Department of Know: GSA's CMMC requirements, AWS intruder AI heist, Moltbook raises the stakes

A

This is Rich Trofalino with the department of no Nick Ryan, former ciso. I got to ask, what is your priority going into this week?

B

It's got to be how are we securing the vibe coding the AI, especially after that Super bowl commercial from base 44 yesterday.

A

Don't forget Codex too. It's for builders.

C

Yay.

A

I like that super bowl vibe coding angle. I like this. I like this. Chris Ray Field CTO over at gigaom. Gotta ask, what is your priority this week? Did you pull anything from a Super bowl ad by chance?

C

I did not. I wish mine was exciting as Nick, but I'm just working on sales collateral and use cases and case studies so.

A

That'S got me going useful. Listen, you're both way ahead of me right now. I'm just thinking of where am I going to put the next batch of snow that's coming. I have a mound by my driveway. I can't get it anywhere. We all have different priorities this week. It's all a lot of fun. Producer Steve, let's run that opening from the CISO series. It's Department of no. Yes indeed it is the Department of Know your Virtual Monday strategy meeting. Our sponsor today is Threat Locker. Remember to join Threat Locker for the most hands on cybersecurity learning event of the year. That's March 4 through 6 in Orlando. We'll talk more about that later and you can get involved in our YouTube live chat. We broadcast every Monday at 4pm Eastern. If you're listening to us later, so make sure you join us next week and Eastern. Email us feedbackisoseries.com for electronic mail. Quick reminder that all the opinions expressed on the show are in fact those of our guests, not necessarily those of their employer or really anyone else. It's none of their business. Dang it. It's their opinions. We've got about 30 minutes, so let's just jump right in. We're going to start out with our no or no segment. So much news in the week it's tough to keep track of it all. We just need to go through some stories real quick and decide are these things we need to know more about or maybe a little bit of a no thank you. Move on. Next story please. First up here, I saw this one getting a lot of buzz this week. React Native Metro bug from researchers at JFrog. They found that threat actors are exploiting a flaw in Metro, the native JavaScript bundler for React native projects on Windows. The bug allows for executing arbitrary OS commands through post requests while on good Old macOS and Linux. It can allow for limited parameter control on arbitrary executables, which sounds worse, even though I don't think it is. There are currently about 3,500 exposed react native Metro servers online. So I got to ask, is this a problem that can impact a wide range of organizations or is this, you know, like, what is the scope here that we're dealing with this, Nick, Is this a, is this a know a little more or a no, thank you for you?

B

Yeah, I mean, I want to say no, thank you, but the only thing that was interesting about the story to me was that this was a case where you had the, the development environment that actually bled into production.

A

Right?

B

And so to me, that's the angle that is more of concern and something that I would definitely bring to the team of, hey, how do we make sure that, you know, the sandboxes stay the sandboxes and you can't just get out? And I don't care how much somebody actually wants to test something and how close to real it is, we cannot let those environments touch.

A

Chris, what about you? Is this a no, a little more or no thanks. Is it a close call for you? Let me ask. No, not a close call.

C

I do agree with Nick. This is a know a little bit more, you know, if, if your mobile teams using React native, an unpatched dev laptop on a corporate VPN could be the initial entry point for full breach. I think too often people, we use deployment tools, really, we're looking at them like they're just testing, they're for building, playing around with. Another way to look at them. And this is fun, is they're your production grade liabilities. We treat dev environments like sandbox playgrounds, right? But if they listen on external interfaces, they're just unmuted front doors to your network.

A

Wow, that makes the story much more terrifying than I had initially thought. We're doing the Lord's work here. All right, next up here, the dangers of Vibe coding. This blew up last week. We got to address it a little bit more. We talked about it last week too, but Mult Book, this is a Reddit like forum designed for use by AI agents. It was Vibe code in existence by Matt Schlicht about a week ago. And it has over a million people that are a million bots that signed up. It gets weird when you're talking about this thing, but it had a flaw in its database that allowed for read write access to its entire production database. Leaking data on account holders just, you could edit anything. I mean it's what would happen if you had full access to a production database. This whole mult book story, the viral popularity of it, the dystopian sci fi ness of it, the complete slop of its actual setup. Chris, for you, is this no, a little more? Is this a no, thank you?

