Adversarial Content

Browse our blog posts, articles, and episodes of The Adversarial Podcast
The Adversarial Podcast Ep. 18 - CISA cuts, North Koreans steal $1.5B in crypto, planning for RSA Conference

💰 Budget cuts hit CISA, and election security programs might be first on the chopping block. The team debates whether these cuts were expected, what they mean for cybersecurity, and whether some programs were outside CISA’s core mission in the first place. Reference: https://www.scworld.com/perspective/a-sober-look-at-the-recent-cuts-at-cisa ⚔️ A sudden shift in cyber warfare stra

The Adversarial Podcast Ep. 17 - 2025 CISO Compensation Survey, Okta layoffs and employee value, TLS inspection

Episode notes ⬇️ See below for timestamps/summaries/references for each topic 00:00 Highlight/theme 00:37 Intro 1:21 Hitch Partners survey of CISOs 13:34 Dangling S3 buckets 24:35 Update on Cybersecurity Innovation Executive Order 32:58 Cyber stocks - NET and CRWD at all-time highs 44:07 Okta lays off 180 employees, including security engineers 55:47 Is anyone actually doing

The Adversarial Podcast Ep. 16 - Cyber policy wishlist, RedNote/TikTok, Marsh's cyber insurance report, do CISOs need deep technical skills?

1:33 Biden's Executive Order on Cyber Security 5:18 Cyber policy wishlist 21:30 TikTok and RedNote 29:36 Marsh's report on cyber insurance 49:21 Do CISOs need to be highly technical? Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity The outgoing Biden administration issues an executive order aimed at enhancing cyb

The Adversarial Podcast Ep. 15 - US-China-Taiwan cyber relations, mobile app ads facilitating spying, holiday DoS vulnerabilities

Join former CISOs Jerry, Mario, and Sounil as they dissect the latest cybersecurity news, discuss evolving threats, and share their seasoned perspectives on infosec. 1:48 China accuses US of stealing trade secrets 10:05 Taiwan reports 2.4M Chinese cyberattacks/day 18:21 Christmas day Chrome Extension hacks, including Cyberhaven 23:28 Krebs: U.S. Army Soldie

The Adversarial Podcast Ep. 14 - Future of CISA/SEC under Trump, US Telco news, DAO faces $50M hack

In this episode of The Adversarial Podcast, Jerry Perullo, Mario Duarte, and Sounil Yu discuss the latest developments in cybersecurity, geopolitical threats, and emerging trends as 2025 approaches. The Future of SEC/CISA under Trump 2.0. With Trump returning to office, the hosts discuss possible changes to SEC-mandated cybersecurity disclosures and the potential of priorities shifting awa

The Adversarial Podcast Ep. 13 - East/west coast CISOs, top CISO expenses in 2024, crypto regulation

In this episode of The Adversarial Podcast, Jerry, Mario, and Sounil bring their adversarial insights to a packed discussion of the latest topics in enterprise cybersecurity. - East Coast vs. West Coast CISOs: The trio explores the divide between East Coast and West Coast CISOs. Is the East too focused on risk? Does the West overfit to AppSec and "shift-left" practices? - 2024 CISO Budget Report: Where are CISOs spending their increasing budgets in 2024? The hosts

The Adversarial Podcast Ep. 12 - RSA Conference making competition winners accept investment, inefficacy of phishing training

In this episode of The Adversarial Podcast, former CISOs Jerry Perullo, Mario Duarte, and Sounil Yu explore critical topics shaping the cybersecurity landscape. 1. Crosspoint Capital’s RSA Innovation Sandbox Model The hosts discuss Crosspoint Capital's controversial $5 million SAFE investment requirement for Innovation Sandbox finalists. They examine the implications for startups, founders, and the cybersecurity ecosystem as a wh

The Adversarial Podcast Ep. 10 - the CISO job market, CRQ, beg bounties, cryptography...

