
A
You're listening to the Cyberwire Network, powered by N2K. We were only seeing about 24% of people significantly investing in proactive security measures versus reactionary. And so what that means is when you think about proactive measures, it's monitoring, consistent validation, putting protections in place, things that would stop the adversary from initially getting into a network. But if you're constantly preparing for a bad day and not trying to stop it from ever happening, you're just kind of assuming that you're going to be a victim.
B
Hello and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolan, and if this is your first time joining us, welcome to the show. Make sure you hit that subscribe button so you're notified when we drop new episodes. And if you're already a subscriber, thanks for coming back. We encourage you to give us a rating. Drop a comment below, let us know what you think about the show. This really helps us reach more listeners like you who are eager to learn more about reducing risk across their business and make sure the content that we're developing for you is really, really valuable. Now, in this episode, I had the pleasure of sitting down with Morgan Adamski, a senior cybersecurity leader with extensive experience across the NSA and the US Cyber Command. Morgan is currently at PwC where we got to explore some of the interesting findings in their new report, the 2026 Global Digital Trust and Insights Report. Let's get into it. Well, Morgan, thank you so much for joining us on the Data Security Decoded podcast. So excited to have this conversation with you today. Before we dive into the meat of the conversation, I'd love to get a sense of what you're obsessed with that has nothing to do with cyber. I'll start first. The thing that I'm obsessed with recently is a show on Netflix. I just binged the whole thing. It's called Boots. It is, I think, set in the late 80s, early 90s. It's about a set of Marine recruits that are going into the Marines and going through boot camp. And it follows this one very specific kind of nontraditional recruit and his experience. And I found it to be a really, really cool story and I really enjoyed it. So that's the thing that I'll say I'm obsessed with now. How about you?
A
No, that's awesome. I've seen that series. I haven't been able to watch it yet. So after I watch it, I may come back and we'll have to talk about it separately. So for me, kind of celebrating a bit of a big birthday this year. And so around this specific birthday. Thank you. And just kind of reflecting on the past year, to be honest with you. Transitioning out of the US government after spending 16 years there. I was in national security, and I've been interested in it since high school. And so it's literally everything and anything that I've done, having spent, you know, 10, 11, 12 hours a day in a secure facility, not having access to my phone. And so right now, I'm just kind of trying to live. Learn to live my life on the outside. You know, just being able to have sunlight and windows and being able to access different technologies and be able to walk into a kitchen and have lunch, that I have direct access to my house. It just. Everything's fascinating to me. I feel a little bit out of my element and learning to walk again for the most part, but also, you know, spending a lot of time with family. I have kids, so, you know, Googling six, seven, what that means. That's a big thing. As well as learning about Labubus. And so just a lot of that type of stuff is kind of what I'm obsessed with outside of cyber life.
B
You know, the 6, 7 thing is something that just came up at dinner with my team. We were chatting about that last night. This is new to me, so if you want to educate me and our audience. What is six, seven? I do know what Labubus are, and hopefully everyone listening. I'm sure everybody knows what Labubus are. But what is the 6, 7 thing?
A
You know, it's something, as I've learned, it's kind of a meme for, like, so. So it was a play. So that's how I've learned what it means. If someone has a better definition, I'm happy to be educated. But we did like a whole trunk or treat around 6, 7, just because all the kids are really, really fascinated with it. So just learning my new terminology.
B
Wow. Well, if anybody else has a different definition of it, drop it in the comments, let us know. This is. This is something you can educate us on.
A
But it was like the word of the year in the Urban Dictionary. Yeah.
B
Wow. Wow.
A
I think I saw that somewhere and I was like, oh, I really need to get educated quick.
B
New York Times is going to have to figure out how to get into the Wordle or something. Yes, I swear. I swear.
A
Yeah.