C

For you, this is no, a little more until it happens about 10 more times. I think this highlights the AI gold rush risk. Right? Teams are using AI to build tools fast and they're skipping the 101 level security checks. You know, vibe coding is just shadow it with a better marketing department. Speed is worthless if you're racing towards that cliff. Right. Building an AI social network without any basic database permissions. This isn't innovative, it's negligence.

A

Nick, what about for you? Where are you at with this story?

B

Yeah, no, I agree this is something where I joked about it, but it is true. You see the super bowl commercial and they make it look so easy, right? Like, hey, look at the app you can make, right? And famously, in security, we know that the minute we tell somebody no, they can't do it, right. They're trying to figure out ways to get around it, to jump over, to go under. And this is where I think a lot of those ideas that used to be just poor cyber hygiene things that they would do well, now they can go and build an application and then, you know, are you going to be able to find out that they're putting data in there that they shouldn't. It's production data. Are we going to be able to track that? You know, I think there's just a lot of questions and you know, I get the excitement of it, of, you know, you get to bring to life this new application, this new thing that's going to help you. But yeah, I don't know. The other part of it too is how do you trust these, you know, vendors and suppliers? Like for example, if you use Lovable, the they have a thing in there, it talks about, well, here's our security. Do a. Press the button, it'll do security review. Well, what's the review it's doing right? And then it has a try to fix this all for free button. And it's like, okay, is that. Did it actually fix it? Do we know what we're mapping to? I mean, there's a lot of questions. This is something you absolutely have to start getting your arms around. Yeah.

A

And this multiple thing, like to me, this is the best case scenario, right. It's like a dude made this and people decided to make it go viral but it wasn't. Oh, this is like to your point with lovable or you know any of these, these kind of citizen developer. Right. Like integrated enterprise tool where it's like, oh, I pushed this. I'm suddenly the owner of software that I have no idea how I even made. Like to me that that is the way more scary thing in some ways like yes, this is bad because oh, I saw this on Hacker News. So I'm going to check this out because it looks cool. Like okay, yeah, my, my email got leaked or my auth tokens. Like so there's a lot of bad stuff could happen. But like, like to me it's yeah. When it's kind of rolled into business process without having that those controls in place or like having answers to those questions, that to me is the way more terrifying thing with this. But yeah, good to keep. And Chris, I love that. Yes, at some point this will be like a ransomware attack that impacts like 100 people. We're going to be like yawn. Yes, it, it's the top of the hour. Of course that happened immediately. Next up here, APT28 attackers abused Microsoft Office zero day. This was a newly discovered zero day that was quickly pounced upon and exploited not only in Ukraine, but in several other countries. It shows the speed and sophistication of state actors. In this case, good old Fancy Bear. Given how much we all depend on Microsoft, is this a no, a little bit more or a no? Thanks for you, Nick.

B

Okay, I'm going to go a little controversial here. I'm actually going to say no thanks. And the reason for that for me is, look, we could just get fatigue of all the different zero days and all the things that are coming out. And I just try to be very careful with my team of what are the things that we actually ring the alarm bell for that we're trying to make sure we're deep diving into because, and I know Chris has the same experience, there's so many times where we'll have a lot of concern about something and then we'll have the teams go and deep dive and they come back and say actually we're not impacted at all. Right. Or it's one machine. And you do that enough and you start to realize, okay, maybe I just don't need to be screaming wolf every five seconds when something comes out like this.

A

Yeah, the CISO who cried patch. We can exhaust your team very quickly here, Chris. Same thing. I'm curious from your perspective, know a little bit more about this or you know Is this, is this exhaustion?

