A
From the CISO Series, it's Cybersecurity Headlines. Welcome to the Department of Know, your Monday cybersecurity standup. I'm Rich Strofalino. I am your intrepid host. And this is where we kick off the week by looking at the stories, the trends, indeed the very issues that should be on your radar as a security professional. What you need to be talking about with your peeps. Think of this as your virtual Monday strategy meeting. We're here to help you start your week informed. Ready? We're going to be cozy. It's going to be a fun time. Of course, we couldn't do it without our sponsor for today, Vanta Compliance. That doesn't suck too much. Joining me in this meeting today are going to be two of our fantastic guests, Jacob Combs, the CISO at Tandem Diabetes Care, and Ross Young, co-host at CISO Tradecraft. Gentlemen, thank you so much. Really appreciate your time here. We're going to be digging into kind of where your mind's at and everything like that. But thank you so much for spending your Monday, I know everyone's most treasured day of the week, here with us on the Department of Know. Ross, it's so nice to have you back. And Jacob, I cannot wait to have you as a regular. I feel like this is going to be a warm and fuzzy relationship. Thank you so much for being here.
B
Thank you. It's a pleasure to be back here. Super excited and I'm glad we don't have as many contests to make me look stupid this time around. So I'm sure it'll be a great one.
A
I mean, we could throw something together. You know, that's super. Cyber Friday is usually where my masochism or my sadism, depending on how I'm feeling, comes through. But Ross, I'm always game for a challenge there. So just remember, if you're watching on YouTube, drop your thoughts over in the chat. We love hearing from you and we'll address your comments throughout the show. If you're listening as a podcast, remember, hey, we're here live every single Monday, 4pm Eastern. Just go to the events page at cisoseries.com and look for the Department of Know. You will see my smiling face, which you can't see if you're listening to this as a podcast. I just realized. Just look for someone that's wildly attractive. I guess that would just generally be my thought process here. And you can also send us email at feedback@cisoseries.com, in case that description did not actually help you find the image that you were looking for. Before we get into anything, though, we have to let everybody know that the opinions expressed by our guests are in fact their own opinions, not necessarily those of any employers or really anyone else in their lives. We're all living in Plato's cave. We're all born and die alone. And that's how their opinions are, by themselves. We're going to start out here kind of with the Monday mindset. So this is where I need to know, Jacob, I want to hear from you. Where is your mind at? What are your priorities this week in cybersecurity? And maybe what you're sharing with your team, too.
C
Well, really, that's a great question. After looking at all the topics and things that have been happening in the world, it's really identity and access management, not just technology, but also process and discipline and everything around it.
A
Yeah, it's amazing what each week the news brings out. I think for me this week it was the power of collaboration. Weirdly, in the news this week, there's a lot of stories about people working together, and it's oddly inspirational. Ross, what about you? Where is your mind at? What are your priorities this week in cybersecurity?
B
You know, I'm really focused on cost and effectiveness. How do we maximize the outcomes per dollar? And particularly this week, I'm really interested in how do we look at AI? You know, 10 years ago, we learned some really important lessons when we adopted the cloud and we overspent by all the misconfigurations. What are the misconfigurations we're going to be making in AI right now that are going to cost our business thousands to millions of dollars?
A
Yeah, I mean, I was just kind of getting into IT media right when cloud was taking off. And I just remember the first time I heard about egress charges and I was like, oh, yeah. So kind of in that same vein, what are also going to be the egress charges for AI? The equivalent of that. Oh, man, I love where your mind is at. And I need to know where your mind is at when we get into the news here. And that's why we need to move into our next segment, a little something we like to call Know or No. This is where we run through a couple of stories from the past week and we need a quick take. Is this something security professionals need to know about? Is this something you're gonna be bringing to your team, or is this just more noise than signal? Our first story here: organized crime cyber crooks steal cargo. This is part of my collaboration theme here. Researchers from Proofpoint say cybercriminals are teaming up with organized crime groups to hijack cargo shipments through hacked logistics systems. Attackers gain access to US freight broker load boards, post fake jobs, and then infect logistics firms with remote monitoring tools, then intercept delivery info and redirect goods to their own addresses. I mean, a good example of criminals joining forces beyond simply stealing money or data. Jacob, for you, do you need to know a little more, or no, thanks?
