
A
Hello, everyone. This is Sarah Lane with the Department of No. John Barrow, CISO at J.B. Poindexter Company. What is your priority this week?
B
This week we're mid-flight with three major technology implementations, so we're focused on those as well. As you know, prepping for RSA, it's coming up in a few weeks, so trying to get ready for that. Those are kind of the main things, you know, prep for this week.
A
And Derek Fisher, director of the Cyber Defense and Information Assurance Program at Temple University. What's your priority this week?
C
So this week we actually have the Women in Cybersecurity conference coming up starting on Wednesday. So I'm heading down there tomorrow night once I get done teaching. And, yeah, I'll be there for three days and doing a lot of volunteer work, probably pretty much morning to night every day. So looking forward to it. Should be a lot of fun.
A
Well, John and Derek, we're happy, very happy to have you both on the show today. All right, let's get into it. Producer Steve, let's run that opening from the CISO series.
B
It's Department of No.
A
Welcome, everyone, to the Department of No, your virtual Monday strategy meeting. Our sponsor today is Dropzone AI. You can visit them at RSA, the conference. The Dropzone Diner is what they call it, and it's booth 455. Put it on your calendar. And remember to get involved in our YouTube chat live. We broadcast every Monday at 4pm Eastern Time. And you can email us@feedbackisoseries.com. Disclaimer, as always: opinions expressed are those of our guests. All right, we've got about 30 minutes. Let's dive into some news. We start with our Know or No segment. So I'm going to run through some stories from the past week, and I want both of your quick takes. Is this something, security-wise, that you think as a professional is very important to you, or is it more noise than signal? You never know. You never know. All right, Derek, let's start with you. An iPhone hacking toolkit called Karuna has likely infected tens of thousands of devices and may have originated as a US government tool. The toolkit exploits 23 iOS vulnerabilities to silently install malware when users visit a compromised website. Considering that pretty much everybody has their own phone, even if they have a company-issued one as well, is this something to know or no for you and your team?
C
I, you know, I think this is the typical type of, I don't want to say background noise, but there's a lot of, you know, we see attacks like this all the time. And so I'm more curious, actually, about the. How it got here. Right. And with these types of espionage tools being turned into, you know, targeted types of tools for targeting specific people. You know, really, to me, it's more interesting how it got to that point. And I think one of the most curious things about it is that these tools that were first initially developed to target very specific individuals or groups of people with very specific technology, it always escapes. We saw that with Stuxnet. We see this with all kind, EternalBlue. We see this with all these different types of hacking toolkits that are developed that you can't keep contained. It's eventually going to get out. So I think it's a constant reminder that we have these problems that come up periodically. I think in terms of what to know here is understanding what the indicators of compromise are, making sure that our teams are prepared to look for those IOCs and make sure that we have the right table stakes in place in terms of a well-defined security program.
A
And John, I don't know how many of your employees are running iOS on their devices, but how much does this disturb you or not?
B
Well, I think it's kind of like Derek was saying. I don't think it's something we necessarily need to be a top priority or anything, but I think being aware of any new attack vectors and indicators of compromise and validating whether or not we're impacted in our environment or not is important. But I'm not gonna pause any major, you know, things that we're doing right now, major priorities or initiatives to, to focus on this. But, but like when anything comes out, you know, you know, any threat notification, I'm always, hey, are we impacted? Let's validate, let's do some proactive threat hunting to make sure we don't see any of these IOCs in our environment, you know, but it's kind of a quick sweep and then on to the next thing.
A
Well, speaking of on to the next thing, this one seems to be coming back around all the time. An oldie but a goodie. LastPass is warning of a phishing campaign using faked LastPass emails urging users to click links like "report suspicious activity," which then leads to a fake login page that then captures credentials. Humans get caught by this type of put-on. You might be smart, you're having a bad day, it catches you off guard. It happens. So, John, is this something to know or no?
