
Loading summary
A
Cybersecurity Today is brought to you by Nordlayer. Teams today work across multiple tools and devices, but security often remains fragmented. And this is exactly what NORD layer can help you address. NORD layer gives your company centralized control over access by individuals and teams and keeps connection secure from anywhere with no additional hardware required. Visit nordlayer.com cybersecurity today and use the discount code NLSUMMER26 for a special discount on your purchase. Welcome to Cybersecurity Today on the weekend. I'm your host, Jim Love. We have our regular panelists, Laura Payne from White Toque. Welcome, Laura.
B
Hey, Jim. Great to be here as always.
A
And David Shipley from Frederick. You're actually in Fredericton.
C
I'm actually in Fredericton. I'm bound for Texas tomorrow. So my time home has once again come to an end. But on the road again.
A
Yeah. And a new panelist, Mike Kim. Mike, I'm gonna let you introduce yourself, but I'm still fascinated by the fact that your name is a palindrome. Wow. Yeah, welcome, Mike.
D
Yeah, super excited to be here. Hopefully I'm known as the cyber security palindrome. So that's my little thing.
A
Wow, nice branding. Yeah, we had, we had a pre show thing. Throw in a little. Laura said, throw in a little quantum and you've got your. You're there.
D
Yeah, exactly.
A
Tell us a little bit about yourself, Mike, because everybody knows the other two panelists.
D
Awesome. Yeah. Mike, I'm the co founder and CEO of a company based out of Toronto called Croft. We help companies manage and automate their compliance in highly regulated industries like SOC2, ISO 27001, CMMC. And I think we call ourselves like the people that are using AI to help defend yourself in areas that. Or boring, maybe tedious. And yeah, we're, we're been in the industry for about a decade and a half, worked with the hyperscalers to have SMBs everywhere. So yeah, it's exciting to be here
C
and I can give an endorsement for Mike. We just got our ISO 27001 and it was the most pleasant process I've ever gone through. This is our recertification. It was a major push. We upgraded, it didn't suck. Mike's team was fantastic to work with and my CISO was less grumpy, which for all of you listening out there, that means a lot to me.
D
Well, we hope to have a lot more less grumpy cisos.
A
Yeah, I don't think we're going to see it didn't suck on your website, but we Appreciate.
D
I think we do kind of see some of that in the messaging.
A
Great. I want to share something with you guys before we get started on some of the topics today, because this came through and it. Those of us who. Who. Or those of you who know or listen to the program, know what a fan I am of Operation Shamrock and the idea that people are being preyed on by what amounts to fraud, phishing, all of these things. And they are done. This is done to vulnerable people. Romance scams, old people who are alone. Guess what authors are now in the club. I have, because I'm coming out with my second book and I'm doing a lot of advertising. I have been pitched by so many fraudsters, and I look at this stuff and I wonder, though, as I read these things, if I didn't have a cybersecurity background, if I was a person who was passionate about their book and I. I put their. Would I be fleeced for $1,000 and then $5,000 and then $10,000? So that my dream. And you have to understand, for every author that actually sells something, as an indie author, there are a thousand people out there who've got a book in their heart. And just one more example. So if you're out there and you are, if you're doing anything like where you've got a passion and you see something that comes across and somebody recognizes you, have a little moment of ego, release and say, wait a minute, I'm just an indie author. Nobody's discovered me like this. And if they have, it'll wait a day while I check them out because I've been pitched by Penguin. And it's amazing what it feels like when you see this. This even for me, and I'm already inherently suspic, but when Penguin Random House writes you a letter saying they love your book and they want to talk to you, and then you realize it's a cleverly constructed fraud, because I write the fraud line and say, does this person really work there? Or I know enough to check the email address. So just. It goes to all of these things. Anytime someone is vulnerable or passionate, there is someone to take advantage of that. And two things I urge you. Get educated. Share this knowledge with people. And for God's sakes, get involved with Operation Shamrock and make a pitch in your community to try and save some of these people who are vulnerable. That's my commercial.
C
I think it's really good to constantly talk about these things. We're seeing Beauceron is seeing a ton of fake family office investments Offers to buy. And again, this is literally our space. So I don't know whether to be honored or insulted by these criminals. It's just. This is like, just, we're going to go after the. The king. If you watch the Wire, as Omar says, if you're going to go after the king, you best not miss. And so it's interesting by the dot shop domain's a pretty good giveaway on that. But I think, Jim, you highlight a real key point. Whether you're an author, an entrepreneur, someone who's lonely. It's the emotion that's the target. It's not how smart you are. It's not about that. It's capitalizing on that moment of real human vulnerability. Slow down, take a breath. The deal, if it's real, will still be there.
D
As someone that's actually received a lot of these offers as well. And it's interesting because I also have different entrepreneurs, different founders. Ask me about it. Have you heard of these investors? And it's. I think there's this adage, if it's authors or even in entrepreneurs or whatever it is, it's. I think it's always this weird taboo that you want to keep this good news almost to yourself. But I think it's. It's. I think it's important to let your community know almost because, like, somebody just could be like, hey, that they're not real or it's just a science. So I think that human connection is incredibly important, but it just angers me the fact that they're exploiting on that lack of human connection. And so it's probably exacerbated as a result.
B
Right.
C
So one of. One of the strategies I love about what you just said, Mike, is something I recommend to friends, and it's called the phone a friend. Right? When something. You just need to talk it through. Even in the process of calling your friend up and talking about whatever this thing is, relationship, deal, opportunity, in my case, dangling in front of me, a used car of a certain roadster variety. I've got friends I can call and they'll go, it is not a good deal. Walk away. It's not real. You're not going to get it for that price. It's not. Okay, that. That's really important. Phone a friend. Laura, I don't know if you have any thoughts.
B
Oh, all of the above, but the common theme is preying on people who are under roles that are under hardship, right? Some sort of hardship or duress in a striving kind of manner. And then. And then Loneliness, Right. Or isolation. And it's not because you don't have people physically around you, but because the role or the activity that you're undertaking is one of those things that's solo or where the buck stops with you. And that's a common theme that we see. Right. And that's where the attackers go. Right. People who are easy to separate from the herd. And it's also why David said, call a friend. It's important to have friends. And that's a little bit flippant to say, but it's true that it's hard to make genuine connections with people that you would feel okay being vulnerable enough to say, this is going on in my life and I would like you to give me an opinion on it.
