Data Security Decoded
Episode: Three Threats Reshaping Financial Services: Identity, Supply Chain, and AI
Date: October 14, 2025
Host: Caleb Tolan (Rubrik)
Guest: Troy Wells (Intelligence Officer for the Americas, FS-ISAC)
Episode Overview
This episode of Data Security Decoded focuses on the evolving threat landscape facing financial institutions, specifically how identity-based attacks, supply chain compromises, and AI-driven threats are reshaping cyber risk management. Host Caleb Tolan sits down with Troy Wells, an experienced intelligence officer with a background in the U.S. Army, FBI Cyber Division, and CISA, to discuss practical strategies for resilience, the unique challenges brought by cloud migration and AI adoption, and the necessity of collaboration in the sector.
Key Discussion Points & Insights
1. Troy Wells' Background and Transition to Financial Services
- [01:36] Troy reflects on his journey from the U.S. Army and FBI to FS-ISAC, highlighting the sector-wide, mission-first mindset and the importance of teamwork and trust.
- Quote:
"The US financial system is, in a way, it's the beating heart of the global financial system. But a heart doesn't survive without the body. It's all interconnected and you can't protect one without... the other." (02:31, Troy Wells)
- Troy emphasizes the critical role of intelligence sharing and collaboration for resilience.
2. Prevention vs. Detection & Response in Cybersecurity
- [03:52] Caleb asks about balancing prevention with detection and response.
- [04:03] Troy uses a fire safety analogy: prevention is like keeping flammables away and teaching kids not to play with matches, but you also need smoke detectors (detection) and fire drills (response).
- Quote:
"Prevention, detection, and response aren't separate. They're complementary. Together, they create resilience, which is ultimately about keeping people safe, protecting critical assets, and maintaining trust in the financial system." (05:28, Troy Wells)
3. The Promise and Peril of AI in Financial Services
- [06:07] Caleb introduces AI as a hotspot in security conversations.
- [06:07-13:14] Troy distinguishes between:
  - AI Models: Like calculators; helpful for those who know how to use them, but dangerous if misapplied.
  - AI Agents: "Like a really smart, motivated, and fast intern helping you out"; they require supervision, frequent checking, and continuous training.
- Opportunities:
  - AI's efficiency for data analysis, triaging alerts, automating low-level tasks.
  - Letting skilled staff focus on higher-order strategy.
- Risks:
  - Manipulation via poisoned data, bias, prompt engineering failures.
  - AI-driven attacks: phishing, recon, rapid exploitation, lowering the skill bar for attackers.
  - Overdependence; need for human judgment and oversight.
- Quote:
"The institutions that succeed in using AI will be those that balance innovation with discipline, making sure AI is used to strengthen—not weaken—the security and resilience of the overall financial system." (13:04, Troy Wells)
- Four Responsible AI Adoption Tips:
  - Treat AI as an augmentation, not a replacement for human judgment.
  - Establish governance early: define data usage, accountability, and validation.
  - Apply rigorous security to AI, as with any critical tech.
  - Let security teams pilot AI tools before broader rollout.
4. Lessons from Threat Actor Behavior in Cloud Migrations
- [13:56] Troy discusses how cloud and multi-cloud environments, while flexible, introduce new risks such as misconfigurations exposing sensitive data.
- Recent high-profile breaches underline the reality of cloud risk—even among well-resourced organizations.
- Best Practices:
  - Strong cloud security posture management (monitoring, automated remediation).
  - Managing data sprawl: classifying/tracking sensitive data, enforcing strict access and retention.
  - Baking resilience into cloud architecture from day one: redundancy, outage simulations, integrated business continuity.
- Quote:
“Cloud risk isn’t hypothetical, it’s very real. It can happen to anyone, even major healthcare or tech companies…” (14:33, Troy Wells)
- Threat Intel Caution:
  - Don't blindly block entire cloud IP ranges; doing so could block legitimate services and self-inflict damage that exceeds the harm posed by attackers.
  - Balance, validate, and contextualize threat intelligence, with human oversight.
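
One way to apply the threat-intel caution above before a feed reaches a firewall; this is an added example, not something from the episode or from FS-ISAC. The dependency inventory, its service names, the /24 breadth threshold, and the RFC 5737 sample addresses are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not real indicators.
# DEPENDENCIES: cloud-hosted services the business relies on (hypothetical names).
DEPENDENCIES = {
    "payments-api": "198.51.100.0/28",
    "saas-hr-portal": "203.0.113.40/32",
}
FEED = ["192.0.2.15", "198.51.100.0/24", "203.0.113.40", "192.0.2.0/20", "not-an-ip"]

MAX_ADDRESSES = 256  # assumed policy: anything broader than a /24 needs a human


def triage(feed, dependencies=DEPENDENCIES, max_addresses=MAX_ADDRESSES):
    """Return {entry: (decision, reason)}; decision is 'block' or 'review'."""
    deps = {name: ipaddress.ip_network(cidr) for name, cidr in dependencies.items()}
    results = {}
    for entry in feed:
        try:
            # strict=False accepts feed entries that have host bits set
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            results[entry] = ("review", "unparseable indicator")
            continue
        hits = sorted(
            name for name, dep in deps.items()
            if net.version == dep.version and net.overlaps(dep)
        )
        if hits:
            results[entry] = ("review", "overlaps dependency: " + ", ".join(hits))
        elif net.num_addresses > max_addresses:
            results[entry] = ("review", f"too broad ({net.num_addresses} addresses)")
        else:
            results[entry] = ("block", "narrow and clear of known dependencies")
    return results


if __name__ == "__main__":
    for indicator, (decision, reason) in triage(FEED).items():
        print(f"{indicator:<18} {decision:<7} {reason}")
```

Entries marked `review` go to an analyst rather than straight to enforcement, which keeps the human oversight the bullet calls for.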
5. The Top Three Emerging Threats for Financial Services
[18:08–22:42]
Troy identifies and elaborates on the three threats he views as most urgent in the next 12–24 months:
a. Identity-based Attacks
- Evolved techniques such as phishing, MFA bypass, and SIM swapping (e.g., Scattered Spider) make detection harder because attackers look like legitimate users.
- “What's emerging about this is how seamless and convincing these identity attacks are becoming.” (18:38, Troy Wells)
- Attackers working at high speed—compromising, exploiting, and switching targets rapidly.
b. Supply Chain & Infrastructure Compromises
- Not new (e.g., SolarWinds), but sophistication is increasing (e.g., the ArcaneDoor campaign).
- Attackers leveraging zero-days, targeting hardware like firewalls, deploying persistent malware, and evading detection at the infrastructure layer.
- “That is an escalation targeting the infrastructure layer itself… for financial institutions that's particularly concerning.” (19:53, Troy Wells)
c. AI-enabled Threats
- AI operationalized for phishing, reconnaissance, and automating attacks—making it easier for less-skilled adversaries to become dangerous.
- “While none of these three threats… came out of nowhere, what's emerging is the speed and sophistication with which they're evolving.” (22:45, Troy Wells)
- Barriers to entry for cybercrime are dropping rapidly.
Notable Quotes & Memorable Moments
- On Collaboration:
"No single bank or institution can defend alone. Resilience comes from collaboration and shared intelligence." (02:25, Troy Wells)
- On AI Models vs. Agents:
"AI agents are more like having a really smart, motivated, and fast intern helping you out—they can do a lot of work quickly, but they're inexperienced." (07:34, Troy Wells)
- On Misplaced Trust in Technology:
"Don't just assume that because it's cloud and it's new… that it also means less due diligence, less attention has to be paid to security." (17:09, Troy Wells)
Important Segment Timestamps
| Timestamp | Topic |
|-----------|-------|
| 01:36 | Troy Wells' background and mission in FS-ISAC |
| 03:52 | Balancing prevention with detection & response |
| 06:07 | AI’s role, risks, and recommendations for financial services |
| 13:56 | Cloud migration: lessons, mishaps, and architecture resilience |
| 18:08 | Top 3 emerging threats: Identity, Supply Chain, AI |
| 22:45 | The increasing speed and sophistication of attacks |
Resources & Where to Learn More
- FS-ISAC: fsisac.com — Reports, threat intel, exercises, and resilience resources for financial sector practitioners.
- For FS-ISAC members, access to Intel X for specialized reports and community threat sharing.
- LinkedIn: Troy Wells is active, sharing public reports and perspectives on current threats.
Tone & Style
This episode featured Troy’s accessible analogies, pragmatic guidance, and a strong emphasis on sector-wide collaboration. The dialogue was candid, occasionally humorous (e.g., “cybersecurity podcast Bingo Card” jokes about AI), but always grounded in practical reality—ideal for practitioners and leaders alike.
Summary Takeaway
Financial services face accelerating risks from increasingly convincing identity attacks, supply chain exploits targeting infrastructure, and the operationalization of AI for both defense and offense. The path forward is resilience through vigilance, collaboration, rigorous processes, and always keeping skilled humans in the loop. As Troy puts it:
"You can't AI away the analysis." (10:48, Troy Wells)
