Department of Know: VoidLink threatens multi-cloud, flaw threatens Claude extension, China practices on infrastructure - Cybersecurity Headlines

Summary6 min read

Cybersecurity Headlines: Department of Know

Episode Date: February 17, 2026
Theme: Analyzing emerging multi-cloud threats, new AI and extension vulnerabilities, and the impact of evolving nation-state cyber activities on infrastructure resilience.

Episode Overview

This episode, hosted by Sarah Lane, features John Collins (Field CTO, Gigaom) and Adam Palmer (CISO, First Hawaiian Bank), exploring the rapidly transforming cybersecurity landscape. Main topics include:

The AI-generated VoidLink malware threatening multi-cloud environments
A high-risk flaw in Anthropic's Claude extension
How China's cyber range rehearsals are shifting attack preparedness and resilience
Ongoing debate about governance and policy lagging behind technology

Key Discussion Points & Insights

1. The "No or Know" Segment: Reacting to Current Threats

(Starts ~02:00)

SolarWinds Web Help Desk Vulnerabilities

Adam Palmer [02:29]: "Internet exposed internal administrative tools are a high risk... attackers reuse the trust relationship."
- Emphasizes exposure over brand—tools exposed to the internet are never really internal anymore.
John Collins [03:05]: Calls for broader reflection beyond SolarWinds—urges organizations to review every remote software package with internal access.

OpenClaw AI Agent Platform Vulnerabilities

John Collins [04:32]: "I think it's a not yet, if I'm honest ... It's more of a people thing than a technology thing."
- Warns that shadow AI risks are budding and need policy now, especially among dev teams.
Adam Palmer [05:20]: "Shadow AI is evolving faster than most security programs... focus should be bringing attention to visibility and governance."
- Stresses the speed at which ungoverned, powerful AI agents can proliferate inside organizations.

Intel TDX Vulnerabilities

Adam Palmer [07:14]: "Severity doesn't automatically equal urgency."
- Notes the importance of response context and that not all patched high-severity bugs are urgent for every org.
John Collins [08:06]: Relieved issues are patched upstream: "If this is literally, we found some stuff and we fixed it ... let's get on with our lives."

Google’s $32B Acquisition of Wiz (Cloud Security)

Adam Palmer [09:10]: Considers platform consolidation risks: "M&A can reshape risk quietly ... affects negotiation leverage and integrations."
John Collins [09:56]: Points out possible security architecture shifts if Google bundles Wiz’s kernel-based tools.

Notable Quote

"Market consolidation affects long-term platform dependencies and ... our negotiation leverage."
— Adam Palmer [09:10]

2. Deep Dive: Multi-Cloud Malware and AI-Generated Threats

(VoidLink segment starts ~12:40)

Context: VoidLink can persist across AWS, Azure, GCP, Alibaba, Tencent—using AI-written code, credential theft, and system fingerprinting.
AI-generated threat design: LLM-coded, little human review.

John Collins [13:08]:

"Everything’s moving faster than security policies and practices... any exploitable thing ... will be worked through one by one, very damn fast over the next six months. The velocity of this stuff is astounding." - Stresses urgent need for understanding software provenance and supply chain security.

Emphasizes that attackers are no longer limited by human speed—AI now enables methodical exploitation at scale.

Adam Palmer [14:39]:

"Attackers don’t care what cloud you’re in, they just care who they can impersonate. ... AI doesn’t make malware smarter, but it can make it cheaper and easier to produce." - Focuses on the efficiency and cross-cloud targetability of new malware.

Debate on Red Flags and Automation:

John Collins [16:09]: Reflects on the shift: “We’ve spent decades relying on attackers’ human limits... but now, every possible combination can be tried microsecond by microsecond.”
Describes a temporary “window” where attackers have more material than can be exploited—until automation closes that gap.

Adam Palmer [18:52]:

"The efficiency, the scale and the adaptation of attackers ... is likely to only increase." - Long-term concern is about malicious scalability, not just novelty.

3. Governance Gaps: Claude Extension Zero-Click Flaw

(Anthropic story ~20:45)

Flaw: Zero-click code execution on >10k Claude desktop extension users, triggered by malicious calendar events, no sandboxing.
Anthropic’s response: Declined to fix, says issue is outside threat model (it’s up to users to manage extension permissions).

