Podcast Summary: Cybersecurity Headlines – "Department of Know: Gemini scours dark web, NSA worries about cybersecurity, APIs run loose"
Date: March 30, 2026
Host: Rich Stroffolino
Guests:
- Dennis Pickett (VP and CISO, RTI International)
- Jacob Combs (CISO, Tandem Diabetes Care)
Episode Overview
This episode of the Department of Know, a weekly Monday strategy meeting from the CISO Series, features Rich Stroffolino in conversation with cybersecurity leaders Dennis Pickett and Jacob Combs. They dissect recent headlines and ongoing trends—AI’s dark web surveillance, API exposure, looming regulatory changes, national security anxieties, and the evolving cybersecurity landscape for everything from routers to vehicles. The episode blends humor, practical advice, and seasoned industry perspective.
Key Discussion Points & Insights
1. Current CISO Priorities
[00:00–01:18]
- Dennis Pickett: Focused on “CMMC readiness,” alluding to the ever-evolving and seemingly perpetual process of adapting to the Department of Defense’s cybersecurity framework.
- “We are never not getting ready for CMMC. Two, three. What? I don't know what version we're gonna call it.” [00:22]
- Jacob Combs: Prioritizing the organizational load of covering for a team member’s vacation—underscoring the balancing act of operational and strategic security leadership.
2. Gemini AI on the Dark Web: Promise vs. Reality
[02:55–05:19]
- Headline: Google's Gemini AI agents analyze 10 million dark web posts daily, with claims of 98% accuracy in flagging threats.
- Dennis Pickett: Cautiously optimistic; sees potential to reduce false positives, but “the promise of AI...is not quite at the actuality of it. So we'll see if that lives up to the topic.” [03:20]
- Jacob Combs: Sees value but warns of “the marketing of this...just be a little skeptical.”
- Both agree AI tools will quickly become table stakes across providers due to “fast follows” in the industry.
- Dennis: “Companies will share vulnerability information...there may end up just feeding into a singular pool of data that we can all analyze and benefit from.” [05:19]
3. AI-Enhanced Phishing via Bubble App Builder
[06:23–07:32]
- Headline: Threat actors use Bubble's cloud app builder to host phishing attacks, evading detection via trusted domains.
- Jacob Combs: Urges teams to evaluate email security posture and move toward phishing-resistant authentication. “It’s democratizing attacks.”
- Dennis Pickett: Sees it as another case of attackers exploiting user trust in ubiquitous platforms. Example: “There becomes a very gray spot between am I actually using Teams now or am I using somebody else's app?” [07:03]
- Consensus: Raising user awareness and technical controls is critical as attackers become more creative.
4. Lloyds Banking Data Exposure: Is This Even Noteworthy Now?
[08:44–09:38]
- Incident: A software glitch at Lloyds Banking exposed 500,000 customers’ data.
- Dennis: “It's just another day at the office now...sad to say, but that's the world we're living in.” [08:44]
- Jacob: Uses every incident as an opportunity to revisit company processes: “Never let a cybersecurity incident go to waste.”
5. API Keys Exposed Across the Web: Ongoing Epidemic
[09:38–12:16]
- Finding: Stanford researchers discovered nearly 2,000 valid API credentials exposed on 10,000 web pages from major banks, governments, and more.
- Jacob: “Putting API keys on production website code is just...unlike.” Urges teams to revisit controls, especially as new platforms (like OpenAI) generate added risk.
- Dennis: Uses public incidents as teachable moments for developer outreach: “We are on a big campaign evangelizing...not embedding credentials...This makes a great example.”
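The control both guests describe, not shipping credentials in front-end code, is easiest to enforce when the check runs on what the site actually serves. The scanner below is an added example written for this summary; it is not code from the episode, from the CISO Series, or from the Stanford study. It matches a handful of publicly documented vendor key prefixes, then falls back to an entropy test on any identifier named like a secret, and runs over a constructed sample page whose key values are made up (the AWS value is Amazon's own documented placeholder). A match is a heuristic, not proof of validity: the researchers confirmed their findings were live credentials, which requires calling the provider, and this offline example deliberately does not.

```python
"""Scan served web content (HTML/JS) for embedded API credentials.

Added example, not code from the episode or the Stanford study it cites.
The credential prefixes are publicly documented vendor formats; the sample
page and every key value in it are constructed for this demo. Matching a
pattern is a heuristic, not proof the credential is valid.
"""
import math
import re
from collections import Counter

# Vendor formats with fixed, documented prefixes (assumed shapes; heuristics only).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}\b"),
}

# Generic catch: an identifier that sounds like a secret assigned a long literal.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\b([A-Za-z_][A-Za-z0-9_]*(?:key|token|secret|password|passwd))\b"""
    r"""\s*[:=]\s*['"]([^'"]{16,})['"]"""
)
ENTROPY_THRESHOLD = 4.0  # bits per character; prose-like strings sit well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def mask(secret: str) -> str:
    """Keep a short prefix so a finding is recognisable without re-leaking it."""
    return secret[:6] + "*" * max(0, len(secret) - 6)


def scan_page(content: str) -> list:
    """Return findings as dicts {line, kind, name, masked_value}, in page order."""
    findings = []
    for line_no, line in enumerate(content.splitlines(), start=1):
        seen_values = set()
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                seen_values.add(m.group(0))
                findings.append({"line": line_no, "kind": kind, "name": None,
                                 "masked_value": mask(m.group(0))})
        for m in SECRET_ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if any(v in value for v in seen_values):
                continue  # already reported under a vendor-specific kind
            if shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # reads like a label or prose, not a credential
            findings.append({"line": line_no, "kind": "high_entropy_secret",
                             "name": name, "masked_value": mask(value)})
    return findings


# Constructed sample page: none of these values are real credentials.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Account portal</title>
<script src="/static/app.js"></script>
<script>
  // constructed sample page: none of these values are real credentials
  const MAPS_KEY = "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q";
  window.AWS_CONFIG = { accessKeyId: "AKIAIOSFODNN7EXAMPLE", region: "us-east-1" };
  const apiToken = "zq8Lr2vX9kP4mN7tB3wY6hJ1sD5fG0aE";
  const buildTag = "release-2026-03-30";
  const themeKey = "lightmodeplainvalue";
</script>
</head><body>
<form data-stripe-key="sk_live_4eC39HqLyjWDarjtT1zdp7dc"></form>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f"line {f['line']:>3}  {f['kind']:<22} {f['name'] or '-':<10} {f['masked_value']}")
```

Run it against a crawl of your own production origins (rendered HTML plus every script it loads, since bundlers inline config) rather than the source repository alone; the point of the study is that the leak is in what browsers receive. The entropy threshold is tuned for mixed-case alphanumerics, and the vendor list is intentionally short, so treat both as starting points to extend for the providers your developers actually use.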
6. FCC Bans Foreign Routers: Closing the Barn Door?
[14:57–17:22]
- Policy Update: The FCC bars new foreign consumer-grade routers from US markets; existing devices are grandfathered in.
- Dennis: “I'm in the more security is good security camp...But, if there's just an attestation, I wonder what actual material benefit there will be.” [15:24]
- Jacob: Skeptical about short-term impact: “Millions of these deployed...likely Johnny User, Work From Home user, has never ever upgraded their router, ever.” [16:06] Calls for mandatory updates/support as potential next steps.
- Rich (host): Draws parallels to the wider telco security ecosystem and wonders if blocking firmware updates will create new risks without providing sustainable alternatives.
7. NSA at RSAC: Warnings of Eroding Cybersecurity Edge
[19:56–24:22]
- RSAC Keynote: Former NSA heads warn the US is falling behind amid China’s rising threat and political inertia.
- Jacob: “Preaching to the choir...we're insinuating that we need the government to force us to partner and do things better.” He advocates for self-driven responsibility while noting many only do the minimum for compliance.
- Dennis: “We haven't had the kind of trauma that's going to drive change...It's hard to invest...when we haven't experienced the threat.”
- Rich: Notes the government’s shift toward information sharing rather than heavy-handed regulation, questioning how effective coordination is pre-crisis.
8. Automotive Cybersecurity: Growing Threats for Connected Vehicles
[25:00–29:54]
- Concern: Modern cars, with millions of lines of code and deep connectivity, are a growing cyber risk.
- Dennis: Warns it’s naïve to think “cars...are going to suddenly be immune to cybersecurity attacks.” [26:09] The stakes are far higher than stolen data: “It’s another when your car suddenly veers off the road in an uncontrolled way.”
- Jacob: Stresses the lack of enforceable, validated security standards among automakers, compounded by the 10–15 year lifespan of vehicles and uncertain support for software updates.
- “This becomes much more complex...the responsibility on the automakers...should be much higher.” [27:15]
- Multiple attack surfaces and supply chain risks due to globally sourced components.
- Rich: Highlights the challenge of continued support for aging vehicles, drawing parallels to the router and IoT security lifecycle.
Notable Quotes & Memorable Moments
- “We are never not getting ready for CMMC. Two, three. What? I don't know what version we're gonna call it.” – Dennis Pickett, [00:22]
- “The promise of AI I think is not quite at the actuality of it.” – Dennis Pickett, [03:20]
- “It’s democratizing attacks.” – Jacob Combs, [06:23]
- “Never let a cybersecurity incident go to waste.” – Jacob Combs, [09:07]
- “Putting API keys on production website code is just...unlike.” – Jacob Combs, [10:52]
- “We haven't had the kind of trauma that's going to drive change...we're just not the kind of people who are going to invest that time, effort, money, technology, whatever to do it when we haven't realized the threat or felt it yet.” – Dennis Pickett, [21:57]
- “If anyone believes that cars...are going to suddenly be immune to cybersecurity attacks, unlike every other device that gets hacked on some sort of regular basis, they're fooling themselves.” – Dennis Pickett, [27:05]
- “There's a gap between what we know we should be doing and what we actually are doing.” – Jacob Combs, [32:27]
Closing Advice & Takeaways
[31:33–33:04]
- Dennis Pickett: “People need to look at AI...the same way we did the cloud… At the dawn of AI, lots of mistakes are going to be made. Be on guard...you've got to be vigilant because it's going to be very easy to make mistakes even if they have good intentions.” [31:33]
- Jacob Combs: “There’s a gap between what we know we should be doing and what we actually are doing...Just go back and do the basics right...Use AI to enhance it and do faster, do better. But just do that and you’ll be better off.” [32:27]
Important Timestamps
- Introductions and Priorities: [00:00–01:18]
- Gemini AI Agents and AI in Security: [02:55–05:19]
- AI-Enhanced Phishing: [06:23–07:32]
- Lloyds Data Exposure: [08:44–09:38]
- API Credential Leaks: [09:38–12:16]
- FCC Router Ban: [14:57–17:22]
- NSA at RSAC, US Cybersecurity Risk: [19:56–24:22]
- Automotive Cybersecurity: [25:00–29:54]
- Advice & Wrap-up: [31:33–33:04]
Tone and Language
The episode balances serious technical insights with dry, self-aware humor. The guests speak candidly, offering strategic advice while poking fun at industry cycles (“We are never not getting ready for CMMC”). The show’s tone is conversational and collegial, yet serious in its assessments of systemic risks.
Final Thoughts
This episode serves as both a rapid-fire headline review and a sober reflection on persistent gaps between best practices and real-world security. The hosts and guests stress vigilance, continual improvement, and the power of learning from—even routine—incidents. Underneath the banter is a clear call for action: get the basics right, address gaps, and prepare for the unexpected—before a true crisis forces sweeping change.
