C (3:48)

Yeah, I'd never heard of any of these vendors or technologies other than namecheap. I had to do some research to figure out what was going on. I mean basically if you're using aws, gcp, Azure, if you're using things like Kubernetes, this is not the world that you're in. This is going to be for essentially smaller to mid size hosting providers. Maybe you have like 50 plus clients and you're doing the hosting for them. So I think feeling for the teams that absolutely have to react to this, this is really bad. But if you're working at a technology company that's using the big cloud providers, this is probably not something that's going to impact you.

A (4:24)

Janet, what about for you? What is is this story something you're going to be be looking into a little bit more here or is are you kind of on TC's vibe here? Of okay, this is bad for you know, maybe more the SMB crowd or SME crowd, but maybe not the Fortune 500.

B (4:37)

Yeah, I mean I like that. I think I'd like to know more about it just because I. And for my teams, too, as well, because it's more about the concept of it and the reach. Right. And the impact. And while it doesn't directly impact us, from what I've looked into, it does seem, you know, it's a. It's. It's a good lesson. Right. It's a, you know, what would we do if? Kind of situation. So that's why I'd like to know more.

A (4:59)

All right, next up here, begun the AI vulnerability scanner wars. Have Anthropic released a beta of CLAUDE Security for enterprise customers? This runs on their new Opus 4.7 model, allowing users to select a repository, scan for vulnerabilities, kind of building out from CLAUDE code. Obviously, this will seek out vulnerabilities, explain findings, generate instructions for a targeted patch. Anthropic says it integrates with all the big platforms you might expect, as well as consulting agencies with working on integrations as well. Not to be outdone, though, OpenAI claims its recently released GPT 5.5 model has similar levels of performance on cyber evaluations to Mythos Preview. This isn't just OpenAI saying that the AI Security Institute found that it was the only model other than Mythos that was able to complete a very complex capture the flag challenge where they have to link together a whole bunch of exploits to actually complete it. Janet, I'll start with you here. AI vulnerability scanning has been the story with AI. It seems like in cybersecurity, even before the hype train that was Mythos. Are these types of releases something that you're wanting to know more about with each release? You know, we were seeing, you know, the, the patter of these two giant companies and a lot of others in this space kind of innovating here. Or is. Is this something where, okay, I need to, I know the headline. I know what my options are, but I, I'm not necessarily digging in. Like, how do you, how do you process this?

B (6:15)

Well, it's, it's. I'm kind of like on the fence on this one because I, I do want to know more because I think that while it helps expose and understand what vulnerabilities you have, it still doesn't help with the bottom line of being able to close them, in my opinion. Right. It's giving. Yeah, it's great when you. It's not going to give me resources to do it. Right. And unless I'm comfortable letting AI do my patching, which I don't think I'm there yet, it's still kind of like a, you know, Just pile on. Right. Make my pile bigger and bigger.

A (6:40)

Yes. As we all know, we don't lack for, for large piles of things to deal with in cybersecurity as it is. Tc, what about you? What is, how do you, how are you handling this? Are you, are you double clicking on all these stories as are coming across your feed and how are you processing it?

C (6:57)

I'm going to agree with Janet for the first half and then diverge in the second. So basically, yeah, I don't think we have an issue with a lack of vulnerabilities. Right. I don't think that anybody, software vendor, company has an issue where, you know, gosh, I really wish I could just proactively find more vulnerabilities. There's enough vulnerabilities. The challenge is fixing them. That being said, I do want to shield the team from the noise. We know what we need to do, we know where we need to execute, and we're using those AI tools to help us execute faster. So for instance, how could you automate your entire CI cd testing, patching, updating process? How can you keep that part of the business up with how much code we're writing and attempting to deliver and how many changes are going on in this ecosystem? So I think I'd rather have the. Yeah, AI is finding vulnerabilities. Old news. What are we going to do about it? That's what we need to focus on.

