CyberWire Daily - Beyond cyber: Securing the next horizon. [Special Edition]
Episode Date: May 11, 2025
Cybersecurity is no longer confined to the digital world or just a technical challenge, it’s a global imperative. The NightDragon Innovation Summit convened a group of industry leaders to discuss how public and private entities can work together to address emerging threats and harness the power of AI, cybersecurity, and innovation to strengthen national defense. In this special edition podcast, we capture a glimpse into the knowledge and expertise shared at the NightDragon Innovation Summit. We are joined by NightDragon Founder and CEO Dave DeWalt, DataBee CEO Nicole Bucala, Liberty Mutual Insurance EVP and CISO Katie Jenkins, Sophos CEO Joe Levy, and Dataminr VP of Sales Engineering Michael Mastrole.
Transcript
You're listening to the CyberWire Network powered by N2K.
Hello everyone and welcome to this N2K CyberWire special edition, Beyond Cyber, securing the
next horizon.
I'm your host, Dave Bittner.
Today, we're looking past firewalls and phishing emails to explore the future of security,
where strategy, innovation, and AI converge to defend a rapidly shifting threat landscape.
In this episode, we're joined by a powerhouse lineup of guests who are shaping that future.
First, Dave DeWalt, founder and CEO
of NightDragon, takes us inside the high-stakes world of cyber investment, where the next
wave of security innovation is getting its fuel. Then we hear from Nicole Bucala, CEO
of DataBee, who breaks down the reality for today's CISOs. It's not just about tech, it's about time, talent, and trust.
Next, we hear from Michael Mastrole, VP of Sales Engineering at Dataminr,
bringing us into the world of agentic AI, showing us how smarter tools are helping security teams
detect and respond before the damage is done. We'll also hear from Joe Levy, CEO of Sophos,
on why the future of cyber defense
depends on tighter integration from cloud to endpoint
and why innovation without coordination is a risk itself.
And Katie Jenkins, CISO at Liberty Mutual,
sharing what's keeping CISOs up at night,
what's giving them hope.
So whether you're leading a security team,
building the next great startup, or just want to stay one step ahead, stay tuned,
because the next horizon isn't just coming, it's already here.
Our first guest knows the cyber industry from the boardroom to the battlefield.
Dave DeWalt, founder and CEO of NightDragon, has been at the helm of some of cybersecurity's biggest names.
Now he's investing in the future, betting on the next generation of security innovators.
He joins us to talk trends, risks, and where smart capital meets smart defense.
It is always my pleasure to welcome back to the show,
Dave DeWalt, he is the founder and CEO of NightDragon.
Dave, welcome back.
Dave, thanks for having me.
Look forward to another RSA coming up
and lots of opportunity to see friends
and kind of family this whole cyber community.
So thanks for having me on the show again
and thanks for all you do as well.
Well, thank you. I appreciate it. And speaking of RSAC this year,
NightDragon is hosting the NightDragon Innovation Summit,
which I will mention. N2K CyberWire,
we are media partners with that event and very pleased to be taking part in
that. So if folks haven't checked out the information on that,
please do.
Again, it's the NightDragon Innovation Summit.
Dave, as we're heading up towards RSA Conference this year,
what are you planning on looking around for?
What do you have your ear to the ground
when it comes to innovation in the cybersecurity sector?
Yeah, there's so much every year, Dave.
It's always amazing to touch base
with so many different people.
NightDragon, we have a very specific strategy.
We try really hard to unite as much as we can
of our ecosystem of portfolio companies,
our partners, our advisors into forums,
like you mentioned, the Innovation Summit, but really create a
balance of that where we can see some of the most young and exciting technology that's
emerging like AI and even quantum areas now, but also hear from the large titans in the
industry as well, the Palo Alto Networks, the CrowdStrikes, the Check Points, the Microsofts, and really see what they're doing.
And we all know the word platformization from last year,
which has a lot of the buzz again coming in this year,
because many of the large companies are doing extremely
well, they're continuing to grow.
But we've also had some unparalleled and
unprecedented events over the last year.
It's not just the geopolitical environment we could talk about, but also the acquisitions
by Google.
$42 billion.
I mean, look at the history of cyber.
This is very unprecedented.
And so there's a lot of good buzz coming into it, a lot of nervousness, and I think anxiety
a little bit too, because, you know,
what once was a pretty strong public-private partnership model with the government still
has yet to be, you know, kind of vetted out.
So we're kind of anxious about it in some ways, excited about all the technology in
other ways, and really happy to see friends and family and all our partners and portfolio
companies at the same time, all in one place, San Francisco, exciting times.
Well, what sort of themes are you seeing from founders right now?
Are there, are there any categories or types of companies that feel particularly
hot and then on the flip side, are there some things that might be a bit overhyped?
Yeah, you can take, you know, just take a look at the last 84 days of this administration
and you can kind of get a little sense of some things that are quite hot because of some
of the administrative policies.
One of the areas is third party risk management, right?
I mean, how many companies right now are trying to figure out what the tariff impacts are
on them?
