Podcasts about ciso

Jeff and Jim sit down with David Llorens, principal at RSM, to break down the RSM 2026 Attack Vectors Report. Drawing from real-world offensive security engagements, David explains why identity continues to be the primary attack surface, how AI chatbots are creating new vulnerabilities through prompt injection, and what separates organizations that get breached from those that don't. The conversation covers MFA gaps, the explosion of non-human identities, why PAM is the top investment priority for 2026, and how CISOs can align security spending with business objectives. Plus, the episode wraps up with soccer stories and some quality trash talk.Connect with David: https://www.linkedin.com/in/david-llorens-009a3310/Review RSM's 2026 Attack Vectors Report: https://rsmus.com/insights/services/risk-fraud-cybersecurity/rsm-attack-vector-report.htmlConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS0:00 - Intro and Jim's big personal news4:51 - Main topic intro: RSM 2026 Attack Vectors Report5:55 - David's origin story and how he got into cybersecurity9:53 - What a principal is at RSM and David's current role11:16 - What the Attack Vectors Report is and how it is created14:40 - Why identity security is a dominant theme in this year's report17:19 - What separates organizations that get breached from those that don't18:18 - MFA as the first line of defense18:45 - Privileged access management as a growing priority19:40 - Detecting lateral movement through identity anomalies21:00 - Credential rotation as an advanced defensive technique22:26 - Non-human identities and service account risks24:37 - Middle market challenges and budget constraints25:17 - Is it the size of the budget or how you spend it?28:29 - Using internal audit and cross-department collaboration for security wins30:15 - Cybersecurity as a business enabler, not a deterrent32:45 - Non-human identities and agentic AI creating new attack surfaces35:51 - Prompt injection attacks and AI chatbot vulnerabilities39:42 - Actionable recommendations for practitioners42:41 - MFA implementation gaps and session hijacking45:02 - The case for FIDO2 and layered conditional access46:35 - Is identity security a board-level issue?49:47 - Three things CISOs should focus on through 202650:52 - PAM as the top investment priority51:28 - Removing unnecessary privileges from users56:11 - Redefining what privilege means in your organization57:43 - Social media accounts as privileged access58:42 - Credentials stored in SharePoint and OneDrive59:38 - Wrap up and where to find the report59:58 - Lighter topic: David's soccer background and playing semi-pro1:05:06 - Best trash talk stories1:07:03 - Jim's trash talk philosophy: scoreboard1:08:00 - Jeff's basketball trash talk and calling his shots1:10:00 - Final thoughts and sign offKEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, David Llorens, RSM, attack vectors report, offensive security, penetration testing, identity security, MFA, multifactor authentication, privileged access management, PAM, non-human identities, service accounts, agentic AI, AI security, prompt injection, lateral movement, credential rotation, FIDO2, conditional access, session hijacking, middle market, CISO, board-level security, certificate-based authentication, active directory, configuration management, shadow AI

Send a textCameron and Gabe sit down with Girish Redekar, co-founder and CEO of Sprinto, to pull back the curtain on one of the most misunderstood areas of security: compliance.Girish built his first startup, RecruiterBox, to 3,500 customers before selling it, and it was the painful, expensive, duct-taped compliance process he experienced firsthand that sparked the idea for Sprinto. Today, Sprinto helps companies move beyond point-in-time audits into something far more valuable: continuous, autonomous trust.In this episode, we dig into:Why passing a SOC 2 or ISO 27001 audit doesn't mean you're actually secureThe three stages of compliance maturity — and how to climb themWhat "compliance debt" is and why it's quietly eating your businessHow smart CISOs use their security posture as a revenue driver, not a back-office cost centerThe "$100/month" challenge: what actually moves the needle for startupsHow AI is reshaping compliance programs — for better or worseWhy Girish spent over a year talking to customers before writing a single line of codePlus: the "sell more jeans" framework every CISO should know, Rich Hickey, The Mom Test, and the toilet paper question.

Alexis and Kevin sit down with Mike Miller to discuss what brought him from the back of a garbage truck to his current position as a Virtual Chief Information Security Officer (VCISO). He breaks down how a VCISO differs from a CISO, and discusses the two types of clients looking for VCISO services: those looking... Read more »

Alexis and Kevin sit down with Mike Miller to discuss what brought him from the back of a garbage truck to his current position as a Virtual Chief Information Security Officer (VCISO). He breaks down how a VCISO differs from a CISO, and discusses the two types of clients looking for VCISO services: those looking... Read more »

All links and images can be found on CISO Series. This week's episode is co-hosted by me, David Spark, the producer of CISO Series, and Edward Contreras, senior evp and CISO, Frost Bank. Joining us is Mark Eggleston, CISO, CSC. In this episode: Breaking trust to test it Technical controls over testing The measurement imperative Fire drills, not gotchas Huge thanks to our sponsor, Scanner All your security logs end up in cloud storage like AWS S3. Scanner makes them searchable in seconds and runs real-time detections directly on that data. No pipelines, no re-ingestion. 100x faster than traditional data lakes, 10x cheaper than SIEMs. Loved by analysts. Built for AI agents. Learn more at scanner.dev.

In this episode of Life of a CISO, Dr. Eric Cole sits down with cloud and AI expert Matt Lea to unpack the real risks and opportunities shaping cybersecurity today. They dive into AWS outages, cloud resiliency strategies, and how organizations should think about redundancy instead of blindly trusting a single provider. The conversation explores how CISOs can balance cost versus risk when designing cloud architectures and why insider issues, burnout, and knowledge silos often pose bigger threats than external attackers. Matt shares practical insights on AWS AI tools like Bedrock and SageMaker, when to adopt them, and how AI is changing cloud operations at scale. The episode also covers startup lessons, building resilient teams, and the importance of documenting knowledge to avoid single points of failure. Plus, they discuss Cloud War Games, a hands-on approach to training teams under real outage scenarios. If you're a security leader, cloud architect, or technologist navigating AI and cloud transformation, this episode delivers actionable guidance on building resilient systems, managing risk, and preparing for the next wave of cyber challenges.  

In this episode of the CISO Tradecraft podcast, PKWARE Field CTO EJ Pappas joined host G Mark Hardy and Ross Young. The group talked about many challenges and solutions for modern data security. One critical component is the shift from platform-centric to data-centric security. The experts also discussed the barriers to data visibility that CISOs face and how discovery solutions bring clarity. No conversation could be complete without AI and its role as both a defensive framework and the threats it carries. Tune into this engaging conversation with takeaways that are practical and useful.