A
Be the friend and then be the friend too. This is something that people need that we as cybersecurity professionals have a responsibility to do, I feel. And that is we need to open non judgmental discussions with everybody and raise these things. That's why I talked about being pitched myself, because I've could fall for it too. So first, that non judgmental opening that says you could talk to me about this. I will make time for anybody who calls me or asks me about this stuff. The second thing is in just making sure that we make people aware. And like I said, I think we have a responsibility as an industry because we know of it. And I wouldn't have spotted some of the stuff if it hadn't been for my cybersecurity training. Just wouldn't have been.
C
I think the key message here to end on is be aware and care. We'll go with that. And now I want to flip the script on being judgmental because we're going to get into some interesting sort of opinionated conversations related to cybersecurity headlines for the month. And the first one I want to throw out to everyone is June was the month where all of a sudden Mythos gave rise to fable and everyone got excited. I remember when in our anthropic usage Fable appeared and we were like, oh, it's so exc. Super excited. And it was like a day later it's gone. It was like Wednesday it was out and Friday it was gone. And all of a sudden we had this obscure US Government regulation export controls, which are usually tied to things like you're not selling this tank, this fighter jet, this high powered computer chip. And for the first time we saw an AI model export controlled. And I'm curious for the other panelists, thoughts, what was your take when you Saw this government rug pull only for America, for limited time only, and eventually it was reversed. But that didn't happen until July. Maybe I'll start with Jim, because you are the resident AI expert. So I'm curious about what was your gut reaction when all of a sudden it was like, gone.
A
It's changed over the past, even the past few days, and we could be proud of being skeptical. You have to be critical and not skeptical. When Mythos came out, the first thing that I thought was, oh, yeah, good marketing, right? And I think there's a heart of that in this. It's. Is it better at finding bugs than anything else? Is it going to. Yes, perhaps. Is it going to destroy the world? But when you tear it apart and you ask what it is, and it's an AI model, a mixture of experts model, it's well trained in security, of course it's going to work like that. It also consumes an amazing amount of.
B
Of.
A
Of computing power. But. So it came out, it amazed everybody. And then Fable came out and everybody went, wow, we got Fable. And then it was taken away. And you wonder, is this, you know, is this something that we should be thinking about only in those terms? No. The OpenAI came out with a model and this and just a couple of days ago came up with an incredible model. There are open source models. There are. There's. Grok has just released another model. All of these models are capable of that. And I think the thing we have to go back to is the concept. These things are good at code because they're good at language. Code is a language. It has syntax, it has grammar. They're really great at this. That's why that's the first place that people are making money is selling this for coding. So of course it's going to be able to find the vulnerabilities. But Linus Torvald made a speech just a couple days ago and I picked up on that and it was so great. He said, he, Linus Torvald, who you would think would be anti AI, he's not, by the way. He uses it for prototyping and he thinks it's great to find bugs, but the falling in love with one of these things to find the bugs is stupid in. In many cases because you have to fix them. And he said, these things, AI can find bugs and it can report them, and it can also report a lot of things where you fix the bug, but you still leave the problem. He said, when we'll be good at this is when people are responsible enough to take or intelligent enough to take responsibility for the code. In other words, use these to find the bugs. But you have to remediate them, which means you have to examine them, you have to look at them. I thought it's a wonderful thing concept to take a look at, get past the hype and understand what we found is a better way to find bugs. Thousands of millions of them, whatever. But we still have to do all the work to make sure that we've kept track of them, that we've recorded them, that we've analyzed them, that we fixed them. And you can't get paralyzed by the hype. And that's my sort of vision of the week.
C
So Mike, your product leverages AI models and stuff to deliver your services. So what was your first reaction when you're like model available, model gone. Would this have any impact in your business? Was it a curiosity? Was it? Yeah. I'm curious for your thoughts.
D
Yeah, I think for ourselves we obviously experimented for a few days, but we actually have our own evaluations. Right. Is it going to be like used right away? Like basically it came and then went away during the evaluation phase on ourselves. So we could have roll it out, but we do see like similar companies that just roll it out and then it just goes away. But for us, to be honest, we have it on the use case for cybersecurity. We're still experimenting with it. We're also looking at the new GPT models as well. To be honest with you, it's great at finding novel problems, but what we see with our customers is they're still catching up on basics. Honestly. Like I know we're talking about like bleeding edge stuff. Everybody's. We found this novel exploit that like chained together like 500 things that endeavor, whatever it is. But like we're still, I think at a state as an industry is still catching up on basics right now. And I think it just, it's almost as if like it had. It's. It doesn't. I would say it's. It would be an understatement to say it doesn't make an impact, but doesn't make like a material impact that like it changes our business model. It does not. So that's what I would say. And I just. Yeah, like 4, 8, 46 still very good at the use cases that we're trying to do. Like even the other models like Gemini and AI and Grokket, they're all still foundationally great at the models that we're trying to do. And I think my first reaction was like a lot of hype. I'm still and maybe a little bit contrarian to say I think models are hitting I think they're trying to find double ways of using the model. But I feel the foundational model behind everything is not as like breakthrough as we thought from like when we went from 2.5 to 3.5 for GPT. So like it's for me for someone that's like playing on the bleeding edge and experimenting on the bleeding edge, I haven't seen it as like almost drop everything moment gap is what I'll say.
C
And Laura, I want to turn to you because you've worked in regulated industries. You work with customers large and small. And one of the things that I observed and we covered a bit on the show over the course of the month is a lot of countries were very put off that the United States decided nope, you can't have this. It's no foreign nationals. The language usually associated with high grade military weapons applied to this. And France is already getting pretty antsy about American tech. Europe has gotten nervous because of the International Court of the Criminal International Criminal Court sanctions against a particular judge. I'm curious for your thoughts. Do you think enterprises were particularly non American companies around the world were like do we really want to build dependencies and stacks on tech that could get pulled back from us?
