
A
From the CISO Series, it's Cybersecurity Headlines.
Hey, everybody, this is Sarah Lane with the Department of No. Jason Shockey, CISO of Senlar FSB. What is your priority this week?
B
My focus this week is finding and training the next generation of cyber leaders and cyber operators. Or as I like to say, looking for a younger, less hairy me.
A
Mike Lockhart, CISO at Eagleview. What is your priority this week?
C
Oh, my priority is the unenviable task of trying to wrap up our 2026 roadmap, planning and negotiating time and energy with all the different components of the business that have to play ball with me.
A
Oh, gotta love it. Especially going into the holidays. Well, everyone, welcome to the Department of No, your Monday cybersecurity standup. I am Sarah Lane, filling in for Rich this week. This is where we kick off our week by looking at the stories, the trends and the issues that should be on your radar as a security professional. Think of this as your virtual Monday strategy meeting. We're here to help you start your week informed and ready. Our sponsor today is Adaptive Security, security awareness training built for deepfakes and AI. Joining me today are Jason Shockey, CISO at Senlar FSB, and Mike Lockhart, CISO at Eagleview. Now, Jason, if I'm not wrong, this is your first appearance here.
B
This is my first time, yes.
A
Well, how do you feel?
B
I feel great.
A
I feel great, too. Thank you so much for joining us. Now, Mike, you've been with us a couple of times, back in May of last year, 2024, and then just a couple of months ago in October. Thank you so much for coming back.
C
It's a pleasure to be here again.
A
If you are watching live on YouTube, and many of you are, drop your thoughts in the chat. We love hearing from you. We'll be watching for your comments throughout this show. And if you're listening to this as a podcast, remember, you can join us live every Monday at 4pm Eastern. Just go to cisoseries.com, hit the Events dropdown and look for the Department of No. You can also send us feedback anytime at feedback@cisoseries.com. And just a disclaimer, we always do this: opinions expressed are those of our guests. All right, we've got about 30 minutes, so let's dive in to our Know or No segment. That is Know or No: you want to know, or you say no? I'm going to run through some stories from the past week and we want your quick takes. Is this something that is a security professional issue that you need to know about? Is it signal or is it noise? All right, so story number one. Microsoft Defender outage is disrupting threats. Microsoft Defender for Endpoint experienced a 10 hour portal outage affecting XDR features including advanced threat hunting, alerts and device visibility. Microsoft attributed the disruption to a CPU spike from high traffic on portal components. Mitigation steps have restored access for most customers, though some organizations are still facing issues. So the question: we've got a lot of people and organizations that rely on Microsoft Defender to defend them. All tech organizations suffer disruptions on occasion. This happens, but should they be held to a higher standard? What do you think? Know a little more or no thanks? Jason, we'll start with you. Know a little more?
B
You know, "who defends the defenders" is a quote that I use a lot. But it does show fragility in the systems that we have that are critical. So I know a little more.
A
All right, Mike, what are your thoughts?
C
I would fully agree with that. Adding on to it, not just ask the question of who defends the defenders, but make sure that everybody remembers that in the ever connected security society, platforms like Microsoft Defender, Crowdstrike or any other vendor that we're dependent on, we have to think about what happens when they go down. And it's not if they go down, but it's a when they go down, do we have appropriate mitigations in place to address that outage, be it one hour, one day or one week.
A
I mean, we're really past the point where something like an outage would only affect a corporation. Right. We're too intertwined at this point.
C
Yep, 100% agree. Everything is tied together.
B
Yeah. Talks to that systemic risk because it's not just the individual that is actually using the Microsoft product, but all the, let's say vendors or the clients that are relying on that initial, you know, service to be provided.
A
All right, story two. ShadyPanda turns browser extensions into spyware. A China-linked group called ShadyPanda, perhaps you've heard of them, spent seven years turning once legitimate Chrome and Edge extensions into spyware, affecting more than 4.3 million installs. Several extensions received malicious updates in mid 2024 that allowed hourly remote code execution, full browsing surveillance, encrypted data exfiltration and adversary-in-the-middle attacks. Here's the question, similar to the Microsoft Defender question. We all need browsers and lots of people use extensions, and for the most part they're great. They're part of a lifestyle. Know a little more or no thanks? Jason.
