Chasing Entropy Podcast by 1Password

Dave Lewis, 1Password
Sep 9, 2025 • 31min

Chasing Entropy Podcast 020: Trey Ford on Research, Risk, and the Rise of Agentic AI

In the 20th episode of the Chasing Entropy Podcast, Dave Lewis sits down with Trey Ford, Chief Strategy & Trust Officer at Bugcrowd and former General Manager of Black Hat, to explore the realities of modern cybersecurity leadership.

From the pitfalls of annual penetration tests to the messy realities of vulnerability disclosure, Trey shares lessons from decades in the field. He explains why risk should be owned at the board level (not by the CISO alone), why disclosure remains the internet’s immune system, and what the rise of agentic AI means for governance and resilience.

The conversation also dives into leadership growth: shifting from arguing to win, to arguing to understand, and how CISOs can transform into true business partners rather than gatekeepers.

Key Takeaways
Continuous resilience matters. Annual pen tests don’t reflect reality—continuous measurement does.
Risk ownership belongs with the business. CISOs shouldn’t carry it alone.
Disclosure is essential. Research-first venues like Black Hat make it safer.
Agentic AI raises new risks. Guardrails, explainability, and governance must be designed in.
CISO success = trust. Build partnerships across the executive team, not walls.

Memorable Quotes
“If it’s accessible, it’s worth securing, scope is a convenience, not a defense.”
“It’s not CISO vs. world; it’s the business deciding risk together.”
“In the cloud you can ‘accidentally it all the way’, agentic AI just gives that accident agency.”

Listen to Episode 20 now wherever you get your podcasts!
Sep 2, 2025 • 32min

Chasing Entropy Podcast 019: Balancing Security, IT, and Human Outcomes with Jacob DePriest

In this episode of Chasing Entropy, host Dave Lewis, Global Advisory CISO at 1Password, sits down with Jacob DePriest, the newly appointed CISO and CIO at 1Password. Together, they explore the intersection of security, IT, and the human factors that shape how we defend and sometimes undermine our digital world.

From NSA to GitHub to 1Password
Jacob traces his path from early engineering work at the NSA to leading security operations at GitHub, and now into his dual role at 1Password. With roots in engineering and open source advocacy, he shares how those experiences shaped his approach to building secure yet productive environments.

Security and Development: A Necessary Partnership
A recurring theme is the relationship between security teams and developers. Jacob emphasizes that security cannot scale without deep integration into the engineering lifecycle. Rather than bolting on controls, he advocates for shared scoreboards, embedded guardrails, and empowering developers to focus on outcomes without unnecessary friction.

Secrets, AI, and the Future of Risk
The conversation dives into secrets management and the rise of AI in security. Jacob highlights how smarter alerting and AI-assisted scanning can help reduce noise around exposed credentials. They also discuss the promises and pitfalls of agentic AI, where transparency, governance, and credential security will become defining challenges for enterprises.

Balancing Productivity and Protection
As both CISO and CIO, Jacob is uniquely positioned to tackle the long-standing tension between IT enablement and security. He argues that these shouldn’t be opposing forces; the shared goal is enabling the business safely and responsibly. Hybrid teams and flexible models, such as customizable unlock experiences in 1Password, illustrate how to strike that balance.

Diversity, Culture, and Psychological Safety
The episode also touches on team culture: hiring for diversity of thought, encouraging dissenting voices, and building psychological safety. Jacob and Dave reflect on how recognition systems, open communication, and intentional leadership can foster stronger, more resilient security teams.

Parting Advice for Security Leaders
Jacob closes with two guiding principles:
Focus on outcomes and the big picture; don’t lose sight of the real problems in pursuit of perfect solutions.
Appreciate the community of security professionals who face daily challenges in an increasingly complex landscape.

Listen now to hear Jacob’s insights on navigating the evolving role of security leaders, the integration of IT and cybersecurity, and how to prepare for the next wave of challenges.

As always, be sure to like and subscribe!
Aug 26, 2025 • 34min

Chasing Entropy Podcast 018: From Game Genie to Global Security. A Conversation with Rob Fuller

In this episode of the Chasing Entropy Podcast, host Dave Lewis, Global Advisory CISO at 1Password, sits down with Rob Fuller (a.k.a. Mubix), cybersecurity leader, Marine Corps veteran, red teamer, and technical advisor, to explore the twists, turns, and lessons from a career built at the intersection of curiosity, community, and defense.