B
Awesome. Awesome. Well, I love it. Thank you so much. I will say the first time I heard you speak was at CYBERWARCON in 2023. And at the time I believe you were at NSA, not quite US Cyber Command yet, but you were talking a lot about China pre-positioning in US critical infrastructure, not necessarily for espionage or intelligence gathering, but really pre-positioning for some type of larger scale conflict. They were compiling a list of zero days and living off the land, escalating their privileges over time. Now it's very interesting to think about that conversation that we were having, you know, about two years ago. And those themes are really, really relevant today, especially with groups like Scattered Spider that we're hearing with kind of similar tactics at a high level, but aren't, you know, connected to the nation state of China. But those themes are coming up more and more. So from your vantage point, what progress has been made since that talk that you gave in 2023 and what can organizations do to prepare themselves for attacks like this?
A
Yeah, that was one of my most favorite talks because I was just so passionate about the fact that we have a threat, we know what they're doing, we can see them and we need to work together to be able to stop them. And I think it was very passionate. I was, I was there to rally the troops and a lot of people stepped up to the cause. So from a progress perspective, I think one of the biggest things that happened around talking about those China based actors pre-positioning in US critical infrastructure is it really brought a national level conversation across multiple sectors, across multiple companies. And it wasn't just about cyber. Right. It was about geopolitical risk and the fact that these actors wanted to be in these systems and these networks to cause societal panic at a time of their choosing, most likely connected to a potential conflict between US and Taiwan. And we wanted people to recognize like, people are like, oh, why is this new? We thought they were in critical infrastructure anyway. Be like, no, like the scope and scale of their operations is extensive. The fact that they're not only pre-positioning in US critical infrastructure, but also in telecommunications networks and conducting espionage, the fact that they're doing information operations, it is every different pillar of type of offensive operations that we care about. It's across every industry that you can name and in critical services that we all depend on every given day. So that national level attention was really important. I think. Second, the fact that the reason that we found them and knew what they were doing and were able to work together to be able to detect that activity, because the public sector and the private sector brought together critical parts of that information. We knew about intent or we knew about the actors or specifically what they were trying to accomplish. And then we had industry who had insights into the infrastructure that they were using.
And we had victims come forward and say, hey, I see these type of actors in my networks, I'm being able to detect them. And here's what I'm learning about what they're doing in my networks. And people were sharing it with each other so that other people could find it as well. And I think that collective defense and everyone working together is where I've seen a lot of progress happen over the last couple years because we're continuing looking to track, detect it and protect ourselves against it. And we also saw a lot of the public announcements from the US Government on how they were disrupting the infrastructure. Right. And how they're naming the personas. And that's a really big thing as well, because we're taking down the critical components that they rely on to be successful. The part where I think we could probably continue to do well is maybe we're not talking about as often or as much as we used to. So what I don't want people necessarily to think is, oh, maybe this isn't occurring anymore, or this is an activity they don't think is interesting. Oh no, it's still occurring. Right. This is part of a national strategy. And so we, we've got to continually talk about it, think about it, adapt to how the adversary potentially is kind of changing their tactics. And we have to work together, we have to share that information amongst each other. And so I think those are things that I see as progress and things need to keep to work on. When you talk about things like Scattered Spider, like, to be honest with you, living off the land is not a new technique. Right. That's not something that people do. Social engineering, social phishing, trying to, trying to imitate legitimate users. These are all things that work. We don't see adversaries having to use malware anywhere anymore as much like being able to be detected. So they're getting creative and they're adapting to how cyber defenders are being able to find them.
And so Scattered Spider's just leveraging what works. And so it's a great, you know, they're building on that business model. And so I think those are kind of things. I wouldn't say they're mimicking national nation state actors, but they are using what works and so are nation state actors. And so. So unfortunately they're continuing to be successful.
B
Right, right, absolutely. And something you said at the beginning of that about how what China is doing is, it's not necessarily just related to cyber. There was a really great interview, you know, at the time of recording this, this was a couple weeks ago. There's a really great interview on 60 Minutes about China pre-positioning in US critical infrastructure from a cyber perspective. And so I think it's really interesting to see how this conversation is starting to become a little bit more mainstream. And, you know, we had a podcast with Nicole Perlroth, To Catch a Thief. Great series that really tells the entire story from, in a really beautiful and understandable way, all about this story as well. So it's really interesting to see it kind of start to make its way more into the mainstream. And people, you know, who aren't in the threat intelligence community or in cybersecurity roles in the private sector, more people are becoming familiar with it. So we got to keep talking about it. Definitely, I agree with you. There's.
