Redefining CyberSecurity

What Security Congress Reveals About the State of Cybersecurity This discussion focuses on what ISC2 Security Congress represents for practitioners, leaders, and organizations navigating constant technological change. Jon France, Chief Information Security Officer at ISC2, shares how the event brings together thousands of cybersecurity practitioners, certification holders, chapter leaders, and future professionals to exchange ideas on the issues shaping the field today.  Themes That Stand Out AI remains a central point of attention. France notes that organizations are grappling not only with adoption but with the shift in speed it introduces. Sessions highlight how analysts are beginning to work alongside automated systems that sift through massive data sets and surface early indicators of compromise. Rather than replacing entry-level roles, AI changes how they operate and accelerates the decision-making path. Quantum computing receives a growing share of focus as well. Attendees hear about timelines, standards emerging from NIST, and what preparedness looks like as cryptographic models shift.  Identity-based attacks and authorization failures also surface throughout the program. With machine-driven compromises becoming easier to scale, the community explores new defenses, stronger controls, and the practical realities of machine-to-machine trust. Operational technology, zero trust, and machine-speed threats create additional urgency around modernizing security operations centers and rethinking human-to-machine workflows.  A Place for Every Stage of the Career France describes Security Congress as a cross-section of the profession: entry-level newcomers, certification candidates, hands-on practitioners, and CISOs who attend for leadership development. Workshops explore communication, business alignment, and critical thinking skills that help professionals grow beyond technical execution and into more strategic responsibilities.  Looking Ahead to the Next Congress The next ISC2 Security Congress will be held in October in the Denver/Aurora area. France expects AI and quantum to remain key themes, along with contributions shaped by the call-for-papers process. What keeps the event relevant each year is the mix of education, networking, community stories, and real-world problem-solving that attendees bring with them. The ISC2 Security Congress 2025 is a hybrid event taking place from October 28 to 30, 2025 Coverage provided by ITSPmagazine GUEST: Jon France, Chief Information Security Officer at ISC2 | On LinkedIn: https://www.linkedin.com/in/jonfrance/ HOST: Sean Martin, Co-Founder, ITSPmagazine and Studio C60 | Website: https://www.seanmartin.com Follow our ISC2 Security Congress coverage: https://www.itspmagazine.com/cybersecurity-technology-society-events/isc2-security-congress-2025 Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage ISC2 Security Congress: https://www.isc2.org NIST Post-Quantum Cryptography Standards: https://csrc.nist.gov/projects/post-quantum-cryptography ISC2 Chapters: https://www.isc2.org/chapters Want to share an Event Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.studioc60.com/performance#ideas KEYWORDS: cybersecurity, ai security, isc2 congress, quantum computing, identity attacks, zero trust, soc automation, cyber jobs, cyber careers, cyber leadership, security operations, threat intelligence, machine speed, authentication, authorization, sean martin, jon france, identity, soc, certification, leadership, event coverage, on location, conference Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

This episode focuses on a security incident that prompts an honest discussion about transparency, preparedness, and the importance of strong processes. Sean Martin speaks with Viktor Petersson, Founder and CEO of Screenly, who shares how his team approaches digital signage security and how a recent alert from their bug bounty program helped validate the strength of their culture and workflows. Screenly provides a secure digital signage platform used by organizations that care deeply about device integrity, uptime, and lifecycle management. Healthcare facilities, financial services, and even NASA rely on these displays, which makes the security posture supporting them a priority. Viktor outlines why security functions best when embedded into culture rather than treated as a compliance checkbox. His team actively invests in continuous testing, including a structured bug bounty program that generates a steady flow of findings. The conversation centers on a real event: a report claiming that more than a thousand user accounts appeared in a public leak repository. Instead of assuming the worst or dismissing the claim, the team mobilized within hours. They validated the dataset, built correlation tooling, analyzed how many records were legitimate, and immediately reset affected accounts. Once they ruled out a breach of their systems, they traced the issue to compromised end user devices associated with previously known credential harvesting incidents. This scenario demonstrates how a strong internal process helps guide the team through verification, containment, and communication. Viktor emphasizes that optional security features only work when customers use them, which is why Screenly is moving to passwordless authentication using magic links. Removing passwords eliminates the attack vector entirely, improving security for customers without adding friction. For listeners, this episode offers a clear look at what rapid response discipline looks like, how bug bounty reports can add meaningful value, and why passwordless authentication is becoming a practical way forward for SaaS platforms. It is a timely reminder that transparency builds trust, and security culture determines how confidently a team can navigate unexpected events. Learn more about Screenly: https://itspm.ag/screenly1o Note: This story contains promotional content. Learn more. GUEST Viktor Petersson, Co-founder of Screenly | On LinkedIn: https://www.linkedin.com/in/vpetersson/ RESOURCES Learn more and catch more stories from Screenly: https://www.itspmagazine.com/directory/screenly LinkedIn Post: https://www.linkedin.com/posts/vpetersson_screenly-security-incident-response-how-activity-7393741638918971392-otkk Blog: Security Incident Response: How We Investigated a Data Leak and What We're Doing Next: https://www.screenly.io/blog/2025/11/10/security-incident-response-magic-links/ Are you interested in telling your story? ▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full ▶︎ Spotlight Brand Story: https://www.studioc60.com/content-creation#spotlight Keywords: sean martin, marco ciappelli, viktor petersson, security, authentication, bugbounty, signage, incidentresponse, breaches, cybersecurity, brand story, brand marketing, marketing podcast, brand story podcast, brand spotlight Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