How do we understand what the tariff impacts are on them?
So supply chain risk management, I think, is one of the hottest areas right now because
it hasn't been really deployed much.
It needs to get deployed more.
We need more visibility.
It's not just a tariff risk or threat, but the cyber elements of it all too, because
we see now a focus on China and other countries when it relates to threats and risks
of tariffs, how does it affect your supply chain?
So that's one, like, I hate to call it, you know, du jour, but it's like a big important
one.
But the bigger themes, Dave, are also really important.
We're watching the wave of AI really manifest itself into really pragmatic, usable solutions at scale now.
I mean, the last two, three years, I've been there hosting events and AI summits and things.
You know, a lot of ideas and a lot of visions becoming reality.
And this is really attractive to many defenders that are out there because if we can begin
to scale our operations through autonomy or now agentic AI, it gives the
defense a powerful lever against the offense for the first time.
Many CISOs are restrained by the number of humans they can put in their SOC operation
or the number of people they can afford or contractors they can support.
Autonomy has a way now of creating good bots and good capabilities to scale.
So I'm really looking at RSA this year as the year of agentic AI.
And we can see it.
Agentic AI being used for a lot of different reasons.
Agentic responses for faster response to a threat.
Agentic scale for humans.
Pen testing areas of autonomy.
Threat management with autonomy.
So you're going to hear autonomy and agentic AI.
And if you just count the number of times they're said
in every keynote, we can make a bet here
for how many nickels we can win.
You know, with all this innovation that we're tracking here,
and you alluded to this earlier,
how are you seeing CISOs balancing
between best of breed and best of suite platforms.
There's a little bit of tension there.
Yeah, a lot of bit of tension there, Dave.
It's a pendulum I've talked about for many, many years,
two decades, you know, best of breed versus best of suite.
And it's like a pendulum and you can almost watch it
over the years, you know, as the threat environment
got more and more difficult, it would move to best
of breed because you would typically see the need for new vendors filling holes that the
bigger vendors couldn't solve quick enough.
And then as the market maybe, you know, calmed for a little bit, you'd see the best of suite
emerge.
Now we have like almost both of those happening.
You have the rise of the Titans, I like to say, which are the largest cyber Titans, Palo Alto Networks,
Zscaler, CrowdStrikes, Check Points, Fortinet types.
But you also have the rise of the Cloud Titans
who have massive businesses as well,
Microsoft, AWS, Google now with all the acquisitions,
especially of Wiz, but Mandiant.
They've spent nearly 40 billion buying into the cyber market
over the last two years.
So you're watching this clash of titans and it's a really interesting dichotomy of young
companies filling new areas of threats and risks while platform vendors try to gobble
it all up.
And it's going to be, I believe, the hottest topic yet again, maybe outside of the government
and what's the government going to do.
But platformization, best of breed, best of suite, it's a real important topic and it's hard
for CISOs to balance because they don't want to get too much economic dependency on a big
vendor, but they also know they can get advantage in a single suite that's integrated.
So how do you create a balance of the two?
It's really a popular topic.
Many CISOs are veterans at this because
the average number of vendors is somewhere over 50, average around 80 vendors per large
enterprise anyway. So they're used to it. But would they like to create efficiency and
cost economies? Absolutely. But they got to make sure there's no new threats and risks.
So they need the new vendors. It's a really interesting, it's such the shape of cyber
in the world of cyber. I find it super fascinating.
Yeah.
Let me put you on the spot a little bit here.
As you're looking ahead towards the next year or so,
maybe into the following year,
is there anything on your radar that you think
isn't getting the attention that it deserves?
Something that's kind of lurking in the shadows
that may surprise people.
Yeah, I have several and these are important to keep an eye on.
You know, my entire career, 25 years of being in cyber security largely, has been all about
the transmission of malware and a physical form factor, almost like a digital factor, meaning files and remote
access tools and spear phishing and other types of ways to deliver payloads into a network
or onto an endpoint.
But it's changing and we're seeing the world of electronic warfare begin to meet cyber.
And this is a little scary when it comes to the ways in which we can create denials of service,
disrupt protocols and channels using RF or radio frequencies.
We're watching the emergence because of wars
in Russia and Ukraine and Israel,
where the inertia of EW or high performance microwave,
HPMs, really now create a next threat level in the world of cyber.
Because if I'm able to steal your data from your phone, say,
or from your computer, from your data center,
using RF or electronic capabilities,
I don't really have any defenses for that yet.
So we're watching offense really hurtling towards capability in the areas of electronic warfare.
I think we're going to be talking about it.
I don't see any keynotes on it at RSA yet, but having my pulse to the ground as I do,
things I see, this is in the war theaters already.
Offense has these capabilities.
Defense is really far behind.
And we've got to catch up.
And then the second one quickly is quantum.
We're watching what once was everybody's thinking,
Horizon 2 or 3, maybe 2030, we'll
see the world of qubits and quantum capabilities.
Wow, is that happening fast, almost like AI did.
