
A
You're listening to the CyberWire network powered by N2K. Welcome to Afternoon Cyber Tea, where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews and captivating stories to stay one step ahead. Welcome to Afternoon Cyber Tea. I'm Ann Johnson and today I am joined by Tony Sager, who is the Senior Vice President and Chief Evangelist at the Center for Internet Security, more commonly known as CIS. Tony works across strategic partnership and outreach efforts in the cybersecurity community and he is closely associated with the work behind the CIS Controls, a widely used consensus-based best practice for improving cyber defense. Tony, it's great to have you on Afternoon Cyber Tea.
B
Thanks, Ann. It's great to be here.
A
So, Tony, we're at this moment where cybersecurity feels more urgent and also more complicated. You have AI acceleration, there's growing software supply chain risk, there's a tremendous amount of geopolitical tension and increasing pressure on leaders to get security right. From your vantage point, what feels fundamentally different about today's security moment compared to even five or ten years ago?
B
Wow, five or ten. Well, I'm approaching 50 years in this. Just to let you know one thing I occasionally remind the team of. I saw this in some management thing, right? The rate of change we're experiencing now is the slowest it will ever be in our lifetimes. So everything is accelerated, the change is just getting faster. And I grew up in a world where we would count on the government. Is this technology safe for government use or private sector use? Well, they'll hire a room full of smart guys, sit there, study it for a year, then it'll come out, yes, it's safe or no, they need to fix this. No one's got time for that. So things are moving so quickly and we've become used to a world of both great opportunity, new capabilities, but we accept some level of flaws that are in it, and then every once in a while those flaws go from minor to on year, catastrophic. So that's really the difference is we don't have the time for kind of traditional approaches to giving ourselves confidence in software or systems or whatever is going on. And that's the world that we live in.
A
I think it's fair to say that for years we've been somewhat reactive in cyber. You said you've been doing it 50, I've been doing it 26. This is your finishing year. 26. But lately there's been this push to be much more proactive, much more secure by design, much more on the front foot. Right. And taking responsibility. Earlier in life cycle, we like to talk about shift left. We like to talk about a lot of things, however, the industry, we're talking about it, but the industry has been pretty slow to make that shift. Why do you think it is that we're being so slow to go from being more reactive or why is it so slow that, you know, from being more reactive to shifting to being more proactive?
B
Yeah, it's certainly true. You know, as I look back across the industry, the majority of it is there in reaction to flaws in protocols, bugs in software, in dealing with that and any other domain of risk in your life. Right. We learn prevention is more effective than reaction. And that's just a truism that happens to be true. But it's been really hard to get there because of the economics. So we have proven as social creatures, we will accept flawed software in exchange for much better features than we had before. And that just became part of the way we operate the industry. Right. And so it's a rational decision on the part of the vendor. They could study and scrub out bugs for another year, but they've missed the market. And my vendor friends will say things like, second to market is last to market. And that means exactly what it says. People expect the public is willing to pay for things sooner rather than later. I used to joke about, again, I grew up in a government world where you took your time. It may take 10 to 15 years to build a new radio for the US Army in the 70s and 80s. And now people are patient for 10 or 15 minutes. And whatever they see in the current headlines, well, I hold newspaper as though we read them now, but whatever new we want now. And no one's waiting for the government or a regulatory agency to tell them it's safe. They want to get into it right away. But this need to push earlier in the life cycle is really important. And it's because so much is at risk. It's just there is no economy without it. Right. There is no social life anymore without that. And so it's become so embedded in our way of life that it's fundamental to everything that we think, do or say. And so you have to say, what do we need to demand as citizens? What would be the sort of bare essentials that we'd expect in public safety or employee safety or financial safety? We just don't know the language for now. The IT stuff, cyber stuff is complicated. 
There's so many variables and so many things that can go wrong. And by design, it's a worldwide market. Most of our pieces don't come from sources that we know much about or that we can have much trust in. But that's the choice that we have made, I'd say implicitly rather than openly.
