SECNORA Podcast

Author: Secure By Design


Description

SECNORA Cyber security talks
8 Episodes

Summary: In this episode of Secure by Design, Daniel Kulig and Aylin Orial discuss the rapid evolution of AI in the FinTech sector, emphasizing the shift from experimentation to accountability. They explore high-impact AI use cases, the importance of security in AI implementation, and the need for effective governance and compliance. Aylin shares insights on the shared responsibility of cybersecurity and the necessity of clarity in decision-making processes. The conversation concludes with practical lessons for leaders in the industry and a forward-looking perspective on the future of AI in FinTech.

Takeaways:
- AI has transitioned from experimentation to production accountability.
- Fraud detection and risk management yield the fastest ROI in FinTech.
- Security must be integrated into the development process, not treated as an afterthought.
- Governance frameworks should scale with the risk associated with AI use cases.
- The role of the CTO is evolving to include shared cybersecurity responsibilities.
- Clarity in decision-making processes is crucial for successful AI implementation.
- Organizations must prioritize human oversight in AI systems to mitigate risks.
- Effective collaboration between CTOs and CISOs is essential for managing AI-related risks.
- AI can enhance security but also introduces new vulnerabilities.
- A hybrid approach of buying and building AI solutions is often the most effective strategy.

Chapters:
- 00:00 The Rapid Evolution of AI in FinTech
- 11:48 High Impact AI Use Cases in FinTech
- 24:08 The Role of Security in AI Implementation
- 36:00 Governance and Compliance in AI
- 43:01 Lessons Learned and Future Outlook

Summary: In this episode of Secure by Design, host Daniel Kulig and guest Eric Boemanns discuss the complexities of vendor management in IT security. They explore the pros and cons of multi-vendor strategies versus consolidation, emphasizing the importance of independence in building and validating security programs. The conversation highlights the challenges organizations face with vendor sprawl, the triggers for vendor conversations, and the need for clarity in decision-making. Practical steps for managing vendors and ensuring effective security outcomes are also shared, culminating in actionable takeaways for listeners.

Takeaways:
- Leaders face pressure to consolidate or use multiple vendors.
- Independent validation is crucial for effective security programs.
- Vendor sprawl complicates security management.
- Consolidation can lead to vendor lock-in risks.
- Multi-vendor strategies can enhance resilience.
- Clarity in vendor choices is essential for decision-making.
- Audits can lead to optimizing for compliance over resilience.
- Continuous testing is necessary for security effectiveness.
- Building and validating should be separate processes.
- An inventory of security tools is the first step in management.

Summary: In this episode, Daniel Kulig and cybersecurity expert Philip Lee discuss the importance of tabletop exercises in securing executive buy-in for cybersecurity initiatives. They explore how these exercises can transform abstract cyber risks into tangible business impacts, the common misconceptions executives have about cybersecurity, and the key ingredients for designing effective tabletop exercises. Philip shares insights on how to engage executives, the importance of cross-functional communication, and how to measure the success of these exercises. The conversation emphasizes the need for tailored scenarios, the role of lessons learned, and the frequency of tabletop exercises to build organizational resilience.

Takeaways:
- Tabletop exercises can bridge the gap between cybersecurity and executive leadership.
- Engaging executives in realistic scenarios helps them understand the impact of cyber risks.
- Avoid fear-based tabletops; focus on proactive engagement and learning.
- The right attendees are crucial for effective tabletop exercises.
- Informal communication channels often develop as a result of tabletop exercises.
- Tailor scenarios to the specific business context and threat landscape.
- Lessons learned discussions are critical for translating insights into action.
- Frequency of tabletop exercises should balance engagement and effectiveness.
- Cross-functional communication improves after tabletop exercises.
- Success is measured by engagement and actionable insights, not just attendance.

