Cyber Security Headlines: Department of Know
Episode: Promoting Passphrases, Questioning International Security Conferences, Gift Card Hackers
Date: October 27, 2025
Host: Rich Strofalino (A)
Guests: Bill Harmer, Operating Partner & CISO at Craft Ventures (B); Sasha Pereira, CISO at Wash (C)
Special Appearance: David Spark, CISO Series (D)
Episode Overview
This episode of the Department of Know kicks off the cybersecurity week by focusing on key industry stories and trends that security professionals should prioritize. Host Rich Strofalino is joined by two experienced CISOs—Bill Harmer and Sasha Pereira—to dissect automation, generational shifts in security, the future of passwords, ongoing cloud threats, and the provocative idea that artificial intelligence could end cybersecurity as a profession. The tone is lively, irreverent, and deeply practical, encouraging critical thinking and candid opinions.
What’s Top of Mind This Week?
(02:29 – 03:22)
- Automation as Priority (B): "For me it's automation. I've been doing a lot of work with Supabase the last couple months, and for me, I'm just about automating everything..." (02:29)
- Rethinking Generative AI Security (C): "I think for me it's more GenAI security. ... A lot has changed in the last six months, and policies and things that we put in place need to be revisited." (02:58)
- Reminder: The rapid evolution of AI mirrors the smartphone boom; adoption and risk creep up fast and can catch you off guard.
“Know or No” – What Security News Matters?
(04:41 – 13:55)
1. AWS Outage Crashes Multiple Major Services
- Both guests agree: Need to Know (04:41)
- Bill: "Everybody's built off Amazon... The domino effect was massive... This is part of resiliency." (04:41)
- Sasha: "F5 Networks was one of those people in that list... Abnormal AI is email security... Not having your email security working for you... was a huge bad thing for us for 15 hours." (05:14)
2. Windows Updates Causing Login Issues
- Sasha: "It's a light no... Once we identified what it was, it wasn't affecting a lot of employees so we were able to contain it." (07:00)
- Bill: “Hard no... Microsoft screwing something up again. It’s par for the course. And I don’t use Windows.” (07:36)
3. Meta Launches Anti-Scam WhatsApp/Messenger Tools
- Bill: "If they're in there able to check out for scams, that means they're in there reading what's going on. So your fully encrypted end-to-end WhatsApp message is no longer secure, or maybe it never was." (08:17)
- Sasha: "Hard no for me... We block and we don't support any Meta product, including WhatsApp." (08:58)
4. Microsoft Copilot Offered for Exchange Server—With Cloud Data Risks
- Both: No thank you. (09:46 - 10:04)
- Sasha: "Hard no because I do not want to send Exchange data to train." (09:46)
- Bill: "I ain't sending them anything." (10:02)
5. Lazarus Hackers Targeting European Defense Companies
- Bill: "We need to know about it. ... We're either not doing a good enough job of getting people to understand that these job offers are fake..." (11:11)
- Sasha: “We should know... The techniques they're using... the average detection time is nine months. ... Even if it does not specifically apply to you, the methods they're using are going to happen to you.” (12:36)
Key Insight:
The real value in tracking these attacks isn’t just the news cycle—it's understanding attacker tactics, which inevitably diffuse from headline targets to the rest of the business world.
Passphrases, Passwords & Beyond
(15:35 – 21:11)
The Case for Passphrases
- Bill: "They're way stronger [than traditional passwords], they're easier to remember. ... But we're going to run into the same problems ... [with] requirements. ... We've spent 20 years hammering how important passwords are ... and now we're going to run out and go, ah, passwords are really nothing. Go to a passphrase." (15:35)
- Sasha: "Complex passphrases are great, but ... you have to have some kind of combination of things, planning for the quantum [future]... MFA as well ... biometric... passwordless authentication. But again ... passphrases ... that's something you should be doing immediately. But looking long term vision, it's got to be something more than that." (16:46)
Memorable Moments:
- On user education misconceptions:
  - Sasha: "I get a text message from someone on the C-suite saying, hey, I just read in the Wall Street Journal that it's passwordless now, so that means I don't have a password anymore." (18:36)
  - Bill: "There's exactly the problem, right? We've told them about these passwords and now they're like, oh, I don't need my password anymore." (18:53)
- On password rotation habits:
  - Sasha: "We noticed about 10 people had the same password ... they were changing it by the season. And so everyone picked the same way to season and capitalize and use the year." (20:42)
Gift Card Hackers—The “Jingle Thief” Campaign
(21:11 – 24:51)
- New Threat: Palo Alto Networks Unit 42 warns of hackers exploiting cloud infrastructure to steal gift cards by gaining long-term footholds within retail and consumer orgs.
