
A
This is Rich Stroffolino with the Department of Know. Jonathan Waldrop, CISO over at Acoustic, I have to ask: what is your priority this week?
B
Well, we're well into March and we're about to round out Q1 in 2026. So we're looking at our to-do list that we had at the beginning of the year and seeing what all we need to cram into the next couple of weeks to get done.
A
We should do that in business and truly throughout the course of all the quarters of our lives. That's how I measure all my life milestones, in quarters as well. Now, Chris Reiff, field CTO over at gigao, same question for you. What is your priority this week?
C
I'm leaning hard into the "automate all the things," but you know, with our agentic overlords keeping track of that, we
A
just have to have the incantation "don't hate, automate" on hand at all times to appease them. Then Claude will be happy. All right, producer Steve, we know where everybody's mind's at. Let's run that opening from the CISO Series. It's Department of Know. Yes indeed. A heartfelt welcome to the Department of Know, your virtual Monday strategy meeting. The most heartfelt strategy meeting you will ever have on the Internet or in meatspace, if you will. A huge thanks to our sponsor for today, Adaptive Security. Protect your company from deepfake-powered phishing. Remember to get involved in our YouTube live chat that will be broadcast every Monday at 4pm Eastern, and you can also email us feedbackes.com. Those are all the ways to get involved in the show. We would love to have you, however you want to join in the show. We would love it. Just a quick reminder before we jump into some of the news and analysis, that the opinions you're about to hear on the show are in fact those of our guests, not necessarily those of their employers. We've got about 30 minutes, so let's dive in. We're going to start out with a little "know or no." These are stories from the past week. We need to know: is this something that you're bringing to your security teams that other security professionals need to know about, or is this more noise than signal? First up here, OpenAI rolls out a vulnerability scanner shortly after Anthropic rolled out vulnerability scanning in Claude Code. OpenAI did the same now with Codex Security. This was previously known as Aardvark, I guess a less marketable name there. So sure, thanks for changing it. In testing, OpenAI said Codex found over 10,000 high-severity issues in projects like Chromium, OpenSSL, PHP and GnuTLS. So I have a question here. Is AI-powered vulnerability scanning a "know a little more" or a "no, thank you" for you, Jonathan?
B
For me, I think it's really: be aware of it. Right. It's a new thing. There's all sorts of new and crazy things happening with AI and different versions and all this kind of stuff. So it's definitely something to keep track of. Is it ready to take over your full vulnerability management stack? I guess it's probably not, but hey, who knows, maybe it is. Or maybe if you're just starting out and you don't have the budget item to go buy a tool, maybe it's good enough for now until you do develop some of that level of maturity.
A
Chris, what about you? Is this a "know a little more" or a "no, thank you"?
C
For me this is "know a little more," but probably not for the reason that you guys think. AI vulnerability scanning, it's automating discovery of technical debt. So unless you have a team that already solved or has plans to fix the majority of their vulnerabilities, you're probably not asking for "hey, give us more vulnerabilities that we don't know about." The reason I say "know more" is because this is a good example of knock-on effects. Yeah, AI is going to give you better insights, better observability, better analysis of your environment to discover security weaknesses. But unless you're prepared to fix them, it's not going to do you much good.
A
Yeah, this is an automated stress increaser, I feel like, for a lot of teams out there. But the argument there is the only way then to get out from underwater, when we're talking about any kind of debt, is you kind of got to know what's out there. But still, if you're not built to handle that, it doesn't help to know how precisely screwed you are. I guess so you can't secure what
B
you don't know though.
A
This, 100%, 100%. So with these, like obviously OpenAI, Anthropic, two of the giants, right, in this industry. When we see Microsoft's version of this that's running on X background, when we see the Grok version of this, are all of these things that you're going to want to dip your toe into? Or is it, we have the big boys, let's see how this plays out and then we'll see how this industry matures. I'm just curious. Keeping tabs on this kind of technology, like outside of the big players, are you still keeping tabs on everything that's coming out there?