Early Sparks of Curiosity
Rob shares how tinkering with Game Genie and GameShark consoles in his youth planted the seeds of hacking and cybersecurity. From experimenting with memory manipulation in video games to dabbling in early online communities, his fascination with technology was clear—even if he didn’t yet have a name for it.

The Marine Corps and Grounding in Reality
His journey took a pivotal turn in the U.S. Marine Corps, where Rob shifted into IT and found his calling at the Marine Corps CERT. There, he confronted threats at a national scale, battling nation-state adversaries and learning the importance of context, failure, and resilience. The high-stakes environment taught him perspective—what truly counts as critical versus what’s just noise.

Red Teams, Purple Teams, and the Role of AI
Rob dives into his philosophy on red vs. purple teaming, how organizations misstep in their security approaches, and where AI fits into the equation. While AI can accelerate tasks like data analysis and content generation, he stresses that human judgment remains essential, particularly when weighing real-world risk.

Maturity in Vulnerability Disclosure Programs
Rob outlines the evolution of Vulnerability Disclosure Programs (VDPs)—from a simple security@company.com email, to structured bug bounties, to advanced maturity where vulnerabilities are ballooned out, templated, and continuously scanned across entire infrastructures. Tools like Nuclei earn his praise as underrated game-changers in scaling this process.

What’s Overrated, What’s Underrated
When asked about overrated tools, Rob jokingly points to Splunk, acknowledging it as a powerful log platform but often overhyped without the right people and processes behind it. In contrast, he champions Nuclei for its ability to empower teams with scalable, reusable vulnerability detection.

Leadership, Curiosity, and Mentorship
For those entering cybersecurity, Rob emphasizes starting the leadership journey early—seeking credentials, mentorship, and experience beyond being just a technical contributor. For senior leaders, he advises fostering curiosity and root cause analysis across teams, and creating spaces for “show and tells” where junior staff can share passion projects that might blossom into innovative enterprise-wide solutions.

Silicon Valley and Beyond
Rob also reflects on his experience as a technical advisor for HBO’s Silicon Valley, ensuring cybersecurity accuracy behind the scenes. From late-night calls to writer’s room debates, the role gave him a chance to influence how hacking and security were portrayed to millions of viewers—an opportunity to shift the narrative away from the usual Hollywood myths.

Listen to the full conversation for Rob’s insights on community, resilience, and the underrated value of curiosity in shaping the future of cybersecurity.

Don’t forget to like & subscribe to the Chasing Entropy Podcast wherever you get your podcasts.
Aug 19, 2025 • 39min

Chasing Entropy Podcast 017: The Storyteller’s Journey with Bill Brenner

In this episode of Chasing Entropy, Dave Lewis sits down with longtime friend and industry veteran Bill Brenner, Senior VP and Head of Content at Cyber Risk Alliance. Bill has been shaping the cybersecurity narrative for over two decades, from his early reporting days at TechTarget to his leadership roles at Akamai, Sophos, IANS, and now Cyber Risk Alliance.

From Newsrooms to Cybersecurity
Bill shares how his career began in traditional journalism, with a pivotal moment after 9/11 pushing him toward B2B reporting. A role at SearchSecurity marked his entry into cybersecurity, where he quickly established himself as a respected interviewer, writer, and—eventually—a storyteller within the security community.

The OCD Diaries & Mental Health Advocacy
A major part of Bill’s journey has been his candid writing in The OCD Diaries, a personal blog turned community resource. What started as a therapeutic exercise evolved into a touchstone for many in security facing similar struggles. Today, Bill continues that advocacy through his work with CyberMinds, developing tools and resources to support the mental health of cyber defenders, who often face burnout, PTSD-like stress, and relentless alert fatigue.

Storytelling, Security, and Leadership
Reflecting on his time at Akamai, Bill discusses how being embedded in a security team during the Heartbleed and Shellshock era shaped his understanding of communication, trust, and leadership. He and Dave revisit their collaboration on reports, vulnerability advisories, and how content can influence both internal teams and the wider industry.

AI, Content, and the Human Element
Bill and Dave dive into the current disruption caused by artificial intelligence. While many companies mistakenly see AI as a replacement for people, Bill argues it must be used as an enhancer—freeing humans from repetitive tasks while preserving creativity, critical thinking, and authenticity. His own work at Cyber Risk Alliance now includes experimenting with AI to streamline workflows without losing the human voice.

