
A
This is Rich Stroffolino with the Department of No. Dennis Pickett, VP and CISO over at RTI International. Gotta ask, what is your priority this week?
B
For me, it is CMMC readiness. The Department of Defense's on-again, off-again new security standard is on again, and this time it appears for real. So that is our priority right now.
A
We are never not getting ready for CMMC. Two? Three? What? I don't know what version we're gonna call it.
B
I'm not sure what version it is now. Yeah, but it does look like it is really happening.
A
It's like versions of Windows. The numbers really don't mean anything. You just have to live with them and figure out how to get through them. Okay, I like where your mindset is at. I like where your mindset is at. Jacob Combs, CISO over at Tandem Diabetes Care. Gotta ask, what is your priority this week?
C
My priority this week is actually staying above water. One of my leads is taking a vacation week, and so I have to take over his responsibilities as well. So nothing as important as CMMC, as Dennis had there, but it's kind of my priority.
A
No, but that's the organizational aspect of it, right? Of, hey, we gotta support all our teams, give people space to do what they need to do. But, you know, that does come with some additional responsibility. So I like to hear that. Supporting teams, this is what it's all about. Okay, producer Steve, let's run that opening
B
from the CISO Series. It's Department of No.
A
Yes, indeed. Welcome, one and all, to the Department of No, your virtual Monday strategy meeting. Kevin Farrell in our chat is already getting it started very early, saying, "Happy Monday, y'all," with an uncomfortably long woo. I'm just going to say that from Monday, Kevin, I need you to bring it down here. We're all processing this. We're just getting everything started there. But I do enjoy the enthusiasm. I'm also enthusiastic for our sponsor today, and that is ThreatLocker. We'll talk about them more later in the show. Remember, if you want to get involved and you have an excess of enthusiasm, you can do so in our YouTube chat live. We broadcast each and every Monday at 4pm, so even if you're not here now when I'm saying this, the next time it's Monday at 4pm you can also share your woo or something else that Ric Flair would say in our chat, or just your thoughts on the cybersecurity news of the week, or send us feedbacksoseries.com. We've got about 30 minutes. We're going to dive in. Just a quick reminder, though, that all of the opinions expressed by our wondrous guests are in fact their own and not necessarily those of their employers. With that in mind, let's jump into our Know or No segment. This is where we have so much news in the week, we need to know: is this a news story we need to be bringing to our teams, bringing the context of the story into our team discussions? Or is this something that, hey, interesting story, but no thanks, don't need to send it any further here. First up here, you'll never guess it, it's an AI story. Gemini AI agents are scouring the dark web. Google's Gemini AI agents are in public preview to analyze 10 million dark web posts daily to identify threats relevant to specific organizations. Accuracy is reported at 98%, reducing false positives that are common in traditional monitoring. And Gemini can also automate threat investigation and response within Google Security Operations. I guess that's Gasak if we're going to be doing that.
This sounds like a pretty cool use case for AI in cybersecurity. I got to know for you, Dennis: is this a know a little more, or is this a no, thanks for you?
B
I think this is a know a little more. This is a really good example of how we as the defenders against the attackers can leverage AI to sift through massive amounts of data that it would have taken teams and teams of many people to do manually. Now, they do claim it's going to lower false positives, but the promise of AI, I think, is not quite at the actuality of it. So we'll see if that lives up to the topic.
A
We are never not promising to reduce false positives. The entire history of all monitoring is that claim. How about for you, Jacob? Is this a know a little more for you?
C
This is actually a know a little more for me as well. I do, I agree with Dennis. This is a pretty cool technology, and I think it's going to help us somewhat reduce false positives, although it just gives us another piece of the puzzle. But I will say, just be aware of the marketing of this, right? It is marketing; it is trying to grab a little bit more share, and just be a little skeptical as we look into it.
