The ITSPmagazine Podcast

Technology Podcasts

Location:

United States

Description:

Founded in 2015, ITSPmagazine began as a vision for a publication positioned at the critical intersection of technology, cybersecurity, and society. What started as a written publication has evolved into a comprehensive repository for all their content—podcasts, articles, event coverage, interviews, videos, panels, and everything they create. This is where Sean Martin and Marco Ciappelli talk about cybersecurity, technology, society, music, storytelling, branding, conference coverage, and whatever else catches their attention. Over a decade of conversations exploring how these worlds collide, influence each other, and shape the human experience. This is where you'll find it all.

Language:

English


Episodes

When AI Touches Everything: Operationalizing the Five Most Dangerous New Attack Techniques at RSAC 2026 | A Redefining CyberSecurity Podcast Conversation with Ed Skoudis, President of SANS Technology Institute and Founder & CEO of Counter Hack

3/20/2026
Show Notes For ten years, Ed Skoudis has curated one of the most anticipated sessions at RSAC Conference: SANS' "Five Most Dangerous New Attack Techniques: Crucial Tips for Defenders." The session has always been a hit -- standing room only on the main stage -- but this year, Ed says something has changed. Not one or two topics with an AI component. All five. Ed is deliberate about how the session comes together. He starts with people, not topics. He builds the panel around SANS instructors who bring front-line insight, and he starts the process six months out. This year's panel features returning panelist Heather Mahalik, Rob Teeley back for his second year, Joshua Wright in his second year -- this time carrying two topics and eight minutes instead of six -- and, making his first appearance on this stage, Robert M. Lee of Dragos, one of the world's foremost voices on ICS and OT security. The addition of "Crucial Tips for Defenders" to the title this year was intentional. Ed pushed every panelist to move beyond naming threats and toward prescribing action -- practical, implementable steps that a CISO can hand down and a practitioner can execute the next morning. For topics where prevention is impossible, the mandate shifted to detection and response. SANS publishes session notes to their website within minutes of the talk ending. The backdrop this year is a warning Ed calls unlike anything in his 30 years of attending RSA and DEF CON. At a recent AI cybersecurity conference in San Francisco, presenters from Google and Anthropic outlined what Google termed the "vuln apocalypse" -- an imminent surge in AI-discovered zero-day vulnerabilities at a scale and pace that patching pipelines are not designed to handle. Ed's own team at Counter Hack has already experienced this firsthand: a frontier AI model identified a critical zero-day in a widely used open source project in a matter of hours. 
The Anthropic presenter's claim was blunt: within months, AI will surpass all human vulnerability researchers combined. All of this lands at the center of what the RSAC session is designed to address -- not as a theoretical exercise, but as a set of actions defenders can take right now. The session runs Tuesday, March 24th at 3:55 PM on the main stage, with an interactive follow-on session Wednesday morning where attendees can go deeper with individual panelists. For anyone who wants to understand where the threat landscape is actually heading and what to do about it, Ed says this is the year you cannot afford to miss it.

Guest: Ed Skoudis, President, SANS Technology Institute; Founder & CEO, Counter Hack | On LinkedIn: https://www.linkedin.com/in/edskoudis

Host: Sean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/

Resources:
SANS Institute | https://www.sans.org
RSA Conference 2026 is taking place April 28 - May 1, 2026 | Moscone Center, San Francisco -- Follow our coverage: https://www.itspmagazine.com/rsac-2026-conference-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/
More Redefining CyberSecurity Podcast episodes | https://www.seanmartin.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube | https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

Keywords: ed skoudis, sean martin, sans institute, sans technology institute, counter hack, rsac 2026, rsa conference, five most dangerous attack techniques, ai in cybersecurity, vulnerability research, zero-day vulnerabilities, patch management, penetration testing, defender tips, ics security, ai-powered attacks, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast

Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data...

Duration:00:25:11

eCrime, Threat Intelligence, and What's Coming at RSAC Conference 2026 | A Brand Spotlight at RSAC Conference 2026 with Tony Anscombe, Chief Security Evangelist of ESET

3/19/2026
Tony Anscombe has attended RSA Conference since 1998 -- back when it was held at the Fairmont Hotel. That long view informs everything about how ESET approaches threat intelligence. It is not about volume. It is about accuracy, speed, and putting the right signal in front of the right team at the right moment. The ESET eCrime Ecosystem Report comes in two forms: a business-facing summary outlining current risks for leadership, and a long-form technical report for analysts -- complete with IOCs, coding examples, and structured intelligence feeds covering ransomware, crypto scams, malicious email attachments, and infostealer data. These feeds are built to plug directly into SOC workflows and firewall rules, not to create more work for already stretched teams. Tony Anscombe is direct about the quality problem in threat intelligence. Open-source feeds sound appealing -- until you factor in the analyst hours required to clean out the noise. By then, the intelligence is stale. Attacks circle the globe in hours. Near-real-time, verified intelligence is not a premium -- it is the baseline requirement. The threat detection conversation has also moved well past malware. Anscombe walks through how modern attackers often skip the payload entirely -- credential theft gets them in, then slow lateral movement and data exfiltration follow, with ransomware as the final act rather than the first signal. ESET's platform focuses on behavioral anomaly detection across the full environment, with on-site, cloud, and managed deployment options for organizations that cannot or will not go all-in on cloud architecture. At RSAC Conference 2026, ESET will be at booth 5253 in Moscone North. 
Anscombe has two sessions on the Wednesday agenda: one on supply chain blind spots -- urging security teams to engage directly with the business side to map third-party risk fully -- and a community rant session tackling four things that need to change in cybersecurity, including the cryptocurrency regulation debate. On AI, his message is measured: the real conversation at the show is not about using AI -- it is about securing it.

This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight

GUEST: Tony Anscombe, Chief Security Evangelist, ESET | LinkedIn: https://www.linkedin.com/in/tonyanscombe/

RESOURCES:
ESET website: https://www.eset.com
ESET threat research blog (WeLiveSecurity): https://www.welivesecurity.com
ESET at RSAC Conference 2026 -- Booth 5253, Moscone North

Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight

KEYWORDS: Tony Anscombe, ESET, Sean Martin, RSAC Conference 2026, eCrime, threat intelligence, eCrime Ecosystem Report, cybersecurity, endpoint protection, MDR, threat detection, supply chain security, AI security, ransomware, infostealer, brand spotlight, brand marketing, marketing podcast, brand story

Duration:00:21:47

The Backup Layer Is a Security Layer: Object First at RSAC Conference 2026 | A Brand Highlight at RSAC Conference 2026 with Anthony Cusimano, Director of Solutions Marketing at Object First

3/18/2026
Backup storage rarely gets a spotlight at security conferences. Object First is working to change that. Anthony Cusimano, Director of Solutions Marketing, joined Sean Martin and Marco Ciappelli ahead of RSAC Conference 2026 to make the case that absolute immutability -- baked into hardware, not bolted on as a feature -- is one of the most critical layers of any modern security stack. Object First builds physical, on-premises appliances purpose-built for Veeam. Once backup data lands on the device, it cannot be changed by anyone: not an admin, not the vendor, not an attacker. That guarantee is the foundation of the company's entire product philosophy. As Anthony Cusimano puts it, the threat is clear -- ransomware operators now specifically target backups because destroying that data eliminates the victim's options. Heading into RSAC Conference 2026, Object First is bringing new capabilities to South Hall Booth S3601. Demos will include Honeypot, a feature that causes the Object First appliance to simulate a Veeam backup and replication server as a decoy. If a bad actor attempts brute-force access or a remote desktop connection, an alert fires immediately -- a signal that your real Veeam environment is likely also being probed. This is a Brand Highlight. A Brand Highlight is a ~5 minute introductory conversation designed to put a spotlight on the guest and their company. Learn more: https://www.studioc60.com/creation#highlight GUEST Anthony Cusimano, Director of Solutions Marketing, Object First LinkedIn: https://www.linkedin.com/in/anthonycusimano89/ RESOURCES Object First website: https://objectfirst.com ITSPmagazine RSAC Conference 2026 coverage: https://www.itspmagazine.com/rsac-2026-conference-san-francisco-usa-cybersecurity-event-infosec-conference-coverage Are you interested in telling your story? 
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight

KEYWORDS: Anthony Cusimano, Object First, Sean Martin, Marco Ciappelli, brand story, brand marketing, marketing podcast, brand highlight, ransomware, backup security, immutable storage, Veeam, data protection, RSAC Conference 2026, cyber resilience, backup immutability, ransomware protection

Duration:00:06:17

The AI Hype Is Real -- But So Is the Risk of Getting It Wrong | A Brand Spotlight at RSAC Conference 2026 with Subo Guha, Senior Vice President of Product Management of Stellar Cyber

3/18/2026
Every vendor at RSAC Conference 2026 will have an autonomous SOC story. Subo Guha, Senior Vice President of Product Management at Stellar Cyber, has been building the real thing for over a decade -- and he has one question every buyer should ask at every booth: can your platform explain why it reached its verdict? Stellar Cyber's autonomous SOC provides a full case summary for every true positive, showing the forensic evidence chain, threat intelligence correlations, and specific observables that led to the conclusion. SOC analysts can review, challenge, or override -- and that feedback loop is how the system improves. The threat landscape has shifted in ways that validate Stellar Cyber's original architecture. LLM-generated attacks have collapsed the time to launch a sophisticated phishing campaign from weeks to minutes. Stellar Cyber was built to serve the mid-market and the MSSPs that protect it -- organizations that face identical threats to enterprises but without enterprise resources. A unified, multi-tenant platform means MSSPs onboard new customers in minutes. An open data ingestion engine works with whatever tools are already in place -- no EDR lock-in, no rip-and-replace. At the center of the platform is a correlation engine that transforms thousands of individual alerts into a manageable set of high-confidence cases. An identity compromise driving lateral movement across dozens of alerts becomes one case with a clear recommended action. Subo describes this as the difference between drowning in noise and focusing on decisions that actually require human judgment -- and it is the foundation the autonomous SOC layer is built on. Subo is direct about what the hype gets wrong: the claim that organizations can dramatically cut SOC headcount because AI has it covered is not happening. 
The realistic version of autonomous SOC is a force multiplier -- digital agents handle the continuous, high-volume triage work that consumes analyst hours, freeing humans for the cases that require context and institutional knowledge. A system that automates without explainability does not reduce risk. It relocates it. Stellar Cyber will be at booth S327 in the South Hall at RSAC Conference 2026, right at the bottom of the escalator. Live autonomous SOC demonstrations will be running throughout the event, with real-world results from customers already in production. The team also has a barista on site -- a detail Subo was particularly keen to mention for Marco Ciappelli.

This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight

GUEST: Subo Guha, Senior Vice President of Product Management, Stellar Cyber | https://www.linkedin.com/in/suboguha/

RESOURCES:
Learn more about Stellar Cyber: https://stellarcyber.ai
RSAC Conference 2026 Coverage: https://www.itspmagazine.com/rsac-2026-conference-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

KEYWORDS: Subo Guha, Stellar Cyber, Sean Martin, brand story, brand marketing, marketing podcast, brand spotlight, autonomous SOC, Open XDR, MSSP security platform, AI-driven security operations, agentic AI cybersecurity, threat detection and response, RSAC Conference 2026, SOC analyst tools, multi-tenant security platform, LLM-generated attacks, security operations center, SIEM NDR unified platform

Duration:00:20:25

The AI SOC Analyst Is Already Here -- Are You Ready to Rethink the Role of Your Security Team? | A Brand Spotlight at RSAC Conference 2026 with Monzy Merza, Co-Founder and CEO of Crogl

3/18/2026
Monzy Merza, Co-Founder and CEO of Crogl, sat down with Sean Martin and Marco Ciappelli ahead of RSAC Conference 2026 with a position that cuts against the prevailing AI narrative: there will be more security engineers next year than there are today, not fewer. His reasoning draws on how automation has always worked. The phone contact list eliminated the need to memorize numbers -- and people communicated with far more people as a result. AI in security will expand the surface area practitioners must handle, not shrink the need for them. Crogl was founded in 2023 to make every security practitioner as effective as their entire team. What sets Crogl apart is a refusal to require data normalization before the product becomes useful. Instead, Crogl builds a semantic knowledge graph across an organization's existing data lakes, SIEMs, and SOAR platforms -- however many there are -- so analysts can investigate alerts and threat hunt across their real environment, not an idealized version of it. Monzy Merza applies the same logic to language models as to data: if different data stores serve different purposes, why accept a single LLM for every security scenario? Crogl lets organizations choose their model, swap as needs evolve, and deploy on any footprint -- including fully air-gapped environments. For government agencies, energy utilities, and manufacturers, that is not a feature. It is a deployment prerequisite. Financial services leaders across 15 conversations in New York told Merza the same thing unprompted: Crogl's investment in an enterprise semantic knowledge graph is what they see as genuinely correct. Their argument: you cannot solve enterprise security operations with AI without knowing where data lives without transforming it. These were practitioners speaking, not vendors. The week before RSAC Conference, Crogl hosted the first AI SOC Summit near Washington, DC -- no NDAs, no directed demos. 
Attendees brought their own laptops, got access tokens, and used Crogl on their own problems, completely unattended. The booth at RSAC Conference will work the same way: walk up, run real scenarios, no one driving the demo. The head of AI, UX designer, and chief architect will all be on the floor to listen and be challenged. Organizations building AI security strategy around eliminating people are making a bet history does not support. The smarter path -- and the one Crogl is built around -- is enabling practitioners with tools that meet them where they are, on the data they have, with the models they trust, in the environments they control.

This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight

GUEST: Monzy Merza, Co-Founder and CEO, Crogl | On LinkedIn: https://www.linkedin.com/in/monzymerza/

RESOURCES:
Crogl: https://www.crogl.com
AI SOC Summit: https://www.aisocsummit.com/
RSAC Conference 2026 Coverage on ITSPmagazine: https://www.itspmagazine.com/rsac-2026-conference-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

KEYWORDS: Monzy Merza, Crogl, Sean Martin, brand story, brand marketing, marketing podcast, brand spotlight, AI SOC, security operations center, autonomous alert investigation, enterprise semantic knowledge graph, AI security tools, SOC automation, security analyst, threat hunting, data normalization, large language models, agentic AI, RSAC 2026, RSAC Conference

Duration:00:23:48

When Cyber Meets Physical: Building Executive and Employee Protection Programs That Actually Work | A Redefining CyberSecurity Podcast Conversation with Roland Cloutier, Principal of The Business Protection Group

