Kitecast

Most organizations are racing to adopt AI without considering the security implications. Justin Greis, former leader of McKinsey's cybersecurity practice and founder of an AI-powered consulting firm Acceligence, explains why this approach creates risk and how security leaders can change the conversation. Companies are deploying AI at different maturity levels. Some distribute AI tools to business units and wait for use cases to emerge. Others push boundaries with advanced algorithms. Few consider the associated risks. The right stakeholders often aren't in the room when AI decisions are made, either because organizations want to move fast or because security teams are underfunded and focused on daily operations. Technology companies are making AI capabilities available at unprecedented speeds, leaving organizations uncertain about securing and deploying these tools responsibly. Security should be the foundation of trust, not an afterthought. McKinsey research found that customers make buying decisions based on product security when companies can demonstrate testing and rigor. A secure, certified product materially influences purchasing choices compared to alternatives without visible security standards. Greis emphasizes that compliance certifications like SOC 2 or ISO represent minimum requirements, not security maturity. Organizations secure enough to meet business objectives naturally achieve compliance. The goal is translating business initiatives into security requirements that exceed baseline standards. The Chief Information Security Officer position has shifted from back-office administrator to business enabler. AI has accelerated this change by converging infrastructure, technology, and cybersecurity into unified platforms. CISOs now have opportunities to demonstrate how they understand business context and can help organizations move faster and safer. The challenge for security leaders is communication and relationship building. Years of underfunding forced CISOs to focus on survival rather than strategy. As security functions reach parity with other departments, more leaders can engage at the executive and board level. This shift requires CISOs to develop storytelling skills that contextualize security metrics for business audiences rather than overwhelming boards with technical details. As AI agents begin making decisions without human oversight, organizations face new risks. The push to remove humans from decision loops creates efficiency but introduces vulnerabilities, particularly when AI accesses data it shouldn't process or makes decisions affecting vulnerable populations. Companies need frameworks to identify where human oversight remains necessary and mechanisms to monitor those boundaries. Organizations implementing AI successfully have thought through secure development lifecycles, DevSecOps, and product operating models. Those starting from scratch face larger organizational changes to incorporate security, privacy, and responsible AI practices into development workflows. LinkedIn: https://www.linkedin.com/in/justingreis/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Kevin Powers, Faculty Director of the Masters of Legal Studies in Cybersecurity Risk and Governance at Boston College Law School, began his professional and academic journey when he volunteered for a task force exploring cybersecurity education at Boston College. Rather than developing a purely technical curriculum, he advocated for an interdisciplinary approach that would integrate law, business, and risk management. "Cybersecurity is not just a technical issue," Powers explained during the podcast episode. Working with stakeholders from the White House, FBI, major financial institutions, and technology companies, the team built a curriculum designed to produce well-rounded cybersecurity professionals. The program launched in 2015 and recently transitioned to BC Law School, offering 10 courses taught entirely by practitioners actively working in the field. Students include FBI agents, financial compliance officers, and executives from Fortune 50 companies, with an average age of 33. A central theme of Powers' program is bridging the communication divide between technical teams and business leadership. With recent SEC regulations and requirements like New York's DFS Part 500 mandating board-level cybersecurity oversight, organizations need professionals who understand both technical controls and business implications. "Boards are recognizing cybersecurity as a core business function," Powers noted, emphasizing that every company operating on networks faces operational risk when systems go down. The program prepares students to communicate cyber risk in business terms and develop governance frameworks aligned with regulatory requirements like CMMC 2.0, FedRAMP, and the NIST Cybersecurity Framework. The program has evolved rapidly to address artificial intelligence governance. Powers redesigned his coursework after discovering AI tools could complete assignments in minutes, shifting 70% of grading to oral presentations that emphasize critical thinking over output. Looking ahead, Powers identified cloud security and data sovereignty as critical concerns. Many organizations mistakenly believe SaaS platforms automatically back up their data, leaving them vulnerable during incidents. The CDK Global attack on car dealerships illustrated how unprepared businesses can be when cloud services fail. Beyond academics, Powers emphasizes creating networks. Graduates maintain connections with government agencies, financial institutions, and technology companies, facilitating collaboration across sectors. The program hosts the annual Boston Conference on Cybersecurity, which draws hundreds of attendees including CISOs from major sports franchises and law enforcement leaders. For organizations navigating increasingly complex regulatory landscapes, Powers' message is clear: cybersecurity expertise must extend beyond technical skills to encompass governance, compliance, and strategic business alignment. As cyber threats evolve, professionals need frameworks like NIST to demonstrate reasonable security practices to regulators while protecting operational continuity. LinkedIn: https://www.linkedin.com/in/kevin-powers-54893a8/ Boston College School of Law: https://www.bc.edu/bc-web/schools/law.html Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Cybersecurity experts Heather Noggle and Dr. Arun DeSouza discussed Kiteworks' Data Security and Compliance Risk: 2025 Annual Survey Report, which introduces the industry's first quantitative risk scoring algorithm. The comprehensive study of 461 organizations reveals that 46% now operate in high- to critical-risk territory, with the median enterprise scoring 4.84 on a 10-point scale—dangerously close to the high-risk threshold of 5.0. The experts analyzed a counterintuitive finding about third-party risk management: Organizations managing 1,001-5,000 external partners face the highest security risk (average score 5.19), surpassing enterprises with over 5,000 third-party relationships. Dr. DeSouza explained this "danger zone" phenomenon: "By nature, managing over 5,000 means you're a much bigger organization with more resources ... Many times you've got a platform-based approach." These larger enterprises can monitor risks in real time, while mid-sized partner ecosystems struggle with enterprise-level complexity on mid-market budgets—resulting in 24% experiencing 7+ annual security incidents. Industry-specific findings