Podcast Summary
To The Point – Cybersecurity
Episode: Evolving Past Whack-a-Mole: Building Resilient Security Strategies for Modern Supply Chain Threats
Guest: Chris Hurst (CTO, CIO, CISO – Blackwired)
Hosts: Rachael Lyon & Jonathan Knepher
Release: October 14, 2025
Episode Overview
This episode examines the rapid evolution of supply chain attacks and the limitations of traditional “whack-a-mole” approaches in cybersecurity. Chris Hurst, an intelligence-driven cyber defense expert, joins hosts Rachael Lyon and Jonathan Knepher to discuss why organizations must move beyond patch-and-respond tactics by adopting a more intelligent, adversary-focused strategy. The conversation spans real-world breach stories, common pitfalls, the risk of legacy infrastructure, and the transformative role of actionable threat intelligence.
Main Discussion Points & Insights
1. The New Face of Supply Chain Attacks
[02:07–16:30]
- Chris brings real case studies, emphasizing “one compromise hits many” in today’s attacks (e.g., NPM breaches, token replay, credential theft).
- “The consequences of supply chain attacks could be absolutely gruesome. In many ways, it’s a one compromise hits many type issue.” (Chris, 02:39)
- Attackers are not just stealing credentials—they’re seizing IP, manipulating certificates, and exploiting vulnerabilities in secure file transfer systems.
- Real incident: A single unpatched platform resulted in 1,600 global casualties and total operational chaos. Attackers accessed secure law enforcement data, leading to global impacts.
- “The only thing limiting the blast ring for that [supply chain attack] is how many resources the attackers have.” (Chris, 04:37)
- Small vendors to large clients: Attackers use minor suppliers with privileged access as springboards into “megacompanies.”
- Threat actor collaboration: State-aligned groups quietly share and aggregate credential lists, amplifying risk and making detection and attribution harder.
- New trend: Many attacks now lack ransom notes or overt signals, leaving organizations compromised without their knowledge.
Key Quote:
“There probably isn’t any [ransom note]. There’s an attack but there’s no ransom... So, what do you do if there’s an attack and there’s no ransom note? You don’t know you’ve been attacked, but you have.”
(Chris, 07:56)
2. Legacy Infrastructure & “Bit Rot”
[13:30–17:50]
- Core industry systems are often decades old, “tweaked at the edges” but never truly modernized.
- Inadequate updates combined with new, insecure technologies (e.g., open banking, mobile banking) heighten risk.
- “What you just did is connected something which is inherently insecure to something that's been secure for many decades.” (Chris, 13:54)
- Many systems are so old, “no one can fix them anymore, so you have to preserve them—no one can patch them.”
3. The “Whack-a-Mole” Problem: Patch, Respond, Repeat
[18:07–30:13]
- Most current strategies focus on reacting to threats, continually patching, and responding as issues arise.
- Organizations are overwhelmed by “feeds” and spend heavily on cyber threat intelligence, but often miss the adversary’s perspective.
- “Winning the wrong game is the same as losing.” (Chris, 18:46)
- Many teams default to the “Mary Poppins job”—trying to be “practically perfect” via patch-and-respond, which no longer works against adaptive adversaries.
- “You can patch all day, all year long. It’s kind of a bit of a fallacy that costs organizations a lot of money.” (Chris, 19:34)
- Over-investment in internal analytics, not enough focus on outside-in intelligence—companies are “blind in one eye,” seeing only what’s inside.
- “We don’t look inside, we look outside. We look at the outside activity. Because that’s the missing element in the cyber security periodic table.” (Chris, 22:44)
- Threat actors evolve rapidly, commoditizing their platforms, and renting them out for mass exploitation.
4. Intelligence-Driven Defense: Changing the Paradigm
[17:51–31:49]
- Chris argues for actionable, adversary-focused intelligence as the foundation of resilient security.
- Blackwired’s approach: Monitoring adversarial activity without internal sensors—watching the watchers, not just the subject.
- “The unique thing about where Blackwired is: direct threat intelligence.” (Chris, 22:18)
- CISOs must select the right intelligence, not just more intelligence.
