Podcast Summary: Cyber Security Headlines – Department of Know: Overconfidence New Zero-Day, FCC Torches Salt Typhoon Rules, AI Uninsurable
Date: November 25, 2025
Host: Rich Stroffolino
Guests: Keith Townsend (Host, CTO Advisor Podcast & Advisor Bench), Howard Holton (CEO, GigaOM)
Episode Overview
This episode dives into the latest and most debated topics in cybersecurity, including DDoS attacks vs. infrastructure flaws, the FCC’s controversial rollback of telco cyber rules, increasing liability risks in AI and cyber insurance, and the persistent problem of security teams being overconfident and underprepared. The hosts critically examine regulatory effectiveness, collective industry responsibility, and the evolving threat landscape, offering pointed, experience-informed opinions and practical takeaways.
Key Discussion Points & Insights
1. Navigating AWS re:Invent and Industry Events
- [00:06–02:55]
Both Keith and Howard are prioritizing preparations for AWS re:Invent. They discuss sensory overload, the impossibility of seeing all sessions, and the importance of in-person networking over formal content.
- Memorable Quote (Howard, 01:15):
“Re Invent is the only conference that I go to that is like sensory overload... I had so many meetings back to back that I never left the lobby... So it's really about like meeting people in person. I do 10 podcast recordings that week. It is just an insane level.”
- Keith’s Conference Strategy:
He’s skipping the analyst program to set up a lightboard studio for interviews and learning from the session replays instead.
2. Azure DDoS Attack vs. Cloudflare Outage: What’s the Bigger Deal?
- [02:55–07:17]
- Azure: Hit by a 15.72 Tbps DDoS attack targeting Australia, originating from a botnet with 500,000 IPs.
- Cloudflare: Suffered its biggest outage since 2019 due to a database permission misconfiguration, affecting services including ChatGPT.
- Howard:
Configuration issues like that at Cloudflare are more concerning than DDoS attacks because they’re unpredictable and keep recurring.
Quote (Howard, 04:50):
“Configuration issues you cannot plan for... If I knew about them before, probably would have solved them already, wouldn't be so surprised by them.”
- Keith:
Trusted providers like Cloudflare going down have much broader impact than targeted DDoS attacks. Change management failures are consistently problematic.
3. FCC to Scrap Salt Typhoon Cyber Rules: Back to Voluntary Measures?
- [07:17–11:23]
The FCC is repealing rules adopted after the 2024 Salt Typhoon attacks, which required telcos to use basic protections like MFA and regular patching, instead opting for “collaborative” measures.
- Keith:
Sees policy swings as noise—frustration with lawmaking that changes every administration.
Quote (Keith, 08:00):
“Until we get...an intelligent enough Congress to help us pass laws that don't change from administration to administration, it's noise to me.”
- Howard:
Deeply critical of the rollback; points out telcos have failed on security for years.
Quote (Howard, 08:36):
“The fact is, if private business could have solved it, they would have solved it. They chose not to…We let the burglars in. We knew they were in, they're still in. And we sent the police home.”
- Consensus:
The minimum required standards were not onerous and were already long-established best practices. Their rollback is seen as a dangerous abdication by a sector of critical national importance.
4. PowerSchool Breach: Schools Sharing Blame
- [11:23–14:32]
Canadian regulators blame schools for failing to require specific security provisions from PowerSchool and for not monitoring the vendor’s MFA.
- Howard:
Points out shared responsibility, but schools are underfunded and need more guidance and standards from regulators.
- Keith:
U.S. OMB requirements exist for a reason, but most school districts lack the resources to adequately implement them.
- Chat Comment Noted:
Schools should have lobbying power similar to telcos—highlighting industry imbalances.
5. SEC Drops SolarWinds CISO Charges: Is It Safer to Be a CISO Now?
- [14:34–17:33]
Dropping the charges against SolarWinds and its CISO is seen as cold comfort, as there’s still no legal precedent.
- Keith:
“One thing you'll never see in my job title is CISO... No desire to be anywhere close to having this level of legal responsibility.”
- Howard:
Shifted careers to avoid the legal exposure, noting CISOs get minimal support and then “get told to shut up...then the SEC might come after me. No, I'm out.”
- Lack of Clarity:
Dropping the case doesn’t create new rules, leaving the profession exposed until actual legal boundaries are defined.
6. Overconfidence: The New Zero-Day for Security Teams
- [17:45–24:53]
Discussing a report that finds security teams are overconfident but underprepared—they perform poorly in exercises, take too long to contain infections, and often leave non-technical roles out of the response.