C

I'm a little more contradictory. I'm going to contradict you, Nick. I'm going to say I do want to know a little more, but really emphasize, underscored a little more. I don't really care about the patching aspect of this. Like this could be anything. It's that it underscores the time from the release of the patch to the time of the application of the patch is like what, two or three weeks? You know, for most organizations, if they're really on the ball, the nation state actors live in that two to three week window. So if that's a concern for your organization, which isn't for everybody, but if that's an organizational concern is that nation state level capability, that two to three week window is where your attacker is living. You need to focus on that.

A

All right, our last story here. CISA gives federal agencies one year to remove end of life devices. This directive is in response to ongoing and widespread exploitation campaigns from sophisticated attackers. It mentions load balancers, firewalls, routers, IoT edge devices, a lot of stuff in there which remain vulnerable, especially from those with ties to nation states moving legacy equipment. Always, always tough to know what you have and how to address it. Here, Chris, for you, is this no, a little more or no thanks for you?

C

I'm barely on the know a little bit more. I could be talked out of it, you know. I mean. Yeah, barely, barely, barely. This is why MFA and Zero Trust aren't just buzzwords though. For me. I mean, this is the only way to catch someone who's already has the keys, right? But at the same time it's like, what's the scope of this? Who's really going to be concerned, Nick.

A

What about for you? Are you, are you as on the fence with this as Chris, or are you feeling more strongly one way or the other?

B

Yeah, I am, but my reason's a little bit different. I mean, the only thing for me that C said like there's some really great collateral and things that you can use to kind of bring back home to show, you know, executive teams and whatnot, this to me would be used for that case specifically of, hey look, even CSA is telling us now end of life devices have to go because you know, this is the kind of technical debt that every organization has something, right? There's something in some old server room covered in dust that should not be running, but it is because somebody screamed loud enough to keep it a lot, you know, keep it online. And so to me, I think I would Just use this as kind of a little bit of a hey look, see, everybody's getting rid of it. We should too, you know. But yeah, I think it's barely a no.

A

That's what I want to know from our audience, either in our chat or feedbacksoseries.com I want to know when you see this story in particular. This to me, stood out to me. I made a little short video for it over on Our CISO Series YouTube channel. Some of the things that CISA is asking civilian federal executive agencies to do here seem so table stakes to me. Right. Of know what you have, see if there's a patch available, maybe look to deploy it. I know that it's not simple in all instances. I don't mean to make it sound like oh, this is a click of a mouse, but some of the things that were asked in that seemed so low stakes to me. I want to know, is that something that you can use to say, hey, everyone's struggling with this? Even if we're struggling with this, we can make some progress. Here's a timetable that CISA can meet. If they can meet it. Maybe we can. I want to know, I want to hear from you. Would love to feature some of those next week on the show. Before we move on to our deep dive stories of the week, got to thank our sponsor for today who of course are the fine folks at ThreatLocker want real zero trust training. Zero Trust World 2026 delivers hands on labs and workshops that show CISOs exactly how to implement and maintain zero trust in real environments. Join them March 4 through 6 in Orlando. Plus there's a live CISO series episode on March 6. Yes, the big boss man David Spark will be there. Get $200 off with the code ztw ciso26.com all right, we've got, we've got some stories here. We need to be digging into some, some stuff here. First up here, AWS intruder becomes admin in under 10 minutes with AI assistance According to research from Sysdig, a digital intruder broke into an AWS cloud environment and in just under 10 minutes went from initial access to administrative privile thanks to an AI speed assist. The November 28 break in stood out for its speed as well as multiple indicators that suggest the attacker used large language models to automate most phases of the attack, from reconnaissance and privilege escalation to lateral movement, malicious code writing and LLM jacking. The attackers initially gained access by stealing valid test credentials from public Amazon S3 buckets. They didn't break in they logged in. I guess this is every. See some version of every CISO's current nightmare. Right? Like, how do you deal with the possibility of this, this, this idea of, you know, kind of this AI speed boost. Nothing net new here, but all of a sudden much more capable, much more quickly. Nick, I'm curious from your perspective, like, how does the story strike you?