B
I think by now probably most people have their kind of preferred AI platform and you're going to be following that particular platform and their developments. Maybe you make a pivot from one to another, or possibly, depending on your use cases internally, maybe you've got a couple of different models that you support. Again, I think, you know, there is a limit to knowing more is better, because you can know too much and have way too much information and then you're just inundated, you're underwater, as it were, Rich, to your comments a minute ago. So I do think it's important to be aware, to Chris's point, you know, at some point the level of information stops being useful though.
A
All right, next up here, Meta apps offer scam protection. These are being applied to Facebook Messenger and WhatsApp to warn users about suspicious activity before interaction, including unusual device linking attempts on WhatsApp and warnings for suspicious friend requests on Facebook. I'm curious, are such warnings helpful? Are they just noise? In other words, is this a "know a little more" or a "no, thank you"? Chris, what about for you?
C
I'm going to split the difference and go both ways. I'll say "no" for my corporate security team, but K-N-O-W for our employees. Maybe you do a personal newsletter like, hey, this is what's happening from your personal identity standpoint. Here's some good things to know. It's like the McDonald's, it reminds me of that "caution, contents are hot" label on a coffee cup. Right? It's a necessary legal disclaimer. It's good, but it doesn't stop people from burning their tongues when they drink hot coffee. Right. So we should be focusing on building cooler coffee, you know, whatever that identity protocol change is, rather than a louder warning.
A
Jonathan, what about you? Are you thinking along the same vein here?
B
Yeah, both great points I think there. If you're a social-heavy company, it's probably more salient than a big behemoth enterprise type of organization. Great for your security team to get some kudos and props for taking care of the person rather than the data and the bits and bytes type of thing. And show your customer base, your employees, that you're out to help protect them and not just the organization.
A
All right, next up here, Salt Typhoon apathy possibly killing momentum for tougher telecom security rules, despite the fact that just two years ago, seems like just yesterday, Chinese hackers were found to have compromised at least 10 US telecoms, giving them broad access to phone data, impacting nearly all Americans. Those in charge of bolstering the country's cyber defenses state that constituents struggle to understand why this should be a concern, thus depriving policymakers of the public pressure needed to bolster the nation's telecommunications cybersecurity. Some officials speculate that Americans just have become numb to data theft and data for profit, so additional breaches like these are just another drop in the bucket. Very much feels like a variation on alert fatigue here, you know, kind of on the other side of cybersecurity here. Instead of, you know, focusing on threat management, defense in depth, we also must deal with just general public morale and commitment from people that we are trying to protect. "Oh, there's no point." I see that about this every single day. I'm curious your thoughts on this. When you see something like this, Jonathan, is this a "know a little more" or a "no, thank you" for you?
B
You know, again, I think it's kind of split. For the corporate security team, unless you're in one of those telecoms maybe, it's probably interesting to know about, but we're not going to focus any corporate cycles on that. From a personal standpoint, I still want to know when my data's out there. Like people that say, "oh, I don't have anything to hide." You just haven't found it yet, I think. And honestly, you know, the only way we build awareness is by being aware. And so we have to know when these things are happening, because we have people that are being born every day that have new identities to protect. Right. And we shouldn't just give up. We're not going to do that. You know, one security team that has an incident, they don't just say, well, we're screwed, we're going to give up and go home. No, you keep plugging at it, you keep chopping away at it. So I think it's definitely something, as an industry, from a governance standpoint and from a regulatory position, I think we have to hold companies accountable that process lots of data. We should hold ourselves accountable to that same standard. So again, I think on the broader picture, I think it's something definitely to dig in and know more about.
A
Chris, what about you? How did the story strike you?
