Cynthia Kaiser (11:47)

Foreign.

David Moulton (11:54)

Tactics and emerging tech to meet these threats is developing all the time On Threat Vector, we keep you a step ahead. We dig deep into the threats that matter and the strategies that work. How do they help that customer know.

Sarah Pawczyk (12:07)

That what they just created is safe.

Stacy Cameron (12:09)

The future is now and our expectations are wrong?

David Moulton (12:13)

Join me David Moulton, Senior Director of thought leadership for Unit 42 at Palo Alto Networks Networks and our guests who live this work every day.

Unknown Speaker (12:22)

We're not just talking about some encryption.

Stacy Cameron (12:24)

And paying multi million dollar ransom. We're talking about fundamentally being unable to.

Cynthia Kaiser (12:29)

Operate automated eradication and containment, so being able to very rapidly ID what's going on in an environment and contain that immediately. They're hiding in plain sight.

David Moulton (12:45)

So if you're looking to sharpen your strategy and stay ahead of what's next, tune in and listen to Threat Vector your front line for security insights.

Sarah Pawczyk (13:00)

CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1 and without securing them trust, uptime outages and compliance are at risk. Cyberark is leading the way with the only unified platform purpose built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, Cyberark helps modern enterprises secure their machine future. Visit cyberark.com machines to see how compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third party risk, and even customer trust so you're not buried under spreadsheets and endless manual tasks. VANTA really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC Just imagine how much easier trust can be. Visit vanta.com cyber to sign up today for a free demo that's V a n T a dot com CYBER My guest today is Sarah Powisek from UC Berkeley's center for Long Term Cybersecurity. We're discussing her proposed nationwide roadmap to scale cyber defense for community organizations.

Cynthia Kaiser (15:43)

Cisa, the Cybersecurity and Infrastructure security Agency, started an initiative a couple years ago called the High Risk Community Protection Initiative. And this was really their effort to focus on nonprofits and other high risk community organizations that really weren't getting the full force of federal attention because obviously the federal government concentrates on national security threats and usually journalists, nonprofits, food banks don't really qualify. That effort wound down after a year. It was a bit of a sprint for them. And moving out of that work, we worked with them to say, what is the next step of the High Risk Communities Protection Initiative? What is the next step of trying to protect more systemically these types of small organizations that don't really get a lot of federal assistance, that are never going to meet that threshold of a national security threat, but are still very vital to their communities. And that is how we started this group called the Cyber Resilience Corps. It's co chaired by the UC Berkeley center for Long Term Cybersecurity, CLTC and the CyberPeace Institute. And between our two organizations, we convened several dozen experts on community cyber defense, whether or not they're running a cyber volunteering program, whether or not they run maybe an affordable or free to use managed service provider to talk about some of these issues that community organizations are facing and what we need to do as a cybersecurity field in a community to better protect them. So that's really the impetus for this report.

Sarah Pawczyk (17:11)

You know, one of the things that caught my eye reading through the report is this notion of a cyber poverty line that some ways we can describe things as the people being the haves and the have nots. Can you flesh that out a little bit for us, what the reality there is?

Cynthia Kaiser (17:29)

Yeah, I Think that everybody in cyber has a different word for these types of organizations. But I think we're all very familiar with what this looks like. So cyber poverty line, target rich, resource poor I think is CISA's term. Basically any organization that can't afford the basics for cybersecurity, which is a lot of them. So whether or not that's a small organization or a large organization that just has a very small budget, these are the types of institutions that uphold our public life. So think about the Boys and Girls Club, the local food banks, your church or synagogue or mosque, think about your local dentist's office. But also things like small water utilities, small hospitals, things that you'd anticipate having more resources. But actually when it comes to cybersecurity tend to be very under invested in the field. So we need to think about all these together. I think as a field we typically think about these in terms of sector, what can we do for the water sector, what can we do for the hospital sector. But there's actually a lot in common between these types of small organizations across sectors than there is maybe between a very, very small rural hospital and a very, very large metropolitan area hospital. So that's what we like to refer to as the cyber poverty line.

Sarah Pawczyk (18:42)

When the report talks about this notion of a roadmap and this co responsibility model, can you describe that for us?

