A (3:55)

say the White House saying it's false that he won't move forward. Well, no, this is like we've, we've seen this where we're here. He has not moved forward. So to see if they are still going to push him as the nominee is something that we're following. But he, yeah, hey, I really think that that is the takeaway for our audience is the people that we are tapped into say, sure, 99.9. Like we can't say definitively because we're, we're, we're, we're not mind readers. We don't have a huge crystal ball. But this looks to be pretty doa.

C (4:28)

It does. And, you know, there's some, you know, paperwork deadline. I don't have the data off the top of my head, but. But there is. It's coming up where they will have to resubmit his nomination. I think it's probably at the end of the year. And if they don't, we're going to be looking at a different nominee. What's interesting about, you know, obviously within the cyber community. Community, Sean, plenty's very well regarded. There were some Democrats who voted against him. They didn't like some of the things he said at committee hearings about election security and some other things. So it's not like he's universally well regarded, but he's pretty well regarded by most people. And I don't know who they're going to pick next. That's another thing I'll be asking about if they do end up. Not if they end up officially saying he's not our guy.

A (5:04)

So okay with that. The other Capitol Hill thing. More policy than people. The NDAA dropped this week. I believe as of this recording, it has passed the House. It's pretty close to being the law of the land. Everything will shake out there. And of course, there are some cyber goodies in there. So talk to us about those goodies.

C (5:24)

I really do use the word goodies a lot for something.

A (5:27)

I just think it's perfect for when we talk about this particular one.

C (5:30)

Yeah, we're cyber people and we're like, what's. What can we grab out of the bag? You know, and there is. There's some significant stuff in there. You know, the NDAA being the one real thing that moves every single year means that it's often actually the best thing for anything to happen in Congress that's related to cyber. And there are a few things in here that are pretty notable. You know, there's the usual stuff about dual hats and whether they'll allow the cyber command leader to be split from the NSA leader. There's stuff like that that's kind of always circulating and percolating. Some of the new stuff is related to signalgate and essentially putting a mandate that there are secure phones, meaning set cybersecurity criteria by all the senior leaders of the Defense Department. Anybody working on sensitive national security missions, which is obviously something you have to think about how many phones that might be if you start doing that with the Department of Defense, because a lot of what they do is sensitive. But that was kind of a big deal. There was another thing that I was interested in, mental health in the cyber Community is something that obviously cybersecurity's covered over the years. And a. It's a big topic in our, in our field of people burning out and the long hours and the stress involved. There's some language in there mandating that if you work for Cyber Command or Cyber Mission Force, you're going to have access to mental health. Those mental health experts are going to have the proper security clearances. Those were a couple things that we. That jumped out at me, but there were several more.

B (6:46)

Sure.

A (6:46)

What else? Let's give people the, the exclusives.

C (6:50)

Another one. You know, this one was a little bit on the lighter side. Not when I say lighter, I don't mean lighter as a, as a subject matter, but lighter as far as what it actually mandates.

B (7:00)

Okay.

C (7:00)

There was the language there about the commercial spyware, the policy, the statement of policy on commercial spyware, which isn't binding by law. But it does give you a sense of where Congress is thinking about these things, such that if, if the Congress is not happy with what the administration is doing, that's pretty much a blueprint for what they're going to try to do in the future. So basically, things about, related to the way the United States combats misuse of spyware, protecting of journalists, protecting of human rights. Another one. You know, this starts to bleed into Derek World, but it's still, you know. Yeah, it's all right. It's related to AI and how much that training related AI has to be folded into cyber security training now. And saying that this is now a mandate, you must include this as a, as a focus of cyber security training for any personnel that receive cybersecurity training. But there's a few others.

A (7:45)

All right, so all of that fun stuff is on the congressional side. And you have also been reporting on the White House's side of things when it comes to cybersecurity strategy. There are a lot of strategies being released lately. We just saw the National Security strategy. There's. I don't really know that this is a strategy. There's an AI executive order that may or may not have dropped by the time that you are watching slash, listening to this. And there's going to be a cybersecurity strategy coming from the White House as well that I know you have been getting some details on. So fill in our listeners on all of those details.

