Trends shaping the future at RSAC. - CyberWire Daily

Summary8 min read

CyberWire Daily: Episode Summary – "Trends Shaping the Future at RSAC"

Release Date: April 29, 2025
Host: Dave Buettner, N2K Networks

1. Overview of RSAC 2025 and Emerging Cybersecurity Trends

The CyberWire Daily kicks off with Dave Buettner providing an insightful overview of the inaugural day at RSAC 2025 held in San Francisco. Highlighting the conference's key themes, Dave outlines the major trends poised to shape the future of cybersecurity:

Artificial Intelligence (AI) in Cybersecurity: Beyond automation, AI is being leveraged for real-time analysis, training, and enhancing security operations.
Identity Security: A significant emphasis is placed on managing vulnerabilities related to both human and non-human identities, reflecting the growing complexity of identity management.
Unified Security Platforms: Vendors are moving towards consolidating visibility, management, and response tools into single frameworks to mitigate security tool fragmentation.
Continuous Security for Post-Launch Applications: The focus is shifting towards proactive, ongoing security measures throughout the entire software lifecycle, indicating a move from reactive to continuous protection strategies.

Dave summarizes, “Cybersecurity is leaning hard into smarter automation, consolidation, and preemptive threat detection,” capturing the essence of the conference's direction (00:02).

2. Innovation Sandbox Competition: Project Discovery Takes Top Honors

The highlight of Day One was the 20th Anniversary Innovation Sandbox Competition, where Project Discovery emerged victorious for its groundbreaking open-source platform. Project Discovery’s flagship tool, Nuclei, is praised for automating attack surface monitoring and aiding security teams in rapidly detecting and remediating vulnerabilities.

Dave shares, “Project Discovery earned top honors for its open source platform that helps security teams rapidly detect and remediate vulnerabilities” (03:42). He teases an upcoming interview with Project Discovery's CEO, promising insights into their journey and future plans.

3. Federal Cyber Workforce and Leadership Challenges

A panel discussion featuring former CISA chief Chris Krebs sheds light on critical issues within federal cybersecurity agencies. Krebs vehemently criticized the efforts to reduce the federal cyber workforce, warning that such measures could severely weaken national defenses at a pivotal time.

Dave notes the “notable absence of current NSA and CISA leaders at the conference highlights deeper instability,” attributing it to factors like budget cuts and leadership vacancies (05:25). This absence underscores the ongoing struggles within US Cyber agencies, exacerbated by political pressures and resource constraints, which are undermining their ability to lead and protect effectively in a hostile digital landscape.

4. On-the-Street Insights: Kevin McGee Reports from RSAC 2025

Introducing a fresh perspective, Kevin McGee, Global Director of Cybersecurity Startups at Microsoft, takes on the role of an intern reporter, delivering a personal account of his experiences at RSAC 2025. Kevin shares his enthusiasm for networking, discovering new trends, and scouting for innovative startups.

He outlines his focus areas for the week:

AI Transformation in Cybersecurity: Exploring how AI is building resilience alongside security measures.
Future of Compliance: Understanding evolving regulatory landscapes.
Automation as a Business Advantage: Leveraging automation to enhance governance.
Empowering People and Building Leadership: Strengthening the human aspect of security.
Evolving Security Operations Centers (SOC): Scaling smarter, not just larger.
Cybersecurity as a Growth Driver: Shifting perception from a cost center to a strategic asset.

Kevin’s segment adds a dynamic layer to the coverage, emphasizing the multifaceted nature of the conference (05:25).

5. Recent Cybersecurity Incidents

a. Massive Power Outage in Spain and Portugal

A significant event reported is the massive power outage affecting Spain and Portugal, which left millions without electricity. The outage disrupted transportation systems, halted metro services, and grounded flights. Emergency services operated on backup generators, and traffic lights across both countries were non-functional.