B
I think kind of similar to my last answer. I mean, I don't think it's, I mean, as long as your security awareness program and your email security, like, layered defense is set up correctly, I mean, a lot of this should be blocked. But as long as you're educating and constantly, you know, making sure that your team members and your employees are aware of this, I mean, it's just another tactic. I mean, I don't think it matters that it's LastPass per se. I think it's just this kind of typical baseline phishing tactic. Right.
A
Is it something that you repeatedly have to go through with the folks that work for you at the company?
B
No, not really. I mean, I do send out org-wide communications from time to time just for awareness. Like, hey, we're seeing, getting reports of these types of things, like the, you know, there was a while there with tolls, the toll roads, you know, like a lot of people, the toll road,
C
like yeah, all the text messages that were coming out about the, you know, paying your bill or something like that and people were clicking.
B
Right, right. And it's kind of the same thing. I mean, we'll send out a notification, like, for people to be aware of it. But, you know, our email security protections in place should block most of these. Right. Like, so I think it's the same as any other, you know, phishing thing. I don't think it makes it more important because it's LastPass. I mean, granted, I know what LastPass does, but I think it's just, as long as your folks are aware, and, you know, I think that's kind of it. I don't think you really need to deep dive too much on it.
A
Well, and what about you, Derek, over at Temple? You know, how do you, how do you minimize the risk of somebody getting got?
C
Yeah, I think it, it is one. I'm, I, like, I got off of LastPass years ago, and, you know, it's tough because it's a single point of failure. You know, if you're using it extensively, not just for passwords but for notes and for keeping track of numbers and things like that. It's got a lot of the keys to the kingdom. So, you know, it is a little concerning from that sense. But I think the attacks, they don't, you know, I shouldn't say they don't change, but they don't change. I mean, this is a phishing attack that's, you know, basically preying on people that, you know, either aren't paying attention or are just, you know, being social engineered into entering in a master password, which happens, you know, and it's LastPass today, it's gonna be somebody else tomorrow. So I think it is, you know, it's concerning. And it's something that I would chalk up to, like, a security awareness, you know, avenue, as opposed to something like drop everything, you know, we got to focus on this type of thing.
A
I actually am a LastPass user. I have been for years, and there have been some concerns on my end about whether or not I should move everything over to another password manager. Of course, when you get caught up in a system for long enough, you know, that ecosystem is extremely annoying to leave.
C
It took me. It took me a while to get off of LastPass and move over to. I'm on Bitwarden right now, but. And I'm not advocating, you know, I know, you know, I'm not advocating for one over the other. I just, I. After the LastPass episode years ago, I just, I kind of was done with it. And it wasn't so much because, you know, that they had a breach and they had a security incident. It was more their handling of it that didn't really instill confidence in me. And that's why I jumped. Right with you.
A
And what about you, John? I mean, outside of work, are you rocking a password manager?
B
I don't. I don't. Outside of work, I'm kind of like the mechanic that has his car on blocks in front of his house. Once I leave the office, I don't want to touch a computer. I mean, obviously sometimes things happen and everyone's got to jump on for something. But, no, not in my personal life. Not really.
D
From a know or no standpoint, would you say this would make it easier to argue for biometrics and passkeys as the team becomes aware of just how limited the password system is, even with programs like LastPass and 1Password?
C
I mean, I would say that, but I think the problem is that you have. Not everybody's using passkeys, or not everybody's accepting passkeys. So it's sort of, whether we like it or not, passwords hold up 90% of what we do online. And until we get more momentum behind other types of, whether it's FIDO or other types of passwordless types of tech or something like that, you know, we're kind of stuck with this. And attackers know that, you know, and we.
B
And we are looking at different biometric options, you know, for, like, our plant workers specifically. Right. Like, you know, because, you know, like a lot of companies in that space where you have, like, a shared kiosk where multiple people use it to, you know, log in, log off for the day and things like that. I mean, it has minimal access to anything on our network. But I think just for efficiency, right, like, biometrics might make sense on a plant floor, but we haven't, you know, implemented. We've done some testing.