John Collins [21:48]:

"Maybe contractually right, but ethically wrong... You can't just say, 'it's not the fault of the first system.'" - As integration and agentic approaches proliferate, vendors must assume responsibility for tool chaining risks.

Adam Palmer [23:25]:

"AI agents can't be treated like junior employees with superuser access... Automation without guardrails is really just accelerated risk." - Highlights the need for treating AI as privileged insiders with clear governance and monitoring.

Notable Quotes

"User consent alone is not what I would consider a sufficient threat model."
— Adam Palmer [23:25]

4. China’s Cyber Range Rehearsals: From Prevention to Resilience

(China cyber range segment ~24:35)

China uses the “Expedition Cloud” to simulate attacks on critical infrastructure across Asia, employing AI-driven automation.

Adam Palmer [25:29]:

"Cyber resilience is now part of national resilience... Focus shifts from perfect prevention to resilience, recovery, and coordination." - For organizations near military targets (like Hawaiian banks), cyber and geopolitical risks are intertwined.

Difference for Hawaii-based Institutions:

Adam Palmer [26:57]: "My threat landscape is the same as all the military operations that I share with..."
- Attacks against military targets are likely to “spill over” to local institutions due to network proximity.

Business-Critical Infrastructure Lessons (John Collins [28:06]):

"Not all infrastructure is national critical, but ask: what amounts to business critical? ... You can’t counter everything, but you can have a damn good think about the most likely attacks and how to mitigate or react to them." - Advocates for clear business continuity, disaster recovery (BCDR), and practical risk-register exercises.

5. Final Advice: Staying Ahead in a Rapidly Evolving Threat Landscape

(Advice wraps ~29:52)

John Collins [30:12]:

"The speed at which cyber is going to change over the next six months ... is staggering. You need speed of awareness, speed of action." - “Don’t be that guy” who ignores the oncoming wave—prepare now.

Adam Palmer [31:13]:

"Security is a trust function, not a technology stack. ... The CISOs that will be successful will be those who design trust and effective decision making into their programs." - "The future CISO should be and is a trust architect."

Notable Quotes & Memorable Moments

"Shadow AI is evolving faster than most security programs." – Adam Palmer [05:20]
"You can't just say ... it's not the fault of the first system. Everyone has to take some commit into that integration situation." – John Collins [21:48]
"Automation without guardrails is really just accelerated risk." – Adam Palmer [23:25]
"Cyber resilience is now part of national resilience." – Adam Palmer [25:29]
"Security is a trust function, not a technology stack." – Adam Palmer [31:13]
"Don’t be that guy, don’t be that girl ... Not only do you need to keep up to date, but you need speed of awareness, speed of action." – John Collins [30:12]

Segment Timestamps

| Segment/Topic | Timestamp | |--------------------------------------------------|------------| | Opening/CISO Priorities & Show Intro | 00:00–01:40| | No or Know: SolarWinds Web Help Desk | 02:00–03:50| | No or Know: OpenClaw AI Vulnerability | 03:49–06:25| | No or Know: Intel TDX Vulnerabilities | 06:25–08:31| | No or Know: Google Acquires Wiz | 08:31–11:15| | FEATURE: VoidLink AI-assisted Multi-cloud Malware| 12:40–19:27| | FEATURE: Claude Zero-Click Extension Vulnerability| 20:45–24:35| | FEATURE: China’s Cyber Range & National Resilience| 24:35–29:52| | Final Advice from Guests | 29:52–31:50|

Tone Summary

Insightful, practical, and candid — with both guests openly debating and agreeing the biggest concern is the accelerating gap between technological evolution and governance or policy adaptation. Repeated emphasis on the need for trust, governance, and practical risk response — not just technical fixes.

Takeaways for Security Leaders

Prepare for multi-cloud malware persistence at machine (not human) speed.
Do not rely solely on vendor boundaries or user consent—integrations expand your threat model.
Governance, risk prioritization, and trust-building are more vital than ever.
Shift focus: From pure prevention to resilience, especially amid nation-state activity.
Anticipate exponential change—act now, not later.

For full stories, insights, and links to guests, visit CISOseries.com.