Trump tells diplomats to fight digital sovereignty. DeepSeek allegedly trains on banned Nvidia chips. Google knocks out Gallium. Hackers tamper with patient records in New Zealand. Popular mental health apps leak risk. Wynn confirms a ShinyHunters breach. Telecoms dodge New York cyber rules. Russia targets Telegram's founder. And a defense insider heads to prison for selling cyber weapons to Moscow. Andrew Dunbar, CISO of Shopify, discusses how identity and trust become the new perimeter and how commerce needs both. Barking backlash brews beneath big-game broadcast. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Andrew Dunbar, CISO of Shopify, to discuss how identity and trust become the new perimeter and how commerce needs both to be engineered into the platform. Selected Reading Exclusive: US orders diplomats to fight data sovereignty initiatives (Reuters) Exclusive: China's DeepSeek trained AI model on Nvidia's best chip despite US ban, official says (Reuters) Google disrupts Chinese-linked hackers that attacked 53 groups globally (Reuters) Patient data changed as major NZ health app MediMap hacked (RNZ News) Android mental health apps with 14.7M installs filled with security flaws (Bleeping Computer) Wynn Resorts Confirms Cyberattack & Extortion Threat, Claims Data Deleted (Casino.org) Verizon successfully dodged data security rules from state regulators (Times Union) Russia opens probe of Telegram chief, claiming app has been used for terrorism (Washington Post)  Former Defense Contractor Sentenced to 87 Months in Prison for Selling Secrets to Russia: Peter Williams Trade Secrets Case Concludes (TechNadu) $10,000 bounty offered if you can hack Ring cameras to stop them sharing your data with Amazon (Bitdefender) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

What does autonomous IT really look like when you move beyond the slideware and start wiring systems together in the real world? At Dynatrace Perform in Las Vegas, I sat down with Pablo Stern, EVP and GM of Technology Workflow Products at ServiceNow, to unpack exactly that. Pablo leads the teams focused on CIOs and CISOs, building the workflows and security products that sit at the heart of modern IT organizations. From service desks and command centers to risk and asset management, his remit is clear: enable AI to work for people, not the other way around. We began with ServiceNow's deepening multi-year partnership with Dynatrace. While the announcement made headlines, Pablo was quick to point out that the real story starts with customers. This collaboration is rooted in a shared goal of helping joint customers reduce outages, improve SLA adherence, and shrink mean time to resolution. The vision of autonomous IT operations is not about hype. It is about connecting observability data with deterministic workflows so that insight can evolve into coordinated, system-level action. Pablo walked me through the maturity curve he sees emerging. First came AI-powered insight, summarizing data and surfacing signals from noise. Then came task automation, drafting knowledge articles, paging teams, triggering predefined playbooks. The next step, and the one that excites him most, is orchestrated autonomy. That means stitching together skills, agents, and workflows into systems that can drive end-to-end outcomes. It is a journey measured in years, not months, and it depends as much on digitizing process and building trust as it does on technology. We also explored root cause analysis, still one of the biggest time drains in IT. By combining Dynatrace's AI-driven observability with ServiceNow's workflow engine, enterprises can automate forensic steps, correlate events faster, and shorten the time spent on major incident bridges where teams debate ownership. Even incremental improvements in accuracy can save hours when incidents strike. Trust, of course, remains central. Pablo was candid that full self-healing systems are still some distance away. What we will see first is relief automation, controlled failovers, scripted actions suggested by machines but approved by humans. Over time, as confidence grows and processes become fully digitized, the balance will shift. Beyond the technology, a consistent theme ran through our conversation. Outcomes have not changed. Enterprises still want higher availability, faster resolution, better employee experiences. What is changing is the how. ServiceNow is reimagining its platform to deliver those outcomes at a much higher standard, not through incremental tweaks, but through rethinking workflows for an AI-first world. From design partnerships with banks building pre-flight change checks, to internal teams acting as the toughest customers, this was a grounded, practical conversation about where autonomous operations are headed and what it will take to get there. If you are a CIO, CISO, or IT leader wondering how to move from theory to execution, this episode offers a clear-eyed look behind the curtain.      

Most organizations view security as a cost center, a "check-the-box" expense rather than a strategic investment. This mindset leads to chronic underfunding, reactive, panic-driven decision-making, and high staff turnover. It also hampers innovation, strategic initiatives, and customer trust. What if security was viewed as a business enabler, not a cost center? Elyse Gunn, CISO at Nasuni, joins Business Security Weekly to discuss how to make security a business enabler, turning security from a cost center into a profit center. Elyse discusses why aligning security initiatives to business drivers is the key to addressing trust, both internally and externally, and how it solves the biggest security priorities for organizations, including: Data Privacy AI Security, and Nth Party Risk In the leadership and communications segment, With CISOs stretched thin, re-envisioning enterprise risk may be the only fix, To Lead Through Uncertainty, Unlearn Your Assumptions, Leaders, Consider Pausing Before Acting on Employee Feedback, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-436

Send a textWelcome to the newest episode of the Serious Privacy podcast, where hosts Paul Breitbarth, Ralph O'Brien, and Dr. K Royal address the hot topic of agentic AI and the risks to #privacy, #dataprotection, #security, and #humanrights. We cover the basics as well as human attributes (or not) along with how to take the risks into consideration as a professional.  If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us! From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0. with the voiceover by Tim Foley.

Two weeks ago on Reimagining Cyber, we explored how agentic AI could become the next major security choke point. Since then, things have escalated.Enterprises are restricting — even banning — AI agents. Security teams are scrambling to regain visibility. Vendors are rushing out “agent security” features. And early warning signs are already surfacing.In this episode, Tyler Moffitt answers the critical question: Did agentic AI just move from innovation to crisis?What changed in just a matter of weeks?This discussion breaks down:Why AI agents are fundamentally different from traditional automation and service accountsHow autonomous reasoning + persistent system access creates a new attack paradigmThe identity and API sprawl problem most organizations didn't realize they hadWhy compromised agents could give attackers automation at scaleThe growing wave of enterprise bans — and what they signalWhether regulation or a high-profile incident is likely to come firstTyler explains how agents don't just generate responses — they take action. They hold API keys, access internal systems, modify code repositories, interact with cloud infrastructure, and execute workflows. When deployed without guardrails, logging, or least-privilege controls, they can quietly multiply an organization's attack surface overnight.The core issue isn't that AI is malicious — it's that AI has become an acceleration layer. And when autonomy meets overprivileged access, traditional security models break.You'll also hear practical, immediate steps security teams should be taking now — from credential rotation and agent inventories to sandboxing and behavioral monitoring.This isn't an anti-AI episode. It's a maturity wake-up call.Because the organizations that build guardrails now will move faster and safer. The ones that don't may learn the hard way.If you're a CISO, security architect, developer experimenting with agents in production, or executive evaluating AI adoption — this is a conversation you can't afford to miss.As featured on Million Podcasts' Best 100 Cybersecurity Podcasts Top 50 Chief Information Security Officer CISO Podcasts Top 70 Security Hacking Podcasts This list is the most comprehensive ranking of Cyber Security Podcasts online and we are honoured to feature amongst the best! Follow or subscribe to the show on your preferred podcast platform.Share the show with others in the cybersecurity world.Get in touch via reimaginingcyber@gmail.com