B

Yeah, I mean, this is definitely a huge concern, especially when you have a lean, a lean team. Right. And you don't have the bodies that you need. I think the other thing that you're. We're going to see soon what this kind of goes into is when you have AI so prominent to where you have people that are literally not thinking anymore using their own brains, but they're just leveraging the exoskeleton of the AI LLM to become this much more capable, all these things. Well, now we have some big concerns. Where do they actually know how these things got escalated? Can we actually find that out? But also I think the other piece that comes to my mind is this is really where it becomes important to be looking for behavioral signals that we really got to pull out and say, okay, whoa, that should not have happened. How did that happen instead of just looking at alerts and all the red on the screen.

A

Chris, what about you? I mean, is behavioral the answer here or a bigger part of the solution here or what is your takeaway from this story?

C

Yeah, so I do agree. Behavior is a part of it. I try to anchor any strong opinion and some sort of security fundamental. That way at least I can argue it and look like I know what I'm saying. Bucket behavior as you know, one layer in the defense in depth strategy. Right. This is a, the key under the MAT exposed S3 credential. That's a failure of basic hygiene. But the AI Speed Assist is the wake up call here. We need automated circuit breakers that kill sessions the moment suspicious behaviors and privilege escalation is detected. We know the AI hasn't changed what attackers are doing. What has changed is it's the tempo, it's the speed at which things happen. We're still human speed defense going up against machine speed attacks. If your SOC relies on a human to click approve on an alert, you're already lost.

A

Yeah, this reminds me, I mean it's the constant people process technology triangle. I think of this and this is really that intersection into process. Right? Because you're right, it's like, how do we make this decision faster so we can make the right decision? And that definitely it feels like now it is completely indispensable to have technology at some point, like leading into that in a way that I don't. I'm sure there have been other instances of this that, that are just escaping me, but that the, the latency in that transfer, it seems like it's now down to like nothing anymore. And that seems to be like a challenge and a huge opportunity. Right. For threat actors that don't kind of have to deal with that same problem Again, nothing new. Oh, defenders have it harder. Like breaking news here. But, but yeah, that, that to me is just what you were saying, like, really got me thinking along those lines.

B

But Rich, the other thing I would throw in there too about is if I'm thinking about, okay, so now we have the AI assistant on the attacker side. Okay, well then I'm sure very soon it's going to be on the defender side. It's, hey, how do we patch these up? And then we're using AI there and then it just becomes like this pong battle back and forth of, you know, the LLMs, cat and mouse, which is going to be exponentially faster than what we as humans can do. But yeah, I think that's where we really got to focus on behavior and getting our arms around it.

C

So what's interesting is I talk to probably 300 vendors a year about a variety of security topics. And I ask them all the time, where are you guys at with your AI actually doing practical soc stuff, like, you know, interventions, interdictions, that sort of thing. And they're like, you know, honestly, it sounds really good and people ask us about it, but then when we sit down and tell them what it would do, what it won't do, they're just not ready for it. So until the buyers, until the people who are implementing these technologies are comfortable with AI taking actions on their behalf, you're not going to see that growth, that maturation in the technologies we have, the capabilities, obviously. I mean, the attackers are using AI. It's there, it exists, but buyers aren't ready to adopt it.

A

Do stories like this help tell that story? Right, of like, this is the timetable now that you have 10 minutes, right. From like initial point of access to.

C

There's some vendors that are, they've already released capabilities that are machine speed defense mechanisms, but they're not building them and releasing them because buyers are asking for it. These are vendors that are very forward leaning and they're saying, we're betting that this is how the future of defense is going to work.