3/18/2026
⬥EPISODE NOTES⬥ The conversation that led to this episode started with a LinkedIn post -- and it quickly surfaced a challenge that security leaders across industries are wrestling with but rarely talk about openly: who is actually responsible for protecting the people inside an organization, not just the systems they use? Roland Cloutier has sat in some of the most demanding security leadership seats in the world -- Global CSO at TikTok/ByteDance, a decade as Global CSO at ADP, and VP and CSO at EMC -- and he now advises CISOs and CSOs through The Business Protection Group. His lens is converged security: the deliberate integration of cyber, physical, privacy, and people-risk under a unified program and leadership model. Roland identifies three patterns that typically bring organizations to him. First, an emergent crisis -- a threat against an executive, a workplace violence incident, a travel security failure -- that suddenly exposes the absence of a coherent protection program. Second, a cost and structure conversation where the CEO is tired of receiving two different risk pictures from two different security leaders and wants a single accountable voice. Third, a board-driven inquiry where general counsel or the CEO is being asked questions about executive resilience and duty of care that nobody inside the organization can confidently answer. What makes this conversation particularly sharp is Roland's framing of convergence not as an org chart exercise, but as a force multiplier. A unified threat intelligence picture -- one that covers cyber, physical, executive, brand, and customer risk simultaneously -- enables cleaner prioritization, better resource allocation, and a fundamentally stronger conversation with the CEO. The alternative, which he has seen firsthand, is four separate threat management platforms reporting independently with no team working across all of them. 
The episode also pushes into territory that most security programs have not yet mapped: employee protection at scale. Not bodyguards for everyone, but the organizational consciousness to monitor for geographic threats, proactively check in with distributed employees during major events, and build a duty-of-care posture that extends beyond the office walls into people's home lives and total risk environment. For high-risk employees -- those with keys to the kingdom, not just C-suite titles -- that responsibility extends further still. For CISOs and CSOs wondering where to start, Roland offers a practical crawl-walk-run framework: start with shared services rather than full convergence, open the conversation with leadership, surface the gaps the business already knows exist, and build a financial and risk model that makes sense for your specific organization. The goal is a converged security program that treats people -- not just infrastructure -- as an asset worth protecting. ⬥GUEST⬥ Roland Cloutier, Principal at The Business Protection Group | On LinkedIn: https://www.linkedin.com/in/rolandcloutier/ ⬥HOST⬥ Sean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/ ⬥RESOURCES⬥ The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/ More Redefining CyberSecurity Podcast episodes | https://www.seanmartin.com/redefining-cybersecurity-podcast Redefining CyberSecurity Podcast on YouTube | https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq ⬥ADDITIONAL INFORMATION⬥ On ITSPmagazine: https://www.itspmagazine.com/ On YouTube: https://www.youtube.com/@itspmagazine On LinkedIn Newsletter: https://itspm.ag/future-of-cybersecurity Sean Martin's Contact Page: https://www.seanmartin.com/ ⬥KEYWORDS⬥ roland cloutier, the business protection group, sean martin, executive protection, employee protection, converged 
security, physical security, ciso, cso, duty of care, threat intelligence,...

Duration:00:25:04

From the HIMSS 2026 Floor: How Zebra Technologies Is Putting Intelligence in the Hands of Healthcare's Frontline | A Brand Spotlight with Chris Sullivan | HIMSS 2026

3/15/2026
Summary: Recorded live from the floor of HIMSS 2026 in Las Vegas, this Brand Spotlight conversation with Chris Sullivan, Global Healthcare Practice Lead at Zebra Technologies, explores how technology — from RFID drug tracking to AI-powered frontline devices — is reshaping the way hospitals deliver care, reduce waste, and protect patients. From a groundbreaking pharmacy innovation at Texas Children's Hospital to Zebra's vision for ambient intelligence at the point of care, this is a candid look at what it means to build technology for the people who actually do the work. At HIMSS 2026 in Las Vegas, the conversation keeps circling back to the same question: how can technology help healthcare workers spend more time with patients and less time chasing information? For Chris Sullivan, Global Healthcare Practice Lead at Zebra Technologies, that question is not hypothetical — it's the work. In this Brand Spotlight, Marco Ciappelli connects with Chris from the conference floor to talk about what's actually happening in healthcare technology right now. Zebra Technologies, a 55-year-old company with over 10,000 employees and more than 300 healthcare-specific products, has built its reputation by designing tools not for the corner office, but for the frontline worker — the nurse, the pharmacist, the care team member who needs the right information at exactly the right moment. One of the most compelling stories Chris shares is Zebra's partnership with Texas Children's Hospital, a world leader in pediatric oncology. The challenge: high-cost cancer medications — some exceeding a million dollars per treatment — were being lost, duplicated, or expiring before reaching patients. The solution was an RFID-based drug management system, built in partnership with a Texas software company, that now tracks medications throughout the pharmacy supply chain. The result? 
Millions of dollars in annual inventory savings, improved patient safety, and a model that Texas Children's is now actively sharing with hospitals in Amsterdam and beyond. But the RFID story is just one piece of a larger picture. What Zebra calls healthcare workflow orchestration — the coordination of people, assets, and information across a complex hospital environment — is the bigger ambition. Chris describes a three-part framework: asset visibility (digitizing wheelchairs, pumps, medications, and supplies), real-time information for caregivers (through mobile computers and hands-free wearables), and operational automation (like the pharmacy RFID system). Together, these elements are designed to remove friction from the care delivery process and give clinicians back the one thing they most want: presence with their patients. And then there's AI. Zebra has been building sensor-rich devices for years, and now those sensors — over 15 per device, capturing voice, video, and environmental data — are becoming the foundation for an AI platform built specifically for frontline workers. Chris draws a sharp distinction between AI for knowledge workers and AI for frontline workers, arguing that the needs, rules, and structures are fundamentally different. Zebra's approach is to pre-extract sensor intelligence into an open SDK with over 21 AI enablers, then package those into industry-specific blueprints that can be deployed in months rather than years. The conversation ends where it began: with people. Chris is both a technology provider and a healthcare board member, which gives him a perspective that's rare in this industry. He understands what it means when a caregiver is interrupted. He knows that a nurse who has to stop and look something up is a nurse who isn't holding a patient's hand. That's the problem Zebra is trying to solve — not with a flashy pitch, but with 55 years of frontline experience and a clear-eyed view of what the work actually looks like. 
Recorded remotely from HIMSS 2026 | Las Vegas, NV | March 9–12, 2026 This Brand Spotlight is part of ITSPmagazine's ongoing...

Duration:00:17:04

Sound Is a Force: Frequency, Healing, and the Physics of Music | A Music Evolves Conversation with Scott "Shagghie" Scheferman, Cybersecurity Strategist, Musician, and Researcher

