Collection: The Security Strategist

Author: EM360Tech

Subscribers: 7. Plays: 41

Description

Stay ahead of cyberthreats with expert insights and practical security advice.

Led by an ensemble cast of industry thought leaders offering in-depth analysis and practical advice to fortify your organization's defenses.

179 Episodes
In this episode of The Security Strategist podcast, host Jonathan Care, Lead Analyst at KuppingerCole Analysts, speaks with Sudhir Reddy, the Chief Technology Officer (CTO) of Esper, about how to build trust in ‘Zero Trust.’ They explore this paradox in Zero Trust systems, where human trust is essential for the system to function effectively. Reddy emphasises the need for intelligent friction in security measures, allowing for a balance between security and business operations. The conversation also highlights the importance of understanding user needs and building trust within security systems to ensure effective implementation of Zero Trust strategies.

How to Build Trust in a "Zero Trust" World?

“Security should be a seatbelt, not a straitjacket,” the Esper CTO said, describing the nature of zero trust in cybersecurity. For Reddy, zero trust isn’t just about “trust no one.” It’s about verifying everything while still allowing people to do their work.

“Zero Trust is really about verification,” he explains. “But the paradox is that it’s built to create trust among the people using it.” As systems, devices, and AI tools grow, security can’t just mean adding more barriers. “The number of people interacting with systems has increased a lot,” Reddy adds. “But if the system doesn’t support the business, people will find a way around it.” That, he says, poses a risk where extremely rigid security could defeat its own purpose.

From “Friction” to “Intelligent Friction”

The Esper CTO explains that Intelligent Friction means designing systems that adjust security based on the situation. “You want the least friction where there is friction,” he says. “Add friction where it matters most, and make it disappear when it doesn’t.”

Using the example of banking apps, Reddy describes intelligent friction as a simple login for checking balances and extra verification for large transfers. “That’s intelligent design — progressive, contextual, and trusted.”

When asked about the key message for CISOs, CEOs and IT decision-makers, he urges them to “stop measuring adherence to rules.” Instead, “start measuring where people are bypassing them — that’s where your friction is hurting the business.”

At Esper, this approach guides everything from device management to enterprise policy design: security that protects without slowing you down. Discover how Esper is redefining Zero Trust through Intelligent Friction. Learn more at Esper.io.

Takeaways
Zero Trust is fundamentally about verification at every step.
The shift to Zero Trust is driven by increased exposure and sophisticated attack vectors.
Human trust is essential for Zero Trust systems to function effectively.
Intelligent friction allows for security measures that adapt to user needs.
Security should not hinder business operations; it should support them.
CISOs should measure rebellion against security rules, not just adherence.
Progressive security checks can enhance user trust in systems.
Cultural change is necessary for effective security implementation.
Feedback...
Can your organization truly trust every identity: human, machine, and AI?

The traditional security perimeter is no longer a reliable boundary. As enterprises adopt hybrid infrastructures, cloud services, and autonomous AI systems, identity has emerged as the central element of effective cybersecurity.

In the latest episode of The Security Strategist Podcast, Richard Stiennon speaks with StrongDM’s Chief Executive Officer Tim Prendergast about how organizations can secure human users, machines, and agentic AI through identity-based controls.

Identity at the Center of Zero Trust

Both Stiennon and Prendergast believe identity has become the true control plane for modern cybersecurity. While Zero Trust frameworks are widely promoted, they often remain theoretical until grounded in strong identity governance. By continuously verifying and managing every identity—human, machine, and AI—organizations can strengthen access control, reduce the risk of credential theft, and enforce clear operational boundaries across their environments.

As Prendergast explains, “No one wants to go out of business tomorrow, no matter how good their security is. You have to balance the needs of the business, the needs of your user or customer populations, and practical security.”

Securing Human Users

For human users, particularly those with privileged access, identity management must strike a balance between security and productivity. CISOs need visibility into who is accessing critical assets, when, and under what context. StrongDM’s approach emphasizes just-in-time access, ensuring users receive only the permissions they need, precisely when they need them.

Implementation Considerations

Deploying identity-based security requires a strategic, phased approach. Prendergast stresses that security measures must align with business priorities to minimize disruption. By treating users, machines, and AI agents as identities rather than simply devices or services, organizations can enforce dynamic policies, respond to threats more effectively, and maintain compliance in increasingly distributed IT environments.

StrongDM’s approach demonstrates that the future of security lies in identity-first models where humans, machines, and AI agents are governed under the same principles, ensuring that the right identities have the right access at the right time.

Takeaways
Identity is the new control plane for security.
Zero Trust is often theoretical; real progress lies in identity-based security.
Stolen credentials are the primary attack vector.
A Renaissance in identity security...
In today’s cybersecurity industry, Managed Service Providers (MSPs) who do not adapt risk falling behind. In the recent episode of The Security Strategist podcast, host Richard Stiennon, Chief Research Analyst at IT-Harvest, talks with Stefanie Hammond, Head Nerd at N-able, and Jim Waggoner, Vice President of Product Management at N-able. They discuss how MSPs can tackle rising threats, bridge the talent gap, and maintain profitability in a quickly evolving market.

The speakers particularly explore the critical need for MSPs to adopt Managed Detection and Response (MDR) services, the importance of internal security investments, and how AI can enhance efficiency. The conversation also touches on compliance challenges and future trends in pricing strategies for MSPs, emphasising the need for continuous adaptation in a rapidly changing threat environment.

When Stiennon asked, “How quickly must an MSP change their entire model to a managed detection and response offering to stay competitive?” Hammond's answer was straightforward: “If an MSP hasn’t done that yet, I don’t know how much longer they can wait.” This sets the stage for the podcast.

MDR Is No Longer Optional but Critical for MSPs

For MSPs serving clients in tightly regulated fields like finance, healthcare, government, or education, Managed Detection and Response (MDR) is a necessity. “Organisations in those sectors face a greater risk,” says Hammond. “Managed Service Providers (MSPs) need to incorporate MDR into their security offerings and make it standard for their customers to stay competitive.”