A
Yeah, well, it's a global economy. It's an IT economy. Right. And we're sitting here. I have a couple more questions about secure by design, but I just want to make a comment for the audience. We're sitting here live at RSAC 2026, which is the 35th anniversary of the RSA Conference. And the entire conference has been about AI and agentic, which means that we've not only been moving fast in the past five years, we're going to be moving at light speed in the next five years. People are going to be innovating, they're going to go into new markets, they're going to be bringing new products out and they're going to be trying to improve their productivity and their speed once again, acceleration with AI. With that in mind, secure by design, right? So we love to talk about secure by design as an industry. We've talked about it for several years. But it's hard, right? People will tell you that secure by design is hard. I have the sense that it's going to be getting harder because now you have agents, you have things that are essentially bots that you're saying, hey, these are now safe in our environment. Talk to me a little about why secure by design historically has been hard. And then if you have any perspective on why the agentic world is going to change it.
B
I mentioned the economics of prevention of problems, building them in. Everyone knows that that's wiser. I was around for the heyday of formalized computer security, which was in the 1980s. And there was a group that was associated with Fort Meade in my first career. And some of the biggest brains on earth worked through all those problems of secure operating systems. And the notion was if I could build a secure operating system, then all these good security properties would flow to the real life environments. And it was great technology, but it kind of ignored the market. That is, if it didn't run PowerPoint, no one was going to use it. If it didn't run Excel, it would never be in the marketplace. Right. So you have to start from why do people get computers? It's not because they want security, it's because they want features. And so they will focus on that. People also didn't realize the systemic problem. If you say, I'm going to study the security of this for a year, again, you lose market opportunity. Others, maybe with less incentives or less scruples, will enter that market ahead of you and take over. So it's a different kind of risk, right? So if the government is slow, others will fill that gap with even riskier things. So getting that in earlier is hard, but it also required a set of tools and analyses that we didn't have back in the 70s and 80s, you know, the ability to craft these kinds of things and have great confidence in their output. But the explosion, and this is, you know, before there was AI, there were all the, like you said, a worldwide IT market and the use of open source. So systems. In the old, I'll call it old days, you wrote software, you built a system from scratch. Now you kind of assemble it from pieces, all kinds of libraries and other components that get brought together, a lot of which were not under your control. So you're counting on those things, right, to have certain security properties. 
Well, as we've seen in some of the big open source, I mean, a lot of great people work on that, but they didn't write this for every possible application, right? From household to nuclear weapons control. And yet that's where it gets used. And so this stuff gets reused a lot in places that it was not designed for, and it introduces these risks that can pervade the system. You know, I was on that Cyber Safety Review Board, one of the founding members of that, and a couple of those reports looked at this issue, right? Where it's a case where an individual company might make a rational decision. I need a piece of software for this. What's the FBI using? What's NSA using? What's the DoD using? Hmm, that seems like a safe choice, right? I can't go analyze it. So you kind of go with where others have gone. And then one day you wake up and you realize, wow, the entire US government is dependent upon this piece of open source that was not written for this purpose, but it's now 75% of our environment. And that's a system level risk that no one really anticipated, no one was tracking. But that's what happens, right? The software does what it says until someone manipulates it in a particular way. And so that was the precursor to this. It's everywhere. There's nothing I control. So the traditional security models are based on, loosely, conceptually, control and inspection. You could pay a room full of people like me to inspect software, to say, does it do anything funny? Are there any zero days in it, that sort of thing? No one has the ability to control that anymore. And no one can say I've studied this till I believe it's highly secure and I'm just going to lock it down and no one's going to change it. That's unrealistic in today's market. But the AI stuff just accelerates that dramatically. Use that word. I mean, when the buzz really took off, not that long ago, it's an accelerant. That's what is happening. This is like throwing gas on the fire. 
Things are getting more complicated, more dispersed, harder to control. AI will just 1000x that. And that's really what's happened, I think. And that's the way you described it, I think. Exactly.
