Adversarial

S4E18 – Mythos and TPRM, does SOC 2 really work? | RSS.com 00:34 - Introduction 03:33 - Enterprise Challenges 07:08 - End User and Browsers 21:55 - Vulnerability Metrics 40:37 - Approaching Leadership 42:09 - TPRM Discussion 46:40 - Sharing Findings 01:03:04 - Conclusion Mozilla: Anthropic’s Mythos found 271 security vulnerabilities in Firefox 150 Anthropic’s Mythos found 271 zero-day vulnerabilities in Firefox 150 Mozilla let Anthropic’s Mythos loose on Firefox 150’s codebase,

S4E17 – Mythos, Delve's downfall, and supply chain | RSS.com Project Glasswing (https://www.anthropic.com/glasswing) Anthropic is letting AWS, Apple, Google, Microsoft, JPMorgan, Cisco, NVIDIA, and friends point Claude Mythos at their shared attack surface while backing it with $100M in credits and $4M for OSS security groups so blue teams can burn down latent vulns before the offense gets equivalent AI. Inside the TeamPCP cascading supply chain attack (https://www.reversinglabs.com/blog/t

Special RSAC episode with Cloudflare - Cybersecuri | RSS.com The Adversarial Podcast brings you a special episode in collaboration with Cloudflare's Security Signal Podcast. 0:39 - 3:33 AI Governance and Autonomy 6:26 - 8:49 Human in the Loop 9:17 - 11:40 Cybersecurity and AI 15:26 - 18:19 Resilience and Anti-Fragility 28:24 - 33:05 Threat Intelligence 33:31 - 36:50 Board and CISO Dynamics 41:09 - 42:35 Future of Cybersecurity 42:35 - 44:14 Books and Resources Security Signal P

S4E15 – RSAC, Iranian hackers, White House's Cyber | RSS.com Iran-linked hackers claim responsibility for attack on US medical device maker Stryker Attackers tied to Iran say they hit Stryker, and investors punished the stock as the company scrambled to assess exposure. Trump Signs Executive Order Aimed at Cybercrime Gangs The President issued an order to tide together federal tools, international partners, and private-sector incentives for hunting down and disrupting ransomware crews.

S4E14 – Federal Gov vs. Anthropic, 40% layoff at B | RSS.com Claude Code Security research preview Claude now reasons about code like a human researcher, re-checks its own findings for confidence, and surfaces patch suggestions in a dashboard while keeping humans in control—limited preview for Enterprise/Team customers plus expedited access for open-source maintainers. Pentagon gives Anthropic a best-and-final offer With a deadline looming, the Pentagon demanded full lawful-use access, thr

S4E13 – Munich Security Conference, hiring AI spec | RSS.com GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use Google’s threat team distills red-team learnings from sophisticated experimentation as it hardens defenses and anticipates adversarial AI backdoors. New Trump Cyber Strategy Prompts Companies to Mull Legal Limits The administration’s aggressive cyber doctrine is forcing firms to reconsider how far they can legally follow t

Adversarial Podcast S4E12 – Curl shuts down bug bo | RSS.com The end of the curl bug bounty program. Curl’s creator Daniel Stenberg announced the shutdown of the project’s bug-bounty program because overwhelming volumes of low-quality and AI-generated reports, coupled with bad-faith security submissions, impose excessive mental and time costs while providing little real improvement to the software. Changing Federal Reserve Regulations. The memo directs Federal Reserve supervisory staff t

Adversarial Podcast S4E11 – Iran Internet blackout | RSS.com There's an internet blackout in Iran. How are videos and images getting out? During Iran’s nationwide internet blackout imposed amid widespread anti-government protests, some citizens have been using Elon Musk’s Starlink satellite service to bypass state-controlled communication blackouts and share information with the outside world despite government efforts to restrict or jam such access. Lawmakers to Restart Efforts to Revive

Adversarial Podcast S4E10 – AI impact on cyber job | RSS.com Cloudy Outlook for Cyber Jobs as AI Fills Security Gaps. Cybersecurity hiring growth slowed to 7% in 2025 amid flat budgets and economic uncertainty, with firms shifting spend toward AI automation over expanding teams. Coupang, Inc. (CPNG) Class Period Expanded in Pending Investor Securities Lawsuit - Hagens Berman. Hagens Berman expanded a securities class action against Coupang over alleged cybersecurity misstatements after mas