Most organizations view security as a cost center, a "check-the-box" expense rather than a strategic investment. This mindset leads to chronic underfunding, reactive, panic-driven decision-making, and high staff turnover. It also hampers innovation, strategic initiatives, and customer trust. What if security was viewed as a business enabler, not a cost center? Elyse Gunn, CISO at Nasuni, joins Business Security Weekly to discuss how to make security a business enabler, turning security from a cost center into a profit center. Elyse discusses why aligning security initiatives to business drivers is the key to addressing trust, both internally and externally, and how it solves the biggest security priorities for organizations, including: Data Privacy AI Security, and Nth Party Risk In the leadership and communications segment, With CISOs stretched thin, re-envisioning enterprise risk may be the only fix, To Lead Through Uncertainty, Unlearn Your Assumptions, Leaders, Consider Pausing Before Acting on Employee Feedback, and more! Show Notes: https://securityweekly.com/bsw-436

Most organizations view security as a cost center, a "check-the-box" expense rather than a strategic investment. This mindset leads to chronic underfunding, reactive, panic-driven decision-making, and high staff turnover. It also hampers innovation, strategic initiatives, and customer trust. What if security was viewed as a business enabler, not a cost center? Elyse Gunn, CISO at Nasuni, joins Business Security Weekly to discuss how to make security a business enabler, turning security from a cost center into a profit center. Elyse discusses why aligning security initiatives to business drivers is the key to addressing trust, both internally and externally, and how it solves the biggest security priorities for organizations, including: Data Privacy AI Security, and Nth Party Risk In the leadership and communications segment, With CISOs stretched thin, re-envisioning enterprise risk may be the only fix, To Lead Through Uncertainty, Unlearn Your Assumptions, Leaders, Consider Pausing Before Acting on Employee Feedback, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-436

Most organizations view security as a cost center, a "check-the-box" expense rather than a strategic investment. This mindset leads to chronic underfunding, reactive, panic-driven decision-making, and high staff turnover. It also hampers innovation, strategic initiatives, and customer trust. What if security was viewed as a business enabler, not a cost center? Elyse Gunn, CISO at Nasuni, joins Business Security Weekly to discuss how to make security a business enabler, turning security from a cost center into a profit center. Elyse discusses why aligning security initiatives to business drivers is the key to addressing trust, both internally and externally, and how it solves the biggest security priorities for organizations, including: Data Privacy AI Security, and Nth Party Risk In the leadership and communications segment, With CISOs stretched thin, re-envisioning enterprise risk may be the only fix, To Lead Through Uncertainty, Unlearn Your Assumptions, Leaders, Consider Pausing Before Acting on Employee Feedback, and more! Show Notes: https://securityweekly.com/bsw-436

Every employer knows to conduct background checks. However, conducting background checks on IT professionals requires an extra layer of verification, given the privileged access they typically have to IT systems and tools. Moreover, in this AI era, background checks need to be deeper and more effective than before–in the past we didn't need to verify... Read more »

All links and images can be found on CISO Series. This week's episode is hosted by David Spark, producer of CISO Series and Andy Ellis, principal of Duha. Joining them is Vikas Mahajan, vp and CISO, American Red Cross. In this episode: Questionnaires aren't risk management The good old days were worse Buying or building your SOC Start the conversation, not the checklist Huge thanks to our sponsor, Adaptive Security Sponsored by Adaptive Security—the first cybersecurity company backed by OpenAI. AI impersonation and deepfakes have made trust the new attack surface. Adaptive runs realistic social-engineering simulations and instantly turns threats, policies, and compliance needs into interactive, multilingual training. Trusted by Fortune 500s. Learn more at adaptivesecurity.com.

Every employer knows to conduct background checks. However, conducting background checks on IT professionals requires an extra layer of verification, given the privileged access they typically have to IT systems and tools. Moreover, in this AI era, background checks need to be deeper and more effective than before–in the past we didn't need to verify... Read more »

Flavius Plesu is the founder and CEO of OutThink, a revolutionary Human Risk Management Platform (SaaS) empowering CISOs by targeting the source of 90% of all data breaches: human behavior. In this episode, he joins host Scott Schober and Adam Keown, CISO at Eastman, to discuss social engineering, humans, and why it's so important to train them. Culture Shapes Security is a Cybercrime Magazine podcast series brought to you by OutThink. To learn more about our sponsor, visit https://outthink.io.

Most cybersecurity people talk at CFOs instead of with them. What if there were a simple test to know when a CFO wants to learn about cyber risk versus when they just need someone to trust? Let's find out with our guest James Wheeler, a highly experienced CFO who now runs kept.pro, providing fractional accounting teams to businesses across the country. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.   LinkedIn: https://www.linkedin.com/in/jamesdavidwheeler/   "Fire Doesn't Innovate" by Kip Boyle: https://a.co/d/0bYatohy

Link to episode page This week's Department of Know is hosted by Rich Stroffolino with guests Montez Fitzpatrick, CISO, Navvis, and Peter Gregory, author. Thanks to our show sponsor, Adaptive Security This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. AI is changing phishing, because persuasion now scales like code. And it's not just email anymore; attackers hit SMS, voice calls, and multi-step scams that jump channels. Adaptive runs AI-powered phishing simulations across email, SMS, and voice, including OSINT-based spearphishing and BEC-style scenarios, so employees practice what attacks look like. Learn more at adaptivesecurity.com. All links and the video of this episode can be found on CISO Series.com

There's concerns among experts following the latest medical platform hack that's left an impact on Kiwis. MediMap is widely used across New Zealand, particularly in aged care, disability, hospice, and community health. Some users' information had been changed, including altering ages, changing patient's names to Charlie Kirk - and claiming living users were deceased. CISO Lens Country Manager Nadia Yousef says it's unclear why this happened, and there's nothing hinting towards extortion or blackmail just yet. "It's not clear who did it, it's very unclear why - there's, I think, a lot more to follow over the next few days." LISTEN ABOVESee omnystudio.com/listener for privacy information.