A
Well, it's machine speed, right? We're now, you know, we've gone from human hackers and human hackers aided by machine learning or human hackers aided by some tools or some capabilities to actually the machine being the hacker over the fullness of time, right? We're not seeing as much of that. We're still seeing a bit more AI-aided hacking, right, or AI-aided targeting, I would say. But at some point in time, the machine is actually going to become the adversary itself. And that's when it becomes necessary, I think, on the other side, for the machine to become the defender also.
B
I think that's right. And people often ask about is this trend better for offense or defense? And here's my experience with advanced technology. I often say, if you want to see capitalism in action in this space, study bad guys, not good guys. So bad guys are inherently more efficient. And they say, I don't need to write tools, I buy the tools, I don't need to build a recon network, I rent the recon information. They're naturally Darwinian. They naturally divide up functions, right? And one reason they can do that is because their objectives are clear. It's not nearly as fuzzy as let's defend ourselves, right? It's I need this target, I'm trying to extract wealth from it or whatever. So you can see early adoption on the attack side is a natural because that's been the history of the business. On defense, though, defense is crippled by things like oh, cranky users. When I make a change, things break, more expense, my boss doesn't care, I don't have a budget for it. All these real life problems that are really non-technical, but they're more about how do I marshal the resources or get the attention. But I'll say, having dealt with in my first career, particularly things like threat intelligence and incident response and all that, there is so much grunt work in the nature of defense that there's great opportunities for automating lots of that, for bringing data together. I mean, watching people handcrafting, moving, scripting, translating data from this to that, it's like the people that deal with incidents for a living are heroes. I mean they. In the DoD, we saw this: bad guys know to attack on long holidays because everyone's home. Now we gotta pay double overtime for everybody to come in. They know how to manipulate the environment. And the folks that have done that, you know, basically working with Bronze Age tools in the space age, have really struggled. 
So that's also a great opportunity though, for massive scale and massive improvement and to get, you know, there are jobs still that we believe only humans can do. Right, the sort of judgment and explain.
A
Oh, absolutely.
B
But, but all. There's so much of this grunt work in defense that I think there's great opportunity to. And I think you're going to see some of that here in other places. And I really, on balance, I lean towards the optimistic rather than the pessimistic.
A
Yeah, we'll get to that. Okay. Because I end every podcast talking about cyber optimism. So think about that one. You know, one of the things that strikes me, you said our former CISO, Bret Arsenault, is now very much enjoying his retirement, his well deserved retirement. Used to talk about how in your security operations center, you had kind of two modes, right? You either had firefighting, which then you're getting diminishing returns because people are exhausted, they're working long shifts and you never have enough people. Or you had that really mundane tactical work, which is like handing somebody a Lego kit and telling them to build the same Lego over and over and over and over again. That's great. And they're getting, you know, they don't want to do that work because it's repetitive and mundane. And I'm hoping that what AI can do is help those defenders remove, automate all the mundane stuff and then help them in times of crisis so that we aren't burning out human beings or we're saying next best action. We've automated as much as possible. We're helping them in their judgment. Right. Which comes to my next question, which is about leadership. One of the things I admire about the work you do is you often talk about cyber as being a leadership issue, as being an accountability issue. So I have a provocative question. Please. Where actually does the accountability for cybersecurity sit in most commercial organizations? We won't talk about government. And then in your mind, where should it sit?
B
Well, that's a great question. So there's a tendency to blame the technologists for the problem. You know, say CISO level and you know that's the hired to be fired. Right. That's the life of the CISO. But there's really an executive level responsibility. So a healthy trend over the last quite a few years has been the shift of cyber from an exotic sort of add-on to mission to fundamental. Which means the decision to invest in cyber or what to have a strategy for is really a board level executive decision. Right. It happened quite a few years ago. Every tech company or tech conference had what every board member needs to know or every executive needs to know about cybersecurity and vice versa. People were starting to learn the language of each other and I think there was a migration of this problem and how do I compete investment in cyber with investments in things like employee safety or financial security, and that's kind of the right place for that to happen. There's a quick story. So my dad was an army sergeant, three war veteran, never fired a gun in anger. But he was, every once in a while I do something and the dad would have been proud of me. I was talking to, I believe it was a two star general in the army and there was a hack that hit the army in a bad way. And we're talking, he said we need to find the person responsible for not getting the patch in place in time and make an example of them. This is a command level responsibility. I said, sir, an enterprise that allows its lowest paid, least ranked employee to bring down the enterprise for something like that is guilty of not having bad. It's not bad people, it's bad strategy on our part. Right.
