Podcast Summary: Cyber Security Headlines – Department of No: CISO Hiring Warning, Critical Threat Actor Law, Microsoft Defender Outage
Date: December 9, 2025
Host: Sarah Lane (CISO Series)
Guests: Jason Shockey (CISO, Senlar FSB), Mike Lockhart (CISO, Eagleview)
Theme: Weekly cyber “standup” breaking down key security news, trends, and CISO-level insights, with a focus on practical takeaways for security leaders.
Episode Overview
This episode dives into current security disruptions (Microsoft Defender outage), persistent threats (browser extension attacks, hypervolumetric DDoS), evolving legislation (ransomware payment bans, U.S. cyber strategy, threat actor law), and cultural challenges (CISO hiring: engineering vs. holistic). The panel discusses what should be actively monitored versus background “noise,” how to assess real risks for organizations, and the often blurred line between practical and performative government action.
Key Discussion Points
1. Leadership Priorities and Introductions ([00:06]–[01:45])
- Jason Shockey: Focused on “finding and training the next generation of cyber leaders and operators. Or as I like to say, looking for a younger, less hairy me.” ([00:16])
- Mike Lockhart: Busy with 2026 roadmap planning, requiring negotiation across all business units. ([00:31])
2. Weekly News "No or Know" Segment
Microsoft Defender Outage ([02:23]–[04:34])
- Massive 10-hour outage affecting endpoint XDR features.
- Panel consensus: It’s critical to “know a little more.”
- Jason: “Who defends the defenders?” Outage exposes system fragility. ([03:32])
- Mike: Outages are inevitable; “do we have appropriate mitigations in place to address that outage, be it one hour, one day, or one week?” ([03:43])
- Sarah: “We’re really past the point where something like an outage would only affect a corporation. Right. We're too intertwined at this point.” ([04:07])
Shadypanda Turns Browser Extensions into Spyware ([04:34]–[06:25])
- China-linked actors spent years corrupting popular browser extensions (~4.3M installs) into surveillance tools.
- Jason: “Extensions equals code, code equals risk...it could be extremely critical for people to make sure that they know more.” ([05:20])
- Mike: Supply chain threats are holistic, not just engineering. “Threat actors [find] new and novel ways to get an initial foothold.” ([05:55])
Record-breaking DDoS Attacks ([06:25]–[08:59])
- Cloudflare absorbed a 29.7 Tbps DDoS via millions of compromised IoT devices; half of new attacks are hypervolumetric.
- Mike: “No thanks. This is no different than behavior we’ve seen throughout the years.” ([07:10])
- Jason: It’s BAU risk; “You should be routinely testing your incident response and business resilience.” ([07:56])
- Practical advice: Plan for critical vendor failures, be ready to operate without them.
UK Proposes Ransomware Payment Ban for Critical Infrastructure ([08:59]–[11:32])
- Requires transparency for ransom payments; bans payment in most public/critical infrastructure cases with limited exceptions.
- Jason: “Should I notify regulatory agencies? Yes. Should we notify our clients? Yes...But forcing someone to not pay...removes all of the freedom from that company.” ([09:40])
- Mike: Legislation has “gray lines”—impact varies globally; may remove decision-making authority from organizations best equipped to assess their own risk. ([10:22])
US Draft Cybersecurity Strategy ([11:35]–[14:17])
- Six new pillars expected: offensive ops, unifying regulations, workforce, procurement, infrastructure, future tech.
- Mike: “This is going to be an abject dumpster fire of guidance...will create more chaos than good.” ([12:32])
- Jason: Pillars aren’t new, “just an additional level of compliance that’s already in the regulatory environment.” ([13:07])
Virtual Kidnapping Scams with AI/Deepfakes ([14:17]–[16:26])
- Social engineering scam uses AI-altered “proof-of-life” images/videos for extortion.
- Jason: “No thanks...If you have a family member...probably reach out to those people and then probably contact the local law enforcement very quickly...Just noise.” ([14:54])
- Mike: “No, no more”—CISOs have a duty to train staff in street smarts they can use at home, because scams keep evolving. ([15:21])
3. Deep-Dive Discussions
Engineering vs. Holistic CISO ([17:18]–[24:57])
- Referencing a Dark Reading article: Are CISOs best as tech architects or broad leaders?