Nik Seetharaman is a special operations–trained cyber leader turned founder, known for bringing an operator's mindset to some of the most sensitive security programs in American industry. A former JSOC advance‑force operator attached to an East Coast Naval Special Warfare squadron, he ran advanced cyber warfare and close‑range reconnaissance missions before crossing over into the world of high‑stakes defense technology and enterprise security. In industry, Nik helped build and lead security at three of the most influential defense‑tech companies of the last decade. He served as head of cybersecurity operations at SpaceX and later led international cyber defense programs at Palantir, giving him a front‑row seat to how software, data, and security shape modern national power. He then became CIO and CISO at Anduril Industries, where he built the company's cybersecurity and weapons‑system security programs from the ground up while Anduril was racing to field autonomous systems for the Pentagon. Today, Nik is the founder and CEO of Wraithwatch, a cyber defense company born from his frustration that defenders are almost always forced to react second. At Wraithwatch, he is focused on “weaponizing” AI for defense at scale—using advanced models to help blue teams pre‑empt and out-iterate attackers instead of learning only from breaches and red‑team reports. Across each chapter of his career, he has carried forward the same core idea: apply special operations discipline, speed, and clarity of mission to how software, security teams, and AI‑driven defenses are built and run. Join the Waitlist - https://theglacierapp.com/waitlist Shawn Ryan Show Sponsors: Get started with Claude today at https://Claude.ai/srs Visit https://mauinuivenison.com/srs for a special deal for listeners of this show only. Go to https://helixsleep.com/SRS for 27% Off Sitewide. Go to https://shopbeam.com/SRS and use code SRS to get up to 50% off Beam Dream Nighttime Cocoa—grab it for just $32.50 and improve your sleep today. Try Rho Nutrition today and experience the difference of Liposomal Technology. Use code SRS for 20% OFF everything at https://www.rhonutrition.com/discount/SRS Nik Seetharaman Links: LI - https://www.linkedin.com/in/nikseetharaman Wraithwatch - https://www.wraithwatch.com X - https://x.com/nikseeth Learn more about your ad choices. Visit podcastchoices.com/adchoices

In this episode of the Shift AI Podcast, Scott Roberts, CISO at UiPath, joins host Boaz Ashkenazy for a deep dive into how agentic AI is reshaping enterprise security and automation—both for customers and inside UiPath itself.Scott shares his 25-year security journey spanning Microsoft's early Security Response Center days (including the era that produced Patch Tuesday and the Security Development Lifecycle), product security work across Windows and Xbox, time at AWS, and leadership roles at Google where he helped build the Android Security Assurance and Pixel Security teams and the Android Monthly Security Update process. He also discusses his work in security standards across IPsec, HTML5 encrypted media, GSMA device security, and most recently, contributions to emerging agentic AI security standards.The conversation then explores UiPath's evolution from traditional RPA into a unified platform that combines deterministic automation with agentic workflows. Scott walks through a real-world healthcare billing example where agentic automation increased deduplication accuracy dramatically by handling complex, variable inputs that classic RPA struggled with—while still keeping humans in the loop and feeding outcomes back into the system to improve over time.Boaz and Scott go deep on what's changed for CISOs in the post-LLM world: the need for guardrails, identity and entitlements for AI agents, and the challenge of end users copying sensitive information into consumer AI tools. Scott explains UiPath's approach: enable adoption while using nudges and policy controls to redirect sensitive workflows into enterprise-safe environments rather than relying solely on blocks.The episode closes with an eye-opening look at UiPath's internal “agentic threat analyst” system—an orchestration of 60+ agents that can investigate SIEM alerts end-to-end, generate structured incident writeups, and compress hours of analyst work into roughly a minute and a half. Scott's future-looking takeaway: as AI models evolve beyond “read-only” into potentially “read-write” systems that can update their foundational knowledge, the acceleration could be truly mind-blowing.This episode is essential listening for security leaders, enterprise operators, and automation teams trying to understand how agentic systems change not just productivity, but the entire security operating model.Chapters[00:01] Scott's Security Journey: Microsoft, Google, Coinbase, UiPath[01:33] Security Standards Work: From IPsec to Agentic AI Standards[04:08] What UiPath Does: Process Orchestration, RPA, and Enterprise Automation[06:28] RPA vs Agentic Automation: A Healthcare Billing Deduplication Example[09:17] The Agentic Stack: Canvas, Guardrails, and the AI Trust Layer[10:31] How LLMs Change Security: Data Controls, Access, and Governance[12:14] Internal Adoption at UiPath: AI Tooling by Persona (Legal, Finance, Engineering)[13:13] Code Velocity and Security: Agents Generating Code, Agents Verifying It[15:53] Two AI Security Worlds: Orchestration Platforms vs End-User Chat Interfaces[17:11] Securing End Users: Enterprise LLMs, Nudges, and Browser-Based Controls[19:07] Sovereign AI and Data Boundaries: Keeping Data in the Right Region[21:00] Over-Permissioning Meets Agents: Why AI Makes Old Problems Obvious Fast[22:21] The Next Wave: AI Transforming the Entire SDLC End-to-End[24:53] Security Pitfalls in Agentic SDLC: Misaligned Incentives and Permissions[26:02] UiPath's Agentic Threat Analyst: 60+ Agents, SIEM to Writeup Automation[30:07] What Changes for Humans: Faster “Time to Truth” and Higher-Leverage Work[32:09] Two-Word Future: “Mind Blowing” and Read/Write ModelsConnect with Scott RobertsLinkedIn: https://www.linkedin.com/in/scottroberts6/Connect with Boaz AshkenazyLinkedIn: https://www.linkedin.com/in/boazashkenazy/Email: info@shiftai.fm