All of a sudden, Transformers came about, and next thing you know, we had amazing capabilities,
ChatGPTs and DeepSeek last year, and wow, look at all this stuff happening.
I think quantum's going to surprise a lot of people.
In fact, one of my showcases at the Innovation Summit is around quantum, as well as AI, of
course.
But we're trying to show like what's
coming in the next kind of 12 months, 18 months, Dave, and keep an eye on quantum, keep an
eye on electronic warfare.
And there's other areas, of course, in AI and model drifting and model management that's
really important as well.
But two ones on the horizon, quantum and electronic warfare.
Well, the NightDragon Innovation Summit is happening at RSAC 2025.
We'll have a link to that in the show notes.
Dave DeWalt is founder and CEO of NightDragon.
Dave, thanks so much for taking the time for us.
Thanks for having me, Dave.
Look forward to seeing you there too.
Thank you.
Today's CISOs are juggling more than ever, threats, tools, compliance and burnout.
Nicole Bucala, CEO of DataBee, knows this struggle firsthand.
She shares what she's hearing from security leaders in the trenches and what it really
takes to build resilience in an overwhelmed world.
So we are coming up on DataBee's two year anniversary since the launch from Comcast.
I have to say, first of all, time flies.
But I'm also curious, how is it going?
How has it been for you all two years into your startup mode?
It's been a really exciting, rewarding, and learning-filled journey.
One of the most amazing things about this journey has been the deep interaction with
practitioners.
It's why I came to Comcast to start this business to begin with.
As a quick reminder for anyone who's not familiar,
DataBee is a commercial version of a security data fabric
that was invented by Comcast's own global CSO.
And so as we build out more and more use cases for DataBee,
we actually interact with and are inspired by
a variety of different groups at Comcast.
So whether it's the governance risk and compliance team
or the vulnerability management team
or the IT team that works with the CMDB
and the asset inventory or the threat hunting team,
there is just so much learning that happens all around
with a beautiful interaction between those practitioners
and then the variety of highly skilled software developers
and customer-facing professionals
that have joined the DataBee team from a variety of different companies.
Amazingly, we're already over 120 people strong worldwide, and we have employees across three
continents and six countries.
The solution's available both in the US and in Europe for sale. And it's just been so great to see customers implement it
and just be so happy with the results.
Well, let's talk about some of the data challenges
that CISOs are facing today.
What sort of things do you find they're grappling with?
So the number one thing I find them to be grappling with
is the increasing demand for
reporting to show compliance with certain security frameworks.
We have customers that follow NIST CSF 2.0.
We have customers that need to show
compliance with the PCI DSS 4.0 regulations,
and then we have customers that have to show
a set of dashboards that align to the Gartner ODM metrics.
And we have customers that have a mandate to align to the CIS controls, all 18 of them.
And so this need for reporting has created a lot of pressure on these security and risk
teams.
And they're looking for ways to automate the reporting
and to have higher fidelity in the data
that underlies the reporting.
And so it's been really interesting to see
such a wide variety of frameworks be adopted,
yet the mission is all the same,
which is how can I have better faith in what I have
and where the gaps are and what I need to do
to close those gaps?
And then sometimes customers need to prove whether it's to regulators or to their board
that they have certain controls, that they know where the blind spots are, and that they're
doing things to cover those blind spots.
Well, help me understand how organizations do that.
How do you connect the dots between the different security data that you have to be able to demonstrate compliance?
Yeah, that's a great question.
And this is an old problem.
I think a traditional approach that folks took
was to output a data file, a static data file,
to something like a CSV, which is a spreadsheet.
And then they found themselves working
with data in different spreadsheets and trying to merge that data into
some dashboard with your typical images
like pie charts and bar charts and trying to tell a story.
The problem with that traditional approach is as soon as you
export data to a CSV, the data is now old.
If you have a need to do reporting continuously or,
if not continuously, then on some recurring
basis, perhaps quarterly or yearly, the act of having to wrangle everything together in
spreadsheets ends up creating an inaccurate submission at the end of the day.
So what we do is we have a proprietary ingest, parse, normalization, and correlation technology
that allows for this data to be continuously ingested
and not just ingested, but parsed and then arranged
and then triangulated with each other so that the data set
is always ready for that analysis.
And on top of that, we actually provide an alignment
with the frameworks that I just mentioned,
reports and dashboard templates that draw on that data
and render the data into over 30
of the most common controls metrics
that a leader of security and risk
in a regulated company would want to see today.
So suppose I'm under more than one data regime here, or I should say regulatory regime.
I'm covered there as well?
Yeah, so we actually built into the tool the ability to toggle between different regulatory
frameworks because the reality is that, you know, if you need MFA, you need MFA.
And many different frameworks call for that.
Same with endpoint detection and response.
Many different frameworks call for that.
Now, they may measure the controls slightly differently,
or they may include different aspects of that control.
But we actually have built the ability
to toggle between them.
And so that just further aids in the automation
and reduces the amount of manual work that any sort of data reporting team is going to have to do.