B
Know more. So I think this is part of the core of everyone's cyber threat intelligence platform. Extensions equals code, code equals risk. So this is an APT, most likely, that is in for the long game. So your cyber threat intel should be tuned towards how something downstream could actually affect you. This could be based on the risks that I saw in the article. It could be extremely critical for people to make sure that they know more.
A
Mike, how do you feel about this extension situation?
C
Oh, definitely, know. It's a good reminder to all security practitioners that supply chain security comes through multiple different vectors, be it browser extensions, software your users are installing on their endpoints, packages that your software engineers use to build your software. So supply chain security is a holistic problem. It's not just a single point problem that affects an engineering organization. And this one really goes to show the continuing evolution that we see from threat actors in finding new and novel ways to get an initial foothold inside of systems.
A
Well, speaking of threat actors, we have a record-breaking DDoS attack. This most recent attack fired off a massive 29.7 terabit per second attack that Cloudflare had to absorb. It was through a rentable army of up to 4 million hacked routers and IoT devices. Cloudflare says nearly half of those attacks are now hypervolumetric. And one recent wave even disrupted parts of the US Internet despite not even being the intended target, at least as far as we know. All right, so question. Hypervolumetric sounds kind of bad. Sounds like something you don't want to get in this flu season. Is this know a little more or no thanks? Mike, I'm going to start with you this time.
C
I'm going to maybe go against the grain here and say no thanks. This is no different than behavior we've seen throughout the years. And it's just continuing to scale as capacity across the Internet scales and systems capacity grows. It is just a normal part of risk management for any business. It's going to happen and there's very little you can do to defend against it. If Cloudflare goes down, that means that they have the means that none of us can prevent against. So it just. It is what it is.
A
Jason, do you agree?
B
Agree. No thanks. It's part of the noise. It should be built into everyone's business resilience plan. You're looking at your business impact analyses. So it should be just part of the normal business as usual, or BAU, processes.
A
Now, I mean, let's say this happens again. What would be your advice to any company that relies on Cloudflare?
B
I'd say the takeaways, you always have to be aware of these things. Not to complete. Like I say, no thanks. It is part of the signal. But that's why I mentioned BAU. If you're not routinely testing your cyber incident response processes and your business resilience and disaster recovery processes, that is a significant problem. You should be doing that. It shouldn't be drowned out in the normal BAU. When you test these things and when you exercise these things, like we used to do in the military, you know, you are actually putting yourself in the situation as if you were about to go under as a business, as if you were about to be attacked by the adversary, and it is not a good day. You should put yourself in that mindset to make sure that you iron out all of those wrinkles before something bad happens.
C
Yep. Couldn't agree more. All organizations have to understand their critical supplier ecosystem and go through that at least tabletop exercise of asking what happens when they go down. The reason that they go down is less consequential than what the impact is to you as an organization when you're no longer able to use your critical suppliers.
A
All right, let's move on to our next story. The UK government is moving forward with a proposed ban on ransomware payments for public sector and critical national infrastructure organizations, with national security exemptions to avoid life-or-death dilemmas. That's according to Security Minister Dan Jarvis. The legislation would also require other businesses to notify authorities if they plan to pay a ransom. So, question here. This debate about whether to pay a ransom has been raging for a while, and this type of decision is impacting companies and governments worldwide. Know a little more or no thanks? Jason?
B
Know a little more. Definitely keep aware of what's being mandated to the organization. I think as a company we should be able to. I'm fine with the transparency piece based on the business impact. Should I notify the regulatory agencies? Yes, we should. Should we notify our clients and our customers? Yes, we should, within, you know, a reasonable amount of time. But one thing that I think is incorrect is forcing someone to not pay, because then you remove all of the freedom from that company, which you need that company to be free to take risk where they need to take risk. But I think it's definitely something we should pay attention to.