C (8:19)

Yeah, this is some more stuff that we've had just for, just for, just for our readers. This was something we, I think we might have talked about this already separately off camera, but I really was glad that we led with in the headline five page, because the national, you know, this is a cybersecurity strategy that's five pages long and it kind of got some meme like social media interaction. That was entertaining, right?

A (8:38)

Yes. If it was four pages, they have

B (8:40)

not done their job.

C (8:40)

Exactly.

A (8:41)

That's fifth page really solidifies how serious

C (8:43)

cyber five letters, everybody, you know. So, you know, what was interesting about it is, is that that's a really short strategy. I mean, I. Strategies are often kind of like blueprints more than like this is what we're actually going to do. That's very different from what the Biden administration's last strategy was. That thing was really concrete. This thing is significantly less concrete because you don't have much. 5 pages is not enough to put in there. It's not even one page per pillar. There are six pillars and there's a preamble that's about the Trump approach to cyber. That said, from what I've heard from talking to people who have or are familiar with it, they did. They've been doing some briefings with people, they've been rolling this out and sharing it with people who are stakeholders. I've always hated that word. People who care about the outcome.

A (9:22)

There we go.

C (9:23)

That, that, that. There's a lot in there. Obviously there's the pillars of the things that they have been leading with, which are related to making the adversary pay in cyberspace or cyber offense or deterrence. But they, within some of those things, they also have some very specific mentions of things like AI that we just talked about China post quantum cryptography. So it's coming together. This is, this is still in draft form. The six pillars were things that we first reported. The fact that five pages were first reported, the fact that they're looking at doing it in January 1st is first reported. The fact that, that they are looking at possible executive order tied to it is new as well. I mean, we've heard that they want to have some deliverables and some. Some things that we'll be implementing, but the fact that it might be an EO is also new. There've been obviously been some overlapping talk of an executive order on cyber at some point from this administration, but it seems like this is the way they're

B (10:13)

going to do it. All right,

A (10:16)

Possible new CISA nominee, more money for cyber goodies, and a forthcoming cybersecurity strategy. We're going to kick off 2026 with a bang, it looks like.

C (10:26)

Let's do it.

A (10:27)

All right, Tim, appreciate you filling US in on the way the year ended in the cyber policy universe.

C (10:35)

Appreciate getting to talk about it.

B (10:36)

Thank you.

A (10:38)

Joining us on our interview segment is Jim Dolce, the CEO of Lookout Mobile Security. And look, when it comes to mobile security, enterprises really have a lot to worry about. There's phishing, smishing, vishing, all of the isshings, all of the threats that can come in through these devices that we do so much work on on a day to day basis. And especially in the age of AI, when deepfakes are getting better and better, there's a lot to worry about when it comes to financial fraud, business, email compromise, any sort of scheme that can have an enterprise leader hand over the keys to the kingdom or even money to attackers. We talked to Jim about how to safeguard against these threats in 2025 and into 2026. And then also the added problems that that can cause when it's just on top of having to do all of the security updates for more traditional bounds like software updates or credential stuffing or any of the threats that we know have been around for a long time. Really layered conversation, really interesting conversation. Glad Jim joined us to talk about it. Check it out. All right. Joining us on this week's interview segment for Safe Mode is Jim Dolce, the CEO of mobile cybersecurity firm Lookout. Jim, really appreciate you joining us. And I know this is a very interesting time for mobile security because when I think about just the rush of AI that is going on and what's now possible with phishing, smishing, vishing, any other vishing that you and the industry talks about, I know it is just fundamentally and growingly reliant on AI. So I really appreciate you hopping aboard and we can dive into a conversation about just that.

B (12:38)

Great pleasure to be here.

