Today’s headline news for Canadian IT solution providers:

* Kaseya MSP Success ecosystem: Kaseya has launched MSP Success, a unified growth initiative led by EVP of Channel Dan Tomaszewski and backed by a 140-person global team. The ecosystem consolidates three programs: MSP Success Digital Marketing (AI-powered lead generation, website, and SEO/AEO tools in Express and Pro tiers), MSP Success Peer (combining TruMethods Peer and Technology Marketing Toolkit into a single accountability network), and the Kaseya Community hub at MSPsuccess.com. The launch is framed around a finding from Kaseya’s own 2026 State of the MSP Report: 71% of MSPs say acquiring new customers is their single biggest challenge.
* Zscaler agentic AI security: Zscaler has announced major innovations to its Zero Trust Exchange platform at Zenith Live 2026, including three new capabilities for securing agentic AI: Zscaler AI Broker (securing MCP and A2A agent communications via an integrated Agent Registry), Zscaler Endpoint AI Security (detecting AI-related threats in browsers, plugins, and local tools), and Zscaler AI Access Graph (mapping identities, apps, and data sources in real time, powered by the Symmetry Systems acquisition). The company is positioning this as the industry’s first complete Zero Trust platform for Agentic AI.
* FlexPoint AI agents for MSPs: FlexPoint launched what it describes as the first AI-powered agents purpose-built for the MSP back-office, built into its AI-native accounts receivable platform. According to FlexPoint, the agents automate billing, collections, payment reconciliation, and client follow-up workflows, and are designed to integrate into existing MSP toolstacks without requiring additional administrative headcount.
* Kaseya State of the MSP Report context: The 2026 Kaseya State of the MSP Report finds 48% of MSPs rank AI as their top client need, while difficulty hiring skilled technicians has risen from 9% to 16% year over year, compounding the business development challenges MSP Success is designed to address.
* DTEX behavior intelligence: DTEX Systems has announced a new behavior intelligence tool built specifically for its partner ecosystem, using behavioral science and machine learning to flag anomalies that indicate potential insider risk or accidental data loss events.
* ConnectSecure Patch 360: ConnectSecure launched Patch 360, a centralized patch management platform purpose-built for MSPs, offering consolidated visibility across endpoints and third-party applications to streamline remediation workflows.
* Tumeryk and CSA AI Trust Score: Tumeryk has announced a collaboration with the Cloud Security Alliance on the RiskRubric v2 AI risk framework, now covering agentic AI and MCP servers, and has launched its AI Trust Score assessment service in beta.

Welcome to The Buzz from ChannelBuzz.ca, I’m Robert Dutt, today is Wednesday, June 10, and here’s what’s happening in the channel today. Kaseya yesterday launched MSP Success, a unified growth ecosystem designed to tackle what its own research identifies as the managed service provider community’s single biggest problem. According to Kaseya’s 2026 State of the MSP Report, 71% of MSPs say acquiring new customers is their primary challenge. MSP Success is Kaseya’s answer – a three-pillar initiative that consolidates the company’s existing growth programs under one roof. The first pillar, MSP Success Digital Marketing, is a new platform offering conversion-focused websites, AI-powered search and answer engine optimization, local search visibility, automated lead generation, and access to a dedicated marketing specialist. The platform comes in Express and Pro tiers depending on scale.
The second pillar, MSP Success Peer, unifies two programs Kaseya has operated separately until now – TruMethods Peer and Technology Marketing Toolkit – into a single global accountability network with quarterly in-person meetings across North America, EMEA, and APAC. The third pillar is the Kaseya Community hub at MSPsuccess.com, a centralized resource and learning portal. The initiative is led by Dan Tomaszewski, EVP of Channel, supported by a 140-person global team. In a sector where technical excellence is table stakes, this is a signal that Kaseya is investing meaningfully in the business side of running an MSP, not just the tooling. Zscaler yesterday used its Zenith Live 2026 conference in Las Vegas to announce what it describes as the industry’s first complete Zero Trust platform for Agentic AI. The announcement extends Zscaler’s Zero Trust Exchange to address a challenge traditional security tools were not designed to handle: autonomous AI agents that operate at machine speed, create ephemeral identities, and access sensitive data in ways that conventional perimeter and identity-based tools cannot fully see or control. The centerpiece of the announcement is Zscaler AI Broker, which secures agent-to-agent and MCP-based communications through an integrated Agent Registry that governs what each AI agent is permitted to access. Alongside that, Zscaler introduced Endpoint AI Security, targeting threats hidden in browsers, plugins, extensions, and local AI tools that many legacy endpoint products miss. A third new capability, AI Access Graph, powered by Zscaler’s earlier acquisition of Symmetry Systems, maps how identities, applications, and data sources connect across an enterprise to enable real-time policy enforcement and data lineage tracking. For MSSPs building managed AI security practices, this is a significant platform update from one of the key SASE and zero trust providers in the market. 
FlexPoint yesterday launched what it is positioning as the first AI-powered agents purpose-built for the MSP back-office. The company, which operates an AI-native accounts receivable platform for service providers, says the new agents are designed to automate the financial workflows that consume significant administrative time inside MSP operations – billing, collections, payment reconciliation, and client follow-up. According to FlexPoint, the agents integrate directly into existing MSP toolstacks and are designed to work without requiring dedicated back-office headcount. The core argument from FlexPoint is that MSP revenue growth often stalls not because of a shortage of clients, but because back-office operations don’t scale proportionally. That framing aligns with the theme emerging from Kaseya’s research and this morning’s news – that the constraint on MSP growth is increasingly on the business operations side, not the technical side. In Brief – Kaseya’s announcement follows its own 2026 State of the MSP Report, which also finds that 48% of MSPs rank AI as their top client need and that difficulty hiring skilled technicians has nearly doubled year-over-year. DTEX Systems announces a new behavior intelligence tool built for its partner ecosystem, designed to detect insider risk through behavioral analytics and machine learning anomaly detection. ConnectSecure launches Patch 360, a new patch management platform purpose-built for MSPs, offering a centralized view across endpoints and third-party applications. Tumeryk and the Cloud Security Alliance announce a collaboration on RiskRubric v2, an AI risk assessment framework that now covers agentic AI and MCP servers, with Tumeryk launching its AI Trust Score assessment service as part of the ecosystem. 
Later today on In The Channel, ESTI Consulting Services’ Earl Gosick brings a Prairie data center perspective to a conversation about AI infrastructure, cyber resilience, and why the storage conversation is the one Canadian partners should be having right now. And if you haven’t heard it yet, yesterday’s episode features AWS Canada’s Martin Brazonet and CGI’s Dinesh Bhavsar on the launch of the AWS Partner Innovation Hub in Toronto – and why the gap between AI prototype and production is where the real partner opportunity sits. That’s how we’re seeing the headlines today. I’m Robert Dutt for ChannelBuzz.ca, thanks for listening. Have a great day.
A newly disclosed attack called HTTP/2 Bomb can crash major web servers in seconds using a single computer and a modest internet connection. Researchers say the attack combines two known techniques into a powerful memory-exhaustion exploit affecting widely used platforms including Apache, NGINX, Microsoft IIS, and Envoy. The attack also highlights a growing trend in cybersecurity research: the use of artificial intelligence to uncover dangerous combinations of existing vulnerabilities.

The episode also examines President Trump's new executive order creating a voluntary framework for reviewing advanced AI models before public release. The administration says the goal is to improve cybersecurity and national security visibility while avoiding mandatory regulation or licensing requirements.

Next, a new Cloud Security Alliance report warns that organizations are struggling to keep up with the growing volume of vulnerabilities. Security teams increasingly face difficult choices about which flaws to patch first as cloud environments, containers, APIs, and third-party software continue to expand the attack surface.

Finally, CISA warns that attackers are actively exploiting both a newly patched Android vulnerability and a years-old Linux flaw. The contrast highlights a simple reality: cybercriminals do not care whether a vulnerability is new or old. They care whether it remains exploitable.

Stories in this episode:

* HTTP/2 Bomb Can Crash Web Servers in Seconds: Researchers disclose a denial-of-service technique capable of exhausting server memory in under a minute, while OpenAI's Codex helps uncover a novel attack chain.
* Trump Creates Voluntary AI Security Reviews as Government Seeks Visibility Into Frontier Models: A new executive order establishes voluntary reviews of advanced AI systems before public release, raising questions about visibility, oversight, and national security.
* The Cybersecurity Industry's Patch-Everything Strategy May Be Breaking Down: A Cloud Security Alliance report suggests organizations are overwhelmed by vulnerability volume and increasingly forced to choose which risks to address.
* CISA Warning Shows Attackers Don't Care Whether a Vulnerability Is New or Old: Active exploitation of both a newly patched Android flaw and an older Linux vulnerability demonstrates that attackers focus on opportunities, not disclosure dates.

Cybersecurity Today brings you the latest cybersecurity news, threat intelligence, breach reports, vulnerability disclosures, ransomware developments, cybercrime investigations, and security research affecting organizations around the world.
Episode 293

A two-week shoot, a half-million dollar budget, and not a single human behind the camera, welcome to the future of Hollywood. This year at Cannes, the most talked-about presence on the Croisette wasn't a movie star; it was artificial intelligence. The Cloud Security Alliance is sounding the alarm on a new breed of AI system that doesn't just answer questions, it takes action, on its own, across your entire digital infrastructure. GitHub just confirmed that roughly 3,800 internal repositories were compromised, and the attacker didn't need a zero-day exploit, just a poisoned developer tool your engineers trust every single day. Google API Keys: Here's a question every incident responder needs to answer: if you delete a compromised credential and the attacker keeps using it for the next twenty-three minutes, did you actually stop the breach? The same AI technology making phishing attacks more convincing may also be our best shot at catching them, and this week, a listener's inbox put that to the test. Spotify and Universal Music Group just agreed to let fans remix their favorite songs using AI, and for the music industry, it's the clearest sign yet that the question is no longer whether this happens, but who controls it when it does. In a spring full of AI doomsday commencement speeches, Steve Wozniak walked onto a stage in Michigan and reminded a room full of nervous graduates that they already carry the most powerful intelligence in the room.

Welcome back, everyone. We're glad you're here for Episode 293 of the AI, Privacy, and Security Weekly Update. It's May 26th, 2026, and this week we are going big. We're starting in Cannes, we're going to swing through some genuinely alarming security stories, and we're going to land somewhere a little more hopeful at the end. Let's get into it.

Find the transcript to this podcast here.
The corporate attack surface is expanding as autonomous AI agents and developer tools dissolve traditional security boundaries. The software supply chain is now a strategic vulnerability, allowing compromised “trusted tools” to bypass legacy defenses and move directly into internal environments.

Recent incidents demonstrate the scale of the risk. GitHub confirmed unauthorized access to roughly 3,800 repositories after a malicious VS Code extension compromised a developer device. Google Cloud infrastructure also exposed a critical “time-to-vulnerability” gap: deleted API keys remained active for an average of 16 minutes, and in some cases up to 23 minutes, despite appearing revoked in the UI. These delays create exploitable windows for autonomous systems to access AI services or sensitive data before responders can intervene.

The Cloud Security Alliance warns of an emerging “agentic threat” driven by excessive privileges, weak configurations, prompt injection, poor accountability, and flaws in machine-to-machine interaction. The challenge is no longer simply malicious code, but malicious intent expressed through natural language.

Meanwhile, the labor market reflects a “low hire, low fire” reality rather than mass AI unemployment. Layoffs remain historically normal, but hiring and career mobility have slowed as firms adopt leaner operating models and assess automation's long-term impact. Entry-level opportunities are narrowing as companies demand higher productivity from fewer employees using generative tools.

Industry leaders remain divided. Steve Wozniak argues AI cannot replace human creativity, while figures such as Sam Altman and Elon Musk warn disruption may eventually require interventions like Universal Basic Income. Many firms are also using “AI transformation” narratives to justify restructuring and post-pandemic cost corrections.

