A
Welcome to the RSAC "Cyber at the Top" podcast, where security leaders across industries share the strategies, hard lessons and real experiences shaping modern cybersecurity. And AI insights are grounded in community and built for every level of professional.
B
One of the things that's always struck me about cybersecurity is this. We're all facing many of the same adversaries, yet we often fight them in isolation. Today's threats move so fast, they adapt quickly and increasingly they leverage automation and AI. No single organization, no matter how sophisticated, should go it alone. In this episode, I am thrilled to be joined by Jenny Mena, Chief Security Officer of Sallie Mae and board member at FS-ISAC. We'll discuss the power of sharing threat intelligence, including how the culture around collaboration has evolved and what truly makes an information sharing community effective. We'll also talk about how to turn shared insights into action and what collective defense needs to look like in the years ahead. Let's get started. Jenny, first, thanks so much for being here. Thanks for being a part of this.
C
Well, thank you for having me. I'm excited about the topic.
B
It's a great topic and I just wanted to start off by asking you to give our audience a little bit of information about your background, an overview of your role.
C
Sure. Well, what I'll refer to as my day job is I'm the Chief Security Officer at Sallie Mae. That means I have the cybersecurity piece as well as physical and executive protection and crisis management. I say that's my day job because I also spend a lot of time at FS-ISAC as a board member. I have been the chair of the intelligence committee of the board, and over the past year we did a CEO search, worked on helping to onboard the new CEO, and are working with her as she develops what our strategy is going forward and how to support her in implementing that new vision.
B
Fantastic. FS-ISAC is such an amazing organization. It's contributed so much well beyond financial services and really has led the ISACs. So I wanted to ask you then, based on that, at a high level, why is sharing threat intelligence so important in today's cybersecurity landscape?
C
I think we need all the help we can get on the defense side because the attackers are so sophisticated, so numerous and so varied. Even before AI, the attackers, the barrier for entry was getting lower. Right. You could buy ransomware as a service. You can buy services on the dark web where it's kind of drag and drop, point and click, and so you don't have to be a technical expert to get into the cybercrime game. You can go out and buy those services. It's just going to get easier and easier to be a cyber attacker with more and more crafted messages, finding more vulnerabilities with AI tools. So from that perspective, we certainly need all the help that we can get to keep up. You know, kind of the bigger geopolitical side, we need to think about systemic resilience. Lots of instability and conflict around the world. Who knows what we'll hear on the drive home has happened around the world. There's potential for hybrid physical and cyber attacks, countries using asymmetric ways of exerting power. So we need to be prepared for everything and we want to help each other.
B
I love your point about how these tools have really enabled the attacker. I can think back almost nostalgically to the time when an attacker had to have both intent and technical competence to be able to do damage. And today it's just intent. And I'm curious around information sharing, threat sharing. How has the culture around information sharing changed in cybersecurity, let's say, over the past decade? And has your own perspective evolved over your career?
C
I think when we first started talking about cyber threat information sharing, it was very much about data. It was IOCs and maybe a little bit of TTPs. Very tactical, and what can I load into my intrusion detection system? And those things still matter. But I think as we've worked together more, we are also sharing information about which third parties that we use might have been compromised, that may not know it themselves, or may know it but haven't told the companies that they work with. We've shared more about how critical really is this vulnerability. Are you seeing it being exploited? Are you seeing attempts on your network? How are you addressing this? And I think the "so what," the "what to do," how to take action within your company, is such an important way that we can share information with each other. Rather than everyone reinventing, trying to figure out how to address a problem, being able to share good ideas so that we can all defend more rapidly.
B
On that topic, I mean, look, you've worked on the front lines of cyber defense. How does real time threat intelligence sharing change the outcome of active threats?
C
You know, it's kind of like internal to your organization. We all want everyone to report a phishing message when they get it. Why do we want them to report it? Because maybe our tool didn't catch it the first time. But if we can block it for everybody else based on your detection, then we can protect the rest of the organization. It's a similar concept across industry. So if one organization says, you know, whether it's, hey, this is an email, hey, this is a kind of attack that I'm seeing, everyone else can be ready to defend against it. We want to be able to do that as quickly as humanly possible because, again, those attacks are coming in so fast.
B
You know, one, I guess a perennial problem is there's some organizations that still hesitate to share threat intelligence. In your view, what holds companies back and how can leaders overcome those barriers?
