Podcast Summary: Cyber Security Headlines – "Department of Know: MITRE's Weaknesses List, DoD Goes Postquantum, Coupang Fallout"
Date: December 15, 2025
Host: Rich Stroffolino
Guests: Andy Ellis (Principal at Duha), Johnna Till Johnson (CEO & Founder at Nemertes)
Theme: A lively roundtable tackling current information security headlines through candid debate, expert commentary, and practical advice.
Episode Overview
This episode features a dynamic exploration of timely cybersecurity topics. The hosts and guests dissect high-profile stories, debate their actual significance, and offer concrete advice on major vulnerabilities, government cryptography transitions, insider threats, ransomware normalization, and more—all while mixing insight with humor and a critical eye towards actionable security strategy.
Key Discussion Points & Insights
1. Holiday Priorities & Security Mindset
- [00:11] Andy’s Priority: Focus on real, attainable year-end wins; don’t overcommit:
"If you’re not going to succeed at a thing, your time is very valuable right now. Make sure you hit your wins." – Andy Ellis
- [01:02] Johnna’s Priority: Prevent AI or foreign operatives from slipping through hiring:
"Just want to make sure that none of my clients accidentally hire AIs or North Koreans posing as legitimate IT hires." – Johnna Johnson
2. 'No or Know?' — Deciding What to Focus On
AI Poisoning (LLM Manipulation)
- [02:55] Andy: Old problem at new scale. "If you have to worry about brand, you should already be worrying about this."
- [03:17] Johnna: Not surprised; underscores lack of trust in AI output.
“If you’ve been trusting AI results all this time, then you’re making a huge mistake.” – Johnna Johnson
Humanoid Robot Cybersecurity
- [04:22] Johnna: Overhyped; same issues as IoT:
"Yes, we need to deal with it, but just because it’s robots doesn’t make it...more serious than...tools in your manufacturing floor."
- [04:55] Andy: Movie-plot threat; not novel.
"If anybody remembers Mirai, that was wormable malware on security systems with cameras. So we’re in the same world..."
Marquee Software (Fintech) Hack
- [06:39] Johnna: Important for those in financial sector; illustrates ongoing third-party/supply chain risk.
“If you don’t have somebody that’s monitoring the CVEs at least every week, you should. It’s pretty straightforward.”
- [08:05] Andy: Questions focus on perimeter defense only; calls for attention to lateral movement.
DoD Post-Quantum Cryptography Transition
- [09:19] Andy: Disappointed that migration isn’t happening faster; crypto agility should be long in place.
"The fact that we still have people saying we can’t do that until 2030, honestly, completely unacceptable."
- [09:52] Johnna: In practice, crypto agility is lacking due to slow vendor updates and ecosystem complexity.
"The real reason I think this is a 'know more' is that maybe people have been on top of crypto agility, but I can tell you most of them haven’t."
Key Quote:
"Nation-state actors have a technique called, you know, harvest now, decrypt later. So if you’re in any kind of an industry that might be a target for nation state actors... you are a target." – Johnna Johnson [10:36]
3. Deep Dives: Security Weaknesses, Coupang Fallout, and Ransomware
MITRE’s 2025 Top 25 Software Weaknesses List [14:59]
- [15:24] Johnna: Actionable focus should be on exploited vulnerabilities by vendor, not just archetypes.
"It’s a lot more helpful to know who’s got vulnerabilities, which of those vulnerabilities are actually getting exploited than what...types of vulnerabilities exist out there."
- [16:55] Andy: List value lies in training new AppSec engineers; list seldom changes.
"This list is going to look the same next year...similar to the OWASP top 10."
Coupang CEO Resignation After Insider Attack [18:59]
- [19:55] Andy: Rare for CEOs to resign over breaches; wonders if it’s genuine accountability or internal politics.
"It’s not just the CISO who’s taking the fall. Like, it’s your idol, it’s the CEO actually said, I’m gonna be responsible for security here."
- [21:06] Johnna: Emphasizes importance of rigorous offboarding and background checks; views much security response as “performance theater.”
"All security is simply performance theater...very few of them [breached companies] go out of business, very few...suffer even a long term stock hit."
- [23:02] Johnna: Automation/zero trust can eliminate persistent access issues:
"If you had Zero Trust in place, this would have been completely automated..."
Ransomware Payments Top $4.5B [23:43]
- [25:02] Andy: Laments normalization of lateral movement and poor fundamentals.
"Why are we not paying more attention to the lack of phish-proof authentication, the lack of controls on admin access..."
- [26:02] Johnna: Ransomware is addressable; calls for basics: backups, Easter-egg testing, and war gaming.
“If you haven’t dealt with it, make 2026 your year to deal with it. ... Most companies aren’t doing any of those things.”
- [27:31] Andy: Resistance to fundamental security because it’s not “exciting”:
"The things we have to do aren’t very exciting. ... This is just blocking and tackling."
- [28:20] Johnna: Many orgs fail to configure systems properly or conduct meaningful preparation; cost avoidance is shortsighted.
"...it’s a couple million dollars to get these people in a room for a day, but that saves us hundreds of millions…"
Testing for Backup 'Easter Eggs' (Ransomware Persistence) [29:10]
- Practical tip: Multiple vendors exist to scan backups for dormant threats; find with basic research.
4. Actionable Takeaways & Closing Advice [30:09]
Andy Ellis:
- Sell security incrementally and focus on meaningful, if unglamorous, wins:
"How do you sell these things and do the slow incremental work to be ready? ... deliver meaningful wins out of work that is not like super exciting..."
Johnna Till Johnson:
- Prioritize rigorously—the only thing you have the same as everyone else is time:
"Spend that 24 hours wisely on the things where you have the greatest risk. Not necessarily...the fun things..."
Notable Quotes & Memorable Moments
- On moving past splashy headlines to substance:
"The building blocks of zero trust is provable authentication. ... It’s just blocking and tackling." – Andy Ellis [27:31]
- On security theater and corporate incentives:
"All security spending is marketing spending, which is terribly, terribly cynical, but not crazy." – Johnna Johnson [21:06]
- On the stubborn persistence of old vulnerabilities:
"This list is going to look the same next year...similar to the OWASP top 10..." – Andy Ellis [16:55]
Timestamps for Important Segments
- AI Poisoning (LLM) – [02:30]
- Humanoid Robot/IoT Cyber – [03:27]
- Marquee Software Hack – [06:12]
- DoD Post-Quantum Crypto – [08:41]
- MITRE Weakness List – [14:59]
- Coupang Insider Incident – [18:59]
- Ransomware Normalization – [23:43]
- Testing Backups for Ransomware – [29:10]
- Final Advice – [30:09]
Resources & Further Reading
- Andy Ellis: Free eBook “How to CISO – Everything you need to know about risk” [howtociso.com] [31:48]
- Johnna Till Johnson: Report on IT background check best practices [nemertes.substack.com] [32:30]
Summary in a Nutshell
The episode delivers practical insights into persistent and emerging cybersecurity threats, emphasizing that most breaches and high-profile incidents are failures of fundamentals rather than new or exotic issues. The inertia in remediating well-known vulnerabilities, the lack of crypto agility, and insufficient offboarding/inventory controls remain critical drivers of breaches. Ransomware, too, remains rampant—and addressable if organizations commit to the basics.
Final thought:
Focus your limited resources on real, impactful risk reduction, and champion incremental, meaningful security improvements over shiny, short-term fixes.
