
A
All right, this is Rich Stroffolino with the Department of No. Krista Arendt, Associate CISO over at St. Luke's University Health Network. I gotta ask, what is your priority this week?
B
That's a loaded question. Longer than a CVS receipt, I would say. My top priority is making sure that I don't get socially engineered by my own calendar and my email. My AI assistant, Doug, that's an inside joke. Apparently even my schedule is now a threat actor, so. Love it.
A
Yeah, I mean, your schedule was always aggravating, but now it's, you know, just trying to phish you at all times. So that's. Yeah, always reassuring. At least it gives you something always to keep top of mind. You can't rest on your laurels, which is always a nice thing. Jason Shockey, CISO over at Cedar FSB. I got to ask, what is your priority this week?
C
Optimizing human potential. So I've been at Cedar for five years and we have a program that's mature now. I'm going to refocus on the people.
A
I like that. It's like the Amazon model, right? We just got to keep reinvesting, making it better. I like that. Poor process is over there feeling neglected. But he was a special child for a long time, so let's just hold off here. All right, producer Steve, let's run that opening from the CISO Series. It's Department of No. Welcome to the Department of No, your virtual Monday strategy meeting where neither snow nor rain, nor heat nor gloom of night stays this show from the swift completion of our appointed news coverage, relevant in the weather of the times here. Our sponsor for today is Conveyor, the only trust center with an AI agent that completes questionnaires. Remember to get involved in our YouTube chat live. We have some people joining us there already. I see some people getting involved. It brings joy to my stodgy heart. So thank you so much for joining us there. We're live every Monday at 4pm Eastern on the CISO Series YouTube channel. So make sure you're joining us there, or you can email us at feedback@cisoseries.com. Quick reminder that the opinions expressed on the show by our guests are in fact their own, not necessarily those of their employers. Let's just jump right in to our Know or No segment. So much news out there during the week. Can't cover it all with in-depth discussion, but we can quickly get some security leaders to tell us: do we need to know more about this, or is this a "no, thanks"? So let's get it started here. First up, LastPass backup link scam. A phishing campaign is spoofing LastPass maintenance notices and urging users to create a backup within 24 hours. This is being done to steal master passwords by going to a fake password, or, excuse me, a fake LastPass site. LastPass says it never asks users to back up vaults or reveal master passwords. Thanks, LastPass, for that reassurance. It's a challenge getting people to maintain their passwords generally. And when the trusted players are involved in problems like this, it definitely doesn't help.
Like the optics on this for some people? Not great. Krista, you. Do you need to know a little more about this, or is it a "no, thanks" for you?
B
I want to make a joke. This is serious business. But you know, in health care, with the speed of business, and I know finance is similar, the same way, you know, when you have a legitimate notification, they don't respond within 24 hours anyway, so. So maybe the people problem actually helps us in this situation. I would say I'd like to dig into it a little bit. You know, MFA alone isn't going to continue to help us and, you know, to the point earlier, focusing on the people and how we can utilize our resources better and optimize that. I think that's a fascinating input there. So I definitely would love to know more. I don't know, it's, you know, the. I'll get into it like I did earlier. It's the psychology of people and how they interact with technology in general, and how do you get them to listen?
A
Yeah, therein lies the rub. Jason, what about you? How is the story striking you? Do you want to know a little more about this? Are you bringing this to your team as kind of a refresher for these kinds of issues?
C
No, I think this is for me, it's not so much. No, thank you. It is a reminder though, like we're just talking about, you know, the authenticator assurance levels are there for a reason. Get the 22 plus, you know, use MFA. Use fobs when you can. But the urgency part is the thing that always gets me. Like Krista was talking about, I don't need to do anything within 24 hours, especially if you're telling me to change my password.