A
Yeah, I'm interested if you're, if you're not in, you know, Google Security Operations, right. It feels like with all of these tools, you know, we saw with context security, we saw with Claude's vulnerability scanning tools and stuff like that, eventually everyone, all of these frontier models, right, are rushing to catch up feature-wise. For all this, it seems like security is the next big thing for this. Is this, I mean, is there, is there any security feature like this that would be like, yes, we need to be looking at Google if we're not already in bed there? Or is this just, okay, now we know this capability is going to be out there, and we know OpenAI and Anthropic and Mistral or whatever other model is going to be on the same board within a month of this. Is there anything that would cause you to, like, look around?
C
Not necessarily. I think, you know, one of the things about the security industry is that there's a lot of fast follows. So I imagine that once this is released and it has some success, a lot of the bigger players will also come, you know, leveraging a Mistral or whatever, whatever it is, to take on their own ability to go search the dark web and provide it into their platform as well. So I imagine that the providers that Dennis and I are both using will eventually have the same capability.
B
Yeah, I agree. And I would say that often the companies will share the vulnerability information and things to the benefit of us all. So they may end up just feeding into a singular pool of data that we can all analyze and benefit from.
A
I mean, that's, yeah, that's the most ideal case, right? It's like, hey, let's, hey tide, let's maybe lift up all these boats here. And CCL, I don't know if they're using Tor, but I'm sure Google has some spare onion routers that they have lying around they can just plug into a couple of shipping containers' worth of compute there. All right, next here, Bubble AI app builder phishes from Microsoft 365. Okay, other side of the coin here we have this. Kaspersky reports that threat actors are abusing Bubble to host phishing apps that steal Microsoft 365 credentials while evading detection, because the apps are served from trusted bubble.io domains. Trusted as those are, email security tools often fail to flag them. A typical case of AI-enhanced spoofing here in general, not just Bubble. But is this, as more of just a general kind of concept here, is this a know a little more or a no, thanks for you, Jacob?
C
This is actually a know a little more for me as well. I've been talking about this a bit with my team and my organization, about this enhanced spoofing and enhanced capabilities with AI, and it's democratizing attacks, essentially. But what I would use this with my team is to say, okay, let's actually spend some time on our actual protections we have in place for this. Right? Are we pushing more people towards phishing-resistant authentication? What does our email security program platform look like? Can it detect such things? Right, that's the kind of reason I would bring it up, not necessarily for the actual understanding that we all kind of have around this capability.
A
What about for you, Dennis? Is this a know a little more or a no, thanks for you?
B
I agree with Jacob. It's a know a little more. It's an example, you know, we've seen things like this. Let's take Teams, for example, a tool that we use. You can embed apps in there, and there becomes a very gray spot between, am I actually using Teams now, or am I using somebody else's app? And just because I have security here, does that mean I have security there? So things like this are a good example, this Bubble AI thing, of more, I don't know, deception that the hackers are going to try to use by building it into things that we're familiar with.
A
Yeah. And it's getting to the point now, because we've seen this from, we've seen this from Microsoft 365 accounts, we've seen this from Google accounts, you know, domains where it's becoming a threat. Hackers are incredibly creative, right, at finding things that pass that allow list, you know, get it, get it into your inbox because it has a legit, you know, a legit domain. And then we can go from there. Right, so this is again where adding that context of, is this something you would ordinarily... What other indicators can we put on there that isn't just, oh, this domain is good, click away, let's have a good time? Seems like that's increasingly table stakes for anything out there. Just another example of this with Bubble, not to pick on them in particular. Next up here, Lloyds customer data exposed in IT glitch. This update error on app software belonging to Lloyds Banking Group, one of the UK's big four banking houses, briefly exposed personal data on roughly half a million customers. They claim the exposure was brief. But brief for humans and brief for good old computers are two different things. In terms of these very regularly occurring software upgrade glitches in general, I'm curious, Dennis, for you, is this a know a little more, or is this a no, thanks for you?
B
This one's a no, thanks for me. And it's unfortunate, because there's just been so many high-profile breaches, and it seems like the reporting is all about what is the next biggest number of credentials released. It's really kind of just another day at the office now. And it's sad to say, but that's the world we're living in, I think.