Looking Ahead
Bill emphasizes the importance of resilience, humility, and staying focused on the human side of security. Whether through mental health advocacy, building stronger content strategies, or mentoring the next generation, his mission remains clear: tell stories that matter and help the community thrive in an increasingly chaotic digital world.

👉 Where to find Bill:
The OCD Diaries (archived blog with evergreen posts)
Bill on LinkedIn (active writing and insights)
SC Media / SC World (ongoing journalism and leadership work)
Aug 12, 2025 • 37min

Chasing Entropy Podcast 016: Seeing Beyond the Hype with Fernando Montenegro

In this episode of the Chasing Entropy Podcast, host Dave Lewis welcomes industry analyst and long-time cybersecurity veteran Fernando Montenegro for a far-ranging and refreshingly honest discussion about the evolution of security, the realities of AI, and the human stories that shape our digital defenses.

Fernando shares his origin story from math and fractals in Brazil to cryptography and bulletin boards, and ultimately to a career that has spanned consulting, sales engineering, and now research and analysis. Along the way, he highlights the importance of community spaces like TASK (Toronto Area Security Klatsch) and B-Sides as pivotal launchpads for industry newcomers.

The conversation dives deep into artificial intelligence and its nuanced role in cybersecurity:
Security for AI: Helping organizations safely adopt AI tools.
AI for Security: Using AI to enhance defense mechanisms.
Security against AI: Preparing for AI-augmented attacks and fraud.

Fernando advocates for viewing AI through an economic and socio-technical lens rather than blindly trusting in its promise. As both he and Dave agree, AI isn't magic—it's math. It can augment work, but replacing human judgment, strategy, and contextual understanding is far from reality.

They also touch on the dangers of layoffs fueled by AI hype, calling out examples like Klarna’s public misstep, and drawing parallels to earlier cloud-related downsizing miscalculations. Both stress the importance of understanding what workers actually do before trying to replace them with automation.

As the episode wraps, Fernando delivers sage advice for those entering or pivoting into cybersecurity:
Leverage your prior experience, whether from hospitality or marketing, it has value.
Seek mentorship from peers 2–5 years ahead of you for tactical guidance.
Don’t be discouraged by gatekeeping; curiosity and kindness go a long way in this relationship-driven field.

Whether you're a seasoned professional or just getting started, this episode is a candid reminder that cybersecurity is as much about people as it is about technology and that chasing entropy means embracing complexity, not avoiding it.
Aug 5, 2025 • 34min

Chasing Entropy Podcast Episode 015: Herding Chaos with Jeffrey Wheatman

In this special "Summer Camp" edition of Chasing Entropy, Dave Lewis sits down with longtime friend and cyber risk veteran Jeffrey Wheatman. From their early DEF CON gooning days to leading board-level security conversations, Dave and Jeffrey explore how cybersecurity professionals navigate entropy—when systems unravel, and chaos creeps in.

Jeffrey, a former VP at Gartner and now a cyber risk strategist, brings 30 years of experience to the mic. They dive deep into the human and organizational aspects of risk management, effective communication with executive leadership, and how the security industry can stop "solutioning" with tech and instead focus on solving real problems.

Key Topics That We Covered:
From Hardware Store to Cyber Risk Strategist: Jeffrey’s unconventional path into cybersecurity and early lessons learned about clarity, communication, and not working in retail.
Tech for Tech’s Sake?: Why the obsession with new tools misses the point—and how reframing security in terms of solving business problems is the real game changer.
Communicating with Boards: Strategies for helping CISOs resonate with executives, plus tips on improving board-level metrics and engagement.
AI in Cybersecurity: Cautious optimism, practical concerns, and philosophical musings. Both Dave and Jeffrey agree: AI is no silver bullet. But with thoughtful integration and strong scenario planning, it can be a powerful partner—especially for edge cases and pattern recognition.
Speaking to Your Audience: Whether you're in front of a board or a DEF CON hallway track, Jeffrey shares hard-won lessons about adjusting your message, avoiding condescension, and using metaphors that land.

Memorable Quotes
“Technology is created and put in place to solve problems. Full stop.” — Jeffrey Wheatman
“Your execs care about three things: money in, money out, and who gets in trouble when stuff goes sideways.” — Jeffrey Wheatman
“AI is overblown and underutilized—both are true.” — Dave Lewis

Where to Find Jeffrey
LinkedIn: The only “Jeffrey Wheatman”
Speaking soon at: SANS Security Awareness, ISACA GRC, Black Hat, and PDA PRISM Conference
Fun fact: At DEF CON, you’ll know him as “Mnkey.”