- Keith:
Only direct experience or full engagement (not a vendor pitch) reveals true preparedness.
Quote (Keith, 19:51):
“The only way to prepare your staff for this without actually going through it...is to train, is to train, train, train awareness.”
- Howard:
Budget and governance issues contribute—exceptions (often for high-value targets) create easy vulnerabilities.
Quote (Howard, 22:16):
“If there's going to be an exception, it's guaranteed to be that exception. Yeah, okay, cool. That's also a hugely targeted account.”
- Exception Anecdote:
Keith shares a story about a director angry over MFA on a USB at the White House, exposing how easily policies are undermined at senior levels.
7. AI Risks: Too Big to Insure?
- [24:53–34:13]
Insurers are seeking to exclude AI-related liabilities, citing unpredictable, systemic risk (e.g., 10,000 simultaneous claims).
- Howard:
Some AI incidents (like Air Canada’s chatbot error) should not be insurance claims but operational failures.
Quote (Howard, 27:11):
“[Air Canada] deserved every inch of that, every second of that. That was 100% their fault. There's no two ways about it.”
Also, coverage is being pulled back for cyber too; policies were used as a cheap alternative to real investment.
- Keith:
The business community is cautious with AI, learning from earlier “shadow IT” incidents. Leaders avoid deploying unvetted AI capabilities that could harm brands or customers.
- Howard’s Ethical Catastrophe Thought Experiment:
Leaked sensitive data may have far higher real costs than current frameworks acknowledge—“Shouldn't I go to jail for that?”
8. AI Governance and the Need to Surface Biases
- [34:13–38:00]
AI can encode institution-level biases from historical data. Simply restricting generative/analytic power doesn’t fix the risk.
- Keith:
Shares insights from a Fortune 50 CAIO: restricting employee access to powerful AI to avoid the risk of biased decisions.
- Howard:
Argues the opposite: biases should be surfaced and rigorously eliminated—not hidden.
Quote (Howard, 36:41):
“We need to find our biases, uncover our biases and remove our biases, not create systems that obfuscate them.”
Notable Quotes & Memorable Moments
| Timestamp | Speaker | Quote/Highlight |
|-----------|---------|-----------------|
| 01:15 | Howard | “Re Invent is the only conference that I go to that is like sensory overload... I had so many meetings back to back that I never left the lobby...” |
| 04:50 | Howard | “Configuration issues you cannot plan for... If I knew about them before, probably would have solved them already.” |
| 08:36 | Howard | “We let the burglars in. We knew they were in, they're still in. And we sent the police home and said the homeowner who let the burglars in just decided to live with them and somehow that's okay.” |
| 19:51 | Keith | “The only way to prepare your staff for this without actually going through it... is to train, is to train, train, train awareness.” |
| 22:16 | Howard | “If there's going to be an exception, it's guaranteed to be that exception... That's also a hugely targeted account.” |
| 27:11 | Howard | “They deserved every inch of that, every second of that. That was 100% their fault.” (re: Air Canada and AI chatbot mishap) |
| 36:41 | Howard | “We need to find our biases, uncover our biases and remove our biases, not create systems that obfuscate them. Because...that data is going to be used for...a decision, automated or not.” |
Timestamps for Important Segments
- 00:06 – Welcome, conference talk, AWS re:Invent
- 02:55 – Azure DDoS & Cloudflare outage: which is more worrying?
- 07:17 – FCC telco cybersecurity rules rollback debate
- 11:23 – PowerSchool: third-party risk in education breach
- 14:34 – SEC drops SolarWinds CISO charges: impact on profession
- 17:45 – Overconfidence in security teams: simulation data
- 24:53 – AI insurance: why carriers are denying AI-liability coverage
- 34:13 – AI bias, governance, and the right approach
Overall Tone & Final Thoughts
Direct, analytical, and openly critical, this episode features industry leaders sharing personal war stories and policy critiques with candor and humor. Both guests advocate for more intelligent regulation, internal accountability, and investment in people and process over false confidence or mere technical controls.
Key takeaway:
Cybersecurity’s advance is being hampered by regulatory vacillation, organizational inertia, and overconfidence without experience or meaningful testing. The coming wave of AI risk forces both the insurance industry and business leaders to reassess exposure in ways the old models can’t keep up with.
Speaker Callouts & Resources
- Keith Townsend: Launched an AI-grounded content aggregator at virtual.thectoadvisor.com
- Howard Holton: CEO at GigaOM
- For further engagement, tune in live Mondays 4pm ET on the CISO Series YouTube channel.
For more in-depth cybersecurity stories, visit CISOseries.com.