C
I wanted to know a little more about this one, actually. And there's two reasons behind it. One is that now we're getting to the cyber-physical world and there's more reason and rationale for attackers to take on these kinds of risks. And there's another way to earn money. The other one is the sophistication of the attack, right? It was multi-step and then it led to an actual physical attack. So to me, it's two things I want my team to be aware of.
A
Ross, what about for you? Know a little more, or no, thanks?
B
I'm going to say no, thanks. This reminds me of porch pirates. They come every Christmas season, right? There's always going to be someone who's stealing physical things, and I'm just going to call up the manufacturer and say, hey, I still didn't receive the shipment. You guys are still on the hook for sending it to me. Otherwise I'm just going to cancel my credit card purchase. I think I would just take it that way.
A
A little different order of magnitude, right? It's different when it's your food processor, but if it's a whole cargo container of food processors, I think for Amazon that's slightly less of a rounding error. Andy Jassy has to let out two couch cushions to pay for that one. What is interesting about this story for me is that this is like attacking the business logic, right? All of these brokers have to move super fast. They're all super competitive. And so when these orders are coming in like that, that to me was kind of the takeaway: it turns out business logic is an unassailable thing to target if you're a threat actor. I absolutely love it.
B
But maybe the key here is if this happens to your company and you're the one selling, does your insurance cover this or how are you going to pay for that? Right?
A
Yes, that's what. Yes. If you are in logistics shipping, that should be. Schmooze in our chat says stick with it. Fell off the boat.
C
Schmooze.
A
Don't give them good ideas. Next up here: GDI flaws could enable Windows remote code execution. Check Point Research revealed three newly patched Windows GDI flaws that could allow remote code execution and information disclosure, found through fuzzing of EMF and EMF+ files. They involve out-of-bounds memory access affecting text rendering, thumbnail generation and print job initialization. Know a little more, or no, thanks? Ross, how about from you?
B
I'm going to be very honest, I don't even have a clue what most of this is. But typically, you know, adding remote code vulnerabilities, that's a bad thing. You're going to scan it, your volumes are going to say, you know, patch this thing. But it's very much super in the weeds. Maybe not at an executive level that I would bring up.
A
Jacob, what about from you? Know a little more, or no, thanks?
C
Yeah, this is certainly not for the executive level, but it is for my team. Right. So looking into what EMF files are, they're actually meta instructions for images, like telling it how to render the image. And any kind of instructions you can send should be, you know, sanitized and handled in some way. So that's what actually stuck out for me. Just making sure my team understands that type, and maybe we look at our EDR and be able to look for these types of files and how they're maliciously used.
A
All right, keeping up with our collaboration theme here: Scattered Spider, Lapsus and ShinyHunters join forces. Three major cybercrime groups, the three I just mentioned, have merged into a new collective called Scattered Lapsus Hunters. Guys, we need to do some branding here, folks. I know you're threat actors, but you can try a little harder. SLH, I guess.
C
Sure.
A
You sound like a K-pop band. They're running an extortion-as-a-service model and possibly developing its own ransomware, Shiny Spider, spelled in the worst leetspeak startup spelling you have ever seen. Trustwave describes the group as blending profit-driven crime with hacktivist theatrics, using Telegram for coordination and reputation building. Really just a who's who of awful there. And again, whoever came up with the name there, please seek out new employment. Know a little more, or no, thanks, for you, Jacob, on Shiny Hunter Lapsus Hunters Lapsus Spider Scatter, so we're.
C
Given the name, but no, no thanks for me on this one. Is this the same thing at the end of the day? I mean, it is interesting to see that they're working together, and that, you know, the spirit of collaboration is alive and well in the criminal underworld. But it's just another day at the office, right? It's another Tuesday. It's the same thing we're always dealing with. But I would want my team to just understand this is happening, but nothing deeper needed.