Loading summary

Transcript61 lines

[00:00]
A
This is Sarah Lane with the department of no. John Collins, field CTO over at gigaom. What is your priority this week?
[00:10]
B
This week? Well, we're halfway through February and January kind of didn't happen. So it's just getting everything done that I meant to do before Christmas. So there's a lot of work on in this season.
[00:20]
A
I think a lot of people share that sentiment. Adam Palmer, CISO at First Hawaiian Bank. What's your priority this week?
[00:28]
C
Well, aloha, and this week I'm doing what most CISOs are doing. I'm trying to get ahead of next quarter's risks while still dealing with all of last quarter's surprises.
[00:40]
A
All right, well, sounds like you're both very busy people. We are excited to get into the show. Thank you so much for being with us. All right, producer Steve, let's run that opening from the CISO series. It's Department of no. Welcome one and all to the department of Know your Virtual Monday strategy meeting. Our sponsor today is Conveyor, the only trust center with an AI agent that completes questionnaires. Remember to get involved in our YouTube chat live. We broadcast every Monday at 4pm Eastern time. It's fun. You should join us or email us@feedbackisoseries.com with any feedback that you may have. Disclaimer. As always, opinions expressed are those of our guests. All right, we've got about 30 minutes. Let's dive in. We're gonna start with our no or no segment. Everybody knows how this works. We all know the rules. I'm gonna run through some stories from the past week and we want your quick take. John and Adam, do you care about it? Is this something that you know is keeping you up at night or is it a past? All right, so let's start with story number one. Attackers are exploiting vulnerabilities in SolarWinds web help desk. SolarWinds obviously been in the news quite a bit. According to Microsoft and Huntress, this is the latest, There are about 170 vulnerable systems online allowing attackers to use living off the land tools and remote management software to move laterally, deploy tunnels, forensic tools, and target high value assets. So it's another Solar Wind story because it completely won't end. But is this a no or a no? Let's start with you, Adam.
[02:30]
C
I think this is a no. K N O W. And this is really a classic example of why Internet exposed internal administrative tools are a high risk. The brand is really secondary. It's exposure here that's the real issue. Attackers reuse the trust relationship rather than brute force for the attack. So internal tools exposed to the Internet are never really internal.
[03:04]
A
All right, so John, what do you got?
[03:06]
B
Yeah, that's fair. I'd put it on a no as well, if that's a K N O W no. But what it says to me is it's, it's actually. I mean, I feel sorry for SolarWinds obviously, again, but this actually talks to every remote software package that people may be using and it's a good opportunity to review, to reflect on everything that's being used that could have internal access to systems and whether or not that's a valid interface to be using right now across all the operations tools. And there's probably 50 of them.
[03:50]
A
All right, well, let's get to our second story today. According to Security scorecard, more than 135,000 Internet exposed instances of the open source AI agent platform OpenClaw, we've heard a lot about OpenClaw lately, are vulnerable in part because the software listens to all network interference interfaces rather by default. And, and a lot of users just never change that setting. This could give attackers access to credentials, files, other sensitive data across both personal and corporate systems. Now, OpenClaw has gotten a lot of buzz in the news over the last week or so. John, do you think this is a no or a no?
[04:32]
B
I think it's a not yet, if I'm honest. I think we need to think carefully about how we're using these relatively new tools and it's still in user land and it's still very scary about the kind of consumerization of AI. Great opportunity to be doing what you should be doing anyway, which is to be putting policies in place around how people are using tools in the first place, such as these, particularly in your developer teams. And the risks that it's causing are probably relatively small at this point, but they need to be stamped upon now. But it's more of a people thing than it is a technology thing, because it ain't just this one.
[05:17]
A
Adam, is this something that you're concerned about within your own team?
[05:21]
C
So I will have a friendly disagreement with John and I will say this is a no, a K N o W. I believe this highlights shadow AI risk at scale, though. Powerful AI agents are deployed with insecure defaults and little governance, and it's outside, as often the case, outside of it security visibility. So if I could summarize my concern and why I think this is important is that shadow AI is evolving faster than most security programs. And for me, this story is more about governance, then it's about governance, but not slowing innovation. But the focus should be bringing attention to visibility and governance.
[06:15]
B
I think we're going to end up on violent agreement there. It's about getting those policies right right now across all of these tools. As you say, in the shadow AI.
[06:26]
A