Adversarial Podcast S4E09 – New Pentagon CIO, age | RSS.com Nation Cyber Strategy Forthcoming The Trump administration is preparing a new national cyber strategy that increasingly relies on private companies to conduct offensive cyber operations on behalf of the U.S. government. Kirsten Davies Confirmed as Pentagon CIO The U.S. Senate confirmed Kirsten Davies as the Department of Defense’s Chief Information Officer, placing her in charge of modernizing and securing the Pentagon’s vast IT i

Adversarial Podcast S4E08 – Shai-Hulud, critical R | RSS.com 00:00 Intro 02:33 Shai Hulud 2.0 17:12 Max severity React vulnerability 29:23 CrowdStrike catches insider feeding information to hackers 46:24 Anthropic disruptes AI-orchestrated cyber campaign 52:35 Uncertain economy takes effect on cyber teams Shai-Hulud 2.0 Aftermath: Trends, Victimology and Impact Researchers report that Shai-Hulud 2.0 is an ongoing npm supply-chain worm that has compromised hundreds of packages and

Embedded iFrame 00:00 Intro 01:50 Louvre password 08:54 Trump budget cuts 20:35 Google AI threat report 36:56 Nevada didn’t pay ransom 48:25 Moved the needle 58:38 L3Harris Trenchant boss stole exploits, sold to Russia 62:00 Ransomware remediation firm employees go rogue 63:40 Cybersecurity Is A Digital Identity Problem And We Must Deal With It The password for the Louvre’s video surveillance system was “Louvre” The Louvre Museum reportedly had a video-surveillance server password

Adversarial Podcast S4E06 – F5 Breach, AWS outage, | RSS.com F5 Hack Blamed on China Chinese state-backed hackers allegedly breached U.S. cybersecurity firm F5, gaining year-long access to its systems and BIG-IP source code, prompting security fears and causing the company to warn of revenue impacts and falling shares. AWS Outage A race condition in Amazon DynamoDB’s DNS management system caused widespread outages across the US-EAST-1 region on October 19–20, 2025, disrupting DynamoDB,

Adversarial Podcast S4E05 – Oracle Zero-Day, US cy | RSS.com Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign Mandiant and Google Threat Intelligence Group uncovered a large-scale CL0P-linked extortion campaign exploiting a zero-day (CVE-2025-61882) in Oracle E-Business Suite to steal data from organizations before patches were released. https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation UK government to be g

00:00 Highlight 00:43 Intro 06:40 "Moved the needle" awards 37:05 Scattered Lapsus$ and Jaguar Hack 44:39 One Token to Rule Them All - Entra pwned 1:02:21 H-1B visa changes and their effect on the cyber industry Scattered Lapsus$ and Jaguar Hack Jaguar Land Rover has extended its production pause until October after a cyberattack crippled its IT systems. The company is struggling to recover operations at Range Rover plants. https://www.wsj.com/business/jaguar-land-rover-extends-product

Adversarial Podcast S4E03 – Fumbled NPM Attack, En | RSS.com 00:00 Intro 03:10 NPM supply chain attack leaves attackers empty handed 24:44 Why is Atlassian buying a browser company? 37:20 Apple's new Memory Integrity Enforcement 52:56 Salesloft breach leads to downstream hacks Hackers left empty-handed after massive NPM supply-chain attack Hackers briefly compromised popular NPM packages like chalk and debug-js, infecting ~10% of cloud environments, but despite the massive supply-ch

Adversarial Podcast S4E02 - Cyber acquisitions and | RSS.com 00:00 Introduction & BlackHat 02:06 Cybersecurity in Schools 18:53 Black Hat Conference Highlights 34:02 New York sues Zelle 44:48 Trends in Cybersecurity Mergers and Acquisitions 1:02:44 95% of generative AI pilots at companies are failing 1:08:53 Prompt injection with poisoned calendar invites DARPA announces $4 million winner of AI code review competition at DEF CON DARPA announced Team Atlanta as the winner of its tw

Adversarial Podcast S4E1 - Trump's AI Action Plan, | RSS.com 00:00 Introduction & BlackHat 03:14 AI Action Plan Overview 13:30 Chip Security Act 20:48 Government led AI-ISAC? 23:16 UK government considering banning public sector ransomware payments 28:14 Microsoft probing if Chinese hackers learned SharePoint flaws through alert 42:07 Ethics in Vendor Relationships – Gifts for meetings America's AI Action Plan “America’s AI Action Plan,” released by the Trump administration, out