A
All right, next up here, Gemini prompt injection flaw exposes calendar info. The dreaded calendar. They're coming from inside the date. A prompt injection issue in Google Gemini lets attackers hide instructions inside calendar invites. When users asked Gemini basic scheduling questions, the model copied private meeting details into a new calendar event visible to the attacker. You know, this is why we can't have nice things. Every employee relies on calendaring. Perhaps there's a need to address culture in organizations to reinforce critical thinking. Maybe. Have we reached our limit? Jason, what about you? Do you want to know a little more about this, or is it a "no, thank you" for you?
C
I think it's know more in two areas. One, AI governance. Make sure that the guardrails are there and make sure you can actually have the visibility, the alerting and the monitoring that's there to know that something is going on. And then also it's just operational security, to your point. So back on the people part, everyone knows what they're supposed to be doing. Don't put sensitive data inside calendars, don't put attachments that have sensitive data, if you can, within those calendar invites and within your calendar, just to limit the attack surface.
A
Krista, what about you? Are you living off your calendar as much as I am here? Is this worrying you?
B
I'm at the point, so definitely know more. And I'm at the point where I can't even keep up with my calendar. And I think everybody here is probably triple booked on a regular basis too, so they're relying on the speed necessary of business. And I'll tell you, I've been in finance, I've been in crypto, I've been in healthcare. I've been in a lot of verticals, both long-standing institutional and bleeding edge. And it continues to be an issue due to the speed. Right. And the pressures that. I know we'll get into it later, but like geopolitical pressures, you know, regulatory pressures, financial pressures of our organizations. But I will tell you, like, straight out, this is something we were actually talking about internally over the last couple months is building more threat modeling and defensive and, you know, responsive security controls, because this isn't the first time. There was actually another one recently where they tried to do this as well. And I'm losing my mind. It's losing my mind to be CISO. So building threat models that consider language context as an attack surface, and not just code patterns, would be interesting to me.
A
Yes, yes. This has been like my takeaway this whole past year with all of this LLM stuff, and prompt injections kind of allowing not new attacks, but new attacks at scale. It's just like business logic is undefeated as a prime target for all of this stuff. And it's just like when your calendar says to show up somewhere, you click on the thing and you do the thing that your calendar says; they all want you to do it all the time. So I can totally see why this would be effective here. Every calendar app is shoving notifications in front of you. Click on this thing, execute this app. So I could totally see why this would be effective here. Next up here, SmarterMail auth bypass flaw now exploited despite patch. Threat actors are exploiting an authentication bypass vulnerability in SmarterTools' SmarterMail email server and collaboration tool that allows resetting admin passwords. Otherwise, you know, pretty run of the mill. But in this case, SmarterMail released a fix on January 15th. However, researchers at watchTowr found evidence that suggests the attackers had reverse engineered the patch and found a way to leverage the flaw. Still reverse engineering of patches. Krista, you, do you want to know a little more about this, or no, thanks?
B
No, I don't. This is a long-standing problem in general of protection and defense, right? Like the red team, blue team stuff. So I mean my takeaway is I need to strengthen patch orchestration and risk-based prioritization and assume active exploitation at all times. Which you have to, right? Because to your point, like we're never going to get ahead of threat actors and, you know, things are released and people exploit them, especially with AI, more quickly than you can even read the news these days. So it is typical, you got to refocus on hygiene and just figure out how to do it, you know, better, faster, quicker to try to stay above water.
A
Jason, what about you? Do you want to know a little more about this, or is it a "no, thank you" for you?
C
Yeah, no thank you. You know, one of the pillars of a mature cybersecurity program is vulnerability and patch management and your patching cadence. So mean time to detect, mean time to remediate. So all of those things should be in place in addition to what was mentioned earlier, the defense in depth. So even though there might be some sort of compromise on the outside or on the surface, there's still a little bit more that the attackers are going to have to go through, some hurdles they are going to have to jump over, in order to actually get to the data. So no thanks.
A
Okay. I'm feeling like I'm feeling more calm. This is a good place to be. Let's see if we can elevate the stress level throughout the rest of the show here. Our last story in Know or No: an alternative to CVE appears. A wild CVE alternative, the Global CVE Allocation System, or GCVE. That's going to. Folks, bear with me here. Will be maintained by the Computer Incident Response Center Luxembourg as an alternative to the traditional CVE program. CISA's recent troubles exposed the program's dependencies on a single funding source. We all remember that from last year. The proposed GCVE avoids reliance on a centralized system. Do you think this will fly? Is this a "know a little more" or a "no, thanks"?
