Cyberwire Network
You're listening to the Cyberwire Network, powered by N2K.
Dave Buettner
Hello everyone and welcome to this N2K CyberWire Special Edition, Beyond Cyber: Securing the Next Horizon. I'm your host Dave Buettner. Today we're looking past firewalls and phishing emails to explore the future of security, where strategy, innovation and AI converge to defend a rapidly shifting threat landscape. In this episode, we're joined by a powerhouse lineup of guests who are shaping that future. First, Dave DeWalt, founder and CEO of NightDragon, takes us inside the high-stakes world of cyber investment, where the next wave of security innovation is getting its fuel. Then we hear from Nicole Bukala, CEO of Databee, who breaks down the reality for today's CISOs: it's not just about tech. It's about time, talent and trust. Next we hear from Michael Mastrol, VP of sales engineering at Dataminer, bringing us into the world of agentic AI, showing us how smarter tools are helping security teams detect and respond before the damage is done. We'll also hear from Joe Levy, CEO of Sophos, on why the future of cyber defense depends on tighter integration from cloud to endpoint, and why innovation without coordination is a risk itself. And Katie Jenkins, CISO at Liberty Mutual, sharing what's keeping CISOs up at night and what's giving them hope. So whether you're leading a security team, building the next great startup, or just want to stay one step ahead, stay tuned, because the next horizon isn't just coming, it's already here. Our first guest knows the cyber industry
Laura Enriquez
from the boardroom to the battlefield.
Dave Buettner
Dave DeWalt, founder and CEO of NightDragon, has been at the helm of some of cybersecurity's biggest names. Now he's investing in the future, betting on the next generation of security innovators. He joins us to talk trends, risks, and where smart capital meets smart defense.
Laura Enriquez
It is always my pleasure to welcome back to the show Dave DeWalt.
Dave Buettner
He is the founder and CEO of NightDragon. Dave, welcome back, Dave.
Dave DeWalt
Thanks for having me. Look forward to another RSA coming up and lots of opportunity to see friends and kind of family, this whole cyber community. So thanks for having me on the show again and thanks for all you do as well.
Laura Enriquez
Well, thank you. I appreciate it. And speaking of RSAC, this year NightDragon is hosting the NightDragon Innovation Summit, which I will mention N2K CyberWire, we are media partners with that event and very pleased to be taking part in that. So if folks haven't checked out the information on that, please do. Again, it's the NightDragon Innovation Summit. Dave, as we're heading up towards RSA Conference this year, what are you planning on looking around for? What do you have your ear to the ground when it comes to innovation in the cybersecurity sector?
Dave DeWalt
Yeah, there's so much every year, Dave. It's always amazing to touch base with so many different people. NightDragon, we have a very specific strategy. We try really hard to unite as much as we can of our ecosystem of portfolio companies, our partners, our advisors into forums, like you mentioned, the Innovation Summit, but really create a balance of that where we can see some of the most young and exciting technology that's emerging, like AI and even quantum areas now, but also hear from the large titans in the industry as well, the Palo Alto Networks, the CrowdStrikes, the Checkpoints, the Microsofts, and really see what they're doing. And we all know the word platformization from last year, which is a lot of the buzz again in this year because many of the large companies are doing extremely well. They're continuing to grow. But we've also had some unparalleled and unprecedented events over the last year. It's not just the geopolitical environment we could talk about, but also the acquisition of Wiz by Google for $32 billion. I mean, look at the history of cyber. I mean, this is very unprecedented. And so there's a lot of good buzz coming into it, a lot of nervousness and I think anxiety a little bit too, because, you know, what once was a pretty strong public-private partnership model with the government still has yet to be kind of vetted out. So we're kind of anxious about it in some ways, excited about all the technology in other ways, and really happy to see friends and family and all our partners and portfolio companies at the same time all in one place. San Francisco. Exciting times.
Laura Enriquez
Well, what sort of themes are you seeing from founders right now? Are there, are there any categories or types of companies that feel particularly hot?
Dave Buettner
And then on the flip side, are
Laura Enriquez
there some things that might be a bit overhyped?
Dave DeWalt
Yeah, you can take, you know, just take a look at the last 84 days of this administration and you can kind of a little sense of some things that are quite hot because of some of the administrative policies. One of the areas is third party risk management. I mean, how many companies right now are trying to figure out what the tariff impacts are on them? How do we understand what the tariff impacts? So supply chain risk management, I think is one of the hottest areas right now because it hasn't been really deployed much. It needs to get deployed more. We need more visibility. It's not just a tariff risk threat, but the cyber elements of it all too, because we see now a focus on China and other countries when it relates to threats and risks of tariffs and how does it affect your supply chain. So that's one like, I hate to call it, you know, du jour, but it's like a big important one. But the bigger themes, Dave, are also really important. We're watching the wave of AI really manifest itself into really pragmatic, usable solutions at scale now. I mean, the last two, three years I've been there hosting events and AI summits and things. A lot of ideas and a lot of visions becoming reality. And this is really attractive to many defenders that are out there, because if we can begin to scale our operations through autonomy or now agentic AI, it gives a defense, a powerful lever against the offense for the first time. And many CISOs are restrained by the number of humans they can put in their SOC operation or the number of people they can afford or contractors they can support. Autonomy has a way now of creating good bots and good capabilities to scale. So I'm really looking at RSA this year as the year of agentic AI. And we can see it agentic AI being used for a lot of different reasons. Agentic responses for faster response to a threat. Agentic scale for humans, pen testing areas of autonomy, threat management with autonomy.