However, Hammond cautions against selling MDR as a standalone solution. “We shouldn’t sell any security tools as a separate service.” Instead, she suggests packaging MDR with other prevention, detection, and recovery options—like backup and data protection—to create a layered cybersecurity package.

Agreeing, Waggoner steps in and describes this as a natural growth process for MSPs: “It becomes a maturity lifecycle. You start by managing hardware and software, move on to daily security, and eventually cover full detection and response. If MSPs don’t want to develop that in-house, N-able can assist—we can co-manage it or handle it for them as they grow.”

MSPs for Smarter Security and AI-Backed Efficiency

The speakers also talked about how AI and automation are changing cybersecurity, not just for spotting threats but also for improving operations and driving sales. “We automatically handle 90 per cent of security alerts using AI,” expressed Waggoner. “If you’re not automating, you’re falling behind,” the Vice President of Product Management at N-able added.

For Hammond, AI is equally beneficial in marketing and communication. She recommends that MSPs not manage sales and marketing entirely on their own but use AI to support themselves. Both experts agree that compliance, identity protection, and education are essential parts of a resilient security framework. “It always comes down to identity,” Waggoner emphasises. “Use unique logins, change passwords regularly, and set up...
"You have to think about how the online world really operates and how we make sure that data is secure. How can we trust each other in the digital world?" Robert Rogenmoser, the CEO of Securosys, asks. The answer is "encryption and digital signature."

According to Rogenmoser, storing keys insecurely creates immediate risk, which makes strong key security crucial. "If it's just in a software system, you can easily get hacked. If I have your encryption key, I can read your data. If I have your Bitcoin keys, I can spend your money,” says Rogenmoser.

In the recent episode of The Security Strategist podcast, host Richard Stiennon, Chief Research Analyst at IT-Harvest, speaks to Robert Rogenmoser, the CEO of Securosys, about safeguarding the digital world with cryptographic keys. Rogenmoser makes the case for Hardware Security Modules (HSMs) as the best solution to this critical challenge.

In addition to discussing how hardware security modules (HSMs) protect encryption keys, they also talk about the evolution of HSMs, their applications in financial services, the implications of post-quantum cryptography, and the integration of AI in security practices.

Are Hardware Security Modules (HSMs) the Ultimate Solution?

The conversation stresses the importance of key management and the need for organisations to adapt to emerging technologies while ensuring data security. To mitigate the cybersecurity risks, the priority is to securely store the keys, control access, and generate strong keys that cannot be easily guessed by cyber criminals. HSMs are the ultimate solution to the key issue, believes Rogenmoser.

Firms tend to shift their data to the cloud, making it even more essential to secure keys. The main challenge arises when both the data and the keys are managed by the same cloud provider, as this setup can compromise the integrity of key control and raise concerns about data sovereignty. However, Securosys approaches this challenge differently. Rogenmoser explains that organisations can keep their data encrypted in the cloud while keeping the key somewhere else, where only they have control over it.

Multi-Authorisation System for High-Stakes Transactions

Rogenmoser pointed out the company's patented system for multi-authorisation of Bitcoin keys. This system is essential because blockchain transactions are high-stakes and irreversible. "Crypto custody for bitcoins or any cryptocurrency is a major business for our HSM," he said. Banks that hold large amounts of customer crypto cannot afford a single point of failure. "A blockchain operation is a one-way thing. You sign a transaction, and the money is gone."

The multi-authorisation system addresses this issue by requiring a "quorum" of people to approve each transaction. Rogenmoser explained, "You can say this transaction can only be signed and sent to the blockchain if one out of three compliance officers signs this, plus two out of five traders." This approach creates a "more secure system" because "the HSM then checks, do we have a quorum? Did everyone actually sign the same transaction?" Only after verification is "the actual key for the blockchain […] used to sign a...
"With any new technology, there's always a turning point: we need something new to solve the old problems,” states Jeffrey Hickman, Head of Customer Engineering at ORY, setting the stage for this episode of The Security Strategist podcast.

The key challenge enterprises face today in identity and security is the rapid rise of AI agents. Many organisations are trying to bolt advanced AI features onto old systems, only to realise, after the investment has been made, that serious issues have surfaced. The high number of automated interactions could easily overload the current infrastructure. "The scale of agent workloads will be the weak spot for organisations that simply try to apply current identity solutions to the rapidly growing interaction volume,” cautions Hickman.

In this episode of The Security Strategist podcast, Alejandro Leal, Host, Cybersecurity Thought Leader, and Senior Analyst at KuppingerCole Analysts AG, speaks with Jeffrey Hickman, Head of Customer Engineering at ORY, about customer identity and access management in the age of AI agents. They discuss the urgent need for new self-managed identity solutions to address the challenges posed by AI, the limitations of traditional Customer Identity and Access Management (CIAM), and the importance of adaptability and control in identity management. The conversation also explores the future of AI agents as coworkers and customers, emphasising the need for secure practices and the role of CISOs in steering these changes.

AI Agents – The Achilles Heel of Legacy Identity

Hickman explains that many companies face an immediate and serious issue at the moment. He said: "The scale of agentic workloads will be the Achilles heel for organisations that simply try to map existing identity solutions onto the drastically ballooning interaction volume." This scale not only overwhelms current systems but also creates perilous complexity. AI agents, acting on their own or on behalf of humans, lead to a huge increase in authentication events. This is called "authentication sprawl." Such strain on old technology often positions security as an afterthought.

The main unresolved technical issue is context: figuring out what an individual agent is allowed to do and what specific data it can access, Hickman tells Leal. "The problem is defining the context—what an agent is allowed to do and gather. Legacy IM solutions don't address this well; it's an unsolved area."

To gain the necessary control, organisations must move beyond complicated scope chains and rethink how granular permissions function. Meanwhile, the risk of AI-driven phishing targeting human users, fuelled by manipulated prompts, will grow until we can ensure the authenticity of human-in-the-loop moments using technologies like Passkeys.

