Announcer (12:35)

Get in the game with the college branded Venmo Debit Card Wreck your team with every tap and earn up to 5% cash back with Venmo Stash, a new rewards program from Venmo. No monthly fee, no minimum balance, just school pride and spending power. Get in the game and sign up for the Venmo debit card@venmo.com collegecard the Venmo MasterCard is issued by the Vanccorp Bank N.A. select schools available. Venmo stash terms and exclusions apply at Venmo me stash terms max $100 cash per month.

Dave Bittner (13:12)

Kevin McGee is global director of Cybersecurity Startups at Microsoft for Startups but this week at the RSAC conference, Kevin is my intern.

Kevin McGee (Intern) (13:23)

What's your name please?

Dale Hoch (13:24)

Dale Hoch. I'm the CISO at regscale.

Kevin McGee (Intern) (13:27)

Welcome to the show. Great to see you again. Now we've go back a little while, so tell me, what are you working on nowadays?

Dale Hoch (13:34)

So at regscale we're doing the transition to AI security. So we're really operationalizing our security operations center and spending a lot of time with the hardening and the hows and whys around AI, which is why I love the RSA theme this year and coming here and being able to talk to all the innovators and speak to all the other players in the space, it kind of build the roadmap for the future as we get around. You know how it's one thing to keep lines of business open, but it's another thing to open up new lines of business. And if you're not leaning hard into AI, you're way behind. So that's what, that's what we've been working on at Ringscale.

Kevin McGee (Intern) (14:16)

Now I got to tell you, I used to think compliance was pretty boring, but it's probably one of the hottest things in the market. It's Picks and shovels in a gold mine.

Dale Hoch (14:23)

It really is. And when you start to get. When you start to wrap automations up with AI and continuous controls monitoring I think right now we're looking at the death of compliance really. And you're looking at it moving to key security indicators are what my buddy Roland Cloutier calls dynamic operational controls assurance to where you're proving everything in your operational tech stack and your cyber resilience automatically all the time. And that, that point in time checklist is going away.

Kevin McGee (Intern) (14:54)

You talk about compliance as code. Tell me a little bit about that.

Dale Hoch (14:57)

Yeah, so when you start to take, you know, DevSecOps has been around for a while but when you start to take where you build compliance and security into your pipeline and then you start to automate it and you. So you get away from. Okay, my access controls are right, check. My, my configuration management is done, check. You're automatically gathering all your evidence and you're doing it at the start of your code so you don't have to do that panic state whenever you get into the production level. So building in compliance into your pipelines is the key to the future. If you're not looking at doing it now, you're going to be forced to do it in two years.

Kevin McGee (Intern) (15:36)

Awesome. Well, thanks for your time, have a great show.

Dale Hoch (15:38)

Fantastic. I appreciate being here. Great to catch up with you again, Kevin.

Kevin McGee (Intern) (15:43)

All right, tell me who you are and what you do.

David Delappell (15:45)

Hey, thanks so much for having me Kevin. I'm David Delappell, co founder and CEO of Dune Security.

Kevin McGee (Intern) (15:50)

And what does Dune Security do?

David Delappell (15:52)

So at Dune we prevent social engineering and insider threat across every channel. We have built the best replacement for things like security awareness training as well as we just released our red teaming, our agentic red teaming product on the

Kevin McGee (Intern) (16:04)

user layer and I just got a chance to try that out and I got to make myself a deep fake of my boss, Dave Bittner.

David Delappell (16:11)

Yeah, exactly. And so it's a really crazy time right where attackers can get into companies really through any modality using deepfake where possible. We've created what we think is the industry leading adversarial AI within one hour. We're creating a new adversary emulation pathway which is a specific Persona, method and target.

Kevin McGee (Intern) (16:30)

So you're taking this beyond awareness training, you're taking this almost to a red teaming in the physical world of deepfakes and phishing and vishing and all those other things as well?

David Delappell (16:41)

That's right, yeah. Our focus has always been on the user is really the attack surface right and so you need to pull in unlimited input source data to truly quantify user risk accurately in the enterprise. And in the enterprise, I mean, they're getting hammered by these deepfake phone calls or encrypted channel attacks. Right. And so you kind of have to meet the market where it is and really emulate the attackers.

Kevin McGee (Intern) (17:03)

All right, walk me through one example that always blows everyone away when they see it. When they. When they see your product in action.

David Delappell (17:09)

Yeah. I mean, one data point I can give is, you know, we're working with a lot of large GSI's and BPOs with large call center populations around the world. And what we found is, on average, roughly 1% of employees are complicit, meaning they'll accept a bribe from our AI. And so that's pretty insane. And of course, those people did get terminated in some of our customers. And now we've created deterrence, which is great. And now it's way less than 1% the problem.

