• WOPR Was Right
    Jan 12 2026

    Recently and over the past few years, world events may have included cybersecurity components in their enactment. So Brian, Erik, and Dan started talking about the role of security in critical infrastructure protection, asking questions about the ethics and thresholds for government and corporate roles in cyber retaliation, and whether we as security practitioners have a role (or an obligation, or even a liability) to close vulnerabilities that can be used in primary or retaliatory scenarios. How much of human nature makes cyber retaliation a foregone conclusion, or can we find ways to reduce the need for, use of, or availability of ways in via the technology? From Stuxnet to Iran to Caracas, using cybersecurity is a prevalent vector of retaliation, but does it always have to be that way? Or will it end with WOPR’s recognition that the only way to win the game is not to play at all?

    It’s hard to talk about modern cybersecurity and not bring in current events, and even harder to keep it from turning political. We tried very hard to do a good job in the latter as we talked about the former.

    Thanks for being part of the debate!


    Show Notes:


    • Caracas Invasion - https://abcnews.go.com/International/explosions-heard-venezuelas-capital-city-caracas/story?id=128861598
    • Stuxnet Explained - https://www.csoonline.com/article/562691/stuxnet-explained-the-first-known-cyberweapon.html
    • Book Recommendation: Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon - https://geni.us/swbN
    • San Bernardino vs Apple - https://epic.org/documents/apple-v-fbi-2/
    • Movie Recommendation: Real Genius - https://geni.us/abYUYT
    • Book Recommendation: The Creature from Jekyll Island: A Second Look at the Federal Reserve - https://geni.us/SL21a
    • CIA Triad - https://cybersecuritynews.com/cia-triad-confidentiality-integrity-availability/
    • Book Recommendation: Atomic Habits - https://geni.us/Nn2GSYr
    • Michigan Council of Women in Technology - https://mcwt.org
    • Critical Infrastructure (Sectors) - https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
    • Shadowbrokers - https://www.theatlantic.com/technology/archive/2017/05/shadow-brokers/527778/
    • AI Prescriptions (Utah) - https://www.politico.com/news/2026/01/06/artificial-intelligence-prescribing-medications-utah-00709122
    • Japanese Omoiyari -
    45 mins
  • Signs, Signs. Everywhere A Sign.
    Dec 29 2025

    Rules are made and policies are established. But the “how” of implementing and meeting those regulations or policies will be very context specific. In this episode of the Great Security Debate, Dan, Erik, and Brian cover a number of key policies and requirements, some different ways to think about implementing them, and how the specific situation, company, and risk will affect the way you meet the rule. From driving a car to incident response and everything in between. We debate the need to look back at old rules and see if they all still make sense (a great programme called Kill Stupid Rules), flexibility in control implementation to meet evolving business needs and move quickly, and keeping the whole picture of the business, customer, and employees in mind.

    Thanks for Listening!

    Show Notes:

    1. Passing on the right in Michigan: https://legislature.mi.gov/Laws/MCL?objectName=MCL-257-637
    2. Overtake time in Triathlon: https://www.triathlete.com/training/race-tips/9-race-rules-didnt-know-breaking/
    3. Reflex Security (Agentic Tabletop Exercises and Training): https://reflexsecurity.io
    4. Kill Stupid Rules: https://www.wsb.com/blog/employee-retention-secret/
    5. GM Dress Code Change (2020): https://gmauthority.com/blog/2020/06/how-general-motors-ceo-mary-barra-changed-the-companys-dress-code-for-the-better/
    6. Silly State Rules: https://www.buzzfeed.com/rhiannacampbell/weird-old-american-laws-you-wont-believe
    7. Sex in Full Self Driving Cars (Clean): https://www.cbc.ca/news/science/sex-distracted-driving-1.3562029
    8. Movie Recommendation - The Usual Suspects: https://geni.us/wVrLOCB
    9. John Bingham, COO, Speak by Design: https://www.speakbydesign.com/about-us
    10. Movie Recommendation - Gremlins: https://geni.us/qE6NAC
    11. Movie Recommendation - Die Hard: https://geni.us/eMASs
    12. Movie Recommendation - Love Actually:
    54 mins
  • Agentic Dan
    Dec 15 2025

    We are back for another Great Security Debate.

    In this episode, we discuss the potential role of agentic AI in security, from true “copilot” to automated decider of things, and whether LLMs are just a really cool search engine. Brian, Erik, and Dan also debate the means and extent to which we could replace ourselves with agents and what the inhibitors and risks are (spoiler alert: trust and survival of that agent after employment were big factors), and how we train those agents on all the steps our brains take to make the decisions that humans make, and do so without polluting them with aspirational versions of ourselves (think: Instagram vs Reality). And it all leads to a parenting lesson by Brian and an automotive process lesson by Erik? It’s quite a debate.

    Thanks for listening! We might do one more episode in 2026, but if not, have wonderful holidays and a happy new year!

    Here’s the quote that Brian references at the end of the episode by Tolstoy:

    Patience is waiting. Not passively waiting. That is laziness. But to keep going when the going is hard and slow - that is patience. The two most powerful warriors are patience and time. The value lies not in reducing "power" (computational energy) but in leveraging that processing power to achieve outcomes that are difficult, slow, or impossible for humans to manage alone.