Adversarial Podcast Ep. 27 - Is AI necessary for c | RSS.com Episode 27: AI Hype, Cyber Stocks, and the End of Trust Jerry Perullo, Mario Duarte, and Sounil Yu dive into the tension between AI buzz and cybersecurity substance in this wide-ranging episode covering everything from investing trends to browser hygiene. Topics include: * The AI fundraising filter If you’re pitching a cybersecurity startup today, you’d better have an AI story—even if your product doesn’t need it. The hosts

Adversarial Podcast Ep. 26 - US Treasury's Cyberse | RSS.com 00:00 Intro 03:17 Banks call out US Treasury's cybersecurity failures 28:54 SEC scraps proposed cybersecurity rules 38:05 What makes AI Security different Banks Challenge Treasury on Cybersecurity Failures. A coalition of major U.S. banking associations—including the American Bankers Association, Bank Policy Institute, MFA, and SIFMA—has publicly challenged the U.S. Treasury and OCC to adopt private-sector cybersecurity stan

Adversarial Podcast Ep. 25 – From CISOs to Entrepr | RSS.com 00:00 Intro 04:15 Our journeys from CISOs to Entreprenuers 23:48 Trump changes Biden's Cyber EOs 28:40 States rebuff proposed federal ban on AI laws 36:43 Vanta bug exposes customers' data to other customers 49:12 SentinelOne outage 52:53 Banking groups ask SEC to drop incident disclosure requirements 1:00:37 Cybersecurity teams generate average $36M in business growth 1:03:50 Cybersecurity Companies Want to Go Public. The

Adversarial Podcast Ep. 24 – Global Lumma takedown | RSS.com 00:00 Intro 02:49 Authorities Carry Out Elaborate Global Takedown of Infostealer Heavily Used by Cybercriminals 14:29 Coinbase says hackers bribed staff to steal customer data and are demanding $20 million ransom 26:24 Fake OpenAI MCP Integration 32:25 Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials 36:03 Destructive malware available in NPM repo went unnoticed for 2 years 48:10 Sam & Jony

Adversarial Podcast Ep. 23 – Crowdstrike layoffs, | RSS.com

Adversarial Podcast Ep. 22 – RSA Conference is here, Verizon's 2025 Data Breach Investigations Report, China names alleged US hackers 00:00 Intro 00:31 RSA conference 14:38 Verizon's 2025 DBIR report 37:55 Security of "Sign in with Google/Microsoft" 1:02:50 China accuses US of launching 'advanced' cyberattacks, names alleged NSA agents RSA Links: Adversarial Happy Hour: http://adversarial.com/rsac Innovation Sandbox: https://www.rsaconference.com/usa/programs/innovation-sandbox

Adversarial Podcast Ep. 21 – Chris Krebs & Sentinel One's clearances revoked, Oracle hack, how Goldberg got added to Signal chat ⬇️ See below for timestamps/summaries/references for each topic 00:00 Highlight/theme 23:05 Intro 06:56 White House revokes Chris Krebs and SentinelOne's security clearances 16:55 How Jeffrey Goldberg got added to the White House Signal group chat 26:48 DOGE staffer provided tech support to cybercrime ring 39:29 China Acknowledged Role in U.S. Infra Hacks

Adversarial Podcast Ep. 20 – corporate espionage a | RSS.com ⬇️ See below for timestamps/summaries/references for each topic 00:00 Highlight/theme 00:28 Intro 02:15 Unicorn startup allegedly cultivated spy to steal trade secrets from competitor 18:19 Google Strikes $32 Billion Deal for Cybersecurity Startup Wiz 33:35 Trump Administration accidentally sends war plans to reporter via Signal 47:20 GitHub action supply chain attack 53:55 Oracle under fire for its handling of security inc

The Adversarial Podcast Ep. 19 – AI-Powered Cybercrime, CISO job market, the BYOL elephant in the room Episode notes ⬇️ See below for timestamps/summaries/references for each topic 00:00 Highlight/theme 00:37 Intro 01:37 Malvertising campaign leads to info stealers hosted on GitHub 11:59 Wall Street is worried it can't keep up with AI-powered cybercriminals 24:02 What Really Happened With the DDoS Attacks That Took Down X 28:34 Bring-your-own-laptop policies 40:41 Are WAFs useful or