Kevin McGee (Intern) (17:37)

And I did some physical pen testing back in the 90s. If you've just got one person, you could only do one attack vector and only the imagination of one individual. But you can now do the set scale.

David Delappell (17:47)

Yeah, it's, It's. Right, exactly. We're able to send, you know, a thousand phone calls, deep fake phone calls at once. Right. And people can have conversations with this. And, you know, we're partnered with a company called Reality Defender. And what Reality Defender does better than we think anyone is deep fake detection. They've been building this for over five years now. And they have really, really deep, you know, technical mode over their competitors. But what we do is we'll, we'll, we'll flood the zone with realistic outreach like phone calls, and we'll find, okay, roughly 90% will pick up the phone, right, in a call center. Maybe 40, 50% are actually having a conversation with the thing and not knowing it's AI. And then we're able to get a non zero amount of users to be complicit or socially engineered. Now, if you put Reality Defender on it, though, we can block everything. Right, because it detects it.

Kevin McGee (Intern) (18:37)

That's fantastic. Well, thanks, and have a great rsa.

David Delappell (18:40)

Thanks so much, Kevin. It's great to talk to you today.

Kevin McGee (Intern) (18:43)

So it's Kevin the intern coming live from the streets of San Francisco. And because I'm an intern, I don't have much of a budget. But luckily the ARM cybervan is passing out free burritos, so I'm here scrounging burritos. Tell me who you are and what do you do.

Jason Williams (18:57)

So, Jason Williams and I'm with ARM Cyber and I'm the Global Director of Solution Architecture Worldwide.

Kevin McGee (Intern) (19:03)

Awesome. And what does ARM Cyber do specifically? Great.

Jason Williams (19:05)

So ARM Cyber is a data resilience, preemptive ransomware mitigation solution, providing organizations with peace of mind to not only stop threats that come against their organization, but to be able to recover data in a moment's notice.

Kevin McGee (Intern) (19:17)

That's awesome. I've heard you described as sort of the cloaking device for data. Is that true? Ekt.

Jason Williams (19:22)

Yep, pretty much. So we are able to understand where data assists the critical information within an organization and then be able to be that endpoint of the future for them.

Kevin McGee (Intern) (19:30)

All right, now tell me the story behind the burrito truck. Is this getting a lot of press here?

Jason Williams (19:34)

Oh, it's definitely getting a lot of press. Everybody loves burritos. We're in the hot spot here at RSA conference, giving out, you know, burritos that are chicken and veggie, and people are coming by and enjoying it. So free to everybody.

Kevin McGee (Intern) (19:45)

Fantastic. What's the most popular one? Chicken. Chicken, hands down. Well, thank you for your time today.

Jason Williams (19:50)

Thank you. Have a great one.

Dave Bittner (19:53)

That's intern Kevin, also known as Kevin McGee, global director of Cybersecurity Startups at Microsoft for Startup. Foreign.

Announcer (20:12)

This episode is brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed sponsored jobs to find the right people with the right skills fast. It's a simple way to make sure your listing is the first candidate. C. According to Indeed data, sponsored jobs have four times more applicants than non sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply.

David Delappell (20:39)

Zootopia 2 has come home to Disney.

Jason Williams (20:42)

Let's go get ready for a new case.

David Delappell (20:44)

We're the greatest partners of all time. New friends Gary the Snake and your

Dave Bittner (20:48)

last name, the Snake Dream Team Pick new habitats.

Announcer (20:51)

Zootopia has a secret reptile population.

David Delappell (20:54)

You can watch the record breaking phenomenon at home. Zootopia 2, now available on Disney. Rated PG. And right now you can get Disney and hulu for just $4.99 a month for three months with a special limited time offer.

Jason Williams (21:05)

Ends March 24.

David Delappell (21:06)

After three months, Plan Auto renews at 1299amonth. Terms apply.

Dave Bittner (21:16)

And finally, a site called Webinar TV is drawing attention after quietly recording publicly linked zoom meetings and republishing them as AI generated podcasts, sometimes without participants realizing their conversations were captured at all. According to reporting from 404 Media and a cyber Alberta analysis webinar TV scans for meeting links, joins sessions using browser extensions or related tools, then records and republishes content with summaries, chapters, and even AI hosts discussing the calls. Some users only discovered this after receiving promotional emails congratulating them on their surprise podcast debut. Zoom said the activity happens outside its platform environment and relies on publicly shared meeting links rather than a software vulnerability. Organizations often treat webinars as semi private working spaces, yet publicly shared links can quietly turn them into searchable, replayable content libraries for someone else's business model. The safest assumption may be that if a meeting link can be shared widely, it can also be replayed widely and possibly narrated by Phil and Amy. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producers, Liz Stokes, were mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Ramazas, our executive producer is Jennifer Ibin, Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.