Also Read: OpenAI leverages Ory platform to support over 400M weekly active users

Takeaways
The rise of AI agents is reshaping customer identity management.
Traditional CIAM systems struggle with the scale of AI interactions.
Adaptability is crucial for organisations facing new identity challenges.
Control over identity solutions is essential for enterprises.
Security must not be sacrificed for user experience.
AI agents can amplify existing identity management...
"The harsh reality is the site wasn't real. The ad was fake. The reality is you've clicked through to a steward ad that's taken you to a fake site. That fake site then has taken your details, your credit card,” articulated Lisa Deegan, Senior Director, UK and International Growth at EBRAND, in the recent episode of The Security Strategist podcast.

Host Richard Stiennon, Chief Research Analyst at IT-Harvest, sits down with Deegan to talk about cybersecurity in brand protection against online fraud. They explore how AI is being used by criminals to create convincing fake shops, the impact of these scams on consumer trust, and the need for a comprehensive approach to brand protection. Deegan emphasises the importance of understanding consumer behaviour, the mechanics of online scams, and the necessity for organisations to adopt proactive strategies to combat these threats.

The Alarming Rise of AI Fake Shops

The digital world seems like a boon to most of humanity: about two-thirds of it, five billion people, are now online. This online community, heavily reliant on mobile devices, has become prey for savvy cybercriminals. These criminals are now using Generative AI to create highly convincing, yet entirely fake, online retail experiences.

Deegan, a cybersecurity and brand protection expert at EBRAND, illustrates the trap set for the digital community. She asks the audience to imagine a consumer scrolling through social media who sees an ad for a favourite brand offering a deep discount. The consumer clicks, is taken to a professional-looking website that appears legitimate, enters payment details, and loses their money. The product never existed, and the consumer's data is stolen. The speed and scale of these attacks are unprecedented; single campaigns can target over 250,000 people in a single day, points out Deegan.

The EBRAND senior director proposes a major change in brand protection strategy. Instead of just dealing with surface-level violations, she wants to target the underlying criminal infrastructure. "It's no longer about firefighting individual infringements. It's about looking at the domains, the ads and the payment channels cyber criminals are using. And it's also the bad actors before that.”

“It's bringing that all together and making sure that you're taking it down the infrastructure at source so that it's leaving them no opportunity to rebuild again," added Deegan.

The speakers agree that the traditional method has become a continuous "whack-a-mole" game against sites that instantly reappear due to AI. To be effective, brands "need to embed monitoring with intelligence and rapid enforcement" to break down the entire operation, making it too costly and difficult for the criminals, who will "eventually get fed up and move on to some other soft target."

Takeaways
The landscape of online fraud is rapidly evolving due to AI.
Two-thirds of humanity is now online, increasing vulnerability.
Fake shops can deceive consumers with convincing ads and websites.
Trust in brands is significantly impacted by online scams.
Organisations need to dismantle the networks behind scams, not just individual sites.
AI can be used for both scams...
Identity fabric, a contemporary, flexible identity and access management (IAM) architecture, should “be involved at every stage of authentication and authorisation,” says Stephen McDermid, CSO, EMEA at Okta Security. According to CISCO’s VP, 94 per cent of CISOs believe that complexity in identity infrastructure decreases their overall security.

In this episode of The Security Strategist podcast, Alejandro Leal, podcast host and cybersecurity thought leader, speaks with McDermid about Identity Fabric, the modern threats to identity security, the role of AI in cybersecurity, and the importance of collaboration among industry players to combat these novel threats. Stephen emphasises the need for organisations to adopt a proactive approach to identity governance and to recognise that identity security is a critical component of overall cybersecurity strategy.

Poor Identity Governance

Enterprises today face a complicated web of users, applications, and data. Identity, once regarded as a small IT problem, is now at the forefront of cyberattacks, and identities are becoming highly lucrative targets for cybercriminals. Alluding to recent high-profile breaches on the UK high street, McDermid points out the financial impact, estimated in hundreds of millions of dollars. The common feature observed among these cyber incidents is the misuse of “poor identity governance.” This happens when users’ old login information lacks multi-factor authentication (MFA) or when attackers use social engineering to reset passwords.

The reality today is that attackers use automation and AI to find valid identities, which makes their work easier than ever, owing to the vast number of compromised credentials available online. The scale of the threat is massive. McDermid noted that "fraudulent sign-ups actually outnumbered legitimate attempts by a factor of 120." This indicates that organisations need to accept that "a breach is inevitable."

Ultimately, McDermid's message was clear and pressing. He urged CISOs to understand where their identities are throughout their businesses. Furthermore, he stressed the need to assume a breach and consider how to respond. The CSO also called for them to challenge their SaaS vendors to commit to the new standards. In his opinion, only through this type of collective action can the security community hope to make a difference in what seems to be a losing battle right now.

Takeaways
Identity Fabric is a framework for managing identities at scale.
Modern attacks...
Enterprises can no longer afford the old trade-off between speed and safety. Developers are under constant pressure to release code faster. At the same time, security teams face an endless stream of new threats. The middle ground is clear: software must be secure and resilient from the start, without slowing innovation.

This is the philosophy Ian Amit, CEO of Gomboc AI, shared in a recent conversation with Dana Gardner, Principal Analyst at Interarbor, on the Security Strategist podcast. Amit argues that the next era of DevSecOps depends on rethinking how engineering and security come together.

Moving Beyond Shift-Left Fatigue

The traditional push to “shift security left” has often backfired. Developers face alert fatigue, drowning in warnings that obscure the real issues. Security teams end up chasing vulnerabilities rather than preventing them. Amit reframes the goal as engineering excellence:

“I want to be proud of my code. It should be secure, resilient, efficient, and fully optimized. That’s what I call engineering excellence.” — Ian Amit, CEO, Gomboc AI

Attackers only need to succeed once; defenders must be right every time. By closing the gap between development and operations, organizations can cut MTTR and reduce risk exposure.

Balancing Accuracy

Generative tools can accelerate development, but they introduce instability. “With that 10x code, you’re also getting 10x the bugs,” Amit explains. Deterministic approaches, by contrast, deliver repeatability and precision. Neither alone is a silver bullet. As Amit puts it: “Use generative to cut through tedious work. Use deterministic approaches to align output to your own standards. You don’t want someone else’s standards creeping into your environment.”