I want to switch gears with you a little bit. We have RSAC 2025 is coming up fast. I'm curious,
so what kinds of things do you expect to see and what are you looking forward to this year?
You know, I expect to see AI everywhere.
And then the latest buzzword, which is agentic AI, right?
I think that's still going to be very much
the talk of the town.
And it seems that there has been a maturation
in how folks are thinking about AI.
And I'm really seeing two things in the security space.
One is, how do I better prepare my data for
AI so that I get high fidelity results?
Because the power of the AI,
and particularly the generative AI,
which is the AI that learns,
is only as good as the data upon which it learns from.
And so we're seeing more and more focus on understanding data.
For some companies, that's really daunting, and for others, you know, they're prepared,
but I think there's going to be a lot of intellectual discourse there.
The other area is around using AI to replace certain human tasks, and I'm seeing more and
more suggestions around how can frontline security analysts,
how can that role actually be replaced by an AI chatbot,
or how can you use an AI chatbot
to suggest alerts to look into
and to suggest playbooks for response.
So I think there's probably gonna be a lot of hands-on
demonstrations and opportunities for folks to experience AI at the conference,
and I'm really excited to see what's going to be available on the show floor.
Yeah, it's a really interesting insight.
My personal take is that we started off with unbridled excitement for AI,
and then we went through this,
what I'll call the eye-rolling phase where it was everywhere and everything and was going to do
everything for everyone but I feel like we're kind of on the other side of that
and we've distilled it into the things that are really useful and it's kind of
recognized what it can and can't do. Do you think that's an accurate perception
of what's going on out there?
Yeah, I completely agree.
I think we're on the backside of that for sure.
I still think there may be a little too much buzz.
And you know, buzz is only deleterious when it means that someone skips over the fundamentals,
but that's where I think a lot of the data companies like ours come in, because they serve as a reminder to folks
that AI is not just a band-aid or a panacea.
There are prerequisites.
There are foundations that have to be put in place first.
So I think we are seeing more purposeful discourse about that.
We're also seeing discussions about how to use AI in
the workplace productively without
actually adding inefficiencies so that there can be places where AI can actually add inefficiencies
if it is used to deliver a result that actually isn't 100% accurate and then requires rework
or management oversight.
So we're now seeing more discourse about company policies
around AI, around training around AI, so that people use it in a way that's helpful and not
in a way that actually leads to rework.
You know, DataBee is coming up on your two-year
anniversary since launching from Comcast. Looking ahead to the next two years, how do you plan to
stay ahead of the curve?
How do you stay relevant in a rapidly changing field
like cybersecurity?
It's a great question.
One of the things that we have to our advantage
is Comcast actually acquired a company
called BluVector in 2019.
This company is 12 or 13 years old
in a very well established market space,
network detection and response.
And that industry itself has undergone peaks and valleys
with the approach of network encryption
and then the incoming fad around SaaS.
And so now we're seeing a lot of folks
move back to actually standard on premises deployments
of network monitoring capabilities.
And so we actually have a pretty cool integration
between BluVector and DataBee,
and it leverages Suricata and Zeek
and some really, really cool data
to really get ahead of the curve
from a threat hunting and detection standpoint.
And so that's one of the very unique pieces
of the DataBee portfolio is that BluVector piece.
I think the other thing that we're really focused on over the next two years is, again,
going back to the roots of how we began, which is just being so ingrained with the practitioner
mindset and the practitioner challenges.
For example, as there become more and more varied responses to insider threats.
We have the ability to,
with our insider threat use case,
actually help companies get the evidence
they need to launch criminal investigations into insiders.
And so I think we're seeing a maturation
of law enforcement response to cybersecurity attacks.
And so that's gonna to be an interesting area
over the next couple of years as well.
We'll be right back.
Artificial intelligence isn't just a buzzword, it's becoming a critical part of cyber defense. Michael Mastrole, VP of Sales Engineering at Dataminr, unpacks how organizations are
actually putting agentic AI to work.
He shows us how it's helping security teams stay ahead of fast-moving threats and where
it still has room to grow.
Dataminr is the real-time information company that helps global organizations detect early signals of
emerging risk so they can know first and act faster. When I talk to security officers,
they discuss to me their struggles with third-party risk vendors and threat intelligence.
Some of the challenges they face are late or non-notifications of third-party vendors that have been breached,
as an example.
Another one could be prioritizing last-minute vulnerability disclosures over others and
kind of fight this emergency change control process.
We may see them as like a vendor comes out and says, we're disclosing a vulnerability
today and it's being widely exploited.
So that's a struggle.
And then another struggle they face,
they employed quite a bit of people
or pay more than one vendor to monitor the dark web.
And really what they don't know about this problem,
essentially all of the data that they
would need to kind of solve these issues
actually live within the public domain.
They just really never had a way to systematically dig
through it at scale to find relevant information.
So we built a platform that leverages AI in a scalable way
to parse all of this public data, and that data can include
text, images, voice, video, and IoT sensor data, and distill it down to actionable alerts
that are pertinent to our customers and whatever they're looking for.
