Nicole Bukala

You're listening to the Cyberwire Network, powered by N2K.

Katie Jenkins

As we take a short break for.

Nicole Bukala

The holidays, we want to thank you.

Katie Jenkins

For being part of our community and.

Nicole Bukala

For tuning in throughout the year. Today we're bringing you a Special Encore Episode 1.

Dave Bittner

We'll hope you enjoy revisiting or hearing.

Nicole Bukala

For the first time however you're spending the season. We wish you happy Holidays, a safe and restful break, and as always, thank you for listening.

Dave Bittner

Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With Threat Locker allow listing, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with threatlocker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today.

Nicole Bukala

This episode is brought to you by State Farm.

Dave Bittner

Listening to this podcast Smart move Being financially savvy smart.

Nicole Bukala

Another smart move. Having State Farm help you create a competitive price when you choose to bundle home and auto bundling. Just another way to save with a personal price plan. Like a good neighbor, State Farm is there. Prices are based on rating plans that vary by state. Coverage options are selected by the customer.

Dave Bittner

Availability, amount of discounts and savings and.

Nicole Bukala

Eligibility vary by state.

Michael Mastrol

Hi, this is Joe from Vanta. In today's digital world, compliance regulations are changing constantly and earning customer trust has never mattered more. Vanta helps companies get compliant fast and stay secure with the most advanced AI, automation and continuous monitoring out there. So whether you're a startup going for your first SoC2 or ISO 27001 or a growing enterprise managing vendor risk, Vanta makes it quick, easy and scalable. And I'm not just saying that because I work here. Get started@vanta.com.

Dave Bittner

Foreign. And welcome to this N2K CyberWire Special Edition Beyond Cyber Securing the Next Horizon. I'm your host, Dave Bittner. Today we're looking past firewalls and phishing emails to explore the future of security, where strategy, innovation and AI converge to defend a rapidly shifting threat landscape in this episode, we're joined by a powerhouse lineup of guests who are shaping that Future. First, Dave DeWalt, founder and CEO of NightDragon, takes us inside the high stakes world of cyber investment, where the next wave of security innovation is getting its fuel. Then we hear from Nicole Buccala, CEO of Databee, who breaks down the reality. For today's CISOs, it's not just about tech. It's about time, talent and trust. Next, we hear from Michael Mastrol, VP of sales engineering at Dataminer and bringing us into the world of agentic AI, showing us how smarter tools are helping security teams detect and respond before the damage is done. We'll also hear from Joe Levy, CEO of Sophos, on why the future of cyber defense depends on tighter integration from cloud to endpoint, and why innovation without coordination is a risk itself. And Katie Jenkins, CISO at Liberty Mutual, sharing what's keeping CISOs up at night? What's giving them hope? So whether you're leading a security team, building the next great startup, or just want to stay one step ahead, stay tuned, because the next horizon isn't just coming, it's already here. Our first guest knows the cyber industry, from the boardroom to the battlefield. Dave DeWalt, founder and CEO of Night Dragon, has been at the helm of some of cybersecurity's biggest names. Now he's investing in the future, betting on the next generation of security innovators. He joins us to talk trends, risks, and where smart capital meets smart defense. It is always my pleasure to welcome back to the show Dave DeWalt. He is the founder and CEO of NightDragon.

Michael Mastrol

Dave, welcome back, Dave, thanks for having me.

Dave DeWalt

Look forward to another RSA coming up and lots of opportunity to see friends and kind of family, this whole cyber community. So thanks for having me on the show again and thanks for all you do as well.

Dave Bittner

Well, thank you. I appreciate it. And speaking of RSAC, this year, NightDragon is hosting the Nightdragon Innovation Summit, which I will mention, N2K CyberWire. We are media partners with that event and very pleased to be taking part in that. So if folks haven't checked out the information on that, please do. Again, it's the Night Dragon Innovation Summit. Dave, as we're heading up towards RSA conference this year, what are you planning on looking around for? What do you have your ear to the ground when it comes to innovation in the cybersecurity sector?

Dave DeWalt

Yeah, there's so much every year, Dave. It's always amazing to touch base with so many different people. Nightdragon we have a very specific strategy. We try really hard to unite as much as we can of our ecosystem of portfolio companies, our partners, our advisors, into forums like you mentioned, the Innovation Summit, but really create a balance of that where we can see some of the most young and exciting technology that's emerging, like AI and even quantum areas now, but also hear from the large titans in the industry as well, the Palo Alto Networks, the crowdstrikes, the Checkpoints, the Microsofts, and really see what they're doing. And we all know the word platformization from last year, which is a lot of the buzz again coming in this year because many of the large companies are doing extremely well. They're continuing to grow. But we've also had some unparalleled and unprecedented events over the last year. It's not just the geopolitical environment we could talk about, but also the acquisition wiz by Google for $32 billion. I mean, look at the history of cyber. I mean, this is very unprecedented. And so there's a lot of good buzz coming into it, a lot of nervousness and I think anxiety a little bit too, because, you know, what once was a pretty strong public private partnership model with the government still has yet to be kind of vetted out. So we're kind of anxious about it in some ways, excited about all the technology in other ways, and really happy to see friends and family and all our partners and portfolio companies at the same time all in one place. San Francisco, exciting times.