revealed surprising risk disparities. Energy topped the risk charts due to legacy IoT devices and 30-year-old technologies vulnerable to exploitation. Technology ranked second, which Noggle attributed to the "overconfidence factor" and rapid employee turnover. "Tech companies are losing people so fast, they want to implement things so fast. That to me is a perfect storm," DeSouza noted. Conversely, heavily regulated sectors like life sciences demonstrated lower risk scores due to compliance-driven security investments. The report exposed a dangerous "confidence paradox" where organizations claiming to be "somewhat confident" in data governance showed 19% higher risk scores than those acknowledging uncertainty. "Without governance you can't manage," Noggle emphasized, adding that overconfidence breeds complacency in rapidly evolving threat landscapes. AI governance emerged as a critical vulnerability. While 64% of enterprises track AI-generated content (up from 28% in 2024), only 17% have deployed technical governance frameworks. The stakes are high—the IBM Cost of a Data Breach Report found that 97% of AI-related breaches lacked proper controls, with AI breaches costing $670,000 more than average. DeSouza warned about inherited risks like "Echo Leak," a zero-click vulnerability exploiting AI's use of historical data, demonstrating that organizations must secure not just AI models but their entire operational environment. Poor data visibility creates cascading failures: Organizations unable to count their third parties showed 46% correlation with unknown breach frequency, while 31% of those with 5,000+ partners take over 90 days to detect breaches. As Noggle noted, "If we're back at identify and we're at detect, detect should not be that difficult if identify is done well." Heather Noggle LinkedIn: https://www.linkedin.com/in/heathernoggle/ Arun DeSouza LinkedIn: https://www.linkedin.com/in/arundesouza/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Dr. Rick Goud brings a unique perspective to the data sovereignty conversation, combining medical informatics expertise with entrepreneurial technology innovation. As co-founder and Chief Innovation Officer of Zivver, a secure digital communications platform acquired by Kiteworks in 2024, Goud's journey began with an unexpected twist – missing out on medical school in the Netherlands' lottery system led him to medical informatics, where he discovered his passion for solving healthcare's data security challenges. His background as a strategy consultant in healthcare, where he witnessed firsthand the alarming frequency of sensitive patient data being shared through insecure channels, sparked his mission to create solutions that balance robust security with user-friendly functionality. The podcast reveals a fundamental tension in European data sovereignty: While Europe boasts the world's strongest data protection laws like GDPR and the upcoming EU Data Act, organizations remain heavily dependent on foreign cloud infrastructure. Goud explains that the challenge extends beyond mere infrastructure – it's the absence of true European alternatives for essential software services that creates vulnerability. He highlights recent incidents, including a French Microsoft executive's court admission that Microsoft cannot prevent U.S. government access to data without customer notification, and the shocking case of a Dutch criminal court judge whose email was blocked by Microsoft at the behest of American authorities. These examples underscore how data sovereignty encompasses not just data protection, but also continuity of service and freedom from foreign interference. When addressing the economic realities of data sovereignty, Goud advocates for a pragmatic, risk-based approach rather than wholesale abandonment of U.S. cloud services. He emphasizes that organizations should start by identifying their specific risks – whether it's human error (the leading cause of data breaches), email interception, weak passwords, or phishing attacks. The solution often lies in implementing encryption layers where organizations maintain control of their own keys, effectively rendering data unreadable even if accessed by unauthorized parties. This approach allows organizations to continue using familiar tools like Microsoft 365 and Gmail while adding crucial security layers for sensitive information, avoiding the massive costs and behavioral changes required by complete infrastructure migration. The conversation concludes with practical advice for organizations beginning their data sovereignty journey. Goud recommends starting with "low-hanging fruit" – simple security measures that can be implemented quickly, such as activating DANE (DNS-based Authentication of Named Entities) for email encryption, which despite being available for a decade, sees adoption rates of only 15% to 20%. He stresses the importance of email and file security as the primary risk points where data leaves organizational boundaries. Rather than embarking on multi-year infrastructure overhauls, organizations should focus on immediate, achievable improvements while building partnerships with trusted vendors and peer organizations facing similar challenges. This collaborative approach ensures organizations aren't navigating the complex data sovereignty landscape alone. LinkedIn: https://www.linkedin.com/in/rickgoud/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Scott McCrady's path to becoming CEO of SolCyber started in the server rooms of the early 2000s. Back then, he was installing Nokia security appliances and building some of the first security operations centers for major corporations. McCrady spent years at companies like Symantec and FireEye, where he learned that keeping businesses safe requires more than just technical know-how. He built Symantec's security services across Asia Pacific, managing teams in multiple countries and learning how different businesses approach security challenges. Later at FireEye, he helped launch their partner strategy during the rise of nation-state attacks. Today, he runs SolCyber with a simple mission: help companies protect themselves from identity-based attacks that bypass traditional security tools. McCrady explained something that might surprise you: hackers don't break into networks the way they used to. Twenty years ago, they looked for open ports and vulnerable servers. Ten years ago, they targeted employee laptops and phones. Today? They steal usernames and passwords, especially administrative accounts. Insurance companies tell McCrady that nine out of ten breaches happen because someone's login credentials got compromised. The problem gets worse because IT teams often give employees more system access than they need. Why? Because it's easier than figuring out the exact permissions each person requires. McCrady shared a real example: a company with 500 employees had over 70 administrative accounts. Some hadn't been used in nine months, then suddenly started browsing the internet—a clear sign that hackers had taken control. McCrady works with organizations that can't answer simple questions like "Where are all our security logs stored?" or "Who can access our customer data?" These aren't startups or small businesses—these are established companies with IT departments and security budgets. They have data scattered across different systems, some going to one security vendor, some to another, and some not being monitored at all. While vendors push artificial intelligence and machine learning solutions, most