Have you ever wondered why "compliance" still gets treated like a slow, spreadsheet-heavy chore, even though the rest of the business is moving at machine speed? In this episode of Tech Talks Daily, I sit down with Matt Hillary, Chief Information Security Officer at Drata, to talk about what actually changes when AI and automation land in the middle of governance, risk, and compliance. Matt brings a rare viewpoint because he lives this day-to-day as "customer zero," running Drata internally while also leading IT, security, GRC, and enterprise apps. We get practical fast. Matt shares how AI-assisted questionnaire workflows can turn a 120-question security assessment from a late-afternoon time sink into something you can complete with confidence in minutes, then still make it upstairs in time for dinner. He also explains how automation flips the audit dynamic by moving from random sampling to continuous, full-population checks, using APIs to validate evidence at scale, without hounding control owners unless something is actually wrong. We also talk about what security leadership really looks like when the stakes rise. Matt reflects on lessons from his time at AWS, why curiosity and adaptability matter when the "canvas" keeps changing, and how customer focus becomes the foundation of trust. That theme runs through the whole conversation, including the idea that the CISO role is steadily turning into a chief trust officer role, where integrity, transparency, and credibility under pressure matter as much as tooling. And because burnout is never far away in security, we dig into the human side too. Matt unpacks how automation can reduce cognitive load, but also warns about swapping one kind of pressure for another, especially when teams get trapped producing endless dashboards and vanity metrics instead of focusing on the few measures that actually reduce risk. To wrap things up, Matt leaves a song for the playlist, Illenium's "You're Alive," plus a book recommendation, "Lessons from the Front Lines, Insights from a Cybersecurity Career" by Asaf Karen, which he says stands out for how it treats the human side of security leadership. If you're thinking about modernizing compliance in 2026 without losing the human element, his parting principle is simple and powerful: be intentional, keep asking why, and spend your limited time on what truly matters. So where do you land on this shift toward continuous trust, do you see it becoming the default expectation for buyers and auditors, and what should leaders do now to make sure automation reduces pressure instead of quietly adding more? Share your thoughts with me, I'd love to hear how you're approaching it.

In this video David speaks to Peter Bailey (SVP and GM of Cisco's Security business). AI agents are moving fast inside enterprises, and CISOs are hitting the brakes for one reason: the attack surface is expanding at machine speed. In this interview, we break down how agentic AI changes security, why MCP servers and agent tool access create new risks, and what a zero trust approach looks like when the “user” is a non-deterministic agent. We cover real-world problems like shadow MCP servers, agents touching sensitive systems and PII, and why traditional perimeter controls and firewalls are not enough when traffic is encrypted and actions happen too quickly downstream. You'll also hear what Cisco is doing across the AI lifecycle: AI Defense for model scanning, provenance and guardrails, plus new protections focused on agent identity, dynamic authorization, behavior monitoring, and revocation. On the networking side, we discuss how SD-WAN and secure access (SASE) can add visibility and policy control for AI usage, including prioritizing latency-sensitive AI traffic while still enforcing security. If you're a security engineer, network engineer, or CISO trying to move from AI hype to safe deployment, this video gives you a practical mental model and the controls to start building now. Big thank you to ‪@Cisco‬ for sponsoring this video and for sponsoring my trip to Cisco Live Amesterdam. // Peter Baily' SOCIALS // LinkedIn: / peterhbailey Guest Bio: https://newsroom.cisco.com/c/r/newsro... // David's SOCIAL // Discord: discord.com/invite/usKSyzb Twitter: www.twitter.com/davidbombal Instagram: www.instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: www.facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal YouTube: / @davidbombal Spotify: open.spotify.com/show/3f6k6gE... SoundCloud: / davidbombal Apple Podcast: podcasts.apple.com/us/podcast... // MY STUFF // https://www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com // MENU // 0:00 - Coming Up 0:30 - Introduction 01:15 - CISOs Problems with AI 02:35 - Real Issues with AI Agents 04:29 - Growth of the Attack Surface 05:34 - Concern of Poisoned AI and MCP 08:09 - What is the Kill-chain 10:16 - AI with Built-in Security 11:56 - Best Practises for AI Security 14:08 - Cisco Innovations for AI 16:48 - Cisco's Red Team for own AI 18:27 - Secure AI in Public Places 20:09 - Should You get into Cyber Security 21:26 - Advice To Your Younger Self 22:29 - Outro Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! Disclaimer: This video is for educational purposes only. #cisco #ciscoemea #ciscolive

In this episode of The New CISO, host Steve Moore speaks with Dean Sapp, CISO and Data Protection Officer at Filevine, about one of security's most critical yet overlooked skills—written communication. Drawing from a brutal college English class that failed students for a single typo and over 20 years building security programs in the legal tech industry, Dean reveals why the ability to articulate security findings clearly separates average professionals from exceptional leaders who drive real business impact.After abandoning architecture when he learned it would take six years to become licensed, Dean leveraged his dual skills in computer-aided drafting and IT to launch a career at Novell, eventually earning nine certifications in two years and a master's degree from SANS Institute. His background in design thinking shapes how he approaches security program development—viewing it like building a structure that requires solid foundations, functional systems, and even window dressing like SOC 2 compliance.After interviewing over 100 candidates for SOC positions, Dean identifies the biggest missing skill as the inability to translate security findings into business language executives understand and act upon. He introduces the BLUF (Bottom Line Up Front) principle from military communications, explaining why security professionals have roughly eight seconds to capture executive attention. Dean champions radical transparency through simple frameworks—using stoplight systems or report card grades to communicate security posture, deliberately giving his own program failing marks in areas needing improvement to build trust.Dean tackles operational communication breakdowns that create real security risk, emphasizing mandatory peer review before escalating incidents. This two-person rule dramatically improves report quality while reducing false positives that waste senior leadership time. He shares how this high-standards approach helped Filevine achieve best-in-class cyber insurance rates, with underwriters calling their security program superior to any SaaS provider they'd evaluated. Drawing on Erik Durschmied's "The Hinge Factor," he illustrates how small communication failures doom missions—just as cavalry troops charging cannons failed because not one rider carried the nails and hammer needed to disable them.Throughout the discussion, Dean emphasizes holding yourself to impossibly high standards so that external auditors find you excellent. He advocates for brutal honesty about program gaps, documenting accepted risks clearly, and using tools like Grammarly Premium to improve writing quality. His philosophy combines military precision, architectural thinking, and pedagogical discipline—all in service of making security programs that actually work rather than just looking good on paper.Key Topics Discussed:* Why written communication is security's most critical missing skill* BLUF (Bottom Line Up Front): Capturing executive attention in 8 seconds* Using stoplight or report card systems for transparent board reporting* Giving your security program honest grades to build executive trust* Mandatory peer review before escalation to reduce false positives* How Filevine achieved best-in-class cyber insurance rates* The two-person rule for improving incident report quality* Lessons from "The Hinge Factor" about preparation and tools* Holding impossibly high standards so external auditors find you excellent* Translating technical findings into business impact languageLEARN MORE:

Chris and Hector sit down with an anonymous CISO who pulls back the curtain on how cybersecurity actually works inside large organizations. From security theater and boardroom politics to AI risk, bug bounties, and why CISOs are often the fall guy during major incidents, the conversation gets candid fast. Join our Patreon for weekly bonus episodes: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.patreon.com/c/hackerandthefed⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Send HATF your questions at ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠questions@hackerandthefed.com

Send a textWelcome to the newest episode of the Serious Privacy podcast, where hosts Paul Breitbarth and Dr. K Royal discuss the privacy and data protection news of the past couple of weeks. This week, Paul rants about digital sovereignty, K discusses new American legislation, especially to protection children's data, and together they also talk about the latest WhatsApp decision from the Court of Justice of the European Union. If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us! From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0. with the voiceover by Tim Foley.