3/15/2026
Show Notes Scott Scheferman -- known throughout the cybersecurity and music communities as Shagghie -- brings a rare combination of backgrounds to this conversation: classically trained on trumpet, a live techno producer since the late nineties, a student of synthesis at its lowest circuit level, and now a full-time researcher working on what he calls the Joy Protocol -- a frequency-based framework designed to produce measurable physiological and neurological benefits through sound and light. The conversation opens with Scott recounting his musical journey -- from blues trumpet in the Caribbean to losing his cherished instruments during a move to the United States, to a 25-year silence before his daughter convinced him to pick up the horn again. Then came the synthesizers. He describes performing live techno with six drum machines and synthesizer sequencers at a San Diego club, his parents in the crowd, sweating and dancing by 2:00 AM. For Scott, that was the moment of arrival -- not just as a performer, but as someone understood. From there, the conversation moves into the physics. Scott and Sean explore how frequency operates across the entire spectrum -- from the 7.83 hertz resonant frequency of the Earth itself to the quantum oscillations that defy measurement. Scott makes the case that sound is not merely an aesthetic experience but a literal force, one that operates on the body, mind, and cellular structure in ways now being confirmed by a new wave of scientific research. The Solfeggio scale, long dismissed by mainstream music as esoteric, turns out to have been built around frequencies that have specific, studied, physiological effects on the human body. The conversation doesn't shy from harder territory. Scott discusses directional sound weapons he witnessed firsthand at Booz Allen Hamilton, the documented Havana syndrome incidents, and how blue light frequencies are engineered into consumer electronics to trigger dopamine responses. 
These aren't conspiracy theories, he argues -- they are the same science, used from the opposite direction. The Joy Protocol is the inverse: taking those same mechanisms and applying them to produce healing, not harm. Even the 40-hertz frequency -- which Scott now seeks out on his wife's Power Plate machine at the gym -- produces a physical response he describes as immediately and unmistakably real. The episode closes on the question every musician, listener, and creator should be sitting with: if certain frequencies heal and others harm, if the A-440 tuning standard may have been a deliberate departure from something more resonant, and if the spaces between notes matter as much as the notes themselves -- then what does it mean to produce music intentionally? Scott points toward the guitar as a last frontier that AI cannot replicate: the harmonic overtones that physically manifest in wood when an instrument is tuned to a resonant frequency cannot be induced after the fact. That reality, he suggests, is both a challenge and an invitation. 
Host Sean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/ Guest(s) Scott "Shagghie" Scheferman, Cybersecurity Strategist, Musician, and Researcher | Website: https://www.scottscheferman.com/ | On LinkedIn: https://www.linkedin.com/in/scottscheferman/ Resources Scott Scheferman's Personal Website | https://www.scottscheferman.com/ Music Evolves: Sonic Frontiers Newsletter | https://www.linkedin.com/newsletters/7290890771828719616/ Keywords scott scheferman, shagghie, frequency healing, quantum consciousness, cymatics, solfeggio frequencies, sound as medicine, live techno, music production, joy protocol, sean martin, music, creativity, art, artist, musician, music evolves, music podcast, music and technology podcast More From Sean Martin on ITSPmagazine More from Music Evolves: https://www.seanmartin.com/music-evolves-podcast Music...

Duration:01:02:48

Supply Chain Resilience and AI Risk in Healthcare | A Brand Spotlight Conversation with Ryan Patrick, Executive Vice President, TPRM Customer Solutions of HITRUST

3/15/2026
Third-party-related breaches have doubled in the last 12 months. Ryan Patrick, Executive Vice President of TPRM Customer Solutions at HITRUST, is not surprised. As organizations outsource more to stay focused on core competencies, the vendor attack surface grows -- and malicious actors are exploiting it through a pattern Patrick calls "island hopping": land on a smaller vendor, secure a foothold, then move laterally toward the real target. The Stryker attack, which unfolded in real time during HIMSS 2026, made the stakes concrete. What began as a nation-state operation quickly became a supply chain crisis. Hospitals relying on Stryker products scrambled -- not because their own environments were breached, but because a critical supplier went down. Patrick argues that availability of services deserves equal weight to confidentiality, especially when a supplier outage directly impacts patient care and revenue. AI adds a new layer of urgency to vendor risk. Vendors are quietly adding AI capabilities to existing products -- sometimes without notifying customers. An EHR platform might add a clinical decision support model as a routine feature update. The health system consuming it may lack the leverage to audit what that model does with patient data. In agentic AI scenarios, where decisions happen without a human in the loop, the consequences are clinical, not just operational. Patrick's advice for managing AI risk: stop treating it as a fundamentally different category. Layer it into existing security programs, policies, and governance frameworks. The uniqueness lies in how you assess AI risk -- not in abandoning what already works. The industry, he observes, is finally moving past the wait-and-see phase. The data on HITRUST certification outcomes is compelling. One organization has gone seven to eight years without a security incident by requiring all vendors to achieve HITRUST certification. 
External vulnerability platforms like SecurityScorecard and RiskRecon independently confirm the pattern: HITRUST-certified vendors score measurably higher. Certified vendors mature over time. Non-certified vendors plateau. This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight GUEST Ryan Patrick, Executive Vice President, TPRM Customer Solutions, HITRUST https://www.linkedin.com/in/ryan-patrick-3699117a/ RESOURCES HITRUST: https://hitrustalliance.net HIMSS 2026 Coverage: https://www.itspmagazine.com/cybersecurity-technology-society-events/himss-global-health-conference-amp-exhibition-2026 Are you interested in telling your story? ▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full ▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight ▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight KEYWORDS Ryan Patrick, HITRUST, Sean Martin, third-party risk management, TPRM, supply chain security, healthcare cybersecurity, HIMSS 2026, AI security, EHR security, vendor risk, HIPAA compliance, CIA triad, supply chain resilience, agentic AI, healthcare data security, brand spotlight, brand marketing, marketing podcast, brand spotlight

Duration:00:16:53

Software Supply Chains, AI Risk, and the Transparency Gap | A Brand Spotlight with Daniel Bardenstein of Manifest | RSAC 2026

3/14/2026
As RSAC 2026 approaches, Daniel Bardenstein, CEO and Co-Founder of Manifest, joins hosts Sean Martin and Marco Ciappelli to unpack the growing disconnect between how security leaders perceive their AI and software supply chain posture and what practitioners on the ground actually experience. Drawing from Manifest's new research report — Beyond the Black Box — Bardenstein connects the dots between shadow AI, SBOM adoption gaps, and a dangerous pattern: history is repeating itself as organizations rush to adopt AI with the same disregard for security that characterized the early cloud era. In a wide-ranging pre-event conversation ahead of RSAC 2026, Daniel Bardenstein, CEO and Co-Founder of Manifest, explores what it means to truly secure the software and AI supply chain — not just check the compliance box. Manifest's new research report, Beyond the Black Box, surveyed more than 300 security and AI leaders globally to understand the reality of AI adoption and software supply chain risk. One of the most striking findings was not a statistic, but a structural problem: a significant perception gap exists between how confident executive security leadership feels about their AI security posture and how unprepared frontline practitioners actually are. Where there is misalignment, Bardenstein notes, there is risk. The conversation draws a vivid parallel to the cloud adoption wave of a decade ago, when organizations rushed to SaaS and cloud infrastructure without thinking through security implications — and gave birth to entire new industries to clean up the mess. Today, the same dynamic is playing out with AI. Nearly two-thirds of the survey respondents reported encountering shadow AI within their organizations, as employees freely use tools like ChatGPT, DeepSeek, or locally downloaded models without centralized governance. When that AI eventually gets embedded into software that organizations build, deploy, and sell, the blind spots compound. 
SBOMs — software bills of materials — represent a promising step toward supply chain transparency, and Bardenstein credits the US government's regulatory nudging for driving adoption. Manifest's research shows that roughly 60% of organizations are now generating SBOMs, a meaningful milestone. But generation is not governance. Too many organizations treat an SBOM as a compliance artifact — a JSON file on a hard drive — rather than an operational tool that could dramatically accelerate vulnerability response, regulatory compliance, and incident management. The prescription has been filled; it's just not being taken. To reframe the urgency, Bardenstein introduces the concept of the "transparency tax" — the hidden cost organizations pay in time, money, and risk when they build or buy opaque technology. Just as consumers demand ingredient labels on food, Carfax reports on used cars, and active ingredient disclosures on prescriptions, the technology sector needs to normalize the same transparency for software and AI. For organizations willing to do the math, the case for investing in supply chain visibility becomes not just a security argument, but a business one. Heading into RSAC 2026, Manifest will not have a booth but will be active across the conference floor, meeting with customers, partners, and prospects. Bardenstein will appear on an invite-only panel alongside leadership from Corridor Dev, 1Password, and Google to discuss secure software and secure AI. The team is also planning to announce new platform capabilities designed to close the governance gaps their research surfaced — helping organizations move fast without creating the kind of blind spots that make AI adoption a liability rather than an advantage. Tune in for this sharp, candid pre-event conversation — and look for the full on-location Brand Spotlight recorded live at RSAC 2026 in San Francisco. 🎙️ This story is part of the RSAC 2026 Coverage Series on ITSPmagazine, produced in partnership with...