A
Ross, what about from you? Know a little more, or no, thanks?
B
I actually want to know a little bit more on this one. So I know we're playing the opposite sides of the field, but I mean, look at these ransomware groups, they've been extremely successful in Fortune 500 companies and telecoms and going after major casinos and others. And so now when you combine this social engineering org plus this other one who has a lot of technical, I think their skill set is going to get really, really good and pivot in some new ways that we haven't seen. So this would be one I'd put in my threat intel reporting.
A
I do think we're in this interesting point here where we're in this collab, or this consolidation, phase with a lot of threat actors, where we've hit this commodification mark where the barrier to entry is like super low when you just want to vibe code some malware and be a jerk. But then to be the extortion as a service, right, to charge that premium, I feel like there's more pressure for these groups to get together in a weird way. It's very business driven in a very, very odd way. Thank you, AI, for yet another knock-on effect. Really appreciate that one. Next up here: cybersecurity program not effective after staff cuts. Shrug emoji. The Federal Reserve's Office of Inspector General found the Consumer Financial Protection Bureau cybersecurity program ineffective after staff cuts and reduced contractor support. Everyone share your shocked gif. The audit noted the agency is not keeping up with its system authorization, relying on undocumented risk acceptance. Oh, that sounds so gross. And using outdated software. The program dropped to level 2 maturity in 2025 from level 4, which last time I checked is two levels remaining. Staff has been implementing mitigations, including a ransomware response process and weekly risk meetings, while legacy IT modernization continues. Ross, for you, know a little more, or no, thanks?
B
I think this is kind of as expected, so I don't know if I need to know a little bit more. I mean, you have government sector, which is usually one of the worst paying ones in cybersecurity in general. And then you have the massive federal kind of exodus and early out plan. So everybody's leaving, and then what does that mean? It means the people who are left are, you know, doing triple the amount of work that they used to do. And if you're already funded to begin with, it's just a bad scenario and bad outcome. So I think this is, you know, par for the course, and we're probably going to see this in a lot more government agencies.
A
Jacob, what about for you? Know a little more, or no, thanks?
C
I think I'm on the same page as Ross on this one here. It's par for the course, what I was expecting. But it is good to see at the end of the article they were articulating that they were taking actions to improve their legacy IT and maybe building on more modern systems that will make them be able to function with less at the end of the day. So maybe at the end of the day it will be a wash. But it is kind of interesting to see that this is of course what we expected.
A
All right, and we're getting to our last story here for Know or No. And this is where our live audience. Hi, Cheddarbob. Thanks for joining us here. Some of our other favorites here. Kevin Farrell. We already gave some love to Schmooze. We got some other people in the chat. I need everybody, I need your know or no, know a little more or no, thanks, here in the chat for this last story. This may be. I'm going to put this up on the Mount Rushmore of headlines here. Louvre's video security password was reportedly Louvre. Analysis of one of the most brazen museum robberies in history, the theft of the French crown jewels from the Louvre museum in Paris, shows that the password for the video surveillance system was in fact Louvre. And this was according to a security audit performed in 2014, which is a while ago. Key parts of its security software were more than two decades old and unsupported by its developer. Know a little more? No, thanks? For you, Jacob?
C
No, thanks. I mean, this is table stakes. At least they put the password in another language so it's harder to detect.
A
Right. I thought it was er, who could have known?
C
But the other part of the article that made me more upset was that the person offered to resign. It's like, that's not the right signal to send. Like, the organization is clearly not supporting you. You should stand up for yourself a little bit.
A
There's probably a litany of emails, right, of them being pissed off about this. Producer Steve Prentice jumping in here. Steve, what do you got to say?
D
The learning opportunity I took from this one is not so much about the password, but the fact that the people who stole the stuff parked a ladder truck outside the building against the traffic in high-vis construction clothing, went straight up to the window and came out with this stuff. The lesson there is, you look around your office and you see someone you don't recognize, maybe we should stop and challenge them. Because it wasn't just the audacity of the password stuff. It was the fact that, like some 1950s slapstick comedy, they just drove up there and walked straight out. Nobody cared. They just drove around them.