Creative industries are shifting from resisting AI to monetizing it. The AI-generated film Hell Grind reportedly required a $500,000 budget, with most costs tied to compute power. Maintaining visual consistency demanded prompts averaging 3,000 words, revealing that AI production remains management-intensive rather than effortless. Spotify and Universal Music Group are also developing licensing frameworks where artists retain control over AI-generated remixes while platforms monetize premium AI creative tools.

Technology companies now face growing friction between rapid AI deployment and user trust. Google's “disregard” search glitch showed how AI systems can misinterpret user queries as commands, undermining reliability. Apple's roadmap, including context-aware Siri capabilities and private cloud compute, highlights the industry's push toward personalized assistants.

Ultimately, AI adoption depends on trust. Consumers will embrace assistants only if companies prove the infrastructure behind them is reliable, accountable, and secure enough to protect personal data.
GitHub confirms a breach tied to a malicious VS Code extension. Anthropic fights a Pentagon blacklist as the White House weighs new AI security rules. Drupal scrambles to patch a critical flaw. Cisco Talos tracks the evolution of BadIIS malware-for-hire. Signal adds anti-phishing safeguards, Microsoft cracks down on malware-signing services, and China says foreign spies hijacked domestic routers for phishing operations. Wireless carriers collaborate to kill dead zones. Our guest is Rob T. Lee, Chief AI Officer, Chief of Research, SANS Institute, discussing The Cloud Security Alliance's “AI Vulnerability Storm” report. A book about misinformation contains helpful examples.

CyberWire Guest

Today we are joined by Rob T. Lee, Chief AI Officer, Chief of Research, SANS Institute, sharing Cloud Security Alliance's The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program.

Selected Reading

* GitHub confirms breach of 3,800 repos via malicious VSCode extension (Bleeping Computer)
* Trump AI executive order seeks early government access to frontier models (Axios)
* DC Circuit slams Pentagon blacklisting of Anthropic as overreach (Courthouse News Service)
* Drupal Issues Urgent Warning for Highly Critical Core Vulnerability (Beyond Machines)
* From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat (Cisco Talos)
* Signal adds security warnings for social engineering, phishing attacks (Bleeping Computer)
* Disrupting Fox Tempest: A cybercrime service that turned “verified” software into a pathway for ransomware (Microsoft)
* China's state security authorities uncover foreign agency using domestic routers as cyberattack proxies; users notice only slower speeds (Global Times)
* ‘The Future of Truth' Contains Quotes Made Up by A.I. (The New York Times)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
The floor at RSAC Conference 2026 had one dominant frequency, and it was not subtle. Every booth, every hallway, every late-night conversation kept circling back to the same question: how do enterprises adopt AI agents without losing control of them? In a post-conference follow-up, Itamar Apelblat, Co-Founder and CEO of Token Security, translates what he heard on the ground into what the data now confirms. Token Security arrived at RSAC with a fresh set of findings, produced in collaboration with the Cloud Security Alliance and released alongside the event. The report, Autonomous but Not Controlled: AI Agent Incidents Now Common in Enterprises, puts numbers to what practitioners already suspected: 65 percent of organizations have experienced an AI agent-related incident in the past twelve months, and 82 percent discovered agents running in their environment that no one had authorized. Only 21 percent have a formal process for decommissioning agents — a gap Itamar Apelblat flags as a low-hanging attack path. The short version from the conversation: visibility is the starting line, not the finish line, and the path from discovery to intent-based enforcement is where most programs are stuck. This is a Brand Highlight. A Brand Highlight is a ~5 minute introductory conversation designed to put a spotlight on the guest and their company. Learn more: https://www.studioc60.com/creation#highlight GUEST Itamar Apelblat, Co-Founder and CEO, Token Security | https://www.linkedin.com/in/itamar-apelblat/ RESOURCES Learn more about Token Security: https://www.token.security/ Download the CSA + Token Security Report — Autonomous but Not Controlled: AI Agent Incidents Now Common in Enterprises: https://cloudsecurityalliance.org/artifacts/autonomous-but-not-controlled-ai-agent-incidents-now-common-in-enterprises Are you interested in telling your story? 
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full ▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight ▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight
Claude Mythos dominated the AI security conversation for two weeks straight, from the Cloud Security Alliance's strategy briefing to sharp public skepticism to yesterday's Bloomberg report that unauthorized users on Discord have been accessing Mythos since its limited launch. Host Jason Kikta cuts through the noise to separate the contested vendor claims from the established trend.

In this episode:

* Why the Mythos debate misses the point, and the independently verified AI security milestones that predate it (XBOW topping HackerOne, DARPA's AI Cyber Challenge, Google Big Sleep, Claude Opus 4.6's 500+ high-severity findings)
* A careful look at the numbers behind Anthropic's system card, including the Firefox exploit rate dropping from 72.4% to 4.4% once pre-discovered bugs are removed
* The CSA's top CISO recommendations that hold regardless of which Mythos claims you believe: patching, segmentation, egress filtering, MFA, defense in depth
* Three concrete actions to take this week, including the governance conversation most security leaders are overdue to have with the business

Good security starts with good IT. The trend is stable. The claims are contested. Anchor your planning accordingly.

Links and sources:

* CSA briefing
* Project Glasswing
* Mythos technical writeup
* Ottenheimer system card teardown
* Tom's Hardware on the 198 manual reviews
* Bloomberg on the Discord leak
Last week, the AI company Anthropic presented its latest AI model, “Mythos”. Anthropic chose not to release it directly to the public. Instead, the company announced that only a select group of companies would get early access to the model, because it had turned out that Mythos was worryingly good at finding vulnerabilities. The move could have been dismissed as a marketing effort. Anthropic is preparing for a stock market listing, and the Mythos launch has given the company enormous publicity. Unfortunately, Anthropic's own findings show that the claims are more than just hype. KTH professor Pontus Johnson goes so far as to say that he “has never seen a cyber threat that has been this acute”. In this week's podcast, Peter and Nikka talk about the serious situation. Nikka explains that everything depends on how large an advance Mythos has made in AI models' ability to discover and exploit vulnerabilities. If the advance is too large, it could even become a danger to society. Vulnerabilities could then start being discovered and exploited at a pace that far exceeds the world's ability to fix them. The podcast duo also shares concrete measures that the Cloud Security Alliance has had well-known cybersecurity specialists compile. Peter and Nikka close by discussing why Anthropic's new invention not only poses a threat but may also have become the rescuer in a time of need. See the full show notes at https://go.nikkasystems.com/podd347.
When Anthropic announced Project Glasswing, the headline was the capability: an AI model that found a 27-year-old flaw in OpenBSD and a 17-year-old remote code execution vulnerability in FreeBSD — fully autonomously, no human in the loop after the initial prompt. But the story underneath the capability is a structural one about who gets early intelligence, who sets the disclosure timeline, and what happens to every organization that wasn't in the room. In this edition of Lens Four, Sean Martin examines Project Glasswing through three lenses: the intelligence asymmetry it creates for security programs, what it reveals about the broken assumptions underneath CVE, CVSS, and NIST, and why the equity framing in Glasswing's messaging doesn't survive contact with the data.
At RSAC Conference 2026, Sean Martin caught up with Rich Mogull at the Cloud Security Alliance booth for a candid conversation about where enterprise security programs stand -- and what it takes to keep pace with AI. Mogull, who joined CSA as Chief Analyst in October 2025, brings a practitioner's instinct to a research-first organization, and he arrived with a clear mandate: help organizations stop treating security frameworks as shelf documents and start treating them as operational tools. CSA operates across three pillars -- cloud, zero trust, and AI -- and Mogull is the first to acknowledge the identity tension that comes with that breadth. But his argument is consistent: each pillar represents a transformational technology that exposed the limits of existing security practices. "Our sweet spot is these transformational, disruptive technologies," he says. The same challenge that played out with cloud adoption is now repeating itself with AI, and CSA's job is to help security teams navigate it with research that is genuinely actionable. One of the most anticipated deliverables from Mogull's first year is the AI Security Maturity Model -- a structured framework that gives enterprise security programs a lens for assessing and improving their AI security posture. Modeled on CSA's Cloud Security Maturity Model (which Mogull also authored), it is built around measurable KPIs and designed to be as automatable as possible. After its first public draft drew over 600 comments from 60 international reviewers, Mogull is in the final stages of revision. The model covers governance, identity and access management, security monitoring, model security, AI infrastructure, agentic applications, MCP servers, and AI developer enablement -- a purpose-built lens for enterprise AI security programs, not a generic maturity template. Beyond the model itself, Mogull is building the operational infrastructure to help CSA members actually use it. 
The new Enterprise Membership program -- launched in March 2026 -- centers on the Operational Maturity Roadmap: a structured, year-long engagement where CSA analysts work directly with member organizations, providing monthly guidance, specific recommendations, and an annual progress report tied to measurable outcomes. The goal is to move CSA from research producer to implementation partner -- and to deliver the kind of decision support that scales beyond what any individual consultant can provide. This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight GUEST Rich Mogull, Chief Analyst, Cloud Security Alliance LinkedIn: https://www.linkedin.com/in/richmogull/ RESOURCES Cloud Security Alliance: https://cloudsecurityalliance.org CSA Enterprise Membership Program: https://cloudsecurityalliance.org/membership CSA AI Controls Matrix: https://cloudsecurityalliance.org/research/working-groups/ai-controls-matrix CSA Cloud Controls Matrix: https://cloudsecurityalliance.org/research/cloud-controls-matrix Are you interested in telling your story? ▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full ▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight ▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight
What does it mean to be the person responsible for AI ethics inside a 30,000-person company? Shelby Tallent lives this every day. As the leader of AI ethics, responsibility, and compliance for Alaska Airlines, Shelby works at the intersection of technology, governance, and human trust. Her career across Amazon, Nordstrom, and TeleSign has shaped a perspective that blends policy rigor with product execution. In conversation with host Shannon Peavey, Shelby shares why AI ethics is not about slowing innovation but about guiding it. She explains how ethical value systems become practical decision frameworks, how individuals can hold their ground when goals conflict, and why keeping humans in the loop is not optional. AI should not be looked at as a way to “get us out of things,” she said, rather, we should let it expand our capacity to do what once felt impossible.

00:00 Introduction
01:49 How Alaska Airlines structures the AI Safety & Compliance role
02:18 The ways responsibilities map to company values
04:45 Where foundational principles for AI implementation originate
05:50 Navigating different AI rules per country
07:32 The “9-to-5” of AI Responsibility
13:02 Types of risk and how we mitigate
16:30 A path of many hats
23:00 Keeping humans in the loop
29:30 Why we should be optimistic
33:00 Shelby's challenge to your thinking and approach
Every influencer is drooling over Claude Code skills files. Every product team is chasing the next model release. But for two years, the data has been screaming the same thing: capability isn't the bottleneck. Context is. This edition unpacks what that actually means — why structured business knowledge is the highest-leverage investment a product team can make, what the “context wars” look like from the inside, and why the teams winning aren't the ones with the best models. They're the ones whose AI actually understands their business.

What You'll Learn in This Edition

This edition confronts the structural reason most AI products fail — they're missing the context that makes capability useful.
* Why Juan Sequeda from ServiceNow says “hope is not a strategy” — and what to build instead of better prompts
* The three-layer knowledge framework that gives AI a shared language across your entire organization
* CNBC's “silent failure at scale” investigation reveals why 91% of AI models degrade without anyone noticing
* Microsoft just adopted ontology — the same concept Juan has championed for 20 years — as the foundation of its agentic AI architecture
* Citadel Securities data shows software engineer job postings rising 11% YoY despite the displacement narrative

Episode 3: Context Is the New Moat — Why Your AI Needs Business Knowledge, Not Better Prompts

Every influencer is drooling over skills files and prompt templates. Juan Sequeda, Principal Scientist at data.world (acquired by ServiceNow), has spent 20 years proving that none of it works without structured business knowledge underneath. In this episode, Juan breaks down the three-layer framework — business metadata, technical metadata, and the mapping layer that creates real semantics — and explains why the teams investing in ontology today will compound value across every AI use case they build next. His blunt assessment of skills files as a production strategy: “Hope is an interesting strategy. It's not one that I add to my strategy.”