C
I'm going to say "know a little more," but as a culture check. Right. Kind of taking what you said, Rich, public apathy isn't fatigue, in my opinion, it's a rational response to a broken market. When companies lose our data, they face zero consequences. The public realizes that it's security theater and not so much protection. I base a lot of my thoughts on analogies because that's kind of like a gut check for me. If the analogy doesn't make sense, then maybe my fundamental understanding of the problem doesn't make sense. But in this case, it's like, you know, if a town had several restaurants in it and a public health department, and everyone once a month got sick from eating at those restaurants, but the sticker on the window said Grade A Public Health, they wouldn't stop checking. They would stop checking the Grade A stickers. Right? They wouldn't be numb to it. They'd just accept the fact that, hey, there's something broken here and we have to figure this out on our own.
A
Yeah, that does seem to, it does seem like a cop-out, right? To be like, I realize at a certain level, like everything, when you get high enough, right, there is going to be some, you need some political will, right, if we're going to pass any kind of regulation or anything like that. We saw that with the changeover in the FCC, right. They were already changing over how they were kind of following up on Salt Typhoon. So I get that there is an element of that, but I also feel that's a complete cop-out of, oh, well, people don't care. Like, they don't care if you don't. I don't know, there's a flywheel there. You need to kickstart, right, if you want people to care about this. And it seems like a foreign adversary hacking all the telecom systems in the U.S., I don't know, like, feels like we could make some hay about that if we really wanted to. I know there are other. I know this is not, you know, there is a limit, right, to public attention spans. But yeah, that feels like. But Chris, I like that. Keep the analogy gut check. I feel like we need some more of that. All right, and our last "know or no" here is SEO poisoning for fake VPN clients. Microsoft Threat Intelligence is reporting on a credential theft campaign using SEO poisoning to distribute fake VPN clients. Users searching for legitimate VPN software are redirected to malicious sites. The malware is digitally signed to appear legitimate and maintains persistence through a Windows RunOnce key. It seems more common that malware is bypassing Microsoft authentication processes in general; this is not the first one we've seen on this. Does this type of malware become a "know a little more" or a "no, thank you" for you, Chris? I'm going to
C
say "know a little more" and bucket it under immediate action kind of thing. We've built a persona that "Google it" is probably a decent security strategy when you don't know what to do. Just Google it and figure it out. Right? I mean, how many times have we told somebody, or somebody told us, "Google it and figure it out"? We're taught, and users are taught, that the first couple results are probably going to be the most salient, probably the most important results, and to check those first. Right. But we kind of now know that that's not a strategy anymore, because the first results are often the highest bidder's malware. So you know, we can't trust the delivery mechanism, the search engine in this case, any more than we can trust the payload that we're downloading from the Internet.
A
Yeah, any, yes, any easy solution, right, without any kind of verification mechanism on it, is doomed to be gamed. Although if we get down the rabbit hole enough, there's ways to game anything there. But Jonathan, what about you? How did this story strike you?
B
Yeah, I remember battling this years ago when Zoom became really popular and people would download Zoom and you'd have all those side-loaded spyware and adware and stuff like that. Right. To me this is a great advertisement to your employees that, hey, if you need something that relates to your computer, please call your IT department, call your security desk, ask somebody internally, don't just Google it. Right. That's great for home PCs, well, maybe not in this case, but particularly on a corporate asset, call your IT department. That's what they're there for. They're there to help. And IT departments, hey, make it difficult: basic kinds of security controls here can help prevent this, restricting local admin, having some secure web gateway software that's going to help identify and flag these. But also, kind of rolling back into the Meta scam alerts article from before, like Google needs to do a better job of vetting some of these. Right. And not just who's the highest bidder, but how are we putting some checks and balances on those results?