A
Yeah. This is the start of a Three Stooges bit, right? Like they're gonna do this. Ross, though, we need to hear from you. Know a little more, or no, thanks, with the Louvre password, admin Louvre to log in?
B
I actually want to learn a little bit more, because I didn't know if they had fixed it in 2014 or if it was still, let's say, vulnerable. Because if the bad actors can use the wireless for the physical security and see, hey, there is nothing guarding this floor, and then they're able to get in, does the insurance behind the Louvre say, hey, your practice was so negligent that we don't actually reimburse you for the crown jewels and paintings that were lost? Right. So I think there's going to be a negligence play here. But I don't know if this is two separate things or if this password still carries 10 years later and hasn't been changed. Right.
A
I just know that the day after this story broke, every CISO at a museum was just like, just in case, like, are we. We're good, right? And of course, like, the. What is it? The Hirshheim. I can't think of any other museum, Lou.
B
So.
A
Schmooze added: need to add "same stuff, different day" as an option. Know or no, or SSDD. All right, before we move on to our next story, diving in deeper into some of the discussion, we gotta spend a few moments and thank our sponsor for today, and that is Vanta. What's your 2am security worry? Is it, do I have the right controls in place? Or are my vendors secure? Or the really scary one, how do I get out from under these old tools and manual processes? Enter Vanta. Vanta automates manual work so you can stop sweating over spreadsheets, chasing audit evidence and filing endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. Vanta also fits right into your workflows, using AI to streamline evidence collection, flag risk, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and get back to sleep. Get started at vanta.com/headlines. That's V A N T A dot com slash headlines. All right, let us dive in here. First up, we need to talk about Sleepy Duck, using Ethereum to keep command servers alive. Threat intelligence firm Secure Annex found a malicious Visual Studio extension called Sleepy Duck that can install a remote access Trojan. It looks legitimate at first, but turns malicious after roughly 14,000 downloads. Secure Annex says that the attackers use an Ethereum contract to dynamically update their C2 address to evade blocking, while tracing the group behind Sleepy Duck to other rogue VS Code extensions that mine Monero through PowerShell scripts. Jacob, you kind of brought this story to our attention. Kind of wanted to talk about it for more of a deep dive here. What about it speaks to you?
C
Well, really a few things, and this hit on I think a number of our weak points as an industry. The first is that the developers are the target, which is always the case. As a security leader you always get pushback: you're stopping innovation or making us miss deadlines. And so it's hard to push on developers, and that's the exact target they use for this. The second was this was a very novel and very clever, frankly, establishment of dynamic configuration for an application, which makes it very, very hard to detect. Right. Which is the third piece: do we even have the sophistication, or do a lot of companies even have EDRs, that are capable of detecting such an attack? And so these three things really stood out to me as why this is important to kind of understand and dive into this one deeper. And on top of it, it's pretty cool to see them using a crypto capability, right, to dynamically update an app. And they only use one function, right, just the server name. There could be many things they could do to make it dynamically updatable.
A
I do like that there was the crypto guy on the malware team that's always throwing out these ideas and finally they're like, all right, Larry, yeah, okay, that's actually really smart. I actually really like that. Ross, what about for you?
B
But.
A
People being clever targeting business logic. What about this is speaking to You.
B
I think this is a really clever attack and it reminds me of malicious mobile apps that they put out on the Play Store. And at first you listen and you're like, can't Google and Apple just freaking detect these apps? But it's actually really hard because they have like shell code and then there's nothing there that they can actually look at and find that's malicious. And then after, you know, it's deployed, there is like a dynamic update with the malicious stuff. And if you have something like Ethereum, which is really designed never to go down, that's really hard to do a cease and desist on.
C
Right?
