From Line Cook to CISO: How Eric Freeman Thinks About AI, Access Control, and Building Security Teams

Eric Freeman went from working 16-hour days in a restaurant kitchen to leading security at a prominent AI native company. The skills that got him there aren't the ones you'd expect.

Watch on: Spotify, Apple, YouTube

Eric is the CISO at Writer, an AI-native company that has built its own large language model called Palmyra. Before that, he worked across blockchain, crypto, and emerging technology environments. Before any of that, he was a line cook working six days a week in a restaurant kitchen. That background shapes everything about how he leads, builds teams, and thinks about the problems the cybersecurity industry refuses to simplify.

How AI Is Changing Cybersecurity Offense and Defense at the Same Time

Eric's position on AI in cybersecurity is that LLMs aren't doing anything fundamentally novel in terms of discovering new types of vulnerabilities. What they're doing is finding things faster that have existed for a long time. The difference is speed, access to analysis, and precision.

On the offensive side, open source tools like Shannon, Pent-AGI, and CAI are letting people point LLMs at targets and rapidly attempt to exploit them. The models have a strong understanding of coding practices from their training data, which means they can synthesize and act on vulnerability information at a pace humans can't match.

On the defensive side, the opportunity is using that same speed to validate and respond. Eric walked through a specific workflow: an alert fires that an engineer shipped a vulnerable package. Instead of just flagging it, the LLM evaluates what codebase it's in, determines whether the vulnerability is reachable from the outside, checks where else it exists, and assesses whether a patch would break the production build. That entire chain can happen in the time it would take a human to open the first ticket.

He framed this using a concept from Gary Tan: thin agents and fat skills. The agent is lightweight and dynamic. The skills are the tools and methodology it draws on to attack the problem. For practitioners, this is a clear picture of how AI-powered security workflows function in practice. For vendors, it's the standard your products will be measured against.
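The validation chain described above, written out as an added example in the "thin agent, fat skills" shape: the agent is a short loop, and each step (locate the vulnerable package, decide whether the vulnerable sink is reachable from the internet, check whether the fix collides with a version pin) is a separate skill. This is illustration code, not Writer's tooling; the service inventory, advisory, package names and constraint syntax are all constructed for the example, and the "reachability" skill is deliberately simple (internet-facing plus a direct import of the vulnerable function) where a real skill would consult a call graph.

```python
"""Deterministic stand-in for the LLM-driven triage chain: a thin agent
running fat skills over a constructed inventory. All data below is made up."""

# --- constructed inventory: hypothetical services, packages and pins ---
SERVICES = {
    "checkout-api": {"internet_facing": True,
                     "deps": {"yamlparse": "1.2.0", "requests": "2.31.0"},
                     "imports": {"yamlparse.load"},
                     "constraints": {"yamlparse": "<1.3"}},   # pin that blocks the fix
    "billing-worker": {"internet_facing": False,
                       "deps": {"yamlparse": "1.2.0"},
                       "imports": {"yamlparse.dump"},          # does not use the vulnerable sink
                       "constraints": {}},
    "docs-site": {"internet_facing": True,
                  "deps": {"requests": "2.31.0"},
                  "imports": set(),
                  "constraints": {}},
}

# constructed advisory: affected range, fixed version, and the vulnerable entry point
ADVISORY = {"package": "yamlparse", "affected": ("1.0.0", "1.2.5"),
            "fixed": "1.3.0", "sink": "yamlparse.load"}


def vtuple(version):
    """'1.2.0' -> (1, 2, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def constraint_allows(spec, version):
    """Tiny pin evaluator for '<X', '<=X', '>X', '>=X', '==X'; empty spec allows all."""
    if not spec:
        return True
    for op in ("<=", ">=", "==", "<", ">"):
        if spec.startswith(op):
            bound, v = vtuple(spec[len(op):]), vtuple(version)
            return {"<=": v <= bound, ">=": v >= bound, "==": v == bound,
                    "<": v < bound, ">": v > bound}[op]
    raise ValueError(f"unsupported constraint: {spec}")


# --- fat skills: each one answers a single question about one service ---
def skill_locate(advisory):
    """Where else does an affected version of the package exist?"""
    lo, hi = map(vtuple, advisory["affected"])
    pkg = advisory["package"]
    return [name for name, svc in SERVICES.items()
            if pkg in svc["deps"] and lo <= vtuple(svc["deps"][pkg]) <= hi]


def skill_reachable(name, advisory):
    """Is the vulnerable sink reachable from outside? (simplified heuristic)"""
    svc = SERVICES[name]
    return svc["internet_facing"] and advisory["sink"] in svc["imports"]


def skill_patch_safe(name, advisory):
    """Would upgrading to the fixed version violate a declared pin?"""
    spec = SERVICES[name]["constraints"].get(advisory["package"], "")
    return constraint_allows(spec, advisory["fixed"])


SKILLS = [("reachable", skill_reachable), ("patch_safe", skill_patch_safe)]


# --- thin agent: run every skill per affected service, then decide ---
def triage(advisory):
    report = {}
    for name in skill_locate(advisory):
        facts = {label: skill(name, advisory) for label, skill in SKILLS}
        facts["priority"] = "P1" if facts["reachable"] else "P3"
        facts["action"] = (f"upgrade to {advisory['fixed']}" if facts["patch_safe"]
                           else f"upgrade to {advisory['fixed']} blocked by pin; loosen the constraint first")
        report[name] = facts
    return report


if __name__ == "__main__":
    for service, facts in triage(ADVISORY).items():
        print(service, facts)
```

Running it shows the shape of the output the chain produces: the internet-facing service that actually calls the vulnerable function is P1 with a note that its pin blocks the fix, the worker that only uses a harmless function is P3 and can be patched immediately, and the service without the package never appears.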

Why Context Is the Only Thing That Makes AI Useful in Cybersecurity

Without proper context, LLMs add no value. They have incredible speed and inference capability, but speed without understanding is just noise. Eric pointed out this is the same fundamental problem the industry has always had with humans. Now it's the same problem with compute.

His approach to building context on a team starts with understanding how each person learns. Some are visual learners who need to watch something done multiple times. Some retain information after reading it once. Some need to try it on their own and fail before it clicks.

Once he understands their learning style, he has them use analogies rooted in something they already care about. Eric's own anchor is cooking. When he needs to learn a new concept, he asks the LLM to explain it in terms of working a line in a restaurant kitchen. For a team member who's a Patriots fan, he framed building a purple team agent as a two-minute drill where the quarterback reads the field and checks each route.

This works beyond management. The model gives better output when you give it a frame of reference that forces you to actually think through the problem. And the person retains the information because it's anchored to something with real emotional weight for them. It's a learning framework that applies to how anyone uses LLMs more effectively.

What a Line Cook's Career Path Teaches Us About Cybersecurity Hiring

Eric taught himself BackTrack (which later became Kali Linux) while working in a restaurant, using it to investigate whether someone was fraudulently using his signature. A former CCIE he worked with saw what he was doing on a work laptop, recognized the initiative, and told him to stop working in restaurants and go get a Cisco certification.

He quit, studied, got his CCNA, and networked his way to a meeting with the CISO at the MTA in New York. That CISO looked at a resume that said "line cook" and "CCNA" and saw exactly what he needed. Someone creative enough to put things together. Someone with the grind to teach themselves networking on their own time. And someone who understood that forensic analysis is fundamentally about storytelling, the same way building a recipe is about assembling a picture from individual components.

Eric got the job and has said yes to everything since. His advice for people entering the industry: find a startup, get your hands dirty across every system you can, and understand that the more you learn about how things relate to each other, the more context you bring to every problem. In the age of AI, understanding relationships between systems is the skill that compounds.

For hiring managers and investors, this is a challenge to rethink what a "qualified" candidate looks like. Work ethic, curiosity, creativity, and willingness to say yes aren't on a certification list. But they're the skills that made Eric a CISO.

Why Security Is Exactly Like Working a Dinner Service

The cooking analogy wasn't a passing reference. Eric built out a full comparison that reframes how people think about cybersecurity operations.

In a restaurant kitchen, most of your day isn't dinner service. It's prep. You're breaking down ingredients, building sauces, organizing stations, and setting timers so that when orders start coming in, you can execute without thinking. The actual service is a small fraction of the day, but it only works because of the hours of preparation.

Security operates the same way. The majority of the job is implementing controls, grouping users based on roles, building authentication layers, setting up least privilege access, writing runbooks. All of that is prep. When the incident happens, that's dinner service. You execute based on the systems you've already put in place.

Both jobs are high intensity, high stress, and require staying level-headed under pressure. The people who are best at the high-pressure moments are the ones who invested the most in preparation beforehand.

Access Control Is the Only Mental Model That Matters

Eric has a mental model for cybersecurity that he applies to everything, including AI threats. He breaks security into two buckets: bad business logic and misconfiguration.

Bad business logic is when a workflow or piece of code creates an unintended outcome, like a coupon system that accidentally becomes an infinite money printer because the logic was poorly written. Misconfiguration is when something is left exposed that shouldn't be, like an open port, SSH exposed to the internet, or default credentials on a production system.
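The coupon case from the bad-business-logic bucket, as an added example (not code from the episode or from any real checkout system): a discount routine with no reuse check and no floor at zero, next to a hardened version. The order and coupon types are constructed for the illustration.

```python
"""Coupon logic that becomes a money printer, and the hardened version.
Constructed example; amounts are in cents."""
from dataclasses import dataclass, field


@dataclass
class Coupon:
    code: str
    amount_cents: int          # flat discount


@dataclass
class Order:
    total_cents: int
    applied: list = field(default_factory=list)


def apply_coupon_vulnerable(order, coupon):
    """Bad business logic: nothing stops the same code being applied again,
    and nothing stops the total going below zero. If the settlement step
    treats a negative total as money owed to the customer, every extra
    application is a payout."""
    order.applied.append(coupon.code)
    order.total_cents -= coupon.amount_cents
    return order.total_cents


def apply_coupon_hardened(order, coupon):
    """Same feature with the unintended outcomes closed off:
    one use per order, positive discounts only, never below zero."""
    if coupon.code in order.applied:
        raise ValueError(f"coupon {coupon.code} already applied to this order")
    if coupon.amount_cents <= 0:
        raise ValueError("discount must be a positive amount")
    discount = min(coupon.amount_cents, order.total_cents)   # clamp at the order total
    order.applied.append(coupon.code)
    order.total_cents -= discount
    return order.total_cents


def settle(order):
    """Sign of the settled amount: positive = charge, negative = refund.
    With the hardened path this can never be negative."""
    return order.total_cents


if __name__ == "__main__":
    bad = Order(1000)
    for _ in range(3):
        apply_coupon_vulnerable(bad, Coupon("SAVE5", 500))
    print("vulnerable settlement:", settle(bad))      # negative: the printer
    good = Order(1000)
    apply_coupon_hardened(good, Coupon("SAVE15", 1500))
    print("hardened settlement:", settle(good))       # clamped to zero
```

The interesting property is that neither function is "exploited" through a crash or a memory bug; the vulnerable one does exactly what it was written to do. The hardened version encodes the two facts the original logic left implicit: a coupon is a one-time instrument, and a discount can reduce what the customer pays only to zero.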

Both buckets tie back to one thing: access control. Every attacker is ultimately trying to get more access, pivot further, and reach data or systems they shouldn't have. That's true whether they're exploiting a traditional vulnerability or trying to manipulate an LLM.

Eric is blunt about AI security fitting this same model. Prompt injection is social engineering for machines, sneaking specific inputs to get an unintended output. An agent is a more dynamic script running with a human's credentials. A hallucination is functionally similar to a human fat-fingering a database command. The jargon is new. The underlying problem isn't.

For practitioners, this mental model simplifies how you evaluate any new threat. For vendors building AI security products, this is how the CISO on the other side of the table is thinking. If your product doesn't ultimately address access control, it's solving for the wrong layer.

Why Cybersecurity Is Too Stressful and What Would Actually Fix It

Eric didn't hold back on why the industry burns people out, and his analysis goes deeper than workload.

Security teams are cost centers. They're only visible when something goes wrong. If everything is working, nobody notices. If something breaks, everyone asks why you didn't prevent it. You're a firefighter who only gets called when there's a fire, working in a role built around risk mitigation rather than revenue generation.

He added a layer specific to the current moment: vibe coding. Engineers using LLMs to solve immediate problems are generating code that works but doesn't account for compatibility, reusable patterns, or existing schemas. Every shortcut creates tech debt that compounds, and the security team is running against that tidal wave daily.

His proposed fix is structural. Eric compared it to credit scores, where banks evaluate people based on a standardized risk metric. If there were an industry-standard security score that was mandatory, businesses would be incentivized to invest in security because it would directly affect their ability to do business. Security Scorecard attempted something in this direction, but Eric's vision has regulatory teeth: a consistent, legally accountable standard.

For investors, this is worth paying attention to. If something like this emerges, it reshapes buying dynamics across the market. For practitioners, it validates what most already feel: the stress isn't a personal problem, it's a structural one.

How to Build a Security Culture That Engineers Actually Adopt

Eric's approach to building security culture inside an engineering organization comes down to developer ergonomics.

He takes the industry concept of "paved roads" one step further. Instead of just building secure pathways that developers naturally follow, build developer tools that eliminate foot guns entirely. If a developer needs a secret or token for an automation, give them a CLI tool that provides exactly what they need without broad access. If they need to rotate a key, make it faster through the secure path than through the insecure workaround.

Developers are incentivized to move fast. If the secure way is slower than the insecure way, they'll choose speed every time. But if security actually makes their workflow faster, you've aligned incentives. They get speed. You get control. Nobody sat through a training.
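One shape the "CLI that provides exactly what they need without broad access" can take, as an added example that is not Writer's tool or any named product: a small token broker with a per-automation policy, where a developer asks for a scope by name and gets back a short-lived, signed credential limited to that scope. The automation names, scopes, TTLs and signing key are constructed for the illustration; a real broker would hold the key in a KMS or HSM and back the policy with the organization's identity system.

```python
"""Scoped short-lived tokens for automations: the secure path is one command.
Constructed policy and key; illustration only."""
import argparse
import base64
import hashlib
import hmac
import json
import secrets
import sys
import time

# Hypothetical policy: which automation may hold which scopes, and for how long.
POLICY = {
    "nightly-backup": {"scopes": {"bucket:backups:write"}, "ttl_s": 3600},
    "deploy-bot": {"scopes": {"deploy:staging", "deploy:staging:read"}, "ttl_s": 900},
}
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"   # placeholder for a KMS-held key


def issue_token(automation, requested_scopes, now=None):
    """Mint a token carrying only scopes the policy allows for this automation.
    Raises PermissionError rather than silently widening access."""
    entry = POLICY.get(automation)
    if entry is None:
        raise PermissionError(f"unknown automation: {automation}")
    requested = set(requested_scopes)
    if not requested:
        raise PermissionError("at least one scope is required")
    if not requested <= entry["scopes"]:
        extra = sorted(requested - entry["scopes"])
        raise PermissionError(f"{automation} may not request {extra}")
    now = int(time.time() if now is None else now)
    body = {"sub": automation, "scopes": sorted(requested),
            "iat": now, "exp": now + entry["ttl_s"], "jti": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(
        json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + sig


def verify_token(token, needed_scope, now=None):
    """True only if the signature is intact, the token is unexpired, and it
    carries the exact scope the caller needs."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    body = json.loads(base64.urlsafe_b64decode(payload))
    now = int(time.time() if now is None else now)
    return body["exp"] > now and needed_scope in body["scopes"]


def main(argv):
    """Usage: secretcli issue --as nightly-backup --scope bucket:backups:write"""
    parser = argparse.ArgumentParser(prog="secretcli")
    sub = parser.add_subparsers(dest="cmd", required=True)
    issue = sub.add_parser("issue", help="mint a scoped short-lived token")
    issue.add_argument("--as", dest="automation", required=True)
    issue.add_argument("--scope", action="append", required=True)
    args = parser.parse_args(argv)
    try:
        print(issue_token(args.automation, args.scope))
    except PermissionError as exc:
        print(f"denied: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The ergonomics argument is in the surface area: one command yields a credential that expires on its own and cannot be used for anything beyond the named scope, so there is nothing to paste into a config file and nothing to remember to revoke. The policy table is the only place access is widened, which is exactly the place the security team wants to review.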

For his own team, Eric describes himself as "professionally unprofessional." He keeps things light and tries to create an environment where people can be open. But he also writes code, runs threat hunts, and looks at data alongside everyone else. That combination of approachability and willingness to do the work earns a loyalty that goes further than any title.

The Three Camps of Cybersecurity Buyers and Why Fear Still Sells

Eric sees three camps in how the industry buys and sells security, and the framework is relevant for vendors, investors, and practitioners.

The first is the software engineer turned security person who wants to build everything internally. The second is the generalist security engineer who uses tools, does some scripting, and bridges technical and business functions. The third is the compliance-focused business information security officer who outsources what they can to meet regulatory obligations.

Two of those camps buy based on UI and reporting because they're not deeply technical. That's why security still sells on fear. The pitch, "you're going to get breached and here's the tool that prevents it," works because those buyers are in reactive, firefighting environments where the message lands.

The remaining camp wants tools that automate end-to-end and integrate into engineering workflows. They're harder to sell to with fear because they understand the technical reality underneath the marketing.

For vendors, this is a segmentation framework: know which camp your buyer is in and adjust. For investors, it explains why fear-based positioning dominates and where the opportunity lives for products that sell on engineering value. For practitioners, it's worth asking which camp you're in and whether that's where you want to stay.

Why This Conversation Matters for the Cybersecurity Ecosystem

Eric's perspective is shaped by an unconventional path, a deep understanding of emerging technology, and a refusal to overcomplicate things. Whether it's reducing all of security to access control, comparing incident response to dinner service, or challenging the industry to build a credit score for companies, his thinking cuts through the noise the cybersecurity industry generates around itself.

That's the kind of conversation The Cybersecurity Ecosystem Show is built for. Not just how to do cybersecurity, but how to think about it, lead it, and fix what's broken.

Frequently Asked Questions

How is AI changing cybersecurity defense? AI-powered tools are finding known vulnerabilities faster than humans can, enabling automated validation of whether vulnerabilities are exploitable, reachable, and patchable. Defensive teams are using LLMs to run evaluation chains that assess risk across codebases in minutes rather than days.

What is the most important cybersecurity mental model? Eric Freeman reduces all of cybersecurity to access control. Every attack, whether traditional or AI-related, is ultimately about gaining more access. Every defense is about limiting it. Bad business logic and misconfiguration are the two paths attackers use to get there.

How do you build a security culture with engineering teams? Build developer tools that make the secure path faster than the insecure workaround. Align your security incentive with their speed incentive and adoption follows naturally.

What career advice do CISOs give to people entering cybersecurity? Find a startup, say yes to everything, prioritize work ethic over credentials, and learn how systems relate to each other. Understanding relationships between tools and environments builds the context that makes you effective, especially as AI pushes the industry toward generalist output.

Why is cybersecurity so stressful? Security teams are cost centers only visible when something breaks. The role is about risk mitigation, not revenue generation, which limits recognition and creates constant pressure. Structural changes like an industry-standard security score could shift the incentive model.

The Cybersecurity Ecosystem Show connects practitioners, investors, vendors, regulators, and everyone in between. New episodes drop weekly. Subscribe so you don't miss one.