The Adversarial Podcast Ep. 18 - CISA cuts, North Koreans steal $1.5B in crypto, planning for RSA Conference 💰 Budget cuts hit CISA, and election security programs might be first on the chopping block. The team debates whether these cuts were expected, what they mean for cybersecurity, and whether some programs were outside CISA’s core mission in the first place. Reference: https://www.scworld.com/perspective/a-sober-look-at-the-recent-cuts-at-cisa ⚔️ A sudden shift in cyber warfare stra

Episode notes ⬇️ See below for timestamps/summaries/references for each topic Adversarial Podcast Ep. 17 - 2025 CISO Compensation Survey, Okta layoffs and employee value, TLS inspection 00:00 Highlight/theme 00:37 Intro 1:21 Hitch Partners survey of CISOs 13:34 Dangling S3 buckets 24:35 Update on Cybersecurity Innovation Executive Order 32:58 Cyber stocks - NET and CRWD at all-time highs 44:07 Okta lays off 180 employees, including security engineers 55:47 Is anyone actually doing

1:33 Biden's Executive Order on Cyber Security 5:18 Cyber policy wishlist 21:30 TikTok and RedNote 29:36 Marsh's report on cyber insurance 49:21 Do CISOs need to be highly technical? Adversarial Podcast Ep. 16 - Cyber policy wishlist, RedNote/TikTok, Marsh's cyber insurance report, do CISOs need deep technical skills? Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity The outgoing Biden administration issues an executive order aimed at enhancing cyb

Join former CISOs Jerry, Mario, and Sounil as they dissect the latest cybersecurity news, discuss evolving threats, and share their seasoned perspectives on infosec. The Adversarial Podcast Ep. 15 - US-China-Taiwan cyber relations, mobile app ads facilitating spying, holiday DoS vulnerabilities 1:48 China accuses US of stealing trade secrets 10:05 Taiwan reports 2.4M Chinese cyberattacks/day 18:21 Christmas day Chrome Extension hacks, including Cyberhaven 23:28 Krebs: U.S. Army Soldie

The Adversarial Podcast Ep. 14 - Future of CISA/SEC under Trump, US Telco news, DAO faces $50M hack In this episode of The Adversarial Podcast, Jerry Perullo, Mario Duarte, and Sounil Yu discuss the latest developments in cybersecurity, geopolitical threats, and emerging trends as 2025 approaches. The Future of SEC/CISA under Trump 2.0. With Trump returning to office, the hosts discuss possible changes to SEC-mandated cybersecurity disclosures and the potential of priorities shifting awa

In this episode of The Adversarial Podcast, Jerry, Mario, and Sounil bring their adversarial insights to a packed discussion of the latest topics in enterprise cybersecurity. The Adversarial Podcast - East Coast vs. West Coast CISOs: The trio explores the divide between East Coast and West Coast CISOs. Is the East too focused on risk? Does the West overfit to AppSec and "shift-left" practices? - 2024 CISO Budget Report: Where are CISOs spending their increasing budgets in 2024? The hosts

In this episode of The Adversarial Podcast, former CISOs Jerry Perullo, Mario Duarte, and Sounil Yu explore critical topics shaping the cybersecurity landscape. The Adversarial Podcast Ep. 12 - RSA Conference ma | RSS.com 1. Crosspoint Capital’s RSA Innovation Sandbox Model The hosts discuss Crosspoint Capital's controversial $5 million SAFE investment requirement for Innovation Sandbox finalists. They examine the implications for startups, founders, and the cybersecurity ecosystem as a wh

Introduction: * The episode opens with a discussion on securing devices for employees traveling to high-risk countries, like China, as a way to protect corporate data and maintain customer trust. * Hosts Jerry, Sounil, and Mario welcome listeners and discuss recent events, including the FS-ISAC Fall Summit in Atlanta and geopolitical implications of the recent election. Key Topics: 1. Geopolitical Risks: * The group explores China's espionage activities and Russia's geopolitical maneuv

The Adversarial Podcast Ep. 10 - the CISO job market, CRQ, beg bounties, and cryptography (00:00) Intro (5:15) The CISO job market: present and future (25:57) Handling beg bounties and VDP (41:30) Quantum cryptography – how important is cryptography, really? Stories: * “Chinese Researchers Reportedly Crack Encryption With Quantum Computer” - https://www.pcmag.com/news/chinese-researchers-reportedly-crack-encryption-with-quantum-computer Hosts: * Jerry Perullo: https://www.l

