“What even is trust?” asks Ty Sbano, CISO at Webflow, in the latest episode of Where Trust Meets AI. Tune in as host Adam Markowitz, CEO of Drata, welcomes Ty for a deep dive into what your ideal security program should look like. Together, they unpack how trust evolves in an AI-driven world, why continuous compliance matters more than point-in-time reports, and how security leaders can shift from the "department of no" to the "department of know."
Whether you're navigating vendor risk in a post-SOC 2 world, building AI-ready security programs, or figuring out how to augment your team without losing fundamentals, this conversation cuts through the noise with hard-won insights on what actually moves the needle on trust, risk, and business enablement.
What You’ll Learn:
- How to reframe security's role from blocker to enabler - the "department of know"
- The critical gap between certification and continuous trust
- The skill set that actually matters in an AI-native GRC world
- How to evaluate whether an AI tool is trustworthy, going beyond just vendor legitimacy
- Why questionnaires, policies, and vendor reviews are your fastest onboarding accelerators
- The hidden risk no one's talking about: permission creep with AI agents
Hit play to explore how organizations can harness AI's acceleration while maintaining the fundamentals that actually matter: consistency, transparency, and human judgment.
Highlights:
00:00 Introduction and Meeting Ty Sbano
02:57 From Banking to Startups: 20 Years Building Security Programs
05:01 Redefining Trust in an AI World
06:55 Why AI Magnifies Old Risks Faster
09:47 From "Department of No" to "Department of Know"
13:44 AI in Practice: Workflows, Superpowers and the Responsibility Gap
18:11 SOC 2 Is Table Stakes Now: The Evolution of Vendor Trust Over 15 Years
22:17 Continuous Compliance: Building Trust Centers That Drive Growth
24:38 The Trust Center as Growth Enabler: Positioning Security as Strategic
27:32 Fundamentals First: Why AI Automation Can't Replace Risk Management Skills
32:38 The Skills That Matter in a GRC World
34:50 Making Security Documentation AI-Ready
36:14 What CEOs Should Ask CISOs: Uncovering Blind Spots and Hidden Risks
38:19 Most Influential Reads, Podcasts, and People in Ty's Career
41:01 Know Your Worth: Boundaries, Integrity and Career Longevity
42:36 Final Thoughts: The Future of Compliance and Continuous Assurance
Quotes:
- “When the early days of knowing and figuring out what it was like to break into sites and do certain things, they painted such a unique picture of how storied and how whimsical and all these things that go with hacking things. In reality, it's not as fun or sexy, but tinkering, hacking, the communities that are out there, it is a very colorful environment of people and characters.”
- "Being a leader as someone that has an opportunity and I'm blessed to be able to go into these startups and build, but also work with founders and feel the value that goes in and the outcomes that actually occur. When you share those sort of ambitions together in that pace, it can lead to an amazing thing."
- "If you're too nice, if you leave too many doors open, I think a lot of folks will take advantage of that, and being too polite can actually be to your detriment. It's a hard balance between being direct and being rude, but you have to know your worth by knowing your boundaries."
- "You have to know your worth by knowing your boundaries. That, to me, changed everything in how I operate and where I'm at today. It's not just about being protective—it's about being strategic in how you allocate your most valuable resource: your time."