C
Yep, I would fully agree with that. You definitely need to know more and, you know, think about it in the long term strategy here as well, too. What happens over the next three, five, ten years as other national governments potentially follow this pattern as well, too? So there's an impact on strategic decision making for businesses, especially those that operate on the global scale. And this type of legislation also toes a very gray line. And, you know, who gets to decide what is actually the right decision? They make the comment "life and death." Well, there's a lot of variability to that. You don't understand the circumstances, employees in a company, and that company, if they were to go down due to a ransomware that they weren't able to pay and that puts that company out of business, there are knock-on effects. So this is an example of where legislation can potentially have negative consequences for business and remove that decision making authority from the organization that knows best and is able to make an informed choice about what level of risk they're willing to take and how they're willing to get themselves out of a bad situation.
A
And I think it's interesting because you have certain schools of thought who say don't pay the ransom. If you pay the ransom, then you're just encouraging more of this behavior. But like you both have mentioned, it really depends on your company and how you stay afloat.
C
Yep, a hundred percent, definitely.
A
All right, next story. Draft U.S. cybersecurity strategy set for January release. So the current administration here in the US plans to release a five page, six part national cybersecurity strategy next month. This could also be followed by an executive order that would spur implementation. The six pillars in the document continue to focus on offensive cyber operations, making cyber regulations more uniform, strengthening the federal cyber workforce, streamlining procurement, protecting critical infrastructure and planning for emerging technologies. So the question: clearly this is going to impact CISOs on some level. Maybe it's exactly what you're implementing already, but probably not. Organizations everywhere are going to need to take this into consideration, even just preparing for it. So do we want to know a little more or no thanks? Mike, we'll start with you.
C
I hate to say it, but we do need to know a little bit more. But the reason we need to know a little bit more is my individual hypothesis is this is going to be an abject dumpster fire of guidance coming from this administration, who has shown a complete lack of understanding of the cybersecurity space and what it takes to actually set national sustainable strategy. And it's been an effort for multiple administrations, but in this one in particular, go put your bets on Polymarket right now. I bet it's going to be something that is incredibly ill conceived and will create more chaos than good. Jason.
B
Know more. It's, you know, those pillars that are identified or expected to be identified. Everyone has their authorities, everyone has their responsibilities. I think if you follow an industry standard framework, let's say it's the CIS 18 controls, to get to that compliance line is a great thing. Now, defending forward past that, you know, doing what you can do as far as, you know, let's say you're at a mortgage bank like I am. How much can I defend forward in cyberspace? Well, that depends on my cyber threat intelligence and then my tech stack and my security stack to see, you know, operations drives maturity. So if I see a hacker group doing something, I can't actually defend so far forward that I go offensively against them, but I can think like an attacker on how they would attack me. And these are basic things. I mean, that's part of the CIS 18 controls. Do you conduct pen tests where you would have some cyber threat emulation against your security stack and your tech stack to see where your vulnerabilities are, to remediate those before the attackers get a chance to exploit those? So I think it's know more, but I think it's just an additional level of compliance that's already in the regulatory environment.
A
All right, we got another one involving virtual kidnapping scams. Ooh, doesn't that sound fun? A new extortion trend involves criminals altering social media photos of people as proof of life as they contact family members with a ransom demand. This includes altering the photos into short videos and using timed messages that disappear quickly to avoid victims scrutinizing them too closely. So, question. This story belongs in a file regarding street-smarting people to not get fooled through panic. Right? Know a little more or no thanks? Jason.
B
No, thanks. I think this is part of just general awareness. People need to be aware that these techniques are being used. But if you have a family member, let's say, in another country that's traveling or somewhere else, and there's a possibility that, you know, they've been kidnapped, you probably reach out to those people and then probably contact the local law enforcement very quickly. So, you know, it might be a scare, but then, yeah, it's just noise.
A
Mike, what do you think?
C
So I'm going to dissent a little bit on this one and say know more, for the sole reason that one of the most underutilized capabilities of a CISO, especially in larger organizations, is the opportunity to provide continuing education to the workforce that they can pass on into their own personal life. And we've seen an evolution of these scams going from lost pets. It's a very common theme now with the advent of AI and the ability to match people's voices. We've heard these virtual, you know, ransomware or sorry, kidnapping calls that have come in. And now it's continuing to evolve. And so, you know, as a CISO, you know, I think all of us should take an opportunity periodically to educate our workforce. You know, remind them of things that are going to be threats that could be outside of the business, but are things that could have a negative impact anyway. We're subject matter experts in this space and I think we do have a certain duty and responsibility to help continue to train our organization in things that they can take home and pass on to their older parents, to their peers, their friends, and also their kids as well, too. And having that spectrum of education right there, the CISO is in a unique spot really, to just try to provide that consistent communication to the organization in a meaningful way.