A
Jacob, what about for you? Are you comfortably numb with a cool half million customers just flashing in the pan there?
C
I love Pink Floyd. Actually, this for me is a know, because I subscribe to the notion of never let a cybersecurity incident go to waste. And the idea here is to take it and say, okay, let's go back, and this happens. Let's go back and look at our tests and our release process to make sure that this is handled for our use case. I work in healthcare, so we really are concerned about, you know, loss of patient data, and so we would want to go back and just, let's have another look at it. Not necessarily that we have a problem, but let's have another look and take that opportunity to do that.
A
Yeah, and I, and I think a really great chance to also practice response, right, in terms of both, from a communication perspective, certainly in the medical industry, right. Even if there's a brief exposure, I mean, obviously there's a bunch of regulatory requirements, I assume, for financial as well as for health care when it comes to these kinds of things. But yet even if just making sure that playbook is up to date, we know it's probably when, not if, for a lot of these exposures here. So really great reminder on that, Jacob. Appreciate that. Our last story here for Know or No: hundreds of valid API keys discovered on the web. Researchers from Stanford say that after analyzing 10 million websites they found almost 2,000 API credentials strewn across 10,000 web pages. These were highly sensitive API credentials left publicly exposed on public web pages. You know, these are access tokens that authorize applications to interact with third-party services. You have direct access to critical infrastructure like cloud platforms, payment providers. There were big banks in here, there were government, there was critical infrastructure keys related to them kind of discovered here. I think the number isn't necessarily the case, as these weren't... this wasn't, like, incidental. This wasn't my personal GitHub page that was leaving about here some sensitive stuff here. I'm curious, Jacob, for you, is this a know a little more or a no, thanks for you?
C
This is a know a little more for me as well. I mean, I keep just giving my team more and more work, it seems like, every time I need. But the idea here is that, like, because, like, I was looking through the article, there's a lot of different keys that are in there. And you mentioned GitHub and a few others. Now we have OpenAI or Claude or all these different services as well that could run up a huge bill or be used, you know, for, for nefarious reasons. And so it's worth it to go look over again and make sure we have, like, just like I said for the previous one, let's go back and make sure our controls are in place, that we're not stuffing, I mean, putting AI API keys on the production website code, is just unlike... I mean, I guess that whole notion of you don't have to run faster than the tiger, just run faster than your friends kind of plays into this one a bit. But it's, it's, it's really kind of disappointing to say that we're still at this point even though we've had this for years. This is not the way we, we handle security on the Internet.
A
Dennis, what about for you? How does the story strike you?
B
This is also a know a little more for me as well. And I like the way you put the, Jacob, the "never let a good incident go to waste." We have been on a big campaign evangelizing to the developers about not embedding credentials, whether they're access credentials or API credentials or any kind, in your code at all. This makes a great... When I saw this article, I was like, this is a great example of what I'm talking about, and we're going to use this as part of that campaign.
A
Yeah, and Schmooze in our chat says, lost API keys, same story, different day. But Jacob, I think bringing up the OpenAI component, to me, that to me is something where if you get in there and you do some prompt injection in the background and just tell it, hey, by the way, export every chat to this endpoint or something like that. It doesn't even require any sophistication to scan for this. They were using... I wish I'd written down the name of it, but I installed it on my Mac as soon as I was reading the story. You know, it's a secret scanner. Yes, yes, that was it. Yes, that was it. So, I mean, you know, these are industry-standard tools. Anybody could be doing this. And we know, like, if you put a hard-coded thing in GitHub, we know, like, within seconds those are all scooped up almost instantaneously. But, you know, I got to give credit to copy-paste as being, you know, the ultimate insider threat here, because I feel like some of these, like in cs, the only reason that was there, like, someone just, like, whoops, and didn't even realize it. And that's, that's a tough one to stop. I'm not going to lie. I'm not going to lie. Well, and CCL, of course, reminds us, as a wise person has said, attackers don't hack, they log in. Rolling on the floor. But sadly it's true. All right, before we move on to our deeper discussions for today's Department of No, I have to spend a few moments and thank our sponsor for today. And that, of course, is the fine folks at ThreatLocker. Many security strategies still assume everything is allowed until proven malicious. Attackers understand that model well. That's why more organizations are rethinking endpoint security, shifting from detection-first tools to control-first approaches that reduce attack surface before an incident occurs. Learn more at threatlocker.com. All right, I love when cybersecurity interfaces with, you know, national policy here. So we have our one of the big stories of the week here.