Duration:00:21:55

The Business of Trust: What Steel Patriot Partners Is Watching at RSAC 2026 | A Brand Spotlight with Michael Parisi

3/13/2026
As RSAC 2026 approaches, Michael Parisi of Steel Patriot Partners sits down with Marco Ciappelli and Sean Martin to talk about what it means to show up to the world's largest cybersecurity conference with a business-first mindset. For Parisi — a 20-plus year veteran of professional services, federal compliance, and cybersecurity — RSA is less about the show floor and more about the quiet corners where real conversations happen. Steel Patriot Partners operates on a simple but powerful premise: business owners first, engineers second, compliance professionals third. That philosophy shapes everything from how they engage clients to how they show up at industry events. At RSAC, Parisi's calendar is already full — and intentionally so. The value isn't in the booths. It's in the bilateral trust that forms between peers who cut through the noise to share what's actually working. And the noise, this year, is particularly loud. AI dominates the conversation in ways that create as much anxiety as excitement — especially for federal cybersecurity professionals whose institutional knowledge feels suddenly uncertain. Parisi addresses this head-on: the question isn't just whether AI will replace jobs, it's whether leaders are having honest conversations with their teams about what's changing and why. The fog of marketing has thickened into what he calls a "fog of truth" — a marketplace where it's increasingly hard to know who actually delivers versus who just pitches well. This conversation is a preview of what Steel Patriot Partners will be listening for, talking about, and connecting around at RSAC 2026 — from retaining trusted people amid AI disruption, to whether tried-and-true solutions still hold their own against the wave of AI-native platforms. Parisi and the SPP team will also be sitting down with Marco and Sean live on the floor for a deeper follow-up conversation. Loved this conversation? 
Share it with someone heading to RSAC 2026 and make sure to connect with Michael Parisi and the Steel Patriot Partners team in San Francisco. GUEST Michael Parisi Chief Growth Officer, Steel Patriot Partners https://www.linkedin.com/in/michael-parisi-4009b2261/ https://www.steelpatriotpartners.com RESOURCES Steel Patriot Partners: https://www.steelpatriotpartners.com RSAC Conference 2026: https://www.rsaconference.com ✨ A special thank you to our sponsors and supporters: https://itspm.ag/telecom-ts630 _____________________________ Are you interested in telling your story? 👉 https://www.itspmagazine.com/telling-your-story

Duration:00:22:35

Adapting to the Speed of Risk: Why GRC Programs Must Move with the Business | A Brand Highlight Conversation with Steve Schlarman, Senior Director of Archer

3/11/2026
Archer is redefining what it means to manage governance, risk, and compliance in an environment defined by constant change. Steve Schlarman, Senior Director at Archer, has spent nearly two decades helping organizations understand why their traditional GRC approaches are falling short and what it takes to close the gap. The forces challenging organizations today are well known: velocity of change, volume of change, and the uncertainty that compounds both. What makes the problem acute is timing. Annual audit cycles and quarterly risk assessments produce reports that reflect a reality that has already shifted by the time decision makers see them. The result is drift between what GRC functions can see and what leadership actually needs to know, and every gap in that visibility carries potential exposure. Schlarman explains that this reactive posture is exactly what Archer is working to change. Rather than treating risk and compliance as periodic checkboxes, the goal is to build a program that runs continuously, projecting forward as the business expands into new jurisdictions, launches new products, or encounters emerging risks. What are the compliance obligations? How does exposure shift? Archer Evolv is designed to answer those questions in real time, keeping GRC moving alongside the business rather than scrambling to catch up. Central to Archer's strategy is AI applied with intention. Rather than deploying generic agents, Archer is building what Schlarman calls AI operators: focused, guardrailed tools designed specifically to solve GRC problems. That distinction matters because the complexity of risk and compliance work demands precision, not just automation. This is a Brand Highlight. A Brand Highlight is a ~5 minute introductory conversation designed to put a spotlight on the guest and their company. 
Learn more: https://www.studioc60.com/creation#highlight GUEST Steve Schlarman, Senior Director, Archer | https://www.linkedin.com/in/steveschlarman/ RESOURCES Learn more about Archer and the Archer Evolv platform: https://www.archerirm.com Are you interested in telling your story? ▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full ▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight ▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight KEYWORDS Steve Schlarman, Archer, Sean Martin, brand story, brand marketing, marketing podcast, brand highlight, GRC, governance risk and compliance, adaptive GRC, integrated risk management, Archer Evolv, AI in GRC, risk management, compliance automation, enterprise risk, risk and compliance strategy

Duration:00:06:30

Task by Task: The Workflows We're Handing to AI — One Decision at a Time | Lens Four by Sean Martin | Read by TAPE9

3/10/2026
Nobody decided to build a human-optional workflow — they just kept making reasonable procurement decisions, task by task, until the human became optional across hiring, contracting, finance, and security operations. Sean Martin traces what organizations have actually assembled, where accountability lives when it goes wrong, and why the regulatory window for getting ahead of it is closing faster than most leaders realize. In this edition of Lens Four, Sean Martin looks at the agentic AI landscape through three lenses — programs, innovation, and messaging — to connect the signals that matter. 🔍 In this episode: Fourth Lens: The vendors knew what they were building. The buyers didn't ask the right questions. The auditors haven't arrived yet. The organizations that use the remaining window to map what they've assembled — and make explicit decisions about what requires human judgment — will be positioned when the frameworks arrive. The ones that don't will discover that the workflow they built by default is not the workflow they would have chosen under scrutiny. 
📖 Read the full Lens Four analysis on seanmartin.com: https://www.seanmartin.com/lens-four/task-by-task-workflows-handing-to-ai-one-decision-at-a-time 🎧 Listen to the Redefining CyberSecurity Podcast conversation with Edward Wu of Dropzone AI at Black Hat USA 2025: https://www.itspmagazine.com/their-stories/dropzone-ai-brings-agentic-automation-to-black-hat-usa-2025-a-drop-zone-ai-pre-event-coverage-of-black-hat-usa-2025-las-vegas-brand-story-with-edward-wu-founder/ceo-at-dropzone-ai 🎧 Listen to the Redefining CyberSecurity Podcast conversation with Subo Guha of Stellar Cyber at RSAC 2025: https://www.itspmagazine.com/their-stories/simplifying-cybersecurity-operations-at-scale-automation-with-a-human-touch-a-brand-story-with-subo-guha-from-stellar-cyber-an-on-location-rsac-conference-2025-brand-story 🎧 Listen to the Redefining CyberSecurity Podcast conversation with Subo Guha of Stellar Cyber at Black Hat 2025: https://www.itspmagazine.com/their-stories/stellar-cyber-revolutionizes-soc-cybersecurity-operations-with-human-augmented-autonomous-platform-at-black-hat-2025a-stellar-cyber-event-coverage-of-black-hat-usa-2025-las-vegas 🎧 Listen to the Random and Unscripted episode — "We're Becoming Dumb and Numb" — with Sean Martin and Marco Ciappelli: https://randomandunscripted.com/episodes/were-becoming-dumb-and-numb-why-black-hat-2025s-ai-hype-is-killing-cybersecurity-and-our-ability-to-think-random-and-unscripted-weekly-update-with-sean-martin-and-marco-ciappelli | 🎬 Watch on YouTube 🔔 Subscribe to the Future of Cybersecurity newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence. 
Enjoy, think, share with others, and subscribe to Lens Four on seanmartin.com and "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity Sincerely, Sean Martin and TAPE9 Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️ Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-location To learn more about Sean, visit his personal website. 🔎 Keywords agentic AI, workflow automation, task-specific AI agents, AI hiring tools, resume screening automation, HireVue, Paradox Olivia, legal AI, Harvey AI, LegalOn, contract review automation, agentic SOC, Dropzone AI, Stellar Cyber, Token Security, AI agent...