C
There are some companies that are in industries that do in fact compete on threat intelligence. There is a subset of the cybersecurity market where, you know, one really does have a competitive advantage if they know about something first. For the vast, vast majority of us, we're not competing on cybersecurity. And because we're part of such an interconnected ecosystem in ways that we may not even know about right away, it just doesn't make good sense to hoard information thinking that you have a competitive advantage. I think the other problem is, and I'm married to an attorney, I think some companies either have attorneys that have provided, you know, very strict guidance, or people are afraid in the absence of ever actually having a conversation with an attorney about what they can and can't share. You know, I spent a long time in the federal government working on cybersecurity information sharing with the private sector and still see a lot of conversation about do we need this authority, do we need this extended? There have always been legal authorities in place that allow companies to share cybersecurity threat information with government that do not prevent us from sharing with each other. So I'm not telling anyone not to get good legal advice, but I think there is a lot of fear, uncertainty and doubt that just doesn't really apply in what we would share in protecting against a cyber threat. Whether it's, hey, this is a way that I've configured my email defenses, or this is a bad IP address. This is not personally identifiable information about our customers or our employees. This is not proprietary data. Again, unless you're one of those handful of cybersecurity vendors, this is not something that should be a problem to share. Now, after a breach, if you were dealing with an incident response, obviously there could be additional legal concerns there. But in the day to day defense, I just think there's a lot of misunderstanding.
B
I love how you put that because I've seen so many times where folks go to legal counsel, let's say for the first time, when they're joining a threat sharing organization. Counsel pushes back and says, well, prove to me why we should share this because I want to be on the risk averse side. And I think your guidance of really talking it through with counsel, understanding the reasons, expressing them and the benefit, is super, super important. And I'll come back to FS-ISAC for a second because many people see FS-ISAC among the ISACs as the shining beacon on the hill. The place that collaborates the best, that has the most active network. And you help guide this organization, which is one of the most mature intelligence sharing communities. What makes an information sharing ecosystem like that truly effective?
C
I think it's one word and that's trust. And trust is built over time through personal relationships. It's also built based on structures and rules of behavior. So I'll give you an example. Within FS-ISAC we have something called the Threat Intelligence Committee. And you have to be approved to join the Threat Intelligence Committee as a person, in addition to working for a company. And there are very specific rules of engagement and a traffic light protocol about information. If it's TLP red, you can't share it with your boss or someone who works for you. If it's TLP amber, you can share it with people within your company that have a need to know to take action. And then there are things that you can tell anyone, right, that we might put at a, you know, a green or a white. But having that protocol in place, and if you violate that protocol, you will be voted off the island. And that's kind of one of the core original use cases of FS-ISAC, where things are shared. We share everything with each other. And I'm sure some of those protocols help with counsel and other concerns that people have. That's kind of the base, right? Our bread and butter is this threat intelligence sharing. But we also work together more broadly on response and recovery. If there's a significant campaign we see from a threat actor, a breach of a major vendor, some sort of other problem that affects us as a sector, how do we work together on response and recovery? And then, also building from that, how are we proactive together in security? What does proactive security look like where we're developing and sharing best practices that can be disseminated across our industry? We have some very, very large sophisticated organizations, some of the most sophisticated in the... And then we have the Third Credit Union of Springfield, or wherever the Simpsons takes place. Right. A huge range. So how do we help each other? And even the biggest company might learn from another company.
So again, what does that proactive security of best practices look like? And as we look at FS-ISAC going forward, we've built really solid relationships and engagement. I'm within the United States, right. We have a very solid North American Threat Intelligence Committee. How do we deepen global engagement? Because FS-ISAC is a global organization. We just had our first meeting of all of the boards together, instead of just the US-based global board, also meeting with our peers overseas. So how do we share insights and align responses? You know, everything becomes more interconnected and moves faster. But that's going to be building another circle of trust for us too.
B
That's fantastic. That's actually great to hear. And I wanted to ask you a little bit about the receiving side of threat intelligence. So if you're a Chief Security Officer, Chief Information Security Officer, how can you ensure that the intelligence that you receive from peers actually translates into action inside the organization? You mentioned how this threat intelligence has evolved from just IP addresses and email addresses and URLs to things of more substance in some cases. How do folks translate that into actual actions that might be taken by tools or the teams?