C
I would say know more. This is something that, if someone defines a new term, as long as there's mapping to the previous kind of framework that people are using, CVSS or the QDS that we use within sendlr, which is based on CVSS, if there's a mapping between the two, or a Rosetta Stone, that's a good thing. Now, if all of Europe uses the GCVE, that's great, as long as we can actually talk the same language. When I'm talking about a CVSS or QDS, then it relates back to what they're speaking about. As long as we know what a critical is and what a zero day is, then there's some semblance of speed to patch. So that's a good thing.
A
Krista, what about for you? Is this just a hey, as long as the mapping works out, we're all good, or do we need a little more about this?
B
As a governance nerd, I want to know more. For me, as a threat manager, right? If you're building a robust threat management system, do you use or embrace new vulnerability identifiers to better classify AI vulnerabilities? I don't know. And make it more dynamic. So yeah, I mean, I'm interested.
A
But Jason, I like your idea. I want to form my own protocol to map GCVE to CVE, and then we can fork that for some national sovereignty, and then it'll be mapping all the way down. That's what everyone intended when that system was founded. All right, before we move on to our deeper discussions for the day, I have to spend a few moments and thank our sponsor for today. And that is Conveyor. Ever dream of giving customers instant answers to their security questions without ever filling out another questionnaire? Meet Conveyor's new Trust Center agent. The agent lives in your Conveyor Trust Center and answers every customer question, surfaces documents and even completes full questionnaires instantly, so customers can finish their review and be on their way. Top tech companies like Atlassian, Zapier and more are using Conveyor to automate away tedious work. Learn more at conveyor.com, that's C-O-N-V-E-Y-O-R, Conveyor. All right, we are diving in here for some deeper discussion. First up here, UK and China try to ease cyber attack tensions. Bloomberg sources say the UK and Chinese governments have created a forum called Cyber Dialogue to discuss allegations of cyber attacks, believed to be the first of its kind, particularly with China. This will provide a single mechanism for senior-level discussions of cyber incidents directly, rather than working through back channels or more diffuse methods. This comes as China is in the midst of negotiations to build a new super embassy in London and as the UK government announced a total reset in its national cybersecurity policy. Definitely a major inflection point for the UK here. Lots to unpack. First up, the patchy, no pun intended, history of international agree-to-agree agreements. Second, the fact that China does not tend to play by, I don't know, the rules. 
And third, that the carrot and stick is a super embassy, which involves a custom building in a place that could easily house all types of, I don't know, espionage toys. And fourthly, that the UK is licking its wounds over recent cybersecurity policy gaffes. We've seen all sorts of announcements coming out as they're doing this kind of comprehensive reset here. Krista, for you, lots of issues here. Where would you like to go with this? What stands out to you with this?
B
I mean I'll just table the ego Olympics and, like, the power peacocking that is probably going on there and say that geopolitical events, I mean, Jesus, ever since I was young, my career, and I worked in the DoD, is something that should be tracked at an enterprise risk level. Right? It affects your business. I know in health care it's going to affect, you know, your financials, how it bleeds down regulation, etc. You know, the world's defensive postures, what data you can put across. But you know, at the end of the day I think you made the point exactly the way I was thinking. Like, okay, great, we're getting together and high-fiving each other and playing, you know, chess in person. But are we really going to share the information that we should be sharing there factually? And would you ever know? Because to your point, there's no with between China and us. China typically doesn't disclose the appropriate or factual information. So I come from my scientific background. Like, go to the source of data and figure it out yourself. Because you're never, it's like getting a freaking bad actor to be like, yes, you know, this is how I did it. And trying to be factual. So you can patch it or, you know, defend against it in the future. So I just think it's like it's a lost cause.
