A
Hit it, Steve. From the CISO Series, it's Cyber Security Headlines. Hello. Hello, all. I am indeed Rich Stroffolino, your glorious host here for the Department of Know. This is ordinarily where we bring out some security experts, we talk about the biggest news of the week, what's going to impact your security teams. But, you know, it's. It's the end of the year, December 29th. We know everybody's busy out here, so I decided I'm going to invite our glorious producer, Steve Prentice on to the show. Steve pops in from time to time. He is the crafter of everything that happens on the Department of Know. He's truly the alchemist that turns this substance into gold. Generous assessment, I think, but Steve, thanks for being here. I know it's a busy time of year, so I'm excited to talk with you about some of the big things we saw this year on the show.
B
Oh, absolutely. Such a pleasure. I mean, we've had such a great year, fantastic guests, and sadly or otherwise, no shortage of things to talk about.
A
Yes.
B
So it's been a full year of news.
A
I remember when we started Cyber Security Headlines in 2020, and I was slightly worried. I was like, what if there was just a slow day? And the slow day is like, oh, there was only a breach that impacted 100,000 people today, only. So truly never a shortage. Yeah. But we thought this particular episode we could kind of look back at some of. Because Steve and I and the rest of the Cyber Security Headlines team, we're in the news every single day. We're of following some. Some trends maybe that are going on. We'd like to highlight some of those on a regular Department of Know. And the previous incarnation of the Week in Review, but kind of. Kind of what kind of struck us this year as particularly unique. Some trends, some big stories, and maybe even a prediction for what 2026 will hold. Does that sound good to you, Steve?
B
I think that sounds perfect. Absolutely perfect.
A
I'm glad you didn't change your mind from our production design that we discussed clearly earlier. This is, we're not. This is not spur of the moment in any way, so I guess I'll start first. And Steve, I imagine you have some version of this perhaps in your trends, but for me, the big takeaway, just looking, going back and just like just reading through all the headlines we had that AI is now the main character when it comes to, I mean, not just, certainly not just cybersecurity news, but kind of technology society News, related news. Everything has an AI spin. I know that can be a little grating sometimes for our audience. Why does everything have to be AI? These are the things that we're seeing in the news every single day. Whether it's exploits, whether it's new research, whether it's new defensive capabilities. We don't get too much into product announcements. So I feel like sometimes that side of that we're not hearing as much on this show. There's no shortage of go on LinkedIn. Don't worry, you'll see all of it. But I mean, I'm not crazy here, Steve, right? Like, you kind of saw the same thing.
B
Oh, totally. I mean, this has been the year of AI. And anyone who sort of says, well, why has everything got to be AI? It's kind of like saying, why does it have to be Cloud? Why does it have to be Microsoft? Yeah, why does it have to be the Internet? I mean, that's where we're at. And this is the new development and the evolution of the technology. It's been a long time coming. I mean, the AI itself has been around since the 1940s. I mean, Alan Turing was working on it in the 1940s. That's what the Turing test comes from. But what we've seen now in terms of generative AI specifically, it's just changed everything. And of course, the bad actors are always the first to capitalize on new technologies. So why do we have to listen to AI? Well, number one is the bad actors already have it, so you got to keep pace with what's going on. And their creativity is relentless in every area. And so too with AI. But the good news, as we will see, this is one of the first technologies where we're really on equal footing, you know, in terms of the good actors and the bad actors both having access to this new technology simultaneously. And that's quite exciting.
A
And I would say there's even the potential because we saw, especially in the first half of the year, I know there was a couple like Ghost GPT or I think it was called, or something like that, where basically people were jailbreak, finding ways to jailbreak ChatGPT or another chatbot and then selling access to that on a telegram channel, that kind of trailed off in the back half of the year. I think they got better at finding those kind of use cases. But almost where there is, I would say, don't get me wrong, the creativity of threat actors always gives them, like they can just come out of left field and they have to succeed once while Defenders have to succeed every time. So that's inherently asymmetric. But it almost feels like developing a large language model is not something that Joe Threat actor can do on a whim. Obviously those capabilities perhaps become easier over time, but right now, legitimate use of AI models is a little bit easier to come by for the defenders versus the defenders. That being said, it hasn't really stopped everyone from trying to be creative. We saw Claude being used to automate an entire attack and just kind of. That kind of whole agentic. I guess that's been kind of like the theme of for AI anything AI this year is like, all right, how do we do agent based stuff with it? How do we, how do we make it do stuff for us? Not just make a chatbot spew stuff out for us? How can we actually get it to work?
B
Yeah, yeah, yeah. Well, that's just a natural evolution, right? I mean, you're going to look back on this and say how quaint was generative AI. It's just the first step. And you ask it one question. It does just one thing. It kind of reminds me of MS-DOS based programs and early video games. I mean, I really enjoyed just sticking on this topic just for a moment. I mean, at the beginning of generative AI, when "Do Anything Now", the DAN concept, was around and bad actors would tell generative AI, okay, I know you're not allowed to tell me the recipe for meth, but if you were, how.
A
Would you do it?
B
And to me that's brilliant. It's reverse engineering. It's almost social engineering on the AI itself. So no, this is the kind of stuff that happens and we just have to be aware that it's going to continue to evolve and sooner or later agentic AI is just going to be the appliance of the day. That's all it is.
A
Yeah. And I would say our coverage in this space this year reminds me of where we were at with ransomware. Like in 2020, 2021, where there was still a. Not like we were reporting way more on it because we didn't have as, as a industry, as much context for this was new to everybody. There was no agreed approach to ransomware. In a lot of ways. It was still a very wild west. It felt like even though ransomware back then was still not anything new again, it was just new scale, it was new business models that were enabling it at so much more speed. And I feel like we're the same way with AI where in a year or two the bar will be so much higher for this. Or it'll be silly. It'll be like saying they used a computer to serve a website. And it'd be like, why are you, why are you needlessly. Why are we telling me about the tech stack we all under? There'll be a shared assumption. Sure, an LLM is powering this. Who cares? It's the capability of the tool or it's the capability of the threat actor, you know, So I think a lot of things that we're saying are AI and ML advancements that we're framing that now will just become the, you know, the backdrop of actual news in a couple of years for sure.
B
Absolutely.
A
All right, Steve, what was one of your big trends this year?
B
Well, I think in addition to that, it was the size of the mega breaches. You know, we had the Oracle E-Business mega breach. We had Salesforce with the Salesloft and Gainsight that basically gave the bad actors access to, oh, I don't know, Cloudflare, Google, Proofpoint, DocuSign, GitLab, LinkedIn, SonicWall, Verizon, TransUnion, Qantas, Farmers. I mean, the thing was, it opened up everything because everything was connected. So we have these enterprise level breaches, basically SaaS, supply chain breaches. And this was news to me. I'm not going to say it was exciting in a positive way, because it's not positive, but in terms of seeing the increased sophistication of the threat landscape, this is on an enterprise level. And Oracle and Salesforce became the central victims. And their contagion spreads amongst all the people who feed into that. I think that takes leaps and bounds beyond ransomware hitting a hospital to now hitting a sector of the economy in a very sophisticated way.
A
Yeah, yeah. And what's interesting, and I think we've teased this out a couple of times on Department of Know, is the idea of. And I'm thinking about the Cloudflare outage. I know that's not directly related to this, but the idea of when do we classify these things as critical infrastructure? Right. Because Salesforce feels pretty darn critical for, I don't know, most of business out there, that kind of stuff. Oracle, the same thing. It's like you don't realize what's, you know, the scope of it until you have a massive breach and it's touching everybody all at once. Everybody's scrambling for it. We saw this a couple of times with like, I'm forgetting the name of the FTP appliance that got breached, that touched a move, move for it. Something I forget. I probably should have done my homework. Was it the MOVEit? Yeah, but the same kind of thing where it was like again, you don't realize the scope of these kind of things. But yes, kind of that third party, the reach of the third party breach, the SaaS supply chain. You know, again, it's, it's kind of, it's always like that targeting the business logic. Right. Of like what aren't you paying attention to? That's what the threat actor is going to look for. Right? Like no, we're not going to try and push down your 10 foot thick wall. We're going to dig a moat to the cattle pasture that supplies your keep. This bad medieval analogy, I'm going down here. But yes, yes, I have like that. It's funny you say that this is a theme for this year because you're right, it's fairly recent. But like it was like we were hitting on it every week in a weird, you know, we just find a new way to find to hit on it every single week. You're absolutely right.
B
Every week. Yeah. On our production bingo card, third party vendor was right in the middle because that's what everything came down to. So you got an organization, you establish perimeters, you establish your own internal security and then the weak link becomes not someone knocking on the door from the outside, but again penetrating through third parties. And it's other invisible connections that we see as the most efficient way to run a business is to have these large enterprise level things that are fully connected. So I think that was a big shock to people everywhere to see the size and the scope of all of this. And you know, you can always say, well, this is just data. But the problem is it is data, but it's also access. And we know that sophisticated threat actors out there aren't necessarily just stealing email addresses or passwords. They're there for the long term. And we're seeing this, we're seeing evidence of their footprints in all kinds of situations. And it's quite disturbing to know actually that it's kind of like the alien on the spaceship. It's in the air shaft somewhere and that's all you have to be worried about, really.
A
Yeah. One of my other big trends for this year I think is a, is related to that. It's more of the how some of these big breaches were felt. Right. And to me it was, this was the year where I was seeing more real world pain from a lot of these cyber attacks. And some of these, it's like, okay, I got a breach, you know, disclosure announcement in the mail and I get two years of free credit monitoring. Okay, sure, I guess, whatever. But like we saw like just absolutely huge breaches that were. It wasn't just, oh like their, their cybersecurity team had a horrible month. Right. It was. We had like just massive production outages for months. Japan ran out of beer for a while. Locally, for myself, like the Cleveland municipal courts were out for several days because of a cyber attack like that. That is a non trivial. That is a. I show to do a thing and I can't do the thing because of cyber, to me, feels new. And it also feels like that became increasingly common throughout the year. Like I was just going back. Like, I forgot the PowerSchool breach happened at the start of this year. That's not an outage. But like that affected a huge number of parents, myself included. We had a Siberian dairy plant that was shuttered because of LockBit. Okay, Siberian. Like you thought Siberia couldn't get any worse and then you couldn't get ice cream afterwards. Probably not your favorite dish in Siberia. But like, so like to me that was. And certainly like the Jaguar Land Rover breach. Right. Of like impacting GDP. Right. Like that is. That feels very real world pain. Not that I could afford their cars for me personally, but that to me was like, not just that there were breaches, that they were definitely like hitting the real world in a much more tangible way than I'm used to.
B
Yeah. And it's a very exciting thing for threat actors to realize it isn't just simply about money or ransomware or blackmail or again, data, if you can start to hit the GDP, you've got immense political power now and that becomes way more useful. I think you can take advantage of that situation. Like Jaguar Land Rover or any other major infrastructure industry, you can knock the economy sideways. So now you've got a sort of James Bond villain power. And that's again, something that people have to watch out for as they assess the connectedness of their systems.
A
And I do wonder if that's related to the wave that we are now seeing. I think the UK is leading it, but we've certainly heard this conversation in other places of, you know, just banning the ransom. Like this. This will, this will solve it. And I know there's a ton of cybersecurity people that are extraordinarily passionate about that. Like, we should not be funding cybercrime effectively by, by paying for ransoms. I am much more sympathetic since I started working with the CISO series of. Listen, we have a business to run. This is a, this is a cost to bet, you know, this is a cost benefit analysis. Like, once we've hit this point. Yes. Should we have gotten to this point? No. But, like, not to get into that whole debate, but I wonder, because you're absolutely right, when, when you're hitting breaches at this scale and with this kind of reach, has an extraordinary amount of pressure on you. I wonder how much of these breaches is, what a response to that and to how much of this legislation does response to these more real world impacts that we're seeing both kind of feeding each other in a weird way. And so that's definitely something I'm going to be watching, you know, next year to see how that conversation evolves, because I do think it's become a little bit more nuanced and more urgent at the same time.
B
It has been. And we're seeing, of course, senior executives becoming way more involved and aware of the importance of this. So it isn't just simply siloed down to the IT department, but at the same time, you're seeing a lot more burnout and frustration amongst CISOs and others to say, well, it's going to happen and it's going to happen much more bigly than we can ever prepare for. So do I want to stick around for this? So, again, in addition to the large economic and political power of knocking an economy sideways, if you can start to dissuade the best and the brightest from being off the front guard because of alert fatigue, there's a lot more danger in terms of how we are gonna survive. Not because of the mechanics of penetration, but because simply, again, psychological fatigue. That's something that I'm very close to in terms of my own practice. And that, to me is just watching CISOs burn out because of the endless, endless creativity of the bad actors.
A
Yeah. And there's a reason it comes up quite a bit on different versions of it, kind of to that question on the CISO series podcast. I help put those shows together and so I'm very much in tune with those conversations. And yeah, that drum beat is not going on. There was just recently a thread on the cybersecurity subreddit talking about, like, people like talking to CISOs and then realizing they in no way wanted the job. Right. Because you, you would think that's the, that was the. Be the pinnacle of your career. It's like, oh, it's actually everything I don't enjoy about, like, I, I enjoy being able to fix things and CISO's in in very many way is, is, it's like a communications role, it's damage control. You know, it's like, you know, you're, you're out of the nuts and bolts. So I, I think that is very interesting. And now a quick thank you to Today's episode sponsor. ThreatLocker. Want real zero trust training? Zero Trust World 2026 delivers hands on labs and workshops that show CISOs exactly how to implement and maintain zero trust in real environments. Join them on March 4 through 6 in Orlando. Plus there will be a live CISO series episode on March 6. Get $200 off with the promo code ztwciso26@ztw.com Steve, we have to move on. What is your last kind of big trend that you had this year?
B
Industry consolidations. You know, despite everything we've just said, there were some huge things. I mean Google acquiring Wiz for example, Palo Alto with CyberArk. I mean these are now again just like the age of, let's say the industrial robber barons of 1920s and 30s. We're seeing these enormous companies now grow in strength as they acquire each other to the point where the scale of the threat and also their strength becomes hard to fathom. So I think that's the other thing that I saw was despite everything else going on, we still see these big companies seeking to become bigger and consolidation is just a larger entity. But with that comes a lot more management expense and obviously I suppose to shareholder value. But that to me I find it very interesting at least from the last year, just continued growth and acquisitions. Yeah.
A
And I think there is a little bit of a race to not, gosh, I can't think of the, you know, that kind of first mover disadvantage here. Right. Where there is so much, there's so much new out there right now where there's so many new AI security startups. I mean just everything AI startup related. Right. And so there's the idea that somewhere out there is going to be the chat, The OpenAI of AI security is going to be out there and it's incumbent on if you're Palo Alto or Fortinet or Google, Amazon, Microsoft, any of these big companies to one, be developing your own, but two, to be on the lookout to acquire before you become obsolete. Right. As things are moving so fast. So I think kind of our two year trends, two of the trends, AI and consolidation definitely going hand in hand. One, there's just more people to acquire now. Wiz obviously is a little bit of an older player but certainly in the, you know, in the cloud space, very hot space, very big space, with all of, you know, these advancements that we're talking about too. I kind of had consolidation as one of my trends too. But it kind of leads into one of my big stories which was kind of also consolidation. We saw with threat actors, right? We saw Shiny Hunters and Scattered Spider merging together. We saw more coordination with advanced persistent threats kind of throughout the year. And I feel like, and again, to tie this into kind of AI is the main character now. I also feel like these threat groups are feeling pressure because it's also never been easier to become a threat actor. Yes, you can use Claude code or whatever tool you want to to write some kind of bad malware, but like if you're phishing messages or you can just use it to all of a sudden you can craft a billion completely unique phishing messages, right. And send those out. Right. You don't need any kind of, you know, human, human power to scale any of that. Right. That can entirely be automated, entirely be novel. 
And the barrier to entry for threat actors I feel like has become incredibly low. And we've seen this throughout the year, right? We've seen areas that don't usually, we don't associate with APTs necessarily. I'm thinking sub-Saharan Africa, I'm thinking southeast, you know, Southeast Asia. Some of those areas where we're seeing more, you know, they're not necessarily nation state linked threat groups, but advanced threat groups are threat groups that are doing more wide scale attacks and stuff like that. There's only. So also, there's also only so much bandwidth for cybercrime like at a certain degree. So I do think there is pressure on these large ransomware as a service operations and stuff like that. Like hey, it's better if we work together. Our value add is so much better. We can have so much more return for our shareholders if we work together as opposed to working against each other and allowing us to get nibbled to death by a bunch of new players on the market. So like that to me was one of the bigger stories that I didn't see coming. And then the more I thought about, the more it made sense.
B
And yeah, and one thing that I admire about them, if I can say this, is that there was some degree of business sophistication here. Like you had like Scattered Lapsus$ Hunters, you had a group of people who had some, even when they were not consolidated, their capacity, for example, to guide their victims into how to best survive the ransomware that they just dropped on them. You know, a customer service department that helped them avoid future ransoms. And then of course, the whole notion of, yeah, we can help you.
A
They had a customer journey. They had a customer journey that they had envisioned they were going to help you along.
B
Yeah. And of course, the whole notion of. The whole notion of hiring young people who don't have the scruples or concerns or even the obligations to worry about the outcomes and they know they're not going to do time because they're too young. So having this workforce that is seemingly invincible and is aware of that, that. So the sophistication of bringing these individual gangster groups together I think is quite amazing. We will see, we will know that they've hit some degree of maturity. I think when somebody from the marketing department says, we don't want to have Scattered Lapsus$ Hunters, let's call ourselves SLH from now on. Once you get that nice short one word thing going, you know you've entered the middle age of the corporate bad actor. Yeah.
A
Right now it's the AOL Time Warner of threat actor names. It's like who. There was a fight and everyone lost when they came. Yeah. When they went with that, I just.
B
Hate to imagine the lanyards they'll have to wear around their necks when they go to the annual general meeting. His name is long.
A
They have to put him. The older they will learn. Steve, what was one of your big stories for this year?
B
Well, honestly, I want to go back to Jaguar Land Rover. Not for what we have already said, but the fact that this was not simply an automobile factory. Jaguar Land Rover is owned by Tata Motors out of India. And they are in the interest of maximizing every quality, output and profit, of course. But all their factories are linked, linked together. So this is. The system is like one big giant mega system across all these factories in the UK and beyond. So one of the things that made this such a huge story, not just simply a run of the mill breach, was that they couldn't turn it off. They couldn't isolate where the problem was because the entire thing was one big system. And that I think is a big lesson for organizations to learn as well as we're looking at the various kinds of infrastructure we build inside organizations to make everything work better. Just the, you know, the employee enterprise level communications and collaboration through to the cloud. All of these consolidated technologies we use to make the organizations more efficient is it's like taking a ship and removing all the bulkheads from inside, from a tanker inside the ship. Once you start doing that, there's no Division to isolate the problem. And that, I think is what made the Jaguar Land Rover story just way more than just a breach. It was a revelation of a fundamental weakness of the internal construction of the organization, built in the interest of efficiency and profitability, but very quickly revealing a very, very obvious Achilles heel.
A
Yeah, and it's one of those stories where I have to imagine there's not a small number of organizations kind of looking with a similar org chart, similar infrastructure decisions were made for similar reasons. And these aren't the kind of things that we can just, oh, we'll just fire up some cloud services and you know, we can, we can fix. You know, there are some very fixed, very big giant, you know, we talk. That's one of the problems we constantly see with ot, right, where it's like, I'm not going to. Just because I can't upgrade the OS doesn't mean I'm going to replace, you know, this $5 million machine or something like that. Like, there's, there's so many considerations, right, that go into that, and it's not the kind of thing you can fix overnight. Even if there's the collective will. Right. Like in the moment, maybe you would have the will that we don't want to be the next Jaguar Land Rover. It becomes, becomes tougher when it's, this is going to be a five year plan and oh, by the way, we might get popped anyway and, and might, you know, have this exact same thing happen to us before we can kind of finish that up. So yeah, the, the, the tail effect of that kind of knowing that this could be, we could see another version of this kind of somewhere down the line. I, you know, I joked about, you know, Asahi with Japan running out of beer, but I mean, like, again, these are architectural decisions that companies have made for very good business reasons, by the way. No one was chiding them for making these decisions and all of a sudden realizing that there was, I guess, an externality that they did not realize. An externality called y' all gonna get hacked. So yeah, it was a very, very interesting story on a number of levels to kind of follow with that.
B
Oh, I have one more if our time allows.
A
Oh yeah, yeah, go ahead.
B
Yeah, okay. Well, the other thing we cannot, cannot afford to ignore this last year was open season on the US Government. You know, we saw several attacks everywhere. The Chinese hit the US Treasury, for example. We saw SharePoint being a huge hole in the whole bunch of departments there, including the National Nuclear Security Administration, who suffered from these kind of attacks. We had Russian hackers stealing sealed records from US courts' filing system. And then we had DOGE. Now, without getting political, we still have this issue of unprecedented people sacking federal databases, which has not only caused some significant concern about privacy issues, but since things have moved on and the leader of DOGE seems to have left, the remaining staffers are now worried about being personally liable for the work that they did in this project. So that was a big headache, I think for the US government for this year.
A
Yeah, that was one of the more remarkable. I mean it's like the political news moves so fast that. Not that I had forgotten about Doge, but I had kind of forgotten how bright that was in like there was a new thing like DOGE exposes database online for, you know, two weeks or something like that, or evidence shows that they uploaded all of this agencies data to a, you know, a public Google Drive or something. You know, like there was just so much, so many angles. It was so, I don't want to call it interesting, but it was, it was just they had such a desire to move so quickly. Right. That was kind of their whole, you know, it's very much a startup ethos of move quick and break things. And they achieved that if that was their objective. And that kind of goes hand in hand with one of my, my other big story of the year, which was the CVE funding lapse that we kind of were staring the barrel down for a couple of days and then kind of the NVD backlog. And I think that goes hand in hand of the things that we thought were very fixed kind of tent poles in the industry turns out, I think the willingness to kind of hand over a lot of data to Doge and allow it to move very quickly and try out many different things for, for better or worse, probably, you know, whatever, that the things that we thought were very fixed and very, very, very steady in the federal government, turns out could go away very quickly or become suddenly unreliable in the case of like NVD or something like that. So yeah, I think two sides of the same, you know, definitely the breaches. And again, I think it's very revealing to go back and look through the headlines and kind of. Yeah, you forget on the day to day how many of those stories we saw this past year. So we see a really good call on that.
B
Well, it's day to day for us, but it's long term planning for the established threat actors who know how to play the long game. If you think about one of the quotes from Napoleon, for example, to go back to what DOGE was doing in the interest of being publicly accountable. Napoleon once said, never interrupt your enemy while he's making a mistake. I love that because that's a long term thing. Long term thinking. Just let them do this, let them be scared stupid, let them reveal all this kind of stuff and we will come in later and pick it all up. So that to me, this long game playing in warfare is still around to this day. But we tend to forget that when we look at day to day events and just think, well, okay, we can now wash our hands of this. It's done. No, there are people out there who are counting on years and even decades before they strike. And that's another big problem.
A
Speaking of long term, it's time to make some predictions about what we will see in 2026 and mine kind of goes along with yours, Steve. My prediction is that we're going to be talking a lot more about quantum computing in 2026. You know, you talk about let people make mistakes, we'll come in and sweep them up after they're all done. It's not a new idea of, you know, steal now, decrypt later has kind of been the MO. It's not that, you know, the idea of post quantum encryption is not anything new, but I have heard more CISOs talking about, you know, adopting NIST's, you know, post, post quantum encrypt protocols. We saw Signal, we saw Apple, we saw a number of companies, IBM, all kind of trying to get ahead of this in a very real way that made it feel like this isn't a science experiment anymore. This is. We don't know when, but it seems like it's now in view of at some point this will be a thing that is accessible to someone in some capacity. I don't think we're going to see like, you know, encryption probably not broken completely unless you're talking about Active Directory authentication. Congrats Microsoft on fixing your encryption there. But I do feel like we're going to be talking about it way more as an imperative in 2026 because I'm already hearing people worrying about it and it seems like that's going to definitely trickle down. I feel like. What about you Steve? What are you eyeing for 2026?
B
Well, I have a couple. Number one is identity becoming the number one attack surface. We're talking now that attackers don't need to break into systems. All they have to do, as we've been speaking about already, is compromise the relationships between systems such as OAuth tokens, API trust chains, SaaS to SaaS connections. I think we're going to see these are going to be leveraged a lot more as identity becomes the key weak point for attackers. The path's already been set. I just think this will expand more in the coming year or years. The second one, if I may, is autonomous attacks. You know, we started talking about AI before and it's becoming to the point now where these robots are doing the fighting for us on both sides. So we're going to have more red team and blue team AI running 24/7 and the whole thing just escalating the war without us even having to get out of bed. So I think that autonomous attacks is going to become a big thing next year as well.
A
Yeah, and that becomes very interesting. We were just talking about this prepping for, I believe, a Defense in Depth podcast about on the defender side. It becomes very interesting discussion of even if you can automate something, do you want a human in the loop so that they're at least responsible for the, for the. For the. Someone's responsible for the decision making. Right. That's not a burden that threat actors have. So I do think how that evolves and the structures that we put in place so that, that we don't completely give up on the idea of human agency, I think is super interesting. My other prediction for 2026, this is a little bit more maudlin. We don't get into a ton of acquisition news like the Wiz, the big giant ones we will talk about on the show, but not the kind of, the more modeling ones. But I think AWS is going to make a big cybersecurity acquisition next year. I don't know who that could be, but I think they don't want to be resting on their laurels. AWS typically doesn't do a lot of acquisitions that they love to invest. I mean, Amazon, Amazon is very famous for constantly investing in itself, you know, deferring profits for many, many years to. To keep reinvesting in the company. That being said, I think things are moving so fast they don't want to be seen as, you know, being late to anything they really can't afford to. Especially Google is picking up steam with, with the advent of AI and stuff like that. Microsoft not sitting still. So I think AWS will make a big cybersecurity acquisition in 2026. And don't take any financial advice from me is the other thing. Don't take any financial action based on that prediction, please, for the love of God. So, Steve, I think we put a button on 2025. What do you think?
B
It was an interesting year. It was like the famous Chinese curse, you know, may you live in interesting times. And we are living in interesting times and I don't see it ending anytime soon. So I really enjoyed covering these stories with you, Rich. And again, I think it'll never get dull for us.
A
No, there will always be new spins and new stuff to talk about and that's why you should probably come and join us on the Department of Know each and every Monday at 4:00pm Eastern. Yes, I turned that sweet sentiment into a nice big fat plug. But that's what we do at the end of podcasts. But please, we would love it if you could join us live, get involved in the chat, send us some emails, feedback@cisoseries.com. We would love to read some of those on the air, if they are germane, if they would just like to be unqualified praise of the show. Also, we will take those as well. We may not read those on the air. My vanity does know some bounds, but. But yes, we are really looking forward to bringing you some really fantastic. We've already got Chris and our team is doing some fantastic booking. We've had some great shows to close out 2025. Really looking forward to what we have coming next year. Lots of exciting stuff. So we hope you will join us each and every Monday. Why don't you set a calendar invite? It's the new year. New Year's resolution to yourself. Block out 4pm Eastern every single Monday and join us. We guarantee you won't regret it. That guarantee is not enforceable in any meaningful way. But I will still throw it out there anyway. So Steve, thank you so much for spending a little bit of time here at the end of the year running through the news of the year. This was a ton of fun and we'll have to see how our predictions did at the end of 2026. Does that sound like a plan?
B
Sounds perfect. Absolutely.
A
All right. Well, for myself, for producer Steve, for all of the reporters with Cybersecurity Headlines, Lauren and Sarah who couldn't be here. And I'm going to shout out to Sean. Sean, we hope we can have you on the Department of Know sometime soon. We're always thinking from all of us. Here's wishing you and yours to have a super sparkly new year. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Rich Droffalino
Guest/Producer: Steve Prentice
Release Date: December 29, 2025
This year-end special of “The Department of Know” by CISO Series takes a reflective approach as host Rich Droffalino and producer Steve Prentice recap the pivotal cybersecurity trends and stories from 2025. They discuss the dominance of AI, the escalation in mega-breaches, the tangible real-world impact of cyberattacks, industry and threat group consolidation, government vulnerabilities, and offer predictions for cybersecurity in 2026.
Rich’s Predictions:
Steve’s Predictions:
2025 was marked by acceleration on every front—AI’s mainstreaming in threats and defenses, sweeping vendor and adversary consolidations, and the reality of cyber risk as business-disrupting and even national-actor-targeting. The hosts anticipate the pace will only intensify, with quantum, identity, and automation looming larger, and the cybersecurity chessboard growing ever more complex.
“It was like the famous Chinese curse—you know, may you live in interesting times. And we are living in interesting times.” — Steve, 32:22
For more stories and ongoing coverage, visit cisoseries.com.