(00:00) Intro (5:15) The CISO job market: present and future (25:57) Handling beg bounties and VDP (41:30) Quantum cryptography – how important is cryptography, really? Stories: * “Chinese Researchers Reportedly Crack Encryption With Quantum Computer” - https://www.pcmag.com/news/chinese-researchers-reportedly-crack-encryption-with-quantum-computer Hosts: * Jerry Perullo: https://www.l

The Adversarial Podcast Ep. 9 - NIST password guidelines, CUPS vulnerabilities, breach vs. hack

Episode notes (00:00) Intro & NIST’s new password complexity requirements (13:19) CUPS vulnerability: critical or a distraction (31:26) Federal standards for cybersecurity in health care: should legal responsibility fall on individuals? (47:30) What constitutes a hack vs a breach? Stories: * “NIST Drops Password Complexity, Mandatory Reset Rules” - https://www.darkreading.com/identity-ac

The Adversarial Podcast Ep. 8 - Pagers and Supply Chain Attacks, GitHub stealers, “Founder Mode”

(00:00) Intro (02:24) Exploding pagers: are psychological attacks worse than breaches? (20:21) Are credit card breaches still a concern in 2024? (24:57) Infostealer delivered through GitHub Issues: how are trustworthy services being abused? (31:45) Founder mode: when is it time to switch from "founder mode" to "manager mode?" (44:02) Is open-source more secure than closed-source? Stories and books mentioned: * “Israel plant

The Adversarial Podcast Ep. 7 - Security Certs, Vulnerability Disclosure, and Effective Security Controls

Episode notes Listen as CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss the value of security exams and question the relevance of certain certifications in today’s industry. Then, they dig into the vulnerability disclosure process, exploring how CVEs impact companies outside the SaaS world and whether CISA’s "Secure by Design" initiative is truly effective across industries. Finally, they discuss security misprioritization, from school systems to corporate desktops,

The Adversarial Podcast Ep. 6 - SSN Leaks, Cloud Misconfigurations, and Passkeys

Episode notes Join former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu as they debate the impact of SSN leaks, discuss the effectiveness of the ransom payment bans recently implemented in Miami, and review recently reported AWS misconfigurations. Then, listen as they debate passkeys, vulnerability management, and board reporting. 00:00 Intro 02:17 Social Security Number breach 14:48 Ransomware payment bans 21:47 AWS

The Adversarial Podcast Ep. 4 - CrowdStrike Lawsuits, Overhyped Exploits, and Fake Remote Employees

Episode notes Join former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu as they discuss upcoming lawsuits related to the recent CrowdStrike outage, switching costs, overhyped security vulnerabilities and their effect on practitioners' responsibilities, fake employees from North Korea, information stealers and the state of password managers, and the increasing threat of deepfakes. Stories * “CrowdStrike i

The Adversarial Podcast Ep. 3 - CrowdStrike, Wiz Acquisition Rumors, and SolarWinds

Episode notes In this episode, former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss the recent CrowdStrike outages, PR in the recent Wiz acquisition rumors, stakeholder value in Rapid7, and the SEC dropping charges in the SolarWinds case. Stories: - Activist Jana has a stake in Rapid7. There are two paths to bolster value at the cybersecurity company: https://www.cnbc.com/2024/06/29/two-paths-for-jana-to-bolster-shareholder-value-at-rapid7.html - Google Near $23

The Adversarial Podcast Pilot – Cybersecurity Investments, Secure Configurations vs. Code, and Risk Management

Episode notes Join former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu as they reflect on the state of cybersecurity investments in 2024, debate the importance of configuration vs. code security, and discuss the importance of governance in risk management. Stories: * ‘There’s A Lot Of Noise’ — VCs Trying To Find Clarity In Cluttered Cyber AI Landscape: https://news.crunchbase.com/cybersecurity/venture-funding-ai-wiz-ma-rsa/ * Wiz raises $1B at a $12B valuation to expan

The Adversarial Podcast Ep. 2 - Chrome Extension Vulns, Cyber Job Market, Mouse Jigglers, and the Ransomware Plague

Episode notes In this episode, former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss malicious Chrome extensions, the cybersecurity job market, mouse jigglers and security policy, and the impact of the recent ransomware wave. They share insights from their experiences, exploring the challenges of managing browser security policies, job burnout, and banning ransom payments. Stories: * Millions under threat from malicious browser extensions — what to do: https://www.t