Dave Bittner

Well, what sort of themes are you seeing from founders right now? Are there, are there any categories or types of companies that feel particularly hot? And then on the flip side, are there some things that might be a bit overhyped?

Dave DeWalt

Yeah, you can take, you know, just take a look at the last 84 days of this administration and you can kind of a little sense of some things that are quite hot because of some of the administrative policies. One of the areas is third party risk management. I mean, how many companies right now are trying to figure out what the tariff impacts are on them? How do we understand what the tariff impacts? So supply chain risk management, I think is one of the hottest areas right now because it hasn't been really deployed much. It needs to get deployed more. We need more visibility. It's not just a tariff risk or threat, but the cyber elements of it all too, because we see now a focus on China and other countries when it relates to threats and risks of tariffs and how does it affect your supply chain. So that's one like, I hate to call it, you know, du jour, but it's like a big important one. But the bigger themes, Dave, are also really important. We're watching the wave of AI really manifest itself into really pragmatic, usable solutions at scale now. I mean, the last two, three years I've been there hosting events and AI summits and things, you know, a lot of ideas and a lot of visions becoming reality. And this is really attractive to many defenders that are out there, because if we can begin to scale our operations through autonomy or now agentic AI, it gives a defense, a powerful lever against the offense for the first time. And many CISOs are restrained by the number of humans they can put in their SOC operation or the number of people they can afford or contractors they can support. Autonomy has a way now of creating good bots and good capabilities to scale. So I'm really looking at RSA this year as the year of agentic AI. And we can see it, agentic AI being used for a lot of different reasons. Agentic responses for faster response to a threat. Agentic scale for humans, pen testing areas of autonomy, threat management with autonomy. So you're going to hear autonomy and agentic AI, and if you just count the number of times they're set in every keynote, we can make a bet here for how many nickels we could win.

Dave Bittner

You know, with all this innovation that we're tracking here, and you alluded to this earlier, how are you seeing cisos balancing between Best of Breed and best of Suite platforms? There's a little bit of attention there.

Dave DeWalt

Yeah, a lot of, bit of tension there, Dave. It's a pendulum I've talked about for many, many years. Two decades, you know, best of breed versus best of sweet. And it's like a pendulum. And you can almost watch it over the years, you know, as the threat environment got more and more difficult, it would move to best of breed because you would typically see the need for new vendors filling holes that the bigger vendors couldn't solve quick enough. And then as the market maybe, you know, calm for a little bit, you'd see the best of suite emerge. Now we have like almost both of those happening. You have the rise of the titans, I like to say, which are the largest cyber titans, Palo Alto Networks, Zscaler, crowdstrikes, checkpoints, Fortinet types. But you also have the rise of the cloud titans who have massive businesses as well. Microsoft, aws, Google, now with all the acquisitions, especially of Wiz. But Mandiant, they've spent nearly 40 billion buying into the cyber market over the last two years. So you're watching this clash of titans and it's a really interesting dichotomy of young companies filling new areas of threats and risks while platform vendors try to gobble it all up. And it's going to be, I believe, the hottest topic yet again, maybe outside of the government, and what's the government going to do, but platformization, best of breed, best of suite. It's a real important topic and it's hard for CISOs to balance because they don't want to get too much economic dependency on a big vendor. But they also know they can get advantage in a single suite that's integrated. So how do you create a balance of the two? It's really a popular topic. Many CISOs are veterans at this because the average number of vendors is somewhere over 50, average around 80 vendors per large enterprise. Anyway, so they're used to it, but would they like to create efficiency and cost economies? Absolutely. But they got to make sure there's no new threats and risks, so they need the new vendors. It's a really interesting. It's such the shape of cyber and the world of cyber. I find it super fascinating.

Dave Bittner

Yeah, let me put you on the spot a little bit here. As you're looking ahead towards the next year or so, maybe into the following year, is there anything on your radar that you think isn't getting the attention that it deserves? Something that's kind of lurking in the shadows, that may surprise people?

Dave DeWalt

Yeah, I have several and these are important to keep an eye on. You know, my entire career, 25 years of being in cyber security, largely has been all about the transmission of malware in a physical form factor, almost like a digital factor, meaning files and remote access tools and spear phishing and other types of ways to deliver payloads into a network or onto an endpoint. But it's changing and we're seeing the world of electronic warfare begin to meet cyber. And this is a little scary when it comes to the ways in which we can create denials of service, disrupt protocols and channels using RF or radio frequencies. We're watching the emergence because of wars in Russia and Ukraine and Israel, where The inertia of EW or high performance microwave HPMs really now create a next threat level in the world of cyber. Because if I'm able to steal your data from your phone, say, or from your computer, from your data center using RF or electronic capabilities, I don't really have any defenses for that yet. So we're watching offense really hurtling towards capability in the areas of electronic warfare. I think we're going to be talking about it. I don't see any keynotes on it at RS say yet, but having my pulse to the ground as I do things, I see this is in the war theaters already. Offense has these capabilities, defense is really fire behind and we got to catch up. And then the second one quickly is Quantum. We're watching what once was. Everybody's thinking horizon two or three, you know, maybe 20, 30. We'll see the world of Qubits and Quantum capabilities. Man. Wow, is that happening fast. Almost like AI did. Like all of a sudden Transformers came about and next thing you know we had amazing capabilities, chatgpts and deep sea glass years and like, wow, look at all this stuff happening. I think Quantum is going to surprise a lot of people. In fact, one of my showcases at the Innovation Summit is around Quantum as well as AI, of course, but we're trying to show like what's coming in the next kind of 12 months, 18 months, Dave. And keep an eye on Quantum, keep an eye on electronic warfare and there's other areas of course in AI and model drifting and model management, that's really important as well. But two ones on the horizon, Quantum and electronic warfare.