B
You know, people are going to be calling their ZeroFoxes of the world and saying do a brand takedown and copyright and all these things, but when the whole design of these distributed systems is that they can scale massively and can't be controlled, what a brilliant technique to go in and do this malware, right? So I think this is the start of what we will see a lot more going forward.
A
Jacob, I want to touch on something that you had brought up here. How do you use a story like this to start a conversation with developers, right? Can you use this as an in? Like, hey, not to be like, here's the cautionary tale, like, you know, Aesop's fable, but is there a way you can pivot with this and use it kind of organically to be like, oh, I'm really not trying to be sick of the one here, guys.
C
Well, there's always the FUD, right, which is what you're alluding to first, right? Which we start with typically. But at this point it's really just because we, my company, at least the people I work with, typically we make critical infrastructure. It's like medical devices. And so we take this very seriously. And so I kind of point to that and say, look, you need to be very cognizant about what you're using to develop these devices because they go on people, and the same thing here, right? You need to be very careful and you don't want to be the source of a breach, right? Because we'll figure out who it was at the end of the day. Right? And I don't think you want it to be you. And on the other hand, I try to think about it in a positive light. So let's start thinking about what you want to use and let's start making sure that they're safe for you to detect and work with. This one probably would have passed. I mean, besides it being used for, you know, cryptocurrency, which we don't really use in our company. But besides that, it would have probably passed a smell test because apparently they had like 14,000 downloads or something like that. They're able to inflate these numbers to make it look like this is actually used, and fairly well, and rated highly. Right? Or whatever it is.
A
Yeah. All the marks of authenticity there. Yeah, that to me is again like studying kind of the human behavior. It's like, okay, what are all the things that you look for to make you think you can trust this? And Ross, don't feel bad. Kevin Farrell in our chat here was definitely one of the people saying, can't they just block them? I think that's the first step in every security journey. All you have to do is. And then you find out all the reasons why.
B
I think this is a good piece here to understand. We've been using things like allow listing to say only install this software on the laptops because we don't want people installing video games and malware, and developers have had a double standard. They could install whatever packages, libraries, to write their coding platforms, whatever. Now we're seeing them being attacked more and more and more. And so if that is the case, we're going to have to do something around this. Like, if I work at a crypto company where my developers have access to writing the crypto, I can't just let them install every piece of software. I have to have a much closer look, because if this is going to start harming my software that can steal thousands or billions of dollars, I'm not going to sleep well as a CISO. Right.
A
Let's shift gears to talk about some of the aggravates. No. 1 passwords: the most common passwords are still the ones you and everyone else knows. This comes from research from Comparitech, and they report that among the top 100 most used passwords of 2025, eight out of the top 10 are variations of 1, 2, 3, 4, 5, 6, with the other two being password and admin. Variations on these three pretty much occupy the entire top 100 with just five standouts: gin (like, okay, it's not even that popular of a booze, I guess), a row of 10 asterisks, root, India 1, 2, 3, and Minecraft, because your 12-year-old nephew evidently is putting in passwords there. Cybersecurity media talks a great deal about spending money on defense in depth technologies, and we need to be able to fail gracefully and all this stuff. Yet people still seem to be stuck on page one of the cybersecurity manual, I guess. What's the takeaway when you see these types of reports? For you, Ross?
B
I think the takeaway here is, after no small amount of user awareness training and education, it's not working. It just clearly isn't working. So what I think we have to do is we have to rely on things like, we're going to email somebody the password to log in. We're going to use the biometric on your phone as a second factor. Because if we just trust grandma or Bobby the intern to type in their passwords, they're going to do what's most convenient for them, which is probably not security.
A
Amish Runway in our chat here says, dear God, wow, we suck as humans. I see you, Amish Runway. I'm not going to poo-poo our entire species here. I think we're humans. We're actually really good at being humans, which is why we keep doing this over and over and over again. I mean, Jacob, for you, what is the takeaway here on this story?