B
I think it plays a lot into the yeah that bigger geopolitical conversation that's happening right now around sovereignty and just to debuzz wordify sovereignty because it gets kind of thrown around in a lot of different ways but specifically the ability to have autonomy to make choices about how your data, how your functions, how your processes and procedures so in a kind of a corporate context can apply to a country as well are going to be managed and used. And it doesn't mean sovereignty doesn't mean not using things outside your control. It means having choices about what you use and being able to shift or move or regain that that control or that function. So I think the risk that this highlighted and the risk was always there. But we are creatures of short memories and like to forget the our history lessons when we've come through a period of kind of we had a golden era of borders opening and things being generally accepted as being flow through across different boundaries and that our friendships will never change and our allies will always be our allies and those are not things that have ever been true in any point in time in history. There's been no point in history where it's like that thing has been Those two have been friends forever and they've never had any conflict. That's just not true. Right. So I think this is a bit of a reminder, a bit of a wake up call that nothing is forever from that perspective and that you always had that risk and people. I think in some ways it was fortunate that it was so short that this was a real wake up call before anybody had linked anything. Hopefully three days. I hope nobody linked anything business critical to it or country critical to this new shiny model.
D
You would be surprised, Laura. You would be surprised that I industry.
B
Fair enough, fair enough. But okay. Anyway, I would hope. Clearly my hopes are dashed. That's neither here nor there. But that idea, it could be clawed back. That could happen to many things. And there are things that are significantly more structural to corporations at this point, but AI certainly is certainly coming into that space. So it's a good reminder. Right. What do you do if it goes away? And it could be for any number of reasons. Right. Government interference is, is a new and unusual one for us. But there's always been technical resilience issues. Right. We saw that when AWS had a major outage. Right. And whole data centers that, you know, many thousands, probably even millions of businesses were relying on were just not available. Or half the Internet broke for a day and then that wasn't available anyway. All of there's many reasons why things can be not available and that needs to be planned for. We're also seeing this really interesting tension playing out between the idea of political power and where geographic boundaries lie versus what's been taken for granted on the Internet is that geographic boundaries kind of don't matter as much. And I was having another thought on this earlier, is that the social media has been already laying the groundwork for flouting government rules and we didn't see that play out so much in business space. So for business software and things like that, because in general businesses. So let's take Microsoft as an example. I'm not picking on them, they're just an easy example. As a multinational, they would set up offices in every country where they operated and would align to government rules in that area. Even though headquarters was still in the U.S. right. There were ways that they were learning to play within geographic boundaries. Even though services were still often delivered outside of that country. They don't set up data centers in every country in the world. Right. So we saw that kind of playing out. The social media side, they would set up sort of sales offices in different countries. Right. But they really were still very Much headquartered and run very centrally. And you can see how heavily they lobby for rules to be in their favor. And that media space really lobbies for content to be very open and unrestricted because they make their money off of engagement. I think with AI, what we're seeing is they learned a lot of things from social media about how to flaunt government rules. And it's going to be really interesting to see in the AI space now that we have this convergence of really social participation with deep technical capability. Social media is not really deep technical capability. Right. But now deep technical capability. And see how that starts to play out in that tension between governance and yolo.
C
And I'll just mention this briefly because it's that weird part of my day job is being the CEO of Beauceron and my other hobby is working on public policy. And there, there's a particular badge of honor where I, I managed to get the head of public policy at Meta quite upset at me because I was testifying before a parliamentary committee on online fraud in Canada and pointing out statistics about social media companies and pointing to the Reuters story that we covered where meta unfortunately made $16 billion selling fraudulent ads to scammers. Tying back to our very first conversation. And they're very much doing everything they can to fight any kind of regulatory powers by governments. And whether it's, you don't have the right to tell us that or rein us in on fraud or hold us accountable. And I can tell you, legislators in Canada said, whoa, whoa, whoa, whoa, you know what? Government's still a thing. We can do things. And it was one of those moments. And committees are interesting because for some reason I've now done eight of them, five in the last three months. And you get invited to be there, but they can compel you. And when you're there, they have significant powers to compel things. In the end of that hearing, Facebook in Canada was compelled to provide evidence with respect to how much fraud is happening on their systems, etc. Back to the committee chair. I think governments are trying to find the best way to phrase this in a family friendly show. They're finding their voice again. And whether it's Australia, whether it's other things, whether or not, and we'll separate the public policy debates, whether the it's the right policy or the wrong policy. Not getting that. But governments are starting to get loud. And the last thing I'll end off on the AI theme is of course in Canada we had tragedy that kind of blends the impact of social media on youth with AI in the Tumblr Ridge shooting. And the government of B.C. at the just at the end of June, filed a lawsuit in Canada and in California suing OpenAI because of their alleged role in that tragedy. So we're seeing governments play a role that we haven't seen before. The previous role for government was to be the booster of the Internet, the booster of globalized trade, the getting rid of trade irritants and those type of things. And all of a sudden we're seeing a retrenchment and it's not unique to the United States. As I said, Australia is doing something, Canada is doing something, France is doing something. It's happening all over the world.
A
But even those people who think that government should stay out of regulating technology need to at least take a think to this. I'll give you a couple of examples of things that have happened. Anthropic, the poster child for responsible AI got caught with a piece of code that was tracking people using. They say it was just an experiment. They also announced a service that they have that monitors all your usage for you. And let's leave that there. The power that they have is regulated only by your belief in them. And so you have. We're all either doing what. What is happening in the US which is you're going to do a 1.4 trillion dollar lawsuit against Meta, you're going to try and use the courts as a big club, or you're going to have these companies will trust them to be responsible. I think there's a role in the middle of that for some standards that we have. That's piece one. The other piece of this though, is that we use AI as a huge part of what we do in our jobs, in our companies. We're going to become more and more reliant on it and what it can do. And so that trust comes in. David, you're going to love this. I don't know if people followed this, but we've discovered now that actually AI has an internal voice, much like it's. I don't want to say it's human consciousness, but there's. They've discovered this thing that, where AI can actually have an internal voice and it represents what it's thinking about. And I'll give you an example of this just to play it out. You have an internal voice in your head and it is running all the time. So if I went to my AI and I said, tell me what feed I would use to get more milk. I didn't use the word cow. They found Using this analysis, that there's actually a place in the consciousness of this AI if you want to call it whatever you want to call it that in the working space, let's call it that. It's more technical that that represents the word cow, you can find it. And by the way, so I'll. So I'll give you another example. If I had the word ant in there. So I said, give me something that crawls around, looks for sugar and stuff like that. I don't mention the word ant. There would be the word ant in there. And I asked it, how many lakes does that have? It would answer six. But if I intercepted that and I put. And I changed the ant to a spider before it answered, it would answer eight. Now that starts to go back to the things of think. Don't think of a pink elephant. Anybody? Okay. Don't think of a pink elephant. No matter what, you don't think of a pink elephant. That's the mentalist trick. That would. If I asked you your a color eight minutes from now, you'd say pink. We have. There's more to these things than we think. And the. As I've said before, I've called it an impossible architecture or a one of the most insecure architectures, but there's a lot more than we know about them yet. And that's where analysis and some regulation has to come from somewhere and it's not. And that scares me.