⬥EPISODE NOTES⬥ Understanding the Startup Engine Behind Cybersecurity This episode brings Sean Martin together with Ross Haleliuk, author, investor, product leader, and creator of Venture Insecurity, for a candid look at the forces shaping cybersecurity startups today. Ross shares how his decade of product leadership and long involvement in the security community give him a unique perspective on what drives founders, what creates market gaps, and why new companies keep entering a space already full of tools. Why Security Produces So Many Products Ross explains that the large number of security tools is not evidence of an industry losing control. Instead, it reflects a technology ecosystem where entrepreneurship has become easier and where attackers, not practitioners, define what defenders need. Because threats shift constantly, security leaders must always look for clues on what could fail next. That constant uncertainty fuels innovation. What Motivates Founders Despite outside assumptions, Ross observes that most founders are motivated by the problems they have lived themselves. Some come from enterprise teams. Others come from military backgrounds. Many find traction with early open source work. Few come into cybersecurity to chase quick wins, and most do not survive long enough to chase profits even if they wanted to. Security as Business Enablement Sean and Ross discuss the role of security as a business driver. In regulated sectors, companies invest because they must. In technology companies, strong security is a sales enabler that gives customers confidence to use their products. Outside of tech, the priority is more about resilience and operational continuity. How Buyers Should Think About Startups Ross outlines the tradeoffs. Startups deliver speed, responsiveness, fresh architecture, and modern user experience. Large vendors provide stability, predictability, and broad coverage. Neither is perfect. Security leaders should decide based on the importance of the capability, the level of influence they want, and the outcomes they need. This conversation highlights the practical realities behind the security products organizations choose and the people who build them. Listeners will hear both the optimism and the honesty that define today’s cybersecurity innovation economy. ⬥GUEST⬥ Ross Haleliuk, Security product leader, author, advisor, board member and investor | On LinkedIn: https://www.linkedin.com/in/rosshaleliuk/ ⬥HOST⬥ Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com ⬥RESOURCES⬥ Inspiring Blog: https://ventureinsecurity.net/p/not-every-security-leader-works-at ⬥ADDITIONAL INFORMATION⬥ ✨ More Redefining CyberSecurity Podcast: 🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast Redefining CyberSecurity Podcast on YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq 📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/ Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact ⬥KEYWORDS⬥ sean martin, ross haleliuk, cybersecurity, startups, venture security, founders, innovation, risk, resilience, product strategy, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

⬥EPISODE NOTES⬥ Understanding Beg Bounties and Their Growing Impact This episode examines an issue that many organizations have begun to notice, yet often do not know how to interpret. Sean Martin is joined by Casey Ellis, Founder of Bugcrowd and Co-Founder of disclose.io, to break down what a “beg bounty” is, why it is increasing, and how security leaders should think about it in the context of responsible vulnerability handling. Bug Bounty vs. Beg Bounty Casey explains the core principles of a traditional bug bounty program. At its core, a bug bounty is a structured engagement in which an organization invites security researchers to identify vulnerabilities and pays rewards based on severity and impact. It is scoped, governed, and linked to an established policy. The process is predictable, defensible, and aligned with responsible disclosure norms. A beg bounty is something entirely different. It occurs when an unsolicited researcher claims to have found a vulnerability and immediately asks whether the organization offers incentives or rewards. In many cases, the claim is vague or unsupported and is often based on automated scanner output rather than meaningful research. Casey notes that these interactions can feel like unsolicited street windshield washing, where the person provides an unrequested service and then asks for payment. Why It Matters for CISOs and Security Teams Security leaders face a difficult challenge. These messages appear serious on the surface, yet most offer no actionable details. Responding to each one triggers incident response workflows, consumes time, and raises unnecessary internal concern. Casey warns that these interactions can create confusion about legality, expectations, and even the risk of extortion. At the same time, ignoring every inbound message is not a realistic long-term strategy. Some communications may contain legitimate findings from well-intentioned researchers who lack guidance. Casey emphasizes the importance of process, clarity, and policy. How Organizations Can Prepare According to Casey, the most effective approach is to establish a clear vulnerability disclosure policy. This becomes a lightning rod for inbound security information. By directing researchers to a defined path, organizations reduce noise, set boundaries, and reinforce safe communication practices. The episode highlights the need for community norms, internal readiness, and a shared understanding between researchers and defenders. Casey stresses that good-faith researchers should never introduce payment into the first contact. Organizations should likewise be prepared to distinguish between noise and meaningful security input. This conversation offers valuable context for CISOs, security leaders, and business owners navigating the growing wave of unsolicited bug claims and seeking practical ways to address them. ⬥GUEST⬥ Casey Ellis, Founder and Advisor at Bugcrowd | On LinkedIn: https://www.linkedin.com/in/caseyjohnellis/ ⬥HOST⬥ Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com ⬥RESOURCES⬥ Inspiring Post: https://www.linkedin.com/posts/caseyjohnellis_im-thinking-we-should-start-charging-bug-activity-7383974061464453120-caEW Disclose.io: https://disclose.io/ ⬥ADDITIONAL INFORMATION⬥ ✨ More Redefining CyberSecurity Podcast: 🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast Redefining CyberSecurity Podcast on YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq 📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/ Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact ⬥KEYWORDS⬥ cybersecurity, bug bounty, vulnerability disclosure, beg bounty, hacking, researcher, ciso, security teams, risk...