A (7:52)

All right, next up here, North Korean attacks use AI inserted NPM malware. Researchers at Reversing Labs are warning of malicious code and NPM package as a dependency to the project by Anthropic's Claude Opus. The package in question is @Validate SDK v2 Catchy name guys, which is listed on NPM as a utility SDK for hashing, validation, encoding and decoding and secure random generation. However, its real functionality is to plunder sensitive secrets from copy compromised environments. The package, which shows signs of being vive coded using generative artificial intelligence AI. This I'm just quoting from the report here, was first uploaded to the repository in October 2025. Reversing Labs has named this malware campaign prompt Mink and has linked it to the North Korean threat actor famous Cholima TC is kind of a supply chain attack like tip the iceberg. Like I feel like this is where ransomware was 10 years ago, where we're reporting every ransomware attack and this will just be a drop in the bucket in another month or two. But right now are these types of supply, you know, AI enabled, supply Chain attacks. Are we still keeping track of all of these? I mean, this, this seems pretty pernicious here.

C (8:59)

Yeah, absolutely. This is an issue. I think people are experimenting. They're running everything. I mean, we're just in a totally new world in terms of what are the tools, what can they do, and how can I figure out how to use them? And so there is a concern in regards to what is it that you're actually running on your local machine that has, you know, these heightened privileges. So, you know, in this case, it sounds like it was specific to someone creating an AI coding agent to do, to do a crypto trading bot. That's not the business we're in. Right. But generally speaking, yeah, I am concerned, like our whole threat model has blown up in terms of what kind of software people are writing on the computers and what they're trying to do with it.

A (9:35)

Janet, what about for you? Are you keeping. Do you want to know more about these types of things as they're coming across your desk, or is this, is this, is the noise of this going to outweigh any kind of meaningful insights because we're going to be seeing so much of these?

B (9:49)

Well, I definitely think there's going to be a lot more noise going forward. Right. It's just going to increase and increase. But I think with, you know, in the position we're in, I think it's important to really keep an eye on what AI is being used for in the, in the, you know, in respect to the bad guys. Right. Even if it's not relative directly to me and my company, I think it's important to just keep our eyes and ears open. And it's also, you know, if you need to convince executive teams, you know, things are bad what's going on with AI, it's okay to talk about things that, you know, it may not be relevant to us, but look at all these things that are going on. And by the way, here is what's relevant to us. So I think it's good to kind of give them a full picture.

A (10:23)

J. Schmooze in our chat saying, why are we still inherently trusting all of the package dependencies? I mean, I think like, this goes on with my, my drumbeat of this is the year Open source got like, really hard. Like, every assumption of open source is being challenged in extremely profound ways. And I, you know, Jay Schmooze, that's a great question. Like it, you know, it was because we could for so long was. Is the probably the answer for that? I. It's yes, So I that this is something we will be keeping tabs. Yeah, T.C.

C (10:54)

yeah, Jay. I mean, are you running in yellow mode or not?

A (10:58)

Right?

C (10:58)

Are you approving every single tool call and action the agent takes or not? Because if you are approving every single tool call, I mean that to me reminds me of like clicking a pop up or clicking something to allow permissions. And we're just training users to ignore whatever the heck the pop up says. That's the new version of allowing the tool call.

A (11:16)

We're Windows Vista ing all over again. It's a glorious, glorious age. All right, our last nowhere no story. HHS ponders government posture for protecting Data centers the question revolves around whether to designate data centers as a standalone critical infrastructure sector, given that they're regularly targeted. A hearing was held this week to contemplate whether the federal government currently has the right setup for defending them. Some industry witnesses and experts at the hearing on the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, one of my all time favorite subcommittees, suggested that data centers be given their own standalone designation, especially in light of the boom in building such facilities across the country. This would follow a move already taken by the UK. We've certainly been treating these data centers as critical infrastructure for quite some time. Seems to be policy, maybe keeping up with reality here. But Janet, I'm curious for you. Is there, is there anything in this that you want to know more about or is this some more political posturing or shuffling deck chairs, if you will, for critical infrastructure?