C
So we'll move on from the unknown, as former U.S. defense Secretary Donald Rumsell would say of AI, to something that's become all too known and way too frustrating in so many respects. So I was joking before the show started that there are certain buzzwords in cybersecurity and in tech that you just get so tired of. And I think Laura was joking that whether it was quantum or for me, it's zero trust. I zero trust in zero tr.
B
I don't know.
C
I don't know if we can get zero trust squared. Miles.
D
Is this resilience? Because nobody knows what that means, but
C
this one is getting so much usage. Third party breaches and in particular Salesforce has been at the core of some massive issues. Not because Salesforce itself was breached, but because some app plugged into Salesforce gets owned. And it's been. It started with an AI app that they stole the OAuth tokens and they rode through that. And then in June, there was a platform for sales intelligence called Clue and it managed to get compromised. And in the breach was a bunch of cybersecurity firms Huntress and others all got caught up in this yet again. And I can't help but think, when is it going to end? It's just seems every other month and then it's a third party breach. We, we've got the story just this week on Accenture gets hit and we don't know if that 35 gigabytes is a nothing burger or real. But again, another third party breach and maybe I'll. I'll start with Laura and then we'll go from there. But I'm curious, are you sick of third party breach? Are we just going to have to ride this out for X number of years? Can we come up with a new term at least?
B
Yeah, there's a. There's an awful lot that can be encompassed in third party breach. Right. And a big difference between a live service that is inextricably, effectively embedded in the functioning of your business. So let's take authentication to your web site and your website is your business. That's a big difference. As far as a breach versus their code was breached. But you host on prem and then the whole spectrum in between. Right. Your data is with them. So in the example of a consultancy, right, your data is with them and they've been breached. But maybe that's really old data, maybe it's not relevant. So I think from the perspective of. Is this term getting tired? Sure. And it's non specific. Right. It means some part of you did something with at some point in time, had a breach. Maybe we need some more specific terms to deal with that. And it also, it's really important from the perspective of fatigue. Right. And I'm going to bring this theme up again on one of our upcoming topics. But not all breaches are not equal, Right. And it's really fatiguing to have to look into every single thing that comes across your feed. And a lot of human response is to just start shutting down.
C
Right.
B
We just start ignoring. And now in the spirit of the boy who cried wolf, if everything that comes up in my feed is a breach that's just not applicable to me, I stop paying attention and it makes me really vulnerable then to the time when I do need to pay attention. So that's my little ramble on third party breach. They're happening all the time, right. So how do. And there are services that help weed out what you don't need to pay attention to. But that is really the challenge, right? How to not get fatigued by it and be able to deal with the ones that do matter.
C
And Mike I want to turn to you from a. Because you've, you were involved in some of the development of some of the standards when it comes to compliance and other things. And I'm just wondering, it's like I've now heard people saying we've got to track third party, fourth party, fifth party, sixth party. And I'm like, the party's over. But I'm curious like how hard is this making compliance?
D
I'll probably start with the fact that it's. If you actually go deep down into each of them, I'm pretty sure it's just a wide circle that you end up being a first party at the end of the day as someone that's actually seen it from like the hyperscalers. And like when we like it was incredible because what happened for us, like when we were working on like the hyperscaler audits for like SOC2 and the ISOs and stuff, they what happened was like the pace of adding third parties is like absolutely uncontrolled. Right? And then you, you start to realize, okay, compliance, we're going to try to enforce some standards, we're going to send them questionnaires and try to get some posture and basically it's just a losing battle. And I'm just going to say it straight up, like, compliance is not the thing that solves for third party risk. There's no amount of regulation that's going to for it. Even though things like cmmc, which is like the Department of Defense that's mandating it now that you have to get this level of certification, standards associated with it is like, it's awesome. It's great because it's now enforcing people to like adhere to a certain standards. But is that going to solve for the third party breach problem? Probably. I can almost guarantee you it's not because people lie about it. Auditors can also be gamed. There's a lot of like incentive to not follow the rules almost. So that's what I would say. And then the other big part about this is the compliance, like where does the buck stop? That's the problem with compliance is like are you going to try to regulate the third party? Okay, awesome. Then now what about fourth parties? What about fifth parties? What about the actual like supply chain itself? So like it's just, it's a never ending battle in my opinion. And it's just like everybody. And the problem that I've also seen and I think it happens across the board is like, it's a blame game. They like pass it through. Oh, I'm going to blame the third party because they caused something and it created my risk. Like that's my frustration with this whole industry. In my opinion.
C
No, it's perfect, Jim. And then Jim wins. Bring the cuteness factor to 10 out of 10 with me.
A
Lou there is that it wants to be part of the show. There's a. One of my favorite books is is Dirk Gently's Detective Agency which is where he investigates the interrelatedness of all things. Which leads you to an insane conclusion. And I think that's part of the problem we have with this third party thing is you. It goes back to my old saying because you can't do everything doesn't mean you can't do anything. This is a huge problem. It's not going to go away. You gotta do what Laura's talking about. You gotta rise above it and say where's my biggest risks? Let me work at those one by one. Otherwise the only other path is insanity and we do the best. And Mike, I think you hit the nail on the head. Standards are a good thing. Yeah, they can sometimes be gamed, sometimes they're a problem, but they make the part of the problem go away. And if we can stick between focus and standards, we at least can protect our businesses which is about as good as you're going to get.