A
And I'm just going to say, I mean we've seen the starts of this before, but by the end of the year this story will come up again, but it'll be LLM poisoning for the exact same thing. And that, to me, even feels more dangerous, because you're not even getting a list of links, right, and one or two of them might be bad. It's: you get an answer. And, but again, it's when you don't have either that trust with your IT or the instinct isn't to go to your IT department first. Right. Through a variety of reasons, right. You've had bad experiences or you think you're going to get told no, all of those kinds of, you know, classic tropes. When you then feel like you're forced to do that for whatever reason, nothing but bad things come out of that, regardless of where you're turning to after that point. See. All right. Oh, sorry about that. I was just checking out some of our awesome comments. Thank you, Parks Holt, for joining us on LinkedIn. Love, love, love that. All right, before we get on to our deeper discussions here, I have to spend a few moments and thank our sponsor for today, Adaptive Security. This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. AI is rewriting the cybersecurity rulebook because attackers can now scale persuasion as easily as they scale code. The real target isn't just your systems anymore, it's human trust. If you aren't actively testing your organization against AI-driven phishing, vishing and deepfakes, you're leaving a gap criminals will exploit. Adaptive runs realistic simulations and delivers tailored, engaging training so teams respond correctly when it counts.
Learn more at adaptive security.com. All right, one of the big stories that we saw this week: Stryker goes offline after wiper malware attack. The medtech company Stryker went offline last week after a wiper malware attack claimed by an Iranian-linked pro-Palestinian hacktivist group, which listed them on their leak site. Information was stolen and data was wiped, supposedly with a breach of Microsoft Intune. This is essentially one of the many war-related stories that we must face as the conflict, war, whatever you want to call it, in Iran is going on. Very serious ongoing story for a week. I'm curious, Chris, what are your thoughts on this kind of ongoing situation here?
C
Yeah, so there's really two things. The first one's really easy. I was in an office with some teammates last week when this came out, and I heard somebody say, "Did you hear about that ransom at Stryker?" I was like, "Wasn't ransomware, guys." This was just scorched earth. This was not ransomware. This is maybe the same technical mechanisms on the back end, but this is a whole different problem. You know, aside from analogies, which I love to make because it helps me remember things and it gives me that gut check, there's also, I try to be very principled in my approaches to: do I need to know more, do I need to know less? What are the actual problems we're trying to solve here? And in this case, this is an availability problem. Like our teammates in the OT security space, which is not often talked about, they have always had the AIC triad, not the CIA. They've always put availability first, because in OT, availability is paramount, not so much confidentiality. And this really underscores that. Even in IT, availability can be paramount. We've spent 20 years obsessing over confidentiality, but wipers are proving that if you lose availability, the rest doesn't really matter.
A
Jonathan, what about you? Like, what struck you about this? I mean, a lot of what is fascinating to me about this, and Chris, I'm absolutely right there with you, is that it is increasingly like this Venn diagram of really tricky, complicated things: technical, political, economic, incentive-wise. As you pointed out, ransomware without the ransom. Scorched earth. Like, what struck you about this, Jonathan?
B
Yeah, you know, it hit the trifecta for me of interesting articles, right? It was an attributed attacker, you know, somebody in the geopolitical scene right now in a big way, a medical device industry where you've got potentially patients and patient care that's impacted out of this. But it's also going to hit close to home, right? Executives across the business are going to hear about this and think, oh man. And you know, security leaders need to be formulating your answer of how are we protecting against this, how are we identifying, how are we setting ourselves up to fend off this sort of event. I think this is one that we're going to hear about for a little while longer. If it really was Intune that was compromised, that's going to be another big news, right? Of how that happened. How are we gonna fix that up? You know, really this one is just, there's just a lot of bad news in this one. There's no bright side, I don't think.