Realm, very early days, there's a lot of hand wringing and a lot of fud, but. But a lot of folks who are on your side of the board trying to figure out, okay, how do these tools work for us without hindering us as well? All right, we got another story here. Google and intel found five vulnerabilities and more than 35 bugs in Intel's Trust Domain Extensions or TDX, a hardware based confidential computing feature designed to protect vulnerability virtual machines in cloud environments. It's always a bummer when the tools that we might be using for protection end up having vulnerabilities of their own. So, Adam, is this a no or a no?
[07:15]
C
I'm going to say a no and oh on this. And my reason is that this is technically serious, but it was responsibly disclosed and patched, so it's important to have that context. But it's not something that I would raise in a leadership meeting with a focus unless it was really there was confidentiality or something at the core of the business that was at risk. This is a good lesson that severity doesn't automatically equal urgency.
[07:53]
A
Yeah. I mean, if it doesn't affect your company, then, I mean, you care about it, you want to track it, but you're not necessarily going to scramble and do things differently as a result. John, how are your feelings here?
[08:06]
B
I get the impression that it was for intel to do the patching and they've done it, so hooray. Thank goodness. Because I hate patching. I've got enough things to patch and it always goes wrong. So if this is literally, we found some stuff when we fixed it and we can all get on with our lives. Let's get on with our lives. There's other things to be getting on with. All right, so it's a no from me.
[08:32]
A
I think it's an no across the board. All right. All right. Well, let's see where this one gets us. Google has secured unconditional EU antitrust approval for its $32 billion acquisition of Cloud security firm Wiz. Perhaps you've heard of it. Google's biggest ever deal, by the way. And that's saying something because that's Google. European regulators said the purchase wouldn't raise competition concerns because customers still have alternatives to Google in cloud infrastructure like from Amazon and Microsoft. Right. I mean Google's like, yay. Is this a no or a no story for you, Adam?
[09:11]
C
So I will say it's, it's a no K N o W and I will, I'm going to focus on the M and A aspect of it. And I believe looking at this, this is strategically relevant. Market consolidation affects long term platform dependencies and it also can affect as a ciso, it affects our negotiation leverage and how we integrate tools. So looking at it through that CISO lens, M and A really can reshape risk quietly, sometimes even more quietly than major incidents do and how we, how we manage our program.
[09:53]
A
John, what do you think?
[09:57]
B
Can I have a need to know like a no, but a no like but not everyone needs to know but they something in the middle somewhere? Well, because actually it's interesting at the architectural level as well because Wiz's model is kernel based and so you can do clever things within the, within the kernel that you can't do just by kind of having a outside in tooling. So it does affect how, how you would architect for security as well. If this is going to start being bundled within, within what Google's doing that that will affect the security architecture, the security platform architecture.
[10:44]
A
Is there anything from either of you, knowing what you know about Wiz that you would hope Google would either change or not change?
[10:52]
C
I think it's a great, strong company, a great technology and many of the capabilities that Wiz offers should be built in to some of the existing security offerings of Google. So I would hope that they continue.
[11:10]
A
Google doesn't trash that stuff.
[11:11]
B
The good stuff.
[11:12]
C
Exactly, exactly. I think it's a strong technology.
[11:15]
A
All right, well we have some other stories to talk about today, but before we get to that, we would like to thank our sponsor, Conveyor. If you ever dream of giving customers instant answers to their security questions without ever filling out another questionnaire, and you might say, yeah, that's me. Meet Conveyor's new Trust center agent. The agent lives in your Conveyor Trust center and answers every customer question, surfaces, documents and even completes full questionnaires instantly so customers can finish their review and be on their way. Top tech companies like Atlassian, Zapier and more are using Conveyor to automate away tedious work. Learn more@conveyor.com all right, let's get into some stories that deserve a little bit more of our attention this week. We're going to start with researchers add on to new on TINU rather that Analyzed a Linux based malware framework called Void Link that can persist across enterprise and multi cloud environments including aws, Azure, Google Cloud, Alibaba and Tencent. Kind of runs the gamut there. It steals credentials, fingerprint systems, escapes containers and hides at the kernel level while using encrypted traffic that mimics normal web activity. Analysts say the code shows clear signs of AI assisted development with leftover debug logs and structured phase labels suggesting it was generated by an LLM with limited human review. All right, so question for both John and Adam here. You get the LLM, limited human review. Sounds dangerous. We're seeing increasing amounts of AI assisted so called evil doing inside the enterprise. It's got to have a lot of folks spooked. What does this announcement mean for you? John, we'll start with you.