C
So we'll stay on the third party theme but I'm going to dig deeper into the kinds of third party breaches that I and vulnerabilities and issues that I hate the most. These would be my green eggs and ham of third party breaches. And it's security companies when they become the source of the breach. And we've got everything from a scene which is supposed to be the thing that you're putting all of your security logs to to give you the insights. And it has a high critical vulnerability, remote code execution. It's poor old Fortinet who regular listeners would know. We. We actually had to create a special segment of the show because of all the vulnerabilities which to their credit I'll acknowledge this, we've now managed to go more than 30 days and we're. They're still on the quarter challenge. It's very much a fitness challenge we've introduced to them to say can you go 90 days without a critical CVE? So hope springs eternal. And of course the headlines in June were dominated by fortableed which it's always those fun moments when a vendor comes forward and goes it's not us, it's you this time. And so it wasn't an rc, it wasn't a critical vulnerability, it was reuse creds but it was a lot 40,000, then it was 75,000, then it was 80,000 and of course the ransomware crews rolled in and I guess maybe I
A
think you need to explain what you mean by 70,000.
C
No. So these were fortinet boxes, whether they were firewalls, other things that ended up getting pwned. And I think the tally was we left June was 3500 ransomware attacks had been initiated with dozens successfully cashing in. So it was interesting for the first time we actually had the party hat funnel of okay, this many vulnerable devices, this many criminal crews, this many actual successful ransomware attacks and turns out start at the top 80,000 and you end up with dozens. But people are paying 6, 7 figures
B
so the money's good.
C
So I guess and maybe I'll start with Mike. Third party breaches, security firms.
D
I'm going to be a little bit of a devil's advocate here. David is yes, I agree, I don't think it's tolerable. But the other part of that equation is that they're usually the prime and the most treasure trove of targets. It's like exactly what Laura was saying. It's like where is the risk? Where's the concentration of these things? People knock on about defeating breached and active directory getting breached and like Microsoft being not secure, I'm like of course. But the thing is like the thing about like defenders is like you gotta be right all the time, right? And then the volume of attacks that go against you is it's so high that sometimes it's impossible. And I think that like security companies should get. Not necessarily, I'm not going to say it's they should get slack for it but like they also do have an elevated level of risk that do face them in my opinion. So that's what I would say as like defending against it. But like the things that I've seen that I would say when I see vulnerabilities that come up from like technical vulnerabilities that's I think I usually give them a little bit of slack. But when I see things like reuse credentials like basics is where I'm like what are you doing? It's clearly something went wrong. That's where I usually get annoyed is like technical vulnerabilities. I usually give a lot of companies as much slack as possible. But like when it's like a process oriented things that they like fall through the cracks, it's for me that's like, as someone that's like, that works in compliance and like sees like operational processes in and out, it's usually like a sniff test. I'm like, oh, something's rotten on the inside. There's like this probably a symptom of a wider problem and we want to build on it.
C
The reason why I've been so hard on Fortinet is they've been an incredibly successful company. They have done really well, they have made good technology, they are very popular, they helped make security very affordable for a number of companies. And so they are a market leader in this space. And when you look at some of these bugs that they've had, it's like they keep slapping duct tape on a problem that should require them to do a tear down and a rebuild. There's whole classes of bugs. They just seem to go to the first layer. Yeah, okay, we patched it out the door it goes. And as we're learning with these AI models to tie to the start of the show, what these things are really good at is when they figure out there's a pattern, they're going to be like, okay, you've got a problem with SQL Injection. Let's work SQL injection at scale and speed and see all the places you could have screwed up SQL Injection. So you know, I think I joked in our last monthly panel, can Anthropic, can you do Fortinet a solid and give them some of that mythos goodness so that they can get on this side of things? And the other running joke that I've had with Jim on the show is that it's been a consistent set of vendors and maybe there's confirmation bias. And I'll acknowledge this because we're in the news, we reported a lot. But it's, it's Cisco, it's Avanti, it's Fortinet. And I feel like that scene, and I've referenced this before from Harry Potter When Professor McGonagall is looking at the three main characters, like, why is it always you three? It's not always those three, but you get tired of seeing some of the same suspects in the headlines reporting back on it. And I don't know, Laura, if you have your other thoughts on these guys,
B
okay, so I have an immediate theory. It's just theory. I have no facts to back this up. But if you look at the ones that are getting a lot of headlines and the market that they extend into, you have these like, these kind of appliances because you can get some pretty cost Effective or like really big name recognition. So they're easy to find and acquire. You've got folks who are implementing them who really don't understand what they're doing, and that leads to a lot of openness. So here's the number one way to not have a breach on your Fortinet appliance. Don't expose the admin portal to the Internet. Like, just don't do that. And not just Fortinet on all your appliances. Just don't make the admin portal available on the Internet. That solves like the vast majority of the. It doesn't solve all of them, but the vast majority of them. Now if they didn't ship with that capability, that would. That. That's something the vendor could do is. Yeah, just stop doing that. You got a VPN in and be on your internal. That would be better. But anyway, so that aside. But if you look at Palo. I don't know a lot of small businesses buying Palo Alto firewalls, right? We don't hear a lot about Palo Alto in these breaches. I don't know whether it's because they really are that much better technically or whether it's because the people who are implementing them have better security hygiene.
C
Just a theory.
D
That's a hot take, but I have some theories on that. But that's a whole separate thing that I can't talk about because people are going to hate me for it.
C
Oh, no, Mike. All right, sorry. We're gonna.
D
We're gonna.
C
Jim's not gonna. The hook.
A
No. Hey, no. David's still getting invited to fortnet lunches, so say what you want.
B
We.
C
Jim and I did discuss. We weren't can. We weren't 100% sure this was an attempt to push me off of a boat at that.
B
Who knows?
A
I let him go. I wasn't going.
C
No, no.
D
I only think it's a combination of issues like where you see, it's like. I don't know where to put the blame, but I would probably say it's a common. I think I would weigh quite heavily on the implementation because I think usually the enterprises that are adopting the more sophisticated tools tend to. You know what? Here's my thought. If you're trying to save money on cybersecurity, that's the first kind of like that just tells you everything. I think
C
bought the cheapest security I could find is not a line that you want to be as a CISO telling a boy in the midst of something. Just as a regular reminder, a good friend of mine John Proctor once pointed this out. When you play it back in your head, you're like, oh, I've got a budget, I'm working on it, et cetera. But when you say that line, I bought the cheapest thing I could find, it suddenly doesn't feel as good.