Cynthia Kaiser (18:50)

Absolutely. So when we were thinking about how to propose a path forwards for all these very different organizations in that we thought would be meaningful, we had to split it into a few different sections. So the first section was what can we do right now that we think will make a difference? And there was some disagreement in the group on this. I mean, there's a million and one things that you can do to help organizations. A lot of it has been tried already in the industry. Can we give them free tools? Can we give them free software? What if we send someone out to go and help for a little bit and they come back, what is actually really going to be effective? And the way that we were able to drill down into that was by developing a co responsibility model. We had to agree amongst ourselves what we thought was the organization's responsibility for themselves and what we thought was more the community's responsibility to help protect them. And we decided as a group that there should always be some amount of responsibility that lies within the individual institution. Right. We can't take away all of the cybersecurity responsibility from a nonprofit and say none of it is your responsibility because it would remove their buy in Right. We need some level of investment at the institutional level for the CEO to say, I'm worried about cyber risk. I'm going to make sure that I allot an IT budget. I'm going to hire someone who will help make these decisions for me. So that's what we left within the responsibility of our organization is that institutional understanding of risk and investment in that risk. But everything else, we take the position that the industry should be doing a better job of providing those services. And that's mostly the talent. Right. A nonprofit's budget of IT is sometimes approaching zero. We don't anticipate that changing. So we need to be more creative about the ways that we expect nonprofits to use cybersecurity technology and tools. We can't expect that they're always going to have a ciso, let alone an IT full time staffer. And so we structured the report around how can we find creative ways to provide that sort of hands on technical assistance, assuming that those institutions aren't going to have that in house.

Sarah Pawczyk (20:54)

Well, share with me some of the suggestions here. What are some of the practical things that the community can do to better protect everybody?

Cynthia Kaiser (21:02)

Yeah, the core of our solution for the short term is really relying on cyber volunteering programs. Folks might have heard of things like cyber clinics where students are learning to give risk assessments to local institutions as a part of their schooling. And there are also programs like the state civilian Cyber Corps, where volunteers at the state level form sort of an auxiliary corps and they're called in to help with incident response and training for local cities and hospitals and other types of organizations. So they're these really low cost programs that rely on community resources that are very decentralized, that we like to say they form a cyber safety net. And what we want to do is strengthen that safety net. So try and scale up the number of volunteers that are active in different communities around the country. Scale the skilling that each of them have so that we can reach a consistency of services across whether or not you're working with a clinic or a state civilian cyber corps or a nonprofit cyber volunteering program. You're getting what you need out of it. And we want to connect these sort of short term band aid solutions, which is everybody needs help now, we need to get it to them as quickly as possible to more long term solutions, such as a affordable managed service provider or managed cybersecurity service provider. So those were really the recommendations around how do we scale these types of models? How do we make sure that they're consistent and providing good service. And then how do we connect them to this cybersecurity ecosystem and give them a sort of on ramp into more systemic cyber resilience?

Sarah Pawczyk (22:42)

What would your call of action to be for the people in our audience who may be looking for opportunities to give back? Do you have guidance for where's a good place to start?

Cynthia Kaiser (22:54)

Yeah, that's a great question. I know that folks might be tired of reading reports in this day and age. And that's why along with it, we also released a platform called cybervolunteers Us. I'm going to say that again so that I make sure I get the URL right. We released a platform at cybervolunteers Us where anybody can go to learn about cyber volunteering programs across the United States to figure out what program might be right for them. If they're interested in volunteering, or if you know of a local organization that's in need of help, they can go to that website to find a program that they would qualify for to receive free assistance. But again, our biggest hurdle here is trying to increase the number of volunteers and increase the number of volunteering programs. So especially the folks who listen to this podcast that might be leaders that have communities of their own that are interested in volunteering, come and talk to us and start up a new program where you can recruit your friends and your colleagues to start providing some of these pro bono services to organizations in need.

Sarah Pawczyk (23:55)

That's Sarah Pawczyk from UC Berkeley's center for Long Term Cybersecurity. This week is of course, Black Hat USA 2025. We've got a special Woman on the street segment with Halcyon's Cynthia Kaiser and their CISO Stacy Cameron.

Stacy Cameron (24:26)

So I have a multifaceted value proposition that I that I do here. One is I really like to do a lot of networking, reach out to other leaders in the field. And you know, we kind of share horror stories and success stories. And so that is, to me, that's a very value added to really grow and build that network. But additionally to that is coming in, hearing some of the briefings, meeting, sitting on the panels, listening to awesome people. Leaders in the field really go over and sort of expand everything that I know and things that I don't know and that educational aspect of it as well. Also use it as a chance at being the Chief Information Security Officer. I use it as a chance to meet with all my vendors and some of my potential vendors. As a ciso, anyone in that field understands that you're always getting accosted I would say, by a lot of vendors. But they're really trying to sort of help, help the role. But some certain things that I need to do as I'm continuing to improve our security posture and mature our security posture at Halcyon is uses as an attitude. This one and other conferences just let's set up, let's talk, let's, let's go over some things and let's just knock it all with one, with one bank. So I use it for two purposes. I use it get out there. Sometimes we're talking to customers, sometimes I'm talking to partners, sometimes I'm at debrief and able to learn and educate myself and educate others. I've met someone that almost like in a mentor role since I've been here, been able to really provide that guidance for up and coming folks in the profession. So those types of things just sort of happened by happenstance and that was kind of a byproduct of being here. But yeah, there's just so many ways that I can use this as an, as an, as an opportunity to really grow in the security space.