A
Yeah, good answer. Before we get into some of our deep dive stories, we just want to thank our sponsor today, Adaptive Security. This episode is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI. AI is obviously rewriting the cybersecurity rule book because attackers can now scale persuasion as easily as they scale code. The real target isn't just your systems anymore, it's human trust. And if you aren't actively testing your organization against AI-driven phishing, vishing and deepfakes, you're leaving a gap that criminals are going to exploit. Adaptive runs realistic simulations and delivers tailored, engaging training so teams respond correctly when it counts. Learn more at adaptivesecurity.com.
All right, let's get into some stories that deserve maybe a little bit more of our attention this week. All right, here's the first. According to an article posted in Dark Reading by David Schwed, COO of Sovereign AI, when hiring for the CISO position, companies and organizations have to choose between two very different types: the engineering-focused CISO or the holistic CISO. He says the choice can be risky depending on who you need for your org. An engineering-focused CISO treats security as solely a technical problem, which can build clean architecture and preventative controls, but this approach can just kind of move the risk, with attackers exploiting weaknesses elsewhere such as human workflow gaps. A holistic CISO, by contrast, understands security as a broader system involving people, process and technology, and designs for resilience, not just prevention. Okay, so Jason and Mike, does David Schwed's opinion resonate with you? Do you feel like these are the two kinds of CISOs that you would hire?
B
The topic resonates with me, but not necessarily the binary approach to it. There are different types of CISOs, but everyone that, you know, climbs the mountain eventually is going to see the same moon. We just take different paths to get there. Now, you know, I'm kind of looking at it from the holistic viewpoint, as the author kind of spoke to. You're going to have whatever type of CISO you have, and either one, just have a CISO. The piece that comes to my mind is that it's not binary, is you have a team below you, an iceberg of people, hopefully. If not, go to a managed service provider and get some team. It's people, process and technology. If you have a good leader, regardless of background, you're going to make sure that the engineering is there. You're going to make sure that the strategic sticky stories are there to explain to the regulators and explain to the executives exactly what you're doing to be compliant. But then also, like we mentioned earlier, defend forward. So I think it's not as binary as the author describes, but it is a fact that there are different types of CISOs. Now one thing that I've seen in my experience and that I suggest for all organizations is to hire the holistic CISO, because then you're going to be able to attract the people that you need because.
Just a quick story. I majored in chemistry and I took physical chemistry in my undergraduate, and it's one of the most difficult classes across the country. And the professor, who is an expert in chemistry, mathematics and also physics, told us if he has a math problem, well, he just gives it to the math department. That story always stuck with me. So if I have an engineering problem, I go give it to an engineer. I don't have to be an engineer, but one thing I do tell my people is, you know, I don't expect you to be a computer scientist, even though we do have computer scientists on our team. I expect you to think like one. I need you to think logically, and if you have a problem that you can't cover, reach out to a teammate to handle that. So it's not as binary. You can pick a CISO, any CISO. I'd go with the holistic CISO because organizations these days need an executive in the CISO position that talks finance and talks people, process and technology.
A
It sounds like what you're describing is just a really great manager, somebody who's like, okay, I might not personally have every single, you know, check off every single box that my team does, but I know who to go to for that answer.
B
That's right. Enthusiasm, intelligence, and integrity. Those are the three qualities that I look for in people and I expect of myself. The third, integrity: if that's not there, the first two can be used as a weapon to manipulate people. So I'm always trying to find people that have those three qualities, but then heaps of humility, meaning if they don't know the answer, they're not going to pretend that they do know. That's the actual risk. If they pretend that they know something when they don't actually know how to solve the problem, that's a huge risk.
A
Mike, what are your thoughts on engineering versus holistic?