Dave Bittner

Well, the Night Dragon Innovation Summit is happening at RSAC 2025. We'll have a link to that in the show. Notes. Dave Dewalt is founder and CEO of Night Dragon. Dave, thanks so much for taking the time for us.

Dave DeWalt

Thanks for having me, Dave. Look forward to seeing you there too. Thank you.

Dave Bittner

Today's CISOs are juggling more than ever. Threats, tools, compliance and burnout. Nicole Bukala, CEO of Databee, knows this struggle firsthand. She shares what she's hearing from security leaders in the trenches and what it really takes to build resilience in an overwhelmed world. So we are coming up on database 2 year anniversary since the launch from Comcast. I have to say, first of all, time flies. But I'm also curious, how is it going? How's it been for you all two years into your startup mode?

Nicole Bukala

It's been a really exciting, rewarding and learning filled journey. One of the most amazing things about this journey has been the deep interaction with practitioners. It's why I came to Comcast to start this business to begin with. As a quick reminder for anyone who's not familiar, datab is a commercial version of a security data fabric that was invented by Comcast's own global ciso. And so as we build out more and more use cases for database, we actually interact with and are inspired by a variety of different groups at Comcast. So whether it's the Governance, Risk and compliance team, or the Vulnerability Management team, or the IT team that works with the CMDB and the Asset Inventory or the Threat Hunting team, there is just so much learning that happens all around with a beautiful interaction between those practitioners and then the variety of highly skilled software developers and customer facing professionals that have joined the datab team from a variety of different companies. Amazingly, we're already over 120 people strong worldwide and we have employees across three continents and six countries, the solutions available both in the US and in Europe for sale. And it's just been so great to see customers implement it and just be so happy with the results.

Dave Bittner

Well, let's talk about some of the data challenges that CISOs are facing today. What sort of things do you find they're grappling with?

Nicole Bukala

So the number one thing I find them to be grappling with is the increasing demand for reporting to show compliance with certain security frameworks. We have customers that follow NIST CSF 2.0. We have customers that need to show compliance with the PCI DSS 4.0 regulations, and then we have customers that have to show a set of dashboards that align to the Gartner ODM metrics, and we have customers that have a mandate to align to the CIS controls, all 18 of them. And so this need for reporting has created a lot of pressure on these security and risk teams and they're looking for ways to automate the reporting and to have higher fidelity in the data that underlies the reporting. And so it's been really interesting to see such a wide variety of frameworks be adopted, yet the mission is all the same, which is, how can I have better faith in what I have and where the gaps are and what I need to do to close those gaps. And then sometimes customers need to prove, whether it's to regulators or to their board, that they have certain controls, that they know where the blind spots are and that they're doing things to cover those blind spots.

Dave Bittner

Well, help me understand how organizations do that. How do you connect the dots between the different security data that you have to be able to demonstrate compliance?

Nicole Bukala

Yeah, that's a great question. And this is an old problem. You know, I think a traditional approach that folks took was to, you know, output a data file, a static data file, to something like a CSV, which is a spreadsheet. And then they found themselves working with data in different spreadsheets and trying to merge that data into some sort of dashboard with your typical images like pie charts and bar charts and trying to tell a story. The problem with that traditional approach is as soon as you export data to a CSV, the data is now old. And so if you have a need to do reporting continuously, or if not continuously, then on some recurring basis, perhaps quarterly or yearly, the act of having to wrangle everything together in spreadsheets ends up creating an inaccurate submission at the end of the day. And so what we do is we have a proprietary ingest, parsing, normalization and correlation technology that allows for this data to be continuously ingested and, and not just ingested, but parsed and then arranged and then triangulated with each other so that the dataset is always ready for that analysis. And on top of that, we actually provide an alignment with the frameworks that I just mentioned, reports and dashboard templates that draw on that data and render the data into over 30 of the most common controls metrics that a leader of security and risk in a regulated company want to see today.

Dave Bittner

So suppose I'm under more than one data regime here, or I should say regulatory regime. I'm covered there as well.

Nicole Bukala

Yeah. So we actually built into the tool the ability to toggle between different regulatory frameworks because the reality is that, you know, if you need mfa, you need mfa, and many different frameworks call for that. Same with endpoint detection and response. Many different frameworks call for that. Now they may meas the control slightly differently or they may include different aspects of that control, but we actually have built the ability to toggle between them. And so that just further aids in the automation and reduces the amount of manual work that any sort of data reporting team is going to have to do.