    Thanks for listening!

    Show Notes:

    • Reflex Security - https://reflexsecurity.io
    • Movie Recommendation: Multiplicity - https://geni.us/7vgKO
    • Plaid Privacy Policy - https://plaid.com/legal/
    • Prompts.ai - https://www.prompts.ai/en
    • Music Recommendation: Take On Me - A-ha - https://www.youtube.com/watch?v=djV11Xbc914
    • Book Recommendation: The Toyota Way - Book - https://geni.us/3LcpM
    • Book Recommendation: Six Sigma - https://geni.us/CS8ql
    • Book Recommendation: Matricide - https://geni.us/Xfn2MB
    • Book Recommendation: The Lorax - https://geni.us/Fy8X4b
    • Perplexity - https://www.perplexity.ai
    • TV Recommendation - Pluribus (Apple TV+) - https://tv.apple.com/us/show/pluribus/umc.cmc.37axgovs2yozlyh3c2cmwzlza

    Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

    49 mins
  • Give a Sh!t Posture Management
    Nov 17 2025

    On this week’s Debate, Brian brings a truckload of acronyms for more single panes of glass to help us consolidate our various single panes of glass, Erik may actually be Brian (or maybe Brian is Erik), and Dan confirms he still (and likely always will) spend the rest of his days living in the house he just built deep in the Trough of Disillusionment.

    What started out as a chat about some new technologies in the space turned into a treatise on the state of leadership and the future talent pipeline’s need for more curiosity (and why we think they are starved of the opportunity to learn to be curious). Along the way we talk about what motivates organisations to do security right from the get go vs leaving it alone based on difficulty to remediate, and the risk balances of both (think: productivity vs security). Throw in a little “binary opinions have dragged us into the mire” and you’ve got a full episode of The Great Security Debate.

    We also drop some hints about a new show coming from The Distilling Security network in 2026 called The Final Act, which will bring in guests in the later stages of their careers to talk about the urgency of our careers in security and tech, what they want to leave behind as legacy, and what they are doing to prepare their orgs for their eventual departure. Add on how they have given and will give back to the community, and what their successors want to see done before this first generation of security and tech leaders hits the road.

    Please subscribe and leave a comment. If you’d like to sponsor the network, please email sponsors@distillingsecurity.com

    Thanks for listening!

    Show Notes:

    • What is Data Security Posture Management (DSPM) - https://www.ibm.com/think/topics/data-security-posture-management
    • What is Identity Security Posture Management (ISPM) - https://www.sentinelone.com/cybersecurity-101/identity-security/identity-security-posture-management-ispm/
    • What is an Institutional Review Board (IRB) - https://www.hhs.gov/ohrp/education-and-outreach/online-education/human-research-protection-training/lesson-3-what-are-irbs/index.html
    • Lucy pulls the football (hand egg) away from Charlie Brown - https://www.youtube.com/watch?v=9dsm7K1Xkn4
    • Healthy foods are more costly - https://www.cnbc.com/2023/12/27/healthy-foods-are-often-more-expensive-heres-why.html
    • Why Ford cancelled the Bronco after OJ - https://www.slashgear.com/1560204/reason-ford-bronco-discontinued-after-oj-simpson-trial-explained/
    • Not enough data - GSD Episode 62 [Audio] - https://podcasts.apple.com/us/podcast/the-100-years-ai-flood/id1513770103?i=1000735045511
    • Not enough data - GSD Episode 62 [Video] -
    • Book Recommendation - Anxious Generation by Jonathan Haidt - https://geni.us/lDrdn3
    • Book Recommendation - The Coddling of the American Mind by Jonathan...
    55 mins
  • The 100 Years AI Flood
    Nov 3 2025

    The Great Security Debate is *back*! It’s been a busy year, but it’s time to get this show back on the air (and maybe on the road). Dan takes a break from the rat race, Erik took over the world, and Brian uses Elmer’s Glue to splice his network cables.

    Topics in the show this week:

    • AWS and Microsoft make the best cases for business continuity plans, the AI
    • Is public cloud reliable enough? Should we all move back to local data centres? How can we reliably assess that risk?
    • Want an AI Data Centre in your town? NIMBY vs Innovation!

    We will be back every 2 weeks on Mondays. Subscribe on YouTube at https://youtube.com/@greatsecuritydebate to see our smiling faces as you watch, or in your favourite podcast application to listen on your commute or with your whole family around the radio.

    See you on the 17th with more debates! And some entirely new shows are coming from Distilling Security very soon, too. Subscribe to the newsletter on our website https://distillingsecurity.com to hear all about them.

    Links to mentioned articles and topics:

    • AWS Outage - 20 October 2025 - https://www.bbc.com/news/articles/cev1en9077ro
    • Microsoft Azure Outage - https://www.wsj.com/tech/microsoft-hit-with-azure-365-outage-b3ac0724
    • 37Signals move from AWS to Data Centre - https://world.hey.com/dhh/our-cloud-exit-savings-will-now-top-ten-million-over-five-years-c7d9b5bd
    • 100 Years Flood - usgs.gov - https://www.usgs.gov/water-science-school/science/100-year-flood
    • Great Flood of 1937 - https://www.weather.gov/lmk/flood_37
    • Impact of Jaguar Land Rover Incident - https://www.bbc.com/news/articles/c0qpl0v3gnzo
    • CDK Attack and Outage - https://www.industryweek.com/technology-and-iiot/article/55091142/major-cybersecurity-breach-affects-auto-manufacturers
    • Russian grain blockade against Ukraine - https://www.cfr.org/article/how-ukraine-overcame-russias-grain-blockade
    • Saline, Michigan OpenAI Data Centre & Pushback - https://apnews.com/article/openai-inc-joi-harris-data-management-and-storage-microsoft-corp-oracle-corp-f25196fca5865ed79d94c972249a272c
    • Racine, Wisconsin Foxconn and Microsoft site failures - https://racinecountyeye.com/2025/10/08/microsoft-abandon-1st-caledonia/
    • Racine, Wisconsin What happened to FoxConn?
    47 mins
  • Risky Risks: Live from the GTS Security Summit
    May 12 2025

    The Great Security Debate crew recorded a live episode at the GTS Security Summit in Detroit, Michigan with special guest, Zah Gonzalvo, SVP of Financial, Climate, and Operational Risk at Banco Popular. Tune in for a great discussion on risk, risk mitigation, risk prioritisation, and risk in context. Yep, it's all about risk!

    Takeaways:

    • The evolution of security has shifted from a binary perspective to a more nuanced understanding of risk management, acknowledging the need for flexibility in addressing diverse security challenges.
    • In contemporary discussions, it is increasingly evident that security must be integrated into business strategy, highlighting the imperative for security professionals to communicate effectively with stakeholders.
    • The role of the Chief Information Security Officer (CISO) has transcended traditional technological boundaries, necessitating a comprehensive grasp of business risk and operational efficiency.
    • Effective risk management within organizations requires a shared responsibility model, where every employee contributes to the overall security posture, thus reinforcing the concept that security is a collective endeavor.
    • Scenario analysis is a potent tool in risk management, enabling organizations to anticipate potential threats and understand the implications of various risk scenarios on their operations.
    • Engaging with business units to contextualize security risks in terms of operational impact and financial implications is vital for securing necessary budgets and resources for security initiatives.

    48 mins
  • Fantasy Hacker League
    Oct 21 2024

    In this episode of The Great Security Debate, Dan, Brian and Erik invent (and copyright) the idea of a Fantasy Hacker League then dig into more serious discussions on deception technology, asset discovery challenges, and resource management. The conversation also delves into the impact of budget constraints on security projects, the mental toll on cybersecurity professionals, and the evolving role of CISOs in digital transformation. Issues such as job stress, burnout, and role mismatches among security leaders are addressed, alongside strategic insights on integrating security within broader business operations.

    00:00 Introduction to the Great Security Debate

    00:39 Humorous Take on Hacker Recruitment

    03:16 Fantasy Hacker League Concept

    09:18 Microsoft's Honeypot Strategy

    22:58 Challenges in Security Budgets and Resources

    31:03 The Reality of Full-Time Positions

    31:31 Introverts vs. Extroverts in Leadership

    32:06 The Challenges of Being a CISO

    33:53 Work-Life Balance and Stress

    37:04 The Role of Security in Business

    39:36 The Future of Security Leadership

    41:00 Adapting to Economic Constraints

    59:28 The Importance of Enjoying Your Work

    01:00:26 Conclusion and Farewell

    1 hr and 2 mins
  • Free Disaster Recovery Tests!
    Sep 3 2024

    Welcome to the Great Security Debate! In this episode, experts take on a multifaceted discussion about the intricacies of technology and cybersecurity. The debate navigates through the recent incident involving CrowdStrike and Microsoft, dissecting the layers of technology, processes, and the roles of different entities in maintaining security. Emphasizing the lessons learned, the debate also explores the challenges of disaster recovery, business continuity, and balancing risk in an increasingly complex digital landscape. Tune in as the hosts delve into the ramifications of over-consolidation, the implications of vendor lock-in, and the importance of maintaining a culture of quality and robust testing.

    00:00 Introduction to the Great Security Debate

    00:37 Layers of Technology and Finger Pointing

    01:23 Disaster Recovery and Business Continuity

    02:34 Market Leaders and Single Points of Failure

    08:25 The Complexity of Software and Manufacturing Analogies

    14:27 Kernel Access and Security Implications

    23:29 BitLocker Keys and Recovery Challenges

    28:05 Daily Text File Sharing

    28:21 Transitioning BitLocker Management

    28:45 Risk Profiles and Encryption Decisions

    31:47 Team Collaboration and Lessons Learned

    33:38 CrowdStrike Incident Analysis

    36:18 The Importance of Response and Culture

    44:10 Balancing Speed and Safety in Software

    51:41 Closing Remarks and Future Plans

    53 mins