C
I think it really shows that the marketplace mindset, the cultural mindset, is still very much stuck in the past. You know, like Jason mentioned, it doesn't really matter the path if we're all trying to climb towards the same summit. And the bifurcation between the holistic CISO versus the engineering CISO really does not do service to those people who can evolve and grow into the role. To put that into contrast, you may have somebody who comes out with an MBA and comes up through those risk management ranks. Maybe they come from the finance world, maybe they come from a. Risk management is very much a component of what they do and eventually lands in a CISO role. Now they're going to be able to speak at an executive level. They're going to understand the broad strokes of risk management. They will understand the components of people, process, technology. Maybe they're not an engineer. And depending on the nature of the organization, they might actually struggle to have a very informed engineering conversation if, say, you're a SaaS platform provider, you know, or a PaaS platform. Whereas you have somebody who is an engineer that may come up through those engineering ranks and spend a lot of time doing very, you know, offensive or defensive security, deeply understands the technical components, who, you know, may struggle to grow into the larger executive role. But for the vast majority of people who are practitioners, they can eventually converge those skill sets. Somebody who is an engineer has the capability to learn the finance and the executive components of it. I went through that journey myself. You know, somebody who comes out of the MBA ranks, right, or, you know, Jason, I'll ask you a little bit. Your experience on the military side, you know, comes out of the military, has a very systems level thinking to a large degree, but can adapt and, you know, take in new information, which allows them to at least be informed and ask the right questions of the engineering workforce and drive towards those technical skills there. So tying it all back together, it's not about whether you're holistic or whether you're engineering. What matters is, do you understand systems level thinking? Can you partner and find the right people to fill in the gaps where you have knowledge gaps? And can you transit all the different layers of the business from the ICs all the way up to the board? And while you're going to be spending the majority of your time as a CISO working with your board, your executive leadership team, and your senior leadership team, you should be able to plumb the depths of the organization as well, too, regardless of what your background is. So, Jason, you know, any thoughts on that?
B
Oh, that's well said, Mike. Very well said. One of the things that I do is I coach veterans, and that's why I joked when I said I'm constantly trying to find a younger, less hairy me. I'm constantly looking at how do I take the 200,000 veterans that transition out of the military into the civilian space every year? How can I screen them to show them they can have a successful cybersecurity career? That's what I'm constantly trying to do. One of the things that I try to teach them, anybody I can talk to, and this applies to non-veterans as well, like Mike was alluding to, is I have found a way to actually translate complex technical concepts into business relatable terms to different audiences. And that could be to, let's say, a CFO. It could be to a CIO, it could be a non-technical CIO, it could be to a fifth grader, it could be to somebody that's in graduate school. Any of those concepts. I'm constantly, I have one leg in the engineering camp, one leg in the executive camp. How do I speak to both people, and how do I speak to my peers as well, is another huge element. So very well said, Mike.
A
All right, moving on to another discussion topic that I'm sure you will both have thoughts on. Representative August Pfluger reintroduced the Cyber Deterrence and Response Act. This lets the US formally designate foreign hackers behind major cyber attacks as critical cyber threat actors subject to sanctions. The bill directs federal agencies, including the Office of the National Cyber Director, to attribute attacks with input from intelligence and threat firms. Targeted actors include those disrupting networks, stealing sensitive data, or threatening critical infrastructure, finance, energy or elections. So we know what we're talking about here. Three questions here. All right, so does this designation make sense? Do we agree with that? And if we do, is this different than what the country is already doing? And is this proactively timely or some bit of political theater? Mike, we'll start with you.
C
I think this is completely meaningless, and I hope this legislation is written on a piece of paper that's shaped like a tiger, because at the end of the day, this is nothing more than a paper tiger. If you spend enough time in this space and you look at the countries that are typically correlated with these types of threat actions, a lot of them we already have sanctions in some form or another against. And so we're really changing nothing here. The only thing that I think this changes is at a strategy and policy level for the US itself, and potentially unencumbering the US government to take actions maybe it hasn't previously taken, such as empowering government to hack back or to empower private industry to hack back. It really depends on the form and the flavor of what's actually going to be in the content here. But it fundamentally doesn't change anything whatsoever. It's not going to change the status quo. It's not going to really, you know, do anything beneficial. And just like I mentioned earlier with, you know, some of the executive branch's, you know, proposed strategies that are coming out in January, it's probably going to be more or less an ill conceived concept of trying to do something that is marketing material but lacks anything substantive at the end of the day. And again, hypothesis on that one. I haven't read the legislation myself. Jason.