So you're going to hear autonomy and agentic AI, and if you just count the number of times they're said in every keynote, we can make a bet here for how many nickels we could win.
Laura Enriquez
You know, with all this innovation that we're tracking here, and you alluded to this earlier, how are you seeing CISOs balancing between best of breed and best of suite platforms? There's a little bit of tension there.
Dave DeWalt
Yeah, a lot of, bit of tension there, Dave. It's a pendulum I've talked about for many, many years. Two decades, you know, best of breed versus best of suite. And it's like a pendulum. And you could almost watch it over the years, you know, as the threat environment got more and more difficult, it would move to best of breed because you would typically see the need for new vendors filling holes that the bigger vendors couldn't solve quick enough. And then as the market maybe, you know, calmed for a little bit, you'd see the best of suite emerge. Now we have like almost both of those happening. You have the rise of the titans, I like to say, which are the largest cyber titans. Palo Alto Networks, Zscaler, CrowdStrikes, Checkpoints, Fortinet types. But you also have the rise of the cloud titans who have massive businesses as well. Microsoft, AWS, Google now with all the acquisitions, especially of Wiz. But Mandiant, they've spent nearly 40 billion buying into the cyber market over the last two years. So you're watching this clash of titans and it's a really interesting dichotomy of young companies filling new areas of threats and risks while platform vendors try to gobble it all up. And it's going to be, I believe, the hottest topic yet again, maybe outside of the government. And what's the government going to do? But platformization, best of breed, best of suite. It's a real important topic and it's hard for CISOs to balance because they don't want to get too much economic dependency on a big vendor. But they also know they can get advantage in a single suite that's integrated. So how do you create a balance of the two? It's really a popular topic. Many CISOs are veterans at this because the average number of vendors is somewhere over 50, average around 80 vendors per large enterprise anyway, so they're used to it. But would they like to create efficiency and cost economies? Absolutely. But they got to make sure there's no new threats and risks.
So they need the new vendors. And it's a really interesting. It's such the shape of cyber and the world of cyber. I find it super fascinating.
Laura Enriquez
Yeah, let me put you on the spot a little bit here.
Dave Buettner
As you're looking ahead towards the next
Laura Enriquez
year or so, maybe, maybe into the following year, is there anything on your radar that you think isn't getting the attention that it deserves? Something that's kind of lurking in the shadows that may surprise people?
Dave DeWalt
Yeah, I have several and these are important to keep an eye on. You know, my entire career, 25 years of being in cyber security largely has been all about the transmission of malware in a physical form factor, almost like a digital factor, meaning files and remote access tools and spear phishing and other types of ways to deliver payloads into a network or onto an endpoint. But it's changing and we're seeing the world of electronic warfare begin to meet cyber. And this is a little scary when it comes to the ways in which we can create denials of service, disrupt protocols and channels using RF or radio frequencies. We're watching the emergence because of wars in Russia and Ukraine and Israel, where the inertia of EW or high performance microwave HPMs really now create a next threat level in the world of cyber. Because if I'm able to steal your data from your phone, say, or from your computer, from your data center using RF or electronic capabilities, I don't really have any defenses for that yet. So we're watching offense really hurtling towards capability in the areas of electronic warfare. I think we're going to be talking about it. I don't see any keynotes on it at RSA yet, but having my pulse to the ground as I do things, I see this is in the war theaters already. Offense has these capabilities. Defense is really far behind and we got to catch up. And then the second one quickly is quantum. We're watching what once was. Everybody's thinking horizon two or three, you know, maybe 2030. We'll see the world of qubits and quantum capabilities. Man. Wow. Is that happening fast. Almost like AI did like all of a sudden transformers came about and next thing you know we had amazing capabilities, ChatGPTs and deep sea glass years and like, wow, look at all this stuff happening. I think quantum is going to surprise a lot of people. In fact, one of my showcases at the Innovation Summit is around quantum as well as AI, of course.
But we're trying to show like what's coming in the next kind of 12 months, 18 months, Dave, and keep an eye on Quantum, keep an eye on electronic warfare and there's other areas of course in AI and model drifting and model management. That's really important as well. But two ones on the horizon, Quantum and Electronic Warfare.
Laura Enriquez
While the NightDragon Innovation Summit is happening at RSAC 2025.
Dave Buettner
We'll have a link to that in the show notes.
Laura Enriquez
Dave DeWalt is founder and CEO of NightDragon.
Dave Buettner
Dave, thanks so much for taking the time for us.
Dave DeWalt
Thanks for having me, Dave. Look forward to seeing you there too. Thank you.
Dave Buettner
Today's CISOs are juggling more than ever: threats, tools, compliance and burnout. Nicole Bukala, CEO of Databee, knows this struggle firsthand. She shares what she's hearing from security leaders in the trenches and what it really takes to build resilience in an overwhelmed world.
Laura Enriquez
So we are coming up on Databee's
Dave Buettner
two-year anniversary since the launch from Comcast.
Laura Enriquez
I have to say, first of all, time flies. But I'm also curious, how is it going? How's it been for you all two years into your startup mode?
Cyberwire Network
It's been a really exciting, rewarding and learning-filled journey. One of the most amazing things about this journey has been the deep interaction with practitioners. It's why I came to Comcast to start this business to begin with. As a quick reminder for anyone who's not familiar, Databee is a commercial version of a security data fabric that was invented by Comcast's own global CISO. And so as we build out more and more use cases for Databee, we actually interact with and are inspired by a variety of different groups at Comcast. So whether it's the governance, risk and compliance team, or the vulnerability management team, or the IT team that works with the CMDB and the asset inventory or the threat hunting team, there is just so much learning that happens all around with a beautiful interaction between those practitioners and then the variety of highly skilled software developers and customer facing professionals that have joined the Databee team from a variety of different companies. Amazingly, we're already over 120 people strong worldwide and we have employees across three continents and six countries. The solution's available both in the US and in Europe, for sale. And it's just been so great to see customers implement it and just be so happy with the results.