The Adversarial Podcast Ep. 1 - Snowflake, Shared Fate, and the Gili Ra’anan Model

In this episode, former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss the recent wave of cyber-attacks using Snowflake and the model of shared fate. They debate the effectiveness of banning ransom payments and explore the complexities of cybersecurity regulation, using recent events involving UnitedHealth and Jerry's former employer as case studies. The conversation also touches on the ethical dilemmas CISOs face when interacting with venture capital, highlighting pers

Season 02 Episode 02 - The Interim CISO

Joined by fellow Interim CISO veterans Yael Nagler of Yass Partners and Aurobindo Sundaram of RELX, host Jerry Perullo reflects on his experience as the Interim CISO of Silicon Valley Bank and explores the challenges of the role from hiring manager and candidate perspectives. Yael Nagler: https://www.linkedin.com/in/yaelnagler/ Aurobindo Sundaram: https://www.linkedin.com/in/aurobindosundaram/ 00:16:30 Why hire an Interim CISO? 00:21:00 Is there such a thing as KTLO in the CISO role? 00:30:3

The Risk Acceptance Myth

The notion of "Risk Acceptance" has always challenged me. For the uninitiated, Risk Acceptance is a concept often discussed in cybersecurity leadership when it comes to accountability for cyber debt. The idea is that cybersecurity leaders and other professionals identify risks and recommend mitigating actions that would reduce that risk, but recognize that it is always up to business leadership to weigh the costs and benefits of change and make a final decision. Risk Acceptance has always come u

Encryption is Overrated

Years ago I found myself in one of those awkward elevator pairings where you are unexpectedly face to face with your CEO. It's a particularly awkward spot when you are a CISO, as beyond the usual desperation to sound brilliant that most execs feel in that spot, the CEO these days also feels pressure to demonstrate "tone at the top", "executive buy-in", and "stakeholder oversight" when given the chance. In that particular vignette I doubled down on the awkwardness, as his quick cordial cyber com

Season 02 Episode 01 - Board/CISO Interaction

Returning from 6 months as the interim CISO of Silicon Valley Bank, host Jerry Perullo speaks about Board/CISO interaction on the FS-ISAC Insights podcast. Full video interview at fsisac.com/insights 00:04:35 Being the Interim CISO of SVB through the crisis 00:06:36 The CISO “seat at the table” 00:14:00 Board TRIC 1: Threats 00:17:30 Board TRIC 2: Risks 00:19:30 Board TRIC 3: Incidents 00:21:20 Board TRIC 4: Compliance 00:26:00 CISOs as Board Directors

Cyber Governance: What is Fair to Expect from Board Directors and Management? 2 of 4

Episode 2: Risks In Episode 1 of this series I talked about oversight of cybersecurity threats and how a Board can engage with senior management to determine the mission of the cybersecurity department and prioritize testing and analysis. Now it's time to move on to cyber risks and what level of detail is appropriate in a Board room. To steer our conversation let's use a Remediation Agility chart. Similar to the Threat Objective portrayal in Episode 1, this visual is meant to sit on the screen

Season 01 Episode 07 - Bug Bounties with guest Casey Ellis

Bugcrowd founder Casey Ellis joins #lifeafterCISO to talk about bug bounty programs in the wake of the Joe Sullivan Uber trial. Whether you've been running bounty programs for years or just learned of them last week, this conversation will take you from basics straight into the most interesting and controversial bits. 01:25 The Joe Sullivan Uber trial and its impact on bug bounties 10:30 Clearing Assurance Debt: The initial wave of bounties 15:40 Ostrich Risk Management 22:55 Vulnerability D

Vulnerability management is dead. But GRC is hiring...

I used to have a TVM team. Threat & Vulnerability Management. The individuals in there had the word "Vulnerability" in their titles. It's how a lot of shops roll. TVM seemed to become a default piece of the "build a cyber shop playbook". And if you survey big CISO organizations today, you'll still find a lot of TVM departments. I'm not sure how this came to be, but I can't think any of us ever organically decided that we needed an individual - no less a team - specifically tasked with managing