Sarah Pawczyk (26:21)

And I guess as ciso, you kind of have a target on your back because you do have purchase authority.

Stacy Cameron (26:28)

Yes, but can't purchase everything. Don't need to purchase everything, but we do need to purchase something. So let's put it on that aspect. But yeah, so it's, it's one of those things where it's actually beneficial sometimes because it opens a lot of doors. Right. So if I'm trying to do something, but on the other side, it opens a lot of doors. You get a lot of phone calls, and some I take and some I don't.

Sarah Pawczyk (26:56)

Yeah. Well, Cynthia, as you're heading into this year's Black Hat, what's your sense in terms of the tone, how people are meeting the needs and the challenges of the industry this year? What's the temperature that you're sensing there?

Unknown Speaker (27:12)

You know, I've met so many people who. It's their first black cat, which I found kind of surprising. I mean, actually I'm the first black cat attendee too. But being able to, I think, have people come and there's such a sense of like wanting to learn not only from the presentations themselves, but a real interest in learning from each other. Stacy said it well, like, it's the people, right? Like, you come and you get to meet people. And I sense that there's a lot of excitement across industry for what we're going to be able to accomplish with some of the New technology or, you know, new ish at this point, technology that we're able to do. And I think from my vantage point of doing our soft launch of the Ransomware Research center last week, I'm just excited to meet with all these companies that are willing to share, really to partner and like want to actually put stuff together so that we can have a difference against cyber adversaries.

Sarah Pawczyk (28:19)

Well, Cynthia, what is the specific type of networking and connections that you're looking to make there with the launch of this Ransomware Center?

Unknown Speaker (28:29)

You know, I'm trying to gather information about how people may want to partner and why and I think that we've had a wide spectrum of interest in that. I've spoken with startups, especially, you know, small companies, medium sized companies, and we've talked through how we can take our good information that we have and we can all put it out. But you know, it's of okay value and maybe sometimes good value, but it's niche. But if we all put it together, we can do something much more comprehensive. And I think there's a lot of interest, especially across the startup community and being able to pursue that. Also been talking to various companies who say, I'm not going to want my name on the website, but I'd love to share data because I want to put it all together. We want to get information together and gift wrap it and give it back to the government so they can do something about all these problems. And I think that's been really fun. And third is the policy element, people who want to talk about what are the solutions that we can drive as a collective across industry and talk about with policymakers, especially with Sean Carecross being confirmed over the weekend.

Sarah Pawczyk (29:44)

You know, Stacy, as the ciso, a lot of folks who are just starting off in the industry here certainly would find you to be an inspiration, someone to look up to, perhaps turn to for mentorship. As you're walking around a show floor like this, it strikes me that people might be hesitant to strike up a conversation with someone at your level. But, but my sense is that you want to talk to those people.

Stacy Cameron (30:11)

Absolutely. And a lot of times there's introductions and already happening this week. Right. So we're already out here. We came for some of the pre events and people who I've just met are now introduced me to more people and people that are coming, trying to break into this space and a lot of people don't really understand like within cyber security there's so many ways and so many skills that are transferable. So whether You're a lawyer or a project manager. So many ways that they apply to cyber. And the question is, well, how do I break in? How do I get in there? And I Actually, it's. I'm glad you asked this question because I was just telling a young lady earlier that Cynthia got to meet, so I wanted to make sure I introduced her so she can start expanding. The young lady can start expanding her network. And it was. She's asking like, how do I do this? I'm like, just walk up and talk to people. Because just like you said, people may not want to talk to you. I'm like, they have a badge on. They're here. A lot of people are here to. And they're going to enjoy the networking aspect of it. They're here for exposure and to be exposed. So those types of things is, yes, I encourage you. I have a smile on my face, so I try to be welcoming. So a lot of people come in, they'll just say hi, and we'll just start talking. They're like, oh, you're a ciso. And now. And then we just go from there. And it kind of helps them and promotes that to give them more confidence and where they're talking and just sharing information, just asking them about their journey and being interested. And yes, I know we're going from meeting to meeting, but we do have to take that time to talk to the people. So, yes.