Most organizations have security champions. Few have a real security culture. In this episode of AppSec Contradictions, Sean Martin explores why AppSec awareness efforts stall, why champion programs struggle to gain traction, and what leaders can do to turn intent into impact. 🔍 In this episode: Sean’s Take: When security culture is treated as a checkbox, nothing changes. When it’s connected to ownership, incentives, and everyday work — everything does. Catch the full companion article in the Future of Cybersecurity newsletter for deeper analysis and more research. For developers: Has your security-champion program helped ship safer code—or just added meetings? For application security professionals: Are your metrics tied to risk reduction or participation counts? For business leaders: Can you connect your “security culture” investment to measurable resilience? 📖 Read the full companion article in the Future of Cybersecurity newsletter for deeper insights: https://www.linkedin.com/pulse/building-real-security-culture-why-most-appsec-fall-martin-cissp-eab7e 🔔 Subscribe to stay updated on the full AppSec Contradictions video series and more perspectives on the future of cybersecurity: https://www.youtube.com/playlist?list=PLnYu0psdcllRWnImF5iRnO_10eLnPFWi_ ________ This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence. Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity Sincerely, Sean Martin and TAPE9 ________ Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️ Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-location To learn more about Sean, visit his personal website. Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

⬥GUEST⬥ Andrew Morgan, Chief Information Security Officer | On LinkedIn: https://www.linkedin.com/in/andrewmorgancism/ ⬥HOST⬥ Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com ⬥EPISODE NOTES⬥ The cybersecurity community has long recognized an uncomfortable truth: the gap between well-resourced enterprises and underfunded organizations keeps widening. This divide isn’t just about money; it’s about survivability. When a small business, school, or healthcare provider is hit with a major breach, the likelihood of permanent closure is exponentially higher than for a large enterprise. As host of the Redefining CyberSecurity Podcast, I’ve seen this imbalance repeatedly — and the conversation with Andrew Morgan underscores why it persists and what can be done about it. The Problem: Structural Imbalance Large enterprises operate with defined budgets, mature governance, and integrated security operations centers. They can afford redundancy, talent, and tooling. Meanwhile, small and mid-sized organizations are often left with fragmented controls, minimal staff, and reliance on external vendors or managed providers. The result is a “have and have not” world. The “haves” can detect, contain, and recover. The “have nots” often cannot. When they are compromised, the impact isn’t just reputational — it can mean financial collapse or service disruption that directly affects communities. The Hidden Costs of Complexity Even when smaller organizations invest in technology, they often fall into the trap of overtooling without strategy. Multiple, overlapping systems create noise, false confidence, and operational fatigue. Morgan describes this as a symptom of viewing cybersecurity as a subset of IT rather than as a business enabler. Simplification is key. A rationalized platform approach — even if not best-of-breed — can deliver better visibility and sustainability than a patchwork of disconnected tools. The goal should not be perfection; it should be proportionate protection aligned with business risk. The Solution: Culture, Collaboration, and Continuity Cyber resilience starts with people and culture. As Morgan puts it, programs must be driven by culture, informed by risk, and delivered through people, process, and technology. Security can’t succeed in isolation from the organization’s purpose or its people. The Australian CISO Tribe provides a real-world model for collaboration. Its members share threat intelligence, peer validation, and practical experiences — a living example of collective defense in action. Whether formalized or ad-hoc, these networks give security leaders context, community, and shared strength. Getting Back to Basics Practical resilience isn’t glamorous. It’s about getting the basics right — consistent patching, logging, phishing-resistant authentication, verified backups, and tested recovery plans. It’s about ensuring that, if everything fails, you can still get back up. When security becomes a business-as-usual practice rather than a project, organizations begin to move from reactive defense to proactive resilience. The Takeaway Bridging the cybersecurity divide doesn’t require endless budgets. It requires prioritization, simplification, and partnership. The “have nots” may never mirror enterprise scale, but they can adopt enterprise discipline — and that can make all the difference between temporary disruption and permanent failure. ⬥RESOURCES⬥ Inspiring Post: https://www.linkedin.com/posts/andrewmorgancism_last-night-i-was-fortunate-enough-to-spend-activity-7383972144507994112-V3Zr/ ⬥ADDITIONAL INFORMATION⬥ ✨ More Redefining CyberSecurity Podcast: 🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast Redefining CyberSecurity Podcast on YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq 📝 The Future of Cybersecurity...

⬥GUEST⬥ Eric O'Neill, Keynote Speaker, Cybersecurity Expert, Spy Hunter, Bestselling Author. Attorney | On Linkedin: https://www.linkedin.com/in/eric-m-oneill/ ⬥HOST⬥ Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com ⬥EPISODE NOTES⬥ In this episode of the Redefining CyberSecurity Podcast, host Sean Martin reconnects with Eric O’Neill, National Security Strategist at NeXasure and former FBI counterintelligence operative. Together, they explore how cybercrime has matured into a global economy—and why organizations of every size must learn to compete, not just defend. O’Neill draws from decades of undercover work and corporate investigation to reveal that cybercriminals now operate like modern businesses: they innovate, specialize, and scale. The difference? Their product is your data. He argues that resilience—not prevention—is the true marker of readiness. Companies can’t assume they’re too small or too obscure to be targeted. “It’s just a matter of numbers,” he says. “At some point, you will get struck. You need to be able to take the punch and keep moving.” The discussion covers the practical realities facing small and midsize businesses: limited budgets, fragmented tools, and misplaced confidence. O’Neill explains why so many organizations over-invest in overlapping technologies while under-investing in strategy. His firm helps clients identify these inefficiencies and replace tool sprawl with coordinated defense. Preparation, O’Neill says, should follow his PAID methodology—Prepare, Assess, Investigate, Decide. The goal is to plan ahead, detect fast, and act decisively. Those that do not prepare spend ten times more responding after an incident than they would have spent preventing it. Martin and O’Neill also examine how storytelling bridges the gap between security teams and executive boards. Using relatable analogies—like house fires and insurance—O’Neill makes cybersecurity human. His message is simple: security is not a technical decision; it’s a business one. Listen to hear how the business of cybercrime mirrors legitimate enterprise—and why understanding that truth might be your best defense. ⬥RESOURCES⬥ Book: Spies, Lies, and Cybercrime by Eric O’Neill – Book link Book: Gray Day by Eric O’Neill – Book link Free, Weekly Newsletter: spies-lies-cybercrime.ericoneill.net Podcast: Former FBI Spy Hunter Eric O'Neill Explains How Cybercriminals Use Espionage techniques to Attack Us: https://redefiningsocietyandtechnologypodcast.com/episodes/new-book-spies-lies-and-cyber-crime-former-fbi-spy-hunter-eric-oneill-explains-how-cybercriminals-use-espionage-techniques-to-attack-us-redefining-society-and-technology-podcast-with-marco-ciappelli ⬥ADDITIONAL INFORMATION⬥ ✨ More Redefining CyberSecurity Podcast: 🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast Redefining CyberSecurity Podcast on YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq 📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/ Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact ⬥KEYWORDS⬥ eric oneill, sean martin, nexasure, fbi, cybercrime, ransomware, resilience, cybersecurity, business, risk, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