The Adversarial Podcast Ep. 9 - NIST password guidelines, CUPS vulnerabilities, breach vs. hack Episode notes (00:00) Intro & NIST’s new password complexity requirements (13:19) CUPS vulnerability: critical or a distraction (31:26) Federal standards for cybersecurity in health care: should legal responsibility fall on individuals? (47:30) What constitutes a hack vs a breach? Stories: * “NIST Drops Password Complexity, Mandatory Reset Rules” - https://www.darkreading.com/identity-ac

(00:00) Intro (02:24) Exploding pagers: are psychological attacks worse than breaches? (20:21) Are credit card breaches still a concern in 2024? (24:57) Infostealer delivered through GitHub Issues: how are trustworthy services being abused? (31:45) Founder mode: when is it time to switch from "founder mode" to "manager mode?" (44:02) Is open-source more secure than closed-source? The Adversarial Podcast Ep. 8 - Pagers and Supply | RSS.com Stories and books mentioned: * “Israel plant

Episode notes Listen as CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss the value of security exams and question the relevance of certain certifications in today’s industry. Then, they debate into the vulnerability disclosure process, exploring how CVEs impact companies outside the SaaS world and whether CISA’s "Secure by Design" initiative is truly effective across industries. Finally, they discuss security misprioritization, from school systems to corporate desktops,

Episode notes Join former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu as they debate the impact of SSN leaks, discuss the effectiveness of recently implemented ransom payment bans in Miami, and recently reported AWS misconfigurations. Then, listen as they debate passkeys, vulnerability management, and board reporting. The Adversarial Podcast Ep. 6 - SSN Leaks, Cloud M | RSS.com 00:00 Intro 02:17 Social Security Number breach 14:48 Ransomware payment bans 21:47 AWS

Episode notes Speaking live at the Evanta CISO Summit in Atlanta in June 2024, host Jerry Perullo talks candidly about why CISOs are failing to land Board Director roles. The Adversarial Podcast Ep. 5 - Why Boards want mo | RSS.com

Episode notes Join former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu as they discuss upcoming lawsuits related to the recent CrowdStrike outage, switching costs, overhyped security vulnerabilities and their effect on practitioners' responsibilities, fake employees from North Korea, the information stealers and the state of password managers, and the increasing threat of deepfakes. The Adversarial Podcast Ep. 4 - CrowdStrike Lawsui | RSS.com Stories * “CrowdStrike i

Episode notes In this episode, former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss the recent Crowdstrike outages, PR in the recent Wiz acquisition rumors, stakeholder value in Rapid7, and the SEC dropping charges in the SolarWinds case. Stories: - Activist Jana has a stake in Rapid7. There are two paths to bolster value at the cybersecurity company: https://www.cnbc.com/2024/06/29/two-paths-for-jana-to-bolster-shareholder-value-at-rapid7.html - Google Near $23

Episode notes Join former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu as they reflect on the state of cybersecurity investments in 2024, debate the importance of configuration vs. code security, and discuss the importance of governance in risk management. Stories: * ‘There’s A Lot Of Noise’ — VCs Trying To Find Clarity In Cluttered Cyber AI Landscape: https://news.crunchbase.com/cybersecurity/venture-funding-ai-wiz-ma-rsa/ * Wiz raises $1B at a $12B valuation to expan

Episode notes In this episode, former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss malicious Chrome extensions, the cybersecurity job market, mouse jigglers and security policy, and the impact of the recent ransomware wave. They share insights from their experiences, exploring the challenges of managing browser security policies, job burnout, and banning ransom payments. Stories: * Millions under threat from malicious browser extensions — what to do: https://www.t

In this episode, former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss the recent wave of cyber-attacks using Snowflake and the model of shared fate. They debate the effectiveness of banning ransom payments and explore the complexities of cybersecurity regulation, using recent events involving UnitedHealth and Jerry's former employer as case studies. The conversation also touches on the ethical dilemmas CISOs face when interacting with venture capital, highlighting pers

Joined by fellow Interim CISO veterans Yael Nagler of Yass Partners and Aurobindo Sundaram of RELX, host Jerry Perullo reflects on his experience as the Interim CISO of Silicon Valley Bank and explores the challenges of the role from hiring manager and candidate perspectives. Yael Nagler: https://www.linkedin.com/in/yaelnagler/ Aurobindo Sundaram: https://www.linkedin.com/in/aurobindosundaram/ 00:16:30 Why hire an Interim CISO? 00:21:00 Is there such a thing as KTLO in the CISO role? 00:30:3