FCC banning foreign routers. The US Federal Communications Commission, in case you were confused by the acronym, updated its covered list of products barred from FCC clearance in the US to include all foreign consumer-grade routers. This plan applies to new device models, so devices already on the market which have already received FCC approval and previously purchased routers are not impacted. The FCC is not coming to take away your TP-Link router that's covered in dust that you haven't updated since 2008. Router makers can appeal for conditional approval to sell in the US with a petition to the Department of Defense or Homeland Security, and that would include a security attestation, from what I understand. I'm speaking now from the closing-the-barn-door-after-the-horse-has-already-bolted department of the FCC to ask: can such a move truly be a boost to national security, given that every household, every business (these are kind of the SOHO router market here) already has at least one router and has owned them for years, if not decades? They probably got it from their ISP; if their ISP has not sent them a new router, they probably haven't upgraded their router. Dennis, I'm curious for you. Big story here. What's your take on this?
B
I'm in the "more security is good security" camp. You know, if we're just taking it from this point on, I could, you know, it would be impractical to say to everyone, you have to turn in your old router. So they really couldn't do that. But they could say, we're going to try to make things better going from here on out. Now, if there's just an attestation, like, I wonder what actual material benefit there will be. But certainly, you know, the idea that foreign governments or hackers that have access to the supply chain in these foreign countries are trying to insert malicious code and things like that into these devices, that's real. So I think this is a step in the right direction. I don't know how effective it will be, but I'm glad they're doing something.
A
Jake, what about for you? How does, how does this action by the FCC strike you?
C
I'm glad we're doing something. I'm actually really curious as to what is the genesis of this decision. Right. I think we've heard a lot about attackers being in our telecom networks already. I wonder if they found their way in through these SOHO routers, potentially, or not sure how this occurred, but that'd be an interesting story to uncover on that one. But I think it is great we're doing something about it. But it may be, like, there are millions of these deployed across the world, and likely Johnny User, work-from-home user, has never ever upgraded their router, ever. Right. And so it's not even just the fact that they're putting these new ones, not allowing new ones to come in, but now we still have these vulnerabilities out there as, as long as we can, you know, as far as we can see. And this is not even just the case at people's homes. There's also probably, I would imagine, this is the same place as some enterprises and businesses as well. And so, oh yeah, while I don't think this is necessarily going to do anything in the short term, I think the long term, and potentially looking at what else they can do going forward about, you know, mandating updates and, you know, making those secure, as well as continual, some kind of security, you know, implementation on there as well that adds a little visibility, or even some, you know, some ability to reboot itself, right, every once in a while, may be useful. But this is, I think it's just a first step.
A
Yeah. And it's, it's tough to say in isolation if, if this is the first step. Potentially if there are things like mandatory support windows, right, for your router: if your router is out of support, if your router is not getting firmware updates, if this is an ISP-supplied thing, you either have some sort of process there to either let the customer know, ensure that they're going to be getting that. I feel like just going around and having someone knock on someone's door, it's like, have you updated your router ever? Would probably go up much further today than if we, you just do that in your neighborhood and you've automatically improved the security in a one-block radius around your house. So my other problem, well, not my problem with this, my other concern with this is there is also a provision that will, like, block firmware updates on these in 2027 unless they get approval for this. And I, I feel like that to me opens up a whole can of worms of being like, okay, so are you providing an alternative? Like, are we going to do OpenWrt or something like that? Like, again, as a first, this in isolation to me doesn't seem to move the needle, because people aren't just going to buy their routers, and if they don't buy new routers, the old ones had problems and that's not getting solved. But if it's a first step and we're taking this somewhere, I would also like to see the FCC also not back up on regulating the telcos that had lacked security, that caused, like, Volt, you know, Volt Typhoon and everything to go crazy over the past couple of years too. That's a wider story. I'm not going to look a security gift horse in the mouth if this does move the needle, though. So, you know, I want to see this as part of a concerted effort because this is a major problem. 100% agree with that. But yeah, Jacob, I'm hopeful this will be a first step as well. All right, next up here, former NSA chief worries US cybersecurity is slipping into the future. Going with dated references.