Seamless DevSecOps

The future of enterprise security isn’t about more checkpoints. It’s about weaving security into development pipelines, enabling distributed teams to collaborate without friction. Gomboc AI’s approach centres on reducing engineering toil and empowering enterprises to achieve fast, safe, and automated development.

Key Takeaways
Traditional shift-left security can create alert fatigue.
Generative tools speed development but may increase bugs.
Deterministic approaches offer accuracy and repeatability.
Mean time to remediate (MTTR) is the most critical success metric.
Collaboration across distributed teams is essential.
Security must integrate seamlessly with DevOps processes.

Chapters
00:00 Introduction to DevSecOps and Its Importance
03:08 Challenges in Traditional Shift Left Approaches
06:07 The Role of AI in Development and Security
08:58 Balancing Generative and Deterministic AI
11:52 Automation and Metrics of Success in Security
14:44 Collaboration in Distributed Teams
17:59 Integrating SecOps into Existing Processes
20:56 Future of AI in DevSecOps
23:53 Gomboc AI's Approach to Bridging Gaps

About Gomboc AI
Gomboc.ai is a cloud infrastructure security platform built to simplify and strengthen security at scale. By connecting directly to cloud environments, it provides complete visibility and protection across risks. Its deterministic engine automatically detects and fixes policy deviations in Infrastructure as Code (IaC), delivering tailored,...
In an era of AI, it’s no longer a question of whether we should use it; instead, we need to understand how it should be used effectively, conveys Sam Curry, the Chief Information Security Officer (CISO) at Zscaler. He believes that the growth of agentic AI is not meant to replace human security teams; rather, it aims to improve the industry as a whole.

In this episode of The Security Strategist podcast, host Richard Stiennon, an author and the Chief Research Analyst at IT-Harvest, speaks with Curry, Zscaler CISO, about the need for a shift to a model derived from authenticity, the role of agentic AI in security operations, and the criticality of awareness in adapting to changes brought by AI. The conversation also touches on the necessity of establishing trust and accountability in AI systems, as well as the implications for cybersecurity professionals in an increasingly automated world.

AI Allows Easy Transition to Complex & Strategic Work

The cybersecurity industry is constantly warring against malicious actors. As attackers become more skilled, especially with AI now in the picture, security professionals must step up their skills just to keep pace with the advancements brought by AI. Instead of taking away jobs, AI enables security experts to break free from repetitive manual tasks. Such a transition allows them to focus on more complex and strategic work.

"We spend a lot of our time in the SOC doing manual tasks repetitively and trying to glue things together," Curry says. "When you manage not to think about the tools, your ability to perform a task improves drastically."

AI adoption brings other changes that also help IT teams find better ways to perform their jobs. They move from simple detection and response to a more proactive approach to security. Curry believes that in this new environment, there will still be plenty of jobs; they'll just be more engaging and valuable.

Ethics & Logic are Crucial to Work With AI

For universities and educational institutions, the rise of AI in cybersecurity poses a significant challenge. The traditional emphasis on technical certifications like Certified Ethical Hacking and Security+ is no longer adequate. Future jobs will demand a deeper understanding of fundamental principles.

"They're going to have to walk over to the philosophy department," Curry explains. "They'll probably need to engage with the social sciences department. Understanding ethics and logic is crucial because they have to work with AI and assess whether the information it provides is logical."

The key is coding and running scripts, but most importantly, it’s learning to collaborate with AI as a partner....
It has been eight years since the NIST Special Publication 800-190: Application Container Security Guide was published, and its recommendations remain central to container security today. As cloud-native applications have become the foundation of modern enterprise IT, securing containers has shifted from an afterthought to a critical priority.

In this episode, Richard Stiennon, Chief Research Analyst at IT-Harvest and host of Security Strategist, discusses container security with John Morello, CTO and Co-Founder of Minimus, and Murugiah Souppaya, Former Computer Scientist at the National Institute of Standards and Technology (NIST). Together, they focus on NIST Special Publication 800-190, exploring its role in providing best practices for securing containers, the recommendations outlined in the guide, and the approach required for effective container security. The conversation also examines current best practices and the future of container security, emphasizing the importance of compliance and the integration of security throughout the development lifecycle.

Why NIST SP 800-190 Still Matters

NIST’s framework was designed for both government and industry, offering guidance on how to:
Integrate security early in the application lifecycle.
Apply a holistic approach from hardware to workload.
Build with minimalistic and secure container images.
Maintain compliance with regulations and standards.
Continuously monitor and update security practices.
Understand the full container lifecycle from creation to retirement.

As Murugiah Souppaya explains: “We want to make sure that people think of container security holistically, and also think about the full lifecycle management of the container itself. Like anything else in the enterprise, you want to look at this end-to-end and fill those gaps.”

Insights on the Development of Container Security

NIST SP 800-190 arrived at a time when containers were new to most organizations. Now, they have become the standard way to deploy applications at scale. John Morello recalls: “Around 2016 or so, containers were pretty new in the world. Containers and containerization in other forms had existed in the past, but it was really becoming a mainstream technology that was commonly used across many organizations.”

This fast-paced adoption forced organizations to rethink their security culture. Containers required not only new technical controls, but also a shift in mindset: security had to be built in from the start.

Takeaways
Container security became critical with the rise of cloud-native applications.
NIST aims to provide guidance for both government and industry.
The 800-190 guide offers a framework for securing containers.
Security must be integrated early in the application lifecycle.
Containers require a shift in security culture and practices.
Holistic security involves securing hardware to workload.
Best practices include using minimalistic and secure images.
Compliance with regulations is essential for container security.
Continuous monitoring and updating of...
AI is rapidly changing how cybercriminals operate. Social engineering, once easy to spot, has entered a new era. Phishing emails that used to be riddled with spelling mistakes and clumsy language are now polished, persuasive, and tailored using data scraped from social media and other online sources. The result? Messages that look legitimate enough to trick even the most security-aware employees.

In this episode of Security Strategist, host Trisha Pillay sits down with Kevin O’Connor, Director of Threat Research at N-able, to unpack how AI is reshaping phishing and what it means for businesses, especially small and medium-sized organizations that often lack the resources to keep up. Drawing on insights from the N-able Threat Report, O’Connor explains why traditional defenses and old-school user training aren’t enough to stop today’s AI-crafted scams.

