Kim Jones (12:47)

It's good to be back. Thanks Dave.

Dave Buettner (12:49)

Well, let's talk about the episode that you're kicking off this season with and it's titled Is the Cyber Talent Ecosystem Broken? I have to say this is an intriguing title to me. I have my own thoughts, but I'm curious what led you to decide this was how you're gonna lead off the system and what went into creating this episode?

Kim Jones (13:10)

Well, one of the approaches that I wanted to take this season was to focus on depth of issues. So there's a lot of big tractable things out there that CISOs face that either get passing consideration during a 30 minute podcast or usually a session at a conference and that we don't go into any depth in except maybe at the bar after the conference session. So what I wanted to do with this podcast is to take a multi episode arc regarding some of those more tractable problems that are out there and one of the ones that I hear about regularly and that we talk about regularly is the cyber talent ecosystem. So what we're going to do through the bulk of this season is talk about various aspects of the talent problem. So I wanted to start with an overview of what we are seeing out there within the market space and some of the challenges that we're facing via the various ways that people can come into cyber versus some of the complaints that we have as senior cyber leaders regarding what the ecosystem is or is not doing for us. And look at what not only the ecosystem could do better, but frankly what we could do better to make it, to make it work for us. Because I think that's a problem that we haven't addressed for, hell, decades now.

Dave Buettner (14:43)

You know, I think it's fair to say that this is a hot button issue for a lot of people. This kind of disconnect between, you know, the one hand is saying we have all these missing, we don't have enough people to fill the positions in cyber, and then the other side are people who are newly have earned their credentials and they're saying, nobody will hire me. And there's a lot of sort of talking past each other and trying to get past this frustration. Is that a frustration you've seen and one you share?

Kim Jones (15:15)

It's one that I have seen, absolutely. It's one that I share slightly. And I say slightly because one of the things I try and do is walk the talk, if you will, and normalize things in my environment and eat and breathe what I say that I want within the environment. And that includes doing things like creating a proper job descriptions, creating pathways that don't require everyone to go to college, hiring people from non traditional pathways, and doing the things that. So that we're consistently solving all pieces of that problem. What we're going to talk about, starting with this episode and throughout the season, is many cases what lots of people are doing are just tackling one piece of that and then still complaining as to why things aren't working well. You know, we complain that the individual who has come up through a training or career transition program doesn't have the skills that are needed yet when we sit down and I actually use this example in my first, you know, in this first episode, I've sat down with a handful of Fortune 500 CISOs and said, Tell me what you want. And then when you try to ask them to tell them what you want and you say, okay, so if I can build what you want, you'll hire these folks, right? And then everyone starts backpedaling. Then when you push them to say tell me what you want, you get a. I'm not avoiding the question, I'm not telling you because we're really not sure. And you know, if you don't know where you want to go, then any destination will get you there or no destination will get you there, as Lewis Carroll used to say. So, yeah, it's a frustration for me that after almost 40 years in this profession, we still can't figure out what we want to be when we grow up and help people get there. And that's wrong.

Dave Buettner (17:04)

Yeah. Are you hopeful or optimistic that we're perhaps able to take a serious look at this and fix it?

Kim Jones (17:14)

Any good cyber professional is always optimistic because you can't be a pessimist and do this work, plain and simple. What I am hoping to do through the course of the season is provide listeners all of the pieces and parts for them to put together. And then as we look at each episode, Here are some things that you can do to address this piece. Here are some things that you can do to address this piece so that they have a strategic viewpoint on this problem. And it's not just me. I'm inviting in subject matter experts and other guests, et cetera, to bring their perspective to the problem as well. So it isn't just me railing at the microphone every week. It's truly bringing people who say, okay, here's the starting point. I use the analogy what we're doing is we're setting the table. And that's just me talking about what I see in this beginning, in these pieces as we begin the episode. Then we invite experts to dine with us and then I bring somebody else in and we deep dive on that piece of it. And then we do that and just build, hopefully a look at all of the aspects of the challenge and give people a holistic. I won't call it a roadmap, but I'm not fully caffeinated, so I probably will. So a roadmap in terms of things to consider in terms of solving it. So I'm ever hopeful, man.

Dave Buettner (18:40)

Yeah. Well, the show is CISO Perspectives. It is part of Cyberwire Pro right here on the N2K CyberWire network and Kim Jones is the host. Kim, thanks so much for joining us.

Kim Jones (18:51)

Looking forward to it, man. And I'm looking forward to talking to you about our next episode.

Dave Buettner (18:56)

Next week we'll do it.

Kim Jones (18:58)

Thanks.

Dave Buettner (19:06)

On this week's preview of the Threat Vector Podcast, David Moulton, director of thought leadership at unit 42, is joined by Rob Wright, Security News director at Informa TechTarget. They're discussing the stories the industry overlooks overhyped AI security fears and the real risks posed by certificate authorities.

David Moulton (19:29)

Hi, I'm David Moulton, host of the Threat Vector Podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. In my latest episode of Threat vector I sat down with Rob Wright, security news director at Informa Tech Target, to ask a deceptively simple are we actually paying attention to the threats that matter? Rob's been covering cybersecurity for over a decade, and in this conversation he unpacks the stories the media often misses and the ones it may be getting wrong. We talk about the uncomfortable truth behind certificate authorities, why deepfakes might be getting too much credit, and how AI headlines can obscure more than they reveal. If you've ever wondered what goes on behind the scenes in cybersecurity journalism and what industry risks are flying just under the radar, you're going to want to hear this. Check out the episode wherever you listen to podcasts. Rob, this may be a loaded question given the current news media landscape, but how do you view your role as a cybersecurity journalist and what drives your approach to covering this industry?