B
The fair and better way to put it is I bought the thing you allowed me to afford.
A
You know the funny thing is though, this is really true. There's a lot of people with who can shoot off some smart aleck type of stuff about nothing wrong with security that another quarter of a million couldn't fix. A buddy to their ciso and they're exactly the same guys are going, when you do have the breach, we're going, why didn't you tell me? Why would you. Why didn't you convince me Corporate. I'd given up on corporate culture long ago. That's and its discussions. But I do go back to this idea that Laura brought up and I think it's. I want to keep coming back to that is you can cut out 90% by doing things that aren't stupid and you refer to it as mike as well process. And I know it sounds oh, we should be talking about all these great things, but a questioning employee who doesn't click on a phishing email is worth their weight in gold and that. So I, I think we've got to keep, we have to keep ahead of these things. And yes, it'd be nice if Mythos could be applied to fortinet devices or everything and find all those vulnerabilities that would be wonder and I hope that happens. But in the meantime, toss away those, the jabs you get from the executives about what you're spending and all this other stuff and focus on the fact that we need to keep our places secure. And I'm going to have that conversation and I'm going to have it with you and I'm going to do it knowing that's the way we're going to protect ourselves.
C
So I'm going to, I'm going to shift the this topic order just slightly. I know we're getting closer time but I want to stick with the beleaguered CISO for a second and also regularly say this but Laura gives great advice and what we just heard earlier was billion dollar class advice A AKA device maker stop shipping admin interfaces that are open by default. Number one, here's that crazy even just don't allow it.
B
Like why, why would you have an admin interface on the Internet? Just don't Put it. It's not a feature, it's a bug. Yeah.
D
Do you know what's the biggest thing that we see on, like when I was doing like Fortune 500, like I sign for security audits, like Oracle databases, the default password not being changed. That was like literally the first thing that we were trained to check. I still remember the password. There's default data passwords for SAP, Oracle and all these things. Database is not checked.
B
Like the.
D
And then the Cecil's talking about, let's encrypt our database. I'm like, dude, buddy, you're on. So, like, your encryption isn't going to
C
feel like you need that T shirt. Mike, buddy, you're a customer.
B
Yes.
D
Like, I got in. And then we're like, what is this guy that like just got into our systems? I'm like, no, I just did literally the first step that you're supposed to do.
B
Right.
C
And that's where we are in 2026. It's still the basics, but let's go back to this idea of the CISO job. So one of the stories that we regularly cover is research surveying the health of the top security job. And not surprising to see yet another headline, yet another qualitative survey. CISO's no happy in 2026. More than ever are contemplating, maybe I need to do a career choice, maybe I need to change. And it's interesting because I think that the 10 that Laura and I just highlighted. How much budget do you have? I bought the cheapest thing I could get versus this is the budget I have. It seems like an untenable position. And so CISO burnout is breaking and it's rising. And what's interesting is they went from one of their number one concerns was personal liability. So you had the wake of the Uber case and a few others where CISOs were head personally liable and that freaked out. And I was in the room with a number of CISOs at national forums and I can tell you they were freaking out about that. That concern plummeted in its place. Everywhere. Shadow AI people doing AI executives. And I'm a CEO, so I'm going to own a mea culpa for all CEOs. Us wandering in a room and saying,
D
we got an AI app, we got
C
to get going on. This AI thing is probably not helping
D
IR out in my company.
A
Can I jump in for a second? David, this topic, and that's my, my. I have a friend, I'm not going to mention his name, but you probably know him, he who just retired, took early retirement. He was a CSO. He looks 10 years younger.
C
Yeah.
A
In two weeks. I'm not kidding you. This is a man who is a great guy, but he looks 10 years younger. And for anybody who wants to take this to a personal level, I used to be a cio C. So back in the days when I just. The company was large enough to have a cio, but not large enough to have two, the only time I ever laid awake at night with my stomach just aching and unable to sleep and wondering what the hell my life was going to be about the next day was when we were in a breach that just wouldn't go away. It was. And it was just. And my staff were working, we were working, the company was threatened and it was me. I was the one who was on the hook for it. And these are real personal things. So when people talk about making CISOs accountable with legal avenues, I look at it and go, good luck finding another ciso the first time somebody's convicted.
B
I think it's important to look at it as both from the company culture perspective and where that can help or hinder. And then also I think there is still there is a role for criminal liability because the problem that has emerged over the course of time is you get people who are willing to take a cool sounding title who don't know what they're doing. Doesn't tend to happen in the large enterprise, but you definitely see it in mid sized companies that are big enough to carve out a job for a ciso and you get somebody in that role and they really don't know what they're doing and they make extremely poor choices and they don't talk to the others in the company, they don't explain what's going on. And there is, I think, a liability to putting yourself in that position. You should figure it out pretty quick and then not doing what you need to do to get better or not getting yourself out of it. Right. So I think there is something in that where it's just you've done such a poor job that is criminal. The vast majority of CISOs are not in that category. Right. But there is something to that. So the other side of it is actually going back to the start of the show having friends, and in this case, your friends need to be the rest of the executive and leadership team and they need to not put it all on your shoulders to be the security person who does all the things to protect the company. Right. We talk about this often at the employee level, but I don't think we often talk about it at the executive level. So to use a much more broadly thought of business analogy, if the company's not making money, it's not the CFO's fault, and it's not necessarily just the sales and marketing person's fault and it's not just the delivery executive's fault and it's not just the CEO's fault. Everybody needs to be at the table working together to help the company make money and security is exactly like that. You have somebody who's your best expert, but everybody needs to be at the table helping with that. And then when there's a breach, if you establish that culture early and that's ciso would love working in that kind of a company. So more companies, you want to be like that. But then when you do have an issue, it's not everybody turning to the CISO and going, wtf man? It's everybody turning to the CISO and saying, we're here. How can we help?