[13:08]
B
I'm going to go back to something that Adam said earlier, which is that everything's moving faster than security policies and practices.
[13:19]
C
And.
[13:21]
B
What we're seeing, all the great news around Claude code and about very exciting things you can do with vibe coding and so on, pluses, minuses on that side is we're at a juncture, just reading about it recently where AI is starting to generate AI and AI is starting to generate code, et cetera, and it's already being exploited by the bad guys. We cannot afford to not understand our provenance of software, our security supply chain. And that's what I would be looking at immediately and locking down as best as I can, because any exploitable thing, any holes I've left in my environment are literally algorithmically and methodologically going to be worked through one by one very damn fast over the next six months. The velocity of this stuff is astounding. So we've got to move really fast to get ahead of knowing what we've got in our environment and knowing what needs fixing, because the bad guys aren't going to hang around.
[14:28]
A
Well, and Adam, in your experience, what does that look like when you're saying, all right, we know there's something that could potentially affect us. Where do you start?
[14:39]
C
So I would start by saying that attackers. What I believe this story tells us is that attackers don't care what cloud you're in, they just care who they can impersonate. And I would also add that AI doesn't make malware smarter, but it can make it cheaper and easier to produce. So when I read this, I believe it matters fundamentally because it reflects a structural change in attacker assumptions that we may make. Malware is really designed here to persist across multiple cloud environments. It tells us that the adversaries again don't respect boundaries or provider boundaries. Not that they did before, but even more so now. And that AI assisted development again isn't about right now necessarily increased intelligence, but it's about efficiency, it's about speed and it's about scale. So for me what matters about this story is attacker efficiency, not necessarily novelty.
[15:46]
A
And if it was generated by an LLM with, I mean a human had to be involved at some point. Right. But well, talk to me in a week. Maybe things will change between now and then. But. Does it raise any new red flags saying I see what's going on here. This doesn't even sound human originated.
[16:10]
B
I think the open door is the fact that we've spent 30, 40, 50 years building things with a certain reliance on the fact that the bad guys are all limited by their own humanity if you like. There's only so much you can do in a day and so any problems that's going to be found generally it operates at human speed. I mean there's exceptions to that and there's libraries built and so on and so forth.
[16:36]
A
But yeah, it was all came from human brains for good or bad right at human pace.
[16:43]
B
But when you can try every single possible combination of keys, you know, very Matrix 2 like you've got the, the whole wall of options and you're just going to try them one by one, microsecond by microsecond, you'll get in one way or another. The, the only upside, if I can just hold on to the baton, I know that you know, if this is about stealing credentials, they got so many credentials already. Yeah, there's, there's more ransomware credentials already stored than there is people available to, to, to exploit them. But that'll go away as well. So the fact that there's more material to, to exploit is also going to be automated. So there's a window between those two automations.
[17:36]
A
And when you say that'll go away, what do you mean?
[17:41]
B
When I spoke to for example the, the head of Cyber Security, National Cyber Security Agency, he said the attackers, when they do a ransomware attack these days if people don't pay, they just move on because they, there's, there's more, there's more easily exploitable sites than there are attackers to attack. If you, then there are more attacking parties. They got, they, they got too much to do. They, they, they're pigs in muck. They, they, the attackers. So in some ways it's less as it used to be about car Crashes only ever happened to other people and you hope to security by obscurity. We've moved away from that now. This is not security by obscurity. It can happen to you, but the risk of something bad happening because you've been attacked is less than it's going to be in six months time because they don't have the algorithms to exploit the things that they've already attacked. If you like, Adam, do you think.
[18:48]
A
That they're going to get those algorithms anytime soon?
[18:53]
C
It's difficult to predict how things are evolving because so quickly. But I will say my overall view is, again, this is, this is important for security leaders to pay attention because of the efficiency, the scale and the adaptation of attackers and across different cloud boundaries. But again, it's not so much that it's novel and unique as to what they're trying, but rather the efficiency with which they're doing that. And I believe that is likely to only increase.
[19:28]
B
Well, and if I could, if I can jump in one last thing, if we've got time. But Adam, I don't know what your experience is like, but when I was trying to get money to fix stuff or to train people or whatever, I'd have the conversation with the CFO and they'd say, do I have to do this? And I'd be like, well, maybe, yeah, I think so. And if I couldn't say, yes, absolutely, I couldn't get the money because there was.