A
Jason, for you, is this completely hopeless, or is there any kind of silver lining we can get out of this other than a super embassy? Does sound super cool.
C
Know more. This is something to definitely track. I think it depends on a couple of things. Attendance, trust, and transparency. So kind of what was hinted at earlier was, okay, who is being sent to these meetings? What talking points do they have? Are they trusted sources and are they transparent about that? So depending on those levels of each of those three things, it might be a nothing burger, it might be a super nothing burger. And then on top of that, it might be. I read an article last week or maybe the week before where civilian companies in the United States might be conducting offensive cyberspace operations, or OCO, which would change a little bit of the dynamic in the geopolitics for conducting offensive cyber operations. And that might be brought to the table, but depending on who goes to the table, it might be a nothing burger.
A
I do. You know, one of the things that since we started Cyber Security Headlines that really has become apparent is that the idea that, you know, cyber warfare and conventional warfare, however we want to define that, are essentially hand in hand now. Right? We really can't separate those. We've seen numerous hot wars now where there's just a hand in hand cyber component to all of that. And we see this as just part of people's playbooks now at this point. I do wonder if this kind of center, to me, this almost is like sitting down for, like, you know, arms control agreements, right. It's the fact that you at least have someone directly to talk to. Now, to all of your point, is there any trust or transparency, or even if you have a relationship with this person, do they have the authority, you know, to move this up the Chinese governmental chain to actually enforce any change? Giant open questions that, you know, may.
B
And not just, hold on, not just authority, but then the knowledge base. So I think you guys made a good point is how. What about the congressional hearings that go back and forth about technology, and these people, remember when AI just got really big a couple of years ago on all of our landscape? Again, even though, you know, components have been around forever, and you have people at these congressional hearings that literally are spreading false information about AI because they're not AI experts. So, like, is it doing more harm than good, to your point, because of the people that they're sending here, and, like, really taking us three steps backwards instead of making any progress.
A
I like this comment we got on LinkedIn. As the saying goes in geopolitics, there are no permanent friends, no permanent enemies, only permanent interests. Interesting. I think yes, they both have interests and talking. Maybe we'll get them one thing, not hacking.
C
One near term goal that might come out of that is hopefully if you create an exploit, you have a corresponding remediation that goes with that exploit to be released at some point. Maybe that's like in the lane of the kind of the arms race or the cyber arms race. Don't just create a bunch of exploits and have no remediation. Just leave everybody out to the pasture. It's maybe that's something that we could come together on.
B
That's interesting because you make me think of medicine. You know, all the stuff we see on TV is like there is always an antidote, but is there?
A
All right, well, if there isn't one, maybe we can ask AI to create one for us. That brings us into our second story. AI-generated malware touches the VoidLink. An advanced Linux malware framework called VoidLink offers sophisticated cloud-focused tooling like custom loaders, rootkits and modules for evasion across cloud providers. Initially, when we covered it on Cyber Security Headlines, researchers at Check Point believed it was the work of Chinese developers due to its sophistication. However, in a follow-up report, they now say it shows clear evidence that the malware was produced predominantly through AI-driven development, believed to be the work of a single person iterating on it for about a week using an AI-enhanced IDE. Something that they estimated would take 16 to 30 weeks for a human team. Krista, here seems like, I don't know, a problem that we're going to be talking about for a while. AI-created malware. It's here. This isn't theoretical anymore. I'm curious, what are your thoughts when you see something like VoidLink?
B
I feel like I'm at the roulette table in Vegas and the stakes are raised, right. So I just put everything down on red. So I don't know, for me we really need to focus more on anticipation when it comes to red team, blue team exercises. But you know, how do we leverage that same capability to help us anticipate more accurately? Because, you know, our anticipation, and you know you can always have a feeling, but red team, blue team is always, again, based on data and what they're seeing. You know, my boss says 25.5, he's awesome. He's still in the military. And you want to see beyond your front door. You want to see, like, what's in the corner, what's over there. And for us, you can't anticipate, and a lot of places don't have the resources to anticipate accurately enough because you don't have those data feeds. So we really need to focus on refining the data feeds and really contextualizing this stuff in a way that you can action it for red team, blue team.
