Security Theater Podcast

Episode 1: Joe Silva & Kyle Bubp

Former CISO turned CEO Joe Silva joins CISO Kyle Bubp for an unfiltered debut: survival tips, career truths, and a few laughs from the cyber hot seat.

About the podcast — Hosted by former CISO-turned-CEO Joe Silva, this show delivers unfiltered stories, lessons, and laughs from the frontlines of cybersecurity leadership.

Overview

Vulnerability management has barely changed in twenty years. Joe Silva and CISO Kyle Bubp open the first episode of Security Theater by taking that apart, starting with the CVE and National Vulnerability Database system itself: an opportunistic, crowdsourced catalog shaped by uneven researcher motivation, not a systematic measure of real-world risk.

From there the conversation turns to what the CVE model leaves out. Privilege level rarely factors into scoring, even though software running as domain admin carries far more blast radius than the same flaw in user mode. CVSS scores can be wrong. Kyle and Joe are blunter still about compliance-driven programs and third-party vendor questionnaires: necessary but not sufficient, with breaches that passed SOC 2 attestations as the evidence.

Kyle’s prescription is organizational as much as technical: stop centralizing every vulnerability in one team, push ownership back to the people who run the systems, then stop treating every “critical” as equally critical. Joe connects it to the paradox that application security tooling is at an all-time high while CVE volume keeps climbing and outcomes stay flat.

Scan data is a starting point, not an answer. Runtime and behavioral context turn a long list into a defensible one.

Key Takeaways

  1. The CVE/NVD catalog is opportunistic and crowdsourced. It reflects who chose to look and disclose, not a complete map of exploitable risk.
  2. Privilege level is missing from most scoring. The same vulnerability is a different risk at domain admin than in user mode.
  3. CVSS scores can mislead. A "critical" that requires physical local access is a different problem than one that is remotely exploitable.
  4. Vendor questionnaires and compliance attestations are necessary but not sufficient. Breached vendors have passed both.
  5. Push ownership to the asset owners. Vulnerability risk belongs with the teams that run the systems, not a single central queue.
  6. More AppSec tooling has not lowered CVE volume. Without context, every finding gets treated as the same nail.

Chapters

  • 00:00 — Introductions: Joe, Spektion, and guest Kyle Bubp
  • 00:59 — Vulnerability management hasn't changed in 20 years
  • 01:46 — Inside the CVE/NVD system and its blind spots
  • 04:41 — Legacy vs. new attack surfaces, and the MOVEit breach stat
  • 05:45 — What Spektion sees at runtime that CVEs never catch
  • 07:09 — SOC alerts, cloud-native gaps, and insecure security software
  • 10:35 — Privilege level is missing from the risk equation
  • 12:15 — Rebuilding vuln management: context, bad CVSS scores, compliance limits
  • 16:50 — Turning a big number into a small one, and the burnout it causes
  • 18:52 — Tech debt, compliance conflicts, and vendor risk theater
  • 22:21 — Kyle’s fix: push risk ownership to asset owners
  • 26:07 — Patch audits, elevated-privilege inventory, and red team reality
  • 33:57 — The AppSec paradox: more tools, more CVEs, no improvement
  • 36:24 — How unfixed criticals erode the severity model
  • 40:20 — Runtime insight as the fix, and closing optimism

Guest & host

The guest

Kyle Bubp

VP & CISO, Avid

Kyle Bubp is VP and Chief Information Security Officer at Avid. A security leader with more than two decades of experience, he co-founded Savage Security, has served as IANS faculty, and has built and led security programs across government, defense, cloud, and enterprise environments.

The host

Joe Silva

Co-founder & CEO, Spektion

Joe Silva is co-founder and CEO of Spektion and host of Security Theater. A former Fortune 200 CISO with a background in security and intelligence, he started Spektion to close the gap between what scanners flag and what is actually exploitable at runtime.

Share with friends: