In this episode, Michael Piacente shares insights on career transitions in IT and security, the evolving role of CISOs, and the impact of AI on security talent and practices. Discover how community, storytelling, and strategic hiring shape the future of cybersecurity leadership.

Resources

The 2026 Global CISO Leadership Report

Hitch Partners

NIST AI Framework

Send a text

In this episode, Nathanial Quist, also known as ‘Q’ returns along with Dr. Jay Chen, both of whom listeners might recognize from our inaugural episode where we discussed how common identity misconfigurations can undermine cloud security. Both Jay and Q are threat researchers with Palo Alto Networks Unit 42. Unit 42 is the global threat intelligence team at Palo Alto Networks and a recognized authority on cyberthreats, frequently sought out by enterprises and government agencies around the world.

In our conversation, they discuss what they found in their latest Cloud Threat Report examining the impact of the COVID-19 pandemic. We explore how the tremendous increase in remote work has affected cloud security and why Jay is more concerned over the number of mistakes that people are making, rather than the type of mistakes. Tuning in you’ll hear what organizations can do to curtail the recent rise in security incidents and some interesting observations that Q and Jay learned from their data, such as the fact that even malicious hackers need a holiday and don’t want to spend all their time in front of a computer cryptojacking :-)

Key Points From This Episode:

• Cloud security incidents grew, on average, 188% pre vs. post COVID-19 discovery.
• Retail organizations saw the greatest increase in security incidents at 402%.
• The cloud is no longer for low-impact data: 69% of data is PII.

Tweetables:

“We saw a decrease in crypto mining operations during the holiday period between December 24th through January 3rd. It just kind of goes to show that even malicious crypto miners want to take a holiday.” — Nathanial Quist [0:25:26]

“Standardization can help you find the issue but automation can help you to prevent or mitigate [it].” — Jay Chen [0:32:02]

Links Mentioned in Today’s Episode:

Cloud Threat Report

Clip from Tommy Boy

Nathaniel Quist on LinkedIn

Jay Chen on LinkedIn

Cloud Security Today

Send a text

While most companies have significantly increased their investments in SaaS, they have not updated their security controls and processes to ward off threats posed by this medium. Leaving SaaS security to Cloud Access Security Brokers (CASB) is not sufficient. The security controls need to be placed around the data, APIs, and applications that are running inside a cloud environment, not outside its perimeter. This is the kind of security that AppOmni provides and today we have its CEO, Brendan O'Connor on the show to dive deeper into the subject of SaaS security.

We begin with Brendan’s journey into IT and security and hear a bit more about what makes him tick. From there, we dive into the subject of security in the cloud as it pertains to SaaS specifically. Brendan does a great job of explaining why SaaS platforms are subject to so many misconfigurations and why these are not being recognized by security teams. He gets into how the cloud infrastructure is set up and uses a few brilliant analogies to describe how an attacker might get into a SaaS platform without security ever realizing. He talks about some basic security measures companies need to take and shares more about how solutions like AppOmni can automate security. For insight into the vulnerabilities of SaaS and how to guard against them, tune in today!

Key Areas From This Episode:

• Curiosity and a love for solving problems is Brendan’s method for keeping his edge.
• Brendan’s recommendations for security guardrails that always need to be in place.
• Hear Brendan’s argument about the need for automated SaaS security.
• Brendan’s recommendations for setting up and measuring SaaS security.
• Advice from Brendan about how security teams need to adapt in light of Solar Winds.

Tweetables:

“Companies have significantly expanded their SaaS investment and footprint and the SaaS applications themselves have really grown in complexity. Most companies haven't updated their security controls to support SaaS, or invested in new technology to manage this problem. That's where AppOmni comes in.” — @AppOmniSecurity [0:01:54]

“I love solving puzzles. Enterprise security at scale is a hard problem. It's a puzzle. There is not a one-size-fits-all solution.” — @AppOmniSecurity [0:05:29]

“SaaS applications are becoming closer to operating systems in the cloud than a single simple web app. You can't watch what every individual is doing. You have got to put guardrails in place.” — @AppOmniSecurity [0:20:30]

“SaaS is a fundamentally different architecture than hosting things on-premise. You need to rethink, what is the value that you get from your security tools? How can you get that value today in an automated fashion in these new systems that support that new architecture?” — @AppOmniSecurity [0:24:44]

Links Mentioned in Today’s Episode:

Matt Chiodi on LinkedIn

Matt Chiodi on Twitter

Brendan O’Connor on LinkedIn

App

Send a text

Keeping it simple is Brett’s mantra, and it has led to a great amount of success for him and the company he works for. As a security leader at Zoetis, the world’s largest animal healthcare company, Brett has managed to get ahead of the business in terms of adopting cloud securely. Although it may sound boring, standardizing security processes was a key element in the journey to automation for the Zoetis SOC.

In today’s episode, Brett also talks about how he ended up in the world of cybersecurity after majoring in ecommerce, the different facets that make up his current role at Zoetis, as well as some of the tools that are extremely useful to Brett and his team. Brett also opines on how automation has led to a reduction in talent-drain on his team. We also briefly delve into the SolarWinds hack and how this changed the way Brett thinks and approaches supply chain security.

Key Points From This Episode:

• Getting ahead of the business, build it before they come!
• Standardization MUST come before automation.
• Automation reduces talent-drain.
• Metrics that Brett and his team follow up on constantly.

Tweetables:

“Standardization...I just live and die by our process. We're very process-oriented. You can do that in the cloud but you have to take time to do that, and that's how it should be done.” — Brett Tode [0:10:38]

“Your standardized processes are the things that really are going to keep you in control and keep you effective over time. Automation is really cool and great because it's going to save us time. But without that standardized process, you can never get to automation.” — Brett Tode [0:13:04]

“In almost everything I do, I try to keep things simple. Don't try to make something so complex from the get-go because it’s just never going to work.” — Brett Tode [0:24:49]

“We’re always going to strive to be better. I think everyone should do that because making yourself better is just providing more value for the company. At the end of the day, that's what we're all supposed to be doing.” — Brett Tode [0:25:52]

Links Mentioned in Today’s Episode:

Brett on LinkedIn

Zoetis Careers

Send a text

This episode of the Cloud Security Today podcast is a little different from the others because this time host Matthew Chiodi gives the interviewer’s seat over to Yousuf Khan and they talk about an exciting new development in Matt’s career.

Matt announces a big career move and talks about how he’s hoping to fix some of the biggest problems in SaaS security today. He tells Yousuf about his new role and the fresh approach that his new company is bringing to the field. At the end of the episode, they discuss working in a start-up environment and give advice to anyone considering working in a start-up.

If you enjoyed this episode, subscribe, or follow Cloud Security Today wherever you get your podcasts.

Timestamps

[0:28] Matt introduces the topic for today’s episode

[1:50] Exciting news from Matt about his latest career move

[5:10] Matt explains one of the biggest challenges in app security today

[7:25] How have we managed app security up to now?

[9:20] So how does Cerby work?

[11:32] Matt’s new role at Cerby and an outline of his first few months

[12:50] Why Matt likes working in a start-up environment

[14:05] How Matt became interested in Cerby

[16:20] What’s next for Cerby?

[18:10] The advice that Matt would give to anyone looking to join a start-up

[20:40] Yousuf adds his thoughts about working for a start-up

Episode Links
Ridge Ventures
Yousuf Khan's Linkedin Profile
Cerby's website
Matt's Linkedin Profile

Send a text

In this conversation, MK Palmore shares insights from his diverse leadership journey, spanning the Marine Corps, FBI, and cybersecurity. He emphasizes the importance of a people-centered leadership approach, the balance between technical and leadership skills, and the significance of effective communication. MK reflects on his experiences, the impact of mentorship, and the lessons learned from both successes and failures in leadership roles. MK highlights the challenges in attracting diverse talent to cybersecurity and the necessity of nurturing new professionals. He concludes with insights on continuous learning and the importance of maintaining a beginner's mindset.

Takeaways

• Diverse experiences shape leadership philosophy.
• Mentorship plays a significant role in professional development.
• Silence from leaders can lead to assumptions and uncertainty.
• Leaders should increase communication during times of uncertainty.
• Maintaining a mindset of continuous learning is vital for personal growth.

Chapters

00:00
Introduction to Leadership and Music

02:57
Diverse Leadership Experiences

06:05
The Importance of People-Centered Leadership

09:05
Technical Skills vs. Leadership Skills

11:49
Communication as a Leadership Skill

14:53
Learning from Mistakes in Communication

18:01
The Impact of Silence in Leadership

20:44
Navigating Uncertainty in Leadership

25:06
Bridging the Gap: Technical and Business Communication

30:22
Building Personal Brand and Eminence

32:53
Overcoming Barriers in Cybersecurity Talent Acquisition

38:31
Staying Sharp: Continuous Learning and Adaptability

Send a text

Summary
In this conversation, Chris Hetner discusses the evolving role of boards of directors in cybersecurity, emphasizing the need for improved communication and understanding of cyber risks. He highlights the challenges boards face in adapting to new SEC rules and the importance of leveraging AI responsibly. Hetner also shares insights on tools for quantifying cyber risk and prioritizing investments while advocating for continuous learning and proactive engagement with board members.

Takeaways

• Boards are becoming more aware of cybersecurity risks.
• Cybersecurity discussions often receive limited airtime in board meetings.
• The SEC's new disclosure rules can drive more frequent discussions on cyber risk.
• AI governance is crucial as AI technologies become more prevalent.
• Collaboration with general counsel and risk officers is essential.

Chapters

00:00 Introduction and Background on Cybersecurity and Boards
03:05 Current Challenges Facing Boards in Cybersecurity
06:11 Understanding Cyber Risk and Communication with Boards
08:58 Improving Board Engagement with Cybersecurity
11:56 Leveraging SEC Guidelines for Cyber Risk Discussions
15:02 The Role of AI in Cybersecurity Governance
18:05 Tools for Quantifying Cyber Risk
21:12 Prioritizing Cybersecurity Investments
24:02 The Importance of AI Governance
26:57 Staying Informed in Cybersecurity
30:13 Final Thoughts and Continuous Learning

Send a text

Episode Summary

On today’s episode, Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency, Allan Friedman, joins Matt to discuss SBOMs. As Senior Advisor and Strategist at CISA, Allan coordinates the global cross-sector community efforts around software bill of materials (SBOM). He was previously the Director of Cybersecurity Initiatives at NTIA, leading pioneering work on vulnerability disclosure, SBOM, and other security topics.

Before joining the Federal government, Friedman spent over a decade as a noted information security and technology policy scholar at Harvard’s Computer Science Department, the Brookings Institution, and George Washington University’s Engineering School.

He is the co-author of the popular text Cybersecurity and Cyberwar: What Everyone Needs to Know, has a C.S. degree from Swarthmore College, and a Ph.D. from Harvard University.

Today, Allan talks about SBOMs and their adoption in non-security industries, Secure by design and secure by default tactics, and how to make software security second nature. What, exactly, is the SBOM? Hear about how SBOMs could’ve helped against significant attacks, the concept of antifragility, and why vulnerability disclosure programs are so important.

Timestamp Segments

· [02:27] Allan’s career path.

· [05:10] Allan’s day-to-day.

· [06:15] What has been most rewarding?

· [08:00] SBOMs in non-security startups.

· [10:50] Real-world examples of Secure by Design tactics.

· [17:30] Will software security ever seem obvious to us?

· [19:30] What is the SBOM, and will it solve all our problems?

· [23:41] Could an SBOM have helped against the SolarWinds attack?

· [27:52] Memory-safe programming languages.

· [30:16] Misconceptions around Secure by Design, Secure by Default.

· [32:00] The importance of vulnerability disclosure programs.

· [35:37] Antifragility in cybersecurity.

· [41:47] VEX.

· [44:29] How to get involved with CISA.

· [48:00] How does Allan stay sharp?

Notable Quotes

· “Sometimes, organizations need a good excuse to do the right thing.”

· “It is bananas that software that we use, and pay for, still delivers with it not just the occasional vulnerability, but very real risks that require massive investments from customers.”

· “When tech vendors make important logging information available for free, everyone wins.”

· “The SB in SBOM doesn’t stand for Silver Bullet.”

Relevant Links

Email: sbom@cisa.dhs.gov

Website: www.cisa.gov

LinkedIn: Allan Friedman

Resources:

Open Source Security Podcast

Risky Business Podcast