A
Having had quite a bit of experience with the government, do you agree with Mike here?
B
I do. I think when we label things, it's good because then it orients people to, okay, yes, now I know what that is. But if we already call them advanced persistent threats, maybe this helps on another side. Where, okay, if we call it, what are they calling it? A critical cyber threat actor, then it would be something to allow them to do something, meaning do more in a legal sense, then it might help that group. But as long as we don't change, I think labels where the entire industry is moving in a certain direction with a momentum on a vector. I don't want people to get too dispersed. As far as, okay, I know what APT24 is, or whatever the APT number is, and I know how that organization responds or tries to attack certain organizations. That's what I can align to. That's what I've been aligning to. If the new designation changes any of that, that might change your cyber threat intel platform, and then it might change the way that you structure your security stack to protect that sensitive data and those sensitive systems. So I think, as far as moving the needle, time will tell. Like Mike said, I haven't seen the actual words and the language inside the document, but if it doesn't move the needle, why are we doing it? Because there's plenty of other things to.
C
Work on, and there's also a meta layer to it that this likely will not address. There's this mindset that we can go to a country, you know, or a tangible organization and attribute actions to them. But where this will likely fail to acknowledge things is that meta layer there, where you have organizations like Scattered Lapsus$, who are completely decentralized. The country of origin, the country of action, is completely irrelevant when you're talking about organizations like that. Now, to a degree, can you track finances? Yes. You know, go. At the end of the day, where does it hurt them the most? It's in the wallet. But, you know, all the different cryptocurrency exchanges have made that a little bit harder now. And so now it's harder for us to chase the dollars. They can move things around, they can park it. There will still be countries that are secondary parties that are complicit in those money transfers as well, too. So, you know, if we're going to do anything that's meaningful, the focus really shouldn't be on the cyber threat in and of itself. It should be on the outcome of that. And that is, where's the money going? Let's focus on the money, let's follow the money. And at that point you're really starting to get into an area where there's potentially tangible benefit. But just going for attribution sanctions against these countries and ignoring the meta layer of these decentralized groups just really misses the mark, in my opinion.
A
Well, we have come to the end of this illustrious episode. Thanks to both of you. Jason Shockey, CISO at Senlar FSB. Thank you so much for being with us.
B
Thanks for having me.
A
Yeah, we hope to have you back again soon. Mike Lockhart, CISO at Eagleview. Thank you so much for being back with us and come back for our fourth time soon.
C
I appreciate it. Love being here.
A
We'll have links to both of their LinkedIns in our show notes if you'd like to know more about where they've worked and why. Thank you also to our sponsor, Adaptive Security, security awareness training built for deepfakes and AI. And thank you to our live audience. Thanks to everybody who joins us live. Your participation makes the show a lot more fun. We can't always get every comment on screen, but we do see you and we appreciate you being here. Remember, you can send us feedback anytime between shows at feedback@cisoseries.com. Join us again next Monday at 4pm Eastern for another edition of the Department of No. You're going to learn a lot. To register for the live show on YouTube, just go to cisoseries.com and click on Events. And if you need your daily cybersecurity news fix, of course you do. Don't forget Cybersecurity Headlines. You'll hear my voice there too. The essential news in about six minutes every weekday morning. Thanks for joining us on our Monday standup, and have a great week and stay secure out there.
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Date: December 9, 2025
Host: Sarah Lane (CISO Series)
Guests: Jason Shockey (CISO, Senlar FSB), Mike Lockhart (CISO, Eagleview)
Theme: Weekly cyber “standup” breaking down key security news, trends, and CISO-level insights, with a focus on practical takeaways for security leaders.
This episode dives into current security disruptions (Microsoft Defender outage), persistent threats (browser extension attacks, hypervolumetric DDoS), evolving legislation (ransomware payment bans, U.S. cyber strategy, threat actor law), and cultural challenges (CISO hiring: engineering vs. holistic). The panel discusses what should be actively monitored versus background “noise,” how to assess real risks for organizations, and the often blurred line between practical and performative government action.
For more stories, resources, and to join the live Monday “Department of No” series, visit: CISOseries.com