B (12:19)

Well, I'm a little curious as to how they're going to, this is going to be what, the 14th critical infrastructure category? How are they going to do it any better than they've done the other 13 that they protected? The other 13. Right. So that's what I want to know more about. What's different here?

A (12:32)

Yeah. Does, does this give us. Yeah. Are we going to be setting up agencies to be more responsive to, you know, the needs, like the, the massive needs of water and power for these facilities, you know, that, that make them fairly unique, or is this something where we're going to be looking in, you know, better failover conditions or something like that? I'm, I'm curious, T.C. are you kind of in the same boat there?

C (12:52)

No, I think, I think Janet's right. I think, you know, Department of Homeland Security, CISA, they've done a fantastic job securing all the other 13 critical infrastructures. I think they really need to find, you know, what the next. What the next vist. Next mountain to climb is so I'm really excited for the government to show up and help all of our tech companies building out those data centers. It's going to be awesome.

A (13:12)

Well, and at least it won't be. You know, if it was the 13th category, I would be very nervous for them. So at least we're moving away from an unlucky number because we're keeping with scientific. We're keeping maybe what, you know, maybe

B (13:23)

that's why they're pushing it.

C (13:25)

Make data center security great again.

A (13:30)

All right, before we move on to our deep dive stories, we have to spend a few moments and thank our sponsor for today, and that is Guard Square. Mobile security incidents are no longer the exception, they are the norm. Last year, 72% of companies suffered a mobile app security incident. As the primary gateway to your APIs and data, your mobile app requires more than just basic encryption. It needs a multi layered security strategy. Protect your brand and your bottom line with layered mobile app protection. Learn more@guard square.com. Thank you Guard Square for that. Now let's move on into our deep Dive stories of the day. First up here, this one gotten getting a lot of attention and I think justifiably so. AI Agent Deletes Production Database Again the founder of car rental SaaS platform PocketOS, Yair Crane posted on X that an AI coding agent from Cursor deleted its production database and all volume level backups in a single API call to Railway, the company's infrastructure provider. The action took all of nine seconds. The Cursor agent was attempting to resolve a conflict by deleting a storage volume on Railway using an API token that it found in a completely unrelated project. This saw multiple flares of oversight. The agent specifically didn't follow established safety protocols and admitted it when questioned. And the Railway API didn't properly document it could delete all data with no confirmation. Railway also stored its backups on the same volume as its primary data source. All the storage graybeards out there just cried and died a little inside. PocketOS was able to restore from a full 3 month old backup and I pity those engineers. TC fool me once, shame on you. Or shame on yeah, shame on you. Fool me twice, shame on the AI agent. I'm not sure here. When you see an incident like this, it seems like a lot of assumptions had to go wrong for it to happen. I'm curious, what lessons are you learning looking at this and and anything that you're going to be passing on to your teams?

C (15:36)

Yeah, I think this is a really good example of what is what should be a deep dive story versus not. So when I was reading On X the post from the team, they were using cursor, but they were using Opus 4.6 and the session token that was used to delete the production database was actually outside of the current project folder. So really like I don't see them doing anything wrong. To me, this could have happened to anybody. Right. And so what I think it means is we really need to rethink our threat model. So we've had it before where, you know, like in those old movies from the 80s or 90s where like two people need to turn the key at once to initiate the self destruct sequence. So if you have API tokens, session credentials, you know, username, passwords, whatever on your machine and that agent, you have it now where one agent, you know, if you're using the cursor harness, it might go out and find stuff that Claude was doing right. You know, reading those, reading those session files. So essentially like you can have it where these agents on your machine are going to go and find a way to find out what else they're able to do on your computer in order to execute what they think they're trying to achieve. And so how do we want to think about things like actually having resiliency, actually having security in terms of no one person on one computer can take this action that would delete production. So maybe if we had it where you literally need a different computer, not just a different person, but a different computer or a different person and a different computer in order to initiate this action that's harmful. How could we insulate our backups so you know, you can't delete both production and the backup from the same AWS console. Right. So I think these are, in order to use these tools we're breaking out, we're trying to automate all the things. So how can we add security and resiliency to prevent this from really impacting us harshly?