businesses just need help organizing what they already have. As McCrady put it, they need to get their house in order before worrying about advanced threats. So what actually works? McCrady keeps it simple with five must-haves. First, turn on multi-factor authentication everywhere, even though software companies charge extra for it. Second, add email security beyond what Microsoft or Google provides because business email compromise is how most attacks start. Third, install endpoint detection software that catches modern malware. Fourth, run security awareness training so employees recognize phishing emails (and to keep your cyber insurance valid). Fifth, buy cyber insurance now while it's affordable. McCrady's company, SolCyber, packages these essentials into what they call "foundational coverage"—basically, outsourced security for businesses that need protection but can't afford a full security team. For larger companies, they handle the complex stuff like managing security logs from dozens of systems and responding to attacks in real-time. LinkedIn Profile: https://www.linkedin.com/in/scottmccrady/ SolCyber Website: https://solcyber.com/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

This Kitecast episode features Chris Pogue, Director of Digital Forensics at CyberCX, a cybersecurity veteran with 25 years of experience. Chris brings unique insights from his extensive background spanning penetration testing, executive leadership, and military instruction. As an adjunct professor at Oklahoma State University, he teaches both international business and digital forensics, emphasizing the critical importance of communication between technical and non-technical stakeholders. Chris introduces CyberCX as "the biggest cybersecurity company you've never heard of"—a pure-play security firm with 1,500 professionals globally. Founded in Australia through the acquisition of 24 boutique security firms, CyberCX stands apart by focusing exclusively on cybersecurity expertise without the distractions of hardware sales or software development. With specialized teams including 200 penetration testers and 40 incident responders, they offer comprehensive security solutions tailored to each client's unique risk profile. The conversation reveals alarming trends in the threat landscape, including the surprising resurgence of SQL injection attacks targeting forgotten systems and unpatched vulnerabilities. Chris explains that once an exploit is announced, threat actors typically begin targeting it within 24 to 48 hours, yet organizations often take 60 to 90 days to implement patches. The podcast also explores how ransomware tactics are evolving from simple data encryption to targeting operational technology and critical infrastructure, creating more leverage by disrupting business continuity rather than just threatening data exposure. Third-party risk management emerges as a critical concern, with Chris noting that the traditional "castle and moat" security model has become obsolete in today's interconnected business environment. He describes how Business Email Compromise attacks frequently move laterally across supply chains, with compromised trusted partners becoming vectors for invoice fraud and malware distribution. The conversation also touches on the emerging role of AI in creating more convincing phishing campaigns and voice synthesis attacks. Drawing on decades of experience, Chris offers this compelling perspective on security investment: "In my career, I have yet to find an organization who under-invested in cybersecurity and was thankful that they did later." With data breach costs averaging $4.5 million globally and $9 million in the United States, the economic argument for proactive security becomes increasingly clear. Don't miss this eye-opening discussion on the frontlines of cybersecurity defense. LinkedIn Profile: https://www.linkedin.com/in/christopher-pogue-msis-6148441/ CyberCX: https://cybercx.com/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

In this insightful episode, cybersecurity experts Mike Crandall and Arun DeSouza join host Patrick Spencer to analyze Kiteworks' Top 11 Data Breaches in 2024 Report. Rather than just focusing on the number of records breached, the report introduces a sophisticated algorithm with seven key factors to score breaches on a scale of 1-10. This method provides a more comprehensive understanding of breach severity by evaluating financial impact, data sensitivity, regulatory compliance implications, ransomware involvement, supply chain impact, and attack vector sophistication. National Public Data topped the list with a score of 8.93, followed by Change Healthcare and Ticketmaster, both scoring 8.7. A significant finding discussed by the experts is the shift in industry targeting patterns, with financial services overtaking healthcare as the most breached sector. The conversation emphasizes how credential theft continues to plague organizations despite sophisticated controls. Five of the top 11 breaches resulted from credential compromises, including attacks that bypassed multifactor authentication. Arun highlights that despite years of security awareness training, approximately 25% of incidents remain attributable to human error. He warns of the growing sophistication of social engineering with AI-generated phishing that will soon include voice modulation and deepfakes, making attacks increasingly difficult to detect. Mike recommends leveraging AI defensively to detect anomalous behaviors that humans might miss. Both experts stress the critical importance of data protection and classification. Arun advocates for AI-powered data characterization and governance platforms that can proactively identify sensitive information requiring protection. Mike emphasizes the need for proper data classification, noting that organizations often struggle to differentiate between critical and non-critical data. He recommends data minimization strategies including cold storage for inactive data to reduce the potential attack surface. The experts agree that building enterprise-wide risk awareness requires collaboration across departments rather than treating security as an isolated IT function. The panel concludes that organizations must prioritize zero-trust architecture implementation, adopt data minimization strategies, and enhance incident response capabilities. Arun frames this as a comprehensive coalition of "people, process, and technology safeguards all working together." Mike adds a sobering perspective for businesses that might not see themselves as targets: "These weren't the 11 hacks of 2024. These were the top hacks... there are literally hundreds of thousands, if not millions more. And that's you." Top 11 Data Breaches in 2024 Report: https://www.kiteworks.com/top-data-breaches-report Arun DeSouza LinkedIn: https://www.linkedin.com/in/arundesouza/ Mike Crandall LinkedIn: https://www.linkedin.com/in/crandallmike/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