“If you just edit in skills, I don't think that's gonna be the solution to your problem. You'll have a great POC. It'll work for the use cases you tested on. Are you willing to put your career on the line and put that in production?” — Juan Sequeda

Listen on Spotify | Apple Podcasts | YouTube

Context isn't a nice-to-have. It's the architecture layer that determines whether your AI product delivers consistent, measurable value or drifts into silent failure. PH1 built this framework to illustrate what Juan Sequeda has been researching for two decades: intent, background, examples, and templates aren't prompt engineering tricks — they're the structural foundation that transforms an AI system from a “forever intern” into a strategic partner. Without them, you're hoping the model figures out what “order” means in your business. Hope, as Juan puts it, is not a strategy.

RAG Was the Answer. Now It's a Symptom of the Real Problem.

RAG dominated for two years as the default way to give LLMs context. But as context windows expanded from 8K to a million tokens, the question shifted. This video breaks down when RAG still matters — vast, dynamic datasets and cost efficiency — and when long context windows make the retrieval layer unnecessary. The strategic implication for product teams: RAG was always a workaround for a deeper problem. The real question was never “how do I retrieve the right document?” It was “does my system actually understand my business?” That's the context layer Juan Sequeda is building — and it sits beneath RAG, long context, and every other implementation detail.

In spite of the displacement signals, software engineer job postings are up 11% year over year. But read the fine print: a posting titled “Software Engineer” increasingly means “engineer who can operate LLMs in production” or “build RAG pipelines.” The title stayed the same — the job changed. If your team hasn't redefined what “engineering” means in the context of AI-augmented workflows, you're hiring for yesterday's role.

Product Impact Resources

The pattern across these resources is consistent: the teams pulling ahead are the ones investing in context, knowledge, and governance infrastructure — not chasing the next model release. Capability is table stakes. The moat is how deeply your product understands the business it serves.
* Gartner predicts 80% of enterprises pursuing AI will use knowledge graphs by 2026 to enhance context and reasoning. The shift from “better prompts” to “structured knowledge” is no longer theoretical. The Role of Knowledge Graphs in Building Agentic AI Systems
* Microsoft adopted ontology as the foundation of its agentic AI architecture — Fabric IQ, Foundry IQ, and Work IQ create a semantic layer that gives agents shared business understanding. Microsoft Adopts Ontology-Based IQ Layer for Agentic AI
* Nathan Lasnoski argues that enterprise knowledge graphs are the foundation for moving from vibe coding to scalable agentic development — without semantic grounding, agents can't reason across systems. Building an Enterprise Knowledge Graph for the SDLC
* HBR analysis reveals AI adoption stalls because of employee anxiety about relevance and identity — not technical limitations. The behavioral barriers are harder than the technical ones. Why AI Adoption Stalls, According to Industry Data
* WEF data shows organizations with strong governance and >5% IT budget allocated to AI see 70-75% positive outcomes vs. 50-55% without. Governance is infrastructure, not a bottleneck. Strong AI Governance Is a Business Advantage, Not a Bottleneck
* Deloitte's agentic AI strategy report calls for governance and observability as first-class product features — agentic systems should expose provenance, tool-call traces, and policy decisions by default. Agentic AI Strategy
* Teresa Torres warns that AI without product discovery just means “shipping the wrong stuff faster.” The line lands directly on this edition's thesis — capability without context is an accelerant of bad decisions, not good ones. Strong potential guest. Shipping the Wrong Stuff Faster
* Roger Wong unpacks Jenny Wen's (Anthropic Head of Design) “ship fast, iterate publicly, build trust through speed” approach as a new design paradigm for AI products. Jenny Wen is a compelling guest lead given her role building Claude's product experience. The Design Process Is Dead
* Meta's alignment director had an OpenClaw agent start rapidly deleting her inbox — she thought it would confirm first. It didn't. She ran to a Mac mini “like I was defusing a bomb.” Stuart Winter-Tear's breakdown is a vivid, concrete case study of agentic AI failure in practice. Human in the Loop Is a Job
* Academic paper in Communications Psychology (Nature) argues that friction in AI design is a feature, not a bug — challenging the default “make it seamless” paradigm. Co-authors from U of T, Wharton, and Yale. Emily Zohar is a strong potential guest with a contrarian take that plays well on the podcast. Against Frictionless AI

Product Impact News

The news this edition reinforces a single uncomfortable truth: the biggest AI failures aren't technical — they're contextual. Systems that lack business knowledge don't crash dramatically. They drift silently, producing outputs that look right but are wrong in ways no telemetry catches.
* CNBC investigated “silent failure at scale” — a beverage manufacturer's AI ordered thousands of excess cans because it couldn't contextualize new holiday labels. 91% of ML models degrade over time, and most enterprises never detect it. ‘Silent Failure at Scale’: The AI Risk That Can Tip the Business World Into Disorder
* Agentic AI's dominant failure mode isn't catastrophic breakdown — it's silent drift. CIO reports that only 6% of organizations have fully deployed agents, and the Cloud Security Alliance now classifies cognitive degradation as systemic risk. Agentic AI Systems Don't Fail Suddenly — They Drift Over Time
* Gartner predicts 40% of agentic AI projects will be scrapped by 2027. 90% of legacy agents fail within weeks. The primary driver is governance, not technology. Why 40% of Agentic AI Projects Will Fail
* Internal Microsoft data shows only 30% of Copilot enterprise licenses see weekly active usage after 6 months — despite unmatched distribution through Office. Workflow friction and unclear ROI are the barriers. Microsoft Copilot Adoption Stalls at 30% Active Usage
* Virtana surveyed 350+ senior IT leaders this month: 75% of enterprises report double-digit AI job failure rates, a third exceed 25%. Meanwhile, 59% of executives think they're prepared — but 62% of practitioners report fragmented systems and visibility gaps. The disconnect is the risk. 75% of Enterprises Report Double-Digit AI Failure Rates
* Citadel Securities rebuts the AI displacement narrative with data: software engineer postings up 11% YoY. But job postings requiring AI literacy grew 70% YoY — the title stayed the same, the job changed. Software Engineer Job Postings Are ‘Rapidly Rising’
* Tech Mahindra and Microsoft launched an ontology-driven agentic AI platform for telecoms — the first major enterprise deployment built on Microsoft's Fabric IQ semantic layer. The context wars are real. Tech Mahindra and Microsoft Launch Ontology-Driven Agentic AI Platform

Key takeaways

The throughline is unmistakable: the AI products failing at scale aren't missing capability — they're missing context. From CNBC's investigation into silent failures to Microsoft betting its entire agentic architecture on ontology, the market is converging on what Juan Sequeda has been saying for 20 years: structured business knowledge is the highest-leverage investment you can make.
* Context is infrastructure, not a feature. Skills files and prompt templates are band-aids. The teams compounding value across AI use cases are the ones that defined “what does order mean?” before they shipped anything. If your AI can't disambiguate your business terminology, it can't deliver consistent results.
* Governance accelerates adoption. The WEF data is clear: organizations with strong AI governance see 20 percentage points higher positive outcomes. Governance isn't the thing slowing you down — the absence of it is why 40% of agentic projects get scrapped.
* The job didn't disappear — it transformed. Software engineer postings are up 11%, but the role now requires AI literacy. The same is true for product managers, designers, and strategists. The question isn't whether AI will replace you. It's whether you'll invest in the context that makes AI actually useful.

Check Out Recent Episodes

Episode 2: Defensibility > Capability — Five Actions to Defend Your Product Value
$73.6 billion went into GenAI startups in 2025, but 85% of AI startups will be out of business within three years. This episode tackles the economics of abundance and delivers five specific actions to redirect investment toward what actually survives: workflow depth, outcome visibility, and trust engineering. If you're competing on features, you're already exposed.

Episode 1: Why Your AI Metrics Are Lying to You
The bullseye framework for AI products — Power, Speed, Impact, and Joy. Most teams are measuring Power and calling it success. This episode introduces a three-layer evaluation approach and shows why completion metrics hide the signals that actually matter for growth.

AI Strategy Jobs
* Staff Product Designer, AI Workflows — ServiceNow (Remote/Hybrid)
* AI Product Manager — ServiceNow (Remote)
* Product Designer, ChatGPT — OpenAI (San Francisco)
* Product Designer, Platform & Tools — OpenAI (San Francisco)
* AI Product Manager, Strategic Roadmap — IDC (Remote)
* Principal Product Manager, AI Personalization — Cedar (New York)
* Senior Product Designer, Generative AI — Coda (Remote)
* Product Designer, AI Agents — Simular (Palo Alto)
* Director, Product Design, AI Transformation — Element AI (Santa Clara, CA — On-site, 65% travel)
* Product Designer — Fidelity (Merrimack, NH / Jersey City, NJ / Westlake, TX — Hybrid)

If your AI product demos well but can't prove it drives value in production, that's a context problem — and it's the gap PH1 closes. We help teams build the measurement and knowledge infrastructure that turns AI capability into measurable business impact. From defining what success means to proving it with data. ph1.ca

Thank you for supporting the Product Impact Podcast

Every episode goes deeper than the headlines to uncover what actually drives AI product success — and what's quietly killing it. If Juan's take on context and ontology challenged how you think about your AI product's foundation, share this episode with your team. Follow the show so you never miss one. That's how we grow this community of builders who refuse to settle for capability without impact.

Browse all episodes at productimpactpod.com — filter by topic to find the episode that fits what you're working on right now. We're at 56 episodes across the two seasons. This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit productimpactpod.substack.com
On this week's Security Sprint, Dave and Andy covered the following topics:

Opening:
• TribalHub 6th Annual Cybersecurity Summit, 17–20 Feb 2026, Jacksonville, Florida
• IT-ISAC, Food & Ag ISAC Ransomware Reports!
• Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Rulemaking; Town Hall Meetings
• What to Know About the Homeland Security Shutdown – New York Times – 15 Feb 2026

Main Topics:
South Korea blames Coupang data breach on management failure, not sophisticated attack – Reuters – 10 Feb 2026. “'It's more of a management problem than an advanced attack,' Choi Woo-hyuk, deputy minister for cyber security and network policy, told a press conference, citing lax oversight of authentication systems.” South Korean authorities released findings on a massive Coupang data leak, concluding that a former engineer exploited known authentication weaknesses and a retained signing key to access customer accounts for months, exposing personal data on about 33.7 million users.

AI Threats & Mitigation
• GTIG AI Threat Tracker: Distillation, Experimentation, and Continued Integration of AI for Adversarial Use — Google Cloud Blog — 12 Feb 2026. Google Threat Intelligence Group describes observed adversary use of AI across multiple phases of the attack lifecycle and highlights rising model extraction and distillation activity.
• What CISOs need to know about ClawDBot, I mean MoltBot, I mean OpenClaw — CSO Online — 16 Feb 2026. The article outlines enterprise risk considerations around OpenClaw and similar autonomous agent tooling that can execute actions on behalf of users with broad system access. It includes the warning that “The problem with running this is that these tools can do basically anything that a user can do,” says Rich Mogull, chief analyst at Cloud Security Alliance.

Awareness of Preoperational Surveillance Tactics Associated With Terrorism Offers Opportunities — Joint Counterterrorism Assessment Team First Responder's Toolbox, ODNI — 13 Feb 2026.

CISA's 2025 Year in Review: Driving Security and Resilience Across Critical Infrastructure. Notable highlights include:
• Strengthened Collective Defense: Published more than 1,600 products and triaged 30,000+ incidents through CISA's 24/7 Operations Center – keeping critical systems secure.
• Blocked Malicious Activity at Scale: Stopped 2.62 billion malicious connections on federal civilian networks and 371 million within critical infrastructure.
• Enhanced Preparedness Nationwide: Led 148 cyber and physical security exercises with 10,000+ participants, helping partners refine emergency plans and boost local and national resilience.
• Following Executive Order 14305, “Restoring American Airspace Sovereignty,” CISA published the Be Air Aware™ suite of security guides in November to help organizations detect, respond to, and safely manage Unmanned Aircraft System Threats.