A
Yeah. And CCL in our chat pointed out X got flooded with how important the Intune admin role is when the story was going live. Yeah, for sure. And there's a couple of other elements to this where, understandably, Stryker, at least initially, not a lot of details coming out about what they're experiencing. I'm sure a lot of it is just purely damage control and assessing the situation. There is relative ambiguity over this. This was an existing hacktivist group, but how close of ties does this have to state-sponsored actors? That all intentionally operates in an extremely gray space there. This comes along with the story that we're going to be talking about later with the new US cyber strategy, about like, this is kind of like a ground zero for just a number of different issues that I feel like are going to become even more and more important. So definitely wanted to give it this time this week with this coming up here. Next up here, Russians targeting encrypted messaging app users. The Netherlands Defense Intelligence and Security Service published details about a Russia-related campaign targeting Signal and WhatsApp users. Rather than cracking the apps' end-to-end encryption, the threat actors are posing as support team members, warning specific and targeted users about data leaks and trying to get their PIN codes. This could open the door to getting all future messages in the case of Signal, or just all messages in the case of WhatsApp, just how their individual systems work there. But again, it becomes a question of technology being seen as so secure. There's nothing wrong with the encryption schemes on either of these. So bad actors look to exploit the human factor through spoofing, social engineering. We've certainly already talked about scam warnings and we've hit on kind of the personal implications of that. But I'm curious, what does this technique of, hey, the encryption is rock solid, let's not go against that.
Oh, we have these squishy humans on either end here. Jonathan, what about the story stood out to you?
B
Well, your 18-character complex password is really only secure as long as nobody else knows about it. Right. And so, you know, attackers don't hack in, they log in. And social engineering is still, you know, a really, really soft target, if you will, for attackers, because we all have soft spots. We all have vulnerable things about our lives and our behaviors interacting with technology. And this is just another, you know, notch of proof that you can have the best encryption, but if you've got keys or duplicate keys out there, then it's really pointless. So you know, really, the Russian angle here is kind of interesting, but I think it's just another pointer to say, hey, we've got to learn how to protect ourselves and how to recover from it quickly. Like if it does happen, what do you do? You need to know kind of the steps you would take to reset that password or regain control of that account, for example.
A
Yeah, that to me is what stood out here: nothing theoretically wrong with any kind of technical implementation here, but it's people not realizing how these services will reach out to you. Right. Like, the only thing I want to hear from Signal is "please donate to me." Okay. Like, that's the only thing Signal should ever be sending me. But Chris, for you, what stood out to you on this?
C
I think this is a really good example of, when we talk about the post-exploit era, what does that actually mean? That means attackers know the zero-day is expensive from a money, time and ingenuity standpoint, for which you may not be guaranteed the outcomes that you want. So attackers aren't looking for zero-days in code anymore. They're looking for the zero-days in the human psyche. You know, it's like the weakest link. This is the strongest weakest link. Your $10,000 lock is useless if the $15-an-hour employee just gives away the key to anybody who asks for it. Right, so that's. Yeah, go ahead.
A
No, no, go ahead, go ahead.
C
I was just gonna say that's where I'm sitting with it. You know, encryption and the way it's managed, it's become a very high-hanging fruit at this point. It's not going to be the source of an attack.
A
Yeah, this reminds me of, I don't know, this seems like the story was 12 years ago, but it was probably two months ago, when, you know, they had the screenshots of, oh, there's DoD members that have Signal group chats. Right. They're using Signal, and there was this very conflicting thing of, wait, I thought Signal was the secure thing that I'm supposed to use, as opposed to, you know, sending Instagram DMs or something like that. And it's kind of that whole point of, yes, the core technology is fine. It's that there isn't a DoD-vetted support system entirely around it. And you're essentially having one-off, you know, an individual being responsible for securing that. Some of that could be easily targeted. Not easily targeted, but certainly targeted. Way easier than breaking, you know, the very strong end-to-end encryption that Signal or WhatsApp or any of these apps are using on the back end. So, yes, this is kind of like, here is what everyone was afraid of when that story broke. I think it's always important to kind of put those pieces together here. We're going to stick with the US Government stuff that I just brought up as a very smooth segue there, that I'm now pointing out and completely ruining. The U.S. unveils a new cyber strategy. The U.S. administration's new National Cybersecurity Strategy outlines six policy pillars focused on strengthening U.S. digital defenses and countering foreign cyber threats. The plan emphasizes proactive measures, including offensive cyber operations, closer public-private partnerships, and investments in emerging technologies like AI and quantum computing. Other priorities include securing federal networks, protecting critical infrastructure and supply chains, streamlining regulations, and expanding the cybersecurity workforce. I feel like some of those pillars touch on everything else that we've talked about already today.