Authorities have ruled out cyberattacks as the cause, attributing the outage to a "massive disconnection within Spain's power grid" (07:43). This incident raises alarms about the vulnerability and resilience of Europe’s interconnected electricity infrastructure, as cited by NPR.

b. Unauthorized Access to Classified Nuclear Networks

An alarming security breach involved two members from Elon Musk's Department of Government Efficiency gaining unauthorized accounts on classified nuclear networks. Although officials confirmed that these accounts were never activated and no classified material was accessed, the incident exposes weaknesses in access controls.

Dave comments on the severity, “Experts say simply halving accounts could allow limited requests for classified information,” highlighting the potential risks associated with unauthorized access (07:43). This situation underscores the heightened tensions over data handling and national security amidst federal restructuring.

6. FS ISAC Launches Cyber Fraud Prevention Framework

In response to the surge in online fraud, the Financial Services Information Sharing and Analysis Center (FS ISAC) has launched the Cyber Fraud Prevention Framework. This initiative aims to unify cybersecurity and fraud teams within financial institutions around a common structure and language, enabling earlier detection and prevention of scams.

Dave elaborates, “The framework unites cybersecurity and fraud teams around a shared structure and language, aiming to catch threats earlier in the attack lifecycle” (07:43). This development comes at a time when the FBI reported $9.3 billion in crypto scam losses, and Google warned billions of Gmail users about sophisticated phishing tactics.

The framework is particularly beneficial for smaller banks and fintechs, though large institutions might find implementation more straightforward. Overcoming organizational cultural resistance remains a critical hurdle for effective fraud and cybercrime prevention.

7. The Rise of Real-Time Deepfake Fraud

Real-time deepfake technology has transitioned from a theoretical threat to a practical tool for scammers, as detailed in a recent 404 Media investigation. Fraudsters now utilize accessible software to alter their appearance and voice during live video calls, enabling convincing impersonations.

Dave highlights the gravity of this threat: “The sophistication of these deepfakes poses significant challenges for detection, as traditional verification methods may not suffice” (07:43). This advancement has been exploited in romance scams, where victims are deceived into trusting and interacting with seemingly genuine individuals.

The accessibility of deepfake tools necessitates urgent enhancements in security measures and public awareness to effectively combat this evolving form of digital deception.

8. Threat Vector: Privacy and Data Protection in the Age of Big Data and AI

In the Threat Vector segment, host David Moulton engages in a compelling conversation with Daniel B. Rosenzweig, a leading data privacy and AI attorney. They delve into the complexities of privacy compliance amidst the proliferation of big data and artificial intelligence.

Key Discussion Points:

Regulatory Challenges: Rosenzweig emphasizes the necessity of aligning technological implementations with legislative intents. “They [legislators] are looking for an outcome. They've set the intent and you need to invent those technologies and interpret them based on what they want for the people they represent” (15:24).
Transparency and Accountability: The mantra “Do what you say and say what you do” is underscored as essential for building trust and ensuring compliance. Rosenzweig warns against the pitfalls of misleading privacy practices, where companies claim to honor data protection policies but fail to implement supporting technologies effectively. “Regulators aren't stupid and plaintiffs aren't either” (16:27).
Ad Tech and User Privacy: The conversation navigates the delicate balance between targeted advertising and user privacy. Rosenzweig critiques the industry's tendency to follow buzzwords rather than substantive solutions, stressing the importance of clear communication and genuine compliance with privacy rights. “Ad tech companies and publishers...are implementing technologies to support targeted advertising...then not actually configuring the technology in a way that fulfills those requirements” (18:13).
Future of Privacy and AI Regulation: Looking ahead, Rosenzweig anticipates more prescriptive laws addressing AI’s use of personal data, including specific requirements for training purposes and broader AI system regulations. “I think it will continue to be what you can do, at least in the privacy space, what you can do with personal data as it pertains to AI” (21:09).

This insightful discussion provides organizations with actionable advice on navigating the intricate landscape of privacy compliance and AI integration.