[19:50]
A
Scare them into it.
[19:51]
B
There was so many priorities. So we need to get this to scale level one or, or whatever the, the right scale level is it so that when I can go to the CFO and say, and they say, do I have to do this? You say, yeah, absolutely. Look at the, look at the wasteland out there that this is causing and you need to do something about it now. And until I can have that conversation. So we need to turn this into evidence, if you like. Not just there. There's a potential attack, but this attack is causing companies to fall down left, right and center. And until we get that, then we won't necessarily have the resources to deal with it.
[20:32]
C
That's exactly right. I was going to say prioritization and explaining risk in business terms is exactly how a CISO earns value.
[20:44]
A
We've got another story here. This is an interesting one. Anthropic related. It has nothing to do with super bowl ads. Layer X researchers found a zero click vulnerability in Claude desktop extension that could let attackers execute code on a victim system using a malicious Google Calendar event affecting more than 10,000 users and earning a coveted CBSS 10.0 rating. The flaw stems from how the extension chains chain tools together with full system privileges and no sandboxing, letting low risk inputs trigger high risk actions. Layer X says Anthropic declined to fix it because based on the fact that the issue falls outside its threat model because users they choose which extensions and permissions to enable. Anthropic says that's not on us. All right, so this is a big question for you, John and Adam. Interesting answer. Does it fall outside the threat model and does that bother you? Is Anthropic in the right or the wrong here? What do you think, John?
[21:49]
B
Maybe contractually right, but ethically wrong? I think it's inexcusable for people to say nana, it's sorry, it's outside my jurisdiction when you're dealing with these complex chains of tools. Because this is how we're going. As we move into agentic approaches, literally everything is going to be changed. I'm going to be joining this database to that service, to that MCP server, whatever, and chaining is going to be the norm. And so we need to have organizers, we need to have vendors on our side looking at how they interface with other with other systems and how I can remember back when I was a programmer the biggest juiciest problems were always integration problems where something going wrong in one system would trigger something happening in the other system. You can't just say, well it's not the fault of the first system. Everyone has to take some commit into that integration situation. So I don't think it's acceptable from Anthropic on this occasion.
[23:02]
A
Now Adam, John was just talking about the fact that sometimes you have to really make sure that the CTO or whoever is writing checks knows that something is a very big deal before it gets fixed. If Anthropic doesn't have the capacity or the money for this, the money part I doubt, but what do they do?
[23:26]
C
So I'll just say I agree with what John John's comment. And AI agents can't be treated like junior employees with super user access. And I think these stories and this taken together for me, they expose a governance gap. The AI agents are being granted authority to act, to chain tools, to access files, to execute without enterprise level accountability. User consent alone is not what I would consider a sufficient threat model. AI agents really need to be treated as privileged insiders with explicit clear authority, monitoring and power by the security team for revocation. I'll just close and summarize that by saying that my takeaway from this is that automation without guardrails is really just accelerated risk.
[24:35]
A
Well said. All right, well, we've got some leaked technical documents reviewed by recorded future showing China using a secret cyber range platform called Expedition Cloud to rehearse attacks on the critical infrastructure of nearby countries. The system replicates real world power transport and smart home networks, letting reconnaissance and attack teams practice operations and analyze results in detail, potentially with AI assisted automation. The platform suggests state sponsorship and potential evidence of China preparing offensive cyber campaigns despite official denials. So officials saying, no, we're not doing this. But that isn't always true depending on what, what state sponsored actor you're talking to. All right, so Adam, how much does this, does this affect you? And, and are you worried about it?
[25:30]
C
Oh, as a CISO based in a small island where the headquarters for the US Pacific Fleet is also based, I'm very aware that cyber resilience is now part of national resilience. Certainly in the case of the United States and for our bank, this story really matters because it shows preparation and it's not just a prediction. Cyber operations are really now being rehearsed and embedded into the national strategy of governments. And this shifts our focus as a CISO from perfect prevention, trying to block every attack, to really focusing on resilience, recovery and coordination. I also attend regular meetings with government authorities to recognizing that our bank is very likely to be impacted by any attacks, also against military and government targets within the area where we operate.