So really, we just turn chaos into clarity in real time and empower these security teams
with actionable information.
Hmm.
So, help me understand here, when we're looking at today's risk landscape,
how does an organization best dial in the sorts of things that Dataminr provides?
As customers use the Dataminr platform each day, we've helped them thwart losses and reduce risk,
and I'll just give you a few sample areas. One is executive risk and travel protection.
We help executives move around the world more safely,
avoiding the risks of travel.
And we just saw recently the shooting
in the Toronto airport.
Another, just to give you a cyber example,
vulnerability intelligence.
We help our customers coin a term
that an insurance company gave us,
help them look around the corner as to what their vendors will be disclosing in
the future as far as a vulnerability because we're kind of
will pick up something on the dark web.
And another example is third-party risk by providing them
early notifications of issues with disturbances and outages
from some of the platforms
that they're using from these third parties.
So if people come to see us at a trade show
or chat with one of our team members,
we'd be happy to show them what we call
a Dataminr in action example,
which shows a timeline of specific examples
that have happened within the physical
or the cybersecurity space to show them how
we can give them more time
and a better way to respond to these threats.
So we're kind of like an early warning system
for the most pressing risks.
You know, one of the hot topics, of course,
at this year's RSAC conference is AI
and specifically agentic AI.
What part does that play in the types of things
that you all are doing?
Okay, by integrating agentic AI into workflows and fostering this AI-human collaboration,
businesses can strengthen their crisis management, their operational efficiency, and long-term
resilience at an evolving risk landscape.
So with both agentic and AI, cybersecurity teams can achieve greater
confidence through enriched context more quickly than by using conventional methods of gathering
this information.
Where do you suppose we're headed here? I mean, when we're looking at how these innovations
evolve and we're advancing our capabilities around AI, what do you see in terms of AI being a tool
to a CISO out there?
To summarize it real quickly, it's efficiency.
So let me give an example.
So the BCG group at the end of last fall
released a bit of research that says that,
and I quote, protecting digital assets has increased
the ranks of the world's cybersecurity workforce
to 7.1 million people.
But another 2.8 million jobs remain unfilled.
We believe AI can help close this gap and assist CISOs
with relevant alerts about threats to their businesses,
to their people, their customers, and data,
help provide actionable intelligence
necessary to help them
thwart these threats during the times like this.
This ultimately will help CSOs help
their people operate more efficiently and
reduce what I call the risk gap scenarios.
Well, the company has certainly had some success.
Along with that, you recently announced a good amount of funding,
85 million dollars in funding.
What's on the horizon there? What will that funding enable Dataminr to do?
That's right.
As a matter of fact, on March 18th Dataminr announced that we secured
85 million dollars in new funding from NightDragon and HSBC. In addition, on April 24th,
we also announced another 100 million dollars from Fortress, bringing that to a total of
185 million dollars raised in the last two months. So the second part of your question,
what will we do with it? This new capital will allow Dataminr to accelerate its
growth trajectory and continue to really pioneer trailblazing generative AI and
agentic AI capabilities that shape the future of real-time information. And we
will also use this funding to expand our international go-to-market and power new
products in new verticals.
What's your advice, you know, for folks who are out there and
they're shopping around for this sort of thing, what sort of
questions should they be asking to make sure, you know, that
what they end up with aligns with their needs?
Sure. Really just understand, it's important that they
communicate with us to understand what
their challenges are with respect to third-party risk as well as other information that they
need to protect themselves in a way that they protect themselves quickly and how they prioritize
the risk and do they have the context needed to help them with this prioritization.
Dataminr actually, we're very good
at helping customers with this
and with this prioritization in such a way
that they can protect their business as best as possible.
The attack surface has exploded,
but defenses are still playing catch-up.
Joe Levy, CEO of Sophos, makes the case for better integration across cloud, network, and endpoint.
He explains why security tools need to work together, not just coexist, and how innovation can't succeed in silos.
So congratulations on a year as the new CEO of Sophos. I would love to check in with you and just hear what that journey has been like. How has it been for you and your colleagues?
Well, thanks, Dave. It's been a very exciting year. And I would have to say that this has been one of the most transformative periods in
my entire career for me and for, I think, Sophos as well.
It's interesting to be able to make the transition from technology leader.
I've been chief technology officer of a number of different cyber security companies for quite a long time over the years and had never really imagined myself stepping into
the CEO role. But the opportunity presented itself and it felt like the right thing to
do. And the past year has sort of proven to me that it was indeed the right decision,
certainly for me. And I would like to think for the company as well. So I could say that it's been an incredibly rewarding and gratifying
transition for me.
Well, congratulations. And, you know, over the past year or so,
Sophos has certainly faced a number of threats on its own. You all have
published some research about China targeting cybersecurity vendors and your
efforts to fight back.
Can you touch on that a little bit for us?
Certainly.
We disclosed a series of reports, which we have called Pacific Rim, that describe this
five-year-long battle that we found ourselves in with some nation-state Chinese adversaries.