C
Well, I do want to agree with something Ross said, which is that the technologies that are coming are better, right? So a lot of things I log into nowadays don't even ask me to log in. It just sends me a link to my email or whatever I have associated with it. So that's a great step in the technology direction. On the other side, the takeaway for me is that this has been kind of bounced around the security industry for a long time, but the psychology of passwords, right? You either make them short and you change them all the time and therefore you reuse them, or you make them really long and difficult to use. And then there's just this back and forth trade-off that you have to find the sweet spot for yourself. But we still as humans haven't found that, apparently. Hopefully, I'm hoping there'll be some compensating controls we can put in place to make this not be such a big deal. On the other hand, I feel like most people are so desensitized to their data being lost that it's, you know, a wash at the end of the day.
A
Yeah, I mean, that might be the biggest takeaway here, right? Is that we're all so numb to this at this point. CCL in our chat here pointing out that human minds evolved to use connections and patterns, not randomness. Again, humans being humans, we just want to add one to that password. We want something that's understandable to us. I would make an argument that's why, at a very basic level for a consumer, a password manager makes a lot of sense. But moving and adding complements to this and all of those other controls and stuff like that just get us to a much better place. Next up here: operational technology security poses manufacturing risks despite rising awareness. Manufacturers continue to face major operational technology security challenges. According to Dark Reading, legacy systems, sprawling access points and human error are leaving factories vulnerable, while the integration of cloud and AI-driven tools is expanding attack surfaces. Recent incidents, including a ransomware attack on Asahi, the Japanese beer giant, have highlighted both financial and supply chain impacts. Security experts say an identity-focused strategy, governance and full visibility across OT assets are essential to reduce risks and improve resiliency. Jacob, OT is one of those areas that doesn't seem to get top billing, yet it's the backbone of the economy. It turns out everything runs on OT when you go deep enough. I'm curious what can be done to improve cyber defense in OT? Is this just the Gordian knot?
C
Pretty much. The article said it right, that the things you can do are limiting access, just minimizing the blast radius if you have such an outage or such an attack of that kind. But if you've ever worked with a manufacturing organization, or the COO or whoever, they are always trying to squeeze every penny they can out of everything they do, right? And so it is very difficult to get them to change or update or do anything, take downtime. It's just one of those kind of Gordian knots, like you said. It's going to be so difficult to get out of it, but at the same time it can be taken down and destroy the business or cause economic havoc. Right?
A
Ross, what about for you? I mean, is this just contain the damage at this point? I mean, is there any other higher level, is there anything more hopeful that we can try and pull out of this?
B
I think the root cause here, which was pointed out earlier, is that manufacturing just doesn't spend the money in cyber that you would see from the banking and the financial sector. They don't have the same level of oversight, which means nobody's asking them to have good cybersecurity, so they can kind of sweep it under the rug. Probably the only thing that's going to change this is the massive ransomware attacks stopping production, supply chain problems. Because when you can't, you know, sell Ford trucks because the production line is stopped, then from there you're going to be out millions or billions of dollars. And I think that is going to be the thing. But they don't actually care about the equipment that's already been sold, right? They don't have this, you have to maintain it for 10 years and ensure it's patched and upgraded, much like you would have for other pieces of software. So I think we need to have, let's say, more. This is going to sound terrible. We're going to have to have more litigation against these companies to say you screwed over your customers, in order to force them to change. Because right now the incentives just aren't there for them to fix the security issues in play.
A
I mean, is this, you know, we talk about the CISO's job, right? It's really just understanding risk, presenting that cyber risk to the business, right, and then taking action based on how the business wants to do that. Is this just a situation where OT, to your point, the pressure's on using equipment, getting every single piece of value that you can out of it, right? Don't upgrade the thing that's running Windows 95 because it's running great and we don't need to do it. Is that just always going to be, I can point out the risk to this all day, but the business is always going to choose to accept that risk until something catastrophic? Like we see Jaguar Land Rover, for example, impacting British GDP growth. Right?