Okay, here we go, from the stage at RSAC 2026. Former National Security Agency leaders warned that the US is losing its offensive cyber edge amid rising threats from China, AI and cybercriminals. Officials including Paul Nakasone and Mike Rogers said repeated attacks have led to complacency, while political division, lack of major cyber legislation and weakened public-private coordination are slowing response efforts. They also warn China has pre-positioned inside critical infrastructure and, without stronger action, a major cyber crisis could be inevitable. Obviously nothing new in what is being said here, and keynoting at RSAC, you know, you're kind of preaching to the choir at that point. There's a lot of head nodding when this talk was going on, I'm sure. I, I'm curious, Jacob, for you, will, will these announcements make any difference? Are these, like, a, you know, a good way to, to start the conversation? Hey, this was some of the big news from RSAC. I'm curious from your perspective.
C
I don't think so. I think the preaching to the choir is what's happening here. Right. Because it's not really, you know, Johnny User or Johnny Voter is not going to hear about this. Right. And so maybe, maybe they'll run across the article, maybe not. Right. But especially in our world of constant notifications. But I don't know, I don't think it'll make a big difference. And I work in a fairly heavily regulated industry, and I'm forced by the government to take certain actions only on certain things. And so that's what I have to do. And I do it begrudgingly. And even there's all this pressure, I'm not saying at my company, but at many, to do the minimal that you need to do to get by, to pass the regulation. So my kind of problem with this is that we're insinuating that we need to have the government force us to partner and do things better, which I don't think should be the case. Right. I, I think, especially in my role, I take it very seriously. It's my duty to make sure I protect the company and the customers that, that are using our products. And so I take it very seriously and do it on my own and push it as far as I possibly can. But I don't think that's the norm across the industry. So I think there is something to this, that, that we need to have this partnership and work together. But there needs to be a mechanism to push, and I hope it's not a major, you know, significant security incident that happens and maybe harms people or, you know, endangers lives.
A
Yeah, that would certainly be the nightmare scenario for, for all of this. And I don't think, you know, when we're, when we're talking about pre-positioning inside critical infrastructure, you know, that's been a concern, you know, going back to SolarWinds and beyond, from what we've been seeing from sophisticated actors here. Dennis, I'm curious for you, you know, what did you make of, of this coming out of RSAC?
B
Certainly preaching to the choir, but I think in the article one of the, this retired admiral was quoted as saying, we really haven't had the kind of trauma that's going to drive change. And I think he's right. We're a reactive people. I think not just this country, but in general, we're reactive much more than proactive. It's hard to invest in things when we haven't experienced the threat. This is a rough comparison, but, you know, we could have always had great airport security, but we had isolated incidents over the years until 9/11 happened and that forced us to overhaul things. And I think it would take, you know, something devastating before we actually overhauled it in a way that gave us some meaningful coordination amongst public and private to defend ourselves, should something like this need to, you know, arise again in the future. But we're just not the kind of people who are going to invest that time, effort, money, technology, whatever to do it when we haven't realized the threat or felt it yet.