Organizations pour millions into protecting running applications—yet attackers are targeting the delivery path itself. This episode of AppSec Contradictions reveals why CI/CD and cloud pipelines are becoming the new frontline in cybersecurity. 🔍 In this episode: Sean’s Take: The pipeline is production. Integrity beats visibility. Security must flow through delivery. Catch the full companion article in the Future of Cybersecurity newsletter for deeper analysis and more research. 👉 Have you made CI/CD security measurable—or does it still feel like an endless patchwork of scripts, secrets, and trust? Are your pipelines part of your threat model—or an afterthought? How confident are you in the integrity of every artifact you release? Share your take—we’d love to hear your story—whether your team has succeeded in securing the software delivery pipeline from build to deploy, or whether attackers and complexity keep finding the cracks between your tools. 📖 Read the full companion article in the Future of Cybersecurity newsletter for deeper insights: 🔔 Subscribe to stay updated on the full AppSec Contradictions video series and more perspectives on the future of cybersecurity: https://www.youtube.com/playlist?list=PLnYu0psdcllRWnImF5iRnO_10eLnPFWi_ ________ This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence. Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity Sincerely, Sean Martin and TAPE9 ________ Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️ Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-location To learn more about Sean, visit his personal website. Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

⬥GUEST⬥ Walter Haydock, Founder, StackAware | On Linkedin: https://www.linkedin.com/in/walter-haydock/ ⬥HOST⬥ Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com ⬥EPISODE NOTES⬥ No-Code Meets AI: Who’s Really in Control? As AI gets embedded deeper into business workflows, a new player has entered the security conversation: no-code automation tools. In this episode of Redefining CyberSecurity, host Sean Martin speaks with Walter Haydock, founder of StackAware, about the emerging risks when AI, automation, and business users collide—often without traditional IT or security oversight. Haydock shares how organizations are increasingly using tools like Zapier and Microsoft Copilot Studio to connect systems, automate tasks, and boost productivity—all without writing a single line of code. While this democratization of development can accelerate innovation, it also introduces serious risks when systems are built and deployed without governance, testing, or visibility. The conversation surfaces critical blind spots. Business users may be automating sensitive workflows involving customer data, proprietary systems, or third-party APIs—without realizing the implications. AI prompts gone wrong can trigger mass emails, delete databases, or unintentionally expose confidential records. Recursion loops, poor authentication, and ambiguous access rights are all too easy to introduce when development moves this fast and loose. Haydock emphasizes that this isn’t just a technology issue—it’s an organizational one. Companies need to decide: who owns risk when anyone can build and deploy a business process? He encourages a layered approach, including lightweight approval processes, human-in-the-loop checkpoints for sensitive actions, and upfront evaluations of tools for legal compliance and data residency. Security teams, he notes, must resist the urge to block no-code outright. Instead, they should enable safer adoption through clear guidelines, tool allowlists, training, and risk scoring systems. Meanwhile, business leaders must engage early with compliance and risk stakeholders to ensure their productivity gains don’t come at the expense of long-term exposure. For organizations embracing AI-powered automation, this episode offers a clear takeaway: treat no-code like production code—because that’s exactly what it is. ⬥ADDITIONAL INFORMATION⬥ ✨ More Redefining CyberSecurity Podcast: 🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast Redefining CyberSecurity Podcast on YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq 📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/ Interested in sponsoring this show with a podcast ad placement? Learn more: 👉 https://itspm.ag/podadplc ⬥KEYWORDS⬥ sean martin, walter haydock, automation, ai, nocode, compliance, governance, orchestration, data privacy, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

What does it really take to be a CISO the business can rely on? In this episode, Sean Martin shares insights from a recent conversation with Tim Brown, CISO at SolarWinds, following his keynote at AISA CyberCon and his role in leading a CISO Bootcamp for current and future security leaders. The article at the heart of this episode focuses not on technical skills or frameworks, but on the leadership qualities that matter most: context, perspective, communication, and trust. Tim’s candid reflections — including the personal toll of leading through a crisis — remind us that clarity doesn’t come from control. It comes from connection. CISOs must communicate risk in ways that resonate across teams and business leaders. They need to build trusted relationships before they’re tested and create space for themselves and their teams to process pressure in healthy, sustainable ways. Whether you’re already in the seat or working toward it, this conversation invites you to rethink what preparation really looks like. It also leaves you with two key questions: Where do you get your clarity, and who are you learning from? Tune in, reflect, and join the conversation. 📖 Read the full companion article in the Future of Cybersecurity newsletter for deeper insights: https://www.linkedin.com/pulse/beyond-title-what-really-takes-ciso-today-insights-sean-martin-cissp-n73ie/ ________ This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence. Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity Sincerely, Sean Martin and TAPE9 ________ Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️ Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-location To learn more about Sean, visit his personal website. Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

