In this episode, cybersecurity veteran Andy Weeks shares lessons from over 20 years in leadership, with a focus on IAM and adopting Zero Trust. He discusses how to balance security with business needs and the importance of strategic thinking in building effective programs. Hear his advice for aspiring leaders and how organizations - especially smaller ones - can strengthen their security posture.
Have a zero trust relationship with pumpkin spice.
It is inappropriate to have pumpkin spice in September, and it is inappropriate to have pumpkin spice in January. October and November are the right times for pumpkin spice. Context matters. I don’t like it in my coffee, but I’m okay with it in a milkshake.
We’re thrilled to have you here, Andy. Welcome to the show. Before we get into your background, tell us about your trust issue.
When I think about trust issues, I go back to my time in the enterprise. One thing I always stressed about was making sure that when we issued credentials, they actually went to the right person. We’ve done a great job improving authentication with things like multifactor authentication and tokens. But the question remains: how do we really know the person receiving the credentials is who they claim to be? I don’t think we’ve fully solved that problem as an industry.
That’s an important one—making sure credentials truly belong to the right person.
Why don’t you give us a bit of your background?
I started as an electrical engineer and was part of one of the first computer and electrical engineering classes at Purdue. My career has taken a winding path. I’ve worked in corporate environments, built and sold a consulting company, and helped develop technical services for a large facilities organization. I also experienced a major company bankruptcy, which was a significant learning moment.
I later started a wireless internet company and have stories of being on top of a 30-story building in a thunderstorm fixing antennas to keep clients online. After that, I spent 21 years at Humana in various cybersecurity roles, including identity and access management and serving as a functional CISO.
Now I focus on independent consulting, helping organizations—especially smaller ones—benefit from that experience.
That’s a strong background. I’m sure those organizations benefit from your experience.
From your perspective, what does cybersecurity leadership look like at a strategic and tactical level?
The biggest challenge is getting stuck in the tactical, day-to-day work. Organizations spend too much time reacting and not enough time thinking strategically. The pace of business makes it hard to step back, but without that strategic thinking, outcomes suffer.
Ideally, leaders would spend about 80 percent of their time on operations and 20 percent on strategy. In reality, many spend nearly all their time reacting. Organizations that intentionally create space for strategic thinking tend to perform better.
That makes sense. Security has evolved into a core business function. How do you balance keeping a business running while keeping it secure?
It starts with culture. Security begins with individuals. Training people to recognize threats—like phishing or suspicious behavior—is one of the most effective defenses. Technology is important, but people are often the weakest link, and adversaries know that.
AI will make both sides more effective. It will enhance defense, but also enable more sophisticated attacks like deepfakes and advanced social engineering.
What about concerns around AI and data exposure?
I don’t think it’s fundamentally different from the risks we already accepted with cloud adoption. The data is already out there. The real focus should be on how AI is used—both by defenders and attackers. There’s a lot of potential on both sides.
You’ve worked in highly regulated environments. What’s that like?
It’s both empowering and challenging. Regulations make it easier to secure funding and support for security initiatives. But they often lag behind current technology, which can create friction.
For example, you might implement strong modern authentication, but still be required to follow outdated password rules. That gap between regulation and reality can be difficult.
Let’s talk about identity. Do you think identity is the new perimeter?
I think we’re moving beyond the idea of a perimeter altogether. Identity is involved in every transaction. Instead of authenticating once and granting broad access, we’re moving toward dynamic, context-based authorization.
Access should be granted only when needed, based on context—what the user is doing, where they are, and other signals. That’s the essence of modern zero trust.
How do you define zero trust?
I’m not sure “zero trust” is the best term. I prefer “dynamic trust.” Trust should be continuously evaluated based on context—what someone is trying to do, where they are, and how they’re accessing systems. It’s about granting access in real time, based on need.
Let’s shift gears—pumpkin spice or not?
Pumpkin spice has its time. October and November are appropriate. Not September, not January. And definitely not in coffee—but maybe in a milkshake.
What security concerns you most today?
I worry about how easily people can be socially engineered, especially older individuals. Many are very trusting and can be manipulated into giving away sensitive information. These attacks are becoming more sophisticated, and there’s a strong financial incentive behind them.
We also see similar issues in organizations with things like executive phishing. It’s surprising how often people fall for these attacks.
Do you think the industry is moving in the right direction?
Yes, but it’s an arms race. Attackers evolve, and defenders respond. Technology helps both sides. I expect devices themselves to become smarter—able to detect phishing or suspicious activity and protect users in real time.
What’s something you’re most proud of in your career?
Building a wireless internet company stands out. We took emerging technology and used it to provide affordable internet to small businesses that otherwise couldn’t access it. It wasn’t a huge financial success, but it solved a real problem and created value.
What advice would you give someone entering cybersecurity or aiming for leadership?
Stay curious. The field evolves quickly, and you need to continuously learn to keep up.
For leaders, focus on serving your team. Your role is to help others succeed. Study organizations with great customer service—they often have strong leadership cultures as well.
Tell us about what you’re doing now.
I work with smaller organizations that face the same challenges as large enterprises but with fewer resources. I help them make smart, practical security investments and move forward step by step.
If anyone wants to connect, I’m available on LinkedIn or by email.
We’ll include your information in the episode description. Thanks for joining us—this was a great conversation.
Thanks for having me.
That’s another show. Have a great day.