Dave Bittner

I want to switch gears with you a little bit. We have RSAC 2025 is coming up fast. I'm curious, what kinds of things do you expect to see and what are you looking forward to this year?

Nicole Bukala

You know, I expect to see AI everywhere and then the latest buzzword, which is agentic AI. Right? Yeah, I think that's still going to be very much the talk of the town. And it seems that there has been a maturation in how folks are thinking about AI. And I'm really seeing two themes in the security space. One is how do I better prepare my data for AI so that I get high fidelity results because the power of the AI and particularly the generative AI, which is the AI that learns, is only as good as the data upon which it learns from. And so we're seeing more and More focus on understanding data. For some companies, that's really daunting and for others, you know, they're prepared. But I think there's going to be a lot of intellectual discourse there. The other area is around using AI to replace certain human tasks. And I'm seeing more and more suggestions around how can frontline security analysts, how can that role actually be replaced by an AI chatbot? Or how can you use an AI chatbot to suggest alerts to look into and to suggest playbooks for response. So I think there's probably going to be a lot of hands on demonstrations and opportunities for folks to experience AI at the conference. And I'm really excited to see what's gonna be available on the show floor.

Dave Bittner

Yeah, it's a really interesting insight. My personal take is that we kind of started off with unbridled excitement for AI and then we kind of went through this what I'll call the eye rolling phase, where it was everywhere and everything and was going to do everything for everyone. But I feel like we're kind of on the other side of that and we've distilled it into the things that are really useful and kind of recognize what it can and can't do. Do you think that's an accurate perception of what's going on out there?

Nicole Bukala

Yeah, I completely agree. I think we're on the backside of that for sure. I still think there may be a little too much buzz. And you know, buzz is only deleterious when it means that someone skips over the fundamentals. But that's where I think a lot of the data companies like ours come in. Because they serve as a reminder to folks that AI is not just a band aid or a panacea. There are prerequisites, there are foundations that have to be put in place first. And so I think we are seeing more purposeful discourse about that. We're also seeing discussions about how to use AI in the workplace productively without actually adding inefficiencies, so that there can be places where AI can actually add inefficiencies if it is used to deliver a result that actually isn't 100% accurate and then requires rework or management oversight. So we're now seeing more discourse about company policies around AI, around training, around AI, so that people use it in a way that's helpful and not in a way that actually leads to rework.

Dave Bittner

You know, Data B is coming up on your two year anniversary since launching from Comcast. Looking ahead to the next two years, how do you plan to Stay ahead of the curve. How do you, how do you stay relevant in a rapidly changing field like cybersecurity?

Nicole Bukala

It's a great question. One of the things that we have to our advantage is Comcast actually acquired a company called Blue Vector in 2019. This company is 12 or 13 years old in a very well established market space, network detection and response. And that industry itself has undergone peaks and valleys with the approach of network encryption and then the incoming fad around SaaS. And so now we're seeing a lot of folks move back to actually standard on premises deployments of network monitoring capabilities. And so we actually have a pretty cool integration between Blue Vector and datab and it leverages Suricata and Zeek and some really, really cool data to really get ahead of the curve from a threat hunting and detection standpoint. And so that's one of the very unique pieces of the Datab portfolio is that Blue Vector piece. I think the other thing that, you know, we're really focused on over the next two years is again going back to the roots of how we began, which is just being so ingrained with the practitioner mindset and the practitioner challenges. For example, as there become more and more varied responses to insider threats, you know, we have the ability to, with our insider threat use case, actually help companies get the evidence they need to launch criminal investigations into insiders. And so I think we're seeing a maturation of law enforcement response to cybersecurity attacks. And so that's going to be an interesting area over the next couple years as well.

Dave Bittner

We'll be right back. Ford Blue Cruise hands free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise enabled vehicles like the F150 Explorer and Mustang Mach.

Nicole Bukala

E. Available feature on equipped vehicles Terms apply.

Dave Bittner

Does not replace safe driving.

Nicole Bukala

See Ford.com BlueCruise for more details.

Dave Bittner

Abercrombie Kids is bringing the cheer all.

Nicole Bukala

Holiday season and the gifts too. No matter how long their wish list is, there's always room for just one more. Whether it's a new winter coat, an extra pair of jeans or cozy matching sweatsets, get gifting with looks they've been waiting for all year.

Dave Bittner

Shop Abercrombie Kids in the app online and in stores. Artificial intelligence isn't just a buzzword. It's becoming a critical part of cyber defense. Michael Mistral, VP of Sales engineering at Data Miner, unpacks how organizations are actually putting agentic AI to work. He shows us how it's helping security teams stay ahead of fast moving threats and where it still has room to grow.