O’Connor says: “In the past, phishing emails were easy to spot, you’d see clumsy grammar mistakes, generic wording, they were just very obvious. But with the new wave of AI-enabled phishing emails, we’re seeing tailored attacks that pull from social media profiles and other sources. These messages are highly polished, they look convincing, and the worrying part is that attackers can now do this at scale. That means even IT professionals and security pros are at risk.”

Why Even Experts Are Falling for AI-Powered Phishing

Drawing on insights from the latest N-able Threat Report, this is why the shift is so dangerous:
AI is changing the landscape of social engineering. Messages are tailored, credible, and increasingly difficult to block or filter.
Phishing emails are now more convincing than ever. Attackers can create unique, targeted scams instead of blasting out obvious mass emails.
Even experts are vulnerable. IT teams and security professionals are no longer immune.
User training must evolve. Old advice like “look for spelling mistakes” won’t cut it anymore. Employees need new skills to recognize modern threats.

The conversation also looks ahead at what enterprises can do now to strengthen defenses, update training, and prepare for a future where AI will play a role on both sides of the cybersecurity battle.

Takeaways
AI is changing the landscape of social engineering.
Phishing emails are now more convincing than ever.
Even tech-savvy employees can fall for scams.
SMBs are increasingly targeted due to their vulnerabilities.
User training must evolve to address modern threats.
Two-factor authentication is critical for financial transactions.
Organizations need to know their data exposure.
Incident response planning is essential for preparedness.
Automated responses can enhance security measures.
The threat of compromise is a matter of when, not if.

Chapters
00:00 Introduction to AI-Driven Threats
02:09 The Evolution of Phishing with AI
05:42 The Rise of Attacks on SMBs
08:56 Preventative Measures for Organizations
12:36 The Future of AI in Cybersecurity

About Kevin O’Connor
Kevin O’Connor is the Director of Threat Research at a...
"What we're seeing as a response to coding agents is one of the biggest risks in security vulnerabilities to date,” said Jaime Jorge, Founder and CEO of Codacy. “It's almost like a game to see how fast we can exploit vulnerabilities in some of these applications that are created so quickly."

In this episode of The Security Strategist Podcast, Richard Stiennon, Chief Research Analyst at IT-Harvest, speaks with Jaime Jorge, the Founder and CEO of Codacy, about secure software development in the age of AI. The speakers talk about how quickly coding is evolving due to AI tools, the rise of autonomous coding agents, and the major security issues that come from this faster development. Jorge emphasised the importance of maintaining security practices and highlighted Codacy's role in providing thorough security analysis to ensure that AI-generated code is safe and reliable. The discussion also looks at the future of AI in software development and what IT leaders need to do to manage these changes.

Software Development in an Era of AI
The world of software development is changing dramatically, the Codacy founder conveyed on the podcast. With AI tools like GitHub Copilot and Cursor becoming mainstream, developers are writing code faster than ever. Host Stiennon refers to this new era as "vibe coding," meaning the ability to create code at an incredible speed.

However, this speed can bring serious and risky consequences. Data has shown that AI-generated code often has vulnerabilities. Some studies have found that these vulnerabilities can reach as high as 30-50 per cent. A Front Big Data study reported that 40% of the code suggested by Copilot had vulnerabilities. “Yet research also shows that users trust AI-generated code more than their own.” This trend is widening the gap between quick development and secure, enterprise-grade software.

How to Keep up With Autonomous Coding Agents?
“Without a doubt, one of the most significant trends that we're seeing is coding agents,” the CEO of Codacy told Stiennon. “Autonomous coding agents are becoming extremely skilled at taking a prompt and creating full-fledged products, getting even to the intentions that users have.”

However, the challenges of autonomous agents cannot be denied. Jorge believes this is more than just a technical issue. It reflects a basic misunderstanding of how to use these powerful new technologies.

He pointed out that it's dangerous to assume we can completely hand over decisions about the code generated by AI. Important software development practices, such as building security into the design and having human code reviews, shouldn't be overlooked. The convenience of using AI to quickly generate code for a project means we have a greater responsibility to review the code ourselves, to evaluate it, or to ensure that other people approve it.

Jorge’s key message to CISOs, CTOs and IT decision-makers is that AI is here to stay and that their teams are already likely using it. This wave is hard to ride, but “you have a choice in how to ride it.”

"AI-generated code can secure our tools, and our agents are empowered with security capabilities. You can move fast if you have the right guardrails."

The best practices Codacy developed over decades, such as...
"When you're encrypting the traffic and giving the keys only to the owner of the traffic, it provides a specific door for attackers to walk right in,” stated Eva Abergel, the Senior Solution Expert at Radware.

In this episode of The Security Strategist Podcast, Richard Stiennon, the Chief Research Analyst at IT-Harvest, an author and a trusted cybersecurity advisor, speaks with Abergel about how Hypertext Transfer Protocol Secure (HTTPS) encryption is creating new challenges for cybersecurity professionals. They also talked about how DDoS attacks have changed to take advantage of new weaknesses that are hidden in plain sight within encrypted traffic, and what organisations need to do to improve their defences.

HTTPS Encryption Creating Challenges for Defenders
Hypertext Transfer Protocol Secure (HTTPS) encryption is known to have made the internet safer, especially from DDoS attacks. However, it has also created new opportunities for attackers. Threat actors in the modern day are leveraging encrypted traffic to camouflage malicious activity. Unfortunately, traditional cybersecurity tools have been unsuccessful at spotting and blocking these hidden attacks, simply because they cannot decrypt the traffic that carries them.

Abergel says that unless an organisation can decrypt the traffic, it cannot see what's inside, allowing sophisticated DDoS attacks to go undetected. This presents a dilemma for IT decision-makers, as they are understandably reluctant to surrender the "keys to their castle" by allowing a third party to decrypt their traffic.

Especially with the rise of “tsunami attacks”, in other words DDoS attacks, the network layer becomes more vulnerable. Attackers deliberately target the application layer of a protected network to overwhelm the application, not the entire network. Essentially, hackers take advantage of a grey area in cybersecurity, explains Abergel.