Laura Enriquez
Well, let's talk about some of the data challenges that CISOs are facing today. What sort of things do you find they're grappling with?
Cyberwire Network
So the number one thing I find them to be grappling with is the increasing demand for reporting to show compliance with certain security frameworks. We have customers that follow NIST CSF 2.0. We have customers that need to show compliance with the PCI DSS 4.0 regulations. And then we have customers that have to show a set of dashboards that align to the Gartner ODM metrics. And we have customers that have a mandate to align to the CIS controls, all 18 of them. And so this need for reporting has created a lot of pressure on these security and risk teams. And they're looking for ways to automate the reporting and to have higher fidelity in the data that underlies the reporting. And so it's been really interesting to see such a wide variety of frameworks be adopted. Yet the mission is all the same, which is, how can I have better faith in what I have and where the gaps are and what I need to do to close those gaps? And then sometimes customers need to prove, whether it's to regulators or to their board, that they have certain controls, that they know where the blind spots are and that they're doing things to cover those blind spots.
Laura Enriquez
Well, help me understand how organizations do that. How do you connect the dots between the different security data that you have to be able to demonstrate compliance?
Cyberwire Network
Yeah, that's a great question. And this is an old problem. You know, I think a traditional approach that folks took was to, you know, output a data file, a static data file, to something like a CSV, which is a spreadsheet. And then they found themselves working with data in different spreadsheets and trying to merge that data into some sort of dashboard with your typical images, like pie charts and bar charts, and trying to tell a story. The problem with that traditional approach is as soon as you export data to a CSV, the data is now old. And so if you have a need to do reporting continuously, or if not continuously, then on some recurring basis, perhaps quarterly or yearly, the act of having to, you know, wrangle everything together in spreadsheets ends up creating an inaccurate submission at the end of the day. And so what we do is we have a proprietary ingest, parsing, normalization and correlation technology that allows for this data to be continuously ingested and, and not just ingested, but parsed and then arranged and then triangulated with each other so that the data set is always ready for that analysis. And on top of that, we actually provide an alignment with the frameworks that I just mentioned, reports and dashboard templates that draw on that data and render the data into over 30 of the most common controls metrics that a leader of security and risk in a regulated company wants to see today.
Laura Enriquez
So suppose I'm under more than one data regime here, or I should say regulatory regime.
Dave Buettner
I'm covered there as well.
Cyberwire Network
Yeah. So we actually built into the tool the ability to toggle between different regulatory frameworks because the reality is that, you know, if you need MFA, you need MFA, and many different frameworks call for that. Same with endpoint detection and response, many different frameworks call for that. Now they may measure the control slightly differently or they may include different aspects of that control, but we actually have built the ability to toggle between them. And so that just further aids in the automation and reduces the amount of manual work that any sort of data reporting team is going to have to do.
Laura Enriquez
I want to switch gears with you a little bit. We have RSAC 2025 is coming up fast. I'm curious, what kinds of things do you expect to see and what are you looking forward to this year?
Cyberwire Network
You know, I expect to see AI everywhere and then the latest buzzword, which is agentic AI, right? Yeah, I think that's still going to be very much the talk of the town. And it seems that there has been a maturation in how folks are thinking about AI. And I'm really seeing two themes in the security space. One is how do I better prepare my data for AI so that I get high fidelity results because the power of the AI, and particularly the generative AI, which is the AI that learns, is only as good as the data upon which it learns from. And so we're seeing more and more focus on understanding data. For some companies, that's really daunting and for others, you know, they're prepared. But I think there's going to be a lot of intellectual discourse there. The other area is around using AI to replace certain human tasks. And I'm seeing more and more suggestions around how can frontline security analysts how can that role actually be replaced by an AI chatbot? Or how can you use an AI chatbot to suggest alerts, to look into and to suggest playbooks for response? So I think there's probably going to be a lot of hands on demonstrations and opportunities for folks to experience AI at the conference. And I'm really excited to, to see what's gonna be available on the show floor.
Laura Enriquez
Yeah, that's a really interesting insight. My personal take is that we kind of started off with unbridled excitement for AI and then we kind of went through this what I'll call the eye
Dave Buettner
rolling phase, where it was everywhere and
Laura Enriquez
everything and was going to do everything for everyone. But I feel like we're kind of on the other side of that and we've distilled it into the things that are really useful and kind of recognize what it can and can't do. Do you think that's an accurate perception of what's going on out there?
Cyberwire Network
Yeah, I completely agree. I think we're on the backside of that for sure. I still think there may be a little too much buzz. And you know, buzz is only deleterious when it means that someone skips over the fundamentals. But that's where I think a lot of the data companies like ours come in. Because they serve as a reminder to folks that AI is not just a band aid or a panacea. There are prerequisites, there are foundations that have to be put in place first. And so I think we are seeing more purposeful discourse about that. We're also seeing discussions about how to use AI in the workplace productively without actually adding inefficiencies. So that there can be places where AI can actually add inefficiencies if it is used to, to deliver a result that actually isn't 100% accurate and then requires rework or management oversight. So we're now seeing more discourse about company policies around AI, around training around AI, so that people use it in a way that's helpful and not in a way that actually leads to rework.