Michael Mastrol

Dataminer is the real time information company that helps global organizations detect early signals of emerging risk so they can know first and act faster. You know, when I talk to security officers, they discuss to me their struggles with third party risk vendors and threat intelligence. And some of the challenges they face are late or non notifications of third party vendors that have been breached. As an example, another one could be prioritizing last minute vulnerability disclosures over others and kind of fight this emergency change control process. We may see them as like a vendor comes out and says we're disclosing a vulnerability today and it's being widely exploited. So that's a struggle. And then another struggle they face is they've employed quite a bit of people or pay more than one vendor to monitor the dark web. And really what they don't know about this problem, essentially all of the data that they would need to kind of solve these issues actually live within the public domain. They just really never had a way to systematically dig through it at scale to find relevant information. So we built a platform that leverages AI in a scalable way to parse all of this public data. And that data can include text, images, Voice, video and IoT sensor data and distill it down to actionable alerts that are pertinent to our customers and whatever they're looking for. So really we just turn chaos into clarity in real time and empower these security teams with actionable information.

Dave Bittner

Hmm. So help me understand here. When we're looking at today's risk landscape, how does an organization best dial in the sorts of things that Dataminer provides?

Michael Mastrol

As customers use the Dataminer platform each day, we've helped them thwart losses and reduce risk. And I'll just give you a few sample areas. One is executive risk and travel protection. We help executives move around the world more safely avoiding the risks of travel. And we just saw recently the shooting in the Toronto airport. Another, just to give you a cyber example, vulnerability intelligence. We help our customers coin a term that an insurance company gave us, help them look around the corner as to what their vendors will be disclosing in the future as far as a vulnerability, because we're kind of will pick up something on the dark web. And another example is third party risk by providing them early notifications of issues with disturbances and outages from some of the platforms that they're using from these third parties. So if people Come to see us at a trade show or chat with one of our team members, we'd be happy to show them what we call a data miner in action example, which shows a timeline of specific examples that have happened within the physical or the cybersecurity space to show them how we can give them more time and a better way to respond to these threats. So we're kind of like an early warning system for the most pressing risks.

Dave Bittner

You know, one of the hot topics, of course, at this year's RSAC conference is AI, and specifically agentic AI. What part does that play in the types of things that you all are doing?

Michael Mastrol

Okay, by integrating agentic AI into workflows and fostering this AI human collaboration, businesses can strengthen their crisis management, their operational efficiency, and long term resilience at an evolving risk landscape. So with both agentic and AI, and AI cybersecurity teams can achieve greater confidence through enriched context more quickly than by using conventional methods of gathering this information.

Dave Bittner

Where do you suppose we're headed here? I mean, when we're looking at how these innovations evolve and we're advancing our capabilities around AI, what do you see in terms of AI being a tool to a CISO out there?

Michael Mastrol

To summarize it real quickly, it's efficiency. So let me give you an example. So the BCG Group at the end of last fall released a bit of research that says that, and I quote, protecting digital assets has increased the ranks of the world's CyberSecurity workforce to 7.1 million people, but another 2.8 million jobs remain unfilled. We believe AI can help close this gap and assist CISOs with relevant alerts about threats to their businesses, to their people, their customers and data, and help provide actionable intelligence necessary to help them thwart these threats during times like this. And this ultimately will help CISOs help their people operate more efficiently and reduce what I call the risk gap scenarios.

Dave Bittner

Well, the company has certainly had some success. And along with that, you recently announced a good amount of funding, $85 million in funding. What's on the horizon there? What will that funding enable Dataminer to do?

Michael Mastrol

That's right. As a matter of fact, on March 18th, Dataminer announced that we secured $85 million in new funding from Night Dragon and HS. In addition, on April 24th, we also announced another $100 million from Fortress, bringing that to a total of $185 million raised in the last two months. So to add the second part of your question, what will we do with it? This new Capital will allow Dataminer to accelerate its growth trajectory and continue to really pioneer trailblazing generative AI and agentic AI capabilities that shape the future of real time information. And we will also use this funding to expand our international go to market and power new products in new verticals.

Dave Bittner

What's your advice for folks who are out there and they're shopping around for this sort of thing? What sort of questions should they be asking to make sure that what they end up with aligns with their needs?

Michael Mastrol

Sure. Really just understand it's important that they communicate with us to understand what their challenges are with respect to third party risk as well as other information that they need to protect themselves in a way that they protect themselves quickly and how they prioritize the risk and do they have the context needed to help them with this cost prioritization data miner? Actually we're very good at helping customers with this and with this prioritization in such a way that they can protect.

Joe Levy

Their business as best as possible.

Dave Bittner

The attack surface has exploded, but defenses are still playing catch up. Joe Levy, CEO of Sophos, makes the case for better integration across cloud, network and endpoint. He explains why security tools need to work together, not just coexist, and how innovation can't succeed in silos. So congratulations on a year as the new CEO of Sophos. I would love to check in with you and just hear what that journey has been like. How has it been for you and your colleagues?

Joe Levy

Well, thanks Dave. It's been a very exciting year and I would have to say that this has been one of the most transformative periods in my entire career for me and for, I think, Sophos as well. It's interesting to be able to make the transition from technology leader. I've been chief technology officer of a number of different cybersecurity companies for quite a long time over the years and had never really imagined myself stepping into the CEO role. But the opportunity presented itself and it felt like the right thing to do. And the past year has sort of proven to me that it was indeed the right decision, certainly for me and I would like to think for the company as well. So I could say that it's been an incredibly rewarding and gratifying transition for me.

