In Episode 2 of The Cyber Roundtable: Security Evolutions, I sat down with cybersecurity leader Paul Drapeau.
Paul has been in the trenches for over 25 years. He started in security at Staples.com during the dot-com era, spent 13 years building and leading a security program at a major pharmaceutical company, moved into EDR threat research at Confer and Carbon Black, then helped breached organizations rebuild their security programs at Kroll Cyber. He's seen this industry from every angle: operator, builder, researcher, and consultant.
What stands out most is how Paul thinks about risk. He describes the job as "ruthless prioritization", knowing that choosing to focus on one thing means leaving something else on the table. You have to be comfortable making the call, absorbing some of that risk on behalf of the organization, and being transparent about why you made it.
We talked about why checkbox security fails. Yes-or-no answers don't work in organizations with real complexity. Maturity models do. Paul compared building a security program to tending a garden rather than building a house. It's never done.
We also talked about AI. Paul compared it to the early days of wireless networking. Back then, security leaders who refused to adapt didn’t last. The same goes for AI. You can’t always say no to the business, and you can’t say no to yourself either.
One thing was clear throughout our conversation: Paul sees this work as a fight between good guys and bad guys, and he wants the good guys to win.
Give it a listen.