"WAFs are not equipped to deal with sophisticated web DDoS attacks. And network layer mechanisms and defences for DDoS attacks cannot recognise a DDoS attack on the application layer only by looking at the network layer."

This means attackers have found a comfortable and effective spot to launch their campaigns, often without severe consequences.

Also Watch: From Prompt Injection to Agentic AI: The New Frontier of Cyber Threats

How to Protect Your Business Without Compromising Your Keys
What is the solution when an organisation can't share its encryption keys? This is a major concern, especially for regulated industries that are legally prohibited from sharing this sensitive information with even the most trusted cybersecurity firms. To learn more about the solution, and how Radware can help you defend against modern cybersecurity threats, watch the podcast on EM360tech.com. You can watch the video version on our YouTube channel, @EM360Tech, or listen to the audio version on EM360Tech’s Spotify series, The Security Strategist podcast.

Takeaways
- DDoS attacks have evolved significantly since their...
“For a long time, we focused on defending the perimeter and thought that was enough to keep businesses safe,” stated Ram Varadarajan, CEO and Co-founder of Acalvio. “It’s like putting locks on doors. The problem is that more people are finding ways to cross those boundaries and enter your business at an alarming rate.”

In the recent episode of The Security Strategist podcast, Chris Steffen, the Vice President of Security Research at Enterprise Management Associates (EMA), sits down with Varadarajan to talk about how deception is changing threat detection in compromised enterprise environments. The CEO of Acalvio, alluding to the main issue in modern cybersecurity, explains that the old security model, which aims to create an impenetrable perimeter, is no longer enough. Attackers, equipped with more advanced tools, are discovering new methods to bypass these defences. The old "fortress mentality" is outdated.

Assume Compromise!
Both Varadarajan and Steffen agree that modern-day cybersecurity is not a matter of if an attacker will get in, but of anticipating when the attacker will get in. This mindset, referred to as "assumed compromise," means that a determined attacker will eventually find a way inside your network, especially with AI in the picture.

Varadarajan explains, "The defender has to be right all the time in stopping the attacker at the door, whereas the attacker needs to be only right once to get past the perimeter and get inside the house."

This imbalance gives attackers a significant edge. The vast number of entry points, from on-premise systems to cloud services and remote access, makes it impossible to secure each one perfectly. Consequently, the focus should be on what happens after an attacker is inside.

So, how are businesses approaching such constantly looming threats?

Deception: A Preemptive Strike
This is where deception technology becomes an effective, proactive defense strategy. Instead of waiting for a breach to happen and then trying to fix the damage, deception actively engages and misleads the attacker.

"If you're assuming that the attacker is going to be inside, the question is how do you find these attackers and bad actors quickly and precisely so that you can conduct the enterprise's business?” elucidates Varadarajan.

Deception technology creates a web of fake assets, data, and credentials, forming a digital minefield for attackers. When an attacker tries to move laterally through the network or gain higher privileges, they interact with these decoys. This interaction provides an immediate, clear signal that a malicious actor is present, allowing defenders to stop them before they can reach their real target.

The old methods of securing a network are no longer enough, agree both Varadarajan and Steffen. The rise of sophisticated, AI-driven attacks requires a new, proactive approach.

"Preemptive defense based on deception is a very legitimate and well-understood way of solving this problem,” stated Varadarajan.

Enterprises are advised to switch strategy from defending the perimeter to actively deceiving and identifying attackers within the network. This would help organisations regain control. Deception...
Passwords remain one of the weakest links in enterprise security. Despite advances in multi-factor authentication (MFA), recent data breaches show that attackers continue to bypass traditional protections. In this episode of The Security Strategist, host Trisha Pillay speaks with Nic Sarginson, senior solutions engineer at Yubico.

Together, they explore the vulnerabilities of passwords and conventional MFA, and why phishing-resistant authentication is no longer optional; it’s a strategic imperative for chief information security officers (CISOs).

"Passwords alone just don’t cut it," says Sarginson. Hackers can launch sophisticated attacks in minutes, and traditional MFA often isn’t enough to stop them. Organisations should turn to device-bound passkeys and physical security keys not just as tools, but as a way to rethink enterprise security, stay ahead of compliance pressures, and embrace a passwordless future.

"Attackers can now launch sophisticated campaigns quickly and cheaply using publicly available data. That’s why breaches today are far more dangerous, and why weak MFA or social engineering is often involved."
Nic Sarginson, Yubico

Why This Matters for CISOs
Cybersecurity leaders face growing pressure to defend against phishing attacks, navigate evolving compliance demands, and deliver secure experiences for users. Sarginson shares practical strategies, expert insights, and real-world examples to help CISOs and IT leaders build a stronger, passwordless future.

Takeaways
- Passwords are fundamentally broken and pose a major vulnerability.
- Recent breaches highlight the inadequacy of traditional MFA.
- Device-bound passkeys offer stronger protection against phishing.
- Integration of new security methods is a significant challenge for enterprises.
- Real-world case studies show measurable improvements with security keys.
- Regulatory frameworks are increasingly mandating strong MFA.
- Phishing resistance must become the default in security strategies.
- The technology for passwordless solutions is now prevalent.
- Security leaders must advocate for proactive security measures.
- User education is crucial for the adoption of new security technologies.

Chapters
00:00 Introduction to Authentication Challenges
02:15 The Impact of Recent Data Breaches
05:30 The Entrenchment of Passwords and MFA
08:22 Exploring Device Bound Passkeys
11:20 Integrating Physical Security Keys
14:34 Real-World Case Studies and Metrics
17:24 Regulatory Pressures and Future Trends
20:27 The Path to Passwordless Security

About Nic Sarginson
Nic Sarginson is a senior solutions engineer for UKI and RSA at
"With every technological wave, technology weaponises very quickly. You can create targeted attacks at an unprecedented scale, a human-centric attack at a scale that's never been before humanly possible,” states Sage Wohns, CEO and Founder of Jericho Security.