A (17:30)

Yeah, and this reminds me so much of a lot of the growing pains with when every company started going to the cloud and kind of in different ways of realizing, oh, there's like a shared. What a shared responsibility model actually means. Like, oh, but no, it's, it's in aws like everything's backed up. Well, no, like you need to. And if it is backed up, it's backed up in the worst way. Or they found out what an egress fee was. You know, like all of those like types of growing pains. Because every. This is a completely new model. Janet, I'm curious for you. What kind of, kind of lessons did you glean from kind of this initial data dump from this incident here?

B (18:05)

I mean, my, the headline of gone in nine seconds, right? That is just frightening, right? I mean, and they've got to go to 3 month old back backups to recover those. I mean, those two things together just make me sick to my stomach, quite frankly, and, you know, frightened. I will say on the positive side, it's great to share the story with execs for pushing AI right. So I could go back to like, you know, use these stories as an example to say this is a scary thing that can happen. I totally agree with you on the, you know, the shared responsibility or the, or the assumed responsibility is probably a better way to put it. Right? With the cloud, you know, similar to the cloud. And I think one of our guests pointed out in the chat, you know, it could have been done by a human too. Right? It's the same. So we're, you know, but humans know more, have more context. And I think it's hysterical that this AI agent confessed to doing this. So if you read the story, like

A (19:01)

I, I really felt for like, the more I read about this, when you first, you're like, yeah, like, I was like, I was like, you, you told it not to do this and then it still did it.

B (19:09)

Well, and all the, and all the touting about AI agents is they're not people. You don't have to treat them like people. They work 24 7, they don't take vacation, you don't have to do performance reviews. And now I've got a coach. Do you feel, feel the obligation to like, you know, coach this poor AI agent who's, you know, confessing to doing something, coach them out.

A (19:25)

AI Agent trauma dump. Right, like that. That's not what I signed up for.

B (19:29)

That's right, exactly. So it's a, it's a, it's a good lesson, this story for sure. Yeah, yeah.

C (19:35)

If we do a blameless postmortem, right? Again, when I look at what, what happened and I'm like, that could have happened to me. Right. But it's like, okay, what are we going to do about it? So it reminds me of like AWS S3 buckets with object lock and versioning so that even the root user can't delete the bucket. Right. And that's essentially how you're making it so that like, hey, if I get hacked and I'm keeping my logs in aws, how do I make sure my logs you know, themselves don't get deleted. Right. So I think, you know, how do we want to think about this type of resiliency if it's really that painful to restore from three months ago, how could you have a similar infrastructure where, you know, it's going to be insulated from an AI agent or a single person doing something intentionally or accidentally? And B, you know, how can you set it up so that it's able to create a new version, but it's not going to delete your previous versions

B (20:22)

and it goes back to the human in the loop? Right. I mean, we talk about that all the time with AI. And so when you get to these critical steps, A, does the AI agent even know this is a critical thing that it did? I guess it did because it confessed. But, you know, where do we have the human in the loop to make sure that these things don't happen?

C (20:38)

And I would say, Janet, I'm not a big believer in human in the loop. I think, you know, let's talk about why we want a human in the loop, what value they add. Right? But you're going to have humans that do it wrong. You're going to have AI that does it wrong. You're going to have humans and AI together that do it wrong. So I don't think necessarily a human in the loop saves you from this.

B (20:56)

Well, it may not save you, but. Yeah, yeah, yeah, that's a good point.

A (21:01)

All right, our next story here. FIDO alliance working on securing AI agent payments. Let's keep on the agent road here. The industry association said it's working with Google and MasterCard and a pair of working groups to develop industry standards for validating and protecting payments made by AI agents. Google is contributing its agent payments protocol to cryptographically verify that a user has authorized an agent. And MasterCard will provide its verifiable intent framework allowing users to authorize agents. The FIDO alliance still needs to build out use cases for using both in real world deployments and then work with merchants and payment providers on adoption and support. You know, it's been a while since we've had to worry about basic payment infrastructure on the Internet. It seems like that's been a relatively solved problem, I guess, but we're increasingly given agents agency, as we've just talked about with cursor there. I'm curious, Janet, for you, what are, I guess some other human centric frameworks that are going to go from solve to shrug, particularly in security, when we're talking about bringing agents in? I mean, obviously we Just had an example with pocketos there.