C
I think it really can't be said better than what you just did. The worry that I have is that the people who sweat about the liability are the good ones who know what they're doing, who have that imposter syndrome. Am I good enough? Is this, am I going to get in trouble? And the dangerous ones, and I've seen a few over the years, they are so far on the Dunning Kruger curve of overconfidence on that side that they're like this all, they don't lose a wink of sleep about liability. So while I agree with you in broad principle, it is needed on that side. And I, I, I, I worry still about the impact on it. Although the survey does say that worry is sliding. Mike, you get a chance to see and work with CISOs all over the place. Laura mentioned culture. Is there anything else we can do for the beleaguered ciso?
D
I think there. So I used to have, I still have this theory. I think there's like profiles of CISOs, in my opinion. There's what I call the next generation of CISOs. And then there's like the old seen cult. They're like burnt out, tired. And the team CISOs, I mean, to get head.
A
Watch it, young fella.
D
And so what we've seen is I think the best CISOs that I've seen are able to balance like the limitation of the tooling. They recognize their own limitations. And to say this is what I can control, like the most fundamental principle. I think everybody, it's almost as if a lot of people Forget about it is like cybersecurity. Everybody talks about the triangle, right, and the confidentiality, integrity, availability and all that stuff. But if you go back to the foundational principles of it is like, it's a pure exercise of risk management. Where are you going to put your resources and tactically apply what you need to do? And I think the ones that, like, have the best sleep, in my opinion, and the ones that are the calmest usually have an incredible insight into understanding their posture. They have a very great context of why a certain decision was made. And so I think that's. And I think you can't know everything, but they are spread around the organization enough that they know something about everything, essentially. And I think it makes them a very effective CSO for what we've seen.
C
No, I love it.
A
One question I'd like to leave you with and dovetails off with Laura says, is you may get the CISO you deserve. Not. Yeah, maybe the team needs to think that through.
B
And you're really lucky Mary Poppins will show up and be your butt whip.
D
Yeah, yeah, yeah.
B
But don't get a Mary Poppins.
A
So true.
C
You get the CISO you deserve. It's funny, when I was listening to your point, Mike, I couldn't help but think about Rucker Hauer's speech in Blade Runner, right? I've seen things you wouldn't believe. And it's like there's that class of
B
CISO that's out there.
D
The best CSOs I've seen are usually, I, I, they, I don't know if they show it or not. They're usually the calmest, the best. See, so that I've seen was like we were in middle of an incident and then live attacked and just took over the room like a general.
B
Right?
D
And then everybody was like, everybody stay calm. You do this. This is what we do. And then they never made any rash decisions, and then we made it through, but it was a lot of work. I think the CISOs that we see are just, I think the ones that I agree, Dunning Kruger is very prevalent because a lot of people almost fall into the CISO role because they're like, fancy title, they want to go up and all that stuff. And then the overconfident ones versus the ones that know the limitations, I think are the ones that I tend to be the best, in my opinion.
C
Awesome. I want to leave the show on a positive note, so I'm going to talk about some wins for the good guys. So in June, the FBI and law enforcement around the world launched something they called Operation Riptide. And they went after criminal infrastructure, including large phishing. As a service providers, they have been squashing scattered SPIDER members left, right and center with the latest hauled into a Chicago court flown all the way from Europe trying to get around them. Although this kid.
D
Wow.
C
Again, charges have not been proven in court. But this Peter Stokes was nailed by a Windows global ID tied to the device. So he was hiding behind the VPNs. He was obfuscating. But he was also on the socials, posted the pictures. I kid you not. A diamond encrusted hacked the planet. Kids, you're opsec Cops aren't always fast, but they're persistent and they're funded. They are your apt. Maybe we'll call them the app. Right, the advanced persistent police. And they have tools.
A
I just think there was some cyber cop out there who was looking at these posts, these social posts of this kid who posted all this stuff. They found the identifier from his machine. He'd done everything technically, he'd done everything in the movie, circumvented all this sort of stuff. And I think there's the Clint Eastwood cop who's looking at going, go ahead kid, make my day.
C
You have to ask yourself if you're using Windows, do I feel lucky? Do you, punk?
A
But sometimes the good guys win. And just to take this back to. I don't want to be too serious about this. We talked about these, the political things that are happening, all of this stuff. I. One of the things I hope we can hold on to behind the scenes is this idea of all of these different agencies cooperating because we. They're starting to see some success with. When all of these countries get together and they band together, they use their resources to the best to go after some of these people and take out at least the big ones. Sometimes the good guys win and something
C
that's not always popular right now to say, and sometimes it's hard to come by. But the United States continues to show leadership in the global fight against cybercrime at the law enforcement side, particularly the FBI and others. And I've had the privilege of meeting some of the most senior leaders in the United States in these various agencies and they are still talking to their global counterparts. Politics, be the politics for once. We can set those two things aside. But cops are still working to do the right thing. And that's a hopeful notion. And we'll note that we're taping this after the 250th for the US and it's one of those things that gives me great hope for the future is people are still people, people are still connecting. Good guys are still gals are still finding ways to win. So I don't know, Laura or Mike, if you had any other thoughts about watching all these busts roll out, strategically communicated and just win after win. But it was nice change of pace from the headlines.
B
Yeah, I think it's important, and this is always the first step to seeing meaningful change from a criminal activity perspective. Right. Is people have to know that there is a strong possibility of getting caught for the laws to be any form of deterrence. So that's the first part. Now the second part is, are the laws going to be sufficient to get to conviction? And. And that is still a big challenge. Right. A lot of our laws are very old and they are. It's interesting they have persisted because they were written in certain broad strokes sort of ways that they could still be applied in interesting and sometimes unique sort of ways to keep up with the current challenges. But on the other hand, you. You really don't want to have to leave it up to the judge to pick apart whether the. This line of reasoning holds and still apply. So I think there's still a lot of work to do. But I'm not going to spoil the win of at least getting an apprehension and getting people into the country where they are being charged because extradition's also very challenging to coordinate.
C
And one of the things, I will give props to the American legal system on this because I think just in the. In where I am, in my head, I. They don't care how you get to the United States. Once they can get you. If they get you there through an extraordinary hearing, great. If they grab you in a van, the judge don't care. Once you land in an American courtroom, that argument's moot. It's. We're going to deal with the matter at hand and I gotta give them points to that.
B
I kind of. I'm gonna be. I don't know that I'm a big fan and because, yes, for every bad guy that gets manhandled that way, there's somebody who is innocent and of political interest who equally could be grabbed that way. So I will always fall on the side of due processes there for a reason.