All links and images can be found on CISO Series. This week's episode is hosted by David Spark, producer of CISO Series and Steve Zalewski. Joining them is Tammy Klotz, CISO, Trinseo. In this episode: Accountability without authority Kill your hacklore Voice is no longer enough Studies that tell us what we already know Huge thanks to our sponsor, ThreatLocker Want real Zero Trust training? Zero Trust World 2026 delivers hands-on labs and workshops that show CISOs exactly how to implement and maintain Zero Trust in real environments. Join us March 4–6 in Orlando, plus a live CISO Series episode on March 6. Get $200 off with ZTWCISO26 at ztw.com.

How can you help your loved ones navigate and securely adopt AI tools ? Will Gardner, CEO of Childnet joins the show for a vital conversation about helping families use AI safely. We talk about Childnet's latest research and the practical ways you can become a digital role model and start better AI conversations at home.

Ron Green is the partner CISO at 5OH Consulting and former cybersecurity fellow at Mastercard. In this episode, he joins host Kris Lovejoy, Global Head of Strategy at Kyndryl, to discuss his shift from an organizational role to a strategic vantage point, what CISOs today should be aware of, and more. As the global leader in IT infrastructure services, Kyndryl advances the mission-critical technology systems the world depends on every day. Collaborating with a vast network of partners and thousands of customers worldwide, Kyndryl's team of highly skilled experts develops innovative solutions that empower enterprises to achieve their digital transformation goals. Learn more about our sponsor at https://kyndryl.com.

Link to episode page This week's Department of Know is hosted by Sarah Lane with guests Jon Collins, Field CTO, GigaOm, and Adam Palmer, CISO, First Hawaiian Bank Thanks to our show sponsor, Conveyor Ever dream of giving customers instant answers to their security questions without ever filling out another questionnaire? Meet Conveyor's new Trust Center Agent. The Agent lives in your Conveyor Trust Center and answers every customer question, surfaces documents and even completes full questionnaires instantly so customers can finish their review and be on their way. Top tech companies like Atlassian, Zapier, and more are using Conveyor to automate away tedious work. Learn more at www. conveyor.com. All links and the video of this episode can be found on CISO Series.com    

Tim Crawford and Isaac Sacolick, both former Chief Information Officers and world-class CIO advisors, join Michael Krigsman on CXOTalk episode 909 to break down why enterprise AI strategies are failing, what separates transformational CIOs from those who are drowning, and why earning your seat at the table matters more than ever in 2026.You'll discover:✅ Why Tim says both AI strategy AND IT execution are failing, and what CIOs are focused on instead of outcomes✅ The "three-legged race" framework: how CIO behavior, IT culture, and external perception must align for strategic credibility✅ Why most CIOs have only a "layperson's understanding" of their own business, and how that kills AI value✅ Tim's two swim lanes of AI success: invisible integration or robust training (there is no middle ground)✅ Why Isaac says AI is "reshaping" business but not yet "transforming" it, and the product management shift that changes everything✅ How to evaluate agentic AI: the human-in-the-loop vs. human-out-of-the-loop decision framework and why cybersecurity proves you can't wait✅ The shadow AI paradox: why the best CIOs encourage it (with guardrails) instead of shutting it down✅ The three skills every IT professional needs now: business acumen, critical thinking, and data literacy⏱️ TIMESTAMPS0:00 Cold open: "If you think you should have a seat at the table, you've failed"0:35 Why both AI strategy and IT execution are failing2:08 The productivity measurement problem with AI2:45 What CEOs and boards want from CIOs in 20264:28 Why CIOs don't truly understand their business6:54 Why organizations are stuck in AI pilot mode9:04 Tim's 2 swim lanes: invisible AI vs. training-wrapped AI11:23 Audience Q&A: Inside-out thinking vs. outside-in thinking14:34 The 3-legged race: earning your seat at the table17:09 Moving from AI efficiency to true business transformation20:03 The shift from project-oriented to product-oriented IT20:31 AI governance, CISO alignment, and data sensitivity27:15 Agentic AI: fully autonomous vs. human-in-the-loop34:46 Agentic AI strategy and the value equation (opportunity minus cost)38:46 Shadow AI: innovation source or security threat?43:00 Governance as culture, not a bolt-on46:00 The AI skills gap: business acumen, critical thinking, data skills, and curiosity49:46 Are survival-mode CIOs sabotaging their careers?52:15 What CIO greatness looks like in 2026

Join us as Marian explains what AI governance means for vSphere administrators and why it matters now. Marian walks through practical governance frameworks that vSphere admins need to understand, from IEEE 7000 series standards to mapping governance controls onto infrastructure you already manage. You'll learn what your CISO will ask for, how to respond using your existing VMware stack, and why governance isn't about slowing innovation� it's about enabling it safely. This episode covers real-world scenarios from data lineage and model transparency to integrating governance tools with existing infrastructure, and addresses the gap between compliance requirements and practical implementation for virtualized environments. Timestamps 0:00 Welcome & Introduction 5:16 Marian's Background in Tech & Governance 6:37 What is Governance? 12:45 IEEE 7000 Series Standards Overview 18:22 AI Governance for vSphere Admins 24:16 Data Lineage & Model Transparency 30:41 Risk Assessment Frameworks 36:52 Practical Implementation Strategies 42:18 Integration with Existing Tools 47:35 Common Governance Challenges 51:12 Vendor Landscape Discussion 54:27 Missing Innovation in the Space 58:09 Wrap-up & Resources How to find Marian: https://www.linkedin.com/in/mariannewsome/ Links from the show: https://ethicaltechmatters.com/

Cybersecurity Maturity Model Certification (CMMC) compliance is essential in the space industry. We explore space supply chain cybersecurity with Frank Chimenti, Director of Programs at Beyond Gravity, and Regan Edens, CISO at DTC Global. You can connect with Frank and Regan on LinkedIn, and learn more about CMMC compliance for space here. Remember to leave us a 5-star rating and review in your favorite podcast app. Be sure to follow T-Minus on LinkedIn and Instagram. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at space@n2k.com to request more info. Want to join us for an interview? Please send your pitch to space-editor@n2k.com and include your name, affiliation, and topic proposal. T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