A
Yeah, and to the government's credit, you know, the new national cyber strategy, right, really does put an emphasis, and we've seen this in kind of the sub-strategies that are coming out from, like, Department of Energy, you know, critical infrastructure providers, of building out those public-private partnerships, you know, kind of identifying that as something that, that is something that is going to be critical for ongoing security. Right. And not doing it, seemingly not wanting to do it, given how this administration is offering, in necessarily a heavy-handed regulation way, much more emphasizing information sharing, you know, kind of building that out. I'm curious what those mechanisms look like outside of one-to-one coordination, you know, between Agency A and Fortune 100 company, or, you know, something like that. Whether those are just industry consortiums that are getting together. We know that those are already out there. We know that there is, to a large degree, whether that is formalized enough to, when there is an extraordinarily sophisticated, you know, nation-state actor that's, that's operating out there, that has, you know, long-term plans, that's acting in a very strategic way, whether that meets that need to avoid that major incident. Yeah, I think, I think that is an open question there. So. Okay, I'm glad I'm not the only one, though, thinking about preaching to the choir here. Okay, so we will, we will, I mean, hopefully we won't. See, I'm not rooting for a major cyber incident here, but
B
you hope something comes along that scares people enough into action without actually harming, you know, people or the economy.
A
And not to beat on the Volt Typhoon drum, but China's been in our telcos for, across all of our telcos, for years. And that didn't... that moved the needle that much for 10 seconds. I don't know what else could be from cyber other than the, you know, the, what, 2003 blackout was caused by Russia, right? Like, it would be that level of something, I feel like, for any kind of needle to move at this point, given everything is immediately polarizing, political and, you know, yada yada. So unfortunately we, we need disaster to be civic-minded sometimes, as you, as you already pointed out,
C
Dennis.
A
All right, our last story here. More stuff coming out of RSAC: auto cyber threats on the rise. Automotive cybersecurity, a big deal as vehicles become increasingly connected and autonomous. Just try not signing up for a subscription when you buy a new car. They will make it unpleasant if you choose not to. Kamel Ghali, vice president of Car Hacking Village, and Julio Padilla, CISO of Volkswagen and Audi South America, said that modern cars, with millions of lines of code and extensive wireless connectivity, face rising threats, similar to the 2015 Jeep Cherokee hack by Charlie Miller and Chris Valasek which allowed remote control over vehicle functions. They warned that AI and post-quantum encryption, ooh, we have a new buzzword entered the fray here, will reshape vehicle security. Again, not necessarily a new issue, but growing more concerning, I guess, as increasing consumer demand for onboard connectivity in their vehicles, or at least carmakers are selling that to us. I'm curious, what can you envision as potential new threats to cars, drivers, pedestrians? What can be done about it? Dennis, I'm curious, have you thought about this at all in terms of we're driving around on giant computers now?
B
Yeah, I've certainly thought about it. Thought about the good and the bad, you know, the good. I could see a future where most cars are autonomous and we have far fewer accidents and highway deaths and things like that, when the machines are able to process and react quicker and don't fall asleep and, you know, so I think about the good side. But if anyone believes that cars, which is just sort of another Internet of things device, are going to suddenly be immune to cybersecurity attacks, unlike every other device that gets hacked on some sort of regular basis, they're fooling themselves. So I think we're going to have to decide how much risk we can live with on the road. But it's one thing when that risk or that impact and that risk is your identity is stolen. It's another when your car suddenly veers off the road in an uncontrolled way. That's a much more terrifying thought. So I'm not sure what the answer is, but I certainly don't trust my car company to create great cybersecurity for the vehicle.
A
Yeah, noted software savants, automakers. Jacob, I'm curious for you, like what do you take when you see warnings like this?
