What you'll learn
The CISO's "first team" is the rest of the C-suite, not the security org — and that reframe is what separates organizational executives from security leaders.
Outages and bugs are the highest-leverage trust-building moments a vendor gets — the service recovery paradox lands you above neutral when you respond well.
Time to first value is the operating metric that matters now, not "time to value" — buyer patience is collapsing from 90 days to a single day.
Description
AFK — Amelia Forrest Kaye, fractional Chief Customer Officer and executive advisor — has spent nearly two decades inside the post-sales engines at companies like Expel, Salt Security, and Tanium. Founders and CISOs call her when they need to convert customer obsession from a buzzword into a measurable strategy. This conversation is built around what's actually changing in customer-facing leadership in 2026: how vendors should treat their customers during outages, how leaders should navigate the AI hype-versus-budget squeeze, and the operating reframe she gives every CISO who's stuck inside their own team.
The episode opened on the Cloudflare outage that took down a meaningful slice of the internet the day of recording — including Conor's connection mid-show. AFK's frame on how vendors should handle these moments is the most useful operating principle the show has aired on the topic. The service recovery paradox is real: vendors that respond to outages with transparency, accountability, education, and concrete next-step commitments don't just recover to neutral, they end up above where they started. Most don't, and most should. The corollary on the customer side is to ask hard questions, demand status pages, learn the stack you actually depend on.
The middle of the conversation goes after the agentic-AI hype cycle. Gartner is calling for 40% of agentic AI projects to be canceled by 2027 because business value is unclear and costs are high — and at the same time predicts that 15% of day-to-day decisions and a third of enterprise applications will embed agentic capabilities by 2028. Cybersecurity's share of IT spend just dropped from 11.9% to 10.9%. Threat actors orchestrate end-to-end attacks with Claude. The squeeze is real. AFK's answer is back to fundamentals — sponsored leader, clear why, tangible adoption steps, real change management. The closing third hits the operating reframe that gives this episode its title — your first team is not the security org.
What we cover
"the service recovery paradox" — why a well-handled outage lands you above neutral, not at it
"the orchestration layer is the new attack surface" — the Anthropic November report and the Bermuda triangle of AI hype, costs, and shrinking budgets
"do AI agents need security awareness training?" — the half-joke that points at a real product gap
"basic change management still wins" — sponsored leader, clear why, tangible steps, real trade-offs
"the time to first value metric" — your ignition moment, and why buyer patience collapsed from 90 days to a day
"the stickiness metric" — they don't have to like you, they have to need you
"your first team is the C-suite" — the reframe that turns a security leader into an executive
"minimal viable voice" — how a CISO should start building public presence without faking it
The conversation
The service recovery paradox — and why most vendors waste it
The Cloudflare outage was the live backdrop for this episode and the cleanest setup AFK could have asked for to lay out the service recovery paradox. The framing is simple. Customers walk into your relationship at neutral. Something breaks — an outage, a bug, an integration failure — and they drop to a meaningful negative. Most vendors then do one of two things wrong. They point fingers at the upstream provider ("not our fault, look over there"), or they fully fall on their sword for something that isn't entirely their responsibility, eroding their own trust in the process.
The vendors that actually use these moments build a third path. They acknowledge the impact, take real ownership of the customer experience, educate the customer about what just happened in the broader stack, and commit to specific changes going forward. Done well, the customer ends up above neutral. The relationship strengthens because they saw how you operate under pressure. Conor's plumber story — the guys who covered cleanup, professional drying, and the second visit even though they couldn't prove the leak was their fault — is the same paradox in a different industry. They're still his plumbers because of how they handled the bad day.
For vendors specifically, the operational implication is that crisis response has to be designed before the crisis. Status pages need to exist and be discoverable. Knowledge-base articles need to be written for the kinds of failures your stack can produce. PR and customer communications need to be drafted and ready to deploy with the specifics, not invented under load. Fourth-party risk is finally getting attention because every vendor is downstream of three or four hyperscaler decisions they don't control — and the ones who handle those moments well will be the ones who keep the customer.
The Bermuda triangle: agentic adversaries, agentic project failures, shrinking cyber budgets
AFK's framing of the current AI moment as a Bermuda triangle landed cleanly. On one side, Anthropic's November threat report documented a Chinese state-linked group orchestrating attacks against ~30 organizations using Claude, with the model completing 80–90% of the detailed work and humans only at strategic breakpoints. On the second side, Gartner is predicting 40% of agentic AI projects will be canceled by 2027 due to unclear business value and high costs — even while expecting 15% of day-to-day decisions and a third of enterprise applications to embed agentic capabilities by 2028. On the third side, the IANS data shows cybersecurity budgets only grew 4% this year, and cyber's share of total IT spend dropped for the first time in five years from 11.9% to 10.9%.
AFK's answer to navigating that triangle is a return to change management fundamentals — and she's right that the conversation almost never lives there. Every successful AI project has the same four components: a bought-in executive sponsor with both financial and brand commitment, a clear stated why with measurable expected impact, tangible enablement steps that are specific rather than nebulous, and explicit trade-offs about what the org is saying no to in order to say yes to this. The hype cycle skips all four. Threat actors don't — they have unambiguous goals, clean orchestration, and zero internal politics. Stuart's observation that bad-actor teams have clearer mission alignment than most enterprise C-suites is darkly funny and probably true.