In this episode of The Security Strategist podcast, host Richard Stiennon, Chief Research Analyst at IT-Harvest, speaks with Wohns about modern-day cybersecurity threats driven by AI. They discuss the need for a strong security culture, innovative training methods, and the importance of adapting to new attack vectors. The founder of Jericho Security, an AI-powered human risk management platform, talks about the shift from traditional rule-based defences to probabilistic approaches. Additionally, Wohns spotlighted the necessity of using AI to counter AI in the fight against cyber threats.

Generative AI: A Cause for Concern in Cyber Security
The speakers agree that every organisation today has one common and new challenge: the rise of generative AI. Gen AI is a tool being adopted quickly and widely in cyber tech. “We have moved past simple, templated attacks to a new era,” said Wohns. Threats have now become more dynamic, personalised, targeted and scalable in ways the world has never witnessed before.

For years, cybersecurity training has depended on static, rule-based defences. Consider those generic phishing emails from a "Nigerian Prince" or a fake Google logo. However, as Wohns points out, attackers no longer follow a script. They are using AI to create complex, multi-channel attacks that can take advantage of publicly available information and stolen data to target individuals.

This new reality shows that old "checkbox training" is outdated. An attack on a salesperson will differ significantly from an attack on an accountant, and both will be tailored to exploit specific weaknesses. These attacks go beyond emails; they include deepfake voice calls, fake videos, and coordinated messages that blur the line between what is real and what poses a threat.

Takeaways
- AI is rapidly changing the landscape of cyber threats.
- A strong security culture is essential for organisations.
- Traditional training methods are outdated and ineffective.
- Probabilistic defences are needed to counter dynamic attacks.
- Creating a positive security culture encourages reporting mistakes.
- Multi-channel attacks are becoming more sophisticated.
- Generative AI can be used to simulate realistic attacks.
- Tailored training can enhance employee engagement and effectiveness.
- Using real-world data makes training relevant and impactful.
- AI solutions must evolve to keep pace with attackers.

Chapters
00:00 Introduction to Cybersecurity and AI Threats
03:01 The Evolution of Cyber Threats
05:50 Innovative Approaches to Security Training
08:55 Probabilistic Defences vs. Rule-Based Systems
11:49 Creating a Positive Security Culture
15:02 Multi-Channel Attacks and Emerging Threats
18:13 Key Takeaways for IT Decision Makers

About Jericho...
When cybercriminals breach an organization, they're not just after one piece of data; they're hunting for the keys that unlock everything.

"Think of Hardware Security Modules (HSMs) like a master vault in a bank for an entire organization's digital security," said David Close, Chief Solutions Architect at Futurex. More than just an analogy, this is the reality of how modern enterprises are secured.

Cybersecurity is full of complexities despite various advancements. Some aspects of it run constantly behind the scenes and occasionally go unnoticed until a breach strikes. Among these essential elements, Hardware Security Modules (HSMs) play a key role in maintaining digital trust. In a recent episode of The Security Strategist podcast, Richard Stiennon explores with Close why HSMs have become the invisible guardians protecting our digital lives.

What is a Hardware Security Module (HSM)?
At its core, a Hardware Security Module (HSM) is specialized, tamper-proof hardware that protects cryptographic keys and performs cryptographic operations. Close uses an analogy to describe an HSM, stating it's "the vault where you store all the keys to everything. The vault keys, the safety deposit keys, even the digital keys to the security system itself."

Born in the early 1980s for the payment industry, HSMs have evolved into the root of trust for almost every sector. They verify authenticity and safeguard encryption for tasks like processing payments, signing code, issuing identities, and encrypting sensitive data. "If someone gets into the master vault, they don't just have access to one thing. They have access to everything," says Close, illustrating the importance of HSMs for stronger security. This is why regulatory bodies like PCI mandate HSM usage for organizations handling sensitive payment data.

To make HSMs more accessible and user-friendly, Futurex's main solution is CryptoHub Cloud. It works as an HSM as a Service (HSMaaS). Close describes HSMaaS as not just a cloud version of an HSM but a "centralized cryptographic service provider." Unlike some solutions that operate in shared cloud infrastructure, Futurex's CryptoHub Cloud runs in purpose-built cryptographic environments that are fully isolated. This approach gives customers full control, predictable performance, and independence from the cloud provider's native crypto stack, which is also an important factor for organizations in regulated industries.

HSMs Enforce Policy
"HSMs don't just solve crypto problems,” says Close, “they create predictability and enforce policy, also allow you to have a true security model that is effective at scale."

In a world that depends more on digital systems, it is essential to understand and use the power of HSMs. They act as invisible protectors, making sure our most sensitive digital assets remain secure and trustworthy.

Takeaways
- HSMs are essential for protecting cryptographic keys and sensitive data.
- The evolution of HSMs has made them easier to use and integrate into cloud environments.
- Crypto agility allows organizations to adapt to new cryptographic algorithms without replacing existing infrastructure.
- HSMs enforce strict access controls and audit logs for all cryptographic operations.
- Regulatory bodies mandate the use of HSMs for managing sensitive payment data.
- HSMs provide a physical layer of security that software alone cannot...
"In this technology-centric world, where we see new advantages, new paths, new adventures, at the end of the day, the other side of the screen is always a human being,” Bartosz Skwarczek, Founder & President at G2A Capital Group, reflectively said.

The quote sets the tone of the recent episode of The Security Strategist podcast. In this episode, Shubhangi Dua, Podcast Host and Producer, sits down with Skwarczek, an award-winning CEO recognised by Forbes. They talk about the evolution of online marketplaces, the importance of security, and the role of people in business. They discuss the challenges of operating a global marketplace, the significance of diversity in teams, and the future of payment security technologies. Bartosz emphasises the importance of a proactive approach to cybersecurity and the use of AI in business operations. He also highlights the essential role of human values and communication in creating a successful organisation.

Proactive and Multi-Layered Approach to Cybersecurity
Security is a top priority for G2A, Skwarczek articulated. He adds that it's a "constant improvement" and a "kind of battle that you have with the bad actors." To stay "one step ahead of attackers," G2A deploys a multi-layered defence strategy.

