EPISODE · Feb 10, 2026 · 29 MIN
EP 29 — Age of Learning's Carl Stern on Why Certifications Are Side Effects, Not Final Goals
from Future of Data Security · host Qohash
Carl Stern, VP of Information Security at Age of Learning, explains why forcing controls into place without executive alignment guarantees you'll fight uphill battles every single day, as people begin to see security as a blocker rather than a business enabler. Instead, he starts with identifying crown jewels and acceptable risk levels before selecting any frameworks or tools, ensuring the program fits company culture instead of working against it. He also asserts that certifications like HITRUST and SOC 2 validate you're already operating securely; the real program is the daily processes people follow because they understand why, not compliance theatre. Carl also argues the cybersecurity industry exists at its current scale because of a systemic failure: companies ship insecure software without liability, pushing security costs downstream. Most breaches exploit preventable defects that should never reach production, not sophisticated zero-days.

Topics discussed:
- Building security programs from scratch versus inheriting existing programs, and why executive alignment prevents daily uphill battles
- Treating certifications as validation of operational security rather than the primary program goal
- Pairing administrative controls with technical monitoring to establish baselines before enforcement for unstructured data security policies
- Applying a three-part investment calculus for lean teams: measurable risk reduction, manual work automation, and crown jewel protection
- Calculating the true cost of 24/7 internal SOC coverage, including shift staffing, turnover, training, and tooling, versus managed services
- Why attack patterns remain consistent across healthcare, education, gaming, and retail despite different compliance requirements
- Explaining how AI lowers the barrier for exploit development and expands zero-day risk beyond traditional high-value enterprise targets
- Arguing that the cybersecurity industry exists at its current scale because companies ship insecure software without liability, pushing costs downstream
No transcript for this episode yet