Dave Bittner

Well, congratulations. And you know, over the past year or so, Sophos has certainly faced a number of threat threats on its own. You all have published some research about China targeting cybersecurity vendors and your efforts to fight back. Can you touch on that a little bit for us?

Joe Levy

Certainly we disclosed a series of reports which we have called Pacific Rim that describe this five year long battle that we found ourselves in with some nation state Chinese adversaries. And the the distillation of this effectively states that if you are a successful IT vendor where you have some material presence of infrastructure on the Internet, in other words, if you have been commercially successful and you have a lot of customers who are using your perimeter devices, whether they're routers or switches or remote access points or firewalls or Zero trust network access, whatever it is, if it's a device that sits on the Internet and its purpose in life is to provide connectivity, that utility alone will predict that you're going to become the target of these nation state attackers that are attempting to establish some sort of a foothold within the points of presence on the Internet. And then we see the adversaries using this in a variety of different ways. They could use it to establish a botnet which they can subsequently use the proxy network to attack other victims, or they can attack the customers themselves, and in some cases they can attempt to attack the vendors who are building the software and building the hardware on the perimeter.

Dave Bittner

So I think it's fair to say that at the RSAC conference this year, AI and machine learning are going to continue to be hot topics. In fact, it's probably malpractice if you and I don't discuss it a little bit here today. I'm curious, how are you dialing in the degree to which you're integrating AI across the Sophos products stack?

Joe Levy

AI is absolutely an obligatory topic of conversation within cybersecurity. And it's interesting the way that the attitudes have shifted over the past few years. We've gone from a healthy dose of skepticism, from those who have been doing cybersecurity and information security for the longest about the practical benefits and utility of AI to what I think is reasoning with it in a way that is cautiously optimistic, is how I would put it. And it's clear the benefits that we can operationally get out of it. And I think that attitude and that perception is beginning to take over the entire cybersecurity industry, still with a kind of a cautious optimism, I would say. And the history of how we've used AI has primarily been around simple classification. Is this file good or bad? Is this website good or bad? Is this email good or bad? And it was practically quite, quite useful. But now, naturally, with the evolution of large language models, we're seeing a demonstration of an AI that can actually reason in ways that Previous generations couldn't. And we're starting to see some really good, practical, beneficial applications of that kind of use within security operations. And I think the goal here, of course, is to be able to simulate the intuition of a human analyst as accurately as possible, where you get all the benefits of what a good security operations practitioner will be able to produce without any of the downsides which are primarily understood as hallucinations today. But you could effectively just think of those as another form of false positive, which is something that the industry has dealt with for a very long time. So really, really interesting time in the evolution of machine learning and artificial intelligence in service of cybersecurity.

Dave Bittner

As a leader, as the CEO, how do you talk to the folks that you work with there at selfos about getting on board with AI, but also not getting carried away with the hype train of it as well?

Joe Levy

Yeah, that is a very important balance to try to strike in any organization, not just within a cybersecurity company, but within any company. I think we're seeing these simultaneous pressures to ensure that we're not just throwing things at the wall randomly to see what's going to stick, because that wastes cycles within a business. And whether you're trying to do that within your go to market or your support organization or your marketing organization, you have to be very thoughtful and very deliberate about what you're introducing into your environment, not just for the utility of it, whether you're actually going to get an roi, but for the security implications of that as well. And then if you are a technology vendor and we can focus specifically on cybersecurity, and you're thinking about how do you bring this into your portfolio so that you can use it for the benefit of your customers and your partners. The same sort of judiciousness needs to apply. You need to be really deliberate in the decisions that you're making. And you have to have a kind of an internal framework. And we're fortunate. We saw this coming years ago. We instantiated a governance body that helps us to deal with AI across the entire organization, whether it's for our own internal use or in service of the products and services that we're building for our customers. And that's really been helpful to us in steering those decisions.

Dave Bittner

You know, at RSAC this year, we have the Nightdragon Innovation Summit, which I know your company will be featured at, and we here at Cyberwire will be participating in as well. And one of the things that they previewed that they're going to be talking about is this notion of platform versus best of breed. I would love to get your insights on how you parse out the difference between those.

Joe Levy

I think this is a great topic and a really important one. And for those of us who have been in the industry for a long time, we've seen these expansion contraction cycles and we've seen this debate go on and we've seen the pendulum swing both ways. Where I think we are at this point is number one, people want to ensure that they have the best possible tools for the job, which would imply that best of suite is really where you're going to get the most benefit. But at the same time as we continue to see the proliferation of tools within security operations and we just continue to see the increasing complexity of the way that our systems work, just, just imagine all of the upstream and the downstream interconnections that you have in the way that you build your IT systems today. They're more complex than they've ever been before, which means that there's greater complexity in their operation and insecurity tends to lurk at those interconnections. The greater the complexity, the more difficult it is to actually assess the security of a thing. Therefore, there's also this motivation to move toward consolidation, which is best of sweets. So you don't want to sacrifice anything in the quality of the individual tool, but at the same time you probably get greater operational benefit from having a collection of tools that can operate within a unified and a consolidated operating paradigm. I think that's the direction that the industry is going to head for the foreseeable future.