B

Yeah, I mean, I think What I think about is the. That one statistic always comes to my mind that IBM published a few years ago, which is the amount of the average time in which an attacker stays in your environment before you find out about them. Right. And it's crazy. It's like six months or four months or something along those lines. And so whenever I hear stories like this, I'm like, okay, was it only, you know, even though the actual action might have been, you know, within minutes? Right. It's the bigger question of, well, how long were they in for? How long were they case in the place, and, you know, how many things did they try before it actually got through? Right. There's just a lot of things that go into that as well. But I think the other piece of it is it just kind of hammers home the importance of identity management, right? Like privilege control, access control, like these things that, you know, like Chris brought up before, I mean, it's. It's kind of the table stakes for everything, right? With MFA and all these different things, like, we really got to make sure that those T's are crossed and I's are dotted, you know, and hopefully that helps out in a lot of this escalation.

A

Don't leave out the lowercase JC there. All right, our next story here. CISA is silently updating vulnerability notices. CISA's known exploited vulnerability catalog has become industry mainstay for patching and for providing guidance on patching timelines for government agencies. In fact, they're mandated to have to hit certain patch dates. However, Gray Noise researcher Glenn Thorpe noted that the agency is not giving notice when it changes its known ransomware use indicator from unknown to known. He argues this represents a material change in risk posture that changes organizational priorities. In the analysis, Thorpe identified 59 flip vulnerabilities impacting Microsoft. No surprise there. But also Ivanti Fortinet and Zimbra, some big names there. Of these, 39% confirmed to be used in ransomware campaigns in 2025 were added before 2023. So these had been kind of unknown for a while. And they were updating some stuff for some pretty old stuff here. Sisa. Of course, it's probably not good for them that we're mentioning them two times in this show, but their struggles and the shift in that agency, we've documented quite well on the show here, most recently the possibility of a new CVE structure based in Europe. I'm curious, does this quiet change of status concern either of you in terms of cease's ongoing shifts in priorities, or perhaps how it protects your own organization. Chris, I saw you smiling there a little bit. What are your thoughts on this?

C

Yeah, it irritates the hell out of me. CISA is trying to be the source of truth, but if they lose transparency, they lose the industry's trust. Right? Defenders need the delta. So what's changed? Not just a list or the whole dump that's been put out. Telling me there's a bug that's exploited is like a 5 out of 10 on the scale, right? Telling me it's been used for ransomware makes it an 11 out of 10. Hiding that update is a failure in communication.

A

I mean, Nick, is there anything. What did you think when you saw this story? I'm curious.

B

Yeah, same thing about the list. I think one of the problems that we've had with vulnerability management for a lot of years is the missing piece of context, which I don't know if you can ever really get from a publication of sorts like CSUN this way, because obviously, every organization is different. You have different risk tolerance, and there's a lot of different unique intricacies of all these organizations. Right. There might be, you know, that same ransomware vulnerability for, you know, Chris might be an 11 out of 10, but for my organization might be a 2.

A

Right?

B

It might not have anything that's impacted by it. There's no way you could get it, those kind of things. So, yeah, I mean, I think, you know, there just needs to be, like Chris is saying, I think the. When I read it in my mind, I'm thinking, like, you say, you've got to get your stuff together, right? Like, so many people go to you for guidance and for, you know, some structure when they don't have structure. So we have to get this right. And so anyways, I just was reading the story thinking, man, I wish they could just get this thing, you know, dialed in and not just be blah.

A

You know, this to me, I always. It's like whenever there's, like, someone, a company gets in trouble because they updated their terms of service, and they're like some weird terms in there that everyone got upset about that was just because some lawyer didn't talk to anybody. I almost think, like, in this case, like, someone. Like, this is, like, boring data entry that no one thought was, like, that was completely disassociated from the. I mean, you talk about context, the context of why this would matter to someone, because I think if you had anyone that had any skin in the game, right, they would. I don't know, it just seems so common sense. Of like this completely changes how you would react to, to a vulnerability if you know, it's you know, actively exploiting the wild versus academic POC or you know, whatever or unknown to me is. It just, it shows me, it makes me question who is looking at this before it goes out. And I, as a former data entry person, I'm not blaming any data entry people. I respect you. You have thankless, horrible job.