This insightful Kitecast episode features Dominic Bowen, Partner and Head of Strategic Advisory at 2Secure in Stockholm, Sweden. With over 20 years of experience supporting business leaders, boards, and executives, Dominic brings valuable perspective from his work across cybersecurity, generative AI, risk management, and crisis response. His background spans strategic leadership positions in humanitarian organizations, military service with Special Operations Command, and law enforcement—providing him unique insights into risk management across diverse environments. Many risks facing organizations today are predictable, not "black swan" events. Dominic emphasizes that effective risk management begins with understanding the business environment before identifying, analyzing, and mitigating threats. Companies that neglect this approach face potential disruptions, as demonstrated by European and North American businesses that expanded into China without adequate risk assessment or those slow to withdraw from Russia after its invasion of Ukraine. Businesses must recognize that events like inflation spikes, terrorist attacks, or regional conflicts aren't unpredictable—proper planning and preparation can help organizations navigate these challenges. Cybersecurity represents one of the most pressing concerns for business leaders globally. Dominic notes that cyber threats have evolved into warfare weapons, with European officials warning businesses and citizens to prepare for heightened threats. This reality is demonstrated by the Russian attacks on Ukrainian financial institutions before the 2022 invasion and ongoing attacks against energy infrastructure throughout Europe. For businesses, this necessitates not just regulatory compliance but leveraging security frameworks as competitive advantages that enable boards and executives to move forward confidently despite increasing threats. Artificial intelligence offers transformative benefits for risk management—when properly implemented. Organizations can gain significant advantages through AI-powered predictive analytics, automated threat detection, improved decision-making capabilities, and scenario development. Those organizations leveraging AI for fraud detection, identifying insider threats, and recognizing suspicious transactions position themselves ahead of competitors who fail to adopt these tools. Effective risk management requires methodical approaches regardless of organizational context. Whether operating in conflict zones, developing humanitarian responses, or expanding business operations, Dominic emphasizes that the process remains consistent: understand the environment before attempting to identify or mitigate risks. Organizations that invest time in thoroughly understanding cultural, linguistic, political, and historical contexts before implementing risk mitigation strategies achieve substantially better outcomes. LinkedIn Profile: https://www.linkedin.com/in/dominic-bowen/ 2Secure: https://2securecorp.com/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Arun DeSouza, the Managing Director at Profortis Solutions, brings over two decades of experience as a CISO, having developed and implemented award-winning programs in identity lifecycle management and IoT security. His impressive career includes induction into the CISO Hall of Fame by the Global Cyber Startup Observatory and recognition as a top CISO by Cyber Defense Magazine. Arun’s expertise, combined with his academic background—a Ph.D. in Chemical Engineering from Vanderbilt—offers listeners a unique perspective on navigating today’s complex cybersecurity landscape. From Chemical Engineering to Cybersecurity Leadership Arun’s journey into cybersecurity is as unconventional as it is inspiring. Initially trained as a chemical engineer, he transitioned to cybersecurity through hands-on experience and a fearless approach to problem-solving. Faced with the challenge of managing global security for a French company, Arun built a strategic plan that not only upgraded systems but also delivered significant savings. His approach, which he calls the “power of federation,” involved collaborating with partners for discounted pricing and consolidating resources. Navigating Cybersecurity Threats: IoT, Ransomware, and AI Arun sheds light on the evolving cybersecurity threat landscape, particularly the rapid proliferation of IoT devices. With an estimated 75 billion IoT devices by 2025, the risks associated with insecure software, vulnerable cloud communications, and expanded attack surfaces are more significant than ever. He highlights specific challenges in manufacturing and OT security, where ransomware and supply chain attacks can cripple operations. Arun also warns of the impending threat of AI-powered supply chain attacks, which could amplify the scale and sophistication of breaches. His insights reinforce the need for robust data governance and the adoption of Zero Trust security models to mitigate these risks effectively. Critical Role of Identity Management and Leadership Central to Arun’s security philosophy is the concept of identity access management (IAM) as a strategic cornerstone. He introduces the idea of the “identity coin,” which blends physical security (person, device, location) with logical security (attributes, behavior, context). Arun emphasizes that security is not just about technology but also about strong leadership and communication. He advises CISOs to build relationships with senior leaders, use storytelling to convey risks, and align security initiatives with business objectives. His analogy of the CISO as the “captain of the good ship cyber” encapsulates his forward-thinking approach to navigating cybersecurity challenges. Technical Acumen and Strategic Vision Arun’s expertise and leadership offer actionable insights for anyone looking to strengthen their cybersecurity strategy. His forward-thinking approach to risk management, identity governance, and embracing change provides a valuable blueprint for both cybersecurity professionals and business leaders. LinkedIn: https://www.linkedin.com/in/arundesouza/ Profotis Solutions: https://profortissolutions.com/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

With over two decades of experience in the cybersecurity domain, Chad Lorenc stands as a prominent voice in cloud security and enterprise security strategy. Currently serving as a security leader at Amazon Web Services (AWS), Chad has contributed significantly to advancing cloud architecture best practices and building robust security frameworks for some of the world’s most dynamic organizations. In this insightful Kitecast episode, Chad shares his expertise on cloud security, the evolving role of CISOs, and the integration of artificial intelligence (AI) into enterprise security strategies. Evolution of Cloud Security: From Apprehension to Opportunity In the early days of cloud adoption, organizations often hesitated to migrate their operations due to concerns over security and control. Chad reflects on this initial apprehension and explains how the cloud security paradigm has matured over the years. Many companies attempted to replicate on-premises security models in the cloud, often facing challenges with patching, incident management, and compliance. Cloud environments require unique security approaches, with a focus on building specific controls and aligning them with broader security operations and compliance requirements. CISOs: Leading the Charge in Cloud and AI Adoption A recurring theme in the podcast is the critical role of CISOs in driving cloud and AI strategies. Chad offers valuable advice to CISOs, encouraging them to lead cloud adoption initiatives rather than being pulled into projects at the last minute. He highlights the tangible security benefits of cloud environments, such as the ease of implementing encryption and other advanced security controls. By taking a proactive approach, CISOs can not only enhance security but also achieve cost savings and operational efficiencies. Embracing AI and Navigating Regulatory