Data Security Decoded – "Securing the Software Supply Chain"
Host: Caleb Tolan (Rubrik Zero Labs)
Guest: Allison Wyckoff, Director of Global Threat Intelligence, PwC
Date: June 24, 2025
Episode Overview
This episode explores the urgent topic of securing the software supply chain amidst rising attacks exploiting both new and legacy vulnerabilities. Host Caleb Tolan sits down with Allison Wyckoff, a seasoned expert from PwC, to dissect recent threat trends, the evolving role of generative AI in cyberattacks, and actionable defense strategies—especially for organizations without large security teams or budgets. The conversation is grounded, practical, and dotted with candid insights and real-world advice.
Key Discussion Points & Insights
Allison’s Cybersecurity Path & Motivation
- Started with business degrees, moved into security through an internship ([01:58])
- Twenty-plus years in the field, staying motivated by the constant change and challenge
- “I am inherently very curious, or nosy, you could say, which makes for usually a pretty decent analyst.” – Allison ([01:58])
- Values the dynamic, mission-driven threat intelligence community
Retail Attacks & Supply Chain Spotlight
- Current wave of retail-sector attacks underscores the importance of supply chain security
- Not just about protecting the organization—requires awareness of upstream and downstream relationships ([03:08])
- Importance of multifactor authentication (MFA) and thorough employee verification
- Effective defense isn’t about a magic tool but a “multifaceted” approach rooted in specific, ongoing training ([03:08])
- Notable shift in applying know your customer (KYC) style validation to employee interactions
Generative AI: Threat & Opportunity
State of AI in Cybersecurity ([05:01]–[07:23])
- “We’re really in the beginning stages of what, like, the art of the possible is with AI in terms of network defense.”
- Threat actors are adopting AI, but no “massive revolution” yet; main uses so far:
- Polishing phishing emails (the days of tell-tale poor grammar are ending)
- Assisting with code—evident in malware comments
- Creating AI-generated images for social engineering (since 2021-22)
- Attackers, like defenders, use AI mainly to automate mundane tasks
- “It’s always the path of least resistance that threat actors are going to take.” – Allison ([05:01])
- Key takeaway: Current AI-related risks are often overhyped; organizations should track real developments but not panic
Near-Term Defensive Advice
- Understand how AI tools are being leveraged—in both security operations and by adversaries ([07:23])
- Stay vigilant, as the landscape may shift significantly in coming years
Light Moment: Florida Vacation Hotspots ([08:19])
- Allison gives a classic “threat intelligence answer”: It depends
- Options: theme parks, beaches on any coast, Everglades, and unique cold-water springs (“meaning there’s usually not alligators in them”)
- Adds a personal touch and lightens the mood before returning to deep security topics
Attacks on Old Vulnerabilities: A Surprising Trend ([09:45])
- PwC’s recent "Year in Retrospect" report saw a jump in exploitation of known (not just zero-day) vulnerabilities
- Shift: Now both espionage and criminal actors routinely use old vulnerabilities for initial access ([09:45])
- “The use of vulnerabilities honestly surprised us in terms of being a dominant way that threat actors were getting into organizations.” – Allison ([09:45])
- Possible cause: better user training against phishing and improved MFA, making vulnerabilities more attractive to attackers
- Practical reality: “You can’t patch all [vulnerabilities]; it’s just not possible.”
- Advice:
- Prioritize patching for edge devices (VPNs, WAPs, remote access points) and high-severity vulnerabilities
- True vulnerability management requires deep understanding of your own network
- Log4J is cited as a vivid example of a ubiquitous, hard-to-find vulnerability ([12:25])
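To make the prioritization advice above concrete, here is an added example (not from the episode or PwC): a small scorer that ranks findings the way Allison describes, putting known-exploited bugs on edge devices first and accepting that only a fixed budget of patches will be applied. The weights, the `Finding` layout and the inventory with placeholder CVE ids are all constructed assumptions.

```python
# Added example (not from the episode): toy patch-prioritization scorer.
# Encodes the guidance: edge devices and known-exploited bugs first; you
# cannot patch everything, so only the top `budget` findings are chosen.
from dataclasses import dataclass

EDGE_ROLES = {"vpn", "wap", "remote_access"}  # edge classes named in the episode

@dataclass(frozen=True)
class Finding:
    asset: str
    role: str              # e.g. "vpn", "wap", "remote_access", "workstation"
    cve: str               # placeholder identifiers below are constructed
    cvss: float            # 0.0 to 10.0
    known_exploited: bool  # observed in use by attackers (KEV-style flag)

def priority(f: Finding) -> float:
    """Higher is more urgent. Weights are an assumption, not from the episode."""
    score = f.cvss
    if f.role in EDGE_ROLES:
        score += 5.0       # internet-facing edge device: the initial-access path
    if f.known_exploited:
        score += 4.0       # an old but exploited bug beats theoretical severity
    return score

def rank(findings, budget: int):
    """Return the `budget` most urgent findings; the rest is accepted risk for now."""
    return sorted(findings, key=priority, reverse=True)[:budget]

# Constructed inventory with placeholder CVE ids (not real advisories)
SAMPLE = [
    Finding("vpn-gw-01", "vpn", "CVE-0000-0001", 7.5, True),
    Finding("ws-042", "workstation", "CVE-0000-0002", 9.8, False),
    Finding("wap-lobby", "wap", "CVE-0000-0003", 6.1, False),
    Finding("fileserver", "server", "CVE-0000-0004", 5.3, True),
]

if __name__ == "__main__":
    # The exposed VPN with a known-exploited flaw outranks the 9.8 workstation bug.
    for f in rank(SAMPLE, budget=2):
        print(f"{priority(f):5.1f}  {f.asset:12}  {f.cve}")
```

Note that the exposure weighting deliberately pushes a medium-severity edge-device bug above a critical workstation bug, which is the "understand your own network" point rather than a pure CVSS sort.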
Software Supply Chain: Managing Third-Party Risk ([12:52])
- First, truly understand all your vendors and the access or services they provide
- “Third party is this really overarching term.” – Allison ([13:10])
- Organizations should know who can access what systems, identify exposure points, and plan for supplier outages
- Increasing trend among clients to develop secondary suppliers to mitigate operational risks
Building Cyber Resilience: Closing Guidance ([14:08])
- Step back from the “insane” pace of headline-chasing in threat intelligence
- Build your organization’s unique threat profile: “What do you have that threat actors are interested in?”
- Use partners and vendors to supplement your security knowledge and capabilities
- Focus on defending against threats most relevant to your org instead of trying to “whack a mole” every new headline
- “If you can defend against those, you’re in pretty good shape.” – Allison ([14:08])
Notable Quotes with Timestamps
- On why vulnerabilities remain a top attack vector: “The use of vulnerabilities honestly surprised us in terms of being a dominant way that threat actors were getting into organizations… What I can tell you is everyone’s using it now.” – Allison Wyckoff ([00:00], reiterated at [09:45])
- On generative AI threats: “It’s always the path of least resistance that threat actors are going to take.” – Allison Wyckoff ([05:01])
- On prioritizing security efforts: “You can’t patch all of them. It’s just not possible… You’ve got to pick your challenges or pick your battles, right.” – Allison Wyckoff ([09:45])
- On defending your business: “The news cycle is so insane... if you don’t understand your threat profile, you’re going to drive yourself insane trying to whack a mole... Step one is really, like, what do you have that threat actors are interested in?... And if you can defend against those, you’re in pretty good shape.” – Allison Wyckoff ([14:08])
Important Segment Timestamps
| Segment | Timestamp |
|---|---|
| Allison’s Background | [01:58]–[02:40] |
| Retail Attacks & Supply Chain | [03:08]–[04:30] |
| Generative AI Trends | [05:01]–[07:23] |
| Florida Hot Take | [08:19]–[09:12] |
| Vulnerabilities & Patch Priorities | [09:45]–[12:25] |
| Managing Third Party/Supply Chain Risk | [12:52]–[13:57] |
| Building a Threat Profile & Takeaways | [14:08]–[15:05] |
Summary
Allison Wyckoff offers hard-earned, field-tested guidance that is within reach of any organization, emphasizing basics over buzzwords, real risk over media hype, and partnership over lone-wolf defenses. Whether you’re worried about the next Log4J or just keeping up with MFA, the episode provides actionable takeaways to help any security team (large or small) bolster its cyber resilience and stay a step ahead in the ever-shifting landscape of software supply chain security.