A
Yep, absolutely. I think that's a really critical component.
B
Right, Absolutely. So shifting gears to your current gig now you're at PwC. You are leading cyber data and tech risk, and you recently released a report. It is the PwC 2026 digital or global Digital Trust Insights report. And I'd love to drill into some of the insights from that report. I think we'll spend a decent amount of time talking about that. And I know we were just talking about geopolitics. It is a huge theme throughout the report. One of the results that stood out to me was it says 60% of business and tech leaders are reacting to the geopolitical landscape by making cyber risk investment one of their top three strategic priorities for the year ahead. What was surprising to you about where folks are investing from a proactive versus reactive perspective?
A
Yeah, I think one of the surprising things is that we were only seeing about 24% of people significantly investing in proactive security measures versus reactionary. And so what that means is when you think about proactive measures, it's monitoring, consistent validation, putting protections in place, things that would stop the adversary from initially getting into a network. And we saw a stronger investment in things like recovery and liability and having legal services on hand, which is great as well. You need all of those things. But if you're constantly preparing for a bad day and not trying to stop it from ever happening, you're just kind of assuming that you're going to be a victim.
B
And.
A
And while that's hard sometimes to avoid, in the cyber arena, we have to have a balance in both. Right. You should be investing in those proactive measures as well as those reactionary things, and you should constantly be looking at those investments and saying, okay, do I have the right balance? Am I prepared in the right way? Have I thought through the playbook A lot to think about, okay, what are all the things that I might need to have in place in case one of these things happen? And do I have all the right contacts and people aware of what, what their role and responsibilities is? In fact, that does occur. And so I think that's really important. But here's three strategies that I'd probably talk about a little bit more as people think through what they should be investing in. So build in all of those foundational proactive measures that I was talking about, right? Zero trust, having exposure management and patching. I know there's so much patch fatigue out there, but you got to continue to think about patching and prioritizing where you're putting all of those resources against and are there best ways to prioritize how you're managing your patch management system, which really should be relying on, quite honestly, threat intelligence. I'm a huge supporter of threat intelligence, but if you know what adversaries are looking to try to accomplish and what they're exploiting, it helps you figure out what you need to patch first and then also segmentation and third party controls. We really talk a lot about the fact that there's a lot of third party risk and you got to think about those dependencies and potentially what risk you're taking on and how you're going to manage that and how you're going to hold them accountable to ensure that their security measures are up to par with what you're expecting.
Second, I think that you got to be ready to move fast, you got to be agile, you got to be the fact that if you do have a bad day, how do you have things like AI and automation in place that will enable you to be able to deal with that crisis management and any type of breach faster than before. We've seen that it's shortened the breach life cycle. So AI and automation has shortened the breach life cycle to less than 80 days, which is really good because it's usually much more significantly multiple months in the past. And so when people have those type of things in place, it's allowed them to kind of not have to spend a lot of time doing the rudimentary day one type work. They can pull the data together very quickly. And lastly, I think this is the most important part that you just talked about, right? Making resilience the outcome and making the board the owner. And what that really means is that this isn't just a CISO cyber problem. Everyone needs to fundamentally understand at the C suite board level that their dependencies in the fact that investing in cybersecurity protects their overall business risk and operations. And so I think that's going to be critically important for everyone to kind of have an understanding of.
B
Right? Absolutely. And another interesting finding that stood out, and you kind of referred to it at the start of your response to that last question was that 39% reported that they're looking at changing their cyber insurance policies. So are most organizations that you're working with looking at increasing those. The coverage with cyber insurers? Are they decreasing it? What does that kind of really say about how organizations are looking at cyber insurance and measuring that against their risk?