Unknown Speaker (31:41)

And Stacey, if I can add to that, I think sometimes it's hard to be a woman in cybersecurity, but one of the best parts is that I always find that I'm a little more recognizable and so people will come up and talk to. I find that people come up and talk to me all the time. Or I met somebody yesterday who was like, hey, I remember you from this conference in 2023. And it's so fun to be able to make those connections across the years, across the conferences, to know that you were able to have that conversation and share what you learned. And we were just at an event this morning where we were doing just that, where we were trying to share, like, what did we get right, what did we get wrong, and what's the advice we'd give to our prior selves.

Stacy Cameron (32:29)

And in showing up? So when they show up and they see us in certain places, like we're at panels and you're talking in events and those types of things, someone after that event this morning walked up into the elevator. I saw you earlier. So that was an entryway. You know, this is this Is this is how I can talk to these type of people. So, yes, I do get that. I will say, even from a mentor standpoint, I do have some mentees. I take mentoring very seriously, and I believe that there's a lot of time that goes into. So some people, if I don't have. I may not have the bandwidth to, you know, take on a bunch of mentees, but I will take time to have a coffee, to have a virtual coffee, to have a chat, because I think as I believe in the industry and I believe in emerging talent, and I want to make sure that people understand that they can be successful in this industry as well.

Sarah Pawczyk (33:17)

Well, before I let you go, I want to ask each of you, how do you measure success when you head home from a conference like this? What do you hope to take home with you? What do you hope to accomplish? Let me start with you, Cynthia.

Unknown Speaker (33:31)

I love taking home business cards and lots of LinkedIn connections, because what I'll do when I go home is I try to send a message to each of those people. Like, I know that we felt like we've identified some reason why we're connecting, why we're following up. And so success, to me is being able to continue the conversation after the conference is done.

Stacy Cameron (33:52)

I was going to say something similar. I know when I have, like, it's kind of like you have your meeting and you have your action items. Right? So if I don't leave here with anything new on my plate or even something that I'm already working on, a solution for that or maybe progression during that, then I don't think I've accomplished what I've come here to do. And as a ciso, I'm still working. Right. So I'm here, able to enjoy the conference, but I'm starting my day early, checking in with my team, making sure things are still going as planned, and then jumping in midday as well. But I really want to make sure those relationships are solid. I know Cynthia mentioned the business cards. I like pictures of business cards and definitely the LinkedIn connections. And I was thinking similarly, like, when you have those LinkedIn connections and you never reach out, it's like, is it really a connection if we haven't really spoken to each other? We're kind of just connected in theory. So.

Unknown Speaker (34:46)

Yeah. And I think, you know, in the end, you just want to learn one good thing.

Cynthia Kaiser (34:50)

Yeah, right.

Unknown Speaker (34:50)

If we can learn one good thing, attend one good talk, have that, you know, one really great new meeting, I mean, that makes it all worth it because you collect those and it just makes you better.

Stacy Cameron (35:03)

Oh, and then I loved all the wonderful, amazing women that we were meeting out here, these, these bosses out here in the streets, in the world of IT and cyber where it once was a, this was a man's world, right. And once it once was that. And I love that the men out there are welcoming our allies and advocates and just seeing so many women not afraid to excel and do what they need to do to succeed. So that's a, it's beautiful and amazing watching all of that actually being in the industry for going over 20 years.

Sarah Pawczyk (35:40)

Our thanks to Cynthia Kaiser and Stacy Cameron from Halcyon for joining us us from Black Hat in Las Vegas.

Dave Bittner (36:01)

On WhatsApp, no one can see or hear your personal messages. Whether it's a voice call message or sending a password to WhatsApp, it's all just this. So whether you're sharing the streaming password in the family chat or trading those late night voice messages that could basically become a podcast, your personal messages stay between you, your friends and your family. No one else, not even us. WhatsApp message privately with everyone.

Sarah Pawczyk (36:35)

And finally, helicopter parenting has officially hit the footwear aisle. Skechers new find. My Sketchers line quietly sneaks in a sealed compartment under the insole, perfectly sized for an Apple. Airtag not included. Of course, on the surface, it's a clever way to locate lost sneakers. In practice, it's parental tracking disguised as stylish kicks for toddlers to 8 year olds. The Internet, naturally, is divided. Some hail it as a lifesaver, especially for kids with special needs. Others see Big Brother lacing up early. The shoes look ordinary, but they whisper. I know where you are and so do your shoes. At 52 bucks a pair plus the airtag, they're priced for peace of mind or pint sized surveillance, depending on your view. From be home by dark to GPS enabled souls Childhood just got a firmware update and that's the Cyberwire. For links to all of today's stories, check out our daily briefing at the Cyberwire document. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show Notes. Please do check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.