What we talked about
Andrew Scott is Field CISO at Todyl, where he bridges executive decision-makers and cybersecurity programs for mid-market and SMB organizations. With over a decade of experience across IBM, CrowdStrike, and Recorded Future, he has built security operations programs, led threat intelligence teams, and advised Fortune 500 companies and Federal agencies.
Show notes
A railroad security director once told Andrew Scott something that caught him off guard: “If an APT wants to get us, I can’t do anything to stop them, so I just focus on the fundamentals.” Scott didn’t disagree. His entire approach to cybersecurity is built on that same honesty: you cannot stop every attack, but the organizations that get picked off are almost always the ones that skipped the boring work.
What we covered
- The most common security gap Scott encounters when walking into a new organization is not a missing tool; it is missing governance. Organizations have typically bought their way to what they think is security, accumulated too many tools that do not integrate, and have no documented process for who owns what when something breaks. He calls this the place where “programs of all sizes and all maturity levels continually fail.”
- Scott draws a sharp distinction between security enabling a business and security restricting it. Projects that introduce friction without aligning to business goals get deprioritized or abandoned, and when that happens, Scott says, the security initiative effectively failed before the threat did.
- He uses a simple pressure test with executives: if technology were removed from the equation entirely (ransomware, an outage, whatever the cause), how long could the business operate, and what would that cost per day? That single question, he says, “paints a very clear picture immediately of where we need to start managing risk.”
- On AI and defenders: Scott is skeptical of organizations that rush to AI-enabled security tools without having logging coverage, identity and access management, or basic patching in order. “AI can’t solve our way out of that,” he said. The underlying infrastructure has to exist for AI to have anything useful to analyze.
- For threat actors, AI delivers the same benefits they want from any efficiency tool: speed, scale, and volume. He noted that from initial compromise to data exfiltration, research from firms like Palo Alto Networks now puts the window at 30 to 70 minutes. That timeline, he said, forces organizations to plan for containment, not just prevention.
- Moody’s recently updated their credit risk models to treat cyber events as equivalent in severity to hurricanes and other catastrophic events. Scott cited this as the clearest signal yet that cybersecurity is now a business valuation issue, affecting insurance, funding, acquisitions, and credit ratings, not just an IT cost center.
About Andrew
Andrew Scott is Field CISO at Todyl, where he advises mid-market and SMB organizations on building security programs through Todyl’s managed service provider partners. He has spent over a decade in cybersecurity leadership roles at IBM, CrowdStrike, and Recorded Future.
- LinkedIn: https://www.linkedin.com/in/andrew-s-8b691729
- Website: https://www.todyl.com
Episode 149 of the PreVetted Podcast.