C
So this is concerning in a couple. So I work, again, medical device industry. So I work in this, called the cyber-physical world. This is taking it to another level. Right. So one of the things we worry about in our, you know, for medical devices is, can we harm the patient. Now they're saying, can they drive through a school, right, if they can, could send a car in that direction. Right. There's a potential, much larger potential of loss of life here. And so the responsibility on the automakers to make sure their device is safe and secure should be much higher. I think that right now the regulations they have, for cybersecurity at least, are more or less guidelines, not really required, and there's no, no validation part of that. The other aspect is that cars have a 10 to 15 year shelf life, and are they going to maintain that long tail of software and firmware updates for security over the entire life of that car? You know, they're going to want to move on with their architecture and not going to maintain that. So this becomes much more complex. And then the, the other aspect that I'm thinking about is, you know, kind of what Dennis talked about, is where they are, you know, safer and for everyone to use, and all the cars are kind of communicating and optimized for traffic. I would love that around here, actually. But that would be... now you're talking much larger scale, like the whole fleet, or every car can communicate with each other, or you can put up funny stickers that make it do, you know, behave incorrectly. There's a lot more attack surface now that they've built these machines that are... And, and just to go back to a previous story, how many of those parts are not made in the United States? Right. It must be astronomical how many there are in those cars. Right. And so it's, I'm just, I'm really concerned about this, and being a focus on product security in my career, I think this is, this is a bigger deal than it, than it's made out to be.
We just haven't had that, you know, major incident yet.
A
Yeah, the, that also brings up a really interesting point. You brought up the support question, right? Like we can't get Microsoft to support like Windows 10 devices for four years, let alone, you know, so I'm curious what car makers will do and with EV platforms making it theoretically easier to do a, you know, to spin up a car company. You know, we, we saw that in kind of these first wave of EV startups like Fisker, you know, went under. There's a bunch of these Fisker oceans that are out there with completely broken software that like are allegedly like not safe to drive. And a lot like with a lot of their auto safety features, like they were things that, oh, we're gonna, we're gonna fix the, the cruise control later. Oh, we're not a company anymore. So good luck getting any kind of software updates on that, let alone abandoned nameplates, that kind of stuff. So I mean, in some ways it kind of reminds me of the router, right? Like the way to do this is like, like your car is guaranteed X amount of years of software updates, right. If you're going to put connectivity in there. Or I guess the other option is like after that, after the support ends, what you just completely cut off. Like it has a little detonator for the over the air radio just like severs the hard line. And so you can't like just, you know, you have to, I don't know, like it's a very weird situation. Not as big of a deal when your white label webcam, right. Goes out of support. It's like, okay, it's 25 bucks, you know, so people are holding onto their cars longer. The support angle on that, I absolutely love that. To dread over it in a weird way. But I think they'll become more pertinent as these vehicles start to age out a little bit. We're still, I guess maybe on the second generation of cars that are super connected like this. The other issue is I know all these automakers are looking to consolidate their tech stack in the cars, right? 
So they can reduce the number of, literally the weight of, cables, right? So the more you interconnect things, one operating system that's running the entire car, right? Not discrete to infotainment, to speedometer. So you're integrating all of those systems, which also seems like you have less isolation for attack surfaces. Kevin Farrell says carmakers are partnered with Norton to secure new vehicles. Calling it now. Oh, why did you will that into existence, Kevin? Why? Why? You're supposed to be a force for good. All right, all right. So now we have that dread of Norton car antivirus facing us here. But I have to ask, let's try and end on maybe something helpful here. My favorite part to end the show on, asking for a little advice as we close out our standup. Dennis, I got to ask, what's one piece of advice based on our conversation today you can share with our audience?
B
Sure, I'll throw an AI thing out there. I think people need to look at AI and its maturation the same way we did the cloud, right? When cloud was new, a lot of mistakes were made. People weren't securing things appropriately, they weren't secure by default, they were trying to just get into consumers' hands. Eventually there were enough accidents, whatever, exposures. We now have platforms that are more secure by default and better tools to secure them overall. And we are now at the dawn of AI at this point, where lots of mistakes are going to be made. Be on guard for that. Watch: your people are going to want to use these tools, and you've got to be vigilant, because it's going to be very easy to make mistakes, even if they have good intentions.
A
Yes. I think of all the conversations around the shared trust model, right, when everyone realized, like, oh wait, you're not, like, doing snapshots for me automatically on everything, Amazon? Oh, we should probably figure that out before anything goes bad. Jacob, what about for you? What's one piece of advice you can leave our audience with?