C
So we know who lawful order is and we know who chaotic good is in the conversation. Mike, did you have any thoughts about the positive winds of June?
D
I think so. Here's my thoughts. I think we have data, we have undisputable data that says sharing and sharing is caring essentially. Right. Like you got fs, isac, you got like different like sharing organizations across the board in private industry and public industry. So I think there's like undisputable data that needs to be a bit more enforced and almost as if the part that I really do cure, I do think about is is this where a lot of like laws could even enforce it. It's like you have to share all the information and have like, like specific sharing agreements across different boundaries and stuff. Because like it feels like a small win to me in my opinion. Or it's, it feels it doesn't. Maybe it's not as maybe I'm underestimating how difficult it would be, but it feels like a low hanging fruit with a very high roi. But that's just my thoughts.
B
Yeah.
C
Yeah. I think the war is far from over, as they would say. But it's nice to see some wins on the board and these are things only government can and let me be clear, should be doing. In terms of fighting back, which we've talked about the show before, I'm not a big fan of the let's all become cyber privateers. As cool as it sounds, there's a whole song here in Atlanta, Canada that talks about the ups and the downs of privateer life. But government has this unique role in place whether it's law enforcement or intelligence or military services, cyber branches this, we can't just keep taking punches. So it was nice to see a win and nice to end on some Hopium. Normally I'm doomsday Dave Bringer of the latest disaster, but it was nice to see some wins in June. Also Fortinet foe Fortinet accountability.
A
There you go, that's our show. Thank you very much to the panel to David Shipley, our usual resident culture critic, but I got it a couple of shots just to let you know, not totally out of it. Laura Payne always bringing the voice of reasonableness and keeping David from going into into serious manic states here. But also thank you Laura for being on the show and Mike Kim are for first time on the show and you know I'm looking at this and I'm going Mycroft Sherlock Holmes, smarter brother.
D
Yep.
A
And the name of the company. So there you go. I not only is his name a palindrome, but the name of the company is interesting as well. Thank you so much for being with us, Mike. Mike, Appreciate it.
D
Glad to be here.
C
Thank you.
A
And thanks to all of you for listening. If you've gotten this far, then you've shared this time with us, and we're glad that you did. David will be back with the news on Monday morning. Once again, we'd like to thank NORD Layer for their support in sponsoring this show. Teams today work across multiple tools and devices, but security often remains fragmented. This is exactly what NORD Layer can help you address. It provides a network security platform with easy to manage network access, monitoring and control, and without additional hardware or complex infrastructure. Nordlayer helps businesses of all sizes manage and secure access to company resources, going beyond what traditional VPNs can offer. And it provides encrypted connectivity connectivity with visibility across your entire network environment. And did we mention no new hardware required? Visit nordlayer.com cybersecurity today and use the code NLSUMMER26 for a special discount during their summer sale.
Podcast: Cybersecurity Today
Host: Jim Love
Date: July 11, 2026
Panelists: Laura Payne (White Toque), David Shipley (Beauceron), Mike Kim (Croft)
This panel episode explores the latest cyber threats and breach disclosures, the increasing risks enterprises face, and practical strategies for security. Key topics include AI export controls and their global repercussions, ongoing third-party breaches, the high-profile FortiBleed vulnerability, and the growing problem of CISO burnout. The discussion is rich with personal stories, expert takes, compliance realities, and several memorable, candid moments.
“For every author that actually sells something, as an indie author, there are a thousand people out there who've got a book in their heart." — Jim Love [04:13]
"It's the emotion that's the target. It's not how smart you are.” — David Shipley [05:12]
“Even in the process of calling your friend up and talking about whatever this thing is... That's really important. Phone a friend.” — David Shipley [06:31]
“We need to open non-judgmental discussions with everybody and raise these things... I’ve could fall for it too.” — Jim Love [07:57]
“Use these to find the bugs. But you have to remediate them ... You can't get paralyzed by the hype.” — Jim Love [11:51]
“We're still catching up on basics right now... The foundational model behind everything is not as like breakthrough as we thought.” — Mike Kim [13:40]
“It was so short that this was a real wake up call before anybody had linked anything... You always had that risk.” — Laura Payne [16:00]
“Governments are starting to get loud... We're seeing a retrenchment and it's not unique to the United States.” — David Shipley [21:34]
“The power that they have is regulated only by your belief in them... There's a role in the middle... for some standards.” — Jim Love [22:59]
“We've got to track third party, fourth party, fifth party, sixth party. And I'm like, the party's over.” — David Shipley [30:14]
“Not all breaches are not equal... It's really fatiguing to have to look into every single thing that comes across your feed.” — Laura Payne [29:03]
“Compliance is not the thing that solves for third party risk... There's a blame game.” — Mike Kim [31:55]
“It's always those fun moments when a vendor comes forward and goes, it's not us, it's you this time.” — David Shipley [35:02]
“Technical vulnerabilities... I usually give a lot of companies as much slack as possible. But when it's like a process oriented thing... something's rotten on the inside.” — Mike Kim [37:07]
“Just don’t make the admin portal available on the Internet. That solves like the vast majority of them.” — Laura Payne [39:54]
“The only time I ever laid awake at night... was when we were in a breach that just wouldn't go away... and it was me.” — Jim Love [46:10]
“If the company's not making money, it's not the CFO's fault... Security is exactly like that. You have somebody who's your best expert, but everybody needs to be at the table.” — Laura Payne [48:02]
“The best CISOs that I've seen are able to balance the limitation of the tooling. They recognize their own limitations... They have a very great context of why a certain decision was made.” — Mike Kim [51:16]
“You may get the CISO you deserve.” — Jim Love [51:47]
“The fair and better way to put it is I bought the thing you allowed me to afford.” — Laura Payne [41:57]
“Kids, your opsec... Cops aren't always fast, but they're persistent and they're funded. They are your apt... Advanced Persistent Police.” — David Shipley [54:06]
“Sometimes the good guys win... the idea of all these agencies cooperating... that's where we start to see some success.” — Jim Love [54:39]
“We have data, we have undisputable data that says sharing and sharing is caring essentially.” — Mike Kim [58:14]
This episode blends technical insights, practical advice, real-world context, and the very human challenges leaders face in cybersecurity today.