B

So.

A

So Chris, I see you smiling again. Does that hold any water for you? Is that complete BS on my part?

C

No, I think you're pulling the right thread here. There's definitely some sort of quality check that was lacking.

A

All right, so I mean hopefully like you said, we're all utilizing cisa, right. This should be a resource for everybody. And I think that's the frustrating part right is when it's like it seems like you have a very core job. We seem to understand what your job should be and that there's. Yeah, that disconnect. So we will keep an update with more CC news if we get a response from this. Maybe some changes on that end as, as they come out. The last story here for today. GSA embeds CMMC like cybersecurity requirements into civilian contracts. General Services Administration is expanding the use of mandatory cybersecurity maturity language across civilian federal contracts, including IT and professional services vehicles. While not branded as CMMC, the requirements mirror the principles by enforcing NIST 800171 alignment system, security plans, incident reporting and supplier accountability as contractual obligations obligations rather than guidance. This effectively broadens CMMC style enforcement beyond DoD contractors to a much wider civilian vendor base, many of whom may not be viewing themselves as federal cybersecurity regulated. I'm curious, what does this mean for organizations and companies? Is this a major shakeup in your opinion here, Nick?

B

Oh, I do think it is. I mean I spent the last three years working with CMMC and the Department of War. And I mean that the, the CMMC program impacts like 330000 contractors in the United States. Right. So this for GSA, which that's also, you know, even if the government buys a commercial off the shelf product from your company, you have a GSA contract, right? So it's a purchasing vehicle. This is going to impact a lot of people. I think it's one of, you know, it's going to probably play out a lot like CMMC where people said okay, yeah, it's in our contract, great, that means we're not going to do anything about it. But once the teeth start coming and there starts to be lawsuits from the DOJ and people are actually being held to what their contracts say. I think this is going to be huge and it's going to turn into the expanded CMMC program that we've seen for the Department of War. It's going to get even broader with the government agencies across the board.

A

Andrea Simpson, in our chat sharing, when CMMC came out, other agencies were bound to follow the standard. Chris, I'm curious, curious, do you agree with that? What are your, what are your thoughts on this?

C

Yeah, this is gonna. So like you said, Nick, 330,000 organizations. How much do you want to bet most of those don't have much of an IT budget? Probably like 98% of them. Right. The, the compliance era where it's, it's no longer self estation, self attestation, pinky swearing. Right. The GSA is effectively ending the paper security for civilian contractors by embedding NIST 800, 171 into contracts. They're making cybersecurity a binary gate for revenue. If you can't prove it, you can't sell to us.

B

I love that. I mean it's one of those things where we've known that we should be doing this. And like Andrea said in the comment, it's like this has been around and in contracts for a long time. Right. It's just now there's teeth behind it to make sure people actually do it. But I mean, I know for me, just as an American, you're sitting here saying like, yes, we should actually care about our data that we have and you know, controlled on classified information. I mean, you know, even if it's something silly, it's like, well, yeah, but it's still going to an army base, right? Still going somewhere that we have concerns about and just taking it serious. You know, I always think of the movie War Dogs when they have, what is it, Jonah Hill and whoever else where they get like some crazy contract and it's like two kids, you know, and they're literally like becoming gun runners because they underbid the contract by whatever it was. I mean, I think about like what Chris is saying, the amount of people that have contracts that don't even have a formal IT staff, right. That they're, you know, swearing that they do everything in NIST 800171 and then as soon as that light gets shine on it, you're going to find out pretty quick that oh actually they had nothing, you know, it's going to be a problem.

A

Yeah, well, and yeah, it'll. So you were expecting messy transition, some, probably some saber rattling lawsuits to show, hey, we're, we're, we're ser about this. And then is this, I guess, does this reach a level of stability in let's say two, three years, you know, down the road in the, in the near term here.