C
So I think it's both. There is a technology component, so there's information that you can ingest. We use an MXDR provider and they receive information from a number of sources and also provide us with excellent threat intelligence for what they're seeing across all of their other customers. So that's another great source that we get coming from that direction, in addition to the horizontal financial sector information we're getting from FS-ISAC. But it's not just about the role of, you know, kind of the tool engineering detection team. It's also about learning what others are doing with, for example, third party risk management. How are people addressing those risks, and getting the folks on that team within your organization talking to other people's teams. You know, there are multiple different examples of that. What are the latest IAM solutions and how to use them to identify potential risks coming from that attack vector? How are people using multi factor authentication? Right. That is now a favorite of bad guys to try to compromise. What are people learning about that? Right? What are best practices? Because what was a best practice today, by next Thursday we might find out has been compromised. Right? And you've got to try something new. So it's really a multi role collaboration. And that's part of the evolution: it's not just the threat intel guys and girls sharing with each other and giggling about the names of all the different intrusion sets that everybody assigns. And there tends to be a bit of navel gazing about, well, is it this subunit of this nation's army? Is it this guy in this criminal syndicate? You know, it is broader. Take this and make meaningful changes, all the way up to, you know, requesting different budget items, all the way up to your board. Right. What does it mean for the risk to the organization? How do I pivot my investments in the short term and the long term based on what we're seeing out there?
B
One of the things I've been so impressed about in the cybersecurity industry in general, and this is from the perch of being the program chair for RSAC conference for, I don't know, 18 years now, is that you can have two companies that are mortal enemies in business by day, but then at the level of the chief information security officer, for example, they're great partners. They call each other on their cell phone and they ask advice and bounce ideas off of them. How should cybersecurity leaders balance competition with collaboration, especially for new cybersecurity leaders, especially within the same industry? Like, what advice would you give them? How would you bring them into this world where cybersecurity really is collaborative?
C
Well, I think it's such a miss if you don't build those collaborative relationships. And if, for whatever reason, you work for a company where you do think cybersecurity is a competitive advantage that you have over somebody else, partner with somebody in another industry that you don't collaborate with or that you don't compete with. I think one of the really interesting things about the RSA Conference is there's the ESAF, that's the CISO day on the Tuesday of the conference. And you get people from across all industries there, from airlines to banks to household name technology companies, sharing with each other. And there is, obviously, that means that there is commonality in what we're all trying to do, lessons that we've learned. Again, whether you're securing an airplane or securing a large retail chain, that are directly applicable. And at those meetings, we are not sharing printouts of IOCs. We're talking about, gee, how are you handling deepfakes of executives that are trying to get your finance office to send wire transfers? We're talking about where should you be investing related to quantum computing in the future? How are you talking to your board about AI? How are you developing AI risk governance within your companies? Because it is moving so fast that we're jogging, sprinting, right, to keep up. So again, I don't see those as competitive things. And again, if you're worried about working with the CISO from the direct competitor across the street, talk to a CISO from another industry, even if you just find somebody to commiserate with about all the stresses in your life. But I think you will find this community is so incredibly helpful if you ask for advice and help. And I think it's human nature that if you go to someone and say, hey, I'd really love your opinion, generally you get that. You're saying, hey, I see expertise in you, and boy, I'm happy to help you if I ever can help you in the future.
And I think across the community, across the sectors, I have never had a kind of negative experience reaching out to a CISO and saying, hey, can we have lunch? I heard you talk on a webinar about what you're doing with your employee awareness training and I thought it was really cool. You will get a lunch date. So don't be shy, and if you run into the one bad apple, know that they're the one bad apple. But the rest of the barrel is pretty good.
B
I love that, and I'm so proud to be a part of this community for exactly what you're talking about, the ethos of wanting to help each other, this common bond of defense and protection, and it's so mission driven. And going back to threat intelligence, we are in the world of AI enabled attacks. We've also seen some of these demonstrations and tools from OpenAI, from Anthropic recently. Looking ahead, how do you see the role of collective intelligence evolving as threats are becoming faster, more sophisticated, especially with these AI enabled attacks?
C
Well, I think we're going to have to use good AI to fight bad AI. So how do we, you know, we're talking at FS-ISAC about how we can leverage AI within the threat intelligence analysis and sharing offerings that are provided across the sector. We are looking within our company, right, continuously looking at what AI enabled tools are out there, what modules are being added to our existing tool suite, because the bad guys are leveraging AI. We already see it, again, whether it's more sophisticated deepfakes, whether it's really good phishing emails that people are getting at home and at work. And it's not hard for these tools to go out and scrub your or my LinkedIn profile and send a note that says, hey, you know, I see you've got this great expertise, I'm hiring for, you know, name of bank, right? Or hey, I'd love to have you come do a podcast for RSA. And it looks a whole lot like it's, you know, it's coming from you, it's coming from me. They've listed, you know, seven different things from my background and why that would be of interest. So, you know, it's just really easy to craft compelling lures without a lot of effort.