The multi-layered strategy starts with careful monitoring of threat intelligence channels to ensure the organisation stays on top of the latest threats, vulnerabilities, and methods used by malicious actors.

A dedicated incident response team has clearly defined roles and responsibilities. They can respond immediately to any security incidents, especially those related to different types of fraud, such as friendly fraud (chargeback fraud) or traditional credit card fraud.

Skwarczek says that employee training is extremely important. G2A conducts mandatory training every month for its employees, ensuring they know how to avoid common mistakes like phishing emails, especially considering that over 3 million phishing emails are sent every day.

Skwarczek also emphasises the importance of ongoing audits. Alluding to the constantly changing market, he says cyber criminals constantly devise new tricks. This is why frequent evaluations are needed to ensure G2A is moving in the right direction.

AI, Blockchain, and the Future of Payment Security
Looking ahead, Skwarczek talked about the future of payment security. He recognised the complicated relationship between new technologies and strict regulations.

The payment industry is inherently "conservative because it's regulated," he added, with extensive regulatory frameworks that ensure the safety of people's money. This intentional pace, however, coexists with rapid technological advancements. Skwarczek specifically pointed to the growing influence of AI and blockchain.

While AI offers immense
Artificial intelligence (AI) is on everyone’s mind, and its impact doesn't escape the cybersecurity industry. Industry experts acknowledge not just the benefits but also the cybersecurity threats of AI integrations.

As Pascal Geenens, Director of Threat Intelligence at Radware, puts it, "It's AI, so everything is changing weekly. What I talked about two weeks ago has already changed again." The constant change means that malicious actors are not just adopting AI, they're leveraging it to create new threats at a striking pace.

In this episode of The Security Strategist Podcast, Richard Stiennon, an industry analyst, author and Chief Research Analyst at IT-Harvest, speaks with Geenens. They discuss how cybersecurity threats are enhanced by AI. This includes how attackers are using AI tools, the implications of new technologies like agentic AI, and the challenges posed by AI advancements. The conversation also touches on the role of nation-states in utilising AI for cyber operations, the concept of vibe hacking, and the future of interconnected AI agents.

AI-Driven Attacks Fuelled by Prompt Injection
Malicious hackers evidently first used AI in 2023, specifically through prompt injection attacks on large language models (LLMs) such as ChatGPT. Attackers would find "evasion techniques" to bypass ethical guardrails, asking questions indirectly to generate malicious scripts or gather information for attacks. Geenens says, "If you would ask the direct question, how can I commit a murder and get away with it? He would say, no, no, no, that goes against my ethical principles. But there are ways around it."

The game changed with the emergence of offline models and specialised services like WormGPT and FraudGPT. These models, distilled from larger ones and enhanced with hacking-specific information from underground forums, lowered the barrier to entry for aspiring cyber criminals. "They created their own model and sold it as a service underground. And that model was geared towards helping anyone with questions to interact with a prompt and to make their malware better, increase the effectiveness of their malware," explained Geenens.

This accessibility meant that "more actors would actually move from script kiddie level to a more sophisticated level." Teenagers, in particular, took advantage of these AI assistants. They provided a friendly, non-toxic environment to learn and develop hacking tools, unlike the often unwelcoming underground forums.

The Rise of Agentic AI & Automated Exploits
In 2024, the focus shifted to AI agents, which provide attackers with automated workflows. Unlike LLMs, agents can interact with their environment, gather updated information, execute tools, and even spawn new agents that communicate with each other. "You can have a manager agent that says, okay, I need to develop something. It’s a big problem here. I need to develop a tool. I have an agent that does
"The thing to challenge is the fact that fraud prevention is a vertical by itself," says Guido Ronchetti, CTO at XTN Cognitive Security. He stresses that recent fraudulent trends exhibit "no real separation between fraud, cybersecurity, and AML.”

In this episode of The Security Strategist podcast, Jonathan Care discusses fraud prevention with Ronchetti and Paolo Carmassi, Head of Sales at XTN. They explore the connection between fraud, cybersecurity, and artificial intelligence (AI), emphasising the need for a holistic approach to tackle modern fraud challenges. The conversation further spotlights how to take advantage of local identity and data privacy as competitive advantages, particularly in Europe. The speakers discuss emerging threats such as shell game malware.

The relation between fraud, cybersecurity, and AI is apparent in scenarios like authorised push payment fraud. It often involves an initial data breach, followed by social engineering, and culminating in financial fraud.

Future of Fraud Prevention
To effectively fight such threats, a detailed picture of the entire "kill chain" is critical. It should include expertise from cybersecurity and anti-money laundering (AML).

Expanding on “kill chain,” Carmassi says that "fraud is no longer a case of just the banking industry or the financial services at large. It's something that is starting to spill out into other industries as well." The head of sales points to examples in gambling, with issues like account takeover and bonus abuse, and even the automotive sector, where app vulnerabilities could lead to physical security threats. The emergence of sophisticated bots further complicates this space. That makes a unified defence strategy pressing across all sectors.

Alluding to an example, Ronchetti explained, "Last year we were dealing with one of the top 10 European banks. The reason for that was GDPR." The bank had to replace a well-established American vendor after over a year of a Proof of Concept (POC). This was because the vendor's data-sharing practices, particularly with clients outside the European Union, clashed with GDPR requirements. This incident stresses the importance of a provider's ability to tackle the complex European regulations. The upcoming AI Act further accentuates this divide, with European and US approaches to AI regulation diverging significantly.

The episode concludes with insights on the future of fraud prevention, focusing on trust and the integration of behavioural biometrics.

Takeaways
- Fraud prevention must integrate with cybersecurity and AI.
- The traditional view of fraud as a silo is outdated.
- Emerging technologies blur the lines between industries.
- GDPR sets a global standard for data privacy.
- Cultural and geographical factors influence fraud solutions.
- New threats like shell game malware are evolving.
- Younger demographics are becoming targets for fraud.
- Trust is essential for competitive advantage in fraud prevention.
- Behavioural biometrics can enhance identity validation.
- A holistic view of fraud prevention is necessary.

Chapters
00:00 Introduction to Cognitive Security
04:01 Rethinking Fraud...