
Resilient Cyber

Hosted by Chris Hughes

Available Episodes (5 of 171 shown)
  • Resilient Cyber w/ Jim Manico - Enhancing Software Security in the Era of AI
    In this episode, we sit down with Jim Manico, a longtime industry AppSec leader, educator, and innovator, to discuss enhancing software security in the era of AI. This includes covering recent talks Jim has given about using AI as a force multiplier for software development, the importance of security-centric prompting, and the overall impact of AI on the field of AppSec.

    We discussed:
      • A recent talk Jim gave on transforming secure software creation with AI: doing the work of teams of people on his own, and work that used to take tens of thousands of hours, through the use of agents and various frontier models and offerings.
      • The importance of security-centric prompting and guidance for models to produce secure code, and the impact on vulnerability velocity of doing so.
      • The risks of the broader developer community leaning into these tools without adding security-centric prompts and guidance, but also the opportunity for prompt libraries and enterprise controls to lead to systemically secure software development within the enterprise.
      • The workforce implications of AI-driven development and the need to upskill to stay relevant (and employable).
      • Where Jim sees opportunity beyond AppSec when it comes to AI and cybersecurity, in other areas such as GRC and SecOps.
    --------  
    20:06
  • Resilient Cyber w/ AJ Yawn - Transforming Compliance Through GRC Engineering
    In this episode, we sat down with AJ Yawn, author of the upcoming book GRC Engineering for AWS and Director of GRC Engineering at Aquia, to discuss how GRC engineering can transform compliance. We discussed the current pain points and challenges in Governance, Risk, and Compliance (GRC), how GRC has failed to keep up with software development and the threat landscape, and how to leverage cloud-native services, AI, and automation to bring GRC into the digital era.

    We dove into:
      • What the phrase “GRC Engineering” means and how it differs from traditional Governance, Risk and Compliance.
      • What some of the major issues are with traditional compliance in the age of DevSecOps, cloud, APIs, automation and now AI.
      • Specific examples of GRC Engineering, including the use of automation, APIs and cloud-native services to streamline security control implementation, assessment and reporting.
      • The promise and potential of AI in GRC, how AJ is using various models for control assessments, artifact creation and more, and how GRC practitioners should be leveraging AI as a force multiplier.
      • AJ’s new book, “GRC Engineering For AWS: A Hands-On Guide to Governance, Risk and Compliance Engineering”.
    --------  
    35:53
  • Resilient Cyber w/ Patrick Duffy: Securing the Modern Workspace
    In this episode of Resilient Cyber, we chat with Patrick Duffy, Product Manager at Material Security, on securing the modern workspace. The conversation covers the increased adoption of cloud office suites, the limitations of traditional security approaches, and a deep dive into how Material Security is tackling issues such as securing email and data, identity threat detection, and posture management.

    Questions we explored:
      • Stepping back a bit before we get too specific, we've seen major fundamental shifts in the way organizations work and operate today, including widespread adoption of cloud office suites (e.g., Google Workspace, Microsoft 365, etc.). How have these shifts changed the threat landscape, and what sort of issues are we seeing with traditional security practices when it comes to securing these environments?
      • We know phishing and email attacks are common and critical to protect against, but what about challenges around visibility of accounts/activity, sensitive data, and secure configurations and posture?
      • Getting more specific to Material, can you help us understand how you all approach this problem space from a platform and offering perspective? What are some key features and abilities Material Security customers utilize to secure their cloud office suite environments, and what threats do they help against?
      • What are some key differentiators for Material compared to some of the other vendors working on this problem, or even how do you all differ from some of the native security capabilities of environments such as M365 or Google Workspace?
      • This space continues to evolve, both in terms of the cloud workspace environments and their usage by organizations and the relevant threats. How is Material preparing for these changes, whether it's the widespread adoption of AI, increased complexity, and so on?
      • It's always great to hear some first-hand use cases and applications. Can you share some examples where Material Security has found success with specific customers and users of the solution?
      • We've covered everything from the pitfalls and shortcomings of traditional security approaches to cloud office suites to where the market is headed. Where can folks learn more about Material, and what should we keep an eye out for next?
    --------  
    19:32
  • Resilient Cyber w/ Wade Baker - Data Driven Incident Impact Analysis
    In this episode, I sit down with longtime industry researcher Wade Baker to dive into Cyentia's latest IRIS report. The report provides a data-driven look at incident trends, impacts, costs, and more. Are cyber incidents becoming more or less frequent? Are specific industries doing better than others? What does the average incident impact actually look like? Tune in to learn the answers, along with many other interesting insights!

    Some of the findings we covered:
      • The number of security incidents continues to climb year over year, which isn’t a surprise, although there have been peaks and valleys throughout various periods; note the huge uptick in 2021.
      • Similar to recent reports such as the DBIR and M-Trends, application exploitation (e.g., system intrusion) is climbing. In contrast, methods such as physical threats and others have declined due to increased cloud adoption, virtual infrastructure, and so on.
      • One finding that may surprise some is that the proportion of incidents is going down for some organizations, particularly the largest enterprises, while it is going up for SMBs and smaller organizations. This ties to concepts such as the cybersecurity poverty line, which I have discussed in other articles, such as with Ross Haleliuk in our article “Lifting the world out of cybersecurity poverty.” This is likely due to factors such as large enterprise organizations having robust security teams, larger budgets, and the ability to afford the latest security tooling, while SMBs often lack many of these and deal with resource constraints in both dollars and expertise.
      • We also see sectors that historically had low incident counts now climbing, likely due to factors such as increased adoption of software and being digitally connected, as well as being a previously untapped sector for attackers.
    --------  
    45:55
  • Resilient Cyber w/ Bob Ritchie - Securing Federal & Defense Digital Modernization
    In this episode, I sit down with SAIC Chief Technology Officer (CTO) and longtime Federal/Defense leader Bob Ritchie to discuss his experience securing public sector digital modernization, including everything from large multi-cloud environments to zero trust, identity, and where things are headed with AI.

    Bob starts by discussing SAIC and his background there. He went from intern to CTO over 20 years with this public sector industry leader, including a brief stint with Capital One on the commercial side.

    We covered:
      • The current state of the federal cloud community across multiple clouds (e.g., Azure, AWS, and GCP) and some of the challenges and opportunities on the security front.
      • We often hear phrases such as “identity is the new perimeter,” but the perimeter is porous and problematic, especially in large, disparate environments such as the Federal/Defense ecosystem. Bob touched on the current state of identity security in this ecosystem, where progress is being made, and what challenges still need to be tackled.
      • The government is doing a big push towards Zero Trust, with the Cyber EO 14028, Federal/Defense ZT strategies, and more. But how much progress is being made on ZT, and where can we look for examples of innovation and success?
      • The rise of excitement and adoption of AI, GenAI, Agentic AI, and protocols such as MCP and A2A, and where the public sector community can lean into Agentic AI for use cases ranging from SecOps and AppSec to GRC and more.
      • How Bob balances a good business focus while staying deep in the weeds and proficient in the relevant emerging technologies and nuances required of a CTO.

    I’ve known Bob for several years, and you would be hard pressed to find a more competent technology leader. This is not one to miss!
    --------  
    40:58


About Resilient Cyber

Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SME) across the Public and Private domains from a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.


© 2007-2025 radio.de GmbH