A (12:41)

So with these vishing and smishing attacks, I know that so much of it targets executives when it comes to their mobile device. So especially in the executive mindset and the executive suite. Why do you think organizations are sort of leaving this sort of, I don't know if it's the back burner, but so much of what we talk about when it comes to enterprise cybersecurity, it's investing heavily in endpoint and cloud security. But these plans often overlook the executive suite's phone. Why is that and what do you think can change?

B (13:24)

Well, the plans often overlook all phones, not just those of the executive suite. And I think a lot of it has to do with it's education. And perhaps this discussion here will help with education. But you look at what Are the threats out there? What are the single largest and most expensive threats out there? And this changes over time, right? I mean, if we were having a discussion five years ago, we'd be talking about malware. This is pre AI. And as time goes on, the threat landscape changes and the largest and most expensive threats come in and out. Today. Credential theft is currently the largest and most expensive entry point for cyber attacks. Now it has evolved, right? It used to be simple password guessing, or perhaps I could go out on the dark web, I could buy a database of passwords and then I would use the assumption that many people use the same password in their personal lives as they do in business. I do a little social discovery and realize that you work at a certain company. I, I, I use your username is just your first dot, last name at your, your company's DNS and I guess your password, you know, and, and, and once I'm in the network, I've got basically the keys of the kingdom. That whole password guessing scheme has evolved and now it's a much, much more sophisticated system where bad guys are using techniques like phishing and smishing and voice phishing now also becoming another big problem. And so when we look at how big is the problem of credential theft, it is currently the number one attack vector. The use of stolen credentials is now the most common action in a data breach. Today, the estimates are anywhere between 30% and 50% of all cyber attacks are due to credential theft. That is more than software vulnerabilities, malware, and other sophisticated hacking techniques. So it starts with the understanding that credential theft is my biggest problem. If I'm a ciso, I've got a lot of problems. But credential theft has become one of my biggest problems because it is now the number one attack vector. And it is also the longest to detect because of breach that is caused by stolen credentials. Takes long to identify because the attacker logs in as a valid user, right?

A (16:39)

The behavior doesn't flag any other technology.

B (16:42)

All the security alarms, behavioral alarms and others, they don't go off because you've got a valid user who just logged in. And the statistics show that it takes as much as 300, 325 days, almost 11 months to detect a breach caused by stolen credentials. So number one, it has become the number one attack vector. The largest attack vector. It is the longest to detect and as a result, it's also the highest cost. The average cost of a breach due to stolen credentials. It runs between 4 and $5 million, which is significantly higher on a global average than any other breach. And that needs to be well understood. And I think in reference to your first question, I think that's a missing piece here that we have to acknowledge that credential theft has become the number one attack vector. Once we have acknowledged it, the next thing we need to do is we need to look at, okay, how is credential theft being perpetrated? As I said, it used to be. It has, it shifted. It used to be stolen databases, information stealers, if you would. It is now reverted to phishing. The method of theft has changed, and the stealing of databases, or the purchasing on the dark web of databases that have usernames and passwords, no longer the dominant threat mechanism. It's shifted to phishing and the different variations of phishing. And so when we think about, okay, now what action do I have to take? Okay, number one, I have to acknowledge that it's the number one attack vector. I have to look at how the bad guys are perpetrating this attack and acknowledge that it shifted over to phishing and other phishing variants. And then the last thing to acknowledge is the most important one, that phishing and variants of phishing, phishing and smishing and others are now 40% mobile, is now 40% of all phishing attacks. So we have this massive market for email phishing. I think it's a $6 billion TAM where CISOs are spending billions of dollars to protect against phishing via email. And we have to acknowledge that phishing has moved and is in the process of moving beyond email to other channels. And these channels are predominantly mobile delivered channels. SMS is a predominantly mobile channel, Smishing is SMS phishing, voice is a predominantly mobile channel. Phishing is voice phishing. And so all of this is educational credential death, number one, the number one attack vector, major shift from information stealing to phishing and variations of phishing. And now 40% of all phishing attacks are on mobile channels. And the next question is, okay, what do we do about that?