And the distillation of this effectively states that
if you are a successful IT vendor,
where you have some material presence of infrastructure
on the internet, in other words,
if you have been commercially successful
and you have a lot of customers
who are using your perimeter devices,
whether they're routers or switches or remote access points
or firewalls or zero trust network access,
whatever it is, if it's a device that sits on the internet and its purpose in life is to provide connectivity,
that utility alone will predict that you are going to become the target of these nation-state attackers
that are attempting to establish some sort of a foothold within the points of presence on the internet.
And then we see the adversaries using this in a variety of different ways.
They could use it to establish a botnet, which they can subsequently use as a proxy network
to attack other victims, or they can attack the customers themselves.
And in some cases, they can attempt to attack the vendors who are building the software
and building the hardware on the perimeter.
So I think it's fair to say that at the RSAC conference this year, AI and machine learning
are going to continue to be hot topics.
In fact, it's probably a malpractice if you and I don't discuss it a little bit here today.
I'm curious, how are you dialing in the degree to which you're integrating
AI across the Sophos product stack?
AI is absolutely an obligatory topic of conversation
within cybersecurity, and it's interesting the way that the attitudes have shifted over the past
few years. We've gone from a healthy dose of skepticism from those who
have been doing cybersecurity and information security for the longest about the practical
benefits and utility of AI to what I think is a reasoning with it in a way that is cautiously
optimistic is how I would put it. And it's clear the benefits that we can operationally
get out of it.
And I think that that attitude and that perception
is beginning to take over the entire cybersecurity industry,
still with a cautious optimism, I would say.
And the history of how we've used AI
has primarily been around simple classification.
Is this file good or bad?
Is this website good or bad?
Is this email good or bad?
And it was practically quite useful,
but now naturally with the evolution
of large language models,
we're seeing a demonstration of an AI
that can actually reason in ways
that previous generations couldn't.
And we're starting to see some really good,
practical, beneficial applications
of that kind of use within security operations.
And I think the goal here, of course, is to be able to simulate the intuition of a human
analyst as accurately as possible, where you get all the benefits of what a good security
operations practitioner will be able to produce without any of the downsides, which are primarily
understood as hallucinations today.
But you could effectively just think of those as another form of false positive, which is something that the industry has dealt with for a very
long time.
So, really, really interesting time in the evolution of machine learning and artificial
intelligence in service of cybersecurity.
As a leader, as the CEO, how do you talk to the folks that you work with there at Sophos about getting on board with AI,
but also not getting carried away with the hype train of it as well.
Yeah, that is a very important balance to try to strike in any organization, not just within a cybersecurity company,
but within any company. I think we're still seeing these simultaneous pressures to
ensure that we're not just throwing things
at the wall randomly to see what's going to stick because that wastes cycles within a business.
Whether you're trying to do that within your go-to-market or your support organization
or your marketing organization, you have to be very thoughtful and very deliberate about
what you're introducing into your environment, not just for the utility of it,
whether you're actually going to get an ROI, but for the security implications of that as well.
And then if you are a technology vendor, we can focus specifically on cybersecurity,
and you're thinking about how do you bring this into your portfolio so that you can use it for
the benefit of your customers and your partners, the same sort of judiciousness needs to apply.
You need to be really deliberate
in the decisions that you're making.
And you have to have a kind of an internal framework.
And we're fortunate, we saw this coming years ago,
we instantiated a governance body that helps us to deal
with AI across the entire organization,
whether it's for our own internal use
or in service of the products and services
that we're building for our customers.
And that's really been helpful to us
in steering those decisions.
You know, at RSAC this year,
we have the NightDragon Innovation Summit,
which I know your company will be featured at,
and we here at CyberWire will be participating in as well.
And one of the things that they previewed
that they're going to be talking about
is this notion of platform versus best of breed.
I would love to get your insights
on how you parse out the difference between those.
I think this is a great topic and a really important one.
And for those of us who have been in the industry
for a long time, we've seen these expansion,
contraction cycles, and we've seen this debate go on and we've seen the pendulum
swing both ways.
Where I think we are at this point is, number one,
people want to ensure that they have the best
possible tools for the job, which
would imply that best of suite is really
we are going to get the most benefit.
But at the same time, as we continue
to see the proliferation of tools within security
operations, and we just continue
to see the increasing complexity of the way that our systems work.
Just imagine all of the upstream and the downstream interconnections that you have in the way
that you build your IT systems today.
They're more complex than they've ever been before, which means that there is greater
complexity in their operation.
And insecurity tends to lurk at those interconnections.
The greater the
complexity, the more difficult it is to actually assess the security of a thing. Therefore, there's
also this motivation to move toward consolidation, which is best of suite. So you don't want to
sacrifice anything in the quality of the individual tool, but at the same time, you probably get
greater operational benefit from having a collection of tools that can operate within a unified and a consolidated operating paradigm.
I think that's the direction that the industry is going to head for the foreseeable future.
From supply chain exposures to AI-driven attacks, the threat landscape isn't slowing down.