Laura Enriquez
You know, Databee is coming up on your two-year anniversary since launching from Comcast. Looking ahead to the next two years, how do you plan to stay ahead of the curve? How do you stay relevant in a
Dave Buettner
rapidly changing field like cybersecurity?
Cyberwire Network
It's a great question. One of the things that we have to our advantage is Comcast actually acquired a company called Blue Vector in 2019. This company is 12 or 13 years old in a very well established market space, network detection and response. And that industry itself has undergone peaks and valleys with the approach of network encryption and then the incoming fad around SaaS. And so now we're seeing a lot of folks move back to actually standard on-premises deployments of network monitoring capabilities. And so we actually have a pretty cool integration between Blue Vector and Databee. And it leverages Suricata and Zeek and some really, really cool data to really get ahead of the curve from a threat hunting and detection standpoint. And so that's one of the very unique pieces of the Databee portfolio, is that Blue Vector piece. I think the other thing that we're really focused on over the next two years is again going back to the roots of how we began, which is just being so ingrained with the practitioner mindset and the practitioner challenges. For example, as there become more and more varied responses to insider threats, you know, we have the ability to, with our insider threat use case, actually help companies get the evidence they need to launch criminal investigations into insiders. And so I think we're seeing a maturation of law enforcement response to cybersecurity attacks. And so that's going to be an interesting area over the next couple years as well.
Dave Buettner
We'll be right back.
Dave Buettner
Artificial intelligence isn't just a buzzword. It's becoming a critical part of cyber defense. Michael Mastrol, VP of sales engineering at Dataminer, unpacks how organizations are actually putting agentic AI to work. He shows us how it's helping security teams stay ahead of fast-moving threats and where it still has room to grow.
Michael Mastrol
Dataminer is the real time information company that helps global organizations detect early signals of emerging risk so they can know first and act faster. You know, when I talk to security officers, they discuss to me their struggles with third party risk vendors and threat intelligence. And some of the challenges they face are late or non notifications of third party vendors that have been breached. As an example, another one could be prioritizing last minute vulnerability disclosures over others and kind of fight this emergency change control process. We may see them as like a vendor comes out and says we're disclosing a vulnerability today and it's being widely exploited. So that's a struggle. And then another struggle they face. They employed quite a bit of people or pay more than one vendor to monitor the dark web. And really what they don't know about this problem, essentially all of the data that they would need to kind of solve these issues actually live within the public domain. They just really never had a way to systematically dig through it at scale to find relevant information. So we built a platform that leverages AI in a scalable way to parse all of this public data. And that data can include text, images, voice, video and IoT sensor data and distill it down to actionable alerts that are pertinent to our customers and whatever they're looking for. So really we just turn chaos into clarity in real time and empower these security teams with actionable information.
Dave Buettner
So help me understand here, when we're
Laura Enriquez
looking at today's risk landscape, how does
Dave Buettner
an organization best dial in the sorts of things that Dataminer provides?
Michael Mastrol
As customers use the Dataminer platform each day, we've helped them thwart losses and reduce risk. And I'll just give you a few sample areas. One is executive risk and travel protection. We help executives move around the world more safely avoiding the risks of travel. And we just saw recently the shooting in the Toronto airport. Another, just to give you a cyber example, vulnerability intelligence. We help our customers, to coin a term that an insurance company gave us, help them look around the corner as to what their vendors will be disclosing in the future as far as a vulnerability, because we're kind of will pick up something on the dark web. And another example is third party risk by providing them early notifications of issues with disturbances and outages from some of the platforms that they're using from these third parties. So if people come to see us at a trade show or chat with one of our team members, we'd be happy to show them what we call a Dataminer in Action example, which shows a timeline of specific examples that have happened within the physical or the cybersecurity space to show them how we can give them more time and a better way to respond to these threats. So we're kind of like an early warning system for the most pressing risks.
Laura Enriquez
One of the hot topics, of course, at this year's RSAC conference is AI
Dave Buettner
and specifically agentic AI. What part does that play in the
Laura Enriquez
types of things that you all are doing?
Michael Mastrol
Okay. By integrating agentic AI into workflows and fostering this AI human collaboration, businesses can strengthen their crisis management, their operational efficiency, and long term resilience at an evolving risk landscape. So with both agentic and AI, and AI cybersecurity teams can achieve greater confidence through enriched context more quickly than by using conventional methods of gathering this information.
Laura Enriquez
Where do you suppose we're headed here? When we're looking at how these innovations evolve and we're advancing our capabilities around AI, what do you see in terms of AI being a tool to a CISO out there?
Michael Mastrol
To summarize it real quickly, it's efficiency. So let me give you an example. So the BCG group at the end of last fall released a bit of research that says that, and I quote, protecting digital assets has increased the ranks of the world's cybersecurity workforce to 7.1 million people, but another 2.8 million jobs remain unfilled. We believe AI can help close this gap and assist CISOs with relevant alerts about threats to their businesses, to their people, their customers, and data help provide actionable intelligence necessary to help them thwart these threats during times like this. And this ultimately will help CISOs help their people operate more efficiently and reduce what I call the risk gap scenarios.
Laura Enriquez
Well, the company has certainly had some success. And along with that, you recently announced
Dave Buettner
a good amount of funding, $85 million in funding. What's on the horizon there? What will that funding enable Dataminer to do?