B
The problem really is that people think because it's on a quarantine network, it's totally safe, and they just don't care. So take every hospital that you go to, there's probably a machine still running MRIs on Windows XP somewhere, right? And you're like, oh dear, how could that still be happening? It happens all the time in all of these places. And they're like, it's on a quarantine network. Until it isn't. Until somebody brings in a thumb drive, until somebody connects a Wi-Fi hotspot, until somebody, you know, puts a cable in the wrong port and all of a sudden it's connected and nobody had any idea. That's kind of what's happening in the OT space. People just say, we're going to isolate it, we think we don't ever have to patch it, and the manufacturer went out of business or they just don't care. So we're in this terrible place and people just accept it versus pushing for how does this actually get better?
A
We had a question in our chat. Jacob, I wonder if you could maybe supply some perspective on this. Do attackers jump more from OT to IT or IT to OT?
C
I'd say it's probably more OT to IT, because OT, like we're talking about here, is the weaker side, typically not paid as much attention to. And then there's always some kind of point back that was made for some testing or some exception you have that you're not managing well that they can jump back into the IT network through. So I would say that's the direction I remember.
A
I was in a briefing, Ross, to your point, I was in a briefing once. It was for, like, some Cisco router or something like that. It was Dell EMC, it was some kind of server, whatever. And they were touting, it's like, oh yeah, we have this great front panel here and we got this. And there was this old security head who, like, stood up and goes, why are there USB, like, don't show me those USB ports. Is there an option to get those just, like, off? Like, I want nothing. I want to hot glue them is the first thing I'm going to do when I get that in my environment. That's all I can think of is just, like, man, someone just thought that cable got loose and plugged in that ethernet, and the game is over for your MRI machine. It's just so, so brutal. Before we get out of here for today, we're just about out of time here on the Department of Know. Is there any story in the news this week that we've discussed on the show, just broader out here for you, Jacob, that you had a big thumbs up for, it made you happy, or you did a face palm, you couldn't believe it happened? What stood out for you this week?
C
This week the SleepyDuck one, to me, is the one with the Ethereum. It's so fascinating to see that being used now. And that's just opening up kind of a new realm of my research and trying to understand how these attacks could be pulled off. That's it for me.
A
Ross, what about for you?
B
Yeah, I think that's a really interesting one. I'm probably going to go back to this Lapsus$ and Scattered Spider merger. I think it's going to be really interesting what this, I don't know, Legion of Doom puts together and what they come up with on novel attacks. You know, maybe it's a good thing, maybe they're all getting their jobs outsourced to AI so there's going to be less of them. But I just don't know how this is going to play out. Right.
A
I love, like, just all the ruthlessness of all of this. So, Ross, you've made me so happy about a super group of threat actors all getting together here. This is fantastic. Also makes me happy to see everybody having some fun in our chat. I see Anita Sailors, Cheddar Bob. I already said hi to you, but I will say hi to you once more. Getting in there. We're sharing emojis. We got Kevin Farrell in there. We have CCL on there under a weird name because YouTube changed stuff all of a sudden. Real quick, Ross, help us out here. I said a quick question: does developer security ops belong in the OT or the IT basket?
B
Developer security is in the IT basket. OT tends to be hardware and then developer tends to be software in my mind.
A
Fantastic. Helping you out, answering the questions, having some fun in that chat. If you're not joining us for the Department of Know each and every Monday at 4pm Eastern (I had to be reminded of the start time myself earlier today), you are missing out, because we're having some fun here. So good times. Thank you so much. And thanks once again to our guests, Jacob Combs, CISO over at Tandem Diabetes Care, and Ross Young, co-host at CISO Tradecraft. We will have links to both of your LinkedIns in our show notes. So thank you once again. But Ross, I know you've got some fun stuff coming out. Can you tell us a little bit more about it?
B
Yeah. So I'm writing a book called Cybersecurity's Dirty... Why Most Budgets Go to Waste. So if anybody is looking to maximize their outcomes per dollar, look at CISO Tradecraft. Follow me on LinkedIn and I'll be posting the book here on Amazon later this month.