The notion of "Risk Acceptance" has always challenged me. For the uninitiated, Risk Acceptance is a concept often discussed in cybersecurity leadership when it comes to accountability for cyber debt. The idea is that cybersecurity leaders and other professionals identify risks and recommend mitigating actions that would reduce that risk, but recognize that it is always up to business leadership to weigh the costs and benefits of change and make a final decision. Risk Acceptance has always come u

Episode 3: Incidents In Episode 1 of this series I talked about oversight of cybersecurity threats and how a Board can engage with senior management to determine the mission of the cybersecurity department and prioritize testing and analysis. Next I moved on to cyber risks in Episode 2 and the idea of a Remediation Agility chart to guide a wide-ranging Board room discussion with a single visual. The next area that deserves a permanent spot on the Board agenda is incidents. Incident awareness a

We've all run to the same side of the boat on supply chain security when it comes to cyber. Rather than chasing the Sisyphean (and antithetical to modern product-development philosophy) task of ensuring our suppliers deliver perfectly secure software, we should be expected to architect and deploy our dependencies with the assumption they will be compromised at some point, minimizing the amount of impact that could have and ensuring we could detect such an issue timely. To expound on it, I'll sa

Years ago I found myself in one of those awkward elevator pairings where you are unexpectedly face to face with your CEO. It's a particularly awkward spot when you are a CISO, as beyond the usual desperation to sound brilliant that most execs feel in that spot, the CEO these days also feels pressure to demonstrate "tone at the top", "executive buy-in", and "stakeholder oversight" when given the chance. In that particular vignette I doubled down on the awkwardness, as his quick cordial cyber com

Returning from 6 months as the interim CISO of Silicon Valley Bank, host Jerry Perullo speaks about Board/CISO interaction on the FS-ISAC Insights podcast. Full video interview at fsisac.com/insights 00:04:35 Being the Interim CISO of SVB through the crisis 00:06:36 The CISO “seat at the table” 00:14:00 Board TRIC 1: Threats 00:17:30 Board TRIC 2: Risks 00:19:30 Board TRIC 3: Incidents 00:21:20 Board TRIC 4: Compliance 00:26:00 CISOs as Board Directors Season 2 Episode 1 - Board/CISO I

There is a lot of confusion about network ingress and egress. This isn't limited to junior staff; I've witnessed this many times among software engineers and technology leaders alike. Often only network and firewall engineers really comprehend the topic fully, though this should not be the case. A network connection must begin with an "initiator". This is usually thought of as a "client" in a traditional "client server" model. The client is defined not by their intention, purpose, or operating

Episode 2: Risks In Episode 1 of this series I talked about oversight of cybersecurity threats and how a Board can engage with senior management to determine the mission of the cybersecurity department and prioritize testing and analysis. Now it's time to move on to cyber risks and what level of detail is appropriate in a Board room. To steer our conversation let's use a Remediation Agility chart. Similar to the Threat Objective portrayal in Episode 1, this visual is meant to sit on the screen

As part of my advisory work, I often help companies find and/or interview security leaders. While I'm a huge fan of screening quizzes, I realized that I should go a step further and help firms understand what I'm trying to detect or avoid during the interview process. In the process of discussing this with some peers, the Bad CISO Archetypes list was born. Look out for these when you are hiring - but more importantly steer your career to avoid becoming one! Chicken Little You don’t want someo

Bugcrowd founder Casey Ellis joins #lifeafterCISO to talk about bug bounty programs in the wake of the Joe Sullivan Uber trial. Whether you've been running bounty programs for years or just learned of them last week, this conversation will take you from basics straight into the most interesting and controversial bits. 01:25 The Joe Sullivan Uber trial and its impact on bug bounties 10:30 Clearing Assurance Debt: The initial wave of bounties 15:40 Ostrich Risk Management 22:55 Vulnerability D

With mounting pressure around cyber literacy in the Boardroom, Directors are looking for specifics around what will be expected of them. Likewise, organizations are wondering what is fair for Directors to expect of management. Drawing on experiences from both sides of the table, following are reasonable expectations that leverage Director talents to establish effective cyber oversight. I'll do this using a mnemonic to guide program governance internally and externally - TRIC: Threats, Risks, In

Congratulations on your first cybersecurity job! Whether you are just entering the workforce or pivoting to a new field, here are some inside tips that may help you succeed. 1. Never say "that isn't my job". The colleagues I've seen advance and realize success in their cyber careers were willing to pitch in and help without regard to job description. This will be magnified if your employer is a smaller company, but the general idea is that companies and cultures are forged by the people who c