Challenges As organizations increasingly integrate AI into their operations, compliance and security become critical considerations. Chad discusses how the shift to data lakes and the acceleration of AI adoption have transformed cloud security conversations from traditional security measures to compliance and audit readiness. The conversation also touches on the complexities of shadow AI—where unsanctioned AI tools are used within companies—and how security leaders can address these challenges by aligning internal strategies with business demands. In addition, Chad sheds light on the regulatory landscape, including the growing importance of FedRAMP compliance for federal clients and the balance between rapid cloud innovation and regulatory adherence. Charting the Future of Cloud Security with Chad Lorenc The podcast concludes with Chad’s forward-looking perspective on the evolving cybersecurity landscape. He believes that while AI remains a dominant topic, true innovation lies in optimizing security operations and embracing technologies that drive business outcomes. Chad sees an emerging trend where CISOs are not only security experts but also strategic business leaders who contribute to overall organizational success. His parting advice to security professionals is clear: embrace new technologies like AI and cloud solutions with a strategic mindset to remain relevant and impactful. LinkedIn: https://www.linkedin.com/in/chadlorenc/ Amazon Web Services: https://www.linkedin.com/company/amazon-web-services/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Unveiling AI, Data Security, and Innovation Howard Holton, the Chief Technology Officer of GigaOm, explores some of the most pressing topics in technology today. With over two decades of experience spanning roles as CTO, CISO, CIO, and consultant, Howard brings a wealth of knowledge to the conversation. His background includes leadership positions at Rheem Manufacturing, Hitachi Vantara, and Precision Discovery, where he honed his expertise in digital transformation, data science, and operational strategy. At GigaOm, Howard combines his technical acumen with a passion for helping organizations navigate the complexities of modern technology landscapes. Generative AI: Hype vs. Reality The conversation delves into the rapid rise of generative AI (GenAI) and the realities beyond the hype. Howard explains how businesses are grappling with this transformative technology, which, while promising, is rife with complexities. Many organizations rushed into adopting AI without fully understanding its implications, leading to inefficiencies and unexpected risks. He points out that generative AI is a powerful tool but cautions against treating it as a catch-all solution. The conversation highlights how improper use can lead to issues like misinformation, inaccurate outputs, and even legal challenges, underscoring the need for deliberate strategy in deploying AI tools. Tackling AI Governance and Risks Howard also provides an unvarnished look at AI governance and its associated risks. With generative AI being a relatively young technology, governance frameworks are still in their infancy. Organizations often lack cohesive tools to manage the risks associated with AI deployments. This leads to challenges in ensuring compliance with data privacy regulations and safeguarding sensitive information. Shadow AI: The Hidden Risk Shadow AI emerged as another critical topic in the discussion. Howard describes Shadow AI as the unauthorized use of AI tools by employees, often without the knowledge or approval of management. While employees leverage these tools to improve productivity or efficiency, this practice introduces significant risks to data security and compliance. Sensitive company data may unknowingly be exposed to public large language models (LLMs), creating vulnerabilities and potential regulatory breaches. Advice for the Tech Community Closing the episode, Howard offers invaluable advice for professionals navigating the ever-changing tech landscape. He underscores the importance of mentorship, curiosity, and collaboration in driving innovation. “It’s our job to help people,” he says, emphasizing the need for tech leaders to share their knowledge and foster growth within their communities. Howard also encourages organizations to adopt a mindset of continuous learning, particularly as emerging technologies like AI continue to evolve. LinkedIn: https://www.linkedin.com/in/howardholton/ GigaOm: https://gigaom.com/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Luigi Lenguito, a pioneering figure in predictive cybersecurity, brings an extraordinary background to his role as founder and CEO of BforeAI. Before revolutionizing cyber threat prevention in 2018, Lenguito's 18-year tenure at Dell and Quest Software encompassed 26 diverse executive positions. His unconventional journey from Formula Three racing champion in Italy to tech industry innovator showcases his adaptability and vision. At Dell, Lenguito's entrepreneurial spirit shone through his creation of a groundbreaking program that bridged the gap between corporate employees and startups, demonstrating his talent for fostering innovation and maximizing human potential. Building a Bridge Between Corporates and Startups One of Lenguito’s most impactful achievements at Dell was creating an innovative entrepreneurship program that connected Dell employees with early-stage startups. The program grew to involve over 400 Dell employees mentoring 10 to 20 startups at any given time. Rather than following traditional corporate-startup engagement models, Lenguito’s program focused on unleashing the untapped potential of Dell employees, allowing them to utilize skills from their past experiences that weren’t being used in their current roles. This unique approach not only benefited the startups but also significantly improved employee satisfaction and retention. From Intrapreneur to Entrepreneur Lenguito’s exposure to entrepreneurs through the Dell program eventually inspired his own entrepreneurial journey. In 2018, he founded BforeAI after discovering research that aligned with his long-held vision of predictive cybersecurity. Inspired by the concept of “pre-crime” from the movie Minority Report, Lenguito saw the potential to transform cybersecurity from reactive to proactive that relies on continuous monitoring. His company now prevents an average of 20 million potential cyberattack victims daily, with the ability to predict threats up to nine months in advance. Insights on Building Corporate Innovation Programs Drawing from his experience, Lenguito shares three key principles for organizations looking to build successful corporate entrepreneurship programs. First, clearly define your purpose--understanding why you’re creating the program is crucial. Second, set clear boundaries and expectations upfront about what the program will and won't do to avoid frustration on both sides. Third, secure appropriate funding by identifying who benefits from the program’s secondary outcomes, as they should be the ones sponsoring it. Future of Cybersecurity Lenguito’s vision for the future of cybersecurity challenges the industry’s current “assume breach” mentality and zero trust security principles. His experience with cyber insurance providers has led to innovative hybrid models that combine traditional insurance with predictive security measures. This forward-thinking approach has earned recognition from industry leaders, with BforeAI recently being named a Gartner Cool Vendor in AI and GenAI for banking and financial services. LinkedIn Profile: https://www.linkedin.com/in/llenguito/ BforeAI: https://bfore.ai/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