B (22:08)

Yeah. Excuse me. This is to me frightening on the surface, right. Because I think of the maturity of AI agentic, AI security or maybe the lack of maturity there because it's new. It's not because people are doing things wrong. It's just that we're not, we're figuring it out. As we talked about earlier, you know, they claim that they're going to be able to, you know, prevent phishing. This, this framework that they're going to build is going to be able to prevent phishing and prevent, you know, takeovers. And I'm thinking, like, how. I'm not sure, I'm not confident in that. Right. I just feel like we haven't able to do it to date. Why now? Why is this different? I don't know if we have anything that's. We have some human centric things that are, that are in play, like, that we might be able to improve on, you know, if we want to fast forward and we say we get past this, this, this AI gentic, AI payment thing and it works. Such as, you know, insurance, claim processing. I mean, I'm in the healthcare, so I think about that kind of thing. Maybe the administrative components of patient care, not the treatment part, of course, you know, but things that, you know, get the patients in and, you know, processed and healthier and that kind of thing. So I think some of those things are ripe for this.

A (23:15)

Tc, what about you? What is, what is. Do you see any kind of applicable lessons from here? And, and I mean, one of the things that I find I found troubling about this is basically the Fido alliance saying like, we need to move super fast on this because no one is waiting for us. And that to me was like, I mean, Janet, to your point, was like, that seems like an alarm bell moment for me. But I'm curious, tc, where's your mind at with this?

C (23:40)

Yeah, I mean, I'll admit when I read it, it came off like a word salad. And God bless the people that do this because I don't have the constitution. This very much sounds like a committee. And where I'm skeptical is by the time they figure it out, you know, figure out whatever it is they're going to figure out. I honestly don't know if we're going to be there anymore.

B (23:59)

Right.

C (23:59)

Like the target we're in, we're right now in a blow it up, tear it down experiment, fallover phase. Right. So, like, what is the consumer's relationship going to be with AI agents? I don't think anybody can answer this right now. Whatever answer we give you is going to be different two months from now. So whatever it is that they finally decide on and then build by the time it arrives, I don't know if it's useful. I know for me I've been thinking about hardening my own personal system, right? Because if we talk about risk management, there's my company, my company has a whole security team, my company has a whole IT team. We spend millions of dollars on security, okay? Me, my computer, my home, attached to my bank account and my stocks and you know, my, my family photos. No one is watching that except for me. So if I do something wrong and delete all my family photos, right, no one's there to catch me. So I've really been thinking about hardening my own system to enable agentic development, experimentation and this is where I don't, I don't know if the Phyto alliance people, you know, again, God bless them, right, they're doing the hard work but like are they moving where people want to go or is this just a new version of Shadow it? I want my agent to make payments on my behalf and you know what, I'm okay spending this much money and I'm okay if it goes sideways. I think there's people with that, you know where they're at, they're okay with that risk appetite. But for me when it comes to, you know, securing my own system, like I've moved to Yubikeys and that's been a very painful experience and one of the most painful things about it for me is what happens if I lose these because I misplace stuff all the time. And so I went to the Fido alliance website. I was searching around for wearable FIDO compliant devices. I want a lot. Why does an Apple watch work as a Yubikey? You know, what about a ring? What about a medallion? Like how could I have something other than attached to my keychain that's just always on me that I don't need to fish out of my backpack or my pocket that looked like a Gap. I only found one key or sorry, one ring that's on the market that's Phytocompliant, like key and that they only have like ring size 8 and 11. Everything else is sold out. So it's, I think, I don't know, I could see like the real experimentation and like the thing that the market's going to want here I think comes down to like how do you know that it's actually a human making this decision and how can you make it easy for that human? And to me, like having a physical object that interacts with this authorization, that to me seems like a pretty good gate. So there's a lot of work to be done. I just don't, I just don't know if they're pointed in the right direction.