C
But I was going to say that from a usability standpoint, something like that would be helpful, you know, because especially if you're forcing difficult passwords, you know, complexity and entropy on your passwords and stuff like that, nobody on the floor is going to type in a 22-character password, right? Biometrics saves a lot of time.
B
You want to try to avoid that sticky note sitting on the computer.
A
Oh, the sticky note. Oh, the sticky note. Well, speaking of usability, even though 6G networks are a little bit of a ways off still, a coalition of Western countries, including the US, are cooperating on a secure-by-design approach, including diversification of the 6G supply chain to prevent systemic threats and support for quantum-resistant cryptography. So, John, is 6G on your radar? And if so, is it a know or a no?
B
It's more of a no. No. I mean, I think we're still a few years out. I think it's something we can think about. But again, I mean, I have a pretty lean team. I mean, we have a million different competing priorities. So I think until 6G becomes a little more realistic or, you know, it's happening, you know, I think at that time it might make sense. I mean, as I say that, I'm thinking, well, you know, you need to be proactive and kind of get ahead of it. But I mean, they've been talking about 6G for how many years now? So I don't know how, you know, how urgent it is to really focus on that.
C
Mm.
A
Derek, what are your thoughts?
C
I mean, this is playing into, like, what I, you know, my sort of my sandbox, which is, you know, product security, building security in from the get-go. And I think getting ahead of this and getting, you know, a group together to really tackle this and decide, you know, make early decisions on how we're going to make this secure. I like that, I like that direction, and I think that's the correct direction because, you know, 5G is a thing, right? We have it, it's out here, you know, and there's a lot of promises, and some met, some missed. But in terms of being able to enable IoT, smart cities, connected vehicles, like, all that stuff, with something like 6G it's going to accelerate, especially when you start layering in things like AI, quantum encryption, all that stuff that's going to be layered into 6G. I think it's important for us to start tackling those things now because if we don't get it right from the start, we're going to have a lot of the problems that we had with bolting on security in 5G later on.
A
That was going to be my follow-up question. So, Derek, thank you for setting that up for me. For John, is there anything that 5G does not provide that you really want 6G to work with?
B
Well, well, I think Derek touched on it. It is, you know, from what I've read about 6G, it sounds like it's secure by design.
C
Right?
B
Like, they actually thought of security from the beginning. I know with 5G it was more about signal and speed and performance. I think security was kind of an afterthought. So I am glad that they're thinking of it more from the beginning, from a secure-by-design standpoint. I think that's going to be critical. You know, as he was talking about, like, with IoT and AI and all the different things that are going to leverage 6G. So I'm glad that that's the route they're taking, you know, because I think they learned quite a bit from not doing so with 5G. But I'm kind of a skeptic or a cynic, you know, I mean, that's what I'm reading. But hopefully it's the case.
C
I think, you know, just to sort of piggyback on that. I think one of the concerns with 6G right now is. And the story that we were bouncing around on this topic was related to how China and non-China countries are sort of approaching 6G, and we have to sort of square the fact that, and this happened with 5G as well, a lot of the technology and engineering that's being done and the hardware that's coming out is being developed by China, and we can cut off some of those companies if we want, but then you have sort of a mixed playing field of technology, and we know that that doesn't always work out well. So I think, you know, it's going to be interesting to see whether we as a globe decide to coalesce around certain standards or we start having this again, this jagged approach of, you know, one area of the world taking on different sorts of designs compared to the rest of the world. And, you know, that could lead to more security issues.
A
Indeed. All right, are you guys ready to go phishing again? We're going to do it. The .arpa domain is a special top-level domain reserved for Internet infrastructure rather than normal websites, used for reverse DNS lookups. Researchers at Infoblox say that threat actors are using that to drive users to phishing sites. All right, so, you know, in our last phishing conversation, both of you were sort of like, keep an eye on it, maybe not. Not the end of the world. Is this something your team needs to know or no about, Derek?