The Kiteworks 2025 Forecast for Managing Private Content Exposure Risk Report offers a comprehensive analysis of emerging cybersecurity and compliance trends shaping the year ahead. The report identifies 12 pivotal trends affecting how organizations manage private content exposure risk, highlighting critical areas like data privacy regulations, software supply chain security, AI governance, and quantum computing threats. With 75% of the world's population expected to have their personal data protected under privacy laws by 2025, organizations must implement robust strategies to mitigate risks and ensure compliance. During the Kitecast episode, cybersecurity experts Alexandre Blanc and Evgeniy Kharam discussed the alarming rise in software supply chain attacks. These attacks are projected to spiral and the associated cost. The experts emphasized that while compliance frameworks like SOC 2 and ISO 27000 standards provide baseline guidance, organizations must move beyond mere checkbox security compliance. "Alexandre explained, “Organizations often view SOC 2 or ISO certification as the end goal, but that's just the starting point. What matters is building a comprehensive security program that actually addresses real risks and maintains security posture over time." The discussion delved deep into CMMC 2.0 compliance challenges facing defense contractors. While surveys indicate most organizations believe they're prepared for certification, the reality is starkly different: the actual number of organizations ready to pass certification requirements is quite low. Evgeniy noted, "Don't wait to start your CMMC preparation. This isn't just about checking boxes. Organizations need to understand their environment, document their processes, and implement required controls - all of which takes significant time and resources." The Kitecast conversation highlighted growing concerns about employees inadvertently exposing sensitive data through public large language models (LLMs) and other AI tools. Rather than focusing solely on technical controls, the experts emphasized the need for comprehensive governance frameworks that include clear policies, regular training, and approved platforms for business use. You cannot just block ChatGPT and think you've solved the problem. New AI tools emerge constantly. Organizations need to educate employees about the risks and provide secure alternatives for legitimate business needs. 2025 Forecast Report https://www.kiteworks.com/forecast-report/ LinkedIn Profile for Evgeniy Kharam https://www.linkedin.com/in/ekharam/ LinkedIn Profile for Alexandre Blanc https://www.linkedin.com/in/alexandre-blanc-cyber-security-88569022/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Jerod Brennen, VP of Cybersecurity Services at SideChannel, brings a unique perspective to cybersecurity leadership. Originally pursuing a career in music education, Brennen's journey led him through various IT roles before landing in cybersecurity at a public utility. Today, he serves as a vCISO for multiple organizations while also creating educational content for LinkedIn Learning, where he has developed over 40 courses covering topics from application security to ethics in technology. His unconventional path from music to technology has shaped his approach to security leadership, emphasizing the importance of both technical expertise and human understanding. As a vCISO, Brennen emphasizes the importance of tailored security approaches for small and medium-sized businesses. His work at SideChannel involves helping organizations across various sectors—from healthcare technology to manufacturing—build resilient security programs that align with their specific needs and capabilities. He highlights that while many of these businesses may not have the resources for a full-time CISO, they still require sophisticated security leadership to protect their digital assets and maintain compliance with industry standards. Brennen’s approach focuses on building security programs that enable business growth rather than simply implementing restrictions, ensuring that security measures support rather than hinder organizational objectives. A significant portion of the conversation focused on the challenges of data security in modern business environments. Brennen discusses the complexities of managing data access, particularly in cloud environments, and emphasizes the importance of proper tenant separation for different environments (development, testing, production). He notes that while cost often drives initial cloud decisions, mature organizations eventually shift their focus to building stable, secure infrastructure that aligns with their business goals. The discussion delved into the increasing importance of compliance frameworks such as SOC 2 and CMMC, with Brennen sharing insights on how organizations can effectively prepare for and maintain these certifications while avoiding common pitfalls. The discussion also touched on emerging technologies, particularly the challenges and opportunities presented by AI. Brennen addresses the growing concern among organizations about the secure use of generative AI tools, highlighting the need for clear policies around data sharing with these platforms. He emphasizes the importance of considering long-term implications of AI adoption, drawing parallels with recent events in the tech industry to illustrate the potential risks of data handling by emerging technology companies. His perspective on AI security is particularly relevant given the current landscape where many employees are already using these tools without formal organizational guidance. LinkedIn: https://www.linkedin.com/in/jerodbrennen/ SideChannel: https://sidechannel.com/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Evgeniy Kharam is the founder of a cybersecurity consulting company and an industry veteran with extensive expertise in cybersecurity. He advises clients on navigating the complexities of the cybersecurity landscape and co-hosts two popular podcasts focused on cybersecurity architecture and business insights. Evgeniy is also a board advisor for the Canadian Cybersecurity Network, the largest technology group in Canada. Outside of his professional life, he is an active family man with four children, including twins, and enjoys organizing snowboarding events for networking in the cybersecurity community. Evgeniy joined the Kitecast podcast to discuss his new book, Architecting Success: The Art of Soft Skills in Technical Sales. It is a reflection on the evolution of sales engineering, especially in the cybersecurity field. Evgeniy draws from his personal experiences to address the increasingly complex nature of technical sales and the gap between technical knowledge and the ability to communicate it effectively in business terms. The book also serves as a personal challenge for Evgeniy, as he admits that writing is outside his comfort zone, and he believes that improving soft skills is often about doing what you dislike most. During the podcast interview, one of the key topics Evgeniy discusses is the importance of soft skills in cybersecurity sales. He emphasizes the need for adaptability, listening, and the ability to connect with clients. He points out that successful cybersecurity sales professionals must adjust their approach based on the client’s