C
So this is interesting. Every story this week had one kind of theme throughout it: there's a gap between what we know we should be doing and what we actually are doing. So I, I think that is something for everyone here to take, especially security leaders, to take back. Just go back and do the basics, right. You don't have to reinvent the wheel. You just need to do what is listed there in the framework that you should be doing, right. And you can stay ahead of most others. Right. So I think that's the real takeaway for me, is just make sure you're taking care of the basics. Use AI to, you know, enhance it and do faster, do better. But just do that and you'll, you'll be better off.
A
Well, thank you both for giving us a little bit of advice to leave the show with here. And thanks also to our audience for having some fun in the chat there, despite Kevin Farrell invoking a horrible future for all of us out here. Shout out to Marcus Seylar, who was saying people with the IT know-how will start modding their cars like they do video game consoles. It's going to become an in-demand skill. I don't know if I want, like, a, like, an Xbox mod chip in my Honda CR-V, but, like, I definitely want to know the person that's installing the CR-V mod chips, because that person, like, has green monitors and text and stuff like that, and a white rabbit's gonna tell him how to take the pill. Anyway, it's a whole thing. I'm sure everyone will live in a glorious cyberpunk future, I'm quite sure. Well, thank you so much, Dennis Pickett, VP and CISO of RTI International, and Jacob Combs, CISO at Tandem Random Diabetes Care. Thank you so much for being on the show. We will have links to their LinkedIn profiles in the show notes, so make sure you give them a follow. Lots of good stuff there, people you want to have in your feed. Also thanks to our sponsor for today, Threat Locker. Remember, you can learn more about them at threatlocker.com. Remember, you can send us feedback anytime. Feedbackisoseries.com, we read the emails, we index them, we tell Claude to do things with them, but we appreciate them first and foremost, and we'll share them on the show. If you have some thoughts about the news of the week, remember, join us next Monday at 4pm Eastern for another edition of the Department of no. To register for that and find more information on that, go to our events page at cisoseries.com. Also remember, Trust Month is what we're doing in April with the CISO series. Each of our Super Cyber Friday events in April is going to be around trust. Our first one is going to be Trust in Leadership.
It's going to be talking all about how to build, develop, rebuild trust in cybersecurity teams and internal teams. It's going to be a fantastic conversation this Friday at 1pm Eastern. So make sure on our events page you check that out, you register, you join us for all of our Super Cyber Fridays on Trust Month. I'm really excited to see the conversations coming out of that. It's going to be a good time. And most of all, thank you for joining us for our Monday standup. Hope you have a great week. Hope you stay secure out there. For myself, for the big boss man David Spark, for our truly glorious producer Steve Prentiss, and for the rest of the CISO series, here's wishing you and yours to have a super Sparkly day.
B
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Date: March 30, 2026
Host: Rich Stroffolino
Guests: Dennis Pickett, VP and CISO, RTI International; Jacob Combs, CISO, Tandem Diabetes Care
This episode of the Department of Know, a weekly Monday strategy meeting from the CISO Series, features Rich Stroffolino in conversation with cybersecurity leaders Dennis Pickett and Jacob Combs. They dissect recent headlines and ongoing trends—AI’s dark web surveillance, API exposure, looming regulatory changes, national security anxieties, and the evolving cybersecurity landscape for everything from routers to vehicles. The episode blends humor, practical advice, and seasoned industry perspective.
The episode balances serious technical insights with dry, self-aware humor. The guests speak candidly, offering strategic advice while poking fun at industry cycles (“We are never not getting ready for CMMC”). The show’s tone is conversational and collegial, yet serious in its assessments of systemic risks.
This episode serves as both a rapid-fire headline review and a sober reflection on persistent gaps between best practices and real-world security. The hosts and guests stress vigilance, continual improvement, and the power of learning from—even routine—incidents. Underneath the banter is a clear call for action: get the basics right, address gaps, and prepare for the unexpected—before a true crisis forces sweeping change.