A
Jacob, thank you so much for having your maiden voyage here on the good ship Department of Know. My prediction came true: we will have to have you back because you were exceptional. Thank you both so, so much. All right, make sure also to give a big thank you in your heart of hearts to our sponsor for today, Vanta Compliance. That doesn't suck too much. And another big thank you to our live audience. You helped make the show so much fun. You made me smile. You made me laugh. You made me think. That's all I can truly ask for. And if you can't join us live, we understand; we're all busy people. Feedbacksoseries.com, it's electronic mail, no stamp required, Phil Collins style. Join us again next Monday, 4pm Eastern, for another edition of the Department of Know. To register for the live show on YouTube, just go to the CISO series, or just go to cisoseries.com and click on our Events tab. And if you need your daily cybersecurity news fix, and of course you do, don't forget Cybersecurity Headlines every single weekday. Give us about six minutes and you will be all caught up. And thank you once again for joining our Monday standup. Have a great week, stay secure out there, and have a super sparkly day. Cybersecurity Headlines is available every weekday.
B
Head to cisoseries.com for the full stories behind the headlines.
Date: November 10, 2025
Podcast: Cyber Security Headlines
Host: Rich Strofalino
Guests: Jacob Combs (CISO, Tandem Diabetes Care), Ross Young (Co-host, CISO Tradecraft)
This episode of “Department of Know” kicks off the week for cybersecurity professionals with a strategic roundtable on trending security issues. Host Rich Strofalino welcomes Jacob Combs and Ross Young to discuss major cybercrime stories, emerging attack vectors, persistent password woes, and the ever-complicated challenge of securing operational technology (OT). The theme this week is “collaboration”—for better and for worse—including how cybercriminals are joining forces and what defenders can learn.
Jacob Combs (02:41): Focused on Identity and Access Management (IAM), emphasizing not just technology but process, discipline, and overall security hygiene.
Ross Young (03:12): Concentrating on cost-effectiveness and the lessons of cloud adoption, warning of potential costly misconfigurations as organizations rush into AI adoption.
The story: Cybercriminals team up with organized crime to hijack cargo using compromised logistics systems.
Memorable Moment (05:36, Strofalino): “Business logic, unassailable thing to target if you’re a threat actor.”
Combs (08:43): No thanks—just “another day at the office” for defenders.
Young (09:07): Wants to know more—sees potential risk in the technical convergence of notorious groups.
Quote (09:07, Young): “Look at these ransomware groups… their skillset is going to get really, really good and pivot in some new ways that we haven’t seen.”
Combs (16:50): Fascinated by targeting of developers, novel C2 via crypto, and detection challenges.
Young (18:08): Paralleled with mobile apps—dynamic code updates hard to detect, Ethereum makes takedown nearly impossible.
How to Use This Story:
Combs (19:32): Advocates positive but realistic communication with developers: “You don’t want to be the source of a breach.… Let’s make sure what tools you want to use are safe.”
Young (20:56): Allowlist concepts for developers may be necessary; critical to control what tools devs can install, especially for sensitive sectors.
Young (22:43): User training simply not working; must default to controls like emailed login links or biometrics.
Combs (23:36): Optimistic about tech shifting away from passwords; passwords' dilemma is psychological, users always trade off convenience for security.
Combs (25:50): “Gordian knot”—difficult to fix as manufacturing is resistant to downtime, spends little on cyber, but the consequences of attacks can be existential.
Young (26:38): “Manufacturing just doesn't spend the money in cyber… probably the only thing that's going to change this is massive ransomware attacks.” Litigation might be the only real motivator.
Quote (26:38, Young): “They don't have the same level of oversight… Probably the only thing that’s going to change this is the massive ransomware attacks stopping production…”
On network pivoting (29:33):
This episode spotlights how both defenders and attackers are banding together, with a focus on the latest tactics threatening organizations. SleepyDuck’s Ethereum-enabled resilience, timelessly terrible password practices, escalating threats to industrial infrastructure, and the ever-present risk/reward balance in security programs are discussed. The hosts and guests emphasize actionable insights, real-world limitations, and the importance of moving from reactive to resilient security postures—delivered in a way that’s as fun as it is thought-provoking.