Quick Hits:
• Improving your response to vulnerability management — NCSC, 10 Feb 2026
• Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 – CISA – 03 Feb 2026
• CISA Helps Johnny Secure Operational Technology: New Guidance Addresses Cyber Risks from Legacy Protocols. CISA released the guidance Barriers to Secure OT Communication: Why Johnny Can't Authenticate.
• Poland energy sector cyber incident highlights OT and ICS security gaps
• CISA Updates BRICKSTORM Backdoor Malware Analysis Report
• Blended Threats: Axios Future of Cybersecurity – Axios – 10 Feb 2026
• A Defector Explains the Remote-Work Scam Helping North Korea Pay for Nukes – Wall Street Journal – 16 Feb 2026
• Hacktivism today: what three years of research reveal about its transformation
• Pakistan mosque attack highlights worsening militant threat
In this episode of CISO Tradecraft, hosts G Mark Hardy and Ross Young discuss the extensive redesign at CISO Tradecraft and introduce a series of free cybersecurity tools and templates available on their website. The tools, created with the help of AI, range from a Cybersecurity Budget Template and Gen AI Risk Assessment to a Personal Values Exercise and Process Improvement exercise. They also cover topics such as AI coding, CMMC Compliance, Cloud Security Alliance's AI Control Matrix, and the Cyber Six Pack for improving vulnerability management. Additionally, they share insights on tools rationalization exercises, such as the cybersecurity murder board, and the importance of aligning tasks with personal values. Tune in for detailed walkthroughs of these innovative resources designed to enhance your cybersecurity strategies without breaking the bank. Templates can be found here: https://www.cisotradecraft.com/freetemplates
Dennis is joined by Rich Mogull, chief analyst at the Cloud Security Alliance, cloud security trainer, and all around good guy to talk about the Cloudflare outage, why the internet is now just six companies, and what, if anything, organizations can do to improve their resilience in the current environment. Support the show
Segment 1: David Brauchler on AI attacks and stopping them David Brauchler says AI red teaming has proven that eliminating prompt injection is a lost cause. And many developers inadvertently introduce serious threat vectors into their applications – risks they must later eliminate before they become ingrained across application stacks. NCC Group's AI security team has surveyed dozens of AI applications, exploited their most common risks, and discovered a set of practical architectural patterns and input validation strategies that completely mitigate natural language injection attacks. David's talk aimed at helping security pros and developers understand how to design/test complex agentic systems and how to model trust flows in agentic environments. He also provided information about what architectural decisions can mitigate prompt injection and other model manipulation risks, even when AI systems are exposed to untrusted sources of data. More about David's Black Hat talk: Video of the talk and accompanying slides: https://www.nccgroup.com/research-blog/when-guardrails-arent-enough-reinventing-agentic-ai-security-with-architectural-controls/ Talk abstract: https://www.blackhat.com/us-25/briefings/schedule/#when-guardrails-arent-enough-reinventing-agentic-ai-security-with-architectural-controls-46112 Slide presentation only: https://i.blackhat.com/BH-USA-25/Presentations/USA-25-Brauchler-When-Guardrails-Arent-Enough.pdf Additional blogs by David about AI security: Analyzing Secure AI Architectures: https://www.nccgroup.com/research-blog/analyzing-secure-ai-architectures/ Analyzing Secure AI Design Principles: https://www.nccgroup.com/research-blog/analyzing-secure-ai-design-principles/ Analyzing AI Application Threat Models: https://www.nccgroup.com/research-blog/analyzing-ai-application-threat-models/ Building Security‑First AI Applications: A Best Practices Guide for CISOs: 
https://www.nccgroup.com/building-security-first-ai-applications-a-best-practices-guide-for-cisos/ Building Trust by Design for Secure AI Applications: Tips for CISOs: https://www.nccgroup.com/building-trust-by-design-for-secure-ai-applications-tips-for-cisos/ AI and Cyber Security: New Vulnerabilities CISOs Must Address: https://www.nccgroup.com/ai-and-cyber-security-new-vulnerabilities-cisos-must-address/ Segment 2: Should we replace the CIA triad? An op-ed on CSO Online made us think - should we consider the CIA triad 'dead' and replace it? We discuss the value and longevity of security frameworks, as well as the author's proposed replacement. Segment 3: The Weekly Enterprise News Finally, in the enterprise security news: slow week for funding, older companies raising via debt financing; a useful AI framework from the Cloud Security Alliance; two interesting essays, one of which is wrong; folks are out here blasting unencrypted data to and from satellites, while anyone can sniff and capture it; getting hacked during a job interview; LLM poisoning is far easier than previously thought; F5 got breached; be careful when patching your Jeep ('s software). All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-429
Parce que… c'est l'épisode 0x644! Préambule Ce n'est pas CMMI… mais CMMC!?! Shameless plug 12 au 17 octobre 2025 - Objective by the sea v8 14 et 15 octobre 2025 - ATT&CKcon 6.0 14 et 15 octobre 2025 - Forum inCyber Canada Code rabais de 30% - CA25KDUX92 4 et 5 novembre 2025 - FAIRCON 2025 8 et 9 novembre 2025 - DEATHcon 17 au 20 novembre 2025 - European Cyber Week 25 et 26 février 2026 - SéQCure 2026 Description Introduction Ce podcast de la série PME réunit Nicholas, Cyndie et Dominique pour aborder un enjeu crucial auquel font face les petites et moyennes entreprises : les certifications de sécurité. La discussion explore comment les PME doivent réagir lorsqu'un client majeur leur demande si elles possèdent une certification spécifique, une situation qui peut rapidement devenir problématique si l'entreprise n'y est pas préparée. L'évolution des certifications : d'un avantage à une obligation Les certifications de sécurité les plus courantes incluent l'ISO 27001, le SOC de type 2, et pour le secteur de la santé au Québec, la certification TGV. Historiquement, ces certifications étaient réservées aux grandes entreprises et représentaient un avantage concurrentiel permettant de se distinguer et de garantir un certain niveau de sécurité aux clients. Cependant, la réalité a considérablement changé. Aujourd'hui, ces certifications ne sont plus un simple atout commercial, mais bien une obligation pour maintenir des relations d'affaires avec les grandes compagnies. Les entreprises qui ne possèdent pas la certification requise risquent de perdre des clients existants, une situation nettement plus dommageable que de ne pas en acquérir de nouveaux. Le rôle des certifications et l'alternative des questionnaires Les certifications font appel à un tiers de confiance qui garantit que l'entreprise respecte certaines normes de sécurité. 
Comme l'explique Dominique, il s'agit de déléguer à un organisme externe la vérification de la sécurité, généralement des comptables, bien qu'il existe également un processus d'audit interne à l'entreprise. Le choix du cadre normatif doit être stratégique : l'ISO convient mieux au marché européen, tandis que le SOC 2 est privilégié pour les affaires aux États-Unis. L'une des principales raisons pour lesquelles les entreprises recherchent ces certifications est d'éviter de répondre à d'innombrables questionnaires de sécurité. Bien que le Cloud Security Alliance ait développé le Consensus Assessment Initiative Questionary pour standardiser ces évaluations, cette initiative demeure peu connue. En l'absence de certification, les entreprises doivent répondre à des questionnaires exhaustifs de 100 à 150 questions, une expérience que les participants qualifient de « violente ». Face à ces questionnaires, les répondants se divisent en deux catégories : ceux qui embellissent la vérité et ceux qui mentent. Cette situation découle du fait qu'avouer ne pas avoir certaines mesures en place pourrait entraîner la rupture d'un contrat, transformant ainsi un enjeu de sécurité en enjeu purement commercial. Le problème s'aggrave lorsque le même questionnaire est envoyé à toutes les entreprises, qu'elles comptent trois ou deux mille employés. De plus, les personnes qui envoient et évaluent ces questionnaires ne sont pas toujours des experts en sécurité, ce qui signifie qu'une réponse négative sera simplement enregistrée comme telle, même si l'entreprise a mis en place des mesures alternatives tout aussi efficaces. L'importance cruciale du périmètre Un aspect fondamental abordé dans le podcast concerne la définition du périmètre de certification. Contrairement à ce que l'on pourrait croire, même les grandes organisations ne certifient pas l'ensemble de leur structure. Elles fragmentent leurs environnements et ne certifient que les lignes d'affaires qui en ont réellement besoin. 
For SMBs, the recommended strategy is to choose the smallest compliant scope that meets the end client's requirements. The "while we're at it" mentality, which needlessly increases the scope and the associated costs, must absolutely be avoided. Certifications touch the whole organization: people, physical locations, technology, physical security, human security and legal compliance. This is not simply an IT matter. ISO 27001, for example, is based on steering security through business risk management, while SOC 2 guarantees that the company will honor what is written in its client contracts thanks to the controls it has put in place. Compliance versus security: an essential distinction. A crucial point raised by the experts is that compliance and security are not synonymous. A company can be compliant without being truly secure. For example, having carried out a penetration test without fixing any of the vulnerabilities identified does not make the company compliant, but it has not made it more secure either. This distinction often frustrates cybersecurity professionals, because effective security measures may not be recognized from a compliance standpoint, while some compliance requirements may be ineffective from a security standpoint. The example of PCI illustrates this problem well, with requirements that remained ineffective for a long time before evolving. Continuous improvement as a philosophy. Certification frameworks are based on the principle of continuous improvement rather than immediate perfection. They do not require the company to be perfect on the day of certification, but to have put in place a system of controls that enables continuous improvement.
These certifications commit management and leadership to maintaining this improvement process, which is a philosophical principle that pays off in the long term. However, the company must be genuinely ready to commit to this process, because it is not simply a sales argument or an attractive logo to display. Practical advice for SMBs. For SMBs starting this process, the recommendation is to adopt or draw inspiration from a framework and make the first attempts at their own pace, before a client pushes them to do it in a hurry. This makes it possible to put the necessary reviews and controls in place without spending enormous sums. The participants encourage entrepreneurs to ask questions of their professional network, because those who have gone through the certification experience, although it is often "traumatic", will be happy to share what they learned. The important thing is not to be perfect, but to demonstrate a sincere commitment to security, to be proactive, to ask the right questions and to set realistic timelines. Staying in motion and avoiding fossilization are the key to success in this process. Contributors: Nicolas-Loïc Fortin, Cyndie Feltz, Nicholas Milot, Dominique Derrier. Credits: Editing by Intrasecure inc. Virtual studio by Riverside.fm
Recorded live at Black Hat 2025, this episode takes you straight to the frontlines of cybersecurity innovation. Host Raghu Nandakumara first sits down with Bennett Moe, a cartographer turned N2K CyberWire VP, who reveals how mapping skills can turn massive data into actionable cyber insights and why fundamentals still matter in an AI-driven world. Then, Jim Reavis, CEO of the Cloud Security Alliance and ISSA Hall of Famer, shares his urgent warning on cloud risks, the impact of generative AI, and why security leaders must rethink old playbooks. We discussed: How cartography principles help prioritize and visualize cybersecurity data; The evolution of AI in security and where it's moving beyond buzzwords; Why fundamentals like security hygiene and the right people in the right roles are still critical; Systemic risks in cloud environments and why old security playbooks may no longer suffice; How security leaders can become their company's most informed voices on AI; The importance of actionable insights over overwhelming data for decision-making; The role of cloud as a foundation for AI innovations like ChatGPT; Distinguishing between securing AI and defending against AI-powered attacks; How continuous learning, communication, and community collaboration are essential in cybersecurity; The CSA's mission and legacy as a navigator for the cybersecurity community. Stay connected with our host, Raghu, on LinkedIn. For more information about Illumio, check out our website at illumio.com
The Weekly Enterprise News (segments 1 and 2). This week, we've had to make some last-minute adjustments, so we're going to do the news first, split into two segments. This week, we're discussing: Some interesting funding; Two acquisitions - one picked up for $250M, the other slightly larger, at $25 BILLION; Interesting new companies!; On the 1 year anniversary of that thing that happened, CrowdStrike would like to assure you that they're REALLY making sure that thing never happens again; Flipping the script; How researchers rooted Copilot, but not really; talks to check out at Hacker Summer Camp; detection engineering tips; the Cloud Security Alliance has a new AI Controls Matrix; sending in the National Guard to handle a breach!; and how to read an AI press release. Interview: Guillaume Ross on Building Security from Scratch. Guillaume shares his experiences building security from scratch at Canadian FinTech, Finaptic. Imagine the situation: you're CISO, and literally NOTHING is in place yet. No policies, no controls, no GRC processes. Where do you start? What do you do first? Are there things you can get away with that would be impossible in older, well-established financial firms? Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-418
In this episode of Campus Technology Insider Podcast Shorts, host Rhea Kelly discusses the latest stories in education technology. Highlights include the launch of LawZero by Yoshua Bengio to develop transparent 'scientist AI' systems, a new Cloud Security Alliance guide on red teaming for agentic AI, and OpenAI's report on the malicious use of AI in cybercrime. For more detailed coverage, visit campustechnology.com. 00:00 Introduction and Host Welcome; 00:15 LawZero: Ensuring Safe AI Development; 00:52 Cloud Security Alliance's New Guide; 01:27 OpenAI Report on AI in Cybercrime; 02:06 Conclusion and Further Resources. Source links: New Nonprofit to Work Toward Safer, Truthful AI; Cloud Security Alliance Offers Playbook for Red Teaming Agentic AI Systems; OpenAI Report Identifies Malicious Use of AI in Cloud-Based Cyber Threats. Campus Technology Insider Podcast Shorts are curated by humans and narrated by AI.
In this episode of Cybersecurity Today, host Jim Love delves into the topic of SaaS (Software as a Service) security. Sharing his early experiences promoting SaaS, Jim elaborates on its inevitable rise due to cost-effectiveness and shared development resources. The episode highlights security concerns with SaaS, such as shadow IT and weak access control, especially in the face of an influx of AI software. Jim introduces Yoni Shohet, CEO and Co-founder of Valence Security, who discusses the SaaS security landscape, focusing on the independent 'State of SaaS Security' report by the Cloud Security Alliance. Yoni outlines the importance of monitoring API tokens, ensuring proper configurations, and the challenges posed by non-human identities. The discussion underscores the evolving nature of SaaS security, encouraging stronger collaboration between security teams and business units to manage risks effectively. 00:00 Introduction to SaaS Security 00:01 The Evolution and Benefits of SaaS 01:33 Challenges and Security Concerns with SaaS 02:08 Introduction to the State of SaaS Security Report 02:34 Interview with Yoni Shohet: Background and Experience 03:06 Yoni Shohet's Journey in Cybersecurity 08:33 The Rise of SaaS Security Issues 14:03 Key Findings from the SaaS Security Report 17:32 The Importance of SaaS Security Measures 21:36 Managing SaaS Security in Organizations 33:43 Valence Security's Approach to SaaS Security 36:59 Conclusion and Final Thoughts