C
I would say know, in turn, K-N-O-W, because I think, you know, one of the things I took away from this was that, and we're seeing more of this, is how do attackers sort of get into the flow so it looks normal, you know, and I think that's the entire point of this type of phishing attack is, you know, how do we make this. How do attackers make this so that it looks like it's a normal flow of data and therefore doesn't raise any alarms? And I think we're going to see more of that. And I think it's, again, not really an, I don't want to say an awareness thing, but it's definitely an awareness thing for the security teams to know that just because you have trust in a certain workflow or you have trust in a certain set of data flowing through a particular path doesn't mean it should be trusted. Because there could be. This is a prime example of, you know, using a legitimate workflow to do illegitimate work.
A
Somebody in our chat said that the .arpa domain for phishing is a doozy and very creative, to be honest. John, have you seen this floating around?
B
Yeah, and I think, I agree with Derek. I think this one's a little different from the previous one we talked about. This one's a little more, you know, because with our email security layers, you know, some of the previous ones, I'm not too concerned about. But this one, like he was saying, the data flow, like, it's harder to detect from your tools. And so this is something that I'd want my team to dive into a little deeper. And not just my team, but I would go to my email security vendors and, you know, ask them what they're doing, you know, to be able to update their capabilities, to be able to detect this and identify and prevent these types of phishing attacks from happening.
A
Do you ever get in situations where you go to those vendors and say, hey, what's going on? And they say, we haven't heard much about it. And then you kind of have to take another path.
B
Not necessarily specifically with my email security vendor, but there have been other ones where they're like, oh, yeah, we didn't hear about that. You know, that's a little scary. You know, when they're not aware,
A
everybody isn't aware of the news, then, you know, it turns into a little bit of whack-a-mole.
B
Right, right. Yeah, you would hope they would have heard of it before you did.
A
All right, well, those were our Know or No stories of the day. We are now going to have a word from our sponsor, Dropzone AI. Here's a number worth knowing. Before RSA, the conference, RSAC, the average enterprise SOC sees tens of thousands of alerts per day. Most get triaged, a fraction get thoroughly investigated, and the rest sit in the queue or get auto-closed. Dropzone AI puts AI SOC agents on every one of those alerts. Every alert investigated end to end across your full tool stack, around the clock. Over 300 deployments in production today. Again, they are going to be at the RSA conference this year at booth 455. Dropzone AI slash RSA 2026 AI diner. They got an AI diner. Pretty fun. All right, let's get into some stories that deserve a little bit more of our attention this week. So Google's Chrome team is testing quantum-resistant HTTPS certificates to protect against future attacks by quantum computers. The initiative uses something called Merkle Tree certificates, which replace traditional certificate chains with compact proofs, reducing TLS handshake data and integrating transparency into issuance. Public deployment and a dedicated quantum-resistant root store are planned for 2027. Now, before we get into this, I know that Steve has a pretty good description of what that Merkle Tree certificate looks like.
D
Yeah, it's kind of a nicely described concept. Kind of like a tree, really. It's just when you have a large set of data, to prove that it is all trustworthy without having to show all the data. Imagine the big tree, okay? Each leaf is a small piece of data, like a public key. Each pair of leaves is hashed together to form a branch, and those branches are hashed together until you reach the root at the top. And what that means is, if you trust the root, then you can trust any leaf by checking, you know, checking them out a few hashes along the path. So that's what makes it kind of extremely efficient, is, I guess, safety in numbers or safety by association.
A
Thank you, Steve. That actually is quite a good visual. Okay, so the question for you, John and Derek: quantum computing awareness is sometimes eclipsed by the day-to-day and sometimes raging AI explosion that we're going through now. So where do you feel like we are in terms of quantum readiness, and what should people be doing or thinking now? John?