A
It's bad leadership. Yeah.
B
And that same person, if he had said could we take down the mail server for a couple hours because we're way behind in patching, you would have said no, mission essential. So you're going to give him conflicting requirements. He's got Bronze Age tools dealing with the space age problem. He's running a network that's in sandy deserts right in the Middle East fighting wars with stuff that was meant for consumers and you want to blame that. So that is completely the opposite of really where the responsibility lies right now. What the tech community struggled to do was frame the problem in ways that make sense to executive decision makers.
A
Completely agree.
B
Yeah. And we had not the model. I grew up, I often describe, I grew up on the wizardry model. This is magic. And there's weird looking people. I'm not sure. I know we need to pay them.
A
And we talk in weird language. We talk about sandboxes and detonation chambers and all these, you know, we can, all these strange things.
B
We can confuse you with all that stuff. But that doesn't help. That just impresses, right. I just said that model is great job security for old folks like me, but it's terrible for public policy or executive decision making. It doesn't put the decision in a frame that allows it to compete in its rightful spot. So long answer. But it was the world from I need to find the poor private. You know, and you remember in the press fire the intern who didn't do the right thing or made a misconfigure. Oh, these are your least equipped, lowest paid. If you collapse because of that, shame on you. Right. You should have built around that. These are good people doing the best they can. They don't live this technology. There's no reason to expect them to. So you have to say, what is the executive responsibility? Where have we failed? Well, we didn't understand. Again, I put a lot on my community, right? Wizardry doesn't allow us to support the decision makers. At the end of the day, we have to help them make responsible decisions. And you know, I grew up again in the, in the military world. You would. How many times I was in a room where the executive decision maker says, you know, I'm listening to all the techno gobbledygook and they just give up and they go, I accept the risk, I sign the waivers, the paper or whatever. They're not doing that because they felt confident that there's a knowing acceptance. They're just frustrated. No one will help them. So they, and by the way, they have wars to fight in that world I grew up in. Right. They have really important, dangerous things to do and they're going to do them right at some level of confidence. And again, our responsibility as technologists who live this is to help them understand what the risks are and support them with the best decision that they can make. And that's, you know, again, it took us, I think many of us a long time to really see that.
A
I think that's really fair. And I fundamentally think that most security people are very mission driven and most people who make a career of this actually are trying to do the right thing. Right. They may not always get it.
B
Right.
A
But they're trying. With that in mind, when you think about leaders who are trying to do the right thing to improve security within their organization, what are the most common mistakes you see for people? I'm going to improve security fundamentally in my organization, mistakes that they make.
B
I think there is a dramatic under-appreciation for the fundamentals of defense. And people will say it right. There's a term that I used to call this, the most used, least defined term in our industry, cyber hygiene. And you'd hear, and people say, we need better cyber hygiene. For example. Patrick, we need better hygiene. For example, wash your hands. You know, the equivalent of wash your hands. Right. And it's well intended, but you can't build a program upon examples. So at CIS, we formalized a definition of essential cyber hygiene for a specific purpose. These are the things you need to do. We have the data to back it up, and we feel very confident in it. But the idea was, if you want that, but you have to describe it in a way that people can execute it. Correct. Now we accept as citizens, right. When we tell people, wash your hands, get your shots, don't cough on others. We believe in our hearts that scientists in the back room are studying that. And what they did, though, is they take all that complicated science about virology and so forth that we don't understand, and they translate it into behaviors. Okay. So I often talk about the work at CIS, we are translators. We study all the stuff that every enterprise wishes they could study but can't. Adversary tradecraft, summary of attacks over the last year, the role of technology in business. And we try to put all that together. We translate it into behaviors, and that's something you can execute, you can build a proven program on, and so forth. And that is really important. So my background's in math. There's a term, the 80/20 rule. You might hear the Pareto principle. Right. But basically it's philosophy, not mathematics. But it's in many endeavors, in our risky lives or in our lives, you get 80% of your value from 20% of your sources or variables or choices. So the idea is, if you pick well, you get most of your value. 