Looking to network in the cybersecurity world? Fortunately, there's no shortage of industry associations to choose from. Today, we're putting the spotlight on the Cloud Security Alliance, or CSA. The Cloud Security Alliance is the world's leading organization committed to awareness, practical implementation, and certification for the future of cloud and cybersecurity. Whether your goal is to develop a secure cloud strategy, gain customer trust, empower your workforce, enhance brand awareness, or engage in diverse networking opportunities, CSA membership is the solution. To learn more, visit https://cloudsecurityalliance.org. See the full list of associations at https://cybersecurityventures.com/cybersecurity-associations.
The Cloud Security Maturity Model (CSMM) is a practical blueprint for improving the security of your public cloud deployments. Developed in partnership with the Cloud Security Alliance, IANS, and Securosis, the model covers 12 categories, such as network security and application security, across 3 domains. It describes 5 levels of security maturity, and includes process...
Tammy Klotz is a cybersecurity leader with over 20 years in IT and a decade as a CISO for global manufacturing firms. She has transformed cybersecurity programs, driven cultural change, and championed women in technology through mentorship and active involvement in groups like WiCyS and the Cloud Security Alliance. At Versum Materials, she developed a cloud-centric cybersecurity strategy, and at Covanta, she built a program from scratch, later serving as CTO and IT co-leader. Currently, as CISO at Trinseo, Tammy oversees cybersecurity for 24 manufacturing sites and 11 R&D facilities. She shares leadership insights in her 2024 book, Leading with Empathy and Grace: Secrets to Developing High-Performing Teams. 00:00 Introduction; 02:40 Tammy's origin story; 05:06 The harsh truth; 08:57 Compliant does not mean secure; 14:57 AI has always been around; 32:00 Empowerment; 41:36 How to communicate properly to your team; 48:00 Book signings, follow, and connect with Tammy. To learn more about Tammy visit https://www.linkedin.com/in/tammyklotz/ To learn more about Dark Rhiino Security visit https://www.darkrhiinosecurity.com
In this episode, we sit down with StackAware Founder and AI Governance Expert Walter Haydock. Walter specializes in helping companies navigate AI governance and security certifications, frameworks, and risks. We will dive into key frameworks, risks, lessons learned from working directly with organizations on AI Governance, and more. We discussed Walter's pivot with his company StackAware from AppSec and Supply Chain to a focus on AI Governance and from a product-based approach to a services-oriented offering and what that entails. Walter has been actively helping organizations with AI Governance, including helping them meet emerging and newly formed standards such as ISO 42001. Walter provides field notes, lessons learned and some of the most commonly encountered pain points organizations have around AI Governance. Organizations have a ton of AI Governance and Security resources to rally around, from OWASP, Cloud Security Alliance, NIST, and more. Walter discusses how he recommends organizations get started and where. The U.S. and EU have taken drastically different approaches to AI and Cybersecurity, from the EU AI Act, U.S. Cyber EO, Product Liability, and more. We discuss some of the pros and cons of each and why the U.S.'s more relaxed approach may contribute to economic growth, while the EU's approach to being a regulatory superpower may impede their economic growth. Walter lays out key credentials practitioners can explore to demonstrate expertise in AI security, including the IAPP AI Governance credential, which he recently took himself. You can find out more about Walter Haydock by following him on LinkedIn, where he shares a lot of great AI Governance and Security insights, as well as his company website www.stackaware.com
Nate Lee discusses his transition from a CISO role to fractional CISO work, emphasizing the importance of variety and exposure in his career. He delves into the rise of AI, particularly large language models (LLMs), and the associated security concerns, including prompt injection risks. Nate highlights the critical role of orchestrators in managing AI interactions and the need for security practitioners to adapt to the evolving landscape. He shares insights from his 20 years in cybersecurity and offers recommendations for practitioners to engage with AI responsibly and effectively. Takeaways: Nate transitioned to fractional CISO work for variety and exposure. Prompt injection is a major vulnerability in LLM systems. Orchestrators are essential for managing AI interactions securely. Security practitioners must understand how LLMs work to mitigate risks. Nate emphasizes the importance of human oversight in AI systems. Link to Nate's research with the Cloud Security Alliance.
A new assessment standard to guide how Pentagon components evaluate and approve zero-trust cybersecurity solutions for responsible use will soon be finalized and ready for release, according to a senior official overseeing its making. During FedTalks 2024, hosted by Scoop News Group on Tuesday, Les Call — director of the DOD's Zero Trust Portfolio Management Office — provided the latest update on his team's unfolding pursuits to drive this implementation, and to continue “progressing at a fast rate.” Call said Pentagon officials are working closely with a range of industry partners and representatives, including the Cloud Security Alliance, to pinpoint compliant capabilities that can accelerate DOD components' paths to fully achieving zero trust. A key component of the landmark executive order on artificial intelligence issued by President Joe Biden last year was to meet a handful of requirements aimed at bolstering the AI talent pool throughout the federal government. And according to a new Government Accountability Office report, those benchmarks have been cleared. The congressional watchdog said Monday that 13 AI management and talent requirements in Biden's order were fully implemented by the March 2024 deadline, checking off boxes that the GAO said would effectively lay the groundwork for governmentwide AI efforts. The Daily Scoop Podcast is available every Monday-Friday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Soundcloud, Spotify and YouTube.
Guests: Jim Reavis, CEO at Cloud Security Alliance [@cloudsa]. On LinkedIn | https://www.linkedin.com/in/jimreavis/ Illena Armstrong, President at Cloud Security Alliance [@cloudsa]. On LinkedIn | https://www.linkedin.com/in/illenaarmstrong/ Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]. On ITSPmagazine | https://www.itspmagazine.com/sean-martin Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast. On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli Episode Notes: Join Sean Martin as he hosts an in-depth discussion with Illena Armstrong, President of Cloud Security Alliance, and Jim Reavis, CEO and Founder. Illena shares her excitement for celebrating the 15th anniversary of the organization while highlighting the industry's shift towards cloud adoption and AI technology. She emphasizes the importance of maintaining security controls, especially in the context of regulatory compliance and cloud provider obligations. The conversation also touches on the rising trend of zero trust security frameworks and the global perspective on AI integration in cybersecurity practices. Jim Reavis adds valuable insights into the intersection of AI and cloud security, highlighting the need for a holistic approach that combines human intelligence with AI capabilities. He emphasizes the role of security as a catalyst for innovation and business transformation, citing examples of innovative approaches taken by European banks.
The discussion also covers the significance of shared responsibility in cybersecurity and the collaborative efforts required to address evolving threats. The CSA AI Summit promises an engaging lineup of speakers, including industry leaders from Google, Microsoft, and Zscaler, who will shed light on key topics such as incident response, secure development, and business transformation. The full-day event, which kicks off the week at RSA Conference, aims to bring together a diverse audience, ranging from C-suite executives to developers and compliance professionals, fostering meaningful discussions and knowledge sharing. Attendees can expect thought-provoking sessions that explore the intersection of AI and cybersecurity, providing valuable insights for enhancing security practices in the digital age. Be sure to follow our Coverage Journey and subscribe to our podcasts! Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
Federal Tech Podcast: Listen and learn how successful companies get federal contracts
The first part of this interview is a fascinating description of how John Kindervag produced the concept of Zero Trust. In the early days of networking, many users were described as “trusted users.” John questioned why they did not take the next step and verify them. The response was classic – because it would be rude. Fast forward a few decades and we see countless breaches and billions of dollars of intellectual property lost because of fear of offending the sensitivities of users. Back to 2011. Interfaces on firewalls could have varying levels of trust associated with them; the question from John Kindervag was, “why any levels at all?” His idea of zero trust resonated in the commercial and federal marketplace. For example, an Executive Order was issued in May of 2021 mandating the adoption of zero trust for the federal government. During the interview John Kindervag presents a fascinating contrast between the attack surface and the protect surface. This is a framework to allow federal leaders to prioritize what data to protect. To gain a better understanding of how to deploy Zero Trust, The National Security Telecommunications Advisory Committee was established. It presents a five-step model and shows how to build Zero Trust one protect surface at a time. Listen and learn about the Cloud Security Alliance and myriad ways to develop expertise in the nuances around incorporating Zero Trust into your federal network. Mentioned in the interview: What is Zero Trust Architecture? https://www.illumio.com/blog/what-is-a-zero-trust-architecture
Chris and I cover all kinds of items in this one. Why should we care that there is a ZT certification now from the Cloud Security Alliance? Is that a good thing? What about other certifications? Why is the industry still doing the same stuff and nothing changes? Do the big players muscle out the little guys to the detriment of us all? Those and more on this one!
Episode Summary: In today's episode, AI Safety Initiative Chair at Cloud Security Alliance, Caleb Sima, joins Matt to talk about some of the myths surrounding the quickly evolving world of AI. With two decades of experience in the cybersecurity industry, Caleb has held many high-level roles, including VP of Information Security at Databricks, CSO at Robinhood, Managing VP at CapitalOne, and Founder of both SPI Dynamics and Bluebox Security. Today, Caleb talks about his inspiring career after dropping out of high school, dealing with imposter syndrome, and becoming the Chair of the CSA's AI Safety Initiative. Is AI and Machine Learning the threat that we think it is? Hear about the different kinds of LLMs, the poisoning of LLMs, and how AI can be used to improve security. Timestamp Segments: · [01:31] Why Caleb dropped out of high school · [06:16] Dealing with imposter syndrome. · [11:43] The hype around AI and Machine Learning. · [14:55] AI 101 terminology. · [17:42] Open source LLMs. · [20:31] Where to start as a security practitioner. · [24:46] What risks should people be thinking about? · [28:24] Taking advantage of AI in cybersecurity. · [32:32] How AI will affect different SOC functions. · [35:00] Is it too late to get involved? · [36:29] CSA's AI Safety Initiative. · [38:52] What's next? Notable Quotes: · “There is no way this thing is not going to change the world.” · “The benefit that you're going to get out of LLMs internally is going to be phenomenal.” · “It doesn't matter whether you get in now or in six months.” Relevant Links: LinkedIn: Caleb Sima. Resources: Skipping College Pays Off For Few Teen Techies; llm-attacks.org
Cloud security is essential to safeguarding sensitive data and ensuring the reliability of digital services in an increasingly interconnected and data-driven world. In this episode, Sean Heide shares some of the top threats to cloud computing that he's seeing as technical research director at the Cloud Security Alliance. Resources: CSA's 2022 Top Threats to Cloud Computing report; CIS Critical Security Controls; Shared Responsibility Model in the Age of Cloud
Earlier this year Cloud Security Alliance covered the big debate around should you buy or build for your Cyber Asset Attack Surface Management (CAASM) solution. As luck would have it, Ken Liao recently reached out to me regarding the new company that he works for who handles this very topic. In this episode I had a chance to talk with Sevco Security's Chief Strategy Officer, Brian Contos, on this very topic. The timeliness is very apt, as Gartner recently named CAASM as an emerging technology that enables security teams to solve persistent asset visibility and vulnerability changes. Talking Points: What is Asset Intelligence? How has it evolved; Various Use Cases; Where it's heading (Security, IT Ops, Risk Management); Is 4D Intelligence more than just marketing fluff. Episode Sponsor: This episode is sponsored by Sevco Security. Sevco Security is a CAASM security vendor based out of Austin, Texas. Episode Charity: This episode's charity is Latinas in Cyber. LAIC is focused on continuing to break barriers and open paths for those who chose to pursue careers in cybersecurity. Our mission is to empower through mentorship, networking, support, and representation.
Rich Mogull, SVP of Cloud Security at FireMon, joins Corey on Screaming in the Cloud to discuss his career in cybersecurity going back to the early days of cloud. Rich describes how he identified that cloud security would become a huge opportunity in the early days of cloud, as well as how cybersecurity parallels his other jobs in aviation and emergency medicine. Rich and Corey also delve into the history of Rich's involvement in the TidBITS newsletter, and Rich unveils some of his insights into the world of cloud security as a Gartner analyst.
About Rich: Rich is the SVP of Cloud Security at FireMon where he focuses on leading-edge cloud security research and implementation. Rich joined FireMon through the acquisition of DisruptOps, a cloud security automation platform based on his research while as CEO of Securosis. He has over 25 years of security experience and currently specializes in cloud security and DevSecOps, having started working hands-on in cloud over 12 years ago. He is also the principal course designer of the Cloud Security Alliance training class, primary author of the latest version of the CSA Security Guidance, and actively works on developing hands-on cloud security techniques. Prior to founding Securosis and DisruptOps, Rich was a Research Vice President at Gartner on the security team. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator. Rich is the Security Editor of TidBITS and a frequent contributor to industry publications. He is a frequent industry speaker at events including the RSA Security Conference, Black Hat, and DefCon, and has spoken on every continent except Antarctica (where he's happy to speak for free -- assuming travel is covered).
Links Referenced: FireMon: https://www.firemon.com/
- Twitter: https://twitter.com/rmogull
- Mastodon: https://defcon.social/@rmogull
- FireMon Blogs: https://www.firemon.com/blogs/
- Securosis Blogs: https://securosis.com/blog