I'm curious, Chris, for you, what are your thoughts on this new strategy here?
C
It's kind of exciting. I feel like the strategy is the government finally admitting, hey, voluntary security is a failed experiment. The shift towards this, like, harmonized regulation, it means the era of "pinky promise you're going to be secure," that's done and over with. I think it's a good thing. You know, my analogy in my head when I formulated this earlier today was, it's sort of how we shifted from you as an individual, a citizen of the United States or whatever country you're in, you're responsible for securing your own water supply, purifying it, making sure it's not going to kill you, and then shifting that, as you move into the cities and suburbs, to a centralized water purification system that's delivered safe, securely and pure to your house. Right? This is the government shifting from each individual part of this massive organization needs to be secure. Instead, let's move it to big IT, Big Tech, whatever the case is, and let's do what we can there to secure our downstream members of this organization.
A
Jonathan, what about you? Are you getting jazzed about all these pillars in this new strategy?
B
I agree with what Chris said, but I also, you know, when I first read the six pillars, it's like, well, yeah, duh, like, yeah, what's the big deal? But when you think about how the government works and operates, and anybody who's ever worked in the government, there's tons of great civil servants that are out there working really hard every day to keep the government up and running. And just by virtue of how IT functions, it's slow to operate. And sometimes that's good and sometimes that's bad. In technology, it tends to be not great, because the technology is advancing and threat vectors are changing all the time. But these six things I think are really relatable to the average person. But also certainly they have really salient points to the technologist or to the cyber leader that's out there. And I think it's good to see a cohesive strategy for that. A lot of companies, organizations, particularly in the defense space, but then also other major corporations, kind of tend to follow suit. You know, it was only a few years ago that the White House released their zero trust strategy. Right. And so we've got some of these kind of modernizing technologies and security strategies, IT strategies, that we're really beginning to gain some kind of traction on and saying, hey, this really is the right way to do it. To Chris's point, this is how you get clean water to every house. This is how we protect data from those 10 telecoms that got popped in the last few years. Here's the plan to help protect that. But again, I think on the surface it's like, well, yeah, these are kind of obvious, but to put a strategy around it for the government, who's planning, you know, in the next couple of decades, not just in the next, you know, "I'm planning next year's budget," they're planning, you know, 2040. So it really gets complicated really quickly.
A
Yeah. And what was exciting, at least, or interesting to me was kind of the emphasis on public-private partnerships. And there was already an announcement just today or yesterday about the online services accord against scams from basically the who's who of big tech, like Google, Microsoft, Meta, Amazon, OpenAI, Adobe, Match Group, basically all saying, like, hey, we're going to get together, we're going to organize, you know, a formal information sharing process for scams operating on our platforms, indicators of activity, sharing that with law enforcement and with each other, trying to, you know, what we're seeing is working, building our tools and that kind of stuff. And I know some of those. And this is, you know, kind of, Chris, going against one of the things you're saying, there is no teeth to this particular thing. But I think it is as if we're saying, I mean, and certainly I'm not saying other administrations weren't open for this, but saying, hey, we're open for, let's work together. Right? Like, build your consortium. That can move relatively quickly. I know, big bureaucracy moving quickly, but compared to the government it probably can move a lot quicker, right, than, you know, if it was just a government-led organization. Loop us into here and maybe, you know, we can start getting better signals intelligence, if nothing else. So I think it's interesting just to even see you start on that. Something I know we've talked about, scams, several times already over the course of just this episode. So definitely like a big major concern there. I guess when we're talking about more offensive cyber operations, I know the Huntress CEO had an op-ed in CyberScoop kind of being very bullish about this public-private partnership earlier today.