A (20:12)

Okay, so going back to the credential theft part of it, look, experts everywhere are going to say if you want to defend against credential stuffing, enforce some type of mfa. But I'm wondering, in your opinion, all, all forms of MFA equally secure, or is there one particular form of MFA that you would prescribe above all others?

B (20:33)

No. So, mfa, I think today it's a fallacy to think that MFA covers phishing. And here's why in the world where I stole your username and password or I bought a username and password off the dark web. Now I've got the keys to get into your network. But multifactor authentication is that one last step that prevents me from getting in. And so in the world where I call it info stealers, people were stealing passwords or buying passwords on the dark web. MFA was effective because I can buy your username and password, but I don't have your phone in my hand. And that second factor is coming in the form of a text sent to your phone. Right. And so that was okay, MFA was okay, and a good defense in the world of stolen passwords. But phishing MFA does not solve the phishing problem, because the mobile phishing problem these days or the smishing problem, because I'm actively on my phone, it's happening on my mobile device. So I'll give you a perfect example. We do this test or this demonstration in the company, and it took 15 minutes to create this demonstration. And it's a perfect example of the scope of the problem. Today you will get, you're a salesperson networks for Lookout. You'll get a call from Jim, and it's Jim calling you and Jim's caller ID on the phone. And so bosses call and you answer the phone and you have a, a machine generated AI, generated voice, which basically is Jim. And he says, hey, I, I see that you haven't signed your comp plan. Your sales comp plan payroll runs on Friday. I want to make sure that you get paid on Friday. So I need you to go in and sign your comp plan. Now, inevitably, the reply will be, of course I signed it already, Jim, what are you talking about? But the machine is smart enough to have that conversation. And it turns around and it says, well, we don't have a copy. Let's just make sure and get another copy. I'll tell you what, I'm going to send you a text message. You click on the link and put your okta credentials in and you'll get a docusign and just docusign your. So there's no MFA in that process. Right. I'm sending you a link on your device. I've asked you to click on the link and log in with your okta credentials in order to get that docusign, which presumably is your sales comp plan. Well, basically got more than half the time. We got our sales guys to go ahead and click on that OCTA link and put the credentials in.

A (23:43)

Not great.

B (23:44)

No, MSA incorporated into that process. And now I have your credentials. And so the Sophistication, particularly because this AI is now being used to create this engagement. The sophistication is beyond what MFA can help solve.

A (24:07)

So what is the next education part there? Whether it's education, training or whatever, what do you do in order to train an enterprise to watch out for something like this? Especially when AI is just racing at a breakneck pace to really get to a point where it's tough for even knowledgeable people to discern what is real and what isn't, for sure.

B (24:31)