B
Well, I think, I mean, you're hearing more and more about it. Like, you know, every conference, every summit I go to, we're talking about it, you know, PQC. I think it's something we definitely need to get ahead of because we know the adversaries are already, like, doing data harvesting and gathering encrypted data and hoping to be able to decrypt it once, you know, quantum computing matures. So I think it's something we definitely need to get ahead of, but I think that people are still kind of wrapping their arms around it. You know, what exactly that means. I know the government put out a mandate where it was saying, I think it's something by 2035 or something like that, where, you know, everything has to be fully migrated to quantum cryptography. And so I think we have some time, but I think, you know, it's gonna be here, you know, I mean, sooner than later. And I think that, I mean, even last week I met with a startup that was kind of just in ideation, but this is, you know, I'm sure there's others out there as well that are trying to build something to help with this path, right? Like, first of all, identifying, you know, where your cryptography is, where it needs to be updated, which systems will be vulnerable, you know, and things like that, to kind of get you ready to make that transition and help you formulate a plan to migrate everything, which could be a multi-year project. Right? And so I think it's one of those situations where, unfortunately, I think a lot of organizations are going to wait to the last minute, and then the adversary is already going to have a ton of their data. And I don't know if that's just fear marketing, but it's kind of scary, you know, if you really think about it, you know, they're just waiting for that maturity and then they can decrypt it and have a lot of your crown jewels.
A
Derek, do you agree with John that it's something to kind of keep an eye on and just try not to fall behind on, or do you think that companies have already been leapfrogged?
C
Yeah, I mean, look at it this way, the technology is coming. It's not like quantum is going to happen. I couldn't explain quantum to save my life if I had to. I understand it enough to know that there's going to be massive leaps in technology when it becomes miniaturized enough for it to be, you know, ubiquitous. But, you know, I look at this the same way that we had with cloud, with AI, you know, with, we were talking about 5G, 6G earlier, now quantum. It's like these technologies are coming on board, and, you know, we're starting to learn those lessons that in order to get secure from the start, we need to start having those conversations as early as possible. Quantum computing does exist. It's just, you know, it's expensive, it's, you know, it's kind of in the hands of a few organizations or companies. But that's going to change in probably the next several years. And so if we're not getting ahead of it, then we're going to be caught flat-footed, as usual in security. So it's good to see Google sort of pursuing something here that's going to at least protect, at least at the transport layer, in terms of certificates, whether it's digital certificates or HTTPS and so forth. So it's good to see us making strides in that sense. But I'm sure that, just like AI sort of caught everybody in security off guard, there's going to be edge cases, you know, edge use cases and things like that with quantum that we're just not thinking about today that we're going to have to be prepared for.
A
All right, let's talk war, shall we? The UK's National Cyber Security Centre, or NCSC, is one of many organizations warning of potential Iranian cyber attacks amid the ongoing Middle East war. State-sponsored and Iran-linked hackers are believed to retain some operational capability despite Iran's ongoing Internet blackout. So, question, and we'll start with you, John. Clearly this is what modern warfare is about. We're not going to get away from that. Iranians are not slouches when it comes to cyber warfare. What do you make of this in terms of real status as a war-related threat that affects all of us?
B
Yeah, I think they're definitely, if they haven't already, I'm sure they're targeting our, you know, critical infrastructure, energy, other areas, anywhere they can, you know, make an impact. I know there's several threat notifications from, like, CISA and NSA and FBI and DC3 about, you know, warning folks about Iranian cyber attacks. Right. And I forget where I read it, but somewhere they're already using, you know, like the commercial, like, surveillance systems, you know, offensive security for, you know, hacking into mobile phones and anywhere they can make an impact. Right. I mean, I think this is my opinion, of course. You know, these aren't facts, I guess, but, you know, they're going to do anything they can to hurt us, you know, because we've, you know, with the attacks, you know. Yeah, retaliation, exactly. So I think they're going to use any means they can to make it hurt for us.
A
Derek, what are your thoughts on this?