Sounil Yu joins the #lifeafterCISO podcast and shares the idea of "retiring many times". Sounil is the renowned author of the Cyber Defense Matrix and lauded by the CISO community for his ability to step back and view problems in a new light. Host Jerry Perullo and Sounil go on to look at the Equifax breach from a new angle, talk about CISO accountability, and finally offer up their early thoughts on the Twitter whistleblower report. 01:43 Returning to work as a CISO 10:30 Do CISOs spend too m

An essential part of moving on from a long tech career is just figuring out when the time is right. Join host Jerry Perullo and retired Netflix CISO Jason Chan for a discussion about picking your time, "Identity Management" after retirement, and the Psychology of Happiness. Links to the material discussed by Jason Chan include: https://arthurbrooks.com/podcast_show/the-art-of-happiness-with-arthur-brooks/ https://www.coursera.org/learn/the-science-of-well-being Episode 05 - Deciding When I

I used to have a TVM team. Threat & Vulnerability Management. The individuals in there had the word "Vulnerability" in their titles. It's how a lot of shops roll. TVM seemed to become a default piece of the "build a cyber shop playbook". And if you survey big CISO organizations today, you'll still find a lot of TVM departments. I'm not sure how this came to be, but I can't think any of us ever organically decided that we needed an individual - no less a team - specifically tasked with managing

I've been using the term "West Coast CISO" a lot lately. While it feels like CISOs used to be either network/infrastructure CISOs or risk manager CISOs, now the split is having to make room for the CISO heavily focused on code security. The image is one of a CISO born in the cloud, focused on delivering (security) bug-free code, and thus focusing architecturally on CI/CD, change control, and automation, to oversimplify. This emphasis on code is contrasted with network controls and discussion of

As originally published on Vectra's Unfiltered at https://www.unfilteredcxo.com/ Cybersecurity is afflicted with the duty of “proving a negative” all the way up to the Board room. We can learn some tricks from incident response and threat intelligence to tackle the art of distinguishing the lucky from the good. When it comes to incident response, it is challenging – but essential – to define criteria for closing an investigation. Enter the true positive. When someone says that they did not see

Episode notes In this Episode host Jerry Perullo talking about cybersecurity in higher education. A Professor of the Practice in the Georgia Tech School of Cyber Security and Privacy, Perullo thinks aloud on the challenges that have prevented cyber from taking off at the undergraduate level before focusing on specific steps you might take to pursue this career path. 00:00:55 A Brief History of Cyber in Higher Ed 00:03:11 The Archetype Cyber Curriculum 00:08:03 Enter the CISO: t-5 00:13:25 W

In this Episode host Jerry Perullo talking about cybersecurity in higher education. A Professor of the Practice in the Georgia Tech School of Cyber Security and Privacy, Perullo thinks aloud on the challenges that have prevented cyber from taking off at the undergraduate level before focusing on specific steps you might take to pursue this career path. 00:00:55 A Brief History of Cyber in Higher Ed 00:03:11 The Archetype Cyber Curriculum 00:08:03 Enter the CISO: t-5 00:13:25 When You Are Rea

In this episode we are talking about Angel Investing, Advisory Work, and how they are essentially the same thing when you get down to it. Hear some details about evaluating opportunities, structuring "deals", and avoiding mistakes along the way. 00:05:37 Don’t Screw Up - Riding VC Paper, the FAST Agreement, Option Vesting,... 00:21:26 Win - Playing to your Strengths 00:24:11 Diversify - Frequency and Volume to Avoid Black Swans 00:30:17 Conflicts & Disclosure Episode 03 - Angel Investing

In this episode, host Jerry Perullo explores the opportunities and challenges for retiring tech executives and CISOs in the Board room. Hear about how Boards need business leaders first and specialists second, and what you can do today to groom yourself in that very direction. 01:57 Background 07:45 The Traditional Board Director 09:50 Episode BLUF 10:19 Landing a Seat 14:32 Your Board Profile 16:08 t-3: What You Should do Now 28:40 Recap Episode 02 - The CISO Board Director | RSS.com

In this introductory episode, host Jerry Perullo talks about the range of opportunities available to tech executives after the day job. Perullo leverages his 20 years of experience as the founding CISO of ICE and the New York Stock Exchange to discuss what you can do 3-5 years before leaving your post to get prepared. 00:08:43 Advisory Work 00:13:20 Consulting 00:16:00 Angel Investing 00:25:05 Board Directorship 00:35:12 Entrepreneurship 00:37:06 Teaching 00:39:12 Volunteering Episode

