Signal to Noise: An Interview with Mike Privette
Introduction
In this edition of Signal to Noise, I had the pleasure of sitting down with Mike Privette, a seasoned cybersecurity professional with over 15 years of experience in regulated sectors like finance and insurance. Some personal context: Mike and I first met when I was in grad school at MIT, and we’ve stayed in touch over the past few years.
Now at the helm of Return on Security (which I subscribe to and cannot recommend enough), Mike provides a unique perspective as both a practitioner and strategist. We dug into how he cuts through industry noise, prioritizes his time, and thinks about security investments.
For this edition, we’re going with direct excerpts from our conversation, so this post will be in the first person.
Here’s what he had to say:
1. How do you define the term “signal to noise”?
To Mike, signal to noise is really about separating what’s meaningful from the hype. In cybersecurity there is a constant barrage of information, and the challenge is figuring out what’s actually relevant and what’s just designed to get attention.
For example, there’s all this talk about AI-generated phishing emails being the end of security as we know it. But is that really happening every day, at scale? You’ve got to take a critical eye to these things and ask, “Is this something we need to be genuinely worried about, or is it just another headline?”
2. What’s your take on the FUD/AI marketing we see in the industry?
As an industry, security loves fear, uncertainty, and doubt (FUD). Every new threat is treated as an apocalypse that only the latest tool can fix. Don’t get me wrong—there are real risks, but they get sensationalized.
You’ve got to break it down logically. Is something possible? Sure. But is it probable? That’s where context matters. Most attacks are still opportunistic, looking for easy wins.
As a security leader, you need to step back and see how these threats apply specifically to your business, not just buy into every marketing claim.
3. How do you prioritize and value your time when it comes to security?
It starts with understanding your business. When consulting, one of the first things I ask a team is, “How do we make money?” It sounds simple, but a lot of teams overlook it. Once you know that, you can figure out what’s mission-critical and where your most significant risks are. After that, it’s about using your resources wisely.
Budgets aren’t infinite, and neither is time, so you must prioritize what protects your core business. I also believe in focusing on the human element—security is about people as much as technology.
4. How do you prioritize and value your investments in security?
It’s not just about security for security’s sake; it’s about tying your investments back to business outcomes. If I can make a case that a particular investment will help us close deals faster or improve our compliance standing, that’s a win.
It would be best if you also were practical—figure out where you can solve multiple problems at once. For example, if a security investment also makes your engineers’ lives easier, that’s a great use of money. It’s all about balancing protecting the business and supporting its growth.
5. Any advice you’d give to security vendors looking to add value to your organization?
First, know the context of the business you’re pitching to. A large bank has different needs than a 30-person startup. Smaller companies can’t afford to buy five different tools for five different problems; they need broader solutions.
Another thing—understand that security is about making developers’ lives easier too. The more a tool gets in the way of productivity, the less likely it is to be adopted, no matter how good it is. So, vendors really need to think about how their product integrates into the existing workflow and adds value beyond just security.
6. How do you define resilience?
Resilience, to me, is about building systems that can withstand abuse—whether that’s from an attack or just normal wear and tear. It’s not just about keeping the bad guys out; it’s about making sure your business can keep operating when something does go wrong.
For smaller companies, that might mean accepting that if AWS goes down, you’re down too, because multi-cloud is just too expensive. But for larger organizations, resilience might involve having multiple redundancies and being able to recover quickly from a breach or a failure. It’s all about context.
Final Thoughts:
Talking with Mike, one thing became clear: signal to noise isn’t just about filtering out the hype; it’s about focusing on what truly matters to your organization.
Mike's approach is grounded in practicality and business relevance, from prioritizing security investments to understanding the human element of cybersecurity.
His advice for vendors is simple: Know your customers' needs and integrate your product into their workflow without disrupting productivity. When it comes to resilience, it’s all about building systems that can withstand a setback and continue operating.
Stay secure and stay curious, my friends!
Damien