C

So the, the practical side of this is hundreds of thousands of vendors to the government who's enforcing this, who's actually verifying, right? If it's, if it's a matter of submitting attestations to a portal on a government website, somebody actually looking at that or they're just saying yeah, they submitted it. Like is, does this actually do what it set out to do or does it just sound really good on paper? We'll have to see because there are real impacts to this. You know, like I said, 98%. Those are just numbers pulled out of thin air. But I guarantee you it's a number close to that. These places don't have an IT budget, they don't have anybody on staff. They're relying on third parties to, to do their technical stuff. They're also key to the supply chain of the US Government, the military, the Department of Defense. You can't just get rid of them. You can't just force them to do something. It's going to take time.

B

I mean, the only thing I would add there too is this is something that I think it's going to take time to fully mature and people are going to be taken serious. But I agree there's going to be an enforcement catch up of the Department of Justice can only go so far and it's probably going to get the most egregious cases. Right? And then hopefully it's just one of those situations where it's like the rising tide raising all boats and we can all get there. But I also worry that this is going to be in the AI era. This is going to turn into hey chachi pt how do I get this government nist 800171 thing satisfied without actually satisfying it? Give me some plot that I could stick in that'll get through their lawyers and blah, blah, blah, blah. Right? And then all of a sudden we're not that much better than where we were before this came out.

A

Thank you Andrea for contributing in the chat there on LinkedIn. Also we do stream on LinkedIn. I never mentioned that, but thank you Andrea for finding us. Do appreciate that. Make sure you come back next week. Tell a friend before we get out of here. We have time for Our advice bot. One of my favorite parts of the show here. Nick, I'll start with you. What's one piece of advice just kind of based on our conversation that we've been having today here that you'd like to share, kind of a takeaway that you'd like to share with our audience here?

B

Yeah, I mean, I think if you're CISO or you're an executive, there are people in your organization right now that are building applications that you have no idea about. And so I think getting ahead of that and trying to figure out what they're doing, how you can put some kind of control in there, communicating with them, you don't want to shut them all down, but at least have the conversations. So yeah, that's something where I would get in front of that before it becomes a bigger problem.

A

Chris, what about you? What do you want to leave our audience with today?

C

So I'm going to tag on a little bit to nix there and just say there are technical things that you can do as a ciso, as a, as a leader in the organization to implement to get a handle on your shadow AI or whatever you want to call it. From my opinion, I say, you know, whether it's, it's AI assisted attackers seizing control in minutes or the government turning best practices into legal requirements, this episode makes it clear the era of good enough security is dead. The era of automated verified resilience. It's coming.

A

I like it. I like the. We're, we're recognizing the dawn of the new era that we are already in. Thank you both so much. Nick Ryan, former ciso, and Chris Ray, the field CTO over at Giga, for being on the show. Amazing, amazing stuff. Thank you to both of you. We will have to have you on before too long if you want to follow them on the cyberspace, we have links to their LinkedIn profiles on our show notes. So make sure you check those out, give them a follow and maybe ask for a connection. I don't know how liberal you are with either of that gentleman, so I can't guarantee success. I'll just say they're both worth follow. Thanks also to our sponsor for today, Threat Locker. Join Threat Locker for the most hands on cybersecurity learning event of the year. That's March 4th through 6th in Orlando. And remember, you can send us feedback anytime. Feedbackisoseries.com if you're using some of the stories that we're talking about on our show to bring things to bring up with your security team, we'd love to hear from you. Feature that on the show would be so awesome. Join us again next Monday, 4pm Eastern, for another edition of the Department of Know to register for the live show on YouTube. Just head on over to the CISO Series or our events page@cisoseries.com thanks for joining our Monday standup. Have a great week. And for myself, for our glorious producer Steve Prentice, for the big boss man David Spark and all of us here at the CISO Series, here's wishing you and yours to have a super sparkly day. Cybersecurity headlines are available every weekday. Head to CISO series.com for the full stories behind the headlines.