Katie Jenkins, CISO at Liberty Mutual, gives us a candid look at the risks on the horizon
and the trends in innovation that might just outpace them.
So I want to check in with you as we are in RSA conference season here.
What are some of the emerging threats and trends that you're tracking as a CISO heading
into conference season?
Well, I'm sure the go-to answer would be AI security solutions, which to be fair, is something
I'm definitely interested in, particularly in looking to see how these solutions have evolved,
have become really essentials for enterprises our size.
But with RSA, I'm also keen to connect with
my network of peers and partners and exploring other trends.
I'm curious about things like how others
are achieving process efficiency
and workforce strategies, team re-skilling.
I always pick up tidbits around budget trends
and pulse checking topics like fraudulent IT workers,
post-quantum preparedness.
So, you know, maybe the best part about RSA is that there's like no doubt that I will
pick up things that hadn't been on my radar, but will quickly be on my radar.
Do you have a strategy for that as you're making your way around the show floor, the
presentations, one-on-one conversations?
How do you budget your time?
Yeah, so I am fairly meticulous about laying that all out in advance.
Being there for the relatively short period that I'm there,
I just really need to make the time super worthwhile.
So I'd pick out key partners that I know will be there with,
you know, new information, new announcements. I work in, you know, healthy handful of emerging
and startup type organizations. I cherry pick some of my favorite networking events where I know there'll be like-minded peers
and folks that they can kind of collaborate with.
So regrettably or intentionally, I don't leave a lot of margin for casualness in that schedule.
It's pretty packed, dance card as they say.
Yeah, it's definitely that kind of event.
But you know, I'll say like for me personally,
one thing I'm intentional about is kind of making a lap
around the very edge of the show floor.
Because you never know when you're going to run into
somebody who has this up and coming idea
that might be something you never knew you needed
a solution to until you cross paths with them.
Is that an experience we share?
Serendipity, huh?
Yeah.
I think that's awesome that that has been your experience.
I don't think that experience is exclusive to the floor.
I think that there are so many interesting events going on,
that the opportunity to meet new people and introductions
happen super organically that, yes, I have always come away
with, I did not expect to hear about that, and now this is
something new for me to pursue.
Yeah. You mentioned AI. I'm curious what your approach is
to that. I mean, how do you filter through the hype around AI?
We've got agentic AI is a hot topic this year.
What's your approach?
I definitely don't think AI is just hype.
For Liberty Mutual, it's already well in use.
It's creating real value for us.
And quite honestly, it's making me rethink about how my security team operates,
how we can best leverage it to optimize our functions.
But with that, I am cautious.
I'm cautious about the hype
surrounding the readiness of these solutions.
I think many of us have been in the position of hearing
pitches or seeing pitches that look great in a PowerPoint but aren't really ready for prime time.
And yet there's still value in that.
These ideas can still help me anticipate what is coming.
We are experimenting in-house with our own security AI tool development.
I think it's really healthy to realistically weigh
the pros and cons of build versus buy decisions.
And there's really good value to me
in understanding from my peers, such as here at RSA,
what's really working for others, right?
I have to be keeping a pulse on things
so I don't get swept up in just the fiction that AI is the magical
solution for all security challenges. And I'm looking for a healthy dose of reality here.
What about collaboration? As you're keeping in touch with your fellow CISOs around the industry,
both colleagues in organizations that are similar to Liberty Mutual, but I
suppose other organizations as well. How do you keep those communication lines open to
make sure that you have a broad spectrum of information at your disposal?
Yeah, I think those connections are really essential in these times. I participate in many different formal
and informal peer groups,
but I think it's a real bright spot of this industry
that collaboration continues to be a strong force.
And quite frankly, I believe it's one of the reasons
why we gather in San Francisco each year, right?
To strengthen our relationships,
be ready to share insights from our experiences,
our successes.
I'm biased in thinking I have an exceptional team,
as many of us are fortunate to have,
but the threats we face are real,
and learning from each other's missteps,
each other's successes is really invaluable to me.
In order to add to that, I would say that like me,
many of my CISO peers are genuinely motivated to
improve not only their own organizations,
but also have impact and make improvements
across the broader cybersecurity landscape.
With that in mind,
this collective collaboration
and effort is really essential in the spirit
of being able to achieve more together
than we can as individuals.
You know, looking broadly at the industry,
I'm curious if there are any particular pain points
that frustrate you.
Are there things that you think to yourself,
I wish we could shift this one thing across the industry,
I wish there were something that we could change.
Is there anything that comes to mind in terms of aspirations
for positive change over the coming year or so?
Let me take the aspirational angle to your question,
because I don't think it's peaked as that pain point yet.
But for me, I would love to see a major push for innovation
and a strong focus on upskilling our security
workforce at scale.
With the rapid developments and emerging technologies,
the evolving tactics of the adversaries,
I think it's just crucial that we're preparing
our security teams today with the skills
that they'll need in the future.
The challenge to this, right,
is that we have day jobs that often turn into our night jobs,
and those are incredibly demanding.