A
I think one of the most valuable things that organizations are doing when they look at cyber insurance is they're not necessarily looking at it as a financial product. They're looking at it more as a way to assess their overall hygiene. Right. I think that's really critically important because of the fact that they can say, okay, overall, how do I look? How am I doing? How do I test? Do I have all the right security controls in place? Because from an underwriting perspective, they're going to want to make sure that they all exist and they're running and they're functioning the right way. So cyber assurance almost gives them kind of that rapport. Work hard. Does this make sense? So people are looking to invest more in cyber insurance and, and you know, we had 4 out of 10 companies looking at geopolitical politics and the volatility in that environment and saying, hey, we need to better assess and evaluate our cyber insurance policy to make sure we have all the right controls and things in place. And those people that are going through a bad cyber breach or risk or they've gone through it, they're going back and relooking at their policies as well and trying to make sure they have all the right things in place and maybe taking some lessons learned.
B
Right. That's a really interesting perspective of how organizations are leveraging those policies to kind of build that scorecard, if you will. I hadn't really thought about it in that way, so that's really interesting. And another thing that the report pointed out was the top priorities for CISOs, and those were labeled as threat hunting, agentic AI, event detection, and behavioral analytics. I don't think that that would probably come to any of our listeners as a surprise. Those are very hot button issues. But based off of the work that you're doing with PwC clients that are looking at these areas as strategic investments or that they have been doing that for a long time. Maybe not so much with the agentic AI piece, but you know, the threat hunting and event detection and behavioral analytics, the organizations that are doing really well in these areas. What stands out in terms of how they're deploying these things?
A
Yeah, so threat hunting is the top AI enabled capability for all security professionals. That shouldn't shock anyone. And nearly half of all security professionals are ranking as their top priority, which I think is really important. But what we're seeing is that clients leading in this space are using AI agents to augment their SOC analysts. Right. They're using it to make them more efficient and more effective. And I think that's really important. There's a lot of discussion around will agent AI or will an AI agent replace me? And the facts of the matter is that's not where we're at right now. Right now we're trying to create capability to allow cyber defenders to deal with their daily workload, which is always significant as much as possible. Right. To help them do their analytics. But we always. And I was on a panel last week where I talked about the importance of having governance frameworks and guardrails and humans in the loop all involved in how we're leveraging AI for cyber defense. Because we just need to validate some of the findings and the information that we see. Because quite honestly, you've got to pair a lot of different data sets and cyber defenders are just really well positioned at times to be able to say that doesn't look right. I see an anomaly. I see something that doesn't make sense. Adversaries are adapting. We talked about the fact that living off the land, they are literally acting as legitimate users. They look like everybody want everyone else. And so sometimes it just takes a cyber analyst, a net defender, a SOC analyst to be able to come in and say, okay, this is all the data is what it's telling me. But what am I missing? What do I not? What am I not thinking about this pattern of life that this individual is potentially doing? Are they accessing networks they shouldn't have access to? And that's going to be really important. So I think that's where we see clients leading, is how do we use it to augment our daily lives? 
How do we enable us to move faster and be more efficient? But then how do we also validate it from a human perspective?
B
Right, absolutely. That, that governance and observability element with agents is something that I think is very top of mind for many of our listeners and really everyone in the market. And, you know, interesting point that you made on how, you know, SOCs are deploying AI agents. We had a really great conversation with Grant Oviatt. This was, I believe it was over the summer. He's over at Prophet Security, and that is what they specialize in and they're building out a product there. So if any of our listeners haven't heard that episode, I definitely recommend you check it out because we dive into that topic very specifically there. Another point that stood out to me while I was reviewing the report was your respondents had very little confidence in their ability to withstand cyber attacks targeting specific vulnerabilities, especially given what we were talking about at the top of the call in terms of geopolitics and, and these sophisticated threat actors paint a picture of what that means. This, this lack of confidence.