First CISO Charged by SEC: Tim Brown on Trust, Context, and Leading Through Crisis - Interview with Tim Brown | AISA CyberCon Melbourne 2025 Coverage | On Location with Sean Martin and Marco Ciappelli AISA CyberCon Melbourne | October 15-17, 2025 Tim Brown's job changed overnight. December 11th, he was the CISO at SolarWinds managing security operations. December 12th, he was leading the response to one of the most scrutinized cybersecurity incidents in history. Connecting from New York and Florence to Melbourne, Sean Martin and Marco Ciappelli caught up with their longtime friend ahead of his keynote at AISA CyberCon. The conversation reveals what actually happens when a CISO faces the unthinkable—and why the relationships you build before crisis hits determine whether you survive it. Tim became the first CISO ever charged by the SEC, a distinction nobody wants but one that shaped his mission: if sharing his experience helps even one security leader prepare better, then the entire saga becomes worthwhile. He's candid about the settlement process still underway, the emotional weight of having strangers ask for selfies, and the mental toll that landed him in a Zurich hospital with a heart attack the week his SEC charges were announced. "For them to hear something and hear the context—to hear us taking six months off development, 400 engineers focused completely on security for six months in pure focus—when you say it with emotion, it conveys the real cost," Tim explained. Written communication failed during the incident. People needed to talk, to hear, to feel the weight of decisions being made in real time. What saved SolarWinds wasn't just technical capability. It was implicit trust. The war room team operated without second-guessing each other. The CIO handled deployment and investigation. Engineering figured out how the build system was compromised. Marketing and legal managed their domains. Tim didn't waste cycles checking their work because trust was already built. "If we didn't have that, we would've been second-guessing what other people did," he said. That trust came from relationships established long before December 2020, from a culture where people knew their roles and respected each other's expertise. Now Tim's focused on mentoring the next generation through the RSA Conference CSO Bootcamp, helping aspiring CISOs and security leaders at smaller companies build the knowledge, community, and relationships they'll need when—not if—their own December 12th arrives. He tailors every talk to his audience, never delivering the same speech twice. Context matters in crisis, but it matters in communication too. Australia played a significant role during SolarWinds' incident response, with the Australian government partnering closely in January 2021. Tim hadn't been back in a decade, making his return to Melbourne for CyberCon particularly meaningful. He's there to share lessons earned the hardest way possible, and to remind security leaders that stress management, safe spaces, and knowing when to compartmentalize aren't luxuries—they're survival skills. His keynote covers the different stages of incident response, how culture drives crisis outcomes, and why the teams that step up matter more than the ones that run away. For anyone leading security teams, Tim's message is clear: build trust now, before you need it. AISA CyberCon Melbourne runs October 15-17, 2025 Coverage provided by ITSPmagazine GUEST: Tim Brown, CISO at SolarWinds | On LinkedIn: https://www.linkedin.com/in/tim-brown-ciso/ HOSTS: Sean Martin, Co-Founder, ITSPmagazine and Studio C60 | Website: https://www.seanmartin.com Marco Ciappelli, Co-Founder, ITSPmagazine and Studio C60 | Website: https://www.marcociappelli.com Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage Want to share an Event Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf Want Sean...

During his keynote at SecTor 2025, HD Moore, founder and CEO of runZero and widely recognized for creating Metasploit, invites the cybersecurity community to rethink the foundational “rules” we continue to follow—often without question. In conversation with Sean Martin and Marco Ciappelli for ITSPmagazine’s on-location event coverage, Moore breaks down where our security doctrines came from, why some became obsolete, and which ones still hold water. One standout example? The rule to “change your passwords every 30 days.” Moore explains how this outdated guidance—rooted in assumptions from the early 2000s when password sharing was rampant—led to predictable patterns and frustrated users. Today, the advice has flipped: focus on strong, unique passwords per service, stored securely via password managers. But this keynote isn’t just about passwords. Moore uses this lens to explore how many security “truths” were formed in response to technical limitations or outdated behaviors—things like shared network trust, brittle segmentation, and fragile authentication models. As technology matures, so too should the rules. Enter passkeys, hardware tokens, and enclave-based authentication. These aren’t just new tools—they’re a fundamental shift in where and how we anchor trust. Moore also calls out an uncomfortable truth: the very products we rely on to protect our systems—firewalls, endpoint managers, and security appliances—are now among the top vectors for breach, per Mandiant’s latest report. That revelation struck a chord with conference attendees, who appreciated Moore’s willingness to speak plainly about systemic security debt. He also discusses the inescapable vulnerabilities in AI agent flows, likening prompt injection attacks to the early days of cross-site scripting. The tech itself invites risk, he warns, and we’ll need new frameworks—not just tweaks to old ones—to manage what comes next. This conversation is a must-listen for anyone questioning whether our security playbooks are still fit for purpose—or simply carried forward by habit. ___________ GUEST: HD Moore, Founder and CEO of RunZero | On Linkedin: https://www.linkedin.com/in/hdmoore/ HOSTS: Sean Martin, Co-Founder, ITSPmagazine and Studio C60 | Website: https://www.seanmartin.com Marco Ciappelli, Co-Founder, ITSPmagazine and Studio C60 | Website: https://www.marcociappelli.com RESOURCES: Keynote: The Once and Future Rules of Cybersecurity: https://www.blackhat.com/sector/2025/briefings/schedule/#keynote-the-once-and-future-rules-of-cybersecurity-49596 Learn more and catch more stories from our SecTor 2025 coverage: https://www.itspmagazine.com/cybersecurity-technology-society-events/sector-cybersecurity-conference-toronto-2025 Mandiant M-Trends Breach Report: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025/ OPM Data Breach Summary: https://oversight.house.gov/report/opm-data-breach-government-jeopardized-national-security-generation/ Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage Want to share an Event Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us ___________ KEYWORDS: hd moore, sean martin, marco ciappelli, metasploit, runzero, sector, password, breach, ai, passkeys, event coverage, on location, conference Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

