Afternoon Cyber Tea with Ann Johnson
Episode: The Best of Afternoon Cyber Tea 2025
Date: January 6, 2026
Episode Overview
In this special "Best of" episode, Ann Johnson gathers highlights from pivotal conversations throughout 2025, showcasing thought leaders, CISOs, academics, and industry storytellers. The episode reflects on how the cybersecurity industry has moved from theorizing about future threats and technology shifts to living them, focusing less on predictions and more on actionable responses. Across discourse on psychological safety, risk and resilience, transparent communication, community, and the ever-persistent "human element," guests share candid insights on leading and thriving in an era shaped by technological transformation and relentless cyber threats.
Key Discussion Points & Insights
1. Psychological Safety: The Bedrock of Cyber Teams
Guest: Amy Edmondson, Novartis Professor of Leadership and Management, Harvard Business School
- Definition & Importance: Psychological safety is not about comfort, but about a culture where people can raise concerns, dissenting views, or mistakes without fear (02:06).
- “The term itself has a kind of implication of comfortable and cozy and nice, and that's just not what it is… it describes a climate in which people believe their voice is welcome…” – Amy Edmondson [02:06]
- Early Warning Signs: Lack of "bad news" or dissent is paradoxically the biggest red flag. Teams with true safety bring problems to the surface early.
- “If you are a leader of a team and you're hearing an awful lot of good news… that is probably a warning sign that you don't have enough psychological safety…” – Amy Edmondson [03:40]
- Leadership Role: When leaders openly acknowledge complexity and fragility, it legitimizes speaking up, making reality "discussable" and fostering resilience.
2. Strategy, Misconceptions, and Cross-Functional Collaboration
Guest: Christina Murillo, Head of Information Security, NY Giants
- Assessing Teams with Curiosity: Eschew checklists for active listening and understanding cultural nuances before shaping strategy (06:06).
- Security as Business Risk: A pervasive misconception is seeing cybersecurity as purely IT's job, when it's actually a strategic business risk (07:08).
- “The truth… is that [cybersecurity] is a business risk issue, not just a technical [one].” – Christina Murillo [07:12]
- Risk Communication: Storytelling around business impact, not just compliance or technical metrics, drives real organizational buy-in.
- “Risk isn't always about the math, it's about the story…” – Christina Murillo [08:52]
- NFL Community Collaboration: Success is rooted in community—frequent intel sharing and mutual support between information security leaders across all teams (10:35).
- “At the end of the day, we all have the same shared goal… protect our fans, protect our clubs, protect the overall league.” – Christina Murillo [10:50]
3. Transparent Communication & the Power of Narrative
Guest: Frank Shaw, Chief Communications Officer, Microsoft
- Communicating Cyber Risk: The challenge is to inform without inciting undue fear, tailoring messages for action not paralysis (12:13).
- Transparency in Crisis: Rapid, honest disclosure and sharing learnings enables others to benefit from mistakes and incidents (13:02).
- “Our ability to… talk about what has happened… in a way that allows others to learn from it is absolutely critical.” – Frank Shaw [12:58]
- AI’s Double-Edged Sword: AI accelerates response, but also increases crisis complexity and the velocity of misinformation.
- Behavior Change as a Metric: Internal friction—a sign that people must act differently—is proof that awareness campaigns are working (14:25).
- “I do look at that little friction in the system… as a good sign that we're landing our messages internally and that behavior has shifted.” – Frank Shaw [14:32]
- Localized Storytelling: Cultural differences must be respected—what works in one region may backfire elsewhere.
- Optimism Amid Crisis: Collaboration and the dedication of smart, driven people are sources of hope for Frank and the cyber community (16:55).
4. The Human Element in Industry Events
Guest: Dr. Hugh Thompson, Managing Partner at Crosspoint Capital Partners; Executive Chairman of RSA Conference
- Conference Planning: Building an inclusive conference begins 18 months out, with themes increasingly focused on "the human element" (18:55).
- “Cyber really comes down to people…the folks you're trying to protect, the defenders…or the attackers.” – Hugh Thompson [19:12]
- Programming for All Audiences: Balancing highly technical with broad, accessible sessions ensures wide appeal (20:07).
- Optimism from Community: The shared mission and care among attendees foster industry-wide optimism and progress (21:13).
- “You just can't [leave RSA Conference]…and not be optimistic about what we can accomplish if we band together as a community.” – Hugh Thompson [21:50]
5. Data Breach Fatigue and the Reality of Disclosure
Guest: Troy Hunt, Security Researcher, “Have I Been Pwned”
- Disclosure Dilemmas: Most organizations prioritize shareholder value above customer transparency, disclosing only when mandated (22:58, 25:23).