9. Additional Highlights

a. CrowdStrike’s Adam Myers on Detecting North Korean Cyber Spies

During a panel session, Adam Myers from CrowdStrike shared a unique method for identifying North Korean operatives infiltrating Fortune 500 companies. He humorously suggested, “Just ask, how fat is Kim Jong Un? Apparently, they hang up faster than you can say Laptop Farm” (07:43). These operatives often create fake LinkedIn profiles and establish a local presence to climb corporate ranks and steal intellectual property discreetly.

The FBI warns that such infiltrations frequently result in malware installations and significant security breaches, advising tightened hiring processes and rigorous verification to mitigate these threats.

Conclusion

The RSAC 2025 conference, as covered by the CyberWire Daily, underscores a pivotal shift towards integrating advanced technologies like AI in cybersecurity, emphasizing continuous and proactive security measures. However, challenges such as federal workforce reductions, unauthorized accesses, and sophisticated fraud techniques like deepfakes highlight the ongoing vulnerabilities within the digital infrastructure.

Expert insights, particularly from Daniel B. Rosenzweig, provide a roadmap for organizations to navigate the intricate terrains of privacy compliance and AI regulation, emphasizing transparency, accountability, and strategic technological implementations.

As cybersecurity threats continue to evolve, the themes and discussions from RSAC 2025 offer critical guidance for industry leaders aiming to stay ahead in an increasingly hostile digital environment.

Notable Quotes with Timestamps

Dave Buettner [(00:02)]:

"Cybersecurity is leaning hard into smarter automation, consolidation, and preemptive threat detection."
Daniel B. Rosenzweig [(15:24)]:

"They [legislators] are looking for an outcome. They've set the intent and you need to invent those technologies and interpret them based on what they want for the people they represent."
Dave Buettner [(03:42)]:

"Project Discovery earned top honors for its open source platform that helps security teams rapidly detect and remediate vulnerabilities."
Daniel B. Rosenzweig [(16:27)]:

"Regulators aren't stupid and plaintiffs aren't either."
Daniel B. Rosenzweig [(21:09)]:

"I think it will continue to be what you can do, at least in the privacy space, what you can do with personal data as it pertains to AI."

For a comprehensive dive into these topics and more, tune into the full CyberWire Daily episode "Trends Shaping the Future at RSAC." Stay informed and stay secure.