Well, therein lies. The solution lies in technology, right? There's a whole lot of. I'll give you some examples. We have some new technology here at Lookout. You will find others that will deliver these kinds of services. We have something called smishing AI. The interesting thing about smishing messages these days, or phishing messages these days is they used to rely on a link, right? They used to always, you get a text, it has a link, you click on the link and the, the problem lies in the link, not in the text message. Well, the bad guys have gotten through the use of AI. They've gotten much, much more sophisticated. They don't need the link anymore. A lot of it is done on intent and a lot of it is, is very much personalized, right? If I want to, to, to. To Phish, Greg, first I'm going to go online, I'm going to find out. I'm going to go to your Facebook or your Instagram. I'm going to learn about your family, learn about your kids, your kids names, your birthday. I'm going to go, I'm going to get all this personal information about Greg, and then I'm going to fish him with perhaps a quick message from one of your children that says, hey, dad, I'm at the gas station. My credit card isn't working. Can you send me your credit card number so I can get out of here and get back to school? Okay, Think about if you got that message, which was coming from a text from your, I don't know, children's son, daughter, whatever it may be, and that is an emergency. I need you, dad. Come and save me. Give me your credit card number, because mine is not working, right? And especially if it came from the telephone number of your kid and the caller ID had your kid's name, so everything looked perfect. There was no link in there for you to connect to, right? All it was a message perhaps had intent, urgency. In that case, that's an urgency, right? Well, well, we have trained our models to understand intent and to understand urgency without the Use of a link. I mean, you know, you gotta, you gotta fight AI with AI, right? So the bad guy, that was probably an agency AI application that went out to the Internet and all these social networking sites and learned everything it could find out about Greg and used all of that information about your family and etcetera, to formulate a SMS message that would be able to get you to reply to without question. And so we're battling against the machine and the intelligence of a machine and all of the data that that machine can access. And the only way to combat that kind of sophistication is with AI. So when that message comes into Greg's phone, if he's protected by lookout, that message goes through our model. And the model says, there's urgency in this message. And saying, dad, you got to send to me now I'm stuck at the gas station, they won't let me leave without paying for my gas. You send that message. Well, the model sees that urgency and flags that urgency, right? And. Or it flags intent. And so you're basically fighting AI with AI. And, you know, cybersecurity has always been a battle between the good guys and the bad guys, right? And one gets the edge on the other. And so if the bad guy is using AI today, we have no choice but to use AI to battle his effectiveness.

A (28:21)

So what other things or what other tools, Like I'm wondering with the urgency, like I'm wondering what else can be done to help filter, block or analyze the attempts. Because sometimes, you know, in business or just in life, you do get legitimate urgent messages. So I'm wondering what else goes in to the technology beyond just going, oh, well, this message is urgent. That's a red flag because, hey, holiday, that just, it's the holiday season. Flights get canceled, I need somewhere today, I need a rental car. So how do you discern between legitimate urgency and something that looks like it's the foundation of a scam?

B (29:05)

Right? So, so I use that as, as a simplified explanation, but it's not so simple. And what we're really talking about is the training of a sophisticated AI model, right? So let's think about this. If I can capture literally millions of SMS messages any given day, right? I mean, I've got a. Here we've got a deployment of almost 6,7 million endpoints, right? Figure how many texts a day do you get? You get maybe 10 texts a day. So of course, my. On the average, if you got 6 million endpoints, 10 texts a day, that's 60 million texts, right? We capture that Text, we anonymize it. Right. There's a big privacy issue here, of course, and I don't want to just pass over the privacy aspects of it. So we'll capture that message, we'll anonymize it, we'll use it to train the model, and then we'll throw the message away. But think about, this is really a AI training discussion that we're having. If I can train the model with tens of millions of messages every day, which amounts to billions of messages in any given month and tens of billions of messages in a year, then the model gets smarter and smarter. And to answer, we can certainly go into the science of AI training and such, what would take us hours to have that conversation. But suffice it to say that the larger the data set that's used to train the model, the smarter the model gets. Now, will there be a false positive? Because what you're, you're, you're basically pointing out that there's a possibility false positive here. I can tell you that our model is seeing only 1 or 2% false positives. And so let me. And it will get smarter and smarter over time. Right. But where it stands today, 1 to 2% false positives. And what is a false positive? What we do with that message is we simply put it into your junk folder on your, on your phone. Right. So you didn't lose the message. I didn't throw it away. I just moved it to your junk folder. And so it's incumbent upon you, when you check your messages, you check your junk folder and then you further scrutinize what's in your junk folder. Right. So all I'm doing is filtering out the messages that the model said are potential bad messages. I didn't delete them. You still get them. I just put them in a different folder for you. And I'm telling you, take a look at this message. I've got a concern about it. And it's up to you to discern whether or not it's a valid message or not. But I've pointed out to you that this message needs more scrutiny from you.

A (31:49)

So I'm wondering, what are your conversations like with enterprise leaders that are responsible for mobile security and whether you hear any pushback from organizations around implementing comprehensive mobile security, whether it is more focused on the credential stuffing or just on these AI phishing attacks? And how do you address that?