mood, energy, and current situation, moving from transactional interactions to building genuine relationships. Evgeniy also explores the dynamics between sales professionals and sales engineers. He suggests that the sales engineer’s role is not just to support the sales team but to engage in a more collaborative manner, asking the right questions to help the sales team qualify deals effectively. This dynamic allows for a smoother sales process, where both parties respect each other's expertise and play to their strengths, without crossing into each other's responsibilities. Another major point of discussion is the impact of virtual sales in a post-COVID world. Evgeniy stresses the importance of maintaining professionalism in virtual environments, from investing in proper equipment like cameras and microphones to ensuring a polished appearance. He also highlights the growing reliance on voice communication and the need to train one's voice for better delivery, as remote work has made verbal communication a primary tool for client interactions. LinkedIn: https://www.linkedin.com/in/ekharam/ Architecting Success: https://www.softskillstech.ca/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

John Christly, VP of Services for Blue Team Alpha, and author of two cybersecurity books, brings his wealth of experience to this episode of Kitecast. With a background spanning roles such as CEO, CIO, CISO, and CTO, as well as military service, Christly offers unique insights into the world of cybersecurity compliance for Department of Defense (DoD) contractors. In this enlightening discussion, Christly demystifies the Cybersecurity Maturity Model Certification (CMMC) process. He explains how many organizations are surprised to find they’re further along in compliance than they initially thought, thanks to existing frameworks like DFARS and NIST 800-171. However, he cautions that self-attestation is no longer sufficient, emphasizing the need for third-party verification in the new CMMC landscape. Christly also delves into the critical role of FedRAMP certification in doing business with the government. He highlights the importance of data sovereignty and security in protecting American interests. The conversation explores the challenges of achieving “FedRAMP-like” status and the expertise required to truly build secure systems to DoD specifications. The podcast doesn’t shy away from emerging threats, with Christly offering valuable insights on managing AI-related risks in the workplace. He stresses the importance of clear policies, employee education, and ongoing monitoring to harness the benefits of AI while protecting sensitive data. Christly’s practical advice on consolidating security tools and gaining visibility into cloud application usage provides actionable strategies for improving organizational cybersecurity posture. Whether you’re a DoD contractor or simply interested in elevating your cybersecurity practices, this episode of Kitecast is a must-listen. Tune in now and take the first step toward robust, compliant cybersecurity for your organization. LinkedIn https://www.linkedin.com/in/johnchristly/ Blue Team Alpha https://www.blueteamalpha.com Book: NIST 800-171 Controls Made Simple: A Step by Step Guide https://www.udemy.com/course/nist-800-171-controls-made-simple Book: The Basics of Cybersecurity https://www.amazon.com/dp/B0CZY65DQC Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Kayne McGladrey, the Field CISO at hyperproof, is a renowned cybersecurity expert with an extensive background in enhancing security landscapes across various industries. His career is marked by significant contributions in developing robust security frameworks, managing complex risk scenarios, and driving comprehensive compliance initiatives. With a deep commitment to transforming the cybersecurity field, Kayne’s insights and strategies continue to influence how organizations approach security and regulatory compliance, making him a sought-after voice in the industry. In this Kitecast episode, Kayne McGladrey challenges the traditional view of cybersecurity as merely a cost center, proposing instead that it acts as a critical enabler of business. He eloquently explains how effective cybersecurity measures can unlock new market opportunities and help sustain revenue streams, thus fundamentally altering the narrative from a grudging investment into a strategic asset. By integrating robust cybersecurity practices, businesses can protect their operations from potential threats while enabling smooth and secure growth and innovation. Throughout the discussion, Kayne explores the evolving landscape of compliance tools, moving away from outdated methods like manual spreadsheets to more sophisticated, automated solutions. These advanced tools are designed to streamline and enhance the efficiency of compliance processes. However, Kayne points out the challenges businesses face, such as the lack of executive buy-in, which can hinder successful integration. He emphasizes the critical need for aligning security and compliance strategies with broader business objectives to ensure a cohesive and proactive approach to managing compliance. Kayne delves deeper into the practical challenges faced by cybersecurity teams, especially in the realms of evidence collection and risk assessment. He criticizes the persistence of outdated, manual processes that many organizations still use and advocates for a shift toward automated, more reliable methods. Such modern approaches not only save time but also improve the accuracy and effectiveness of cybersecurity measures, thereby enhancing an organization’s ability to manage and mitigate risks more efficiently. Looking toward the future, Kayne discusses the development of a GRC (Governance, Risk, and Compliance) maturity model that he is pioneering. This model is intended to provide organizations with a clear, actionable roadmap to enhance their governance structures and compliance strategies. By adopting this model, organizations can better navigate the complexities of regulatory environments, reduce risk, and cultivate a proactive, compliance-forward culture. Kayne’s vision for the future of GRC is aimed at making compliance a seamless part of business operations, thus fostering greater organizational resilience and adaptability. LinkedIn Profile https://www.linkedin.com/in/kaynemcgladrey/ hyperproof https://hyperproof.io/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Jacqui Kernot, the Security Director at Accenture for Australia and New Zealand, boasts over two decades of extensive experience in cybersecurity, spanning multiple industries. Recognized for her authoritative voice on diversity and inclusion alongside cybersecurity risk management, Jacqui is a well-regarded speaker who frequently addresses these pressing issues. She is committed to pushing the boundaries of cybersecurity and focused on integrating cutting-edge AI and technological advancements into the security domain. In her recent appearance on the Kitecast episode, Jacqui illuminated the transformative impact of AI on cybersecurity. She pointed out that although AI technology is still emerging, the foundational steps taken today by organizations to build robust infrastructures will be pivotal. Jacqui stressed that companies poised to anticipate future technological needs and begin laying the groundwork for AI integration will likely lead the industry. This strategic foresight is crucial for fully realizing AI’s potential and maintaining a competitive edge in