Loading summary

Transcript17 lines

[00:02]
Dave Buettner
You're listening to the CyberWire network. Powered by N2K, traditional pen testing is resource intensive, slow and expensive, providing only a point in time snapshot of your application's security, leaving it vulnerable between development cycles. Automated scanners alone are unreliable in detecting faults within application logic and critical vulnerabilities. Outpost 24's continuous pen testing as a service solution offers year round protection with recurring manual penetration testing conducted by Crest Certified pen testers, allowing you to stay ahead of threats and ensure your web applications are always secure. RSAC 2025 is well underway and Kevin the intern files his first report. Authorities say Spain and Portugal's massive power outage was not a cyber attack. Concerns are raised over Doge access to classified nuclear networks. The FS ISAC launches the Cyber Fraud Prevention Framework. Real Time deepfake fraud is here to stay. On today's Threat vector, host David Moulton speaks with Daniel B. Rosenzweig, a lead data privacy and AI attorney, about the growing complexity of privacy compliance in the era of big data and artificial intelligence and protecting your company with a fat joke. It's Tuesday, April 29th, 2025. I'm Dave Buettner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. We are once again coming to you from San Francisco at RSAC 2025. Day one announcements from the conference point to several clear trends shaping cybersecurity. Artificial intelligence is taking center stage not just for automation, but also for real time analysis, training and security operations. There's a major focus on identity security as companies push solutions that manage vulnerabilities tied to human and non human identities. Unified platforms are another big theme as vendors work to reduce security tool fragmentation by consolidating visibility, management and response into single frameworks. Finally, protecting post launch applications and external digital threats is gaining attention, signaling a shift toward proactive continuous security across the entire software lifecycle. Overall, cybersecurity is leaning hard into smarter automation, consolidation and preemptive threat detection. RSAC 2025 kicked off yesterday with the Innovation Sandbox competition and right down to the end it was a nail biter.
[03:31]
David Moulton
Who is the winner of the 2025.
[03:35]
Dave Buettner
20Th Anniversary Innovation Sandbox Competition?
[03:43]
Daniel B. Rosenzweig
Project Discovery.
[03:50]
Dave Buettner
Project Discovery earned top honors for its open source platform that helps security teams rapidly detect and remediate vulnerabilities. The company's flagship tool, Nuclei, automates attack surface monitoring and is already widely used by defenders worldwide. Later this week we'll share my interview with Project Discovery's CEO to discuss their journey from open source upstart to industry standout, how they plan to scale their impact, and what this win means for the future of automated security tooling. Stay tuned. You won't want to miss it. In a panel discussion Monday, former CISA chief Chris Krebs criticized efforts to shrink the federal cyber workforce, warning it could weaken national defenses at a critical time. The notable absence of current NSA and CISA leaders at the conference highlights deeper instability. Budget cuts, leadership vacancies, and a hesitance to engage publicly are hampering US Cyber agencies visibility and influence. Together, these stories paint a concerning picture. While policy and research are pushing for stronger security practices, political pressures and resource cuts are undermining the federal capacity needed to lead and protect in an increasingly hostile digital environment. Kevin McGee is global director of Cybersecurity Startups at Microsoft. But for this year's rsac, we had different plans for Kevin. He files this report.
[05:26]
Kevin McGee
Hi everyone. Normally I'm Kevin McGee, Global Director of Cybersecurity for Microsoft for Startups. But this week I am just Kevin the intern for the Cyberwire doing Kevin on the street interviews live from the RSA Conference 2025. Now, I've never really been an interviewer for a major media company before. Honestly, I pictured myself walking around with all this super high end gear, complicated microphones, maybe a mini controller board strapped to my back. But nope. Dave just met me in the lobby of my hotel, handed me a simple voice recorder and said, you know, just to be safe, he taped over all the buttons I shouldn't touch. So hopefully this goes well. If you see me looking lost, wandering around the Moscone center, or more likely hanging out near the bookstore, I'm a proud member of the Cybersecurity Canning Committee after all. Come say hi. So you've survived it. The hundreds of Are you going to RSA emails, the inmails, the texts, the signals you've been invited to the dinner, the reception, the axe throwing, or whatever creative event the vendors are hosting this year, you've made the long flight packed with half your LinkedIn connections, checked in your hotel, maybe had a pre day event. And now you're ready. It's officially RSA time. Well, so am I. What I love about being here is simple. Running into old friends, rehashing old stories, finding out what's new, and, let's be honest, tracking down the best after party. But you gotta come to RSA with good walking shoes and a game plan. So here's mine. This week I'll be diving into