C
So I read, it's called "This Is How They Tell Me the World Ends," I think it was. I finished it up maybe two months ago or something like that. And it's about nation-state actors and sort of the cybersecurity space over the past several decades and how, you know, we all sort of, as nations, act adversarial against all these other nations. And even for somebody that's been in cybersecurity for a dozen years or so, it still was extremely eye-opening. And I don't want to say I lost sleep, but I definitely was like, yeah, I mean, the stuff that. Some of the capabilities of some of these nation states, including Iran, are extensive and can have widespread impacts on a lot of critical infrastructure, financial services, the energy grid, like, that kind of stuff, which is real. So this is certainly something that would be of concern, but I don't think it necessarily would catch anybody off guard. Any of the industrial control system organizations or those operating, like, smart grids and things like that, they're aware of this threat. It just might be ratcheted up, you know, so it's not like it's brand new, like, oh, Iran is on the scene right now and we have to worry about them. It's like, no, we've known about this. Now they're, you know, turning the dial up to 11. And so, you know, we just need to be prepared for that.
B
Yeah. And just to kind of piggyback off that, I mean, even, shoot, this was 10 years ago. I was at a conference in Vegas and Ted Koppel was the keynote. And he was talking about this, you know, he was saying, you know, like, China and Russia and several other countries, we already knew, the government already knew that they had access to our, you know, our national power grids, but we also had access to theirs. Right. So it was one of those things where no one would really do anything. But the biggest concern is when you get a rogue nation or someone that really has nothing to lose, that if they had access to our power grid, then they wouldn't hold back.
A
Yeah, it's like less of that handshake agreement of like, yeah, we both got it, but no one's going to do anything.
B
Right.
A
And so as soon as somebody does, then, you know, the landscape changes.
B
What's playing out now? I mean, it wouldn't shock me, and not trying to get all doomsday, but I mean, just think about that impact, right? Like, even think of a city like New York, like, if New York had no power, no water, like, it would be immediately in the 1800s, and then think about crime, and I mean, just, it'd be an awful, an awful scene, you know. But yeah, kind of like Derek said, I mean, I don't think this is a new threat. I think this was an ongoing threat that everyone was aware of and has been aware of for many years.
A
Well, let's go back to Google for a sec. A report from the Google Threat Intelligence Group, or GTIG, says it tracked 90 zero-day exploited vulnerabilities throughout 2025, and almost half of them were in enterprise software and appliances. So this is a 15% increase over 2024. 47 of the vulnerabilities targeted end-user platforms, 43 targeted enterprise products. The most targeted enterprise systems were security appliances, networking infrastructure, VPNs and virtualization platforms, as these provided privileged network access and often lack EDR monitoring. That comes from the Threat Intelligence Group. All right, so question for you, Derek. Given what we just talked about in regards to cyber warfare and the dangers that that presents, it's not super comforting to discover that our digital infrastructure seems to be at risk because of zero days that just keep happening. Is it unfair to lash out at a software company for releasing a product so often that then has to roll back certain things? Or is this just the cost of innovating quickly?
C
I think it's the cost of innovating quickly. I think, again, what was sort of interesting to me was the fact that a lot of the, or the bulk of the zero days were in, like, or being used in, like, spyware, you know, in order to target specific people and groups and things like that, which is always a little bit more concerning because that sort of rolls back up to the nation-state or organized type of activities where, you know, these zero days sometimes are well known and, or they're identified and they're sat on and they wait, you know, you wait for the opportune time to do something with a particular target. Whether it's, you know, what we've, we've had cyber capabilities during this war in the Middle East. We've had cyber capabilities in Venezuela a few weeks ago, you know, those, we've had those and we're just sitting on them. We're waiting for them to, you know, to be effective. And I think that's concerning, is that there were 90 that were identified in this report, but there were probably 100 that weren't, you know, that are still basically in a vault somewhere waiting to be used. And that's a little more frightening.
A
So John, how much discomfort do you feel about this story?