Michael Mastrol
That's right. As a matter of fact, on March 18th, Dataminer announced that we secured $85 million in new funding from Night Dragon and HSBC. In addition, on April 24th, we also announced another $100 million from Fortress, bringing that to a total of $185 million raised in the last two months. So to add the second part of your question, what will we do with it? This new capital will allow dataminer to accelerate its growth trajectory and continue to really pioneer trailblazing generative AI and agentic AI capabilities that shape the future of real time information. And we will also use this funding to expand our international go to market, empower new products in new verticals.
Dave Buettner
What's your advice for folks who are
Laura Enriquez
out there and they're shopping around for
Dave Buettner
this sort of thing?
Laura Enriquez
What sort of questions should they be asking to make sure that what they
Dave Buettner
end up with aligns with their needs?
Michael Mastrol
Sure. Really just understand it's important that they communicate with us to understand what their challenges are with respect to third party risk as well as other information that they need to protect themselves in a way that they protect themselves quickly and how they prioritize the risk and do they have the context needed to help them with this prioritization? Dataminer, actually, we're very good at helping customers with this and with this prioritization in such a way that they can protect their business as best as possible.
Dave Buettner
The attack surface has exploded, but defenses are still playing catch up. Joe Levy, CEO of Sophos, makes the case for better integration across cloud, network and endpoint. He explains why security tools need to work together, not just coexist, and how innovation can't succeed in silos.
Laura Enriquez
So congratulations on a year as the new CEO of Sophos. I would love to check in with you and just hear what that journey has been like. How has it been for you and your colleagues?
Joe Levy
Well, thanks Dave. It's been a very exciting year and I would have to say that this has been one of the most transformative periods in my entire career for me and for I think Sophos as well. It's interesting to be able to make the transition from technology leader. I've been chief technology officer of a number of different cybersecurity companies for quite a long time over the years and had never really imagined myself stepping into the CEO role. But the opportunity presented itself and it felt like the right thing to do. And the past year has sort of proven to me that it was indeed the right decision certainly for me and I would like to think for the company as well. So I, I could say that it's been an incredibly rewarding and gratifying transition for me.
Dave Buettner
Well, congratulations.
Laura Enriquez
And you know, over the past year or so, Sophos has certainly faced a number of threats on its own. You all have published some research about China targeting cybersecurity vendors and your efforts to fight back. Can you touch on that a little bit for us?
Joe Levy
Certainly. We disclosed a series of reports which we have called Pacific Rim that describe this five year long battle that we found ourselves in with some nation state Chinese adversaries. And the distillation of this effectively states that if you are a successful IT vendor where you have some material presence of infrastructure on the Internet, in other words, if you have been commercially successful and you have a lot of customers who are using your perimeter devices, whether they're routers or switches or remote access points or firewalls or zero trust network access, whatever it is, if it's a device that sits on the Internet and its purpose in life is to provide connectivity, that utility alone will predict that you are going to become the target of these nation state attackers that are attempting to establish some sort of a foothold within the points of presence on the Internet. And then we see the adversaries using this in a variety of different ways. They could use it to establish a botnet, which they can subsequently use the proxy network to attack other victims, or they can attack the customers themselves, and in some cases they can attempt to attack the vendors who are building the software and building the hardware on the perimeter.
Laura Enriquez
So I think it's fair to say that at the RSAC conference this year, AI and machine learning are going to continue to be hot topics. In fact, it's probably malpractice if you and I don't discuss it a little bit here today. I'm curious, how are you dialing in the degree to which you're integrating AI across the Sophos product stack?
Joe Levy
AI is absolutely an obligatory topic of conversation within cybersecurity. And it's interesting the way that the attitudes have shifted over the past few years. We've gone from a healthy dose of skepticism, from those who have been doing cybersecurity and information security for the longest about the practical benefits and utility of AI to what I think is reasoning with it in a way that is cautiously optimistic, is how I would put it. And it's clear the benefits that we can operationally get out of it. And I think that that attitude and that perception is beginning to take over the entire cybersecurity industry, still with a kind of a cautious optimism, I would say. And the history of how we've used AI has primarily been around simple classification. Is this file good or bad? Is this website good or bad? Is this email good or bad? And it was practically quite useful. But now, naturally, with the evolution of large language models, we're seeing a demonstration of an AI that can actually reason in ways that previous generations couldn't. And we're starting to see some really good, practical, beneficial applications of that kind of use within security operations. And I think the goal here, of course, is to be able to simulate the intuition of a human analyst as accurately as possible, where you get all the benefits of what a good security operations practitioner will be able to produce without any of the downsides which are primarily understood as hallucinations today. But you could effectively just think of those as another form of false positive, which is something that the industry has dealt with for a very long time. So really, really interesting time in the evolution of machine learning and artificial intelligence in service of cybersecurity.
Laura Enriquez
As a leader, as the CEO, how do you talk to the folks that you work with there at Sophos about getting on board with AI, but also not getting carried away with the hype train of it as well?
Joe Levy
Yeah, that is a very important balance to try to strike in any organization, not just within a cybersecurity company, but within any company. I think we're seeing these simultaneous pressures to ensure that we're not just throwing things at the wall randomly to see what's going to stick, because that wastes cycles within a business. And whether you're trying to do that within your go to market or your support organization or your marketing organization, you have to be very thoughtful and very deliberate about what you're introducing into your environment. Not just for the utility of it, whether you're actually going to get an ROI, but for the security implications of that as well. And then if you are a technology vendor and we can focus specifically on cybersecurity and you're thinking about how do you bring this into your portfolio so that you can use it for the benefit of your customers and your partners. The same sort of judiciousness needs to apply. You need to be really deliberate in the decisions that you're making. And you have to have a kind of an internal framework. And we're fortunate. We saw this coming years ago. We instantiated a governance body that helps us to deal with AI across the entire organization, whether it's for our own internal use or in service of the products and services that we're building for our customers. And that's really been helpful to us in steering those decisions.