A
Yeah, I think it's just gaining a better understanding and appreciation for how interconnected so many systems are. Right. And the fact of the matter is, is that we've been building technology on technology and networks for decades. And so there's consistent vulnerabilities and risks associated with legacy systems, supply chain dependencies and authentication controls. I mean, those are the three main areas that we think about, things that we need to protect against. When you think about legacy systems, Right. Significant vulnerabilities constantly patching. The fact of the matter is, is that a lot of clients are struggling to figure out, okay, what's connected to my network, what. What have I assumed from a tet deb. Responsibility. Effective. How, you know, what are all the end points? What's the. What's my perimeter defense? I've got to think through all of these different types of components and I have to have, to your point, visibility into where all of that potential risk is. And I think people are still struggling to think about that, and it kind of makes them nervous. From a vulnerability perspective, very few people are going to come out and say, I know all the things I can protect against everything. I understand every threat that's coming at me every single day, and I have full visibility and I can, I can deal with that. And so I think it's great for people to come out. It's actually kind of a little bit encouraging for people to say, okay, I don't know what I don't know. And so therefore I have to prepare for the worst. From a vulnerability perspective, the supply dependencies is really fascinating just because I think people, when they saw various crisis and conflicts over the last two years just saw how impactful that geopolitical volatility can be on getting critical components, on trying to make sure that they have resiliency and redundancy and communication set up when you talk about the telecommunications sector for their clients. 
And so having to map out all of those dependencies, I think is a really interesting conversation for a lot of people these days that if A, B or C scenario occurred across the world, how would it impact them from a business operations perspective? Because while people think about it, I think a lot of people experienced a lot of different types of scenarios over the last couple years that maybe said, okay, we need to think about this a little bit differently, which is really important too. And the authentication controls is similar. Right. I just. Adversaries are constantly evolving to what we're doing and how we're operating in the cyberspace domain. You think about the discussion that happens around North Korean IT workers, right? How they are being creative and the fact of the matter is, and how they're being, you know, hired into high profile companies, they're being able to operate, they're generating that revenue to take back to the regime. It is, they're just being creative. And the fact of the matter is a lot of those opportunities came because a lot of people moved. Workplace flexibilities, bring your own device type capabilities. And so as our adversaries continue to adapt, we've got to be more creative when we think about, okay, how are we going to do authentication controls in person verification. But you know what's going to make that so much more complicated? AI agents. Right. And so authentication of AI agents is going to be a fascinating thing as we move forward. If you're going to enable them to be able to, to certain, do certain functions from a business operations perspective.
B
Right, right. No shortage of, you know, threat vectors to kind of think about these days. So Morgan, thank you for joining us. Where can folks find you and learn more about the incredible work that you're doing?
A
Yeah, so obviously I am on LinkedIn if you want to find me personally, we post a lot of pieces but if you go to our pwc.com, we have a lot of great thought leadership pieces that have been coming out both on agentic AI, just recently published our forecast for 2026 which is all the issues and topics I think that will still continue into 2026 but also future topics like quantum and 6G and so you can follow us there and of course just reach out. You know, we've got a lot of expertise and insight at PwC that we can tap into to just help people clients think about the problem a little bit differently.
B
Wonderful. We'll link to all of those resources in the show notes for our listeners to check out too. Morgan, thank you again for joining us and look forward to having another conversation soon.
A
Thanks, Caleb. Really appreciate it.
Date: December 2, 2025
Host: Caleb Tolan (B)
Guest: Morgan Adamski (A), Senior Cybersecurity Leader, PwC
This episode delves into the top data security priorities for CISOs, the evolving threat landscape, and the findings from PwC’s 2026 Global Digital Trust and Insights Report. With her extensive background at the NSA and US Cyber Command, Morgan Adamski shares practical strategies for mitigating risk, the importance of collective defense, the intersection of geopolitics and cyber investment, and how organizations are deploying AI to defend against increasingly sophisticated attacks.
Conversational and candid, yet pragmatic and grounded in real-world experience. Both host and guest use relatable analogies and foster an open acknowledgment of the persistent challenges in cybersecurity—never shying away from the complexity, but always focusing on teamwork, continuous improvement, and tangible advice.
This episode is richly packed with practical takeaways for security leaders, policy makers, and practitioners seeking to fortify both their posture and their organization's digital trust in a volatile geopolitical age.