
Tuesday Mar 25, 2025
Spektrum Labs’ Joshua Brown on Why Control is an Illusion in Modern Security
“It's kind of like homeowners’ insurance,” says Joshua Brown, Founder of Digital Defense Consulting & CISO at Spektrum Labs, about security programs — they’re helping to mitigate risks, not remove them entirely. “If you have homeowners’ insurance and your house never burns down, it doesn't mean you wasted money. You were there to mitigate the impact of that potentially catastrophic event.”
On this episode of Ahead of the Breach, Josh helps Casey dive deep into why security leaders must abandon technical jargon for financial impact metrics when speaking to executives. He also shares how his strategic approach to the FAIR risk model helps convert everything into business impact dollars.
Josh also walks Casey through his multi-source technique for identifying security gaps by correlating CMDB, cloud services, and EDR data. He closes with his three-point leadership framework, built on purpose, ownership, and mentorship, for retaining talent in an era where AI-powered attackers develop exploits and sophisticated phishing campaigns faster than defenders can patch.
Topics discussed:
- Translating risk with the FAIR model, which converts complex security risks into financial terms, because boards care less about technical risk metrics and more about potential business impact in dollars.
- How his team at H&R Block built an internal threat team that monitored dark web markets to provide contextualized, industry-specific intelligence.
- Managing dynamic attack surfaces across hybrid environments with a multi-source approach to asset management: correlating data from the CMDB, cloud services, EDR solutions, and Active Directory to identify security gaps and configuration drift in highly dynamic environments.
- How attackers are currently leveraging AI more effectively than defenders, and how this is dramatically reducing the timeline for exploiting vulnerabilities and making phishing campaigns more sophisticated and harder to detect.
- Rather than fearing that investing in team growth will lead to turnover, Joshua advocates three principles: connecting team members to their "why," instilling ownership through budget control and OKRs, and embracing a mentorship mindset even if it means team members eventually outgrow their positions.
- The "Illusion of Control" fallacy in modern security: Josh argues that security teams should abandon the outdated notion that they can fully control their environments, especially with personal devices accessing corporate resources, and instead focus on building influence across the organization.
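As an added illustration of the multi-source asset correlation described above (this is example code, not the episode's or Josh's team's own tooling): the four inventories are constructed sample data, and the gap categories (unregistered, no_edr, stale_cmdb, os_drift) are this example's own assumptions about what a practitioner would want flagged.

```python
# Added example: correlate asset records from several sources to surface gaps.
# All inventories below are constructed sample data, and the gap categories
# (unregistered, no_edr, stale_cmdb, os_drift) are this example's own assumptions.

# CMDB: the system of record. Values are the attributes the CMDB believes.
CMDB = {
    "web-01": {"os": "ubuntu-22.04"},
    "db-01": {"os": "rhel-8"},         # record never updated after an upgrade
    "legacy-01": {"os": "win2012"},
    "ghost-01": {"os": "rhel-8"},      # decommissioned but never removed
}
# Cloud provider inventory, as returned by the provider's API.
CLOUD = {
    "web-01": {"os": "ubuntu-22.04"},
    "web-02": {"os": "ubuntu-22.04"},  # spun up outside the change process
    "db-01": {"os": "rhel-9"},
}
# EDR console: hosts with an agent checking in, keyed by FQDN in mixed case.
EDR = {"WEB-01.corp.example", "DB-01.corp.example", "LAPTOP-07.corp.example"}
# Active Directory computer objects.
AD = {"web-01", "db-01", "laptop-07", "legacy-01"}


def normalise(name: str) -> str:
    """Join key: short hostname, lower-cased, so sources can be matched."""
    return name.split(".")[0].lower()


def correlate(cmdb: dict, cloud: dict, edr: set, ad: set) -> dict:
    cmdb = {normalise(k): v for k, v in cmdb.items()}
    cloud = {normalise(k): v for k, v in cloud.items()}
    edr = {normalise(k) for k in edr}
    ad = {normalise(k) for k in ad}
    known = set(cmdb)                   # what the organisation thinks it owns
    observed = set(cloud) | edr | ad    # what the live sources actually see
    return {
        # seen by cloud/EDR/AD but absent from the system of record
        "unregistered": sorted(observed - known),
        # live in cloud or AD but no EDR agent reporting
        "no_edr": sorted((set(cloud) | ad) - edr),
        # in CMDB but no live source has seen it: stale record, or unwatched host
        "stale_cmdb": sorted(known - observed),
        # attribute disagreement between CMDB and cloud: configuration drift
        "os_drift": sorted(h for h in known & set(cloud)
                           if cmdb[h]["os"] != cloud[h]["os"]),
    }


if __name__ == "__main__":
    for gap, hosts in correlate(CMDB, CLOUD, EDR, AD).items():
        print(f"{gap:12s} {', '.join(hosts) or '-'}")
```

In a real environment the join key usually needs more than hostname normalisation (cloud instance IDs, agent IDs, serials), but the set arithmetic stays the same.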