What I'm curious about is if there's any kind of, not downside to public-private partnerships, but kind of more of that onus on the private sector, or is that like, let's let the dogs loose. This is what these companies are already doing and let's figure out a way that we can benefit from this. We know the adversaries are running these cyber operations. Right. I'm curious, do you see any kind of, expect any kind of pushback, I guess, as we expand more into kind of this more privatized area here? Chris,
C
what's interesting is there was something that popped up while we were talking that I was like, ah, how am I going to work this in? Because this is interesting. But you just kind of, you gave me a segue there. So you know, we're talking about that public-private partnership. We're also talking about these six pillars. Now it's natural for our brains to look at six related items and give them all equal weight and importance. Right. I would say don't do that, though. Look at the "shape adversary behavior" pillar. That's the interesting one here. And it kind of ties into what you're saying. It's promoting an active defense stance. It means we're no longer just playing the goalie. We're finally starting to play offense. We're trying to find a way to disrupt the economics of cybercrime. I mean, that's a major component here. If you take away the money, then what you're left with is just hacktivism.
A
Yeah. And there will always be either someone in it for purely political, you know, North Korea is not going to stop doing this. Although they do want to get paid too. But there will always be people in it for the lulz, people in it for the chaos, people in it for the political points. But yeah, if you can disrupt multibillion dollar operations that are running effectively successful industries, yeah, that does change the equation. Jonathan, any thoughts on the public private kind of the change in dynamics there?
B
Yeah, it's really refreshing to hear again, large support for these kind of things. We've had, you know, small circles of networks of friends and colleagues and co-workers for a long time who share details about, you know, breaches or hacks or whatever you want to call it. But to have this again, this kind of broader focus on how we can help learn from each other. You know, going back to the water department analogy, find a water department who couldn't learn something from the water department from the county next door and say hey, how can we do this better, faster, cheaper, cleaner, whatever the case may be. Right. InfraGard is a good example of that where it's an organized space and I think we have to make it easier to share information across organizations. We've started to kind of normalize that security breaches happen despite our best efforts again as we've all heard. But that doesn't mean we should ignore them and give up and go away. I, I really do think there are some, some ways that we can help share information safely and securely to people that we can trust. Right. We don't want to share all the information with, with the bad guys too. Right. There's always a risk of that but, but it really is about sharing information across. What impacts me is going to impact Chris, is going to impact somebody else, it's going to impact another team down the road because there's, there's lots of good guys and, and fewer bad guys I think hopefully. So we've got to, we gotta have that partnership.
A
And on the impact I'll get up on this question from CCL here. Will the government also create laws to protect private companies and citizens from criminal and civil liability for any kind of, as he phrases it, attacking foreign entities. But you know, as you just even starting to move into that more offensive space. Right. Like that would be the component I would feel like I would want in place before I get too bullish on that. Obviously any of these kind of consortium based information sharing that does not get into that area of that. But CCL I think that is, I would be, that would be top of mind. Right. For depending on how far down that kind of rabbit hole you want to go. We don't know how far what conversations these companies are having with the government. So that may be above my pay grade also as well, but definitely something I would want an answer to if I were before I would engage in anything like that. A lot of big, big meaty topics we're handling here today. Help us all, help us all just distill it down here. Jonathan, if you have one piece of advice for our audience just based on our conversation today, what would it be? What would you leave our fine listeners with?
B
We've talked a lot about all the bad things that have happened this week in the news. Don't forget to have fun. Find some way to have fun. Make a new friend, find a new teammate. Don't forget to laugh. Take your PTO. All these things. Go have a walk, go touch grass outside, right? It's not all about technology. Don't forget to have fun. Remember, we're all people. We're all humans. We're all in this together.