A
Jason, what about you? Is context going to be king here for battling these pop up AI threats that only seem to proliferate over time?
C
Yeah, I think defending forward in cyberspace is something that I learned at the Cyber National Mission Force and definitely something that I use every day. Now I don't have the capabilities of the authority, or I have the capabilities but not the authorities, to actually go and conduct offensive cyberspace operations. But we do know what can happen. So why don't we use AI against AI, meaning we have automatic attack disruption within our Azure tools. So why don't we use a lot of the AI and ML that's embedded within the cloud-native security tools to defend against something like this? Now it's not going to stop everything, but it does allow us to kind of match the speed that we're seeing. Like this person iterated over a week or so, maybe it was said, but back on the people theme, one person did this. Well, I can have a person on my side do the same thing, iterate against that, and they can do that by threat hunting and using the tools and using, you know, Copilot for Security or whatever kind of AI tools that they have at their disposal. So defend forward with the right people, but you got to get the right person and then train them and mentor them in the right way.
A
Can I just say my favorite part about this story is it's threat actors, they're just like us. Because the reason that we're pretty sure that this was the work of one person is that they left all of their development tooling exposed online, like an unencrypted S3 bucket or something. So we just read all of their docs, we had their full chat history with how they were formulating and iterating on this. We know how they treated this like a regular software development project where they just asked the AI, okay, build me out a software development roadmap, and then got a bunch of agents to go do that. One, I think that's really significant to show, like, everybody, like, if you're bringing this to your teams, right, to say, like, hey, this is a real thing, like we actually have, like, here's literally what threat actors are able to do step by step, how easy this is, which I think is very valuable to have, like, that kind of insider look at that. But two, that just because you can develop this also doesn't mean you know how to secure your own infrastructure, which is very, you know, kind of shoe on the other foot in a very real way here.
B
I like this comment from Jay Schmooze: preparation, prevention, resilience and blast radius minimization. We're at the point where we're still trying to discover and keep up with how AI is being utilized and exploited. Where it's almost like when you go into an organization, start a brand new security program, right. One of the things you really focus on is your resilience and recovery strategy. So it kind of buys you time to figure out the rest. And it's not like we always say, it's not if, it's when. And we can't, we're already talking about it, we can't keep up. Right. So how do you minimize the blast radius, stuff like micro-segmentation of assets to say, like, okay, you know, at least it's not going to take out your critical, you know, health care assets or solutions, you know, trying to sustain life, things like that, or to sustain business for core capabilities. Yeah, good point.
C
There's also something, yeah, there's also something in Entra called Continuous Access Evaluation, or CAE, where you can just remove someone's identity with a couple of pushes of a button. So that's leveraging AI to actually meet that speed, where if you see something anomalous within some sort of user and entity behavior analytics, you can actually stop the attack.
B
Yeah, I'll tell you, we just got a tool to automate that too. I'm actually really excited because it's like when you have, I mean, for us we have, what, like 30,000 more identities than typical for an organization of our size, and it's just going to proliferate with agents, and you really need to. Yeah. Figure out how you can automate that as best possible and then complement with human intelligence.
A
All right, our last story here. Kind of hand in hand with some of the themes we've been talking about. The problem of AI agents emerges at Davos. At the annual Davos World Economic Forum meeting, Cloudflare co-founder and President Michelle Zatlyn said, with AI agents, you need to think about them as an extension of your team, an extension of your employee base. This was echoed by other luminaries who suggested ensuring ongoing quality assurance, the same way that calls are recorded for quality purposes. So from a cybersecurity perspective, the issue has become one of recognizing AI agents as part of the team, not just as a standalone tool or something like that. Is this something that you're already comfortable with, Jason? I've kind of heard the methodology. Hey, you need to treat it like a junior team member, right? You don't want to give them the keys to the kingdom, but you need to be able to build some trust with them over time.