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. My guest today is Rich Mogull, SVP of Cloud Security over at FireMon now that I'm a bit too old to be super into Pokémon, so I forget which one that is. Rich, thanks for joining me. I appreciate it.

Rich: Thank you. Although I think we need to be talking more Digimon than Pokémon. Not that I want to start a flame war on the internet in the first two minutes of the conversation.

Corey: I don't even have the level of insight into that. But I will say one of the first areas where you came to my notice, which I'm sure you'll blame yourself for later, is that you are the security editor behind TidBITS, which is, more or less, an ongoing newsletter longer than I've been in the space, to my understanding. What is that, exactly?

Rich: So, TidBITS is possibly the longest-running—one of the longest-running newsletters on the internet these days and it's focused on all things Apple. So, TidBITS started back in the very early days as kind of more of an email, I think like, 30 years ago or something close to that.
And we just write a lot about Apple and I've been reading about Apple security there.

Corey: That's got to be a bit of an interesting experience compared to my writing about AWS because people have opinions about AWS, particularly, you know, folks who work there, but let's be clear, there is nothing approaching the zealotry, I think I want to call it, of certain elements of the Apple ecosystem whenever there is the perception of criticism about the company that they favor. And I want to be clear here to make sure I don't get letters myself for saying this: if there's an Apple logo on a product, I will probably buy it. I have more or less surrounded myself with these things throughout the course of the last ten years. So, I say this from a place of love, but I also don't wind up with people threatening me whenever I say unkind things about AWS unless they're on the executive team.

Rich: So, it's been a fascinating experience. So, I would say that I'm on the tail end of being involved with kind of the Mac journalist community. But I've been doing this for over 15 years is kind of what I first started to get involved over there. And for a time, I wrote most of the security articles for Macworld, or a big chunk of those, I obviously was writing over a TidBITS. I've been very lucky that I've never been on the end of the death threats and the vitriol in my coverage, even though it was balanced, but I've also had to work a lot—or have a lot of conversations with Apple over the years.

And what will fascinate you is at what point in time, there were two companies in the world where I had an assigned handler on the PR team, and one was Apple and then the other was AWS. I will say Apple is much better at PR than [laugh] AWS, especially their keynotes, but we can talk about re:Invent later.

Corey: Absolutely. I have similar handlers at a number of companies, myself, including of course, AWS. Someone has an impossible job over there. But it's been a fun and exciting world.
You're dealing with the security side of things a lot more than I am, so there's that additional sensitivity that's tied to it.

And I want to deviate for a second here, just because I'm curious to get your take on this given that you are not directly representing one of the companies that I tend to, more or less, spend my time needling. It seems like there's a lot of expectation on companies when people report security issues to them, that you're somehow going to dance to their tune and play their games the entire time. It's like, for a company that doesn't even have a public bug bounties process, that feels like it's a fairly impressively high bar. On some level, I could just report this via Twitter, so what's going on over there? That feels like it's very much an enterprise world expectation that probably means I'm out of step with it. But I'm curious to get your take.

Rich: Out of step with which part of it? Having the bug bounty programs or the nature of—

Corey: Oh, no. That's beside the point. But having to deal with the idea of oh, an independent security researcher shows up. Well, now they have to follow our policies and procedures. It's in my world if you want me to follow your policies and procedures, we need a contract in place or I need to work for you.

Rich: Yeah, there is a long history about this and it is so far beyond what we likely have time to get into that goes into my history before I even got involved with dealing with any of the cloud pieces of it. But a lot about responsible disclosure, coordinated disclosure, no more free bugs, there's, like, this huge history around, kind of, how to handle these pieces. I would say that the core of it comes from, particularly in some of the earlier days, there were researchers who wanted to make their products better, often as you criticize various things, to speak on behalf of the customer. And with security, that is going to trigger emotional responses, even among vendors who are a little bit more mature.
Give you an example, let's talk about Apple.

When I first started covering them, they were horrific. I actually, some of the first writing I did that was public about Apple was all around security and their failures on security disclosures and their inability to work with security researchers. And they may struggle still, but they've improved dramatically with researcher programs, and—but it was iterative; it really did take a cultural change. But if you really want to know the bad stories, we have to go back to when I was writing about Oracle when I was a Gartner analyst.

Corey: Oh, dear. I can only imagine how that played out. They have been very aggressive when it comes to smacking down what they perceive to be negative coverage of anything that they decide they like.

Rich: Yeah, you know, if I would look at how culturally some of these companies deal with these things when I was first writing about some of the Oracle stuff—and remember, I was a Gartner analyst, not a vulnerability researcher—but I'm a hacker; I go to Blackhat and DEF CON. I'm friends with the people who are smarter than me at that or have become friends with them over the years. And I wrote a Gartner research note saying, “You probably shouldn't buy any more Oracle until they fix their vulnerability management process.” That got published under the Gartner name, which that may have gotten some attention and created some headaches and borderline legal threats and shade and all those kinds of things. That's an organization that looks at security as a PR problem. Even though they say they're more secure, they look at security as a PR problem. There are people in there who are good at security, but that's different. Apple used to be like that but has switched. And then Amazon is… learning.

Corey: There is a lot of challenge around basically every aspect of communication because again, to me, a big company is one that has 200 people.
I think that as soon as you wind up getting into the trillion-dollar company scale, everything you say gets you in trouble with someone, somehow, somewhere, so the easiest thing to do is to say nothing. The counterpoint is that on some point of scale, you hit a level where you need a fair bit of scrutiny; it's deserved at this point because you are systemically important, and them's the breaks.

Rich: Yeah, and they have improved. A lot of the some of the larger companies have definitely improved. Microsoft learned a bunch of those lessons early on. [unintelligible 00:07:33] the product in Azure, maybe we'll get there at some point. But you have to—I look at it both sides a little bit.

On the vendor side, there are researchers who are unreasonable because now that I'm on the vendor side for the first time in my career, if something gets reported, like, it can really screw up plans and timing and you got to move developer resources. So, you have outside influences controlling you, so I get that piece of it. But the reality is if some researcher discovered it, some China, Russia, random criminals are going to discover it. So, you need to deal with those issues. So, it's a bit of control. You lose control of your messaging and everything; if marketing gets their hands in this, then it becomes ugly.

On the other hand, you have to, as a vendor, always realize that these are people frequently trying to make your products better. Some may be out just to extort you a little bit, whatever. That's life. Get used to it. And in the end, it's about putting the customers first, not necessarily putting your ego first and your marketing first.

Corey: Changing gears slightly because believe it or not, neither you nor I have our primary day jobs focused on, you know, journalism or analyst work or anything like that these days, we focus on these—basically cloud, for lack of a better term—through slightly different lenses.
I look at it through cost—which is of course architecture—and you look at it through the lens of security. And I will point out that only one of us gets called at three in the morning when things get horrible because of the bill is a strictly business-hours problem. Don't think that's an accident as far as what I decided to focus on. What do you do these days?

Rich: You mean, what do I do in my day-to-day job?

Corey: Well, it feels like a fair question to ask. Like, what do you do as far as day job, personal life et cetera. Who is Rich Mogull? You've been a name on the internet for a long time; I figured we'd add some color and context to it.

Rich: Well, let's see. I just got back from a flying lesson. I'm honing in on my getting ready for my first solo. My side gig is as a disaster response paramedic. I dressed up as a stormtrooper for the 501st Legion. I've got a few kids and then I have a job. I technically have two jobs. So—

Corey: I'm envious of some of those things. I was looking into getting into flying but that path's not open to me, given that I have ADHD. And there are ways around it in different ways. It's like no, no, you don't understand. With my given expression of it, I am exactly the kind of person that should not be flying a plane, let's be very clear here. This is not a regulatory thing so much as it is a, “I'm choosing life.”

Rich: Yeah. It's a really fascinating thing because it's this combination of a physical and a mental challenge. And I'm still very early in the process. But you know, I cracked 50, it had always been a life goal to do this, and I said, “You know what? I'm going to go do it.”

So, first thing, I get my medical to make sure I can actually pass that because I'm over 50, and then from there, I can kind of jump into lessons.
Protip though: don't start taking lessons right as summer is kicking in in Phoenix, Arizona, with winds and heat that messes up your density altitude, and all sorts of fun things like that because it's making it a little more challenging. But I'm glad I'm doing it.

