Podcast Summary: Cybersecurity Headlines – "Department of Know: Davos worries, UK-China tensions, calendar concerns"
Date: January 27, 2026
Host: Rich Stroffolino
Guests: Krista Arendt (Associate CISO, St. Luke’s University Health Network), Jason Shockey (CISO, Cedar FSB)
Main Theme & Purpose
This episode provides expert commentary on the latest cybersecurity headlines and industry trends, with a focus on how emerging threats and rapid technological change (especially AI) are re-shaping defensive strategies. Topics span phishing scams exploiting trusted platforms, AI-driven attacks, vulnerabilities in collaboration tools, international cyber diplomacy, and governance challenges posed by AI agents.
Key Discussion Points & Insights
1. Weekly Security Priorities: People and Process
- Krista’s Focus: Avoiding "social engineering by my own calendar and email," highlighting the threat of calendar-based phishing and AI assistants as potential attack vectors.
"Apparently even my schedule is now a threat actor." – Krista (00:15)
- Jason's Focus: Optimizing human potential, revisiting people-centric approaches as his organization's cyber program matures.
"Optimizing human potential... refocus on the people." – Jason (00:49)
2. Rapidfire “No or Know”: Do We Need to Dig Deeper?
a. LastPass Phishing Scam (01:27–04:18)
- Scam: Fake LastPass maintenance notifications urge users to “create a backup” and steal master passwords via phishing sites.
- Takeaway: People are often slow to act on urgent notifications, which ironically may be a protective factor in fast-paced environments. MFA is necessary, but not sufficient.
- Notable Quotes:
"MFA alone isn't going to continue to help us...it's the psychology of people and how they interact with technology." – Krista (02:58)
"The urgency part is the thing that always gets me...I don't need to do anything within 24 hours, especially if you're telling me to change my password." – Jason (03:56)
b. Google Gemini Prompt Injection & Calendar Risks (04:18–06:40)
- Flaw: Prompt injection vulnerability lets attackers hide malicious instructions in calendar invites, leaking private info through AI.
- CISO Insight: Limit sensitive information in calendar invites, reinforce critical thinking, and build governance around language-context as attack surface—not just code.
- Notable Quotes:
"Building threat models that consider language context as an attack surface...not just code patterns would be interesting to me." – Krista (05:29)
"AI governance...Make sure the guardrails are there and you have visibility, alerting, and monitoring." – Jason (04:55)
c. SmarterMail Auth Bypass Exploitation (06:40–08:52)
- Flaw: Auth bypass in SmarterMail rapidly exploited despite recent patch.
- Advice: Strengthen patch orchestration and assume continuous exploitation. "Defense in depth" is crucial beyond patching.
- Krista: “Typical, gotta refocus on hygiene and just figure out how to do it, better, faster, quicker.” (07:49)
- Jason: “Patching cadence, meantime to detect, meantime to remediate... defense in depth.” (08:28)
d. Global CVE Allocation System (GCVE) Emerges (08:52–10:42)
- Context: Luxembourg’s GCVE seeks to decentralize vulnerability identification away from the US-dominated CVE system.
- Discussion: Mapping between systems is vital to prevent fragmentation—“Rosetta Stone” between frameworks is key.
- Quotes:
"If all of Europe uses the GCVE, that's great as long as we can actually talk the same language..." – Jason (09:32)
"Do you use or embrace new vulnerability identifiers to better classify AI vulnerabilities? ...I'm interested." – Krista (10:18)
3. Deeper Dives
a. UK-China Cyber Dialogue – Can Cyber Detente Succeed? (12:54–16:48)
- Context: UK and China establish a direct cyber incident dialogue, amid embassy talks and a UK cybersecurity policy reset.
- Skepticism: Information sharing unlikely to be candid—political posturing and mutual distrust loom large.
- Quotes:
"I'll just table the ego Olympics...Geopolitical events...should be tracked at an enterprise risk level." – Krista (12:54)
"Attendance, trust, and transparency...Depending on those levels…it might be a nothing burger." – Jason (14:13)
"In geopolitics, there are no permanent friends, no permanent enemies, only permanent interests." (16:29, LinkedIn comment cited)
b. AI-Generated Malware – The VoidLink Case (17:19–22:23)
- Story: Highly advanced Linux malware (VoidLink) turns out to be largely AI-generated, developed solo in a week.
- Implications: AI accelerates attack development, lowering the barrier for sophisticated threats. Defensive focus should be on context, anticipation, and using AI against AI.
- Memorable Moment:
"It's threat actors—they're just like us...They left all their development tooling exposed online...So we just read all of their docs." – Rich (20:21)
- Advice:
"Defend forward in cyberspace...Why don't we use AI against AI?" – Jason (19:19)
"Preparation, prevention, resilience and blast radius minimization." – Krista (21:17)
c. AI Agents as Team Members: Davos, Governance & Guardrails (22:45–29:14)
- Highlight: Panel at Davos urges treating AI agents as an extension of the workforce, not just tools; governance and ongoing quality assurance are vital.
- Key Guidance:
- AI needs identity and oversight, just like staff.
- Build in governance from the start; automation is essential, especially for resource-constrained teams.
- Quotes:
"I'm always in the yellow zone, so I'm never comfortable about anything...AI governance or the guardrails built into the models..." – Jason (23:37)
"The continuous checks and balances from a technical perspective with identities... How are you then going to automate and get that visibility..." – Krista (25:25)
- Business Alignment: CISOs should enable business agility—AI can accelerate productivity, but only if cyber risk is managed in tandem.
"Business pushes forward with cybersecurity along the way, meaning it's baked in..." – Jason (27:36)
"Continuous conversation...the governance conversation should have started...the minute someone mentioned AI." – Krista (28:16)
Notable Quotes & Memorable Moments
- On Calendar Threats:
"Apparently even my schedule is now a threat actor." – Krista (00:15)
- On People as a Security Factor:
"The psychology of people and how they interact with technology in general and how do you get them to listen?" – Krista (02:58)
- On Defending Against AI Malware:
"Defend forward... Why don't we use AI against AI?" – Jason (19:19)
- On International Cyber Diplomacy:
"It's like getting a freaking bad actor to be like, yes... this is how I did it..." – Krista (12:54)
- On Security & Business:
"I'm a business enabler. I am trying to help the business use every technology out there to give us a competitive advantage." – Jason (27:36)
Key Timestamps for Important Segments
- 00:00–01:00: Weekly priorities – people focus, calendar risks
- 02:00–10:45: “No or Know” – LastPass phishing, Gemini flaw, SmarterMail exploit, GCVE system
- 12:54–16:48: UK-China cyber talks & skepticism over diplomatic progress
- 17:19–22:23: AI-created malware, VoidLink, and response strategies
- 22:45–29:14: AI agents as team members, governance, business-cybersecurity alignment
- 29:28–31:07: Final CISOs’ advice for the week – resilience, frameworks, “trust but verify”
Final Advice from the Guests
- Krista:
“Trust but verify, especially if it’s your calendar... Nothing else that I can give you that you don’t already know, your calendar will ultimately betray you.” (29:28)
- Jason:
“Adopt a framework... SYS 18. Get to Implementation Group 3 as fast as possible. Cycle your OODA loop faster than the business... Find single points of failure and fix them before it occurs.” (29:57)
Closing Thoughts
Throughout the episode, humor and practical insights underscore the human element in cybersecurity—how both adversaries and defenders are adapting rapidly as technology (especially AI) becomes ever more entwined in daily operations, threat landscapes, and even international affairs.
The message is clear: prioritize people, build resilient processes, govern new tech early, and above all—never put blind trust even in your own calendar.