a few key themes. How AI is transforming cybersecurity and how we build resilience alongside it, the future of compliance, and how automation can turn governance into a business advantage. Empowering people, building leadership skills and a stronger human side of security evolving the SOC scaling smarter, not just bigger and how cybersecurity is increasingly becoming a growth driver, not just a cost center. I'll also be keeping an eye out on the startup scene, looking for the next big innovator and disruptor in our space. And yes, I made sure to leave extra room in my suitcase for new cybersecurity books from the bookstore. Throughout the week, I'll be filing my Cyberwire report, interviewing interesting people, figuring out how to get the audio back to Elliot without breaking anything, and just thoroughly enjoy myself. So from Arrival day here at rsa, this is Kevin the intern man on the street from the Cyberwire signing out.
[07:44]
Dave Buettner
Stay tuned for Kevin McGee updates from the RSAC conference throughout the week. We reported yesterday on the massive power outage that left millions in Spain and Portugal without electricity. It disrupted transportation systems, halted metro services and grounded flights. Emergency services operated on backup generators and traffic lights were out across both countries. By this morning, power had been restored to over 99% of affected areas. Authorities have ruled out cyberattacks as the cause of the outage. Investigations are ongoing to determine the exact origin, with initial reports suggesting a massive disconnection within Spain's power grid. The event has raised concerns about the stability and resilience of Europe's interconnected electricity infrastructure, NPR reports. Two members of Elon Musk's Department of Government Efficiency were given accounts on classified nuclear networks, though officials insist the accounts were never activated. Neither had prior clearance or nuclear experience. The Department of Energy initially denied any access but later admitted the accounts existed, stressing no classified material was accessed. Experts say simply halving accounts could allow limited requests for classified information, though strict controls remain. The incident adds to growing concerns about Doge's handling of sensitive data across the government. The situation reflects rising tensions over the politicization and management of national security systems during ongoing federal restructuring efforts. The FS ISAC has launched the Cyber Fraud Prevention Framework to help financial institutions better detect and stop scams before money's lost. The framework unites cybersecurity and fraud teams around a shared structure and language, aiming to catch threats earlier in the attack lifecycle. The shift comes amid a surge in online fraud, with The FBI reporting $9.3 billion in crypto scam losses and Google warning billions of Gmail users about new phishing tactics. Crime syndicates, particularly from east and Southeast Asia, are expanding their global operations, forcing banks like those in New Zealand to adopt stricter protections. While large institutions may find it easier to implement fs, ISACS stresses that smaller banks and fintechs also stand to benefit. Experts note that while frameworks are critical, overcoming cultural resistance within organizations remains a key hurdle to truly effective fraud and cybercrime prevention. Real time deepfake fraud has evolved from a theoretical threat to to a practical tool for scammers, as detailed in a recent 404 Media investigation. Using accessible software, fraudsters can now alter their appearance and voice during live video calls, enabling them to impersonate others convincingly. This technology has been exploited in romance scams, where victims are deceived into believing they're interacting with someone they trust. The sophistication of these deepfakes poses significant challenges for detection, as traditional verification methods may not suffice. The increasing accessibility of such tools underscores the urgency for enhanced security measures and public awareness to combat this emerging form of digital deception. Coming up after the break on our Threat Vector segment, David Moulton and his guest tackle the growing complexity of privacy compliance and protecting your company with a fat joke. Stay with us. Let's be real. Navigating security compliance can feel like assembling Ikea furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SoC2, ISO 27001 and HIPAA, getting you audit ready in weeks, not months. Whether you're a founder, an engineer, or managing IT and security for the first time, Vanta helps you prove your security posture by without taking over your Life. More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times and the roi. A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off vanta@vanta.com cyber that's v a n t a dot com cyber Secure access is crucial for US public sector missions, ensuring that only authorized users can access certain systems, networks or data. Are your defenses ready? Cisco's security service Edge delivers comprehensive protection for your network and users. Experience the power of zero trust and secure your workforce wherever they are. Elevate your security Strategy by visiting cisco.comgo.sse that's cisco.com go SSE Foreign David Moulton and his guests tackle the growing complexity of privacy compliance.
[14:14]
David Moulton