[26:40]
A
What would you say, and this is just a question I also have, but if anyone says, all right, well, so how would Hawaii based bank have to deal with things differently than the rest of the US or anywhere else in the world? What is different? What do you have to remind people of?
[26:58]
C
What I'm keenly aware, again, is that my threat landscape is the same as all of the military operations that I share with and that attacks against a military target are very likely to impact our bank as well. Just given our geographic and shared networks, we're also on an island, so we're inherently remote and vulnerable. And so geopolitical concerns, attacks, threats against issues against like Taiwan and others. If a war were to break out in the Pacific region, it's almost certain that our bank's cyber operations would be impacted. So my focus and goal is not about zero incidents, but it's ensuring that in a worst case scenario that their survivability.
[27:52]
A
John, we've been talking about nation states like China taking advantage of overworked infrastructure ot system environments. So how does this story make you feel. I know you're not in Hawaii, but you obviously have thoughts.
[28:06]
B
I'm living on an island and I live not far from GCHQ in Cheltenham because I used to work there. So I'm familiar with the, the challenges. I think that there's a lesson that all organizations can take from this, that not all infrastructure is critical, national critical infrastructure. But it's certainly worth asking yourself the question, which parts of our infrastructure do amount to being business critical? And ultimately then you've just got the risk register question, what are the kinds of attacks that might cause something, probability times impact, high impact on that part of the infrastructure and then how can we mitigate against that? A mitigation, as you intimate, Adam, might be, well, we can prevent attacks from happening or we can reduce the risk of attacks from happening or, or we can simply just know that we can pick it up and get going again. So clean room, backup environments, for example, knowing that your data is safe and secure or a copy of your data is safe and secure and untampered with somewhere else that you can then flip to. So just good BCDR practice applies here as well. And you can't counter for, I mean, we couldn't counter for coronavirus. Right. You can't counter for everything, but you can certainly have a damn good think about what are the most likely attacks and how to mitigate them and then how to react to them.
[29:52]
A
Well, that actually sets us up very nicely for a little advice that both of you have going into this week that we just started out as we close today's standup. What big piece of advice you had to pick? One. Just what's on your mind? Do you want to share with our audience? John Collins, you first.
[30:12]
B
Okay. So you know the film where you see the person messing around and you know the big waves coming or the big fire's coming or so and so forth and you know they're going to get it. Yeah, don't be that guy, don't be that girl. The speed at which Cyber is going to change over the next six months, year, 18 months, is going to be staggering. And so not only do you need to keep up to date, but you need to and have speed of awareness, speed of action in terms of the kinds of attacks that are literally just over the horizon right now. They're coming pretty fast.
[30:54]
A
Yeah. It's not just run from that wave, but don't get near that wave in the first place.
[30:59]
B
Just start preparing because winter is coming. Sorry. That's the cheery advice for the, for the spring.
[31:06]
A
But hey, you know this is advice, right? Adam Palmer, do you have similar advice or something different?
[31:14]
C
My advice would be for CISOs to be focused that security is a trust function, not a technology stack. And across I think all the topics that we discussed, the common theme that I would highlight is governance. Technology is evolving faster than accountability. And the CISOs that will be successful will be those who design trust and effective decision making into their programs. And I would summarize that and say that the future CISO should be and is a trust architect.
[31:50]
A
Well, we want to thank everyone in our audience for following along. Some of you are watching and listening live, some of you after the fact. But thank you for being with us. This was a lot of fun. Thank you very much to our guest, John Collins Field, CTO at gigaom and Adam Palmer, CISO at First Hawaiian Bank. We will have links to both of their LinkedIn information in our show notes. They're very smart people. You would probably like to connect with them. Thank you. Also to our sponsor, Conveyor, the only trust center with an AI agent that completes questionnaires. Remember, you can send us feedback anytime. Feedbackisoseries.com, we really want to hear from you. And join us again next Monday, 4pm Eastern for another edition of the Department of New to register for the live show on YouTube, just go to CISO series.com and click on Events. I am Sarah Lane. I want you to stay classy and secure. Thanks for joining our Monday standup. Have a great week. Cybersecurity headlines are available every week. Weekday head to cisoseries.com for the full stories. Behind the headlines.