If the only thing you do is find diamonds in the rough and amplify the voices of others, that is fucking incredible
The two metrics that should replace your current CS dashboard
The most generative segment of the conversation was AFK rethinking the customer-success metric stack from scratch. The first metric — time to first value, which she frames as the ignition moment — replaces the old "time to value" that gave vendors months of cover. Ignition is the moment the customer turns the key, the engine roars to life, and they get the first credible "this works for us" signal. With AI-native tools, the patience window has collapsed from the historical 90-day enterprise benchmark to roughly a day. If your tool can't deliver an ignition moment in that window, the deployment narrative is already getting written against you.
The second metric is stickiness, and AFK's framing is sharp.
They may not like you, but they know they need you. And I honestly think that's more important.
Happiness is a vanity metric in a tight market. Need-driven retention compounds. Build your product into the workflows your customers can't easily extract from. Then surface the value live, every day, every click — not in a quarterly report. The third metric is a more formal ROI track, but it has to be built around questions the buyer can actually answer at procurement time: what motivated this purchase, where is the budget coming from, who has to approve renewal. Loop those people into the value story while you still have time, not at the renewal cliff.
The "first team" reframe — where the CISO actually has to operate
The conceptual core of the episode is AFK's challenge to every C-level executive about what their first team actually is. Most security leaders, when asked, say their first team is their security org. AFK's answer: that's the wrong answer. The CISO's first team is the rest of the C-suite — the CMO, the CRO, the CFO, the CCO, the CEO. The work that wins isn't running a tighter security org, it's understanding the motivations and constraints of the other executives well enough to translate security work into the language that benefits each of them. Brand for the CMO. New logos and retention for the CRO. Bottom-line discipline for the CFO. Compliance and risk for the legal lead.
Stuart's anecdote about the CISO who got more 2026 budget than they asked for and chose to redeploy it across other functions captures the point exactly. Most security leaders fight to maximize their slice. The CISO who operates as an organizational executive understands that fairness in capital allocation across the leadership team produces better business outcomes — and that 97% security plus a quadrupled sales team is a better company than 100% security with a starved go-to-market. That's not the security leader playbook most people learned. It's the executive playbook, and the CISOs who internalize it are the ones who get the next role, the board seat, and the seat at the table when the next M&A deal lands.
Building the brand: minimal viable voice
The closing third of the conversation went after the public-presence question. The pattern is now clear across the industry — leaders who get invited to the next opportunity, the board, the advisory work, the conference stage, are the ones who built a public voice over time. AFK's honest take is that she doesn't love self-promotion, but she's been kicked into doing it by a CMO friend, and the shape that's worked for her is a mix of spice, dark humor, and a lot of generosity. Stuart's complement is consistent — the people who use platforms to amplify others build access faster than the people who use platforms to amplify themselves. Karl Mattson is the on-show example.
For CISOs sitting on the fence, Conor's framing was the practical one. Don't try to become a public personality overnight. Pick a minimal viable voice — one quarterly public piece, one recurring internal forum, one external community touchpoint, one Slack channel where you show up positively every day — and let it compound. The benefit isn't just personal brand. It's that on the worst day of a security leader's career — the Joe Sullivan or Tim Brown moment — the predictable record of generosity, kindness, and consistency you've built is what brings the community to your defense. It can't hurt to be good to people, loudly.
Show notes
Guests — Amelia Forrest Kaye (AFK), fractional Chief Customer Officer and executive advisor; previously at Expel, Salt Security, and Tanium
Books mentioned — none
Frameworks / models / tools named — service recovery paradox; "first team" (the rest of the C-suite, not the security org); time to first value / ignition metric; stickiness metric / Batman metric; minimal viable voice; Anthropic's November threat report (GTG-1002, Chinese state-linked group, ~30 organizations attacked); Gartner's 40% agentic-AI cancellation prediction (Reuters); IANS / Artico Search 2026 cybersecurity budget data (4% growth, share of IT spend down from 11.9% to 10.9%); Cloudflare outage (recorded the day of the event); Granola (cited as a great status-page example of an AWS-dependent service)
Other people / shows / resources referenced — Damien Lewke / Nebulock (referenced for the prior-week deep dive on the Anthropic report); Karl Mattson (referenced as the on-show example of using a platform to amplify others); Daniel Miessler (referenced re: the "what if we collapsed the company to one person on YouTube" thought experiment); Joe Sullivan and Tim Brown (referenced as the cases where pre-built reputation mattered most under SEC / DOJ pressure); Steve at Levi's (referenced as the CISO who asked "how does my security program help me sell more jeans"); Sumo Logic Sumo Slam at AWS re:Invent (Conor's plug); House of Lies (Stuart's referenced TV show on consulting); Cribl (referenced re: Calista, prior pod hand)
Hosted by Conor Sherman and Stuart Mitchell.