Dave Buettner
You know, at RSAC this year we have the Nightdragon Innovation Summit, which I know your company will be featured at, and we here at Cyberwire will be participating in as well. And one of the things that they previewed that they're going to be talking about is this notion of platform versus best of breed. I would love to get your insights on how you parse out the difference between those.
Joe Levy
I think this is a great topic and a really important one. And for those of us who have been in the industry for a long time, we've seen these expansion contraction cycles and we've seen this debate go on and we've seen the pendulum swing both ways. Where I think we are at this point is, number one, people want to ensure that they have the best possible tools for the job, which would imply that best of suite is really where you're going to get the most benefit. But at the same time, as we continue to see the proliferation of tools within security operations and we just continue to see the increasing complexity of the way that our systems work, just imagine all of the upstream and the downstream interconnections that you have in the way that you build your IT systems today, they're more complex than they've ever been before, which means that there is greater complexity in their operation and insecurity tends to lurk at those interconnections. The greater the complexity, the more difficult it is to actually assess the security of a thing. Therefore, there's also this motivation to move toward consolidation, which is best of suite. So you don't want to sacrifice anything in the quality of the individual tool, but at the same time you probably get greater operational benefit from having a collection of tools that can operate within a unified and a consolidated operating paradigm. I think that's the direction that the industry is going to head for the foreseeable future.
Dave Buettner
From supply chain exposures to AI driven attacks, the threat landscape isn't slowing down. Katie Jenkins, CISO at Liberty Mutual, gives us a candid look at the risks on the horizon and the trends in innovation that might just outpace them.
Laura Enriquez
So I want to check in with you as we are in RSA conference session season here. What are some of the emerging threats and trends that you're tracking as a CISO heading into conference season?
Katie Jenkins
Well, I'm sure the go to answer would be AI security solutions, which to be fair, it's something I'm definitely interested in, particularly in looking to see how these solutions have evolved, have become really essentials for enterprises our size. But with RSA, I'm also keen to connect with my network of peers and partners and exploring other trends. Right. I'm curious about things like how others are achieving process efficiency and workforce strategies. Team reskilling. I always pick up tidbits around budget trends and pulse checking topics like fraudulent IT workers, post quantum preparedness. So, you know, maybe the best part about RSA is that there's like no doubt that I will pick up things that hadn't been on my radar, but will quickly be on my radar.
Laura Enriquez
Do you have a strategy for that? As you're making your way around the show floor, the presentations, one on one conversations, how do you budget your time?
Katie Jenkins
Yeah, so I am fairly meticulous about laying that all out in advance. Being there for, you know, the relatively short period that I'm there. I just really need to make the time super worthwhile. So I pick out key partners that I know will be there with, you know, new information, new announcements. I work in, you know, healthy handful of emerging and startup type organizations. I cherry pick some of my favorite networking events where I know there'll be, you know, like minded peers and folks that kind of collaborate with. So regrettably or intentionally, I don't leave a lot of margin for casualness in that schedule. It's, it's pretty, pretty packed dance card, as they say.
Laura Enriquez
Yeah, it's definitely that kind of event. But you know, I'll say, like, for me personally, one thing I'm intentional about is kind of making a lap around the very edge of the show floor because you never know when you're gonna run into somebody who has this up and coming idea that might be something you never knew you needed a solution to until you cross paths with them. Is that an experience we share?
Katie Jenkins
Serendipity, huh?
Cyberwire Network
Yeah.
Katie Jenkins
You know, I think that's awesome that that has been your experience. I, I don't think that experience is exclusive to, to the, to the floor. Right. I think that there are so many interesting events going on that the opportunity to meet new people and introductions happen super organically. That yes, I have always come away with. I did not expect to hear about that. And now this is something new for me to pursue.
Dave Buettner
Yeah, you mentioned AI. I'm curious what your approach is to that. I mean, how do you filter through the hype around AI? We've got agentic AI is a hot topic this year. What's your approach?
Katie Jenkins
I definitely don't think AI is just hype for Liberty Mutual. It's already well in use, it's creating real value for us and quite honestly, it's making me rethink about how my security team operates, how we can best leverage it to optimize our functions. But with that I am cautious, I'm cautious about the hype surrounding the readiness of these solutions. I think many of us have been in the position of hearing pitches or seeing pitches that look great in a PowerPoint but aren't really ready for prime time. And yet there's still value in that. Right. These ideas can still help me anticipate what is coming. We are experimenting in house with our own security AI tool development. I think it's really healthy to realistically weigh the pros and cons of build versus buy decisions. There's really good value to me in understanding from my peers, such as here at RSA, what's really working for others. I have to be keeping a pulse on things so I don't get swept up in just the fiction that AI is the magical solution for all security challenges. And I'm looking for a healthy dose of reality here.
Laura Enriquez
What about collaboration as you're keeping in touch with your fellow CISOs around the industry, both colleagues in organizations that are similar to Liberty Mutual, but I suppose other organizations as well. How do you keep those communication lines open to make sure that you have a broad spectrum of information at your disposal?
Katie Jenkins
Yeah, I think those connections are really essential in these times. I participate in many different formal and informal peer groups, but I think it's a real bright spot of this industry that collaboration continues to be a strong force. And quite frankly, I believe it's one of the reasons why we gather in San Francisco each year. Right. To strengthen our relationships, be ready to share insights from our experiences, our successes. I'm biased in thinking I have an exceptional team, as many of us are fortunate to have, but the threats we face are real. And learning from each other's missteps, each other's successes is really invaluable to me. If I were to add to that, I would say that, like me, many of my CISO peers are genuinely motivated to improve not only their own organizations, but also have impact and make improvements across the broader cybersecurity landscape. So with that in mind, this collective collaboration and effort is really essential in the spirit of being able to achieve more together than we can as individuals.