- “Learning from mistakes as a CISO is a terrible strategy because you only get one chance to make a mistake at that level.” (Chris, 28:54)
- Industry-wide, there’s a shift from defending what you have, to anticipating what attackers might do.
- “If you lay out mousetraps where the mouses are currently running, the mice don’t run there anymore.” (Chris, 23:37)
- Many organizations' success metrics—number of patched vulnerabilities, analyst headcount, incident response teams—don’t actually track with real outcomes.
5. Industry Challenges: CISO Pressure, Board Disconnect, and “Hopium”
[32:20–36:44]
- High CISO turnover: Many are “just watching the clock” until a breach gets them fired.
- Board communication gap: CISOs struggle to present nuanced cyber risk in business terms.
- “The board says, ‘I don’t need this technical stuff. I just need an answer.’” (Chris, 33:21)
- Industry burnout and fatalism: Over time, defenders lose hope and rely on “hopium”—hoping to avoid disaster until retirement.
- “They’re using hopium to say, oh God, if I survive long enough to earn a bit of money and maybe retire out... then I’m all good, aren’t I?” (Chris, 35:03)
- Difference between real intelligence (actionable, adversary-focused) and “war stories” or news—most industry “sharing” is just stories, not useful intelligence.
6. The Generational & Global Shift in Cybersecurity
[36:44–41:07]
- Change is needed—and coming, as a new generation enters security roles with fresh mindsets.
- “People of a certain age built the world that we actually live in... It’s not the same people who are going to be building the future. And that’s the brilliant thing.” (Chris, 37:18)
- The US system is praised for its willingness to invest in “real future stuff” and for fostering innovation (e.g., federally funded research, MIT), which is less common in the UK/EU.
- Chris expresses responsibility to mentor, shift mindsets, and ensure newcomers have better tools, perspectives, and resilience.
7. The Role of Innovation, Sharing, and Crisis Leadership
[41:07–42:52]
- Necessity will keep driving invention; cross-domain thinking is logical and inevitable.
- True intelligence sharing is rare: most of what is shared is just “war stories,” not actionable insights.
Notable Quotes & Memorable Moments
- On supply chain risk:
  - “If your auditor doesn’t pay the ransom, then your information goes out to everybody who wants to buy it.” (Chris, 06:09)
- On legacy tech:
  - “Vint Cerf... says, right, that you’ve got bit rot in these organizations... the systems you have, you have to preserve because no one can fix them anymore.” (Chris, 14:23)
- On CISO career risk:
  - “It’s the only job in Christendom... you don’t get the job, you’re immediately fired.” (Chris, 25:19)
- Industry-wide fatigue:
  - “I see a big sea change in the cybersecurity industry... a resolution to fatalism where everybody has now lost their desire to defend and they're actually using hopium.” (Chris, 34:51)
- On innovation’s promise:
  - “I don’t believe there’s a problem that’s been invented that can’t be solved.” (Chris, 41:14)
Key Segment Timestamps
- [02:07–16:30]: Real-world supply chain attack stories; credential theft, state adversaries, and the evolving threat landscape.
- [17:51–22:44]: Industry’s “whack-a-mole” difficulties, pitfalls of internal-focused defenses.
- [22:44–30:13]: Building intelligence-led defenses; decision-making traps; why more analysts ≠ more security.
- [32:20–36:44]: CISO burnout and board-level challenges; fatalism in the industry.
- [36:44–41:07]: Generational change, the importance of innovation, and lessons from the US model.
- [41:07–42:52]: Cross-domain application of intelligence; the need for genuine intelligence sharing.
Tone & Takeaways
Chris Hurst threads hard-won experience with humor, urgency, and some maverick critique. He underlines that today’s adversary moves too fast for old models—intelligence, anticipation, and continual adaptation are critical. Attacks are bigger, quieter, and more devastating, while defenders are too often focused inwardly, burning resources on the wrong problems.
If you’re a CISO, cyber team leader, or security strategist, the message is clear:
“Don’t rebuild the same vulnerabilities in the cloud. Don’t rely on learning from your next breach. Get the right intelligence—before you need it.” (Paraphrased, 16:12–17:12)
The episode closes with optimism about new blood in the industry and a call for all practitioners to evolve—before the next supply chain domino falls.
