Safe Mode Podcast
Episode: How AI has complicated enterprise mobile security
Date: December 11, 2025
Episode Overview
This episode explores the evolving challenges of enterprise mobile security in an era where artificial intelligence (AI) has dramatically increased both the sophistication and scale of attacks, especially phishing, smishing, and vishing. Host Greg Otto interviews Jim Dolce, CEO of Lookout Mobile Security, unpacking how the enterprise threat landscape is changing and what organizations must do to keep up. The episode also delivers the latest updates from Capitol Hill on cybersecurity policy and legislation.
Capitol Hill & Cyber Policy Update
Guest: Tim Starks – Congressional Cyber Policy Reporter
Timestamps: [00:32] – [10:35]
CISA Director Nominee Turmoil
- The nomination of Sean Plankey for CISA Director faces significant hurdles. Senator Rick Scott's hold, unrelated to CISA itself but tied to a Coast Guard contract in Florida, has stalled progress.
- Multiple factors, such as missed deadlines on telecom security reports and FEMA funding disagreements, compounded the issue.
  - "They said in July we're going to release this report. Well, it's December." – Tim Starks [02:04]
- Consensus among insiders is that Plankey's nomination is "pretty much DOA" unless circumstances change.
  - “It looks to be pretty DOA.” – Greg Otto [04:00]
- The deadline for possible renomination is the end of the year; otherwise, a new nominee may be required.
National Defense Authorization Act (NDAA) Cyber Provisions
- The NDAA, an annual legislative cornerstone, contains several notable cybersecurity components:
  - Mandate for secure phones for DoD senior leaders and sensitive missions.
  - Expansion of mental health access for Cyber Command/Cyber Mission Force, with a focus on supporting those with the necessary clearances.
  - Policy statement on commercial spyware and its abuse, aimed at protecting journalists and human rights, even if not yet legally binding.
  - Requirement to include AI-related training as part of cybersecurity protocols.
    - “...training related AI has to be folded into cybersecurity training now... you must include this as a focus...” – Tim Starks [07:15]
White House & National Cyber Strategy Updates
- New cybersecurity strategy draft is uniquely concise (five pages, six pillars) and contrasts with the Biden administration’s previous, much longer version.
- Strategy highlights: cyber deterrence, making adversaries pay, addressing AI threats, and post-quantum cryptography.
- “Five pages is not enough to put in there. It's not even one page per pillar.” – Tim Starks [08:56]
- Upcoming strategy rollout may include an executive order for immediate implementation.
- “They're looking at possible executive order tied to it... this is the way they're going to do it.” – Tim Starks [10:13]
Main Interview: Jim Dolce, CEO of Lookout Mobile Security
Timestamps: [12:38] – [37:57]
AI’s Impact on Mobile Phishing & Credential Theft
Shifting Threats: From Malware to Credential Theft
- Mobile security threats have evolved:
  - Pre-AI: ransomware and malware dominated.
  - Now: credential theft is “the largest and most expensive entry point for cyber attacks.”
    - “Credential theft is currently the largest and most expensive entry point for cyber attacks” – Jim Dolce [13:44]
- Attackers leverage social engineering and AI to bypass traditional defenses.
Why Mobile is the New Battleground
- Historically, enterprises focused on securing endpoints and cloud services, often neglecting mobile.
- 40% of all phishing attacks now occur over mobile channels (SMS, voice) rather than email.
- “Phishing has moved and is in the process of moving beyond email to other channels. And these channels are predominantly mobile delivered channels.” – Jim Dolce [17:53]
The Futility of MFA vs. Advanced Phishing
- Traditional MFA (multifactor authentication) is no longer a silver bullet.
- AI-powered voice and smishing attacks can trick users into giving credentials, bypassing standard MFA flows.
- Demonstrated with internal tests: “More than half the time, we got our sales guys to go ahead and click on that Okta link and put the credentials in.” – Jim Dolce [23:39]
Fighting AI With AI
AI-Powered Defenses
- Lookout uses AI to analyze message intent and urgency—not just malicious links.
- Modern phishing may not require links; instead, attackers craft highly personalized, urgent messages (sometimes deepfakes or spoofed contact info).
- “If the bad guy is using AI today, we have no choice but to use AI to battle his effectiveness.” – Jim Dolce [27:56]
False Positives and Privacy Boundaries
- AI models are trained on large, anonymized datasets (tens of millions of texts daily) to reduce false positives to 1-2%.
- Suspicious messages are redirected to users’ junk folders, not deleted, maintaining user control.
- “All I'm doing is filtering out the messages that the model said are potential bad messages. I didn't delete them. You still get them. I just put them in a different folder for you.” – Jim Dolce [30:56]
- Privacy remains a major concern, but enterprises are increasingly prioritizing security due to the risk and cost of breaches.
- European customers and their worker councils are now more accepting of privacy tradeoffs given the magnitude of threat.
Enterprise Leadership & Security Culture
Advice for Executives
- Top recommendation: treat mobile phishing as seriously as email threats.
- “You need to protect your mobile devices from phishing and other phishing related schemes in the same way that you protect your email systems.” – Jim Dolce [37:41]
- The “total addressable market” for mobile security is not keeping pace with the glaring reality—executives must update their priorities.
Notable Quotes & Memorable Moments
- “Credential theft... takes almost 11 months to detect, because the attacker logs in as a valid user.” – Jim Dolce [16:42]
- “MFA was effective because I can buy your username and password, but I don't have your phone in my hand. ... But phishing, MFA does not solve the phishing problem.” – Jim Dolce [20:33]
- “We're battling against the machine and the intelligence of a machine and all of the data that that machine can access. And the only way to combat that kind of sophistication is with AI.” – Jim Dolce [27:31]
- On privacy: “What we heard... was, you know what... the problem on balance, not protecting from these very sophisticated attacks is worse than the privacy issues that may arise.” – Jim Dolce [32:32]
Key Takeaways
- Mobile devices are increasingly targeted in sophisticated, AI-enabled phishing campaigns.
- Credential theft via mobile channels represents the largest and costliest risk to enterprises.
- AI models, trained on massive, anonymized datasets, are essential for detecting intent, urgency, and other signals beyond malicious links.
- Enterprises are now more willing to balance privacy and security, recognizing the enormous risk and cost from failure to act.
- Leadership must shift investment and focus to mobile security—mobile phishing is no longer a minor vector, but a major, growing threat.
Timestamps for Important Segments
- [00:32] — Capitol Hill Policy Updates with Tim Starks
- [05:04] — NDAA Cyber Provisions
- [07:45] — White House Cyber Strategy
- [12:38] — Interview with Jim Dolce Begins
- [13:24] — Why Executives Overlook Mobile Threats
- [16:42] — The Danger of Credential Theft
- [20:33] — Limitations of MFA
- [24:31] — AI-Driven Phishing Attacks
- [29:05] — AI Detection, False Positives, and Privacy Concerns
- [32:12] — Enterprise Culture Shift on Privacy and Security
- [36:38] — Jim Dolce’s Key Advice for CEOs
For enterprise leaders and security practitioners, this episode is an urgent call-to-arms: the age of AI has made mobile not just another endpoint, but a primary battlefield. Security strategies must evolve now—before attackers do.