- Jason: “It’s not binary...You have a team. If I have an engineering problem, I go give it to an engineer.” ([18:25])
- Jason, on the attributes of an effective CISO: “Enthusiasm, intelligence, and integrity...with humility.” ([21:01])
- Mike: “Marketplace mindset is stuck in the past. The bifurcation between the holistic CISO versus the engineering CISO really does not do service...” ([21:37])
- Executive CISOs can learn engineering, and vice versa, as long as you “understand systems-level thinking, can partner and fill in your knowledge gaps, and ‘transit all the different layers of the business.’” ([21:37])
- Both emphasize the CISO role is about seeing the big picture, speaking many “languages,” and fostering a complementary team.
U.S. “Critical Cyber Threat Actors” Law ([24:57]–[29:44])
- New bill would let U.S. formally label and sanction designated foreign threat actors.
- Mike: “Completely meaningless...Nothing more than a paper tiger...Typically [these countries] already have sanctions.” ([25:58])
- If the law changes anything at all, it may only “unencumber” the government or companies to retaliate; even that is unclear.
- Jason: “Labeling is good if it helps orient people, but if it doesn’t move the needle, why are we doing it? As long as we don’t change the threat models and the way we align our defenses, it doesn’t matter.” ([27:15])
- Mike: “The focus really shouldn’t be on the cyber threat in and of itself. It should be on the outcome...where’s the money going? Let’s follow the money. That’s where there’s potential benefit.” ([28:34])
Notable Quotes & Memorable Moments
- “Who defends the defenders?” – Jason Shockey ([03:32])
- “It’s not ‘if’ they [defender platforms] go down, but ‘when’...do we have appropriate mitigations?” – Mike Lockhart ([03:43])
- “Extensions equals code, code equals risk.” – Jason Shockey ([05:20])
- “Supply chain security is a holistic problem. It’s not just a single point problem...” – Mike Lockhart ([05:55])
- On DDoS attacks: “No thanks. It is what it is.” – Mike Lockhart ([07:10])
- On ransomware payment bans: “You remove all of the freedom from that company, which you need...to take risk where they need to take risk.” – Jason Shockey ([09:40])
- On new U.S. cyber strategy: “An abject dumpster fire of guidance...” – Mike Lockhart ([12:32])
- On CISO hiring: “It’s not binary...You have a team below you, an iceberg of people, hopefully.” – Jason Shockey ([18:25])
- “Enthusiasm, intelligence, and integrity. Those are the three qualities I look for...” – Jason Shockey ([21:01])
- “It’s not about whether you’re holistic or engineering. What matters is: Do you understand systems-level thinking...and can you fill in the gaps where you have knowledge?” – Mike Lockhart ([21:37])
- On legislation labeling threat actors: “Completely meaningless...nothing more than a paper tiger.” – Mike Lockhart ([25:58])
Timestamps for Key Segments
- 00:06 – Hosts & guest intros; leadership priorities
- 02:23 – Microsoft Defender outage discussion
- 04:34 – Shadypanda extension hijackings
- 06:25 – Record-breaking DDoS attacks
- 08:59 – UK ransomware payment ban
- 11:35 – Draft U.S. cybersecurity strategy
- 14:17 – Virtual kidnapping scams / security education
- 17:18 – Deep dive: The CISO talent dilemma
- 24:57 – Deep dive: U.S. threat actor legislation
- 29:44 – Final thoughts
Tone & Style Reflected
- Informal, practical, occasionally irreverent (especially around government action: “dumpster fire,” “paper tiger”)
- Direct, professional, peer-oriented advice ("BAU," "test your disaster recovery," "think like an attacker")
- Strong focus on actionable analysis—not just news, but a CISO’s view on what really matters.
Takeaways for Security Professionals
- Build resilience expecting your core vendors/services will eventually have major outages—plan and test around them.
- Browser extensions and supply chain vectors remain core threats; supply chain security is not just a development or IT problem.
- Large-scale DDoS and systemic internet disruptions are now “noise” to be factored into business-as-usual risk management.
- Ransomware legislation is increasingly a global patchwork, with real-world impacts on retention of risk and freedom to operate.
- CISO roles require broad competency; look for leaders with vision and integrity, not just technical/engineering skills.
- Government policies often lag attacker sophistication; legislative efforts may be more for show than for substance.
- Education and communication, both within organizations and for end-users, are a CISO’s underutilized superpower.
For more stories, resources, and to join the live Monday “Department of No” series, visit: CISOseries.com
