Zero Trust & Cybersecurity Strategies: CISO Shares Insights | Episode #21

In this episode, John Martinez sits down with Brent Deterding to discuss incident management, the rise in healthcare cyberattacks, and what it takes to lead as a modern CISO. They explore key topics like Zero Trust and identity-based authorization, along with the importance of maintaining a calm, effective security culture. Hear Brent’s candid advice for navigating today’s evolving threat landscape.

Transcript

Anymore, honestly, I’m really hesitant to get on a plane. Not for any reason other than the fact that outside of Chicago, I can get to some pretty good events by driving downtown in the morning and being back home at night. You don’t have any trust issues with planes—that’s what I’m hearing. No. I am flying on Boeing planes across the ocean next week, so we’ll see.

Hey everybody, welcome to another episode of John Has Trust Issues. Today I’m very honored to have Brent Deterding as our guest on the show. Welcome, Brent.

Thanks, I appreciate it.

One of the things we do here on the show is start with a trust issue. So what is Brent’s trust issue?

I’m going to tell you something I’ve never mentioned on a podcast before, and it very rarely comes up. I worked for SecureWorks for 19 years—actually 18 years and four months, because I took eight months off. I left SecureWorks to day trade crude oil.

I did not get rich, and I did not get poor. I’m convinced I could have done it, but I didn’t during that timeframe. What I did learn was a massive amount about myself. I’m convinced a good day trader needs a therapist. My brain is a dirty liar.

I would sit there with my rules, my trade setup, everything written down, checking each step. I would execute the trade, and it would go against me. Then I’d review it later and think, what was I doing? I learned when not to trust my own brain. It really messes with you. So I have trust issues with myself.

I’ve always asked myself whether I’m naive or wrong. I don’t think I am, but maybe I am. So I don’t fully trust myself.

That’s the first time I’ve heard that one. Brent has trust issues with himself.

It’s me. I don’t trust me.

That makes me want to do some introspection myself.

It’s important not to take yourself too seriously.

Thank you for sharing that. Now let’s get into what we usually talk about on John Has Trust Issues: zero trust, identity, and authorization. Tell us a little about what you do.

I’m a Chief Information Security Officer for Acme. We’re a business process outsourcer, which in practical terms means we run large call centers around the world. This is my first CISO role, and I love it. I have a team of 22, and I genuinely enjoy the work. I’m not burned out. The stress exists, but it’s not a burden.

I worked at SecureWorks for 19 years, mostly on the vendor side, and that gives me a unique perspective. I’ve seen thousands of environments and built a large network of people in the industry. That shapes how I think about what works, what doesn’t, and what’s possible.

I’m not claiming to have all the answers, but I do think differently because of that experience.

You had me at “not burned out.” I love that.

I’ve been in rooms full of CISOs, and sometimes you look around and see a group of miserable people. That’s not how I want to operate. I’m happy. I love what I do. I tend to surround myself with other people who feel the same way.

So what are the top things that keep you happy and not burned out?

One thing I learned early on is to not experience stress over things I don’t control. I worked in a Verizon center where people would call in during major outages. It could be the worst day of their career, and you’d have to respond immediately without context.

That experience taught me to emotionally separate what I can control from what I can’t. I care deeply and put in the effort, but I don’t let uncontrollable things ruin my life.

The second thing is living according to my values. I constantly evaluate where I spend my time and whether it aligns with what matters to me. I don’t just look at it daily—I evaluate it over weeks and especially over the course of a year.

For example, I plan travel around my family. I might have several weeks of travel, but then I intentionally create space to be home. I make sure my decisions align with what I value.

That sounds like prioritizing what truly matters instead of worrying constantly about threats.

Exactly. I focus on significant risk reduction—simple, easy, and cheap. I handle the most important things first and don’t get consumed by everything else.

When it comes to risk, I use a simple framework. I ask: how surprising would this be, and how bad would it be? The most plausible and most damaging risks get addressed first. The more theoretical something is, the less attention it gets.

This allows me to focus on a handful of meaningful issues each day instead of being overwhelmed by everything.

That’s a great approach.

When it comes to measuring risk, I think it can be valuable, but it doesn’t have to be perfect. It just needs to be better than gut instinct. That said, gut instinct still has a role.

If someone wanted to become a CISO, what advice would you give?

First, don’t stress about things you can’t control. Second, be honest about what kind of CISO you are and what your organization needs.

Organizations often say they want a specific type of CISO, but what they actually need might be different—a builder, an operator, or an executive leader. If there’s a mismatch, it creates problems.

Also, if your identity is tied to being highly technical, that can create friction when you move into an executive role. You have to align your personal identity with what the role actually requires.

And finally, be willing to go your own way. A lot of common advice doesn’t apply universally.

I also make decisions based on what’s right, not based on protecting myself. If I make the wrong call, I accept the consequences. I focus on material risk reduction, not covering myself.

What does zero trust mean to you?

Some of the principles are essential. The user should be who they say they are. The machine should be what it claims to be and properly configured. Those are foundational.

But I didn’t need a “zero trust product” to achieve that. Those basics can be implemented without massive cost or complexity.

Tools can help with performance, consistency, and reducing technical debt, but they’re not a silver bullet. It starts with fundamentals.

Let’s talk about healthcare incidents like ransomware attacks. What’s your perspective?

I won’t speculate on specific cases, but I will say that effective risk reduction is simple in principle. I focus on five key areas: strong MFA everywhere, full endpoint detection coverage, no unmanaged devices for critical access, rapid patching of external vulnerabilities, and privileged access management.

Most major losses today come from ransomware or business email compromise, usually through phishing, stolen credentials, or exposed vulnerabilities. These controls directly address those risks.

The challenge isn’t technology or cost—it’s people and leadership. Many organizations say something won’t work, but in reality, it’s often a matter of priorities and execution.

If you can’t implement something, it’s better to say you haven’t been able to get alignment than to say it’s impossible.

There’s always a balance in industries like healthcare between security and usability, but leaving critical access unprotected is not the answer.

Switching gears—what are you drinking these days?

I like wheated bourbons. My favorite right now is from Bardstown Distillery. I also enjoy Buffalo Trace. Over my lifetime, I’ve probably had more Jack Daniels than anything else. It’s familiar—it’s like an old friend.

What about conferences this summer?

I’ll be at a Digital Director Network conference in Chicago. I’m selective about events, especially in the summer, because I want to spend time with my kids. I try to balance professional events with personal priorities.

These days, I prefer events I can drive to rather than flying. It’s more efficient and lets me stay connected at home.

Any final thoughts?

Enjoy what you do. If you don’t enjoy it, work toward changing that. You don’t have to stay in a role that makes you unhappy forever.

That’s another episode of John Has Trust Issues. Brent, thank you for joining us.

Thanks for having me.

This episode was brought to you by StrongDM, the zero trust privileged access management platform for your critical infrastructure.