So when I think about learning initiatives, these need really be integrated into our current
priorities.
They can't just be an add-on.
We have to have these up-skilling mindsets and opportunities be built into our daily
routines, be part of our responsibilities.
I certainly feel the responsibility to make sure
that my team is equipped to meet the challenges ahead
without overwhelming their already packed schedules,
considering topics like burnout.
So now is the time to be making the shift
before it gets to that excruciating pain point?
It's part of what I didn't say excruciating,
but the pain point part of your question,
it's just this pace of change in cybersecurity
is clearly not slowing down.
And we really, I feel a very strong sense of need
to invest in our workforce,
not just as an altruistic
interest but really being essential for continuing to be a resilient and an
effective security organization. Yeah you know as someone who is in a high level
leadership position in cybersecurity what sort of advice do you have for
folks who are coming up in the industry? Maybe somebody coming up through school or considering a career change.
Do you have any words of wisdom?
Oh my goodness.
I think now is an exceptional time to be joining the workforce and joining security teams.
The talent that we're bringing in right now is really the bright spot that makes me hopeful
for this future.
So my advice would be to just sink your teeth in, have conversations to understand people's
career journeys in security.
Some people have been in security their whole lives.
Some have come to security from a very unique set of backgrounds.
And I think that to be new to this field,
perhaps even new to your careers,
you have maybe a little more latitude
than you even realize to take the time
to ask people about their journeys.
What resources have been most instructive?
What are people's favorite podcasts, right?
That's, it's all part of finding your place
and finding where you can make impact.
But I'll tell you what, Dave, I mean,
there really are some extraordinary individuals
joining the team, and I hope they know
they have an open invitation to explore
and their own curiosities and interests to figure out where they can
make the biggest impact for us.
So one of the things that I think security leaders face and confirm if I'm correct here
or not is there's a lot of pressure to innovate but at the same time not compromise trust.
How do you balance that?
How do you balance speed with resilience as you're looking
at your own organization's strategy?
Totally agree with your premise that there can be friction there. When I think about
innovation, think about both the pressure or the need to keep up with the broader tech
advancements in our organization. And on the other side, how we're using innovation and
security to advance things like
automation and efficiency in our processes.
For me, customer trust and integrity
are very deeply embedded in Liberty Mutual's culture.
That yields or means
that responsible innovation is the ultimate goal there.
I'll share an anecdote from two days ago,
recently biased, but I love it.
In our, we have an in-house responsible AI committee,
and one of my leaders was bringing one of
our R&D use cases through this responsible AI review.
And it delighted me when there were non-security committee members challenging
my security team with security questions around what we were bringing forward.
And it just really emphasized the fact that security is recognized across the organization
the way that it is. My CIO, Monica Caldas, loves to say,
stable and secure systems is job number one.
And this statement alone reassures me
that we don't have to sacrifice speed
for security and resilience, it all matters.
So maybe the last point I would emphasize there
is that to the speed versus resilience question,
we've adopted a strategy,
prioritizes security at every stage
of our innovation process.
We have robust governance,
we use a risk assessment framework
that helps us innovate confidently.
We know we're not going to be compromising our customers' trust.
So really this allows us to embrace new technologies,
experiment responsibly while ensuring that we're adhering to our standards,
and most importantly, we're maintaining our customers' trust.
What also strikes me in the story you describe,
I mean, that speaks to a culture of having a safe place
where people can express their concerns
and know that they're going to be heard.
Oh, absolutely.
And that has been a really intentional change
that I've been trying to drive in the organization.
I mean, you don't have to go that far back in time
where you think about, was security scary or secretive?
And if I felt something wasn't quite right,
I'd best keep my mouth shut about that
to like really inviting and making that space.
We were celebrating people that are reporting things
that seem unusual or suspicious to them.
And that puts us in such a stronger place
that it's not just on the security team
to find the holes and the workarounds
and the opportunities.
Everyone's in it together.
We use the tagline, responsible defenders.
We invite our whole workforce to be.
And that's a wrap on Beyond Cyber, securing the next horizon.
A huge thanks to our guests, Dave DeWalt, Nicole Bucala, Michael Mastrole, Joe Levy
and Katie Jenkins for sharing their insights, stories and strategies.
As we heard today, cybersecurity is no longer just about defense, it's about vision, integration
and bold innovation.
The threats may be evolving, but so are the people, technologies and investments rising
to meet them.
If you liked today's episode, don't forget to subscribe, leave a review, and share it
with a colleague.
You can find more interviews and insights on our website, thecyberwire.com.
Thanks for listening.
I'm Dave Bittner.
We'll see you back here next time.
What's the common denominator in security incidents? Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy targets
for threat actors to exploit but hard for defenders to detect.
This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with Attack Path Management.
You can learn how Attack Path Management is connecting identity and security teams
while reducing risk with BloodHound Enterprise, powered by SpecterOps.
Head to specterops.io today to learn more.
SpecterOps. See your attack paths the way adversaries do.