There is a lot of confusion when it comes to cybersecurity "geo restrictions" on networks, and just as much when it comes to corporate travel protocol. While the topics are distinct, they are often conflated and share enough underpinning facts to discuss together. First, let's talk about geographic network restrictions. We can organize that topic by ingress - or inbound restrictions, and egress - or outbound. INGRESS Ingress geographic network ("geo IP") restrictions apply to restricting wha

There is a misconception out there that security departments should be ingesting feeds of Indicators of Compromise (IOCs) and loading them into firewalls, endpoint software, and proxy configurations as soon as possible. This perception is amplified by product marketing focused on the task, and it's easy to get caught up in the idea that this is our mission. By the time an IOC has been published in an intelligence report, there is a high likelihood it has been neutralized. Imagine a command & co

Patching became a household term during the Equifax security breach and Congressional hearings. While IT maintenance and hygiene have their place in running a secure environment, over-emphasis can distract limited resources from more important tasks or trigger operational risks. Patches are only relevant when a security vulnerability is known and addressed by a vendor. So whether it is a 0-day vulnerability discovery without a patch yet available or just the unavoidable window between the time

In addition to new rulemaking and interpretive guidance on cybersecurity from the SEC, public companies are seeing their cybersecurity disclosures and assertions weighed directly by investors, ratings agencies, and insurance providers - not to mention prospective customers. Investors and analysts are capturing cybersecurity maturity alongside other Environmental, Social, and Governance (ESG) priorities, and agencies are performing algorithmic reviews of public filings to score companies on their

Since 2010, the Three Lines of Defense model has been widely adopted as an authoritative framework for operational and financial enterprise risk management across the globe. The model was not intended to dictate new positions and roles within an organization per se, but to evaluate existing structures to ensure sufficient coverage and independence to provide effective risk management. Even if you are not evaluated against the model today, it is a useful framework to gauge the maturity of your or

Below are some things I learned as a CISO making angel investments into cybersecurity startups. I’m not a professional investor or financial advisor, and I’m avoiding discussions on whether you should pursue private investing or how to pick winners. My focus in this article is on the types of investments, customs, and definitions a CISO focused on cybersecurity startups is likely to see around 2021+, and helping you understand the terms you will hear if you decide to get involved. Basics Delib

Multifactor authentication (MFA / 2FA) is arguably the most powerful security control deployed over the past 20 years. But it dawned on me that it isn't multi that's really getting it done. It's the fact that one of those factors has been a one-time-password (OTP or 1TP) in a token or app that changes every 60 seconds. The unwritten math about MFA is that a single factor is difficult to compromise, and thus two of them = difficult^2. But in reality our static credentials have become easy thanks

I listened to an NPR story on SMS SIM swapping on my drive in this morning. This is a pretty well-documented threat vector whereby adversaries port your phone number over to their device at a key moment in an authentication hack so they can intercept a one-time verification code and impersonate you. The way it usually plays out, the intercepted code plays a part in "recovering" a "lost" password for your email account, which they then use to "recover" more passwords for more important accounts,

Cybersecurity is arguably the most concerning topic across corporate board rooms these days, with Directors clamoring for data not just on risk, but on general education around this new and complex subject. This collection of tips mirrors a talk I gave at the FS-ISAC annual summit in April 2018 and I hope follow CISOs, security practitioners, corporate governance professionals and corporate Directors may find it helpful. Episode 1 introduced core Corporate Governance concepts for Security Profe

Cybersecurity is undeniably one of the most concerning topics in corporate board rooms today. Directors are looking not only for assurance around the obvious risks, but for general education around this new and complex subject. Clarity is sought around what is expected of Directors, how exposed a firm is to the latest breach on the news, how management assesses cybersecurity risk, and how a firm's program stacks up in independent reviews. A knock-on effect of this is a raft of questions among CI

I'm pleased to be a part of the publication of a substantial Cybersecurity Guide for Directors and Officers announced yesterday. I hope you will visit www.securityroundtable.org and enjoy the entire book and more. Following is my contribution (Chapter 27): What are they after? A threat-based approach to cybersecurity risk management Intercontinental Exchange & New York Stock Exchange - Jerry Perullo, CISO Given finite resources and the ongoing threat of the “next big hack,” cybersecurity is