Laura Enriquez
Looking broadly at the industry, I'm curious if there are any particular pain points that frustrate you. Are there things that you think to yourself, I wish we could shift this one thing across the industry. I wish there were something that we could change. Is there anything that comes to mind in terms of aspirations for positive change over the coming year or so?
Katie Jenkins
Let me take the aspirational angle to your question, because I don't think it's peaked as that pain point yet. But for me, I would love to see a major push for innovation in a strong focus on upskilling our security workforce at scale with the rapid developments in emerging technologies, the evolving tactics of the adversaries. I think it's just crucial that we're preparing our security teams today with the skills that they'll need in the future. The challenge to this, right, is that we have day jobs that often turn into our night jobs, and those are incredibly demanding. So when I think about learning initiatives, these really need to be integrated into our current priorities. They can't just be an add on. We have to have these upskilling mindsets and opportunities be built into our daily routines, be part of our responsibilities. I certainly feel the responsibility to make sure that my team is equipped to meet the challenges ahead without overwhelming their already packed schedules considering topics like burnout. So now is the time to be making this shift before it gets to that excruciating pain point. That is part of excruciating, but the pain point part of your question. It's just this pace of change in cybersecurity is clearly not slowing down. And we really, I feel a very strong sense of need to invest in our workforce, not just as an altruistic interest, but really being essential for continuing to be a resilient and effective security organization.
Laura Enriquez
Yeah. As someone who is in a high level leadership position in cybersecurity, what sort of advice do you have for folks who are coming up in the industry, maybe somebody coming up through school or considering a career change? Do you have any words of wisdom?
Katie Jenkins
Oh, my goodness. I think now is an exceptional time to be joining the workforce and joining security teams. The talent that we're bringing in right now is really the bright spot that makes me hopeful for this future. So my advice would be to just sink your teeth and have conversations to understand people's career journeys in security. Some people have been in security their whole lives. Some have come to security from, you know, a very unique set of backgrounds. And I think that to be new to this field, perhaps even new to your careers, you have maybe more latitude than you even realize to take the time to ask people about their journeys. What, what resources have been most instructive? What are people's favorite podcasts? Right. That's, you know, it's all part of finding your place and finding where you can make impact. But I'll tell you what, Dave, I mean, there really are some extraordinary individuals joining the team, and I hope they know they have an open invitation to explore and their own curiosities and interests to figure out where they, where they can make the biggest impact for us.
Dave Buettner
So one of the things that I think security leaders face and confirm, if I'm correct here or not, is there's a lot of pressure to innovate but at the same time not compromise trust. How do you balance that? How do you balance speed with resilience as you're looking at your own organization's strategy?
Katie Jenkins
Totally agree with your premise that there can be friction there. When I think about innovation, think about both the pressure or the need to keep up with the broader tech advancements in our organization and on the other side how we're using innovation and security to advance things like automation and efficiency in our processes. So you know, for me customer trust and integrity are very deeply embedded in Liberty Mutual's culture and that yields or means that responsible innovation is the ultimate goal there. So I'll share an anecdote from two days ago. Recently biased but I love it. We have an in house responsible AI committee and one of my leaders was bringing one of our R and D use cases through this responsible AI review and it delighted me when there were non security committee members challenging my security team with security questions around what we were bringing forward. And it just really emphasized the fact that security is recognized across the organization the way that it is. My CIO Monica Caldas loves to say stable and secure systems is job number one and this statement alone reassures me that we don't have to sacrifice speed for security and resilience and it all matters. So maybe the last point I would emphasize there is that to the speed versus resilience question, we've adopted a strategy that prioritizes security at every stage of our innovation process. We have robust governance, we use a risk assessment framework that helps us innovate confidently. We know we're not going to be compromising our customers' trust. So really this allows us to embrace new technologies, experiment responsibly while ensuring that we're adhering to our standards and most importantly we're maintaining our customers' trust.
Laura Enriquez
What also strikes me in the story you describe, I mean that speaks to a culture of having a safe place where people can express their concerns and know that they're going to be heard.
Katie Jenkins
Oh absolutely. And that has been a really intentional change that I've been trying to drive in the organization. I mean you don't have to go that far back in time where you think about was security scary or secretive and if I felt something wasn't quite right I best keep my mouth shut about that to like really inviting and making that space we were celebrating people that are reporting things that seem unusual or suspicious to them and that puts us in such a stronger place that it's not just on the security team to find the holes and the workarounds and the opportunities. You know, everyone's in it together. We use the tagline Responsible Defenders. We invite, you know, we invite our whole workforce to be, to be foreign.
Dave Buettner
And that's a wrap on Beyond Cyber Securing the Next Horizon. A huge thanks to our guests Dave DeWalt, Nicole Bukala, Michael Mastro, Joe Levy and Katie Jenkins for sharing their insights, stories and strategies. As we heard today, cybersecurity is no longer just about defense. It's about vision, integration and bold innovation. The threats may be evolving, but so are the people, technologies and investments rising to meet them. If you like today's episode, don't forget to subscribe, leave a review and share it with a colleague. You can find more interviews and insights on our website, thecyberwire.com. Thanks for listening. I'm Dave Bittner. We'll see you back here next time. What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with Bloodhound Enterprise powered by SpectreOps. Head to SpectorOps IO today to learn more. SpectreOps see your attack paths the way adversaries do.