Hi, I'm David Moulton, host of the Threat Vector podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. In my latest episode, I sat down with Daniel Rosenzweig, founder and principal attorney at DBR Tech Law, to talk about one of the biggest challenges facing organizations today, privacy and data protection in the age of big data. Dan's advice? Say what you do, do what you say. It's a simple phrase with massive implications for compliance, trust, and your bottom line. As a recognized expert in data privacy and AI law, Dan brings clarity to the complex. This conversation will help you rethink how your teams align technology policy and practice. Check out the episode wherever you listen to podcasts Tan when you think about the legislatures that are trying to pass these laws, do they have a command of technology or does it not matter? They're looking for an outcome. They've set the intent and you need to invent those technologies and interpret them based on what they want for the people they represent.
[15:24]
Daniel B. Rosenzweig
Honestly, I don't think it's just a bright line rule. I think it's totally dependent on the legislator, dependent on the topic. But I think ultimately you're spot on in that. I think they're really focused on a conclusion, on an outcome. Right. And how can we get to that outcome? And sometimes the law is very prescriptive and says, hey, here's methods or ways to actually accomplish that outcome, or here's the technologies you can and should be using. And other times it's again like, you know, data privacy law is just honor a consumer's opt out or exercise the right to delete or things of that nature. But all in all, I think, you know, they're probably trying their best, but I think if you don't have the technical nuance and background, you're going to create ambiguity or create uncertainty and things of that nature. And the technology in that time, in that particular instance can be very powerful to get you to where you need to go.
[16:18]
David Moulton
Dan, with companies collecting and processing massive amounts of data, what do you see as the biggest privacy risk that organizations face today?
[16:28]
Daniel B. Rosenzweig
Yeah, so I think this is actually a pretty straightforward one in the sense of what the risk is. How to manage that risk is a different story. And we can talk through that as well. But really do what you say and say what you do. Right? Like have your, you can have your privacy policies you can have your public facing statements, you can have your contractual obligations. There are a ton of different instances and mediums where you're making representations about how you're handling data, whether in the AI context or the data privacy context or whatever. But actually again, making sure you're doing the things you say and honoring those statements and implementing the technology to support that is incredibly important. And regulators aren't stupid and plaintiffs aren't either. And that's what they're really focused on, that low hanging fruit. Hey, your privacy policy said you're going to honor my opt out. Then we go onto the website, easily exercise the opt out and see, oh, that's actually not happening or it's not working. So despite the disclosure saying you're doing it, the technology isn't supporting it. And finally, the risk that also comes with that is additional legal risk. Right? Meaning if you are not supporting the technology the way that you should be, or implementing the requirements per the law despite claiming that you are, that's a violation of the law in and of itself as an unfair and deceptive act under, you know, consumer protection law. So it's just really, really important to again, do what you say and say what you do.
[17:54]
David Moulton
Let's jump into some of the ad tech and user privacy topics that have been top of mind for me. Digital advertising is under a lot of pressure right now to balance the targeted advertising with user privacy. What do you think some of the biggest challenges are in ad tech right now?
[18:14]
Daniel B. Rosenzweig
So a bit of a quick history lesson. It's actually interesting that a lot of these laws, particularly laws like the ccpa, were actually passed as a response to target advertising. Right. So I think you're spot on to kind of home in on this and focus on this area because this is why a lot of privacy laws are where they are today as a response to targeted advertising, things of that nature. I think there's a couple of things that right now is being a little more difficult for publishers and folks in the ad tech space, which is one, ignoring the hype. It is amazing to me how many companies will come and try and approach certain things just in the name of using buzzwords and using technologies in a way that they think they have to. Right? Pets are actually a really good example of that. Pets in privacy, enhanced technologies and things of that. And even AI, right. You don't necessarily have to use those technologies to achieve a goal. And I think right now for targeted advertising in particular, a lot of companies are thinking we're going to implement these technical solutions that are going to mitigate our exposure for targeted advertising or replace targeted advertising. And while I think that can help, certainly it's not just apples to apples, right? I think you need to understand what is your business objective, what is your risk posture, what is are you trying to achieve here, and how do we need to manage our own risk as it pertains to those business objectives? So I think, yeah, again, ignoring the hype is going to be really, really