C
I'm always in the yellow zone, so I'm never comfortable about anything. I think that's what kind of gives me an edge in my job. It's not the most, you know, healthy thing, but it's definitely something that helps. As a Chief Information Security Officer, I think, as I mentioned earlier, the AI governance or the guardrails that are built into the models, the guardrails that are built in for the. Because I definitely want the enterprise workforce to use AI, it definitely optimizes human potential, optimizes human effectiveness, and then operational business effectiveness. One of the things that I think has to occur is identities. Like we were talking earlier, you have to have something to keep track of these agents, and as they start to access additional items within the environment, they cannot just run around free. There have to be those guardrails. Again, I can't say guardrails enough. It's like it's becoming a buzzword around where I work. But I would say also if people are nervous about. I've always considered AI an extension of my workforce. AI is just the next tool. It's been around for 50 years. Generative AI and agents have not been around that long. But it is just another tool to let you. Like Steve Jobs says, a computer is a bicycle for your mind. So if you get on the wrong bike, or if you have the wrong person get on, you know, a bike, you're not going to go that fast. So these are tools to allow us to optimize our work. So make sure that you understand how to use these tools. Because if your job, if the tasks that you perform can be run by AI, you're going to be in trouble. As far as your workload, your job has to be more than the task, and then you'll be able to use AI instead of AI using you.
A
I like that. I like that. Krista, I see some head movement there. Where are you at with the story?
B
I mean, he pretty much took the words out of my mouth, and really I'm going to add, again, automation to that. The governance is key, right, because if you don't have the right checks and balances in your leadership system, say, like, we will and will do, not that. How the heck is security going to keep up if you can't even make a decision? Put guardrails around that. So for me, again, the continuous checks and balances from a technical perspective with identities, because essentially the agents are just identities who you're giving access to, to make kind of autonomous decision making, and putting those guardrails in place. How are you then going to automate and how are you going to get that visibility into a place where, you know, your small team, especially in healthcare, you know, can keep up? So automation is key, especially with the limited resources.
A
We have TJ Williams in our chat saying mapping is going to get huge, and then someone else chipped in, and complex, probably. You know, some wise takeaways there. So I like that we're in accord on that, it seems like. Now my question though, to kind of close this out here with this discussion, is that all sounds good, right? Guardrails, automation, governance, that all sounds great. I imagine there are not a few CISOs that are in the position of we need to press the gas on all of our AI agent deployments, and they don't want to also be the Cassandra saying please stop, please slow down. I'm curious, like, how do you start that conversation with your team to get some buy-in for the need for these guardrails, this governance, if that's not already immediately obvious to them?
B
Can I, without even answering that question, just hop in and say, you know, they're either going to be the Cassandra or they're going to be the Karen and ask to speak to your manager when he just does it.
A
That's, that's fair.
C
That's fair.
A
By the way, I want that to be my new business book. Cassandra or Karen. That's the dynamic.
B
Yes, I would read them in the Gartner quadrant.
A
Jason, what about you? Like, can you have that conversation? Like, is it already too late, right? If people are like, let's go pedal to the metal on all this AI agent stuff, is it already too late to be asking about guardrails and stuff?
C
I think it's never too late to talk about guardrails because some, you know, what you want I think is it's a good thing for the business to push forward, but moving together would be best. Business pushes forward with cybersecurity along the way, meaning it's baked in as everybody always says or tries to say or tries to get done. I think if business didn't push the envelope, then we wouldn't have, you know, business. Businesses are here to make money. We're here to secure the business so they can go farther and faster into more risky areas than they would if it didn't have cybersecurity. So I'm a business enabler. I am trying to help the business use every technology out there to give us a competitive advantage.