B (32:12)

Yeah, so we've gone back to our top 100 customers, and these are customers that are large enterprise accounts, mostly multinationals, some of Them have hundreds of thousands of endpoints. Right? Our largest customer is more than a quarter million endpoints. And we go back to these largest customers. We were actually surprised in the conversation because in the more than 10 years I've been here at Lookout as CEO, the biggest element of discussion in any customer is privacy. And what makes privacy big in mobile is that these devices are used for personal and business. Very different than my Mac sitting here on my desk. That's purely for business. It was assigned to me by the company. It's locked down with company applications. I don't really use that personally, but I use this thing personally all the time. And because of the personal nature, so the dual purpose nature of the phone, personal and business privacy has always been a big issue for us here. And we have always designed privacy controls into everything that we do. And over the past 10 years our large customers have been comfortable with the privacy controls that we put in place. But because we're so sensitive to privacy, we thought, hey, think about what I'm going to go tell this customer. We're going to capture all your SMS messages and we're going to use them to train a model so that we can keep you safe. Right? The idea of taking your messages and we can talk all day long about we're going to anonymize it and we're going to throw it away, we're not going to store it. We thought that was going to be a big problem. Just from 10 years of experience with these large enterprise customers, we thought they were going to reject this concept immediately on a privacy basis. And what we heard was very different and very surprising. And what we heard was this. What we heard was, you know what, I get that there's going to be some privacy concern, sure. I'm listening to your privacy controls, I accept them. But the problem with credential theft and the problem on balance, not protecting from these very sophisticated attacks is worse than the privacy issues that may arise. And we're willing to educate our users that there are controls in place because the problem is such a big problem. And we've seen that shift now that we have not seen in 10 years, especially in Europe where you can't do anything on an employee's phone without getting approval by a workers council. And over the 10 years, we've always big European customers of ours, we've always had to get workers council approval to have lookout on these devices. And we always got it because we have a good story to tell in terms of privacy. But we're seeing this shift now. That says the risk of not being protected and the risk to the business, the cost to the business, a loss of business, far outweighs now the privacy issue. Not that privacy is no longer an issue, but we're willing to do the work to explain that this is being done in a private way and that you're not at risk of having your company, Big Brother, seeing your messages, reading your messages, storing your messages for future reference. We're willing to explain to our customers that the controls are in place. To our users that the controls are in place because the problem is worth the extra effort.

A (36:17)

Interesting. Interesting. So on top of all of that, I'm wondering if you had one piece of advice for every CEO listening or anybody that is at the top of the food chain when it comes to determining enterprise cybersecurity plans. What would you tell them about their mobile security posture? Something that they could implement this week that could make their enterprise safer?

B (36:38)

What would it be? Well, I'll take that, that I'll answer that from on a very high level, I would say to this. So look, I recognize, I know that you understand that credential theft is important. I recognize that you're spend, you're literally the TAM on, on email phishing is, is 6, $7 billion and growing, it's expected to grow to 10. So I recognize you're spending money. But, but what I need to point out to you is that phishing is now moving very quickly, is moving over to mobile devices and you don't spend a lot of money there. I mean the mobile security market, the TAM for mobile security is smaller than the TAM for email phishing. Right. And my only advice is that recognize that now 40% of phishing attacks occur on these mobile devices and that number is only going to grow. And therefore the action, the call to action is you need to protect your mobile devices from phishing and other phishing related schemes in the same way that you protect your email systems.

A (37:57)

All right, Jim, really appreciate you hopping aboard, giving us a perspective on the way that mobile security is changing and we'll have to hear from you again soon. Appreciate it.

B (38:06)

Okay, great. Thank you for having me.

A (38:09)

Thank you. Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy brought to you by cyberscoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your co workers, your sizzos, your sysadmins, your mom, your dad, anybody that wants to know more about cyber security. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.

B (38:35)

Com.

A (38:36)

Thanks for listening. Check us out next week.