Content provided by Dave Lewis, 1Password and Dave Lewis. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Dave Lewis, 1Password and Dave Lewis or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://podcastplayer.com/legal.

Chasing Entropy Podcast 020: Trey Ford on Research, Risk, and the Rise of Agentic AI

31:02
 

In the 20th episode of the Chasing Entropy Podcast, Dave Lewis sits down with Trey Ford, Chief Strategy & Trust Officer at Bugcrowd and former General Manager of Black Hat, to explore the realities of modern cybersecurity leadership.

From the pitfalls of annual penetration tests to the messy realities of vulnerability disclosure, Trey shares lessons from decades in the field. He explains why risk should be owned at the board level (not by the CISO alone), why disclosure remains the internet’s immune system, and what the rise of agentic AI means for governance and resilience.

The conversation also dives into leadership growth: shifting from arguing to win, to arguing to understand, and how CISOs can transform into true business partners rather than gatekeepers.

Key Takeaways

  • Continuous resilience matters. Annual pen tests don’t reflect reality—continuous measurement does.
  • Risk ownership belongs with the business. CISOs shouldn’t carry it alone.
  • Disclosure is essential. Research-first venues like Black Hat make it safer.
  • Agentic AI raises new risks. Guardrails, explainability, and governance must be designed in.
  • CISO success = trust. Build partnerships across the executive team, not walls.

Memorable Quotes

  • “If it’s accessible, it’s worth securing, scope is a convenience, not a defense.”
  • “It’s not CISO vs. world; it’s the business deciding risk together.”
  • “In the cloud you can ‘accidentally it all the way’, agentic AI just gives that accident agency.”

Listen to Episode 20 now wherever you get your podcasts!

21 episodes
