"The noise isn't false positives, it's all the stuff you're taking action on that didn't need action in the first place."
Signal to Noise: An Interview with Carl Steeves, Deputy CISO at Shutterfly
In this edition of Signal to Noise, I sat down with Carl Steeves, Deputy CISO at Shutterfly. With roots in offensive security and a deep operational background, Carl brings a rare perspective on how to prioritize risk, separate engineering value from marketing hype, and build teams that scale through automation and trust. Our conversation touched on what signal and noise actually mean, how to cut through AI marketing, and where defenders should focus their energy for the highest risk reduction.
Actionable vs. Misguided Effort
Carl's definition of signal to noise isn't just about false positives or alert fatigue. He sees noise as the true positives that don't require action - findings that send defenders down rabbit holes without changing outcomes.
"It's not the false positives that bother me. It's the true positives that still mislead."
He emphasized the importance of thinking across layers, not just the SOC analyst triage queue. A detection might be noise to an analyst but useful to a risk model or automation system. For Carl, the real problem is when security teams waste effort on alerts that don't need a response, burning human time instead of machine cycles.
From Offense to Defense: Why Red Team Experience Matters
Carl started his career hacking routers and flashing firmware before pen testing professionally. That offensive mindset now shapes how he drives risk prioritization.
"I'm constantly saying: That doesn't matter. This does. That mindset came from offense."
He believes every security practitioner should have some offensive experience, not to break things, but to understand attacker priorities and eliminate noise masquerading as signal.
AI, FUD, and the Vendor Hype Filter
Carl has a healthy skepticism toward AI-forward product pitches. He draws a sharp line between AI that simplifies human interaction (like LLMs that help with queries) and AI that reasons, creates hypotheses, and mimics analyst decision-making.
"Don't start with the AI. Start with the problem. If you lead with your AI engine, I tune out."
He urges vendors to explain what problem they solve before showing off how AI helps. The real value, in his view, lies in how much reasoning and creativity the product can replace, not whether it uses the latest acronym.
Risk Reduction, Force Multipliers, and Smart Automation
Carl is a self-described automation junkie, but only when it truly saves time and amplifies impact. He evaluates security investments based on a simple equation: "With the budget I have, how much risk can I reduce?"
He prioritizes investments in people. Analysts, threat hunters, and detection engineers are the highest-leverage points. He focuses defensive coverage where ransomware actually spreads: Active Directory, lateral movement, and session hijacking, not just initial access. And he looks for force multipliers: automation, scripting, and smart detection logic that enable defenders to do more with less.
He also stressed the importance of maturity. For immature programs, start with basic operations and visibility. For mature ones, invest in high-level detection and intelligence.
How Carl Stays Informed: Community Over Conferences
While Carl appreciates events like DEF CON and Black Hat, he admits it's rare to see something truly new. Most attacks are iterations on the same themes.
Instead, he stays sharp through daily intel reports from sources like Intel 471, private threat intel communities from prior roles, and conversations with peers who've already distilled raw data into actionable summaries.
This daily discipline helps him avoid wasting time chasing hype. Real insight, he argues, is distilled through peer collaboration and operational experience.
What Keeps Him Up at Night
Carl is candid about what haunts defenders: "The signal I missed. That's what I lose sleep over."
He worries about the unknown, not just industry-wide supply chain breaches, but the subtle signals his team might overlook or choose not to invest in. Those are the misses that stick.
Advice to Vendors: Support Matters More Than AI
His advice to vendors trying to break into enterprise environments? "Your post-sales support engineering needs to be incredible. That's what makes integrations work."
He stresses that real-world deployments always need tweaks, and support loops should feed directly into product design. A fast integration path, real engineering support, and platform flexibility trump flashy feature sets every time.
Wrapping Up
My conversation with Carl Steeves was a masterclass in pragmatic security leadership. From tuning out AI noise to investing in team-level force multipliers, Carl showed that good security is about knowing where to spend time and what not to chase.
Whether it's missed signals, supply chain uncertainty, or internal risk tradeoffs, his focus is always the same: reduce risk with maximum leverage, automate where it counts, and support your people.
Stay secure, and stay curious, my friends.
Damien
Loved this line: "It's not the false positives that bother me. It's the true positives that still mislead." That distinction feels so important, not just in security, but in how we engage with AI in general.
I've been writing about this from a different perspective, how scaling AI without reflection just multiplies distractions that look useful but cost attention, energy, and judgment.
The systems that win won’t be the ones with the most data, they’ll be the ones built around people who still know what not to act on.