All links and images can be found on CISO Series. Check out this post by Dr. Chase Cunningham, CSO at Demo-Force, for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is Brett Conlon, CISO, American Century Investments. In this episode: The experience paradox Who benefits from the narrative Kitchen sink job postings The aggregation problem Huge thanks to our sponsor, Scanner All your security logs end up in cloud storage like AWS S3. Scanner makes them searchable in seconds and runs real-time detections directly on that data. No pipelines, no re-ingestion. 100x faster than traditional data lakes, 10x cheaper than SIEMs. Loved by analysts. Built for AI agents. Learn more at scanner.dev  

Send a textWelcome to the newest episode of the Serious Privacy podcast, where hosts Paul Breitbarth, Ralph O'Brien, and Dr. K Royal connect with Josh Schwartz of Phaselaw to discuss the increasing use of data subject access rights (DSARs) as a weapon. The resources required to handle such requests can be quite extensive. How do companies keep up? Maybe Josh has some insight. If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us! From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0. with the voiceover by Tim Foley.

Greg Crowley is the CISO at eSentire. In this episode, he joins host Charlie Osborne to discuss the concerning jump in account compromise in 2025, how best to stop identity attacks, and more. eSentire is the Authority in Managed Detection and Response. eSentire's mission is to hunt, investigate and stop cyber threats before they become business disrupting events. To learn more about our sponsor, visit https://esentire.com

Please enjoy this encore of CISO Perspectives. In the season finale of CISOP, Kim Jones is joined by N2K's own Ethan Cook to reflect on the conversations that shaped this season. Together, they revisit standout moments from Kim's interviews, unpacking their significance and getting Ethan's fresh perspective on the cybersecurity workforce challenge—as someone viewing the industry from the outside. Since the mid-season reflection, Kim has explored a wide range of workforce issues, including skills mapping, talent identification, and the evolving strategies needed to close cybersecurity's talent gap. Survey: We want to hear your perspectives on this season, fill out our audience survey before August 31st. Learn more about your ad choices. Visit megaphone.fm/adchoices

The recent U.S. Executive Order 14365, Ensuring a National Policy Framework for Artificial Intelligence, is the administration's latest attempt to prevent the enforcement of most of the AI laws passed in individual US states. Because it is only an executive order (EO), it cannot directly nullify, supersede, forestall, or put a pause on state-level laws.... Read more »

All links and images can be found on CISO Series. This week's episode is hosted by David Spark, producer of CISO Series and Andy Ellis, principal of Duha. Joining them is Russ Ayres, CISO, Principal Financial Group. In this episode: Metrics that matter Tool babysitting problem Automating the brokenness Stay connected intentionally Huge thanks to our sponsor, Strike48 Strike48 is the Agentic Log Intelligence Platform that actually puts AI agents to work, combining full log visibility with AI agents that investigate, detect, and respond 24/7. With pre-built agent clusters for security and a no-code agentic workflow builder, it's easy to get started. Learn more at strike48.com/security.  

None of Your Goddamn BusinessJohn Morgan Salomon said something during our conversation that I haven't stopped thinking about. We were discussing encryption, privacy laws, the usual terrain — and he cut through all of it with five words: "It's none of your goddamn business."Not elegant. Not diplomatic. But exactly right.John has spent 30 years in information security. He's Swiss, lives in Spain, advises governments and startups, and uses his real name on social media despite spending his career thinking about privacy. When someone like that tells you he's worried, you should probably pay attention.The immediate concern is something called "Chat Control" — a proposed EU law that would mandate access to encrypted communications on your phone. It's failed twice. It's now in its third iteration. The Danish Information Commissioner is pushing it. Germany and Poland are resisting. The European Parliament is next.The justification is familiar: child abuse materials, terrorism, drug trafficking. These are the straw man arguments that appear every time someone wants to break encryption. And John walked me through the pattern: tragedy strikes, laws pass in the emotional fervor, and those laws never go away. The Patriot Act. RIPA in the UK. The Clipper Chip the FBI tried to push in the 1990s. Same playbook, different decade.Here's the rhetorical trap: "Do you support terrorism? Do you support child abuse?" There's only one acceptable answer. And once you give it, you've already conceded the frame. You're now arguing about implementation rather than principle.But the principle matters. John calls it the panopticon — the Victorian-era prison design where all cells face inward toward a central guard tower. No walls. Total visibility. The transparent citizen. If you can see what everyone is doing, you can spot evil early. That's the theory.The reality is different. Once you build the infrastructure to monitor everyone, the question becomes: who decides what "evil" looks like? Child pornographers, sure. Terrorists, obviously. But what about LGBTQ individuals in countries where their existence is criminalized? John told me about visiting Chile in 2006, where his gay neighbor could only hold his partner's hand inside a hidden bar. That was a democracy. It was also a place where being yourself was punishable by prison.The targets expand. They always do. Catholics in 1960s America. Migrants today. Anyone who thinks differently from whoever holds power at any given moment. These laws don't just catch criminals — they set precedents. And precedents outlive the people who set them.John made another point that landed hard: the privacy we've already lost probably isn't coming back. Supermarket loyalty cards. Surveillance cameras. Social media profiles. Cookie consent dialogs we click through without reading. That version of privacy is dead. But there's another kind — the kind that prevents all that ambient data from being weaponized against you as an individual. The kind that stops your encrypted messages from becoming evidence of thought crimes. That privacy still exists. For now.Technology won't save us. John was clear about that. Neither will it destroy us. Technology is just an element in a much larger equation that includes human nature, greed, apathy, and the willingness of citizens to actually engage. He sent emails to 40 Spanish members of European Parliament about Chat Control. One responded.That's the real problem. Not the law. Not the technology. The apathy.Republic comes from "res publica" — the thing of the people. Benjamin Franklin supposedly said it best: "A republic, if you can keep it." Keeping it requires attention. Requires understanding what's at stake. Requires saying, when necessary: this is none of your goddamn business.Stay curious. Stay Human. Subscribe to the podcast. And if you have thoughts, drop them in the comments — I actually read them.Marco CiappelliSubscribe to the Redefining Society and Technology podcast. Stay curious. Stay human.> https://www.linkedin.com/newsletters/7079849705156870144/Marco Ciappelli: https://www.marcociappelli.com/John Salomon Experienced, international information security leader. vCISO, board & startup advisor, strategist.https://www.linkedin.com/in/johnsalomon/  Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