Listen now, share widely, and join us again next week as we continue Chasing Entropy in a world full of chaos and credentials.

Don’t forget to like, subscribe, and spread the entropy.
Jul 29, 2025 • 35min

Chasing Entropy Podcast Episode 014: Hats Off to the Hacker Ethos with Emil Tan

In this episode of the Chasing Entropy Podcast, I am joined by Singapore-based cybersecurity leader Emil Tan, a man who wears many hats and wears them well. From government defense to grassroots community building, Emil’s journey is a masterclass in adaptability, curiosity, and community spirit in cybersecurity.

Who Is Emil Tan?
Emil is a cybersecurity polymath: a national defense contributor at Booz Allen, founder of the Singapore-based community Division Zero (Div0), co-founder of the hacker conference SINCON, advisor to the startup RedAlpha, and active participant in the non-profit CREST. His career arc spans R&D, operations, policy, and education—with a consistent theme of learning by doing.

A Non-Linear Path to Impact
Emil shares his unlikely journey into cybersecurity, which began not with elite academic scores but with a love for math and curiosity about the digital world. After being part of Singapore’s first cohort in a cybersecurity diploma program, Emil embraced early challenges in capture-the-flag (CTF) competitions and informal meetups at McDonald's that eventually gave rise to Div0.

From Operations to Policy and Back Again
What sets Emil apart is his transition from cyber operations to policymaking. Frustrated by policies that didn’t reflect frontline realities, he stepped into the policy arena to bridge the gap. He speaks candidly about the complexity of policymaking and the importance of being a "technical policymaker" who can translate between operations and lawmaking.

The Power of Automation and AI (Without the Hype)
Emil and Dave dig into the evolution of automation in security—from scripting away mundane tasks to the role of AI today. Emil’s philosophy? Automate the boring stuff so you can focus on meaningful work. He challenges the fear-driven narrative around AI, noting that rather than replacing jobs, it redefines them.

Advice for Aspiring Security Pros
Whether you’re new to the field or feeling stuck, Emil offers grounded, honest advice:
Fall in love with your career, not just your job
Start anywhere, fail often, and learn deeply
Talk to people—war stories beat certificates
Seek community: Div0, SINCON, and beyond

Get Connected
Want to connect with Emil?
LinkedIn
Attend Div0 meetups (twice a month in Singapore)
Catch him at the next SINCON conference

Listen now on all major platforms and don't forget to like, subscribe, and share. Thanks for joining me as we continue the Chasing Entropy Podcast, where chaos meets clarity, and security finds its human side.
Jul 22, 2025 • 42min

Chasing Entropy Podcast Episode 013: Jack Daniel: A Life in Security, Sock Puppets, and Community-Building

Jack Daniel, a legendary storyteller and community-builder, shares his incredible journey from mechanic to cybersecurity strategist. He recounts humorous tales from his early days tinkering with cars, before navigating into tech by chance. The heart of the conversation focuses on the founding of BSides, a community-centered security movement that empowers local talent worldwide. Jack also discusses his unique presentation style with sock puppets, all while emphasizing the importance of community, mentorship, and authentic engagement in fostering connections.
Jul 15, 2025 • 34min

Chasing Entropy Podcast Episode 012: Dr. Grigorios Fragkos on Agentic AI, CISO Evolution, and Global Cybersecurity Insights

In this discussion, Grigorios Fragkos, known as Dr. Greg, shares his extensive background in cybersecurity spanning academia and enterprise defense. He delves into the fascinating rise of agentic AI and its potential ethical applications in enhancing cybersecurity defenses. The talk also highlights the evolving role of the Chief Information Security Officer, advocating for a shift towards a Chief Cybersecurity Officer to address new challenges. Dr. Greg emphasizes the necessity of continuous learning and critical thinking in navigating the complex cybersecurity landscape.
Jul 8, 2025 • 33min

Chasing Entropy Podcast Episode 011: Humour, Human Nature & Hacking Communication with Javvad Malik

Javvad Malik, a security advocate, Guinness World Record holder, and co-host of Host Unknown, dives into a captivating conversation about humor's role in cybersecurity. He shares his unique journey from banking in the late '90s to industry advocacy, emphasizing the art of clear communication with non-technical audiences. With engaging anecdotes, he highlights how humor can bridge gaps in understanding complex security risks. Javvad also reflects on collaborative podcasting and the importance of empathy in sharing cybersecurity insights, making tech both relatable and entertaining.