In this issue of the Future of Cyber newsletter, Sean Martin digs into a topic that’s quietly reshaping how software gets built—and how it breaks: the rise of AI-powered coding tools like ChatGPT, Claude, and GitHub Copilot. These tools promise speed, efficiency, and reduced boilerplate—but what are the hidden trade-offs? What happens when the tools go offline, or when the systems built through them are so abstracted that even the engineers maintaining them don’t fully understand what they’re working with? Drawing from conversations across the cybersecurity, legal, and developer communities—including a recent legal tech conference where law firms are empowering attorneys to “vibe code” internal tools—this article doesn’t take a hard stance. Instead, it raises urgent questions: The piece also highlights insights from a recent podcast conversation with security architect Izar Tarandach, who compares AI coding to junior development: fast and functional, but in need of serious oversight. He warns that organizations rushing to automate development may be building brittle systems on shaky foundations, especially when security practices are assumed rather than applied. This is not a fear-driven screed or a rejection of AI. Rather, it’s a call to assess new dependencies, rethink development accountability, and start building contingency plans before outages, hallucinations, or misconfigurations force the issue. If you’re a CISO, developer, architect, risk manager—or anyone involved in software delivery or security—this article is designed to make you pause, think, and ideally, respond. 🔍 What’s your take? Is your team building with AI? Are you tracking how it’s being used—and what might happen when it’s not available? 📖 Read the full companion article in the Future of Cybersecurity newsletter for deeper insights: https://www.linkedin.com/pulse/when-coders-dont-code-what-happens-ai-coding-tools-go-martin-cissp-ychqe ________ This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence. Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity Sincerely, Sean Martin and TAPE9 ________ Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️ Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-location To learn more about Sean, visit his personal website. Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

⬥GUEST⬥ Pieter VanIperen, CISO and CIO of AlphaSense | On Linkedin: https://www.linkedin.com/in/pietervaniperen/ ⬥HOST⬥ Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com ⬥EPISODE NOTES⬥ Real-World Principles for Real-World Security: A Conversation with Pieter VanIperen Pieter VanIperen, the Chief Information Security and Technology Officer at AlphaSense, joins Sean Martin for a no-nonsense conversation that strips away the noise around cybersecurity leadership. With experience spanning media, fintech, healthcare, and SaaS—including roles at Salesforce, Disney, Fox, and Clear—Pieter brings a rare clarity to what actually works in building and running a security program that serves the business. He shares why being “comfortable being uncomfortable” is an essential trait for today’s security leaders—not just reacting to incidents, but thriving in ambiguity. That distinction matters, especially when every new technology trend, vendor pitch, or policy update introduces more complexity than clarity. Pieter encourages CISOs to lead by knowing when to go deep and when to zoom out, especially in areas like compliance, AI, and IT operations where leadership must translate risks into outcomes the business cares about. One of the strongest points he makes is around threat intelligence: it must be contextual. “Generic threat intel is an oxymoron,” he argues, pointing out how the volume of tools and alerts often distracts from actual risks. Instead, Pieter advocates for simplifying based on principles like ownership, real impact, and operational context. If a tool hasn’t been turned on for two months and no one noticed, he says, “do you even need it?” The episode also offers frank insight into vendor relationships. Pieter calls out the harm in trying to “tell a CISO what problems they have” rather than listening. He explains why true partnerships are based on trust, humility, and a long-term commitment—not transactional sales quotas. “If you disappear when I need you most, you’re not part of the solution,” he says. For CISOs and vendors alike, this episode is packed with perspective you can’t Google. Tune in to challenge your assumptions—and maybe your entire security stack. ⬥SPONSORS⬥ ThreatLocker: https://itspm.ag/threatlocker-r974 ⬥RESOURCES⬥ ⬥ADDITIONAL INFORMATION⬥ ✨ More Redefining CyberSecurity Podcast: 🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast Redefining CyberSecurity Podcast on YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq 📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/ Interested in sponsoring this show with a podcast ad placement? Learn more: 👉 https://itspm.ag/podadplc ⬥KEYWORDS⬥ ciso, appsec, threatintel, trust, ai, vendors, bloat, leadership, tools, risk, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

Threat modeling is often called the foundation of secure software design—anticipating attackers, uncovering flaws, and embedding resilience before a single line of code is written. But does it really work in practice? In this episode of AppSec Contradictions, Sean Martin explores why threat modeling so often fails to deliver: Drawing on insights from SANS, Forrester, and Gartner, Sean breaks down the gap between theory and reality—and why evolving our processes, not just our models, is the only path forward. 👉 What’s your take? Share your experience with threat modeling in application security in the comments below. Is your organization able to integrate threat modeling into everyday work, or does it remain a one-off exercise? What changes to process or culture would make it valuable and visible across teams? 📖 Read the full companion article in the Future of Cybersecurity newsletter for deeper insights: https://www.linkedin.com/pulse/problem-threat-modeling-application-security-too-slow-martin-cissp-8n5ye/ 🔔 Subscribe to stay updated on the full AppSec Contradictions video series and more perspectives on the future of cybersecurity: https://www.youtube.com/playlist?list=PLnYu0psdcllRWnImF5iRnO_10eLnPFWi_ ________ This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence. Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity Sincerely, Sean Martin and TAPE9 ________ Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️ Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-location To learn more about Sean, visit his personal website. Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