B
I mean, yeah, that was the first thing I noticed, what Derek mentioned, 35% were commercial surveillance, you know, technologies. That's one of the first things that stuck out to me, you know, more than nation-state actors. But another thing, kind of pivoting on that, is, you know, I think it's interesting that, like, you know, CISOs and security teams and organizations are held responsible, you know, to make sure they're doing their due diligence and they're not negligent on ensuring their company's protected against vulnerabilities being exploited and things like that. But, like, and I know I've read something several times throughout the years, like, that the government's going to make, you know, the big companies, the Microsofts and the Googles, make them answer for releasing software that they know is vulnerable, or whether they didn't know it was vulnerable. And I know that is a cost of innovation, but also it's kind of a self-licking ice cream cone. It's like the company that introduces the most vulnerabilities is also claiming to be a security company. So, hey, if you invest in our security capabilities, we'll help you protect against the vulnerabilities that we introduce to the world.
A
And that gets tricky, right, because it's like, okay, if you're Google and there's a security part of the team that's working on stuff but is missing certain things, you know, that's not on purpose, right? But if the company is like, well, this is how we're going to keep all of the rest of you safe, then you end up having a conflict of interest.
B
Well, there has to be accountability on their side as well, right? The software vendors, you know.
A
Yeah.
B
You know, it can't, you know, I mean, a lot of it is on us, you know, protecting our organizations, but it seems like there has to be accountability on that side as well.
C
You know, we used to say a long time ago that, you know, companies could go bankrupt if they had a security breach. Right. That was the big thing. Right. We would say, hey, you know, if you had a breach, you could, you know, you could potentially go bankrupt. That's never happened. Well, I shouldn't say that's never happened. That doesn't happen to the, to the big companies. Microsoft's not going to go bankrupt if they release 10 zero-days tomorrow in Windows, you know, even if they. Well, if they know it's not zero day. But I'm saying, like, if they release an insecure product, they're not going to, there's no, there's no repercussions. You know, I think that's the, I think.
A
Right. The consumers don't just immediately say, oh, never mind, we're going to go to that other company.
C
I mean, when Target, you know, they're too in trend. When Target had that breach, you know, the point of sale breach, whatever, that was like a decade ago. You know, the news I remember came out and was like, oh, my God, they're going to, their, their stock's going to tank. Everyone's going to leave. They're, you know, they're not going to go to Target. That never happened. You know, and of course it's a big company like Target, but there aren't, there are no, you know, as bad as it sounds, there are no repercussions. And I think everyone just sort of chalks it up as this is the cost of doing business is that every now and then you could have a breach. I mean, we don't stop living in homes because homes get broken into. Right. I mean.
B
Yeah.
A
Or burned down or.
C
Right. I mean, it's, it's just a risk that we've all sort of accepted as, you know, this is the risk of, you know, doing business.
A
Yeah. So that's actually a very good analogy. It's like, stay as safe as you can. That's what we all want to do. And some people do it better than others.
C
And that's, you know, that's our job in security is we manage risk. Right. We don't, you know, we're not, we're not here to say that, you know, our products are going to be 100% secure. Nobody's ever going to say that, you know, you manage risk to the best, that the, you know what the risk appetite of the organization is. And, and that's what you manage as a security, you know, leader and professional.
B
Well, yeah, and you got to make that balance constantly, you know, like what, you know, ultimately the business exists to make money, right? So you have to do whatever you can to support that and not hinder their ability to make money, but also try to minimize the risk, you know, associated with that. And it's kind of the same thing like with software vendors. Like we know there is inherent risk with the Microsofts and the Googles, but they also allow us to have a successful company as well. Right. So you kind of got to balance that.
A
Well, as we, as we close out today's stand-up and this has been really fun by the way, we. What piece of advice, if you had to pick one, do you want to share with our audience today? John Barrow?
B
I would say the key to success of a cyber program is all about having relationships of trust and strong internal and external partnerships. It's all about communication. It's all about those relationships and that's internally with your executive leadership team, you know, with your peers, with all the department leaders, but also externally with all your third party partners. That communication, that trust, those relationships, I mean that's, that's key to everything. And I think it's extremely important to, you know, have continuous, transparent, honest communication and also balance your storytelling. Tell them, tell them all the good things your, your team's doing to protect the company, but also explain to them that, you know, we're not good. There's no, you know, we're constantly being, you know, attacked. There's constant attempts, you know, because that, because if you only tell them the good side, then you lose funding because why do we need to invest more? But also you want to highlight all the great things your team's doing. I know that was a lot, but it's ultimately, it's ultimately the relationships. It's the, it's the human element.