Dave Bittner

From supply chain chain exposures to AI driven attacks, the threat landscape isn't slowing down. Katie Jenkins, CISO at Liberty Mutual, gives us a candid look at the risks on the horizon and the trends in innovation that might just outpace them. So I want to check in with you as we are in RSA conference session season here. What are some of the emerging threats and trends that you're tracking as a CISO heading into conference season?

Katie Jenkins

Well, I'm sure the go to answer would be AI security solutions, which to be fair, it's something I'm definitely interested in, particularly in looking to see how these solutions have evolved, have become really essentials for enterprises our size. But with rsa, I'm also keen to connect with my network of peers and partners and exploring other trends. Right. I'm curious about things like how others are achieving process efficiency and workforce strategies. Team reskilling. I always pick up tidbits around budget trends and pulse checking topics like Fraudulent IT workers, post quantum preparedness. So, you know, maybe the best part about RSA is that there's like no doubt that I will pick up things that hadn't been on my radar, but will quickly be on my radar.

Dave Bittner

Do you have a strategy for that? As you're making your way around the show floor, the presentations, one on one conversations, how do you budget your time?

Katie Jenkins

Yeah, so I, I am fairly meticulous about laying that all out in advance. Being there for, you know, the relatively short period that I'm there. I just really need to make the time super worthwhile. So I pick out key partners that I know will be there with, you know, new information, new announcements. I work in, you know, healthy handful of emerging and startup type organizations. I cherry pick some of my favorite networking events where I know there'll be, you know, like minded peers and folks that kind of collaborate with. So regrettably or intentionally, I don't leave a lot of margin for casualness in that schedule. It's, it's pretty, pretty packed dance card as they say.

Dave Bittner

Yeah, it's definitely that kind of event. But you know, I'll say, like, for me personally, one thing I'm intentional about is kind of making a lap around the very edge of the show floor because you never know when you're gonna run into somebody who has this up and coming idea that might be something you never knew you needed a solution to until you cross paths with them. Is that an experience we share?

Katie Jenkins

Serendipity, huh?

Dave Bittner

Yeah.

Katie Jenkins

You know, I think that's awesome that that has been your experience. I, I don't think that experience is exclusive to, to the, to the floor. Right. I think that there are so many interesting events going on that the opportunity to meet new people and introductions happen super organically. That, yes, I have always come away with. I did not expect to hear about that and now this is something new for me to pursue.

Dave Bittner

Yeah, you mentioned AI. I'm curious what your approach is to that. I mean, how do you filter through the hype around AI? We've got agentic, AI is a hot topic this year. What's your approach?

Katie Jenkins

I definitely don't think AI is just hype for Liberty Mutual. It's already well in use. It's creating real value for us and quite honestly, it's making me rethink about how my security team operates, how we can best leverage it to optimize our functions. But with that I am cautious, I'm cautious about the hype surrounding the readiness of these solutions. I think many of us have been in the position of hearing pitches or seeing pitches that look great in a PowerPoint but aren't really ready for prime time. And yet there's still value in that, right? These ideas can still help me anticipate what is coming. We are experimenting in house with our own security AI tool development. I think it's really healthy to realistically weigh the pros and cons of build versus buy decisions. There's really good value to me in understanding from my peers, such as here at rsa, what's really working for others. I have to be keeping a pulse on things so I don't get swept up in just the fiction that AI is the magical solution for all security challenges. And I'm looking for a healthy dose of reality here.

Dave Bittner

What about collaboration? As you're keeping in touch with your fellow CISOs around the industry, both colleagues in organizations that are similar to Liberty Mutual, but I suppose other organizations as well. How do you keep those communication lines open to make sure that you have a broad spectrum of information at your disposal?

Katie Jenkins

Yeah, I think those connections are really essential in these times. I participate in many different formal and informal peer groups, but I think it's a real bright spot of this industry that collaboration continues to be a strong force. And quite frankly, I believe it's one of the reasons why we gather in San Francisco each year. Right. To strengthen our relationships, be ready to share insights from our experiences, our successes. I'm biased in thinking I have an exceptional team, as many of us are fortunate to have. But the threats we face are real. And learning from each other's missteps, each other's successes is really invaluable to me. If I were to add to that, I would say that, like me, many of my CISO peers are genuinely motivated to improve not only their own organizations, but also have impact and make improvements across the broader cybersecurity landscape. So, with that in mind, this collective collaboration and effort is really essential in the spirit of being able to achieve more together than we can as individuals.

Dave Bittner

Looking broadly at the industry, I'm curious if there are any particular pain points that frustrate you. Are there things that you think to yourself, I wish, wish we could shift this one thing across the industry. I wish there were something that we could change. Is there anything that comes to mind in terms of aspirations for positive change over the coming year or so?