Duration:00:28:56

Tackling Third-Party Risk and AI Security in Healthcare | A Brand Spotlight Conversation with Jason Kor, Principal of HITRUST | HIMSS 2026 Event Coverage

3/8/2026
Third-party risk is no longer a background concern for healthcare organizations -- it is a frontline challenge. Jason Kor, Principal at HITRUST, works on the company's third-party risk management team, helping enterprises understand the security risk embedded in their supply chains. The numbers tell a stark story: according to SecurityScorecard, 99% of the world's 2,000 largest companies are actively connected to a vendor that has experienced a breach in the past 18 months. And Verizon's Data Breach Investigations Report shows that the share of breaches tied to a third party has doubled year over year. HITRUST exists precisely to help organizations move from awareness to action. HITRUST will be at HIMSS 2026 in Las Vegas, March 9-12, at Booth 11307. Stop playing whack-a-mole with vendor risk -- step into the VR challenge and win prizes. For organizations already holding a HITRUST certification, the team has something else waiting: a trophy recognizing the commitment to independent, external audits and rigorous security standards. For those exploring certification for the first time, the booth is a chance to understand how HITRUST compares to alternatives like SOC 2 questionnaires -- and why scalability and risk reduction make it the stronger choice for supply chain assurance. Kor puts it plainly: the audits are time-consuming and expensive because they are effective. And at the end of the process, someone reads that report and makes real business decisions based on what it contains. Two major themes converge at this year's event: supply chain risk and AI. HITRUST has already launched an AI security assessment offering, and new CSF releases are on the horizon, including a report center feature enabling online review of assessments for anti-fraud and continuous monitoring purposes. 
On Tuesday, March 10, 2026, from 11:10 AM to 11:30 AM, Kor will deliver a 20-minute session titled "Understanding AI Security Risk -- The New Blind Spot in TPRM and Supply Chain Resilience." The session addresses a rapidly evolving challenge: as organizations build their own generative AI tooling -- or work with third parties that have integrated AI into their products -- questions around data sovereignty, input handling, and model provenance become critical, especially in healthcare where electronic health information is at stake. Also on the HIMSS 2026 agenda from HITRUST: Ryan Patrick, Executive Vice President of TPRM Customer Solutions, joins John P. Houston of UPMC and Chuck Christian of Franciscan Health for a Brunch Briefing titled "Building Secure, Compliant, and Resilient Healthcare Systems Together" on Tuesday, March 10, 2026, from 10:30 AM to 11:45 AM at Level 1, Casanova 505. The session offers practical strategies, frameworks, and real-world lessons for organizations looking to reduce risk, enhance protection, and advance trust in an evolving threat and regulatory landscape. This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. 
Learn more: https://www.studioc60.com/creation#spotlight GUEST Jason Kor, Principal, HITRUST https://www.linkedin.com/in/securityconsultantcissp/ RESOURCES HITRUST: https://hitrustalliance.net Jason Kor Session -- Understanding AI Security Risk -- The New Blind Spot in TPRM and Supply Chain Resilience (Tuesday, March 10, 2026, 11:10 AM - 11:30 AM): https://app.himssconference.com/event/himss-2026/planning/UGxhbm5pbmdfNDMyMTMxOA== Building Secure, Compliant, and Resilient Healthcare Systems Together -- Brunch Briefing (Tuesday, March 10, 2026, 10:30 AM - 11:45 AM): https://app.himssconference.com/event/himss-2026/planning/UGxhbm5pbmdfNDMzNzQwMQ== HIMSS 2026 Global Health Conference and Exhibition: https://www.itspmagazine.com/cybersecurity-technology-society-events/himss-global-health-conference-amp-exhibition-2026 Are you interested in telling your story? ▶︎ Full Length Brand Story:...

Duration:00:11:48

The 72-Minute Gap: What the Breaches, the Vendors, and the Messaging Are Actually Telling Us | Lens Four by Sean Martin | Read by TAPE9

3/4/2026
Attackers are moving in 72 minutes. One CISO has already eliminated the entire SOC team. And the industry is spending a quarter of a trillion dollars while struggling to define what "resilience" even means. In this edition of Lens Four, Sean Martin looks at the cybersecurity landscape through three lenses — programs, innovation, and messaging — to connect the signals that matter. 🔍 In this episode: Sean's Take: When attackers operate in minutes and defenders plan in quarters, the gap isn't technology — it's assumptions. The organizations closing the 72-minute gap aren't hiring faster. They're rethinking what humans are for and what machines should own. Catch the full companion article on Lens Four at seanmartin.com for the complete three-lens analysis with all references and data sources. For CISOs and security leaders: Can your program detect, investigate, and contain a threat in 72 minutes — or are you still measuring in days? For vendors and product teams: Is your platform solving the operational problem CISOs have today, or selling a vision their program can't execute on? For marketing and go-to-market teams: Are you connecting your messaging to measurable outcomes — or hiding behind buzzwords like "resilience" and "platform"? 
📖 Read the full Lens Four analysis on seanmartin.com: https://www.seanmartin.com/lens-four/72-minute-gap-breaches-vendors-messaging 🎬 Watch the companion video summary — "Why Hackers Beat Your Security in Just 72 Minutes": https://youtu.be/EjsADm7faJ0 🎧 Listen to the Redefining CyberSecurity Podcast conversation with Richard Stiennon on SOC automation: https://redefiningcybersecuritypodcast.com/episodes/soc-automation-and-the-ai-driven-future-of-cybersecurity-defense-a-redefining-cybersecurity-podcast-conversation-with-richard-stiennon-chief-research-analyst-of-it-harvest 🎬 Watch the video version of the Richard Stiennon conversation: https://youtu.be/si_fS4H-d3w 🔔 Subscribe to the Future of Cybersecurity newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence. Enjoy, think, share with others, and subscribe to Lens Four on seanmartin.com and "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity Sincerely, Sean Martin and TAPE9 Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️ Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-location To learn more about Sean, visit his personal website. 
🔎 Keywords 72-minute gap, ai-driven cyberattacks, soc automation, unit 42, incident response, identity-driven attacks, credential theft, iam misconfigurations, cisa workforce, agentic ai, palo alto networks, crowdstrike, google wiz acquisition, cybersecurity spending, platform consolidation, ai security vendors, it-harvest, richard stiennon, gartner cybersecurity trends 2026, forrester predictions, clawjacked, enterprise management associates, board-ciso communication, cybersecurity resilience, managed security services, cyber insurance, redefining cybersecurity podcast, lens four, sean martin, tape9