Podcast Summary: CyberWire Daily Special Edition - "Beyond Cyber: Securing the Next Horizon"
Release Date: May 11, 2025
Host: Dave Buettner
Produced by: N2K Networks
In this special edition of CyberWire Daily, host Dave Buettner delves deep into the future of cybersecurity, exploring how strategy, innovation, and artificial intelligence (AI) are converging to defend against an ever-evolving threat landscape. The episode features an impressive lineup of industry leaders who share their insights on emerging threats, investment trends, and the pivotal role of AI in modern security operations.
Discussion Highlights: Dave DeWalt offers a comprehensive view of the current cybersecurity investment landscape, emphasizing the surge in AI and quantum technologies. He discusses the duality of "best of breed" versus "best of suite" solutions, highlighting the industry's shift towards platform consolidation amidst the proliferation of specialized tools.
Notable Insights:
Emerging Themes at RSA Conference 2025:
"We are really seeing the wave of AI manifest itself into pragmatic, usable solutions at scale now." [07:42]
Agentic AI's Role:
"Agentic responses for faster response to a threat. Agentic scale for humans, pen testing areas of autonomy, threat management with autonomy." [09:54]
Underappreciated Threats:
"We're seeing offense really hurtling towards capability in the areas of electronic warfare. Defense is really fire behind and we got to catch up." [12:28]
Key Takeaways:
Discussion Highlights: Nicole Bukala discusses the multifaceted challenges today's Chief Information Security Officers (CISOs) face, particularly the balancing act between technological advancements, compliance reporting, and workforce burnout. She emphasizes the need for automated solutions to handle complex regulatory requirements efficiently.
Notable Insights:
Compliance Reporting Challenges:
"The number one thing I find them to be grappling with is the increasing demand for reporting to show compliance with certain security frameworks." [17:32]
Automated Reporting Solutions:
"We have a proprietary ingest parsing, normalization and correlation technology that allows for this data to be continuously ingested and ... arranged and then triangulated with each other so that the data set is always ready for that analysis." [19:07]
Key Takeaways:
Discussion Highlights: Michael Mastrol highlights how Dataminer leverages agentic AI to transform vast amounts of public data into actionable intelligence. He underscores the platform's capability to aid organizations in early threat detection and efficient response mechanisms.
Notable Insights:
AI in Threat Detection:
"We built a platform that leverages AI in a scalable way to parse all of this public data ... and distill it down to actionable alerts that are pertinent to our customers." [28:32]
Closing the Talent Gap:
"We believe AI can help close this gap and assist CISOs with relevant alerts about threats to their businesses, ... reduce what I call the risk gap scenarios." [32:42]
Key Takeaways:
Discussion Highlights: Joe Levy shares Sophos's strategic focus on integrating security tools across cloud, network, and endpoint environments. He discusses the company's experiences with nation-state cyber threats and the importance of cohesive security infrastructures.
Notable Insights:
Nation-State Threats:
"If you are a successful IT vendor ... you are going to become the target of these nation state attackers ... to establish some sort of a foothold within the points of presence on the Internet." [37:22]
AI Integration in Security Operations:
"The goal ... is to be able to simulate the intuition of a human analyst as accurately as possible ... without any of the downsides which are primarily understood as hallucinations today." [39:05]
Best of Suite vs. Best of Breed:
"The greater the complexity, the more difficult it is to actually assess the security of a thing. Therefore, there's also this motivation to move toward consolidation, which is best of suite." [43:00]
Key Takeaways:
Discussion Highlights: Katie Jenkins provides a candid perspective on the current cybersecurity landscape, focusing on the balance between innovation and trust. She highlights the critical need for workforce upskilling and the role of collaboration among CISOs in navigating emerging threats.
Notable Insights:
AI as a Tool, Not a Panacea:
"I have to be keeping a pulse on things so I don't get swept up in just the fiction that AI is the magical solution for all security challenges." [48:01]
Workforce Development:
"I would love to see a major push for innovation in a strong focus on upskilling our security workforce at scale with the rapid developments in emerging technologies." [51:35]
Balancing Speed and Resilience:
"We have robust governance, we use a risk assessment framework that helps us innovate confidently ... we're maintaining our customers trust." [55:21]
Key Takeaways:
The "Beyond Cyber: Securing the Next Horizon" episode of CyberWire Daily offers a forward-looking exploration of cybersecurity's future. Industry leaders underscore the transformative impact of AI and emerging technologies, the necessity for integrated security solutions, and the critical importance of workforce development and collaboration. As threats become more sophisticated, so too must the strategies and technologies employed to safeguard digital assets, ensuring that trust and innovation go hand in hand in the battle against cyber adversaries.
Notable Quotes with Timestamps:
Dave DeWalt:
"Agentic responses for faster response to a threat." [09:54]
Nicole Bukala:
"The number one thing I find them to be grappling with is the increasing demand for reporting to show compliance with certain security frameworks." [17:32]
Michael Mastrol:
"We just turn chaos into clarity in real time and empower these security teams with actionable information." [28:32]
Joe Levy:
"AI is absolutely an obligatory topic of conversation within cybersecurity." [39:05]
Katie Jenkins:
"Responsible innovation is the ultimate goal ... maintaining our customers trust." [55:21]
This comprehensive summary encapsulates the key discussions and insights from the "Beyond Cyber: Securing the Next Horizon" episode, providing a clear and detailed overview for listeners who seek to stay informed without tuning into the full podcast.