No Trust Podcast: Howard Holton – How AI Exposes Security Skeletons and What to Do About It
In this episode of No Trust, Jaye Tillson and John Spiegel welcomed Howard Holton for a wide-ranging conversation on cybersecurity fundamentals, AI-driven risk, identity sprawl, technical debt, and why organizations continue to prioritize speed over resilience.
PODCAST
John Spiegel
5/26/2026
9 min read


Howard brings a unique perspective to the discussion. Before becoming CEO of GigaOm, he spent decades operating as a CIO, CTO, and CISO across industries ranging from healthcare and telecom to manufacturing and government. His career started unusually early — building commercial software at age 11 after writing a program to manage his baseball card collection.
That long operational history shaped one of the episode’s central themes:
The cybersecurity industry has become extraordinarily good at compensating for bad fundamentals instead of fixing them.
The Industry Built Around Avoiding the Basics
Early in the conversation, Howard described cybersecurity as a multi-trillion-dollar industry largely built around the fact that organizations never truly solved foundational operational problems. Companies routinely overprovision access because it is easier. Administrative privileges remain in place because removing them creates friction. Flat networks persist because segmentation is inconvenient.
Rather than correcting those issues, organizations continue layering on tooling to compensate.
That approach may have been survivable when risk moved at human speed. Howard argued that AI changes that equation entirely.
AI does not magically make organizations smarter. What it does is amplify existing capability — and existing weakness — at machine scale.
That distinction became one of the most important points of the discussion.
AI Is Exposing What Organizations Already Ignored
One of the strongest parts of the episode centered around identity and access management.
Howard explained that most traditional enterprise behavior is relatively predictable. Human users tend to perform the same tasks repeatedly. Service accounts typically operate in deterministic ways. AI systems are different because they actively explore permissions, relationships, and data paths in order to solve problems.
That means AI systems naturally expose:
overly broad permissions
poor identity governance
unrestricted file access
excessive blast radius
forgotten legacy access
The conversation highlighted a real-world example where an internal AI deployment was able to surface highly sensitive employee information because the underlying permissions model already allowed access. The AI itself was not exploiting a vulnerability. It was simply operating within the permissions it had inherited.
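The inherited-permissions failure described above, as an added example (not code from the episode or from GigaOm): a toy retrieval layer for an internal assistant, run first under the assistant's own over-granted service identity and then scoped to the requesting user's group memberships. All principals, groups, documents and ACLs are constructed, and the function names are assumptions of this example.

```python
"""Added example (not code from the episode or from GigaOm): how an internal
AI assistant that retrieves documents under one broad, inherited service
identity surfaces data the requesting user could never open, and how scoping
retrieval to the requester's own entitlements contains the blast radius.
Every document, user, group and ACL below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    readers: frozenset  # groups permitted to read this document (constructed ACL)


# Constructed corpus standing in for a file share or wiki the assistant indexes.
CORPUS = [
    Document("handbook", "PTO accrues at 1.5 days per month.", frozenset({"all-staff"})),
    Document("salary-2024", "Salary band for J. Doe is 145000.", frozenset({"hr-comp"})),
    Document("benefits-claims", "Employee claim: physical therapy, 12 sessions.", frozenset({"hr-benefits"})),
    Document("it-runbook", "Rotate the backup service key quarterly.", frozenset({"it-ops"})),
]

# Constructed directory: principal -> group memberships. The assistant's service
# principal was granted every group "so it could answer anything", which is the
# inherited-permissions mistake the episode describes.
DIRECTORY = {
    "alice": frozenset({"all-staff", "engineering"}),
    "bob": frozenset({"all-staff", "hr-comp", "hr-benefits"}),
    "ai-assistant-svc": frozenset({"all-staff", "hr-comp", "hr-benefits", "it-ops"}),
}


def _tokens(s):
    return {w.lower().strip(".,:") for w in s.split()}


def retrieve(query, groups):
    """Keyword retrieval with the ACL enforced inside the retriever: a document
    is a candidate only if the caller holds at least one of its reader groups.
    Filtering here, before ranking or prompting, means the model never sees
    text it is not entitled to, so no prompt-level guardrail has to catch it."""
    want = _tokens(query)
    return [d.doc_id for d in CORPUS if d.readers & groups and want & _tokens(d.text)]


def answer_as_service(query):
    """Anti-pattern: every user's question runs with the assistant's own identity,
    so anyone can ask for whatever the service principal can read."""
    return retrieve(query, DIRECTORY["ai-assistant-svc"])


def answer_on_behalf_of(query, user):
    """Corrected pattern: retrieval is scoped to the requesting user's groups
    (delegated, on-behalf-of access), so the assistant can surface only what
    that user could already open in the source system."""
    return retrieve(query, DIRECTORY.get(user, frozenset()))


def excess_reach(user):
    """Blast-radius check: documents the shared service identity can reach that
    `user` cannot. A non-empty result is exactly the gap the anti-pattern exposes."""
    theirs = DIRECTORY.get(user, frozenset())
    svc = DIRECTORY["ai-assistant-svc"]
    return [d.doc_id for d in CORPUS if d.readers & svc and not d.readers & theirs]


if __name__ == "__main__":
    print("service identity:", answer_as_service("salary band"))
    print("alice on-behalf-of:", answer_on_behalf_of("salary band", "alice"))
    print("bob on-behalf-of:", answer_on_behalf_of("salary band", "bob"))
    print("alice excess reach:", excess_reach("alice"))
```

The design point is where the check lives. A model told in its system prompt never to reveal salaries can still be talked into it; a retriever that never returns the salary document to someone outside `hr-comp` cannot. `excess_reach` is the number worth tracking for an assistant deployment: it is the extra blast radius the shared identity adds over what each user already had, and it should be zero.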
Throughout the discussion, one message became increasingly clear:
AI is not creating entirely new security problems.
It is accelerating the consequences of the ones organizations already accepted.
That concern aligns closely with broader industry conversations emerging around AI and operational complexity at events like RSA Conference, where security leaders are increasingly warning that AI-driven automation is making both exploitation and attack scaling dramatically easier.
“DevSecOps Is a Myth”
The conversation also challenged one of the industry’s most accepted concepts: DevSecOps.
Howard’s position was blunt. Developers are rewarded for moving fast. Security teams are rewarded for slowing things down enough to ensure things are done correctly. Those incentives fundamentally conflict.
Organizations continue prioritizing:
release velocity
rapid iteration
first-mover advantage
feature acceleration
while security becomes something added later in the process.
Howard used Apple as an example of why the obsession with being first is often misguided. Apple rarely invents entirely new categories. Instead, the company succeeds by delivering mature, refined, and usable products at the right time. The lesson, according to Howard, is that organizations should focus less on speed and more on being correct.
That idea resurfaced repeatedly throughout the episode:
fast does not necessarily mean effective.
Identity Sprawl, Technical Debt, and Operational Reality
As the discussion moved deeper into operational security, John Spiegel described environments with multiple identity systems running side by side, thousands of active accounts, and contractors left enabled indefinitely because disabling them was considered inconvenient. Jaye Tillson added an acquisition where the company reportedly had around 400 employees but more than 5,000 enabled accounts in its Active Directory, with little coordination or governance across the identity systems involved.
Howard followed with a ransomware story involving a newly acquired organization that had already experienced multiple prior breaches before ultimately being compromised again through an ancient, unpatched VPN appliance. The underlying problem was not lack of tooling. It was the absence of operational discipline and governance.
One of Howard’s most practical recommendations was deceptively simple:
Organizations need to dedicate operational time specifically to reducing technical debt.
Instead of waiting for a major transformation initiative, he suggested building incremental cleanup directly into operational culture. Even dedicating a small percentage of weekly time toward reducing inactive accounts, tightening permissions, and shrinking blast radius begins changing organizational posture over time.
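One concrete form of the weekly cleanup described above, as an added example (not from the episode): triage an export of enabled accounts into a prioritized disable list that a team can work through in a fixed weekly batch. The column names, the 90-day staleness threshold, the review date and every row are constructed assumptions; `triage` and `cleanup_order` are hypothetical helpers written for this example, not a product feature.

```python
"""Added example (not code from the episode): triage a directory export to
decide which enabled accounts an incremental weekly cleanup should disable
first. The export columns, the 90-day staleness threshold, the review date
and every row are assumptions constructed for illustration; in practice the
rows would come from an AD or IdP export (for AD, lastLogonTimestamp,
accountExpires and manager are the usual sources)."""
import csv
import io
from datetime import date, timedelta

# Constructed export. Empty last_logon means the account has never signed in;
# empty expires means no expiry was ever set; empty manager means no owner.
EXPORT = """\
sam_account,enabled,account_type,last_logon,expires,manager
alice,True,employee,2024-05-20,,carol
bob,True,employee,2023-01-04,,carol
svc-backup,True,service,2024-05-25,,
c-dave,True,contractor,2024-04-30,,erin
c-frank,True,contractor,2023-09-12,2023-12-31,erin
ghost,True,employee,,,
hank,False,employee,2022-02-02,,carol
"""

STALE_AFTER = timedelta(days=90)  # assumption: no sign-in for 90 days is stale
AS_OF = date(2024, 5, 27)         # assumption: the day this review is run


def _parse_date(s):
    return date.fromisoformat(s) if s else None


def triage(export_text, today=AS_OF, stale_after=STALE_AFTER):
    """Return {account: [reasons]} for every enabled account that needs action.
    Reasons are deliberately mechanical so the list can be regenerated weekly
    and the count can be tracked as a risk-reduction metric."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing to clean up
        last = _parse_date(row["last_logon"])
        expires = _parse_date(row["expires"])
        reasons = []
        if last is None:
            reasons.append("never_signed_in")       # provisioned but never used
        elif today - last > stale_after:
            reasons.append("stale")                 # nobody has used it recently
        if expires is not None and expires < today:
            reasons.append("expired_but_enabled")   # expiry set, never enforced
        if row["account_type"] == "contractor" and expires is None:
            reasons.append("contractor_no_expiry")  # the "left enabled forever" case
        if not row["manager"]:
            reasons.append("no_owner")              # nobody to ask before disabling
        if reasons:
            findings[row["sam_account"]] = reasons
    return findings


def cleanup_order(findings, limit=None):
    """Accounts ordered by number of findings (most first, then by name), cut to
    `limit` so a team can take a fixed batch in its weekly cleanup slot."""
    ordered = sorted(findings, key=lambda a: (-len(findings[a]), a))
    return ordered[:limit] if limit else ordered


if __name__ == "__main__":
    found = triage(EXPORT)
    for account in cleanup_order(found):
        print(f"{account:12s} {', '.join(found[account])}")
    print("this week's batch:", cleanup_order(found, limit=2))
```

Run against a fresh export each week and the size of `triage`'s result becomes the posture metric the episode asks for: a number that should go down. Contractor accounts with no expiry and accounts still enabled past their expiry date are the cheapest wins, because each has an obvious owner decision attached; accounts with no owner at all are where a disable-and-wait approach is usually the only way to find out who still needs them.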
The larger point was not perfection.
It was momentum.
Why Boards Still Struggle With Cybersecurity
The conversation then shifted toward leadership and governance.
Howard argued that many boards remain structurally unequipped to evaluate modern cybersecurity and AI risk because they lack people with deep operational technology experience. Familiarity with technology is not the same thing as understanding how systems fail, how identity breaks down, or how AI changes risk exposure.
John compared the industry’s current transition into AI to the evolution of military aviation. Organizations are attempting to defend against next-generation threats while still thinking in terms of older operational models.
The discussion also touched on the difficult position many CISOs operate within today. Security leaders are often held accountable for outcomes while lacking sufficient authority, staffing, or organizational alignment to meaningfully reduce long-term risk. At the same time, boards frequently continue treating cybersecurity primarily as a technical issue rather than a business resilience issue.
Security Will Improve — But Attackers Will Move Faster
Toward the end of the episode, Howard shared a cautiously optimistic outlook for the future.
He believes organizations will improve significantly over the next several years, particularly as AI forces companies to confront identity hygiene and governance failures more directly. But he also warned that attackers will improve faster in many areas because AI dramatically lowers the effort required to exploit operational weakness.
The organizations that adapt successfully will likely be the ones willing to accept short-term operational pain in exchange for long-term resilience.
That means:
reducing blast radius
enforcing least privilege
improving governance
eliminating unnecessary access
prioritizing operational discipline over optics
Across the entire conversation, one theme remained remarkably consistent:
Cybersecurity’s biggest problems are rarely caused by a lack of tooling.
More often, they come from organizations refusing to confront the hard operational work they already know needs to be done.
The episode closed on a lighter note with discussions around Formula One, Porsche 911s, Lotus Elise ownership, classic Land Rovers, and Howard’s extensive car collection. But even those stories reflected the broader philosophy behind the conversation — a respect for systems that are thoughtfully engineered, purpose-built, and designed correctly from the beginning.
And in many ways, that may have been the clearest takeaway from the episode.
The future of cybersecurity will not belong to the organizations moving the fastest.
It will belong to the organizations finally willing to get the fundamentals right.
Link to the episode here - https://on.soundcloud.com/MgwiQLyP8rOUb2eXbZ
No Trust Podcast – Howard Holton
Jaye Tillson:
Hello everyone and welcome to another episode of No Trust. We have a new guest on the show today, Mr. Howard Holton. We actually spoke with Howard at RSA and we had such a fun time that we thought we'd get him on our show. But as you're a new guest on the show, Howard, maybe you can just introduce yourself to our listeners.
Howard Holton:
Sure. I’m Howard Holton, CEO of GigaOm. I’ve spent the last 20 years as a CIO, CTO, and CISO across multiple industries including healthcare, telecom, manufacturing, and government.
I actually got started in technology very young. When I was 11 years old, I built software to manage my baseball card collection. My dad owned a law office at the time and needed help with computers, so I wrote my first commercial software product for WordPerfect. From there I got into networking, Novell NetWare, and eventually worked across just about every technology role imaginable.
I even tried being a restaurateur for a while, but tech pulled me back in pretty quickly.
Jaye Tillson:
That’s an incredible journey. Before we started recording, you mentioned something that really stood out — that organizations still aren’t getting the basics right in cybersecurity. What do you mean by that?
Howard Holton:
Cybersecurity is basically a multi-trillion-dollar industry built around compensating for the fact that we never handled the fundamentals correctly to begin with.
Organizations overprovision access because it’s easy. Administrative privileges stay in place because removing them creates friction. Networks stay flat because segmentation is inconvenient. Then we buy layer after layer of security tooling to compensate for those bad decisions.
The problem is AI is now exposing all of those weaknesses at machine speed.
AI doesn’t magically make people smarter. It just amplifies capability and operates at a speed and scale we’ve never seen before.
Jaye Tillson:
I completely agree. We built systems to prioritize speed and efficiency for users and the business. Over time we added complexity and more tooling instead of fixing the underlying problems.
And now AI is exposing all of those gaps.
John Spiegel:
Exactly. We’ve accumulated years of security debt. Those compromises were made at human speed, but now AI is operating much faster.
I was talking to a CISO recently who attended a major AI conference. He said almost everyone attended the “how to build AI” sessions, but when the security sessions started, about 75% of attendees left.
That really says everything.
Howard Holton:
It does. And honestly, DevSecOps is largely a myth.
Developers are paid to move fast. Security teams are paid to slow things down enough to ensure things are done correctly. Those incentives fundamentally conflict with each other.
Organizations reward release velocity and first-mover advantage. Security gets treated as an afterthought.
That’s a cultural issue more than a tooling issue.
Jaye Tillson:
How do we change that? Businesses want to move quickly because competition is fierce.
Howard Holton:
I think we’ve convinced ourselves that being first matters more than being right.
But look at Apple. Apple is rarely first to market. They succeed because they refine products and deliver them in a way users actually want.
We need to stop prioritizing speed over correctness.
Security needs to be considered part of “doing it right,” not something added afterward.
Jaye Tillson:
You also mentioned identity and blast radius earlier. That feels especially relevant with AI.
Howard Holton:
It absolutely is.
Traditional service accounts and even human behavior tend to be fairly predictable. Most employees perform the same tasks every day.
AI systems don’t behave that way. AI actively explores permissions and access paths to solve problems.
That means every overly permissive account, every accessible file share, every excessive permission becomes exposed.
The issue isn’t necessarily AI itself. The issue is that organizations already had poor identity hygiene.
AI just reveals it faster.
Jaye Tillson:
I recently heard about a company deploying an internal AI assistant that could retrieve employee salary and health information because it had inherited broad permissions from existing systems.
Howard Holton:
Exactly. The AI didn’t “hack” anything.
It simply operated within the permissions it had.
That’s why identity hygiene and blast radius reduction are so critical right now.
John Spiegel:
And many organizations still have major identity sprawl.
I’ve seen environments where companies had multiple identity systems, thousands of active accounts, contractors left enabled indefinitely — all because it was easier operationally.
Jaye Tillson:
I’ve seen that too. One acquisition I worked on supposedly had around 400 employees, but their Active Directory had over 5,000 enabled accounts.
Howard Holton:
That happens constantly.
And the challenge is organizations already know these problems exist. The issue isn’t awareness. It’s willingness to deal with the short-term pain required to fix them.
Jaye Tillson:
So how should organizations realistically start improving?
Howard Holton:
Incrementally.
Take a percentage of operational time every week and dedicate it to cleanup. Reduce inactive accounts. Tighten permissions. Shrink blast radius.
You don’t solve technical debt overnight, but you build operational discipline over time.
And importantly, you start measuring meaningful risk reduction instead of just buying more tools.
John Spiegel:
I’ve done exactly that with engineering teams before. We shifted resources away from purely new projects and toward operational cleanup and technical debt reduction.
It worked, but it required executive buy-in because the business always wants new capabilities faster.
Howard Holton:
And that’s another issue. Most boards still don’t truly understand technology risk.
Very few boards include people with deep operational cybersecurity experience. Familiarity with technology isn’t the same as understanding how systems fail.
As a result, boards often rely heavily on consultants and vendor messaging without having anyone capable of challenging assumptions.
John Spiegel:
That’s especially dangerous in the AI era because the operating model itself has changed.
Organizations are still defending systems using assumptions built for a completely different generation of threats.
Jaye Tillson:
Do you think things are improving at all?
Howard Holton:
I do think things will improve.
I think organizations will become much better over the next several years, especially around identity and governance. But attackers will improve faster in many ways because AI lowers the barrier to exploitation dramatically.
The companies that succeed will be the ones willing to accept short-term operational pain for long-term resilience.
Jaye Tillson:
Before we wrap up, we have to switch gears because we discovered you’re also a huge car enthusiast.
Howard Holton:
Very much so.
I’ve owned more than 170 cars and over 45 motorcycles over the years.
John Spiegel:
That’s incredible.
Howard Holton:
My favorite overall is probably the Porsche 911 Turbo. But one of my most beloved cars was a 1971 Land Rover Series 2A that my father and I restored together.
I also owned one of the Mini Cooper MC40 press cars, which was a really special vehicle.
Jaye Tillson:
We could probably spend another entire episode talking about cars.
Howard, this has been fantastic. Thank you so much for joining us.
Howard Holton:
This was a blast. Thanks for having me.
John Spiegel:
Absolutely. Thank you.
Jaye Tillson:
Thanks everyone for listening to another episode of No Trust.