Show NotesMost organizations treat cybersecurity as a technology problem. They invest in layers of defense, run phishing tests, and deploy identity and access management tools. Yet headlines about breaches keep coming. Dr. Keri Pearlson, Senior Lecturer and Principal Research Scientist at the MIT Sloan School of Management, argues that the real opportunity lies not in more technology but in changing how people across the organization think about and value cybersecurity.In this episode of the Human-Centered Cybersecurity Series, co-hosted by Julie Haney, Computer Scientist and Lead of the Human-Centered Cybersecurity Program at the National Institute of Standards and Technology (NIST), Dr. Keri Pearlson introduces her framework for cybersecurity culture built around values, attitudes, and beliefs. Rather than simply training employees on what to do, the focus shifts to shaping why they do it. When people genuinely believe cybersecurity matters, they take action without waiting for mandates or programs to tell them how.Dr. Pearlson shares vivid examples from her research: a CISO who hired a marketing professional to run the cybersecurity culture program, a CEO who opens every all-hands meeting with a five-minute cybersecurity story, and organizations that use creative rewards like chocolate chip cookies and digital badges to reinforce positive behaviors. She also outlines a five-stage maturity model for cybersecurity culture, from ad hoc efforts all the way to a dynamic culture that self-regulates as new threats like AI-driven vulnerabilities emerge.The conversation also tackles the relationship between organizational culture and cybersecurity culture, the role of group-level accountability, and why consequences matter just as much as rewards. Dr. Pearlson makes the case that cybersecurity should move from being viewed as an infrastructure play to a strategic advantage, one that can attract customers, reduce costs, and build competitive differentiation.For any leader looking to move the needle on security culture, this episode offers a research-backed roadmap and practical steps that anyone can take starting tomorrow.HostSean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/Guest(s)Dr. Keri Pearlson, Senior Lecturer and Principal Research Scientist at MIT Sloan School of Management | On LinkedIn: https://www.linkedin.com/in/kpearlson/Julie Haney (Co-Host), Computer Scientist and Lead, Human-Centered Cybersecurity Program at National Institute of Standards and Technology (NIST) | On LinkedIn: https://www.linkedin.com/in/julie-haney-037449119/ResourcesLearn more about Dr. Keri Pearlson's research: https://mitsloan.mit.edu/faculty/directory/keri-pearlsonLearn more about the NIST Human-Centered Cybersecurity Program: https://csrc.nist.gov/projects/human-centered-cybersecurityCybersecurity at MIT Sloan (CAMS): https://cams.mit.edu/The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/More Redefining CyberSecurity Podcast episodes | https://www.seanmartin.com/redefining-cybersecurity-podcastRedefining CyberSecurity Podcast on YouTube | https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYqKeywordsdr. keri pearlson, julie haney, mit sloan, nist, sean martin, cybersecurity culture, security culture, values attitudes beliefs, cyber resilience, human-centered cybersecurity, security awareness, phishing, cybersecurity maturity model, security behavior, cybersecurity strategy, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

What if the real risk isn't adopting AI agents, but refusing to? James Nettesheim, CISO & Head of Enterprise Technology at Block, argues that principled risk-taking beats playing it safe. James shares Block's journey co-designing the Model Context Protocol with Anthropic and building Goose, their open-source general-purpose agent that enables anyone in the company to write security detections using natural language.James also explores Block's Binary Intelligent Triage system achieving 99.9% accuracy, their data safety levels framework, and practical strategies for balancing autonomous AI capabilities with human oversight. James offers candid insights about implementing AI security principles, the evolution from tool experts to domain experts, and why open source remains fundamental to Block's mission of economic empowerment and technological innovation. Topics discussed:Co-designing of MCP with Anthropic and developing of Goose as an open-source general-purpose AI agentImplementing prompt injection defenses and adversarial AI concepts to harden Goose against malicious instructions and attacksRolling out AI responsibly through data safety levels modeled after CDC bio-contamination protocols for sensitive data handlingDemocratizing detection engineering by enabling anyone at Block to write detections using natural languageAchieving 40% of new detections created with AI assistance through recipes, playbooks, and automated tuning capabilitiesBuilding Binary Intelligent Triage system that analyzes historical alerts and investigations to achieve 99.9% automated triage accuracyBalancing autonomous AI capabilities with human oversight, requiring PR reviews and maintaining accountability for agent-generated codeTransitioning from tool expertise to domain expertise as the future skill set needed for detection and response professionalsBlock's commitment to open source development driven by economic empowerment mission and desire to build accessible financial tools Listen to more episodes: Apple Spotify YouTubeWebsite

The recent U.S. Executive Order 14365, Ensuring a National Policy Framework for Artificial Intelligence, is the administration's latest attempt to prevent the enforcement of most of the AI laws passed in individual US states. Because it is only an executive order (EO), it cannot directly nullify, supersede, forestall, or put a pause on state-level laws.... Read more »

Can cyber risk actually be measured in dollars? How do you know if your risk data vendor is any good? And is cyber insurance really worth the investment? Let's find out with our guest Scott Stransky, who leads the Cyber Risk Intelligence Center at Marsh and was named 2023 Cyber Risk Industry Person of the Year. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.  LinkedIn profile -- https://www.linkedin.com/in/scott-stransky-92659095/ Top 12 Report -- https://www.marsh.com/en/services/cyber-risk/insights/cybersecurity-signals.html                          Marsh Cyber Risk Intelligence Center -- https://www.corporate.marsh.com/solutions/cyber-resilience/cyber-risk-intelligence-center.html  

Link to episode page This week's Department of Know is hosted by Rich Stroffolino with guests Nick Ryan, former CISO, and Chris Ray, Field CTO, GigaOm Thanks to our show sponsor, ThreatLocker Want real Zero Trust training? Zero Trust World 2026 delivers hands-on labs and workshops that show CISOs exactly how to implement and maintain Zero Trust in real environments. Join us March 4–6 in Orlando, plus a live CISO Series episode on March 6. Get $200 off with ZTWCISO26 at  ztw.com. All links and the video of this episode can be found on CISO Series.com      

Please enjoy this encore of CISO Perspectives. In this mid-season episode, Kim takes a step back to reflect on the journey so far—revisiting key conversations, standout moments, and recurring themes that have shaped the season. During the episode, Kim sits down with N2K's own Ethan Cook to connect the dots across episodes, uncovering deeper patterns and takeaways. Whether you're catching up or tuning in weekly, this episode offers a thoughtful recap and fresh perspective on where we've been—and what's still to come. Learn more about your ad choices. Visit megaphone.fm/adchoices