B
You're right. I mean, it's gotten to the point where you really do need AI on your side to filter it out. And it feels like the marginal cost to the attacker to create one more personalized email, for example, or en masse, is going to zero. And I've got to ask, if you're talking to a newer chief information security officer or a newer security leader, what practical first steps would you recommend to them to become more engaged in this incredibly rich set of threat intelligence sharing communities?
C
I guess first of all, I would say, what industry are you in? And if you're in an industry that has an ISAC, and I think most do at this point, get involved there, because then you get kind of the lateral view across your whole industry. And we do see attackers tend to target, even within the financial sector, we'll say, hey, insurance is getting hit with this, this week, right? So there are kind of subsectors that certain criminal groups tend to go after. There are obviously sectors that sometimes nation states show an interest in. So you want to get that, you know, what is it about my industry? Obviously some industries have industrial control systems, operational technology, that add a whole different flavor that you want to get plugged into. But I also recommend, you know, that we get involved locally, go to events in whatever city or community you belong to. There are, you know, now I've only been in major cities, but there are some great local communities where you can get together and meet with people. And then go to, you know, I really do find value in going to the big events like RSA, you know, whether it's ESAF, or, if you're an aspiring CISO, you know, the CISO Boot Camp that's offered. Build those relationships, learn, you know, what are people hearing about from the vendor community, right? They're not just scary people that send us more emails than the phishing actors do, right? Wanting to get together with us and sell their powerful tools and, you know, innovative solutions. But they also share what they're seeing from their perspective, and you can learn about what new things are out there. You know, how do we stay ahead of this incredibly sophisticated threat? It's going to have to be through innovation and not just doing the same stuff we've been doing from a tool perspective either. So being a part of that community, talking to the VC folks, I find very valuable for hearing what's coming next to address these threats.
There are some brilliant people out there coming up with innovative new ideas and you want to be plugged into all of it. And again, people want to help each other. You know, we're past Covid, so go have coffee, go have lunch, go have a cocktail or whatever your thing is. You will build more trust with people, you know, than cold calling someone.
B
Absolutely. And you mentioned that trust topic several times, that it's kind of the key to build trust with an individual, a set of individuals, and then they're a resource, both, you know, in the best possible way. Right. A resource to you, you're a resource to them. And let me ask you just on a personal level, what's been the most valuable lesson that you've learned from collaborating with peers across the cybersecurity community?
C
I've had some just incredible success collaborating with others. Right. Taking other people's lessons learned to help myself, to help my team. One example that I can give you that's very recent and kind of tactical is we were getting a series of, and we're not alone, these were very sophisticated phishing emails that were coming through either DocuSign or Box.com legitimate accounts, where a bad guy used their credit card, opened an account, and sends out, you know, phishing messages to company employees. And our email security solution, which will remain nameless, wasn't able to catch them because it's coming from a legitimate account. Right. It doesn't know whether that's the Box.com or DocuSign account of a company that you're entering into a new contract with, or if it's a bad guy with a credit card. And so we had basically quarantined every message coming from those companies and had analysts hand reviewing them. And you can imagine how much fun that was for the analysts. But you can also imagine how much our business partners enjoyed waiting while the queue got cleared. And so, you know, I went out to peers, you know, through my FS-ISAC group chat, and said, hey, what are you guys doing about this? And, you know, there was no brilliant solution other than what we discovered, which is that if you wait for X number of hours, and it wasn't a large number of hours, the vendor will catch up and take out the bad messages for you. So rather than having kind of a day and a half queue for individual analysts to review, it was a couple hours of sitting in quarantine and then it was safe to release. Right. So very tactical information. But I've also done that looking at my security stack. You know, do you need a level three deep of email security vendors, or is two kind of industry standard? How are you addressing this other topic? It has been very helpful, and I'll say, in a previous role, really incredibly helpful.
We had a threat actor who, we found out through intelligence sources, had even hired a project manager to focus on attacking us with a different campaign every day. Every day the actor would pivot and try a different way to get into the organization. And I reached out to my partners through the ISAC, but also to the US government, to technology companies that we worked with, and I got some good information back. But by sharing with one of the technology companies that we used everything we knew about the attacker, even though we were getting it through other sources, we saw the actor pivot. And we actually had a person who was out at Black Hat who had heard that the actor was pivoting, and they called in a cold sweat. And my team had watched the bad emails come right through our defenses, but then vanish before they went to the recipients. And that was because my friend at MSTIC at Microsoft had all the information and had successfully gotten rid of the bad messages, not just for us, but for some of their other customers. So I don't know if it's a no-no to mention a company, but they really saved my bacon. My boss was out of the country for an extended period for a family wedding, and it would have been really bad if we had gone down from ransomware or some other impact from this bad actor because we hadn't gone out and asked for help from everybody. So a great success story.