Duration:00:14:22

SOC Automation and the AI-Driven Future of Cybersecurity Defense | A Redefining CyberSecurity Podcast Conversation with Richard Stiennon, Chief Research Analyst of IT-Harvest

3/4/2026
⬥EPISODE NOTES⬥ The security operations center has always been a battleground of volume, velocity, and human endurance. Analysts have long faced the impossible math of too many alerts, too few hours, and too much at stake. For years, the industry promised automation would change that equation -- but the technology was never quite ready to deliver. That moment, according to Richard Stiennon, has now arrived. Stiennon, Chief Research Analyst at IT-Harvest, has spent two decades tracking every corner of the cybersecurity vendor landscape. His data now shows more than 61 net-new SOC automation vendors -- companies that did not exist a few years ago -- built from the ground up to replace the work of tier-one, tier-two, and tier-three analysts. Some of these vendors launched in January 2024 and reached $1 million in ARR by April. By the end of 2025, several were reporting $3 million ARR. These are not incremental improvements. They represent a structural shift in how security operations can be run. What makes this generation of SOC automation different from earlier SIEM and SOAR tooling is scope and autonomy. The value proposition is blunt: 100% alert triage, 24 hours a day, 7 days a week -- with automated case building, threat investigation, and response actions including machine isolation and reimaging. Stiennon points to a CISO he met, speaking under Chatham House rules, who disclosed that a large enterprise had already eliminated its entire human SOC team. He predicts that disclosure will go public before long. The conversation also explores the business context question that security leaders frequently wrestle with: are these AI-driven SOC tools operating with a narrow cyber mandate, potentially optimizing for security metrics at the expense of business continuity? 
Stiennon pushes back on that concern, arguing that large language models are already trained on the full breadth of human knowledge -- they understand business context at a level that exceeds most organizations' internal documentation. The more pressing risk, he suggests, is not that AI will act outside business intent, but that organizations will move too slowly to benefit. Waiting six months for a proof-of-concept report while spending a million dollars on human SOC operations is not due diligence -- it is opportunity cost. The conversation also touches on data privacy in AI-driven security, the role of federated learning and fully homomorphic encryption for compliance-sensitive environments, and what security leaders can do today to evaluate and accelerate their own adoption timeline. Stiennon will be at RSA Conference 2026 with his new book, Guardians of the Machine Age: Why AI Security Will Define Digital Defense, continuing to make the case for a field that is moving faster than most organizations are prepared to acknowledge. 
⬥GUEST⬥ Richard Stiennon, Chief Research Analyst at IT-Harvest | Website: https://it-harvest.com/ On LinkedIn: https://www.linkedin.com/in/stiennon/ ⬥HOST⬥ Sean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/ ⬥RESOURCES⬥ IT-Harvest | https://it-harvest.com/ Richard Stiennon on LinkedIn | https://www.linkedin.com/in/stiennon/ Guardians of the Machine Age: Why AI Security Will Define Digital Defense (Richard Stiennon) | Available via IT-Harvest and major booksellers RSAC Conference 2026 Coverage on ITSPmagazine | https://www.itspmagazine.com/rsac-2026-conference-san-francisco-usa-cybersecurity-event-infosec-conference-coverage The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/ More Redefining CyberSecurity Podcast episodes | https://www.seanmartin.com/redefining-cybersecurity-podcast Redefining CyberSecurity Podcast on YouTube | https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq ⬥ADDITIONAL INFORMATION⬥ On Podcast:...

Duration:00:26:10

Speaking Security with a Business Accent: Why Being Right Isn't Enough If Nobody Listens | A Redefining CyberSecurity Podcast Conversation with Josh Mason

3/3/2026
⬥EPISODE NOTES⬥ What happens when a cybersecurity professional knows exactly what's wrong but can't get anyone to act on it? It's a problem that affects security teams across every industry, and it's the central question driving Josh Mason's new book, Speaks Security with a Business Accent. In this conversation, Josh Mason joins Sean Martin to unpack why technical accuracy alone doesn't move the needle and what it takes to communicate security in terms the business actually understands. Josh Mason brings a perspective shaped by years as an Air Force pilot and cyber warfare officer, where mission-first thinking wasn't optional, it was survival. As a safety officer, he studied aircraft mishaps, analyzed black box recordings, and learned that risk awareness doesn't mean risk paralysis. The same philosophy, he argues, applies to cybersecurity: teams can acknowledge risk without letting fear of failure prevent them from supporting the mission. Drawing from books like Dale Carnegie's How to Win Friends and Influence People, The Phoenix Project, and The Goal, Josh Mason structured his own book as a narrative, telling the story of a CIO who transforms a disconnected security team into one that communicates effectively with colleagues, leadership, the board, and eventually beyond the organization. A recurring theme in this conversation is the danger of perfection as the enemy of progress. Josh Mason uses the Iron Man analogy of building an imperfect prototype, flying it, learning from the failure, and iterating, to argue that security teams need to embrace a similar mindset. DevOps teams have already adopted this approach, and security can learn from it. Inaction for perfection's sake, he warns, isn't going to get anyone anywhere. The conversation also examines whether the cybersecurity industry does enough to learn from its own incidents. 
Unlike aviation, where the FAA and NTSB mandate rigorous post-incident analysis, cybersecurity lacks a centralized authority enforcing that same discipline. Organizations like MITRE, Verizon, and Mandiant publish valuable trend reports, and the data is there for those willing to use it, but it ultimately comes down to individual responsibility and leadership within each organization. For anyone who has ever felt technically right but strategically sidelined, this conversation offers a practical lens on bridging the gap between what security teams know and what the business needs to hear. ⬥GUEST⬥ Josh Mason, Author of Speaks Security with a Business Accent | Air Force Veteran, Cybersecurity Professional, and Founder of Noob Village | Website: https://www.mason-sc.com | On LinkedIn: https://www.linkedin.com/in/joshuacmason/ ⬥HOST⬥ Sean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/ ⬥RESOURCES⬥ Speaks Security with a Business Accent by Josh Mason | https://www.mason-sc.com The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/ More Redefining CyberSecurity Podcast episodes | https://www.seanmartin.com/redefining-cybersecurity-podcast Redefining CyberSecurity Podcast on YouTube | https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq ⬥ADDITIONAL INFORMATION⬥ Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact ⬥KEYWORDS⬥ josh mason, sean martin, speaks security with a business accent, cybersecurity communication, 
business alignment, penetration testing, risk management, air force cybersecurity, security leadership,...

Duration:00:31:47


New Book: Climate Capital — Investing in the Tools for a Regenerative Future | An Interview with Tom Chi | An Analog Brain In A Digital Age With Marco Ciappelli

3/1/2026
What if the economy isn't broken — just badly designed? Tom Chi, Google X founding member, inventor of 77 patents, and venture capitalist at At One Ventures, joined me on An Analog Brain In A Digital Age to discuss his new book Climate Capital: Investing in the Tools for a Regenerative Future. From the streets of Florence to the strip malls of Silicon Valley, from the mechanics of attention capture to the physics of ecological economics, this conversation goes far beyond climate. It's about how we design the systems we live inside — and whether we have the will to redesign them before it's too late.