A
Very good advice. Very good advice. Derek Fisher, what's your advice?
C
Yeah, I mean, I would agree with John. I mean, it's, you know, it takes a village. I mean, we're all, you know, we can't all be experts in everything. You know, we have to, we have to rely on those that are. But I also say, you know, stay curious because, you know, things, things change so rapidly. You know, before ChatGPT came out, you know, it was such a quaint time before everyone got, seems like just yesterday yeah, it does. And that's the thing. It's like, you know, I mean, it's, it's been a couple years, but at the same time, it's like that overnight everything changed in security. And I mean, not just security, but technology changed. And by virtue of that, everything in security changed. And I think being able to stay curious and being able to stay nimble and being able to adapt to things as they change and getting yourself and your team prepared for that, I think is critical in security these days.
A
Well, thank you for your words of wisdom, both of you, and thank you to everybody who joined us and was chatting and asking questions while we did our show live. We'll do it again next week. So thank you to John Barrow, CSO over at J.B. Poindexter and Company. Was really a pleasure to have you. And Derek Fisher, director of the Cyber Defense and Information Assurance Program at Temple University. We hope to have you both back and on the show very soon.
B
Thank you very much.
C
Thank you.
A
We'll have links to both of your LinkedIns in our show notes. People want to try to get a job from you because you both sound like pretty good people to work for. Thanks also to our sponsor, Drop Zone AI. Visit them at the RSA Conference RSAC at the Drop Zone Diner. That's booth 455. And remember, you can send us feedback anytime at feedback@cisoseries.com. We'd love getting all of your responses, all of your feedback. Join us again next Monday. We do it at 4pm Eastern for another edition of the Department of no. To register for the live show on YouTube, just go to cisoseries.com and click on Events. We'll take it from there. I'm Sarah Lane. Stay classy and stay safe out there.
B
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Date: March 9, 2026
Host: Sarah Lane, CISO Series
Guest Panelists: John Barrow, CISO, J.B. Poindexter & Company; Derek Fisher, Director of the Cyber Defense and Information Assurance Program, Temple University
This episode centers on key cybersecurity news and current threats facing organizations, with an emphasis on quantum-safe certificates, the persistent challenge posed by Iranian cyber actors amid geopolitical tensions, and the record number of zero-day vulnerabilities discovered in the previous year. The panel discusses how security teams prioritize threats, the evolving phishing landscape, the promise and pitfalls of next-gen technologies like 6G and quantum computing, as well as the enduring realities and limitations of security risk management.
"Are we impacted? Let's validate, let's do some proactive threat hunting..." – John Barrow [04:05]
“If we don’t get it right from the start, we’re going to have a lot of problems that we had with bolting on security in 5G later on.” – Derek Fisher [12:17]
"This one's a little more...it's harder to detect from your tools... I'd want my team to dive in a little deeper." – John Barrow [17:21]
“Quantum computing does exist… it’s kind of in the hands of a few... That’s going to change.” – Derek Fisher [23:27]
“They're going to do anything they can to hurt us...” – John Barrow [25:46]
“It's kind of a self-licking ice cream cone. It's like, the company that introduces the most vulnerabilities is also claiming to be a security company.” – John Barrow [32:21]
John Barrow:
"The key to success of a cyber program is all about having relationships of trust and strong internal and external partnerships... also balance your storytelling. Tell them all the good things your team’s doing... but also explain... there’s constant attempts." [36:52]
Derek Fisher:
"Stay curious... things change so rapidly... being able to stay curious and being able to stay nimble and being able to adapt to things as they change and getting yourself and your team prepared for that, I think is critical in security these days." [38:10]
For full stories and further discussion, visit CISOseries.com.