Ann Johnson (11:21)

Foreign.

Dave Bittner (11:25)

Testing is resource intensive, slow and expensive, providing only a point in time snapshot of your application's security, leaving it vulnerable between development cycles. Automated scanners alone are unreliable in detecting faults within application logic and critical vulnerabilities. Outpost 24's continuous pen testing as a service solution offers year round protection with recurring manual penetration testing conducted by Crest certified pen testers, allowing you to stay ahead of threats and ensure your web applications are always secure. And now a word from our sponsor, Black Kite. If third party risk is keeping you up at night, you're not alone. It's a constant battle. Black Kite's third party cyber risk platform is built on real world threat intelligence straight from their research team's ongoing breach analysis, dark web monitoring and attacker tactics. That means you get a hacker's eye view of your supply chain to proactively spot risks. And speaking of research, they just dropped their 2025 third party breach report, breaking down last year's biggest trends and what's coming next. Grab the report now at www. Do black kite.com Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast. And in today's segment, Ann speaks with Christina Murillo, head of Information Security at the New York Giants.

Christina Murillo (13:17)

Today I'm excited to welcome Christina Murillo who is the head of information security at the National Football League's New York Giants. Welcome to Afternoon Cybertea. Christina.

Ann Johnson (13:28)

Thank you so much, Anne. Thanks for having me.

Christina Murillo (13:31)

So when you think about your journey and you think about new organizations and different roles, how do you go about assessing where the team is on their cyber journey? And what is your approach to actually taking and shaping a strategy that meets them where they are but gets them to the place of maturity where you want them to be?

Ann Johnson (13:47)

So that's always a tough one. One thing that I will say is that I never walk in with a checklist. I always walk in with curiosity. One of my first moves is to listen across functions, right? I want to know how people have experienced security, if they understand security, what our corporate leaders, how they feel about security, where there are any gaps in terms of the culture as well. That's super important for me. In parallel, I also assess fundamentals, right? I look at our policies, architect, our identity, awareness, detection But I'm not really just looking to audit. I'm kind of looking for alignment. I'm looking to see where our security goals are in sync with business priorities, where they're not in sync. And then I build the strategy rooted in where we are, right? Not where we wish we were.

Christina Murillo (14:36)

So cyber is full of misconceptions, right? How do you go about helping people get from that misconception to actually having a really mature understanding of the industry and a responsible understanding?

Ann Johnson (14:49)

That's such a great question. One of the biggest misconceptions that I see within cybersecurity is that it's just an IT thing. It's it's job, it's something technical that sits off to the side, it will take care of it, it falls under it, and that's it. The truth, as we both know, is that it's a business risk issue, not just a technical one. So part of what I do is, you know, I work really hard to bring security into broader conversations like with operations, with finance, even with hr, in terms of identity and onboarding and all of that stuff, so that people understand how their day to day decisions impact the organization's risk posture. Something else that I see a lot is if we're compliant, we're secure, just check the box and that makes us secure. That's not true. And that's something that I have to emphasize over and over again. I try to incorporate real world examples. There's so many breaches and examples nowadays, I feel like we see one every other week. Where companies are fully compliant and still got hit. Right? Because maybe they weren't actually secure where it mattered the most. Right. Maybe there was a process failure as an example, not necessarily a technical one. So my real focus is just to make security relatable right across the organization.

Christina Murillo (16:12)

How do you think about risk when you're building a security strategy and how do you think about compliance and how do you get your leadership and your peers aligned around the risk and aligned about the cyber risk, even if it isn't related to compliance?

Ann Johnson (16:27)

I will say that that is always a journey. It's a never ending journey. But one thing I've learned is that risk isn't always about the math. It's about the story. Right. Or your ability to tell the proper story. So for me, you know, when I get pushback, I don't really argue. I what I try to do is I try to reframe the conversation around business impact and again, I go back to those real world scenarios. You know, I'll say Like, hey, here's how this type of risk has played out for others, or, hey, if this happened here, what would this cost us in downtime or reputation or how would this impact football operations? Right. So I always start with that business impact and what's at stake if the risk plays out. I've. In terms of, like, revenue, reputation, operations, et cetera. I listen for pushback, of course. I tell stories around it, I give examples. I. I listen at scale. I try to understand where the pushback is coming from. If there's just like a lack of awareness, if there's a misconception somewhere. And then ultimately, if things start to feel a little bit subjective, I try to turn them into decision points. You have to be flexible. You have to pivot. I think the most important thing, though, is to keep protecting the mission. Top of mind, like, whatever our mission is, right? If our mission is to win football games, if our mission is to delight our fans and our customers, I have to keep that at the forefront.

Christina Murillo (17:55)

Well, let's talk about, you know, strategy is only successful if it's well adopted and if you measure it right, and if you continually measure it and then continually get feedback, get everyone on board going on a journey. How are you collaborating across the internal departments and with key stakeholders across the other NFL teams? And what is the key to managing those relationships?

Ann Johnson (18:15)

So it's amazing. I mean, I won't take credit for, like, the community that has been set up. That's, you know, credit to the NFL CISO and his information security office. They've done a great thing with bringing us all together, like the 32 clubs. So we're, you know, we're always on phone calls multiple times a month. We have, we share threat intel. We meet in person a few times a year as well. At the end of the day, we all have the same shared goal, right, which is to protect our fans, protect our clubs, protect the overall league. One of my favorite elements of this entire journey has been meeting other information security officers across the different teams and learning more about their strategy, their processes, and us kind of like comparing and exchanging notes. That has been a joy because it's like our own little security community. I'm always encouraging people to share more externally so that the overall cyber community can get more of this goodness. But it's all about relationships. I think it really, for me has been about relationship building, making that time not only when they're urgent moments, but just overall.

Dave Bittner (19:27)

You can check out the full episode of Afternoon Cyber Tea right here on the N2K CyberWire network, or wherever you get your favorite shows. Let's be real. Navigating security compliance can feel like assembling Ikea furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SoC2, ISO 27001 and HIPAA, getting you audit ready in weeks, not months. Whether you're a founder, an engineer, or managing IT and security for the first time, Vanta helps you prove your security posture without taking over your Life. More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times. And the roi. A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off vanta@vanta.com cyber that's V-A-N t a.com and finally, what happens when you mash up a 19th century art icon and a retro CPU from the golden age of microcomputing? Apparently you get the RC 2014 Mini 2 Picasso. This limited edition Z80 based single board computer runs Old School Basic, 4th and CPM, but does so with a flair even your art teacher would admire. Think standard RC 2014 guts, but laid out like Picasso himself dropped by with a soldering iron and no regard for straight lines. Resistors pirouette over each other, components are skewed like cubist portraits and no two boards look exactly the same thanks to a wild mix of silkscreen colors and socket styles. It's a PCB that says I contain multitudes and 8 bit computing nostalgia. Available via Z80 kits. This delightful mashup of silicon and surrealism is a refreshing reminder that PC boards don't have to be neat. They can be expressive, eccentric and maybe just a bit 1990s rave chic too. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian show every week. You can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Ann Johnson (23:51)

Foreign.

Dave Bittner (24:02)

What'S the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets with bad directory hygiene and years of technical debt. Identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in active directory, Entra, ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with Bloodhound Enterprise, powered by Spectrops. Head to SpectorOps IO today to learn more. Spectrops see your attack paths the way adversaries do.