Corey: I have to imagine. That's got to be an interesting skill set that probably doesn't have a huge amount of overlap with the ins and outs of the cloud business. But maybe I'm wrong.

Rich: Oh God, Corey. The correlations between information security—my specialty, and cloud security as a subset of that—aviation, and emergency medicine are incredible. These are three areas with very similar skill sets required in terms of thought processes. And in the case of both the paramedic and aviation, there's physical skills and mental skills at the same time. But how you look at incidents, how you process things algorithmically, how you—your response times, checklists, the correlations.

And I've been talking about two of those three things for years. I did a talk a couple years ago, during Covid, my Blackhat talk on the “Paramedics Guide to Surviving Cybersecurity,” where I talked a lot about these kinds of pieces. And now aviation is becoming another part of that. Amazing parallels between all three. Very similar mindsets are required.

Corey: When you take a look at the overall sweep of the industry, you've been involved in cloud for a fairly long time. I have, too, but I start off as a cynic. I started originally when I got into the space, 2006, 2007, thinking virtualization was a flash in the pan because of the security potential impact of this. Then cloud was really starting to be a thing and pfff, that's not likely to take off. I mean, who's going to trust someone else to run all of their computing stuff?

And at this point, I've learned to stop trying to predict the future because I generally get it 180 degrees wrong, which you know, I can own that.
But I'm curious what you saw back when you got into this that made you decide, yeah, cloud has legs. What was that?

Rich: I was giving a presentation with this guy, Chris Hoff, a good friend of mine. And Chris and I joined together our individual kind of research threads and were talking about, kind of, “Disruptive Innovation and the Future of Security.” I think that was the title. And we get that at RSA, we gave that at SOURCE Boston, start kind of doing a few sessions on this, and we talked about grid computing.

And we were looking at, kind of, the economics of where things were going. And very early, we also realized that on the SaaS side, everybody was already using cloud; they just didn't necessarily know it and they called them Application Service Providers. And then the concepts of cloud in the very early days were becoming compelling. It really hit me the first time I used it.

And to give you perspective, I'd spent years, you know, seven years as a Gartner analyst getting hammered with vendors all the time. You can't really test those technologies out because you can never test them in a way that an enterprise would use them. Even if I had a lab, the lab would be garbage; and we know this. I don't trust things coming out of labs because that does not reflect operational realities at enterprise scale. Coming out of Gartner, they train me to be an enterprise guy. You talk about a large company being 200? Large companies start at 3000 to 5000 employees.

Corey: Does that map to cloud services the way that AWS expresses? Because EKS, you're going to manage that differently in an enterprise environment—or any other random AWS service; I'm just picking EKS as an example on this. But I can spin up a cluster and see what it's like in 15 minutes, you know, assuming the cluster gets with the program.
And it's the same type of thing I would use in an enterprise, but I'm also not experiencing it in the enterprise-like way with the processes and the gating and the large team et cetera, et cetera, et cetera. Do you think it's still a fair comparison at that point?

Rich: Yeah, I think it absolutely is. And this is what really blew my mind. 11 or 12 years ago, when I got my first cloud account setup. I realized, oh, my God. And that was, there was no VPC, there was no IAM. It was ephemeral—and—no, we just had EBS was relatively new, and IAM was API only, it wasn't in the console yet.

Corey: And the network latency was, we'll charitably call it non-deterministic.

Rich: That was the advantage of not running anything at scale, wasn't an issue at the time. But getting the hands-on and being able to build what I could build so quickly and easily and with so little friction, that was mind-blowing. And then for me, the first time I've used security groups I'm like, “Oh, my God, I have the granularity of a host firewall with the manageability of a network firewall?” And then years later, getting much deeper into how AWS networking and all the other pieces were—

Corey: And doesn't let it hit the host, which I always thought a firewall that lets—

Rich: Yes.

Corey: —traffic touch the host is like a seatbelt that lets your face touch the dashboard.

Rich: Yeah. The first thing they do, they go in, they're going to change the rules. But you can't do that. It's those layers of defense. And then I'm finding companies in the early days who wanted to put virtual appliances in front of everything. And still do. I had calls last week about that.

But those are the things that really changed my mind because all of a sudden, this was what the key was, that I didn't fully realize—and it's kind of something that's evolved into something I call the ‘Grand Unified Theory of Cloud Governance,' these days—but what I realized was those barriers are gone.
And there is no way to stop this as people want to build and test and deploy applications because the benefits are going to be too strong. So, grab onto the reins, hold on to the back of the horse, you're going to get dragged away, and it's your choice if your arm gets ripped off in the process or if you're going to be able to ride that thing and at least steer it in the general direction that you need it to go in.

Corey: One of the things that really struck me when I started playing around with cloud for more than ten minutes was everything you say is true, but I can also get started today to test out an idea. And most of them don't work, but if something hits, suddenly I don't have the data center constraints, whereas today, I guess you'd call it, I built my experiment MVP on top of a Raspberry Pi and now I have to wait six weeks for Dell to send me something that isn't a piece of crap that I can actually take production traffic on. There's no okay, and I'll throw out the junky hardware and get the good stuff in once you start hitting a point of scale because you're already building on that stuff without the corresponding massive investment of capital to get there.

Rich: Yeah well, I mean, look, I lived this, I did a startup that was based on demos at a Blackhat—sorry, at a Blackhat. Blackhat. Did some demos on stage, people were like, “We want your code.” It was about cloud security automation. That led to doing your startup, the thing called DisruptOps, which got acquired, and that's how I ended up at FireMon. So, that's the day job route where I ended up.

And what was amazing for that is, to add on to what you said, first of all, the friction was low; once we get the architecture right, scalability is not something we are hugely concerned with, especially because we're CI/CD. Oh, no, we hit limits. Boom, let's just stand up a new version and redirect people over there. Problem solved.
And then the ability to, say, run multiple versions of our platform simultaneously? We're doing that right now. We just had to release an entirely free version of it.

To do that. It required back-end architectural changes for cost, not for scalability so much, but for a lot around cost and scheduling because our thing was event-driven, we're able to run that and run our other platform fully in parallel, all shared data structures, shared messaging structures. I can't even imagine how hard that would have not been to do in a traditional data center. So, we have a lot of freedom, still have those cost constraints because that's [laugh] your thing, but the experimentation, the ability to integrate things, it's just oh, my God, it's just exciting.

Corey: And let's be clear, I, having spent a lot of time as a rat myself in these data centers, I don't regret handing a lot of that responsibility off, just because, let's not kid ourselves, they are better at replacing failed or failing hardware than I will ever be. That's part of the benefit you get from the law of large numbers.

Rich: Yeah. I don't want to do all of that stuff, but we're hovering around something that is kind of—all right, so former Gartner analyst means I have a massive ego, and because of that, I like to come up with my own terms for things, so roll with me here. And it's something I'm calling the ‘Grand Unified Theory of Cloud Governance' because you cannot possibly get more egotistical than referring to something as your solution to the biggest problem in all of physics. The idea is, is that cloud, as we have just been discussing, it drops friction and it decentralizes because you don't have to go ask somebody for the network, you don't have to ask somebody for the server. So, all of a sudden, you can build a full application stack without having to call somebody for help.
We've just never had that in IT before.

And all of our governance structures—and this includes your own costs, as well as security—are built around scarcity. Scarcity of resources, natural choke points that evolved from the data center. Not because it was bad. It wasn't bad. We built these things because that's what we needed for that environment at the data center.

Now, we've got cloud and it's this whole new alien technology and it decentralizes. That said, particularly for us on security, you can build your whole application stack, of course, we have completely unified the management interfaces in one place and then we stuck them on the internet, protected with nothing more than a username and password. And if you can put those three things together in your head, you can realize why these are such dramatic changes and so challenging for enterprises, why my kids get to go to Disney a fair bit because we're in demand as security professionals.

Corey: What does FireMon do exactly? That's something that I'm not entirely up to speed on, just because please don't take this the wrong way, but I was at RSA this year, and it feels like all the companies sort of blend together as you walk between the different booths. Like, “This is what you should be terrified of today.” And it always turns into a weird sales pitch. Not that that's what you do, but it at some point just blinds me and overloads me as far as dealing with any of the cloud security space.

Rich: Oh, I've been going to RSA for 20 years. One of our SEs, I was briefly at our booth—I'm usually in outside meetings—and he goes, “Do you see any fun and interesting?” I go—I just looked at him like I was depressed and I'm like, “I've been to RSA for 20 years. I will never see anything interesting here again. Those days are over.” There's just too much noise and cacophony on that show floor.

What do we do? So—

Corey: It makes re:Invent's Expo Hall look small.

Rich: Yeah. I mean, it's, it's the show over at RSA.
And it wasn't always. I mean, it was—it's always been big as long as I've been there, but yeah, it's huge, everyone is there, and they're all saying exactly the same thing. This year, I think the only reason it wasn't all about AI is because they couldn't get the printers to reprint the banners fast enough. Not that anybody has any products that would do anything there. So—you look like you want to say something there.

Corey: No, no. I like the approach quite a bit. It's the, everything was about AI this year. It was a hard pivot from trying to sell me a firewall, which it seems like everyone was doing in the previous year. It's kind of wild. I keep saying that there's about a dozen companies that exhibit at RSA. A guess, there are hundreds and hundreds of booths, but it all distills down to the same 12 things. They have different logos and different marketing stories, but it does seem like a lot of stuff is very much just like the booth next to it on both sides.

Rich: Yeah. I mean, that's—it's just the nature. And part of—there's a lot of reasons for this. We used to, when I was—so prior to doing the startup thing and then ending up at FireMon, I did Securosis, which was an analyst firm, and we used to do the Securosis guide to RSA every year where we would try and pick the big themes. And the reality is, there's a reason for that.

I wrote something once the vendors lied to you because you want them to. It's the most dysfunctional relationship because as customers, you're always asking, “Well, what are you doing for [unintelligible 00:22:16]? What are you doing for zero trust? What are you doing for AI?” When those same customers are still just working on fundamental patch management and firewall management.
But it doesn't stop them from asking the questions and the vendors have to have answers because that's just the nature of that part of the world.

Corey: I will ask you, over our past 12 years—I have my own thoughts on this, but I want to hear your take on it—what's changed in the world of cloud security?

Rich: Everything. I mean, I was one of the first to be doing this.

Corey: Oh, is that all?

Rich: Yeah. So, there's more people. When I first started, very few people doing it, nobody knew much about it outside AWS, we all knew each other. Now, we've got a community that's developed and there's people that know what they're doing. There's still a shortage of skills, absolutely still a shortage of skills, but we're getting a handle on that, you know? We're getting a bit of a pipeline.

And I'd say that's still probably the biggest challenge faced. But what's improved? Well, it's a give-and-take. On one hand, we now have strategies, we have tools that are more helpful, unfortunately—I'll tell you the biggest mistake I made and it ties to the FireMon stuff in my career, in a minute; relates directly to this question, but we're kind of getting there on some of the tool pieces.

On the other hand, that complexity is increasing faster. And that's what's made it hard. So, as much as we're getting more skilled people, better at tooling, for example, we kind of know—and we didn't have CloudTrail when I started. We didn't have the fundamental things you need to actually implement security at the start of cloud. Most of those are there; they may not be working the way we wish they always worked, but we've got the pieces to assemble it, depending on which platform you're on. That's probably the biggest change.
Now, we need to get into the maturity phase of cloud, and that's going to be much more difficult and time-consuming to kind of get over that hump.

Corey: It's easy to wind up saying, “Oh, I saw the future so clearly back then,” but I have to ask, going back 12 years, the path the world would take was far from certain. Did you have doubts?

Rich: Like, I had presented with Chris Hoff. We—we're still friends—presented stuff together, and he got a job that was kind of clouding ancillary. And I remember calling him up once and going, “Chris, I don't know what to do.” I was running my little analyst firm—little. We were doing very, very well—I could not get paid to do any work around cloud.