Rob Wright (20:44)

Yeah, I do consider myself a cybersecurity news reporter in terms of what drives my approach. It's changed a lot. The urgency around cybersecurity has increased what feels like, I don't know, at least tenfold over the last few years. So we try to, I try to cover the stuff that I think has the biggest impact on the masses. So not just enterprise security, but also, you know, government and citizens at large, I guess, because it really has gone from the beat's, gone from enterprise to just, I mean, this is something the whole world, I guess, has to deal with now.

David Moulton (21:33)

So who do you see as your main audience?

Rob Wright (21:38)

We try to deliver our news with a hypothetical reader in mind. And that hypothetical reader is a practitioner, a technology practitioner, somebody that works in IT or IT security within an enterprise organization or government organization. But yeah, we try to deliver our content to the folks that are actually working with this stuff. There's always room for some of the general consumer news out there and obviously some of the beginners that are just getting into this business. But by and large we try to focus on the people that are really into this stuff, that are really working with it every day and that need to know about the types of technologies, the types of threats, the types of goings on that that are important to their jobs.

David Moulton (22:32)

So I kind of see using AI and how it works as in some ways like talking to another person. If I ask you describe your dinner from last night and then 10 minutes later ask you to describe it to me again, and if you use the exact same story to tell me about what you had, who was there, the overall vibe of dinner in a robotic Fashion in a classic compute model, I would be freaked out by you. But if a computer does that says the exact same thing over and over, I'm like, yeah, that's what I expect. It's a programming problem. I got some inputs, I get an output, it's always the same. And AI breaks that relationship with the machine in a way that causes us to step back and go, oh no. And sometimes you can't tell if it's just doing the analysis of what word next a little different or if it's just BSing you, right. And you don't know. Has it decided to hallucinate? That's a fun term. Or is it just telling you the story in a new way? And I think that's the part that causes me pause. In an industry like security, where you're going, is it telling me that this is a false positive and I move on? Is it telling me that this is an incident and I need to go after it and it doesn't really know it's mathematically assigned a rating and that can be, that's problematic. So solving for that is, I think that's going to be key.

Rob Wright (24:12)

Great.

David Moulton (24:13)

Rob, what strategies can cybersecurity professionals and journalists use to verify some of the claims about AI related security incidents to separate the hype that we're seeing from the reality, especially before reporting on them?

Rob Wright (24:29)

This is hard because I think there's a lot of AI washing and I think there's a tendency for people to kind of get carried away with applications for AI that are really neat and interesting. But like, it's not a one to one, it's not. Just because you can do something over here doesn't mean you can take that same technology and apply it over there. So for example, just because Deep Blue can beat the world's chess chance and you can build an application that is very, very specifically tailored to do one thing really well. Same with Google and AlphaGo, the, the Chinese game Go. It created this game and oh my God. And it beats the world's best Go players. Just because that is out there and you know that that works, doesn't mean you can just take that technology and bolt it on to a cyber security application and have it do wondrous things. I think the thing that people should be aware of, the practitioners out there is that a lot of the stuff is kept in a black box. But if you can get to the vendors and the providers out there that are using this technology and really touting it, just run some simple tests, just run, run simple tests and just see, start small, start innocuous. Don't ask it to like run your sock. Don't ask it to run, you know, don't ask copilot or whatever to just do these complex things. Just start small. I start small with AI. I asked Google AI very simple questions. I asked it a couple weeks ago, what are the what are the best selling American rock bands in the history of modern music? And it comes back with the Rolling Stones, Pink Floyd, acdc, Led Zeppelin. If you can't get that right, if you can't get that right, stop, stop. And you know, I'm not saying throw the vendor out, but just reevaluate. Just say come back to us in a few months when you have that cleaned up and we'll take another look. So I would start small with tasks like, okay, is it picking up these, you know, these, these login attempts from this IP address or the where we've got 100 attempts on this account in this amount of time from this region is a flag unit. Simple, simple stuff. And if it can't get that right, then just move on.

David Moulton (27:13)

If you like what you heard, catch the full episode now over in your Threat Vector podcast feed. It's called what Cybersecurity Blind Spots Could Lead to the Next major attack from April 10th.

Dave Buettner (27:31)

Be sure to check out the Threat Vector podcast wherever you get your favorite podcasts. Do you know the status of your compliance controls right now? Like right now, we know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like Society and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off. And finally, here at the Cyberwire, we rely on credible experts to provide context and clarity on breaking cyber and tech news. So imagine our concern over reports of a growing number of seemingly authoritative sources, from senior analysts to psychologists that started sounding a little too slick replying to quote requests faster than you can say generative AI. According to Press Gazette, some of these experts flooding journalist inboxes aren't real people at all. They're the product of PR platforms and clever prompts offering ready made commentary attributed to fabricated identities. Like Rebecca, a supposed science educator who's also a budgeting guru and a music industry analyst, or Barbara, who's been quoted by nearly every outlet imaginable but whose main online presence is tied to an adult toy shop. The problem is these fake Personas are often indistinguishable from the real thing until you scratch beneath the surface. In a landscape where trust is everything, this AI enabled fakery is more than a curiosity, it's a credibility crisis. Stay vigilant, my friends. Stay vigilant. And that's the Cyber Wire four Links to all of Today's stories Check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Piffner. Thanks for listening. We'll see you back here tomorrow. Looking for a Career where innovation meets Impact Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting edge edge solutions. Whether you're passionate about AI, cybersecurity or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities and a focus on work life balance, you'll have the flexibility to thrive both professionally and personally. Explore open cybersecurity and technology roles today@vanguardjobs.com.