cybersecurity. A significant portion of Jacqui's discussion centered on the imperative of data sovereignty and stringent management practices. In an era increasingly dominated by large language models and cloud-based technologies, securing and responsibly managing data is paramount. Jacqui advocated for strict data governance frameworks that ensure data is accessible only by authorized personnel, emphasizing that responsible AI deployment is fundamental to future security architectures. Jacqui also delved deeply into the role of Zero Trust architecture in today’s cybersecurity landscape. She explained that as organizations increasingly migrate to cloud services and face more complex cyber threats, adopting a Zero Trust approach is crucial. This methodology is not only essential for blocking unauthorized access but also vital for building resilient security protocols that can robustly counteract potential breaches. Looking forward, Jacqui shared insights on the evolving challenges and opportunities within cybersecurity. She highlighted the necessity for security strategies to remain adaptive and vigilant against new threats while also leveraging emerging technologies. The discussion touched on the need for more sophisticated security measures that can effectively safeguard against the evolving landscape of cyber threats, ensuring that organizations can protect their critical assets in an increasingly digital world. LinkedIn Profile www.linkedin.com/in/jkernot/ Accenture www.accenture.com/us-en Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

The Kiteworks Sensitive Content Communications Privacy and Compliance Report is an annual survey designed to delve into the pressing issues of data privacy, compliance, and cybersecurity. This comprehensive report gathers insights from IT, cybersecurity, risk, and compliance leaders around the globe, with the latest survey capturing responses from 572 leaders across 10 different countries. The report is meticulously divided into five sections: cyberattacks and data breaches, data types and classification, compliance and risk, cybersecurity and risk management, and operational procedures. These insights provide organizations with actionable intelligence to navigate the complex landscape of data security and compliance. This Kitecast episode features a panel discussion, with Kitecast Co-host Patrick Spencer addressing key findings in the report and soliciting feedback from Co-host Tim Freestone and two guest panelists, Alexandre Blanc and Ranbir Bhutani. Alexandre pointed out that while the frequency of cyber incidents has decreased, the scale of each incident has grown significantly. Threat actors have become more organized, targeting larger organizations with higher impact, particularly in specific verticals like healthcare and finance. This shift is likely influenced by geopolitical tensions, using cyberattacks to disrupt trust in systems and organizations. Ranbir echoed these observations, adding that the sophistication of phishing attacks has increased, often leveraging unethical AI to create highly convincing fraudulent communications. The conversation also explored the persistent challenge of human error in cybersecurity. Despite numerous training initiatives and advanced technologies, the human element remains a significant vulnerability. Tim, Alexandre, and Ranbir emphasized that until organizations can effectively abstract human errors from business processes, this will continue to be a weak link. Ranbir shared an anecdote about a near-miss phishing attempt, underscoring the difficulty even seasoned professionals face in recognizing sophisticated attacks. Another critical insight from the discussion involved the disparity in cybersecurity maturity across industries. The podcast revealed that higher education and state government sectors are particularly vulnerable, with a high number of reported breaches. This is attributed to underfunding and a lack of stringent cybersecurity measures. In contrast, the federal government has shown better compliance due to regulatory pressures like CMMC 2.0. The panelists agreed that while regulations are a step in the right direction, the enforcement and practical implementation of these regulations remain a challenge, particularly for smaller organizations. Finally, the podcast touched on the issue of litigation costs associated with data breaches. The long-term financial impact of breaches extends beyond immediate operational disruptions and ransom payments. Ongoing litigation can drain resources and affect an organization’s reputation and client trust. Kiteworks 2024 Sensitive Content Communications Privacy and Compliance Report: https://www.kiteworks.com/sensitive-content-communications-report/ Alexandre Blanc: Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Betania Allo is a distinguished expert in cybersecurity law and public policy and frequently presents at international forums and events. She boasts an impressive academic background with advanced degrees from Harvard University and Syracuse University. Currently, she is pursuing a doctorate in engineering with a focus on analytics at George Washington University. Her extensive experience includes serving as a Program Management Specialist and Senior Officer at the United Nations, where she addressed complex issues related to counterterrorism and technology. This Kitecast episode delves into Betania Allo’s multifaceted career journey, highlighting her transition from law and public policy to the specialized field of cybersecurity. Her decision to move from Argentina to the U.S. for graduate studies, combined with her background in international relations and law, set the stage for her focus on cybersecurity. Betania’s efforts to bridge the gap between legal experts and technologists are emphasized, underscoring the importance of understanding both domains to effectively tackle global cyber threats. The podcast discussion covers Betania’s tenure at the United Nations, where she worked on counterterrorism and technology. Insights are provided on how terrorist groups exploit digital platforms for recruitment, communication, and fundraising. The challenges of safeguarding these platforms and the importance of a multi-stakeholder approach involving private sector companies, NGOs, and academia are examined. Betania’s experiences during the pandemic revealed the increased vulnerability and exploitation of digital spaces by terrorist organizations. Betania also discusses the rehabilitation and reintegration of terrorists through technology. The significance of using technology in the initial screening of individuals for accurate assessments and tailored rehabilitation programs is outlined. Despite the challenges, Betania advocates for incorporating artificial intelligence (AI) and other technologies to enhance rehabilitation efforts. Her innovative approach aims to create unified systems for better data synchronization and resource allocation, particularly in regions with limited infrastructure. Finally, Betania argues that political decision-making needs to be tapped in prioritizing technological advancements and cybersecurity investments. Continuous collaboration between governments, tech companies, and security experts is deemed essential to stay ahead of emerging threats. As such, she points out the need for engaging training programs to build a robust cyber culture within organizations and beyond. LinkedIn: https://www.linkedin.com/in/betaniaallo/ Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.