- The New Normal: Data breaches have become so routine the public risks apathy—what matters is resilience and structuring for the expectation of breaches.
- Human Factors in Security Failures: Even seasoned professionals get phished—attackers exploit stress, fatigue, and urgency (24:40).
- “I'm the Have I Been Pwned cybersecurity guy and I got phished earlier this year, like proper successfully phished... People have moments of weakness…” – Troy Hunt [24:45]
- The Power of Transparency: Sharing the truth, even mistakes, builds credibility and community trust.
- Regulatory Landscape: Actual obligations vary widely; legal requirements for disclosure are often more limited than people realize (25:23).
6. Storytelling, Empathy, and Changing Perspectives
Guest: Jack Rhysider, Creator & Host, Darknet Diaries
- Origins & Philosophy: The desire to fill a gap—sharing "old news" with narrative twists—drove Jack to start his podcast despite skepticism (27:46).
- “If I want to hear it, and it's not out there, I've got to make it myself.” – Jack Rhysider [27:49]
- Making Stories Relatable: The secret is in unpredictability—the critical “twists and turns” that mirror real-life complexity (29:15).
- Empathy for Attackers: Jack challenges listeners to look beyond binary morality, uncovering backstories that drive people’s choices (30:08).
- “What's my third reaction?…Tell me about your teenage years… and you start to get into this empathy situation…” – Jack Rhysider [30:22]
- Reality of Privacy: The asymmetry of data collection means the average person is far more exposed than they realize, but proactive privacy steps (burner info, fake names) can buffer against the inevitability of breaches (31:20).
- “What you think is safe isn't safe, and what you think is private isn't private…and all this sort of thing is growing.” – Jack Rhysider [31:45]
Notable Quotes
- Amy Edmondson [02:06]: “Psychological safety…describes a climate in which people believe their voice is welcome…where they believe they can take the interpersonal risks of speaking up with an idea, a question, a concern, a mistake, a dissenting view…”
- Christina Murillo [08:52]: “Risk isn't always about the math, it's about the story…your ability to tell the proper story.”
- Frank Shaw [14:32]: “That sense that I have to do something differently is a good sign that we're landing our messages internally and that behavior has shifted.”
- Hugh Thompson [21:50]: “You can't walk away from RSA Conference… and not be optimistic about what we can accomplish if we band together as a community.”
- Troy Hunt [24:45]: “I'm the Have I Been Pwned cybersecurity guy and I got phished earlier this year, like proper successfully phished…People have moments of weakness, you know, they're tired, they're rushed, they're concerned about losing something.”
- Jack Rhysider [30:22]: “What's my third reaction?…Tell me about your teenage years… and you start to get into this empathy situation…”
Timestamps for Important Segments
- [02:06] Amy Edmondson: Definition/importance of psychological safety
- [06:06] Christina Murillo: Aligning security strategy via curiosity
- [07:08] Murillo: Cybersecurity as a business risk, not an IT silo
- [12:13] Frank Shaw: Communication challenges in security
- [14:25] Shaw: Behavior change as a sign of effective awareness
- [18:55] Dr. Hugh Thompson: The RSA Conference’s human element theme
- [22:58] Troy Hunt: Breach fatigue and company disclosure priorities
- [24:45] Hunt: Even experts get phished – human factors
- [27:46] Jack Rhysider: Origin story of Darknet Diaries
- [29:15] Rhysider: Twist-driven storytelling
- [31:20] Rhysider: Privacy realities for average users
- [33:17] Ann Johnson: The year’s unifying themes and closing optimism
Memorable Moments
- Amy Edmondson’s insistence that if you're only hearing good news, you're missing signals and psychological safety might be lacking.
- Christina Murillo’s emphasis on community and relationships as critical to effective cyber defense—especially in a high-profile sports setting.
- Frank Shaw’s strategic patience: seeing internal “friction” as progress and a sign of change, and advocating transparency with an honest acknowledgement of that friction.
- Hugh Thompson describing the collective optimism that emerges from seeing passion-driven professionals unite.
- Troy Hunt’s candid ownership of being phished—underscoring that skill, not perfection, is the goal and transparency benefits all.
- Jack Rhysider’s exploration of empathy for both attackers and defenders, and his practical advice for reclaiming privacy in an era of routine breaches.
Ann Johnson’s Closing Reflections
(33:17)
2025, Ann observes, was less about new adversaries and more about a new response. The year’s best lesson: “The best cybersecurity strategy is not the one with the most advanced tooling. It is the one built by teams that trust each other, organizations that learn from failure, and leaders brave enough to ask for help.” She expresses optimism for the industry’s future—not due to technological advances alone, but from visible shifts in culture, transparency, team resilience, and the elevation of human beings as both solution and purpose.