B
Oh my gosh, I love that story. Because it's not just you that's benefiting. You've actually helped probably countless people behind the scenes.
C
Yep. They were able to protect all of their customers.
B
And I guess it is a bit of a compliment if you get your own project manager going after you.
C
Yes, probably. You know, you know you've made it, but maybe you don't want to have made it when they assign a PM to, you know, go after your company. It was hard to believe, but it shows you how sophisticated and motivated these threat actors are.
B
Oh, and organized. Wow.
C
Yeah.
B
That's amazing. Jenny, thanks so much for sharing this with us. You know, this is such an important topic, especially, you know, for those folks that are thinking about entering the security space, for example, and they don't have experience. I don't think it's intuitive how important this culture of threat intelligence sharing and the building of relationships really, really is to being successful. And I think you really underscored that and brought it to life with these stories. So thank you so much. Thanks for being a part of this. I really appreciate it. And to our listeners, please keep the conversation going in our RSAC membership platform by visiting onersac.com/membership, and be sure to check onersac.com for new content posted year round. Jenny, thanks again.
Date: June 26, 2026
Guests: Jenny Mena, Chief Security Officer, Sallie Mae; board member, FS-ISAC
This episode of the RSAC “Cyber at the Top” podcast explores the critical importance of sharing threat intelligence within the cybersecurity community. Host B interviews Jenny Mena, an executive leader in both the private sector and the Financial Services Information Sharing and Analysis Center (FS-ISAC). The discussion ranges from the evolution of threat sharing culture to the practical realities of collaboration, legal concerns, actionable intelligence, and the rising role of AI—ultimately making a case that no single organization can “go it alone” in today's threat landscape.
"Even before AI, the attackers, the barrier for entry was getting lower... It's just going to get easier and easier to be a cyber attacker with more and more crafted messages, finding more vulnerabilities with AI tools. So from that perspective, we certainly need all the help that we can get to keep up..." – Jenny Mena
"Rather than everyone reinventing, trying to figure out how to address a problem, being able to share good ideas so that we can all defend more rapidly." – Jenny Mena
"There have always been legal authorities in place that allow companies to share cybersecurity threat information with government that do not prevent us from sharing with each other." – Jenny Mena
"I think it's one word and that's trust. And trust is built over time through personal relationships. It's also built based on structures and rules of behavior." – Jenny Mena
"I think it's such a miss if you don't build those collaborative relationships... I have never had a negative experience reaching out to a CISO and saying, hey, can we have lunch?... You will get a lunch date." – Jenny Mena
"Well, I think we're going to have to use good AI to fight bad AI. So how do we...leverage AI within the threat intelligence analysis and sharing offerings that are provided across the sector?" – Jenny Mena
"...we're past Covid, so go have coffee, go have lunch, go have a cocktail or whatever your thing is, you will build more trust with people, you know, than cold calling someone." – Jenny Mena
"My team had watched the bad emails come right through our defenses, but then vanished before they went to the recipients. And that was because my friend at MSTIC at Microsoft had all the information and had successfully gotten rid of the bad messages, not just for us, but for some of their other customers. So...they really saved my bacon." – Jenny Mena
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 02:47 | Jenny | "It's just going to get easier and easier to be a cyber attacker with more and more crafted messages, finding more vulnerabilities ..." |
| 04:37 | Jenny | "Rather than everyone reinventing, trying to figure out how to address a problem, being able to share good ideas so that we can all defend more rapidly." |
| 06:52 | Jenny | "There have always been legal authorities in place that allow companies to share cybersecurity threat information... So...there is a lot of fear, uncertainty and doubt that just doesn't really apply in what we would share in protecting against a cyber threat." |
| 10:01 | Jenny | "I think it's one word and that's trust. And trust is built over time through personal relationships. It's also built based on structures and rules of behavior." |
| 16:51 | Jenny | "I have never had a negative experience reaching out to a CISO and saying, hey, can we have lunch?... You will get a lunch date." |
| 20:32 | Jenny | "We're going to have to use good AI to fight bad AI..." |
| 22:30 | Jenny | "...go have coffee, go have lunch, go have a cocktail... you will build more trust with people you know, than cold calling someone." |
| 27:10 | Jenny | "...my friend at MSTIC at Microsoft had all the information and had successfully gotten rid of the bad messages, not just for us, but for some of their other customers. So...they really saved my bacon." |
This conversation highlights the mission-driven, resilient spirit of the cyber defense community—reminding us all that, as threats evolve, so must our willingness to “defend together.”