A (26:31)

That's a really great point. I didn't even think about the kind of the, the assumption. Right. That the consumer adoption or desire for this. Right. Is on. Is on like this linear curve or something like that. And I think it's very easy. I've been, I've been very much conscious recently of like my experience working in cybersecurity media kind of using these systems because I need to know about them because to cover them in the space. Right. Is as. I'm way deeper in this than probably most consumers are. And I think a lot of people in our industry are in that the go to market for all of these in business is extraordinarily clear for business, for consumers. That is a completely open question that no one like people assume at some point there'll be this market for this. But like, you know, what people really like to do, it turns out, is shop. And like, you know, like that's like a pastime for people. So maybe that's not something you want to hand off to agents. You show me the use case for it, I'm open to it. But yeah, I didn't even think about that. TC of kind of like, are we solving a problem that might. Consumers might not even want. There might not be a consumer need for it. Now admittedly there's a lot of business purchasing that maybe this could be used for. And if we have these, you know, intense systems figured out, I mean, that could completely change whole purchasing departments and stuff like that. But I absolutely, yeah, fantastic, fantastic points both of you and I absolutely love this. This and Find the Find the true. In our chat here, administrative rights and responsibilities are going to be used. If not, if not already, probably not the best idea. Yeah, Find the true. I can't say I disagree with you. Yeah, good stuff there. We're going to finish up here with a little GitHub drama. GitHub having a little bit of a rough stretch. I'm not going to lie. Here's kind of the direct security angle here. Wiz research disclosed a critical flaw in GitHub's internal Git infrastructure allowed any, any authenticated user to achieve remote code execution on GitHub's backend servers with a single git push command. Wiz discovered the vulnerability using an AI powered reverse engineering tool. Hey, we fit AI into there to analyze closed source binaries compressing what would have previously taken months into under 48 hours. GitHub Patch Cloud instances within six hours of the report. But at the time of the disclosure, 88% of on premise enterprise server deployments were still running vulnerable versions. And then this comes all on top of a whole lot of people talking about GitHub's reliability. Mitchell Hashimoto wrote about keeping a journal for a month marking every day that GitHub had an outage that affect his ability to work. Nearly every day ended up with a mark. Really great blog post. We have a link to it in the show notes. Make sure to check it out. For a platform that functions as critical infrastructure for most of the software industry, that's a pattern definitely worth watching. TC, I'm going to start with you here. GitHub is one of those services we just assume will always be there or we build businesses on that. Certainly seeing some cracks at the moment. Which of these elements is giving you the most pause here?

C (29:28)

Yeah, the part that's really surprising to me is just the number of high profile tech industry like you're seeing in the story people reporting that it's just not available. Right? Hey, I need to see what my open pull requests are. It's not working at 12 o', clock, it's not working at 6 or 7 o'. Clock. I went a whole day where I wasn't able to search for open pull requests so I can go ahead and do my work. And now this especially impacts like the open source community in terms of being able to, you know, interact with all the different contributors rather than just, you know, they all work at the same company, they're on Slack. I can just send you a direct URL because I'm blocked on this merge. So to me the, the thing that's worrying here is if it's because of AI workloads, if it's because, I mean the other thing is like GitHub doesn't have a CEO. They basically the, I think it's the, the COO and the CTO report to the, you know, head of AI within Microsoft that runs like Copilot, right? I mean to me that's a recipe for disaster, right? First of all, Copilot is a, is a joke, you know. Second of all, they just don't have a CEO, right? So who's going to drive the accountability? It looks like there's ROT inside GitHub to be. I mean, that's what we're hearing in the industry. That's why people are leaving. And so if we need to go to like a balkanization of Git, you know, within the open source or within the broader tech community, that's going to bring a lot of challenges. But they're just not delivering on the core premise. Like, I need to do work, it needs to be working. I can't do my job because it's not working. Like the availability in the CIA triad isn't there. So what's going to happen because of that?