⬥GUEST⬥ Aunshul Rege, Director at The CARE Lab at Temple University | On Linkedin: https://www.linkedin.com/in/aunshul-rege-26526b59/ ⬥CO-HOST⬥ Julie Haney, Computer scientist and Human-Centered Cybersecurity Program Lead, National Institute of Standards and Technology | On LinkedIn: https://www.linkedin.com/in/julie-haney-037449119/ ⬥HOST⬥ Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com ⬥EPISODE NOTES⬥ Cybersecurity Is for Everyone — If We Teach It That Way Cybersecurity impacts us all, yet most people still see it as a tech-centric domain reserved for experts in computer science or IT. Dr. Aunshul Rege, Associate Professor in the Department of Criminal Justice at Temple University, challenges that perception through her research, outreach, and education programs — all grounded in community, empathy, and human behavior. In this episode, Dr. Rege joins Sean Martin and co-host Julie Haney to share her multi-layered approach to cybersecurity awareness and education. Drawing from her unique background that spans computer science and criminology, she explains how understanding human behavior is critical to understanding and addressing digital risk. One powerful initiative she describes brings university students into the community to teach cyber hygiene to seniors — a demographic often left out of traditional training programs. These student-led sessions focus on practical topics like scams and password safety, delivered in clear, respectful, and engaging ways. The result? Not just education, but trust-building, conversation, and long-term community engagement. Dr. Rege also leads interdisciplinary social engineering competitions that invite students from diverse academic backgrounds — including theater, nursing, business, and criminal justice — to explore real-world cyber scenarios. These events prove that you don’t need to code to contribute meaningfully to cybersecurity. You just need curiosity, communication skills, and a willingness to learn. Looking ahead, Temple University is launching a new Bachelor of Arts in Cybersecurity and Human Behavior — a program that weaves in community engagement, liberal arts, and applied practice to prepare students for real-world roles beyond traditional technical paths. If you’re a security leader looking to improve awareness programs, a university educator shaping the next generation, or someone simply curious about where you fit in the cyber puzzle, this episode offers a fresh perspective: cybersecurity works best when it’s human-first. ⬥SPONSORS⬥ ThreatLocker: https://itspm.ag/threatlocker-r974 ⬥RESOURCES⬥ Dr. Aunshul Rege is an Associate Professor here, and much of her work is conducted under this department: https://liberalarts.temple.edu/academics/departments-and-programs/criminal-justice Temple Digital Equity Plan (2022): https://www.phila.gov/media/20220412162153/Philadelphia-Digital-Equity-Plan-FINAL.pdf Temple University Digital Equity Center / Digital Access Center: https://news.temple.edu/news/2022-12-06/temple-launches-digital-equity-center-north-philadelphia NICE Cybersecurity Workforce Framework: https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center ⬥ADDITIONAL INFORMATION⬥ ✨ More Redefining CyberSecurity Podcast: 🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast Redefining CyberSecurity Podcast on YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq 📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/ Interested in sponsoring this show with a podcast ad placement? Learn more: 👉 https://www.itspmagazine.com/purchase-programs ⬥KEYWORDS⬥ sean martin, julie haney, aunshul rege, temple university, cybersecurity literacy, social engineering, cyber hygiene, human behavior, community engagement,...

Threat modeling is often called the foundation of secure software design—anticipating attackers, uncovering flaws, and embedding resilience before a single line of code is written. But does it really work in practice? In this episode of AppSec Contradictions, Sean Martin explores why threat modeling so often fails to deliver: Drawing on insights from SANS, Forrester, and Gartner, Sean breaks down the gap between theory and reality—and why evolving our processes, not just our models, is the only path forward. 👉 What’s your take? Share your experience with threat modeling in application security in the comments below. Is your organization able to integrate threat modeling into everyday work, or does it remain a one-off exercise? What changes to process or culture would make it valuable and visible across teams? 📖 Read the full companion article in the Future of Cybersecurity newsletter for deeper insights: https://www.linkedin.com/pulse/problem-threat-modeling-application-security-too-slow-martin-cissp-8n5ye/ 🔔 Subscribe to stay updated on the full AppSec Contradictions video series and more perspectives on the future of cybersecurity: https://www.youtube.com/playlist?list=PLnYu0psdcllRWnImF5iRnO_10eLnPFWi_ ________ This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence. Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity Sincerely, Sean Martin and TAPE9 ________ Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️ Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-location To learn more about Sean, visit his personal website.

AI is everywhere in application security today — but instead of fixing the problem of false positives, it often makes the noise worse. In this first episode of AppSec Contradictions, Sean Martin explores why AI in application security is failing to deliver on its promises. False positives dominate AppSec programs, with analysts wasting time on irrelevant alerts, developers struggling with insecure AI-written code, and business leaders watching ROI erode. Industry experts like Forrester and Gartner warn that without strong governance, AI risks amplifying chaos instead of clarifying risk. This episode breaks down: • Why 70% of analyst time is wasted on false positives • How AI-generated code introduces new security risks • What “alert fatigue” means for developers, security teams, and business leaders • Why automating bad processes creates more noise, not less 👉 What’s your take? Share your experience with AI in security in the comments below. Has AI helped reduce noise — or only made things harder? 📖 Read the full companion article in the Future of Cybersecurity newsletter for deeper insights: https://www.linkedin.com/pulse/ai-application-security-why-false-positives-still-sean-martin-cissp-jb8zc/ 🔔 Subscribe to stay updated on the full AppSec Contradictions video series and more perspectives on the future of cybersecurity: https://www.youtube.com/playlist?list=PLnYu0psdcllRWnImF5iRnO_10eLnPFWi_ ________ This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence. Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity Sincerely, Sean Martin and TAPE9 ________ Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️ Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-location To learn more about Sean, visit his personal website.