Summary: In this episode of the Secure by Design podcast, host Daniel Kulig engages with Horatio Morgan, a digital innovation expert, to explore the intricate relationship between big data, AI, and cybersecurity. They discuss the importance of data governance, the challenges organizations face in balancing data scale with security and privacy, and the emerging threats in AI. Horatio shares insights on the key stakeholders in AI governance, influential regulatory frameworks, and practical tools for ensuring privacy. The conversation also covers case studies of successes and failures in data governance, predictions for the future of AI, and advice for organizations and professionals navigating this complex landscape.

Takeaways:
- Data is the foundation of everything.
- Big data can give you power, but if you can't use it, that equals zero.
- Treat data as a governed asset.
- Privacy gives us permission to do stuff.
- Governance isn't a department; it's coordinated teamwork.
- You must promote a culture of responsible curiosity.
- Explainable AI is a compliance tool.
- The future belongs to tech philosophers.
- If the customers are not on board, that equals no trust.
- The smarter the system gets, the smarter the attackers become.

Summary: In this episode of Secure by Design, host Daniel Kulig and guest Christopher Buch from Nimblr Security discuss the often-overlooked human aspect of cybersecurity. They explore how human behavior plays a critical role in cybersecurity, the psychological triggers that lead to phishing attacks, and the importance of effective cybersecurity awareness training. The conversation emphasizes the need for ongoing training, fostering a security culture within organizations, and the role of leadership in promoting cybersecurity awareness. They also touch on future challenges, including the impact of AI on phishing attacks and the necessity for organizations to adapt their approaches to different cultures and age groups.

Takeaways:
- Human behavior is a critical factor in cybersecurity.
- 85% of successful breaches are due to human error.
- Urgency and confusion are common tactics used by scammers.
- Effective training requires ongoing engagement and updates.
- Management must actively participate in cybersecurity training.
- Cybersecurity awareness should be part of the organizational culture.
- Different age groups may respond differently to training.
- Behavior change in cybersecurity is a gradual process.
- AI will enhance the sophistication of phishing attacks.
- Organizations must view cybersecurity as an ongoing journey.

In this episode of Secure by Design, host Daniel sits down with Sandamali to explore the rapidly evolving intersection of AI, cybersecurity, and governance. From AI's role in risk amplification to the evolving responsibilities of the CISO, they dive into the challenges and opportunities of governing AI in today's digital landscape. Sandamali shares insights into how Governance, Risk, and Compliance (GRC) is adapting to handle AI, along with real-world use cases and pitfalls that companies should watch out for. Plus, learn how organizations can build an AI-ready, security-first culture and prepare for the future of AI governance. Don’t miss this engaging conversation on navigating AI’s sharp edges while securing the digital future.

In this episode of Secure by Design, we dive deep into the shadowy world of vulnerability discovery and exploitation. From zero-days to n-days, bug bounty programs to advanced persistent threats, we unpack how security researchers, red teamers, and adversaries find flaws in software—and how those flaws are weaponized.

You’ll learn:
- The lifecycle of a vulnerability—from discovery to public disclosure or underground sale.
- Techniques used to uncover bugs (fuzzing, reverse engineering, source code review, etc.).
- Real-world stories of critical CVEs and how they were exploited.
- The difference between ethical disclosure and weaponization.
- How organizations can detect, respond to, and stay ahead of exploitation attempts.

Whether you're a security professional, developer, or tech enthusiast, this episode offers a front-row seat to the high-stakes hunt for vulnerabilities that shape our digital security landscape.

Software supply chain attacks are on the rise — from dependency hijacking to CI/CD compromise. In this session, we dive into how the SLSA (Supply-chain Levels for Software Artifacts) framework helps you secure the integrity of your builds, detect tampering, and implement end-to-end trust in your development pipeline.

What you'll learn:
- The anatomy of modern software supply chain attacks.
- An overview of the SLSA framework and its levels (1–4).
- How to integrate SLSA into your CI/CD workflows.
- Real-world breaches and how they could’ve been prevented.
- Practical steps for developers, DevOps, and security teams.

Whether you're an engineer, CISO, or DevSecOps practitioner, this session will give you a clear roadmap for hardening your software delivery process.

📌 Subscribe for more content on secure development, DevSecOps, and emerging threats in the software ecosystem.