- Sasha: "We actually put a honeypot out ... watching them do it ... how they actually do that. So it's really important to study these sort of attacks to understand how ... what tools they're using and what's the sequence of events." (22:18)
- Bill: "It’s the techniques... whether it’s gift cards or your intellectual property... once in... they are moving very fast laterally... I think we've built far too many environments that have that hard candy shell on the outside and they’re soft and squishy on the inside." (23:45)
Is AI the “End of Cybersecurity”?
(24:51 – 31:39)
A Provocative Statement
- Jenny at Audit Board event: "If we're able to build and deploy and govern these incredibly powerful technologies in a secure way, I believe it will lead to the end of cybersecurity." (paraphrased, 24:51)
Debate:
- Bill: "The attacks are going to come at machine speed. The defense will be at machine speed. ... Having said that ... I take a little exception to the businesses are consciously making the choice to ignore safety to get to market faster. ... As long as anything, as long as it's in this world, it's going to break. ... I don't think cyber itself will go away, but I do believe a good portion of what we do will become automated. That is why I said at the beginning of the show, I am after automation." (26:02)
- Sasha: "I would categorize it under 'aged like milk.' ... There's no end of cybersecurity. ... Attacks will get more sophisticated, but hey, it works from both sides, right? ... I do feel like, yes, there's definitely a change in the way you look at cybersecurity... it's going to augment what we do. ... There'll be certain functions ... I'm not going to 100% trust, leaving them completely to AI." (27:54)
- David Spark: "She knows what she's doing. And what's quite amusing is [such] an intelligent, bright, well-respected person making that statement... because you know, we get these sort of armageddon statements from loons and we're like, all right, whatever." (30:18)
Quote from Chat (Listener CCL):
"AI will not take the job away, but someone with an AI skill definitely will." (31:39)
Notable Quotes & Memorable Moments
- Bill (on automation): "I'm just about automating everything..." (02:29)
- Sasha (on generational change): "It's going to be generational. As the next gens ... come up ... they'll be more adept, ... know these scams better and faster..." (11:46)
- Rich (on user resistance): "...don't touch my start menu. You have one innovation, Microsoft, please don't put it in there." (10:27)
- David (on cyber job security): "No, I'm just saying it was definitely poking the bear. ... And she got one and we talked about her on this show." (31:39)
Important Timestamps
- (02:29) – Top-of-week priorities (automation & GenAI security)
- (04:41 – 13:55) – Rapid-fire news analysis: AWS outage, Windows updates, Meta scams, Copilot/Exchange, Lazarus hackers
- (15:35 – 21:11) – Discussion: Passphrases and the true future of passwords
- (21:11 – 24:51) – Deep dive: Jingle Thief gift card hackers; attacker dwell times
- (24:51 – 31:39) – Is AI the end of cybersecurity? Engaged debate
- (31:39) – Listener input and final takeaways
Final Thoughts
This episode blends humor, hard-won skepticism, and technical rigor. The Department of Know reinforces that security isn’t about chasing trends or absolutes (“end of cybersecurity”), but about understanding attacker tactics, evolving technological risks, and the slower, generational process of cultural security change. Automation, layered defenses, user education, and technical controls remain essential—while AI, for now, is as likely to change cybersecurity roles as to end them.
Memorable sign-off:
"AI will not take the job away, but someone with an AI skill definitely will." — Chat Listener (31:39)
Follow the show live on Mondays, and check out cisoseries.com for daily infosec news.