People wanted me to write shitty papers on DLP and take customer inquiries on DLP because I had covered that at the Gartner days, and data encryption and those pieces. That was hard. And fortunately, a few things started trickling in. And then it was a flood. It completely changed our business and led to me, you know, eventually going down into the vendor path. But that was a tough day when I hit that point. So, absolutely I knew it was the future. I didn't know if I was going to be able to make a living at it.

Corey: It would seem that you did.

Rich: Yeah. Worked out pretty well [laugh].

Corey: You seem sprightly to me. Good work. You're not on death's door.

Rich: No. You know, in fact, the analyst side of it exploded over the years because it turns out, there weren't people who had this experience. So, I could write code to the APIs, but they'll still talk with CEOs and boards of directors around these cloud security issues and frame them in ways that made sense to them. So, that was wonderful. We partnered up with the Cloud Security Alliance, I actually built a bunch of the CSA training, I wrote the current version of the CSA guidance, we're writing the next version of that, did a lot of research with them. They've been a wonderful partner.

So, all that went well.
Then I got diverted down onto the vendor path. I had this research idea and then it came out, we ended up founding that as a startup and then it got, as I mentioned, acquired by FireMon, which is interesting because FireMon, you asked what we did, it's firewall policy management is the core of the company. Yet the investors realize the company was not going in the right direction necessarily, to deal with the future of cloud. They went to their former CEO and said, “Hey, can you come back”—the founder of the company—“And take this over and start moving us in the right direction?”

Well, he happened to be my co-founder at the startup. And so, we kind of came in and took over there. And so, now it's a very interesting position because we have this one cloud-native thing we built for all these years. We made one mistake with that, which I'll talk about which ties back to your predicting the future piece if you want to go into it, but then we have the network firewall piece now extending into hybrid, and we have an asset management moving into the attack surface management space as well. And both of those products have been around for, like, 15-plus years.

Corey: No, I'm curious to your thoughts on it because it's been one of those weird areas where there's been so much change and so much evolution, but you also look at today's “OWASP Top 10” list of vulnerabilities, and yeah, they updated a year or so ago, but it still looks basically like things that—from 2008—would have made sense to me when I'm looking at this. Well, insomuch as they do now. I didn't know then, nor do I now what a cross-site scripting attack might be, but other than that, I find that there's, “Oh, you misconfigured something and it winds up causing a problem.” Well, no kidding. Imagine that.

Rich: Yeah. Look, the fundamentals don't change, but it's still really easy to screw up.

Corey: Oh, having done so a lot, I believe you.

Rich: There's a couple of principles, and I'll break it into two sides.
One is, a lot of security sounds simple. There's nothing simple at scale. Nothing simple scales. The moment you get up to even 200 employees, everything just becomes ridiculously harder. That's the nature of reality. Simplicity doesn't scale.

The other part is even though it's always the same, it's still easy to think you're going to be different this time and you're not going to screw it up, and then you do. For example, so cloud, we were talking about the maturity. I assumed CSPM just wasn't going to be a thing. For real. The Cloud Security Posture Management. Because why would the cloud providers not just make that problem go away and then all the vulnerability assessment vendors and everybody else? It seemed like it was an uninteresting problem.

And yet, we were building a cloud security automation thing and we missed the boat because we had everything we needed to be one of the very first CSPM vendors on the market and we're like, “No, no. That problem is going to go away. We'll go there.” And it ties back to what you said, which is it's the same stuff and we just outsmarted ourselves. We thought that people would go further faster. And they don't and they aren't.

And that's kind of where we are today. We are dramatically maturing. At the same time, the complexity is increasing dramatically. It's just a huge challenge for skills and staffing to adjust governance programs. Like I think we've got another 10 to 20 years to go on this cloud security thing before we even get close. And then maybe we'll get down to the being bored by the problems. But probably not because AI will ruin us.

Corey: I'd like to imagine, on some level, that AI could be that good. I mean, don't get me wrong. It has value and it is transformative for a bunch of things, but I also think a lot of the fear-mongering is more than a little overblown.

Rich: No, I agree with you.
I'm trying to keep a very close eye on it because—I can't remember if you and I talked about this when we met face-to-face, or… it was somebody at that event—AI is just not just AI. There's different. There's the LLMs, there's the different kinds of technologies that are involved. I mean, we use AI all over the place already.

I mean my phone's got it built in to take better pictures. It's a matter of figuring out what the use cases and the, honestly, some of the regulatory structure around it in terms of copyright and everything else. I'm not worried about Clippy turning into Skynet, even though I might make jokes about that on Mastodon, maybe someday there will be some challenges, but no, it's just going to be another tech that we're going to figure out over time. It is disruptive, so we can't ignore that part of it.

Corey: I really want to thank you for taking the time to speak with me. If people want to learn more, where's the best place to find you that isn't one of the Disney parks?

Rich: That really is kind of the best place to find—no. So, these days, I do technically still have a Twitter presence at @rmogull. I'm not on there much, but I will get DMs if people send those over. I'm more on Mastodon. It's at @rmogull defcon.social. I write over at FireMon these days, as well as occasionally still over Securosis, on those blogs. And I'm in the [Cloud Security Slack community 00:30:49] that is now under the banner for CloudSec. That's probably the best place if you want to hit me up and get quick answers on anything.

Corey: And I will, of course, include links to all of that in the show notes. Thank you so much for taking the time to speak with me today. I really appreciate it.

Rich: Thanks, Corey. I was so happy to be here.

Corey: Rich Mogull, SVP of Cloud Security at FireMon. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud.
If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment talking about how at Dell these days, it does not take six weeks to ship a server. And then I will get back to you in six to eight weeks.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
“When we test cars no one would ever say that a brake test replaces a safety belt test. That would be silly. But when you get into software, sometimes people go, oh well I ran one tool. Why do I need these other ones? It's because you're testing different things. Maybe we do a disservice to our people that we work with of not clearly explaining that in understandable ways. You can say ‘Software component analysis’ which makes sense to people in our industry. But if you're an executive may not make any sense.”

In this episode we hear from Dennis Hurst, the Founder and President of Saltworks Security.

He's been an application security leader since the earliest days of the industry. With over 30 years of experience across the entire software development lifecycle, he has helped launch startups and traveled the globe to aid multinational enterprises in successfully implementing their application security programs. Dennis is a recognized and trusted advisor for Fortune 500 companies that span multiple industries and concerns.

Dennis is a founding member of the Cloud Security Alliance where he co-authored the first two versions of its Application Security guidelines. He is also a contributor and advocate for the Open Web Application Security Project.

Rate and review the show on Apple Podcasts. Share the show with others in the cybersecurity world. Get in touch via reimaginingcyber@gmail.com
This week on Ask A CISO Podcast, Dr. Lee Hing Yan, Executive Vice President at Cloud Security Alliance Government Affairs, joins host Jonar Marzan, Cyber Strategy Consultant at Horangi, to talk about the Cloud Controls Matrix (CCM), Cloud Security Alliance and what it does, and how they seek to educate users to use the cloud securely.

About Horangi Cybersecurity
More information about the Ask A CISO podcast: https://www.horangi.com/resources/ask-a-ciso-podcast
About Horangi Cyber Security: https://www.horangi.com

About the Guests
Dr. Lee's LinkedIn: https://sg.linkedin.com/in/hing-yan-lee-b8a42b
Website: https://cloudsecurityalliance.org/
In this episode of the We Hack Purple podcast host Tanya Janca met with Frank from Phoenix Security in the UK! We talked about this latest white paper ‘SLAs are Dead, Long Live SLAs!’, how AppSec folks aren't necessarily ‘great’ at maintaining their own SLAs, and how to empower a team to do their own governance and be responsible for their own risk. We talked about how to figure out the security maturity model you are looking for, and what kind of language we can use to help a client decide it for themselves. We also talked about how to get several industry experts to work on the same document together: spoiler alert, it's hard! Listen to hear more!

The White Paper: SLAs are Dead, Long Live SLAs! Data Driven Vulnerability Management
Frank's Podcast: Cyber Security and Cloud Podcast

Several MORE White Papers from Phoenix Security:
Priority: https://phoenix.security/whitepapers-resources/vulnerability-management-in-application-cloud-security/
Vulnerability management and regulation: https://phoenix.security/whitepapers-resources/whitepaper-vulnerability-management-in-application-cloud-security/

Upcoming Webinars with Frank!
16/02 - 4m GMT - Brooks Shoenfield - SLA, application security and data driven programs: https://youtube.com/live/dfANH8WKavY?feature=share
22/2 - 5 PM GMT - Chris Romeo - Data Driven Application security programs, how to measure maturity and scale: https://youtube.com/live/wqlC-cClqYE?feature=share

Frank's Bio:
Francesco is a seasoned entrepreneur, CEO of the Application Security Risk based posture management Appsec Phoenix, author of several books, host of multi award Cyber Security & Cloud Podcast, speaker and known in the cybersecurity industry and recognized for his visionary views. He currently serves as Chapter Chair UK&I of the Cloud Security Alliance. Previously, Francesco headed the application and cloud security at HSBC and was Senior Security Consultant at AWS. Francesco has been keynoting at global conferences and has authored and co-authored a number of books. Outside of work, you can find me running marathons, snowboarding on the Italian slopes, and enjoying single malt whiskeys in one of my favourite London clubs.

Very special thanks to our sponsor: Phoenix Security!
Phoenix Security ingests data from any security tool, cloud, or code, correlates vulnerabilities, contextualizes, prioritizes and translates into risk. Phoenix Algorithm selects the subset of vulnerabilities more likely to get exploited in the next 30 days, delivering them to the engineers' backlog. From Code to cloud contextualize, Prioritize enables security engineers to act on the risk that matters most without burning out.

Join We Hack Purple!
Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find We Hack Purple Podcast, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:
- IBM's and Ponemon's annual Cost of a Data Breach Report summary, analysis, and implications for healthcare
- Updated NIST guidance on HIPAA compliance approaches and expected practices
- Facebook (Meta) and healthcare providers targeted with multiple lawsuits over health data privacy practices
- GAO report warns of catastrophic financial loss due to cyber insurers backing out of covering damages from cyberattacks
- $100m cost reported for Tenet Healthcare's 2022 cyberattack
- Major breaches with healthcare vendors OneTouchPoint and Avamere impacting more than 1.5m people
- Cloud Security Alliance weighs in on third-party risk management in healthcare
- Large-scale cyberattack campaign targeting over 10,000 organizations in phishing and financial fraud scheme
- HHS Health Sector Cybersecurity Coordination Center alert about an increase in web application attacks on the healthcare sector
- New ransomware task force report targeting government interventions to disrupt ransomware attacks
- OCR issues 11 new financial penalties over HIPAA Right of Access failures
This episode talks about some exciting news for the Security In Five and your host's new roles. Cloud Security Alliance of MN - https://www.csamn.com/ Be aware, be safe.
After the RSA showroom floor proved zero trust's popularity as a buzzword, how will its tenets be solidified and standardized to separate true adherents from charlatans? To find out, host Sean Cordero welcomes John Yeoh, global vice president of research at the Cloud Security Alliance, and Lauren Wise, senior director, global executive advisory at Zscaler, to discuss the recently announced Zero Trust Advancement Center and its mission to become the vendor-agnostic industry "North Star" for the strategies and solutions that make up zero trust cybersecurity.
Top threats of 2022, Corel acquires Awingu, Cerebras Systems on AI compute in the cloud, and more.
- Cloud Security Alliance's top threats of 2022
- Microsoft 365 function leaves SharePoint, OneDrive files open to ransomware attacks
- Cisco Live announcement about AppDynamics
- Ransomware gang creates a site for employees to search for their stolen data
- Corel acquires Awingu
- Cerebras Systems Founder and CEO Andrew Feldman on high-performance AI Compute in the cloud
Hosts: Louis Maresca, Brian Chee, and Curt Franklin
Guest: Andrew Feldman
Download or subscribe to this show at https://twit.tv/shows/this-week-in-enterprise-tech.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
Sponsors: CDW.com/IntelClient, nureva.com, linode.com/twiet