B
Yeah, I agree. Yeah. So sorry to chub, but I'm like, I'm high-fiving you, high-tenning you from over here, because for us, especially with innovation in health care and how, you know, to do it better, faster, cheaper, essentially like everybody else, it affects patient lives. So for us, we can't continue to say no to new technology just because, you know, the FDA takes like two years to put it through the cycle and it's already a couple revs behind in your operating system and, you know, like your security updates. So for us, and I agree, like, it's a continuous conversation, and, you know, the conversation around governance should have started, and what guardrails we're going to put in place and what are the right people to have as stakeholders, the minute someone mentioned AI or, you know, it came out in the news. So always, as a CISO, you know, we always have to be a step or two ahead, like Jason said, to enable the business, to really be proactive so we're not being seen as that, you know, office of no. Even if we want to help.
A
All right, well, before we close out our stand-up here, let's get a little bit of advice based on, kind of, I don't know, the vibes, the reaction to some of the news that we saw this week. Krista, I'm going to start with you. What's one piece of advice, kind of based on our conversation today, that you'd like to share?
B
Yeah. Taking medication is okay. If you're in security, it helps ease the pain. I'm just kidding. I'll stick with my stupid jokes, because this is the way that I de-stress. Trust but verify, especially if it's your calendar, is gonna be my advice. Nothing else that I can give you that you don't already know, your...
A
...calendar will ultimately betray you. All right, Jason, for you, what's one piece of advice you'd love to leave our audience with?
C
It seems the theme throughout all of these headlines and each of these topics is speed. So adopt a framework. My favorite is the CIS 18. Get to Implementation Group 3 as fast as possible, because once you have that framework in place, you can move as fast as the business can. Actually, you can cycle through your OODA loop faster than the business, which is what I try to do within cybersecurity, so we're one step ahead, like Krista was kind of talking about. I was fortunate enough to hear an F1 mechanic for the McLaren team talk about his experience. And the way that they talked about the thousand people or so that help the two drivers get around the track as fast as possible is they have these... they run through every scenario that they could possibly think of that could go wrong and then fix it before they get to the race. And I'm thinking, yeah, it sounds a lot like the Department of Defense, where we try to break things before we go out into the field and out into war to make sure that if something bad will happen, how are you going to react to it? So now that we're in, you know, this resilient era where we are going to get breached, how fast can we recover? It deals with finding those single points of failure and then fixing those before it actually occurs.
A
That sounds like, as an engineer, that'd be the most satisfying job in the world, to do that for an F1 car. That's amazing. All right, Jason Shockey at Cedar FSB. We're gonna have your LinkedIn profile in our show notes, but what else have you got going on that you wanna let our audience know about?
C
I'm speaking at the MBA conference on February 18, talking about cybersecurity programs and AI security. But yes, please reach out to me on LinkedIn.
A
And Krista Arendt, the Associate CISO over at St. Luke's University Health Network, what have you got going on that you wanna let people know about?
B
Trying to manage my day-to-day life, being a mom, a professional. I'll tell you, coming up though, some of the big things: I am going to be at ViVE. It'll be my first time. I know that's really healthcare-specific, but anybody who's going to be there, let's connect. And then Black Hat is what I'm really excited about. So I'm involved in Midnight in the War Room, which is a movie that came out, a documentary on cybersecurity, where they have a bunch of well-known hackers, well-known leaders and stuff on there. So the world premiere is going to happen at Black Hat in partnership with them, and it'll be my first time at Black Hat. So excited to see you guys there. And I'll be sure to turn my Wi-Fi and my Bluetooth off.
A
Well, thank you both so much for making the time. I know you are both busy, making the time being here, helping drop some knowledge, helping contextualize a lot of these stories. It was a ton of fun. We'll have to have you back very, very soon. And also a big thank you to our sponsor for today, Conveyor, the only trust center with an AI agent that completes questionnaires. Remember, you can send us feedback anytime at feedback@cisoseries.com, and join us again next Monday at 4pm Eastern for another edition of the Department of No. To register for the live show on YouTube, just go to cisoseries.com and look for our Events page. We have information on everything that we have going on there: Super Cyber Friday, live events, meetups. Yes, you can meet us in meatspace there. So, the Events page at cisoseries.com. Thank you so much for joining our Monday stand-up. I hope you have a great week. And for myself, for our glorious producer, Steve Prentice, for the big boss man, David Spark, and everyone else with the CISO Series, here's wishing you and yours a super sparkly day. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Date: January 27, 2026
Host: Rich Stroffolino
Guests: Krista Arendt (Associate CISO, St. Luke’s University Health Network), Jason Shockey (CISO, Cedar FSB)
This episode provides expert commentary on the latest cybersecurity headlines and industry trends, with a focus on how emerging threats and rapid technological change (especially AI) are reshaping defensive strategies. Topics span phishing scams exploiting trusted platforms, AI-driven attacks, vulnerabilities in collaboration tools, international cyber diplomacy, and the governance challenges posed by AI agents.