Tom Chi has worked on things that changed the world. Microsoft Office. Web search. The self-driving car. Google Glass. He'll tell you himself that not all of them were hits, and he's fine with that — that's what it means to be an inventor. But what he's working on now is different in scale from anything before. Not a product. Not a platform. A redesign of the global economy. His new book, Climate Capital: Investing in the Tools for a Regenerative Future, starts from a premise that sounds radical until you think about it for more than a few minutes: economics is a design discipline. And right now, it's poorly designed. Not maliciously — poorly. We built systems optimized for short-term capital extraction, and we're living with the consequences. The question Tom is asking is whether we can redesign them before those consequences become irreversible. He didn't get there through ideology. He got there through Florence. Tom was auditing sustainable MBA courses alongside his partner when he was invited to a conference in Italy. He landed, got a day off, wandered the streets — and something clicked. The entire city is built from sustainable materials. 
And it's one of the most beautiful places on earth. That moment demolished an assumption he didn't even know he was carrying: that sustainable living means downgrading. Florence is a 2,000-year-old counterexample to every joke about Birkenstocks and cold showers. We knew how to do this. We just forgot. Which brings us to the first big thread of our conversation: the pattern of forgetting. We talked about this in the context of technology, not history. Specifically, how the shift from software you paid for to software supported by advertising quietly changed everything. When you pay for a tool, the goal is to make it better. When the tool is supported by advertisers, the goal is to keep you inside it as long as possible. Clippy used to annoy us because it interrupted our train of thought. Now interrupting our train of thought is the entire business model. Tom has a phrase for what's happening at scale: cognitive despoiling. We spent the 20th century strip mining the physical resources of the planet. We're spending the 21st century strip mining the cognitive resources of humanity. There's a finite number of coherent thoughts this civilization can produce. And we're burning through them — with misinformation, amygdala triggers, and dopamine loops — the same way we burned through forests and waterways. The damage is invisible because it's underwater, like ocean trawling. But it's real. And it compounds across generations. This is where I had to push back a little. Because I grew up in Florence. I made the jump to digital. I love my vinyls and I love my streaming library. I'm part of the contradiction he's describing. And I asked him: given all this, where do you even start? His answer is the most practical thing I've heard in a long time. Start with physical businesses. The ones actually causing most of the damage — to water, soil, air, biodiversity. 
And here's the part that almost nobody is talking about: 90% of the cost structure of a physical business already aligns...

Duration:00:52:15


Asteroid Mining | Stories From Space Podcast With Matthew S Williams

2/28/2026
Host | Matthew S Williams For more podcast Stories from Space with Matthew S Williams, visit: https://itspmagazine.com/stories-from-space-podcast ______________________ Episode Notes Asteroid Mining: The Promise, the Problems, and the Philosophy Asteroid mining is one of those ideas that cycles in and out of public fascination — generating enormous excitement, then fading when people realize it won't happen within the next news cycle. But the concept never truly disappears, and for good reason. Near-Earth asteroids, numbering in the millions, contain staggering quantities of precious metals, rare earth elements, and water ice. Ironically, those same materials — iron, gold, platinum, nickel, and dozens of others — were originally delivered to Earth by asteroids during the Late Heavy Bombardment period some four billion years ago. We're essentially talking about going back to the source. The three main asteroid types — carbonaceous (C-type), silicate (S-type), and metallic (M-type) — each offer distinct resources. Beyond metals, the abundance of water ice in the solar system could relieve pressure on Earth's increasingly stressed freshwater supply and fuel deep-space missions. Philosophically, the implications are profound. Thomas More and Nietzsche both wrestled with why scarcity drives human value systems. Flood the market with space-borne metals and the entire economic architecture built on scarcity begins to crumble. Orwell saw it too — abundance erodes hierarchy. The first trillionaires born from asteroid mining might find their wealth meaningless almost immediately after making it. But the darker scenarios deserve equal attention. Redistributing consumption off-world doesn't eliminate it. Space debris, environmental degradation beyond Earth, and the very real risk of exploitative labor structures in off-world operations — echoes of colonialism and indentured servitude — are not science fiction. They're logical extensions of human patterns. 
The enthusiasm may ebb and flow, but asteroid mining remains an inevitable chapter in humanity's story. The real question is what kind of story we choose to write around it.

Duration:00:27:15


Do You Know What's In Your Software? A Cybersecurity Story with Manifest Cyber | A Brand Highlight Conversation with Daniel Bardenstein, Co-Founder at Manifest Cyber

2/26/2026
There is a question that sounds almost embarrassingly simple. After a vulnerability is discovered in a piece of widely used software — something like Log4Shell, which shook the security world and left hundreds of thousands of organizations exposed overnight — the question organizations scrambled to answer was this: where is this code, and what does it touch? Most couldn't answer it. Not the Fortune 500 companies. Not the government agencies. Not the critical infrastructure operators. Not the hospitals or the banks or the utilities. They had built and bought mountains of software over years and decades, and when the moment came to understand what was actually inside it, they were effectively blind. That gap is exactly what Daniel Bardenstein set out to close when he co-founded Manifest Cyber in 2023. And in a conversation on ITSPmagazine's Brand Highlight series, he made a case for technology transparency that is hard to argue with — not because it's technically complex, but because the analogy he draws is so strikingly obvious once you hear it. "If you want to buy a house, you get to go inside the house, do the home inspection," he said. "You want to buy food from the grocery store — you can look at the ingredients. Even our clothes tell you what they're made of, how to care for them, and where they're from." But software? The technology running hospital MRI machines, weapon systems, financial infrastructure, water delivery? No transparency required. No ingredient label. No inspection rights. Just trust. That trust, as Log4Shell demonstrated, is a vulnerability in itself. Bardenstein came to this problem with credentials that few founders in the space can claim. Before starting Manifest, he spent four and a half years in the US government leading large-scale cyber programs and serving as technology strategy lead at CISA — the Cybersecurity and Infrastructure Security Agency. 
He saw firsthand how defenders are perpetually at a disadvantage, operating without the basic visibility they need to do their jobs. His mission became building the tools to change that. The problem, he's quick to point out, has not improved in the years since Log4Shell. Software supply chain attacks have multiplied — XZ Utils, NPM Polyfill, and others following the same pattern: trusted software becomes the attack vector, and it spreads fast. Meanwhile, most security teams are still operating with SCA tools that generate noisy, overwhelming alerts and vendor risk programs built on Excel spreadsheets and questionnaires rather than actual empirical data about the security of what they're buying. "Security teams have a false sense of security," Bardenstein said. The gap between what organizations think they know and what they actually know about their software supply chains remains dangerously wide. Manifest Cyber addresses this across the full lifecycle. For organizations that build software, the platform maps every open source dependency, assesses it for risk, and ensures developers can write more secure code without losing velocity. For organizations that buy software — which is everyone — it finds risks before procurement, then continuously monitors every third party component so that when something breaks, they know the blast radius in seconds, not weeks. The timing matters. Regulation is catching up to the problem. The EU AI Act, the Cyber Resilience Act, and a growing body of global policy are beginning to demand exactly the kind of software supply chain transparency that Manifest is built to provide. Organizations that wait to build this capability will find themselves scrambling to comply — those that build it in now will have it as a competitive advantage. The ingredient label for software has always been missing. Manifest Cyber is writing it. 
________________________________________________________________ Marco Ciappelli interviews Daniel Bardenstein, CEO & Co-Founder of Manifest Cyber, for ITSPmagazine's Brand Highlight...

Duration:00:06:42