important. And finally, I would say as it pertains particularly to ad tech is admit when you're using personal data, I think personal data has become such a, quote, negative word and it doesn't need to be like it's okay if you're using personal data for targeted advertising and you're using it in a way that fulfills a business objective while also giving consumers the ability to utilize your services. I think where companies are getting into trouble in the ad tech space is what we briefly talked about in the beginning of the chat, which is whether or not you're doing what you're supposed to do, right? So you're telling the consumer, hey, we use your data for targeted advertising. We are going to allow you to opt out of that if you want to. But please understand, here's what happens when you opt out, and if they're going to exercise that right to opt out, then honor that right to opt out. Right? Make sure that you implement the technology to support that. And I think that is where ad tech companies and publishers in particular are getting in a lot of trouble, to no fault of their own. As I said in the beginning of the conversation, it's that they're implementing technologies to support targeted advertising or enable choice for consumers and then not actually configuring the technology in a way that fulfills those requirements. And then they're continuing to use targeted advertising when they shouldn't be.
[21:00]
David Moulton
Dan, looking ahead, what do you think the biggest development in privacy and AI regulation will be in the next five years?
[21:10]
Daniel B. Rosenzweig
What will be the biggest development in the next five minutes? I mean, it's amazing how much things have changed and continue to change. I think it will continue to be what you can do, at least in the privacy space, what you can do with personal data as it pertains to AI. I think there's going to be some laws that speak to this a little more prescriptively to kind of align with how the AI systems are currently operating as it pertains to personal data. Meaning can you use personal data for training purposes? If so, here's what you need to do to do that. Are there exceptions to that? Are there mitigations that can be put in place? And I think on the AI space specifically agnostic to personal data Right now where we're seeing a lot of the laws focus are focused, particularly in the US are AI systems that are deemed high risk. I think we're going to see especially as the law continues to develop and again, I have no way of knowing this and I mean the technology continues to develop. I think the law is probably going to be a little more, you know, focused on AI generally. I don't know if it's always going to be limited to just AI high risk systems. I think it's going to be there's going to be requirements just to AI generally and some of those meet pretty benign requirements that are easily mitigated or easily compliant with and others may be, you know, more stringent will require a certain amount of time and effort to comply with those efforts. But I think that's ultimately where we're going to see things going.
[22:41]
David Moulton
If you like what you heard, catch the full episode now in your Threat Vector podcast feed. It's called Privacy and Data Protection in the Age of Big A, and it was released on April 24th.
[22:58]
Dave Buettner
Be sure to check out the Threat Vector podcast wherever you get your favorite podcasts. Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, at a panel session Yesterday here at RSAC, CrowdStrike's Adam Myers had a wild tip for spotting North Korean spies posing as tech workers. Just ask, how fat is Kim Jong Un? Apparently they hang up faster than you can say Laptop Farm. Thousands of these operatives have infiltrated Fortune 500 companies using AI to craft LinkedIn profiles, borrowing Polish names they can't pronounce, and even running US Laptop farms to fake local presence once hired their top performers, mainly because they have an entire team helping one employee climb the ranks and steal IP in tiny, sneaky bits. FBI agents warn that if caught, these workers often leave behind malware and a whole lot of trouble. Deepfake interviews are also getting disturbingly real. The advice? Tighten hiring processes, require local check ins, and maybe think twice before hiring that remote hotshot who's just too good to be true. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com A quick program note on today's episode of CISO Perspectives, host Kim Jones sits down with Kathleen Smith, chief outreach officer@clearjobs.net, a longtime cybersecurity career advocate, to tackle one of the biggest hurdles for aspiring cybersecurity professionals. How do you gain experience without already having a cyber job? And a reminder that today's episode of Sysop is the final episode of the season available to everyone. The rest of this season will be available exclusively to our N2K Pro subscribers. If you'd like to continue following Kim's conversations and access the full season, head over to thecyberwire.compro to learn more about becoming a pro subscriber. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpie is our publisher and I'm Dave Buettner. Thanks for listening. We'll see you back here tomorrow. And now a word from our sponsor. Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic Identity Threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate Darknet exposure report@spycloud.com cyberwide and see what attackers already know. That's spycloud.com cyberwire.