Krista’s Focus: Avoiding "social engineering by my own calendar and email," highlighting the threat of calendar-based phishing and AI assistants as potential attack vectors.
"Apparently even my schedule is now a threat actor." – Krista (00:15)
Jason's Focus: Optimizing human potential, revisiting people-centric approaches as his organization's cyber program matures.
"Optimizing human potential... refocus on the people." – Jason (00:49)
"MFA alone isn't going to continue to help us...it's the psychology of people and how they interact with technology." – Krista (02:58)
"The urgency part is the thing that always gets me...I don't need to do anything within 24 hours, especially if you're telling me to change my password." – Jason (03:56)
"Building threat models that consider language context as an attack surface...not just code patterns would be interesting to me." – Krista (05:29)
"AI governance...Make sure the guardrails are there and you have visibility, alerting, and monitoring." – Jason (04:55)
"If all of Europe uses the GCVE, that's great as long as we can actually talk the same language..." – Jason (09:32)
"Do you use or embrace new vulnerability identifiers to better classify AI vulnerabilities? ...I'm interested." – Krista (10:18)
"I'll just table the ego Olympics...Geopolitical events...should be tracked at an enterprise risk level." – Krista (12:54)
"Attendance, trust, and transparency...Depending on those levels…it might be a nothing burger." – Jason (14:13)
"In geopolitics, there are no permanent friends, no permanent enemies, only permanent interests." (16:29, LinkedIn comment cited)
"It's threat actors—they're just like us...They left all their development tooling exposed online...So we just read all of their docs." – Rich (20:21)
"Defend forward in cyberspace...Why don't we use AI against AI?" – Jason (19:19)
"Preparation, prevention, resilience and blast radius minimization." – Krista (21:17)
"I'm always in the yellow zone, so I'm never comfortable about anything...AI governance or the guardrails built into the models..." – Jason (23:37)
"The continuous checks and balances from a technical perspective with identities... How are you then going to automate and get that visibility..." – Krista (25:25)
Business Alignment:
CISOs should enable business agility—AI can accelerate productivity, but only if cyber risk is managed in tandem.
"Business pushes forward with cybersecurity along the way, meaning it's baked in..." – Jason (27:36)
"Continuous conversation...the governance conversation should have started...the minute someone mentioned AI." – Krista (28:16)
"The psychology of people and how they interact with technology in general and how do you get them to listen?" – Krista (02:58)
"Defend forward... Why don't we use AI against AI?" – Jason (19:19)
"It's like getting a freaking bad actor to be like, yes... this is how I did it..." – Krista (12:54)
"I'm a business enabler. I am trying to help the business use every technology out there to give us a competitive advantage." – Jason (27:36)
Krista:
“Trust but verify, especially if it’s your calendar... Nothing else that I can give you that you don’t already know, your calendar will ultimately betray you.” (29:28)
Jason:
“Adopt a framework... CIS 18. Get to Implementation Group 3 as fast as possible. Cycle your OODA loop faster than the business... Find single points of failure and fix them before it occurs.” (29:57)
Throughout the episode, humor and practical insights underscore the human element in cybersecurity—how both adversaries and defenders are adapting rapidly as technology (especially AI) becomes ever more entwined in daily operations, threat landscapes, and even international affairs.
The message is clear: prioritize people, build resilient processes, govern new tech early, and above all—never put blind trust even in your own calendar.