But partly because of the wizardry model, it's like no matter what you do, I'm professionally trained to find flaws in things. I can't help myself. So you could do lots of things. Yeah. But I know five more ways to get you. And at some point that's no longer helpful. Right. Because to bankrupt your company in the name of good security is terrible business. So at some point you have to decide what's the risk reward here? And you need help doing that. You'd like to then make those first choices. By the way, 80% of doctors agree that I need a cardiac treatment. I'm willing to go with that in almost any endeavor of my life. So the idea was we underappreciate the fundamentals, we overstate the sort of wizardry, right. That is again, professionals like me, we find flaws for a living and have no responsibility to fix it, by the way. So at the end of the day, you have to make a decision, right? How much is good enough? And so building a program of improvement gets you very far along on the path and is the foundation. So that's the approach that we take. We're a little counter to the marketplace, right. The marketplace is noisy, tells you you need a new thing, a shiny object, magic beans or whatever. And we're more focused on what is the foundation of defense. And if you can get to there and you move into a riskier business model or have more at stake, you can build upon it. You don't throw away and start over, but you build upon that. So that was the intention of a lot of the work, but it's sort of the two ends of the extreme, right? Sure. Get the fundamentals right. And I discussed this a lot with general officers back in my prior career. They would say, yeah, that hygiene stuff, that's great. But what about the nation state adversary? Well, number one, nation state adversaries all use the same garden variety stuff when they can.
A
Yes, because it works. Yes.
B
And it hides them in the noise. Right. It doesn't distinguish them. You don't give away zero days unless you really need to. Yes, but I said, suppose we do learn about these rascally nation state folks and their clever tradecraft. What are you going to do about it? And the general, this is a conversation with a three star. We're going to tell everybody and warn them, aren't we? You're going to send email to every system administrator in the DoD. Is that what you're going to do? I said no. They're going to turn to their technology and execute something, find something, block something, remove something. Correct. So if you don't, that's the foundation of defense. So you might have greater, more specific, finely tuned intelligence information. But at the end of the day, you still need an action architecture.
A
Right.
B
Which you have to build first. Otherwise that stuff is just noise to you. It's just filling up the inboxes of system administrators.
A
It is. And I talk a lot about cyber hygiene. I had the pleasure at one point in my career of running the Microsoft DART team, our customer incident response team. And we published a blog that we refresh and republish periodically about the five top things that cause really major events. And we say things like attackers don't break in, they log in. But at the end of the day you also can't tell a customer you need to patch everything because they can't patch everything.
B
Right, Exactly.
A
You can say to them, you need to use MFA 100% of the time. That's a reasonable statement. That's what you need to understand. And we also need to talk a lot about probability of attack. The one thing I love to say about. We love to talk about advanced persistent threats. And I always say they don't have to be advanced, they just have to be persistent. Because there is something in your environment that's unpatched. There's something in your environment that's unmanaged. We all have technical debt. The question is understanding your risk, understanding what is the stuff that cannot be impacted and making sure you've built the right defense in depth around that.
B
That's right.
A
It's hard though. We talk in these languages. And I'll tell you, I'll make one final point on that. The way I. The analogy I like to use, which I think you'll appreciate because you've talked a lot about your military background, is I talk about the fall of ancient Rome. Ultimately what took down ancient Rome was they poisoned the water source from the outside. If they had had more resilience in their water supply, which is the same thing nation state actors do to us today. Right. They find that one. And that is hygiene. That is fundamental hygiene. And people. Yeah. People are like, oh, I kind of get that. But we also have to talk in a language. We can't scare people.