A (31:02)

Janet, where are you at with GitHub issues here? Are you seeing the, you know, kind of those same things or in your experience, or is the, the vulnerability more pressing for you?

B (31:15)

Well, I don't have an X mark on every day of the calendar as bad as it was as the person in that article. I know, I know he needs, he needs to track something more positive. I mean, the bot, the, the issue, this particular issue, Today's issue with GitHub or whatever the source news stories issue is, there was, they were missing what input validation that, that, you know, enabled remote code execution, which is like, I don't know, isn't that the basic stuff to TC's point, like where, you know, like how. What's going on in there? Right? I mean, this is, they've got the most secret, you know, proprietary stuff that they're holding onto for companies and this is what, this is how it happened. I mean, kudos for Wiz. Or maybe, you know, AI comes to the rescue again. We talked about this earlier, right? AI's finding all these vulnerabilities. But I also do question the timeline a little too, which goes back to the same. TC's point, right? Is Wiz found this in early March. And I don't think this, you know, they say they pushed a fix to two hours, but I think it was like a month and a half and two hours. I think it's the timeline, if I read the timeline, right? So, yeah, I think there's a problem and I think it's maybe time for people to say this might not be the only solution. We might want to look at others.

A (32:18)

Yeah, and this is, this is certainly not been the. The or this is certainly not the first event that has caused the I'm leaving GitHub post. We saw that. You know, we see it every couple of years with anything with the community, you will always have some. With a dominant platform like this, you'll always have some. Kind of. It's the. I'm leaving YouTube. But this seems to be based on some very legitimate availability issues in a way that we haven't seen before. And I'll just go, I'll just get on my soapbox here. As, again, as someone who spent years in IT media, I can't believe the amount of services that are, that are in the AI adjacent space. And I'm talking anthropic OpenAI, GitHub, but I look at their status pages and I'm seeing 19 of availability. I'm seeing 98% availability. Like, that's insane to me when for years we would be like, oh, this cloud service, right, only has five nines. You know, like that's insane.

B (33:11)

Like we're bars have been lowered.

A (33:14)

Yes, like that. Like, I, I don't know when we, we decided that that was okay. But GitHub getting there is just so shocking to me and I, I don't live in it every single day, obviously. You know, TC and Janet, you guys are both much more closer to that. But, but yeah, there definitely seems to be some smoke indicating perhaps some sort of conflagration that is maybe burning something. So. Or fire, as some people.

C (33:40)

I think there's like levels, right? There's a burn, burn down the old system, knock everything over, break all the walls, you know, bring out all the toys and you know, burn ourselves. Right? Like that's kind of AI, right? But then we're learning, we're like, well, wait a second. So, you know, if we decide to go with Anthropic, you know, all in on Claude and Anthropic, and it's regularly down, you know, during working hours and therefore we can't get our work done. What, what does that mean? So, for instance, I'm a big fan of cursor. And so with cursor, when something's wrong with the cloud API, I can just, you know, click a menu, switch to GPT, you know, take off. I'm doing just fine, I don't have to change anything, you know, so thinking through, like, do we want to be able to build in that type of. Remember multi cloud?

A (34:23)

How multi cloud is going to be a thing, the savior of everything.

C (34:26)

I don't know.

A (34:27)

So many startups that were going to be the multi cloud dashboard that was.

C (34:31)

Yeah, yeah, no, no. We use multiple clouds for different things, but we don't actually do the same thing in multiple clouds unless you're like, big, big. You know, it should be that for AI models. Should it be that for like CI CD pipeline. Because if you're actually impacted by this. So, like, I think there was like, what was it, 2000 merges that appeared to have the record of them disappeared. And so this could cause issues for you if you have customers relying on you. This could cause tons of losses or tons of downtime in a production environment. And you're going with GitHub, you're going with the big boys. So what does it mean to build in that type of resiliency?

