In this episode of the TPRM Podcast, Nate Lee sits down with Ross Young, a former CISO and longtime security leader known for his pragmatic, outcome-driven approach to cybersecurity.
Ross brings experience from the intelligence community, including over a decade in government service, followed by senior security leadership roles at Capital One and Caterpillar Financial. He is also the co-host of the CISO Tradecraft podcast and the author of Cybersecurity’s Dirty Secret: Why Most Budgets Go to Waste.
The conversation focuses on why so much security spending fails to meaningfully reduce risk. Nate and Ross explore how budgeting based on status quo assumptions leads to bloated tool stacks, misaligned incentives, and defenses that no longer match today’s threat landscape. They discuss how CISOs can rethink prioritization, challenge legacy practices, and better align spend with real-world threats.
They also dig into how AI is accelerating both attack development and defensive capabilities — shrinking patching windows, changing risk dynamics, and forcing security teams to rethink how fast they operate.
What we cover
- Why most cybersecurity budgets don’t reduce real risk
- How legacy assumptions and inertia drive waste
- Zero-based budgeting and rationalizing tool sprawl
- Why third-party risk management is fundamentally broken
- How incentives shape vendor and security outcomes
- The impact of AI on patching speed and exploit development
- Practical frameworks for spending smarter, not just spending more
This episode is a practical discussion for CISOs, security leaders, risk executives, and anyone responsible for building security programs that actually work.
Listen to the episode
Spotify → https://open.spotify.com/show/7JvPsyMJPgVLOKuJhkKfxA
Apple Podcasts → https://podcasts.apple.com/us/podcast/the-tprm-podcast/id1848217699
YouTube → https://youtube.com/@TPRMPodcast
About the Guest
Ross Young is a former CISO with leadership experience at Capital One and Caterpillar Financial, following more than a decade in the intelligence community. He is the co-host of the CISO Tradecraft podcast and the author of Cybersecurity’s Dirty Secret: Why Most Budgets Go to Waste, where he focuses on helping security leaders reduce waste and align spend with real-world risk.
About the Host
Nate Lee is a B2B Scaleup CISO and Founder of Cloudsec.ai, helping SaaS companies build business-aligned security programs that increase developer velocity, strengthen trust, and support sustainable growth.
About the Show
The TPRM Podcast features real-world conversations with security leaders reshaping how we think about risk, exposing the threats, pitfalls, and myths behind today’s cybersecurity challenges.