B
Why?
A
About over 10 years ago I went to work for Qualys and I worked for them for a period of time. And I remember when I first, I was so excited, right? We're gonna attack vulnerabilities. I had been at RSA for almost 14 years. I go to Qualys, I'm like, this is different. I'm excited. And I remember a CISO saying to me, good friend, he said, Ann, do not come in here and hand me a 400 page report of everything I have to patch and then say have a nice day. 'Cause that's kind of what you do. And it just occurred to me at that moment, seriously, this was the moment for me that the industry has to change. We actually have to make the job easier as an industry. We have to make the job easier for the CISOs. We have to make things more automated. I'm optimistic about the world we're in today because I'm optimistic with AI, one of the fundamental things it could do for us is make things more automated. And then we're not handing out 400 page patching reports, we're doing automatic patching and updating and those type of things.
B
Yeah. And that's a great story. And we're kindred spirits on the hygiene business. Again, it's not trivial. It is the foundation of other things that you will wind up needing to do anyway. You actually get tremendous value. We've studied it, and anyone who's studied it seriously gets that. Right. These foundational steps are the launch point. You get lots of value from them, but they also allow you to build upon them. So we're very careful about thinking about it. So. Yeah. And actually when I retired from government and then went first with initially a small nonprofit, then CIS, but one of my earliest friends was Qualys because it was kind of lined up with their business model anyway. But this idea of good management is really the foundation of good cybersecurity. Right. It's most of the early. And if you look at our work, what you see is good IT control, visibility, management, change management, all those kinds of things are just the foundation.
A
Great. Well, we're coming to the end. At the end of every Afternoon Cyber Tea, I explain to the audience that I'm a cyber optimist. No matter how many bad things you see in the news, I know there's thousands of things that the industry has detected and blocked before they became bad things. So I still believe today we're ahead of the game. What are you optimistic about?
B
Oh, my goodness. Well, the standard story that I use, I said, you can't last for close to five decades now in cyber defense without being one of two personality types, complete cynic or hopeless optimist. So if you're a complete cynic, there's disaster to point out every day. Right. Other people's flaws and all that. But I made a choice to choose that hopeless optimism because that's constructive. I'm not interested in being on the street corner waving my fist, telling everybody what they've done wrong, because I've seen that doesn't change anything. And the goal is that we all live in a more secure, safer world. So I am optimistic in terms of the opportunity there. But I'll tell you again. I spent that first 35 years at the National Security Agency and helped bring it out into the public, for whatever you think of the NSA. I led the campaign in 2001 and beyond to really open into partnership. And my first talk here was in 2002, I think 2003, and have a long of opening that up. And it was because of this optimism, right. That and recognizing there was no perimeter for the US government to hide behind anymore. And what I found was the US government did not have, despite my training in house, did not have a monopoly on amazing smart, dedicated people. And our business model at CIS isn't possible without our volunteer army. And the quality of people that will volunteer for the common good and put their energy towards the creation of security benchmarks and CIS Controls and things that we do is off the charts. It is astounding. And we have volunteers that have been with us since 2000, since the founding of the company. And to a person, they all say something like volunteering for this kind of work, which is concrete, they get to create products of it and feel proud of it, is among the most satisfying things in their career. So the ability to, when you have a community like that, incredible talent, goodwill, willingness to put their time into common good. 