Katie Jenkins

Let me take the aspirational angle to your question, because I don't think it's peaked as that pain point yet. But for me, I would love to see a major push for innovation and a strong focus on upskilling our security workforce at scale with the rapid developments in emerging technologies, the evolving tactics of the adversaries. I think it's just crucial that we're preparing our security teams today with the skills that they'll need in the future. The challenge to this, right, is that we have day jobs that often turn into our night jobs, and those are incredibly demanding. So when I think about learning initiatives, these really need to be integrated into our current priorities. They can't just be an add on. We have to have these upskilling mindsets and opportunities be built into our daily routines, be part of our responsibilities. I certainly feel the responsibility to make sure that my team is equipped to meet the challenges ahead without overwhelming their already packed schedules considering topics like burnout. So, you know, now is the time to be making this shift before it gets to that excruciating pain point that it's part of. Well, maybe didn't say excruciating, but the pain point part of your question. It's just this pace of change in cybersecurity is, is clearly not slowing down. And we really. I feel a very strong sense of need to invest in our workforce, not just as an altruistic interest, but really being essential for continuing to be a resilient and effective security organization.

Dave Bittner

Yeah. As someone who is in a high level leadership position in cybersecurity, what sort of advice do you have for folks who are coming up in the industry? Maybe somebody coming up through school or considering a career change? Do you have any words of wisdom?

Katie Jenkins

Oh, my goodness. I think now is an exceptional time to be joining the workforce and joining security teams. The talent that we're bringing in right now is really the bright spot that makes me hopeful for this future. So. So my advice would be to just sink your teeth and have conversations to understand people's career journeys in security. Some people have been in security their whole lives. Some have come to security from a very unique set of backgrounds. And I think that to be new to this field, perhaps even new to your careers, you have maybe more latitude than you even realize to take the time to ask people about their journeys. What resources have been most instructive, what are people's favorite podcasts? Right. It's all part of finding your place and finding where you can make impact. But I'll tell you what, Dave, I mean, there really are some extraordinary individuals joining the team, and I hope they know they have an open invitation to explore and their own curiosities and interests to figure out where they can make the biggest impact for us.

Dave Bittner

So one of the things that I think security leaders face and confirm if I'm correct here or not is there's a lot of pressure to innovate but at the same time not compromise trust. How do you balance that? How do you balance speed with resilience as you're looking at your own organization's strategy?

Katie Jenkins

Totally agree with your premise that there can be friction there. When I think about innovation, think about both the pressure or the need to keep keep up with the broader tech advancements in our organization and on the other side how we're using innovation and security to advance things like automation and efficiency in our processes. So you know, for me customer trust and integrity are very deeply embedded in Liberty Mutual's culture and that yields or reads that responsible innovation is the ultimate goal there. So I'll share an anecdote from two days ago. Recency bias. But I love it. We have an in house responsible AI committee and one of my leaders was bringing one of our R and D use cases through this responsible AI review and it delighted me when there were non security committee members challenging my security team with security questions around what we were bringing forward. And it just really emphasized the the fact that security is recognized across the organization the way that it is. My CIO Monica Caldas loves to say stable and secure systems is job number one. And this statement alone reassures me that we don't have to sacrifice speed for security and resilience. It all matters. So maybe the last point I would emphasize there is that to the speed versus you know, resilience question. We've adopted a strategy prioritizes security at every stage of our innovation process. We have robust governance. We use a risk assessment framework that helps us innovate confidently. We know we're not going to be compromising our customers trust. So really this allows us to embrace new technologies, experiment responsibly while ensuring that we're adhering to our standards and most importantly, we're maintaining our customers trust.

Dave Bittner

What also strikes me that in the story you describe, I mean that speaks to a culture of having a safe place where people can express their concerns and know that they're going to be heard.

Katie Jenkins

Oh absolutely. And that has been a really intentional change that I've been trying to drive in the organization. I mean you don't have to go that far back in time where you think about was security scary or secretive and if I felt something wasn't quite right, I best keep my mouth shut about that to like really inviting and making that space. We were celebrating people that are reporting things that seem unusual or suspicious to them. And that puts us in such a stronger place that it's not just on the security team to find the holes and the workarounds and the opportunities. You know, everyone's in it together. We use the tagline responsible Defenders. We invite, you know, we invite our whole workforce to be. To be.

Dave Bittner

And that's a wrap on Beyond Cyber Securing the Next Horizon. A huge thanks to our guests Dave DeWalt, Nicole Bukala, Michael Mistrol, Joe Levy, and Katie Jenkins for sharing their insights, stories and strategies. As we heard today, cyber security is no longer just about defense. It's about vision, integration, and bold innovation. The threats may be evolving, but so are the people, technologies and investments rising to meet them. If you like today's episode, don't forget to subscribe, leave a review and share it with a colleague. You can find more interviews and insights on our website, thecyberwire.com thanks for listening. I'm Dave Bittner. We'll see you back here next time. Been out here all morning.

Joe Levy

Not a single bite.

Michael Mastrol

Guess the fish finally figured it out. Just like hackers do when Cisco Duo's on guard.

Dave Bittner

With Duo's end to end fishing resistance, every login, every device, every user stays protected. No hooks, no catches, no bites. Cisco Duo fishing season is over. Learn more@duo.com.