⬥GUEST⬥ Andy Ellis, Legendary CISO [https://howtociso.com] | On LinkedIn: https://www.linkedin.com/in/csoandy/ ⬥HOST⬥ Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com ⬥EPISODE NOTES⬥ In this episode of Redefining CyberSecurity, host Sean Martin speaks with Andy Ellis, former CSO at Akamai and current independent advisor, about the shifting expectations of security leadership in today’s SaaS-powered, AI-enabled business environment. Andy highlights that many organizations—especially mid-sized startups—struggle not because they lack resources, but because they don’t know how to contextualize what security means to their business goals. Often, security professionals aren’t equipped to communicate with executives or boards in a way that builds shared understanding. That’s where advisors like Andy step in: not to provide a playbook, but to help translate and align. One of the core ideas discussed is the reframing of security as an enabler rather than a gatekeeper. With businesses built almost entirely on SaaS platforms and outsourced operations, IT and security should no longer be siloed. Andy encourages security teams to “own the stack”—not just protect it—by integrating IT management, vendor oversight, and security into a single discipline. The conversation also explores how AI and automation empower employees at every level to “vibe code” their own solutions, shifting innovation away from centralized control. This democratization of tech raises new opportunities—and risks—that security teams must support, not resist. Success comes from guiding, not gatekeeping. Andy shares practical ways CISOs can build influence, including a deceptively simple yet powerful technique: ask every stakeholder what security practice they hate the most and what critical practice is missing. These questions uncover quick wins that earn political capital—critical fuel for driving long-term transformation. From his “First 91 Days” guide for CISOs to his book 1% Leadership, Andy offers not just theory but actionable frameworks for influencing culture, improving retention, and measuring success in ways that matter. Whether you’re a CISO, a founder, or an aspiring security leader, this episode will challenge how you think about the role security plays in business—and what it means to lead from the middle. ⬥SPONSORS⬥ LevelBlue: https://itspm.ag/attcybersecurity-3jdk3 ThreatLocker: https://itspm.ag/threatlocker-r974 ⬥RESOURCES⬥ Inspiring Post: https://www.linkedin.com/posts/csoandy_how-to-ciso-the-first-91-days-ugcPost-7330619155353632768-BXQT/ Book: “How to CISO: The First 91-Day Guide” by Andy Ellis — https://howtociso.com/library/first-91-days-guide/ Book: “1% Leadership: Master the Small Daily Habits that Build Exceptional Teams” — https://www.amazon.com/1-Leadership-Daily-Habits-Exceptional/dp/B0BSV7T2KZ ⬥ADDITIONAL INFORMATION⬥ ✨ More Redefining CyberSecurity Podcast: 🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast Redefining CyberSecurity Podcast on YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq 📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/ Interested in sponsoring this show with a podcast ad placement? Learn more: 👉 https://itspm.ag/podadplc ⬥KEYWORDS⬥ andy ellis, sean martin, ciso, ai, sas, shadow it, vibe coding, patch management, political capital, leadership, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast

At Black Hat USA 2025, artificial intelligence wasn’t the shiny new thing — it was the baseline. Nearly every product launch, feature update, and hallway conversation had an “AI-powered” stamp on it. But when AI becomes the lowest common denominator for security, the questions shift. In this episode, I read my latest opinion piece exploring what happens when the tools we build to protect us are the same ones that can obscure reality — or rewrite it entirely. Drawing from the Lock Note discussion, Jennifer Granick’s keynote on threat modeling and constitutional law, my own CISO hallway conversations, and a deep review of 60+ vendor announcements, I examine the operational, legal, and governance risks that emerge when speed and scale take priority over transparency and accountability. We talk about model poisoning — not just in the technical sense, but in how our industry narrative can get corrupted by hype and shallow problem-solving. We look at the dangers of replacing entry-level security roles with black-box automation, where a single model misstep can cascade into thousands of bad calls at machine speed. And yes, we address the potential liability for CISOs and executives who let it happen without oversight. Using Mikko Hyppönen’s “Game of Tetris” metaphor, I explore how successes vanish quietly while failures pile up for all to see — and why in the AI era, that stack can build faster than ever. If AI is everywhere, what defines the premium layer above the baseline? How do we ensure we can still define success, measure it accurately, and prove it when challenged? Listen in, and then join the conversation: Can you trust the “reality” your systems present — and can you prove it? ________ This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence. Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn. Sincerely, Sean Martin and TAPE3 ________ ✦ Resources Article: When Artificial Intelligence Becomes the Baseline: Will We Even Know What Reality Is AInymore?https://www.linkedin.com/pulse/when-artificial-intelligence-becomes-baseline-we-even-martin-cissp-4idqe/ The Future of Cybersecurity Article: How Novel Is Novelty? Security Leaders Try To Cut Through the Cybersecurity Vendor Echo Chamber at Black Hat 2025: https://www.linkedin.com/pulse/how-novel-novelty-security-leaders-try-cut-through-sean-martin-cissp-xtune/ Black Hat 2025 On Location Closing Recap Video with Sean Martin, CISSP and Marco Ciappelli: https://youtu.be/13xP-LEwtEA Learn more and catch more stories from our Black Hat USA 2025 coverage: https://www.itspmagazine.com/bhusa25 Article: When Virtual Reality Is A Commodity, Will True Reality Come At A Premium? https://sean-martin.medium.com/when-virtual-reality-is-a-commodity-will-true-reality-come-at-a-premium-4a97bccb4d72 Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage ITSPmagazine Studio — A Brand & Marketing Advisory for Cybersecurity and Tech Companies: https://www.itspmagazine.studio/ ITSPmagazine Webinar: What’s Heating Up Before Black Hat 2025: Place Your Bet on the Top Trends Set to Shake Up this Year’s Hacker Conference — An ITSPmagazine Thought Leadership Webinar | https://www.crowdcast.io/c/whats-heating-up-before-black-hat-2025-place-your-bet-on-the-top-trends-set-to-shake-up-this-years-hacker-conference ________ Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️ Want to connect with Sean and...