I often say all we do is provide a vehicle to channel all this into something constructive. Right. I said to get the most value out of free labor, you need a professional infrastructure. So we define the roadmaps, deal with the vendors, publish the standards, keep things current, manage all that, which is why you need a professional company as a nonprofit to take this energy and turn it to good. So I have seen just extraordinary people want to do the right thing. Government, private sector, academia, all that. So what I hold out hope on, my sort of final thing about optimism, is that I've said this many times in public talks. We are not going to get better people than we have in this industry. I mean the talent is wonderful, the dedication is just astounding. What we need to learn to do better is organize them. Because left to our own devices, we'll argue endlessly about angels on the head of a pin and how many vulnerabilities and flaws and patches. I mean, that's the nature of these small, smart, committed people. But turned constructively, there's nothing we couldn't do. And so that's my final year. That's what's kept me still working at this part of my life.
A
Tony, thank you so much for joining me on Afternoon Cyber Tea.
B
My pleasure. Thanks for having me here.
A
And many thanks to our audience. Join us next time at afternooncybertea.com or wherever you get your favorite podcasts. This week on Afternoon Cyber Tea, I am joined by Tony Sager, Senior Vice President and Chief Evangelist at the Center for Internet Security, for a timely conversation about what it really takes to build security that lasts. Tony brings decades of experience from government to the private sector to unpack why cybersecurity must move from reactive fixes to secure-by-design leadership, and why accountability for cyber risk ultimately sits at the executive and board level. We explore how AI is accelerating both opportunity and risk, why strong cyber hygiene remains a foundation of resilience, and what leaders must prioritize as technology becomes inseparable from daily life, business and national infrastructure. It is a thoughtful, practical discussion grounded in optimism and in the belief that with the right leadership, we can build a more secure digital future.
A
Listen now at afternooncybertea.com or wherever you get your favorite podcasts.
Podcast: Afternoon Cyber Tea with Ann Johnson (Microsoft)
Episode Date: April 14, 2026
Guest: Tony Sager, Senior Vice President & Chief Evangelist, Center for Internet Security (CIS)
Recorded at: RSAC 2026
Ann Johnson and guest Tony Sager engage in a timely discussion on the current state and future of cybersecurity. They critically examine why cyber hygiene—a focus on core, foundational practices—remains the cornerstone of digital resilience amidst accelerating threats from AI, supply chain risks, and the speed of innovation. The episode explores the shift from reactive fixes to “secure by design” approaches and the importance of leadership accountability in effective cyber risk management.
On Systemic Risk and Open Source:
"One day you wake up and realize, wow, the entire US government is dependent upon this piece of open source that was not written for this purpose, but it's now 75% of our environment. And that's a system level risk that no one really anticipated." – Tony, [08:44]
On Blame and Organizational Strategy:
"An enterprise that allows its lowest paid, least ranked employee to bring down the enterprise for something like that is guilty of not having...it's not bad people, it's bad strategy." – Tony, [15:32]
On Making Security Actionable:
"We are translators. We study all the stuff that every enterprise wishes they could study but can't...and we translate it into behaviors." – Tony, [19:54]
On Security Economics and Features:
"If it didn't run PowerPoint, no one was going to use it. If it didn't run Excel, it would never be in the marketplace. You have to start from why do people get computers? It's not because they want security, it's because they want features." – Tony, [06:58]
On Optimism in Cybersecurity:
"You can't last for close to five decades now in cyber defense without being one of two personality types: complete cynic or hopeless optimist...the goal is that we all live in a more secure, safer world." – Tony, [26:44]
"We are not going to get better people than we have in this industry...What we need to do better is organize them." – Tony, [29:08]
Tony Sager and Ann Johnson maintain a direct, thoughtful, and pragmatic tone. They speak candidly and with humility about both the enduring challenges and the progress in cybersecurity. The conversation gives credit to collective effort and frames the cybersecurity struggle as both a technical and sociological challenge—requiring translation, empathy, and leadership.
Tony Sager underscores throughout that while technology is advancing at breakneck speed, the basics still matter most: solid cyber hygiene, clear leadership accountability, and community-driven progress. The “magic bullet” solutions rarely work as advertised. Effective cybersecurity rests on well-defined, executable fundamentals, translated for real-world complexity. Optimism persists because of the commitment and talent of people in the industry, but the next leap forward depends on organizing and empowering them for systemic resilience.