A
We're all squishy encryption breaking people.
C
No.
B
You ruined it, Rich.
A
It's hard for him to leave on hope. No, I really do think that's a beautiful sentiment to get out on. Chris, what advice do you have for our, for our audience on the way out here?
C
I'm so thankful that you covered that angle because it's important. You have to be human and find ways to enjoy what you do. And if you can't do that, then find ways to really enjoy what you do when you're not working. I'd say the stories, the things we talked about this week, there's still a common thread, security. It's no longer about building the biggest wall to keep people out. It's not, it's not about building the best weapons system to keep people from attacking you. It's still about building a better basement, right, so you can survive when they eventually get in. Whatever that analogy draws to mind. Even if that's tape backups, good tape backups are a thing still because they're effective. They work because they're resilience in a physical form that you can ship off somewhere. Whatever your resilience is, stay resilient.
A
Well, how I stay resilient and how I find joy in my everyday is I host the show and I get to talk to cool people like Jonathan Waldrop, the CISO over at Acoustic, and Chris Ray, the field CTO at GigaOm. Thank you both so, so much for, for lending your expertise, your wisdom, and indeed your good humor to the show. Thank you so much. We will have links to their profiles for their LinkedIn profiles in our show notes. If you want to give them a follow and I highly, highly recommend you. Thanks also to our sponsor for today, Adaptive Security. Protect your company from deepfake powered phishing. Remember to send us your feedback anytime. Night or day, 365. I won't read it till standard business hours, but feedbacksoseries.com the inbox is always open. Join us again next Monday at 4pm Eastern for another edition of the Department of Know. To register for the live event on YouTube, just head on over to cisoseries.com click on the events menu. We have tons of stuff coming up. We've got Trust Month coming up in April. If you want more details about that, head over to the Events page at ciso. You can see all of the fun things we got coming up in April. So until the next time we meet, for myself, for our glorious producer Steve Prentiss, for Jonathan and Chris, for the big boss man David Spark and the rest of the CISO Series team, here's wishing you and yours to have a super Sparkly day. Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Episode Theme:
Date: March 16, 2026
Host: Rich Drofalino (A)
Guests:
This episode dives into the week’s most significant cybersecurity news, including OpenAI’s new vulnerability scanner, Meta apps’ scam protection tools, recent trends in SEO poisoning for malware delivery, the ongoing challenges posed by public apathy in telecom security, the Stryker wiper attack, Russian targeting of encrypted messenger users, and the U.S. government’s unveiling of a new National Cybersecurity Strategy. The panel shares candid takes on which developments actually matter, emphasizing practical perspectives over hype while offering advice for both security leaders and everyday users.
[00:00–01:00]
[01:20–05:20]
"AI is going to give you better insights...but unless you're prepared to fix them, it's not going to do you much good." [03:13]
[05:20–06:55]
"...Show your customer base, your employees, that you're out to help protect them and not just the organization." [06:26]
[06:55–10:07]
[10:07–13:46]
[15:50–18:40]
"We've spent 20 years obsessing over confidentiality...but Wipers are proving that if you lose availability, the rest doesn't really matter."
[18:55–22:52]
"You can have the best encryption, but if you've got keys or duplicate keys out there, then it's really pointless."
"Your $10,000 lock is useless if the $15-an-hour employee just gives away the key."
[22:52–27:39]
[27:39–32:40]
[33:48–34:33]
"Security is no longer about building the biggest wall. It's about building a better basement, so you can survive when they eventually get in...Stay resilient." [34:33]
The discussion is candid, slightly irreverent, and filled with analogies, aiming to cut through industry noise and emphasize practical takeaways. There’s a recurring motif of balancing urgency (and fatigue) with attainable, human strategies, both for security leaders and general employees.
This summary covers the essential debates, expert perspectives, and real-world advice shared in the episode, including memorable analogies and actionable insights for corporate security and individual users alike.