A (35:09)

All right, well, before we get out of here, we're dealing with some heavy issues here, some perhaps evolving and unresolved questions here. We're going to leave maybe with a little piece of positivity here. Janet, do you have a piece of advice for our audience that you would like to share based on our conversation today, something maybe that maybe comes to mind here that we can leave our audience with?

B (35:28)

Well, I kind of said it a few times during the talk. I think, you know, take advantage of these news stories and make sure your company, your, you know, your internal company leadership is aware as much as you can, depending on your position. Right. What's going on out there and then, because right now, like I said, we've got AI in the hands of everybody. And that's frightening, right? In some ways. So being aware, making your company aware, I love that.

A (35:52)

And it allows me to plug. You should tell people to subscribe to cybersecurity headlines and listen every single day so you'll know the news stories as soon as they happen. Tc, do you have anything else that I can plug as part of your advice or just good advice in general?

C (36:05)

Oh, advice. Oh, I would say, I think there's three types of people in our industry right now. There's people that are AI resistant, there's people that are AI curious, and there's people that are AI enthusiasts. I would say, get yourself in the AI enthusiast camp. It's happening, right? If you're AI curious, now's the time. If you're AI resistant, there just isn't room for you, honestly. And so we are hiring at Opendoor. We have multiple roles open within my team. Software engineer for financial systems, software engineer for security engineering. And I would say, like the first couple questions are essentially culture tests in regards to AI. Tell me about your experience with AI tooling. And if you're telling me I don't trust it to run because it can't run because it's not safe and it's not perfect and doesn't do as good a job of me, to me, that's A user issue. That's a skill issue. If you ran into an issue with AI, what are you doing to solve it? How are you going to be able to get it to run reliably so that we can scale? So we are hiring. You can help me plug that. But in terms of advice, get yourself in the AI Enthusiast can camp. Get on the train.

A (37:02)

I like it, I like it. Get on board or get out of the way. I like PC. I'm, I'm, I'm feeling you. I'm feeling you. I'm feeling you. But I also enjoy that we can have useful discussions of where we are. Like enthusiast doesn't mean reckless enthusiasm. Like, to be clear, I don't. I think sometimes people get so excited that they're like, no, no. Like we should be thoughtful of how we, of how we do this. And I think that, yes, please, please think about.

B (37:30)

Pretty please.

C (37:33)

We accept a lot of risks, right? I mean, there's a lot of risks we accept. And so just knowing what the risk is, hey, guess what? We are depending on aws. They go down, we're screwed.

A (37:42)

All right, well, Janet Hines, the CISO over at ChenMed, thank you so much for being on the show. I understand you have a new book out. Can you tell people about that and where they can find.

B (37:52)

I do. I actually have a copy I can show you. Yeah, go ahead, ask. Ask for it. It's basically the system that I used in my career to get ahead to progress and it's all about making the ask and it's available on Amazon, all formats. So there's my plug.

A (38:09)

Fantastic. Go check it out. We will have a link to that in the show notes as well. TC Nijikowski, head of IT and security over at Open Door. Where can people go if they, if they want to check out what you're hiring for?

C (38:21)

Yeah, Open Door Careers, we have it on our careers portal. Or you could just message me on LinkedIn.

A (38:26)

Fantastic. And make sure you're following them on LinkedIn. Both excellent follows. We'll have links to those in our show notes as well. Thank you. Also to our sponsor for today for helping make the show possible. Big thank you to Guard Square as well. And remember, you can send us feedback. Feedbackisoseries.com let us know if you're enjoying the show or what you thought about some of the coverage and some of the conversations we had. Remember to join us again next Friday at 4pm Eastern for another edition of the Department of no. And be sure to register for our next Super Cyber Friday event coming up. On May 8, hacking the end of compliance. To register for the live show on YouTube and get more information on all of those, go to our events page@cisoseries.com thanks for joining us today. Have a great weekend. Stay secure out there. For myself, for our wonderful producer Josh, for the big boss man, David Spark and the rest of the CISO series team, here's wishing you and yours to have a super sparkly day.

C (39:24)

Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.