Secure Talk Podcast

Justin Beals
Dec 16, 2025 • 56min

Building a Thriving Future: AI Ethics & Security in Virtual Worlds | Dr. Paola Cecchi-Dimeglio

The mistakes we made building the internet don't have to be repeated in the metaverse—if we act now.

Join SecureTalk host Justin Beals for an essential conversation with Dr. Paola Cecchi-Dimeglio about building secure, ethical virtual worlds. Dr. Cecchi-Dimeglio brings 25 years of experience advising governments, Fortune 500 companies, and global institutions on AI ethics and technology governance. Her new book "Building a Thriving Future: Metaverse and Multiverse" (MIT Press, 2025) provides frameworks for building virtual spaces that serve humanity rather than exploit it.

CORE THEMES:
• Security by design vs. security bolted on after problems emerge
• How biases get encoded into AI systems—and prevention strategies
• The critical role of "human in the loop" for AI oversight
• Why good regulation creates business stability
• Digital identity systems for global inclusion
• Authentication and verification in virtual spaces
• Cross-border legal frameworks for technology governance

REAL-WORLD IMPACT: Over 1 billion people globally lack legal identification—virtual worlds could solve this through blockchain-based digital identity, or create new exclusions if built poorly. The standards we set now for authentication, verification, and identity control will determine whether these spaces become tools for human flourishing or mechanisms for surveillance.

WHY THIS MATTERS NOW:
• Virtual worlds already exist—gaming platforms host billions of users
• AI is accelerating everything, including security vulnerabilities
• Deepfake technology is improving faster than detection methods
• The decisions made today will shape digital society for decades

SURPRISING INSIGHTS:
→ Children currently detect deepfakes better than adults (but not for long)
→ Major consulting firms have sold governments expensive reports full of AI errors
→ Voice recognition systems historically failed on non-Western accents due to training data bias
→ Email autocorrect defaults "Paola" to "Paolo" because datasets contained more men than women

ABOUT THE GUEST: Dr. Paola Cecchi-Dimeglio is a globally recognized expert in AI, big data, and behavioral science. She holds dual appointments at Harvard Law School and Kennedy School of Government, co-chairs the UN ITU Global Initiative on AI and Virtual Worlds, and has authored 70+ peer-reviewed publications. Her work advises the World Bank, European Commission, and Fortune 500 executives on ethical AI implementation.

THE OPTIMISTIC VISION: Virtual worlds can tap talent anywhere, breaking geographic barriers. They can connect separated families, provide legal identity to excluded populations, and create opportunities we can't yet imagine—but only if we build them with security, ethics, and human values as foundational requirements.

ABOUT SECURETALK: SecureTalk ranks in the top 2.5% of podcasts globally, making cybersecurity and compliance topics accessible to business leaders. Hosted by Justin Beals, CEO of Strike Graph and former network security engineer.

Perfect for: Security professionals, technology leaders, business executives, policy makers, anyone concerned about building ethical AI systems and secure virtual worlds.

📚 "Building a Thriving Future: Metaverse and Multiverse" by Dr. Paola Cecchi-Dimeglio (MIT Press, 2025)

#AIEthics #Cybersecurity #VirtualWorlds #TechnologyGovernance #MetaverseSecurity #DigitalEthics #AIRegulation #SecureByDesign
Dec 2, 2025 • 56min

Why Security Leaders Struggle With Security Culture | Steven Sloman on Secure Talk

Cognitive scientist Steven Sloman, a Brown University professor and author, dives into the complex interplay between sacred values and decision-making. He examines how outrage and simplified thinking dominate social discourse, making it challenging for leaders to navigate cultural divisions. Sloman discusses the power of humor to disrupt absolutist views and the importance of recognizing our own biases. He also unpacks why insular communities become radicalized and the critical differences that set human deliberation apart from AI associations.
Nov 18, 2025 • 51min

From Punk Rock Anarchist to Bank Security Leader: An Unlikely Journey in Threat Intelligence | SecureTalk with Joe Rossi

Most threat intelligence programs can't prove their value. Joe Rossi's team at Zions Bank did the opposite—preventing $3 million in fraud annually while actually attracting new customers to the bank.

In this episode, former punk rock kid turned threat intelligence leader Joe Rossi reveals why your most valuable security intelligence isn't from expensive vendor feeds—it's sitting in your own logs right now. He shares the hard lessons learned building CTI programs from scratch, why most organizations focus on the wrong threats, and how to make security a competitive advantage instead of just a cost center.

Key insights:
• Why your firewall logs are more valuable than threat intelligence feeds
• The cultural mindset required before you invest in CTI
• How to quantify security program ROI in terms leadership actually cares about
• Dark web monitoring: reality vs. Hollywood expectations
• When your organization is actually ready for threat intelligence

Whether you're a CISO considering a CTI program or a security professional trying to prove value, this conversation offers practical frameworks for building security capabilities that directly impact the bottom line.
Nov 4, 2025 • 56min

Inside CMMC Implementation: What November 10th Means for Defense Contractors | Secure Talk with Bob Kolasky

Bob Kolasky walked the halls where CMMC was built. As founding director of CISA's National Risk Management Center, he watched this policy evolve from concept to pilot program to federal law—surviving three presidential administrations because the need never changed.

On November 10, 2025, that policy becomes mandatory reality for every defense contractor pursuing new DoD solicitations. Self-certification ends. Independent verification begins. And the defense industrial base faces its most significant security transformation in a generation.

In this conversation with Justin Beals, Bob explains what contractors need to understand about the deadline—and what recent enforcement actions reveal about gaps that have existed all along.

From Honor System to Accountability:
For years, defense contractors self-certified compliance with NIST 800-171 cybersecurity requirements. The system worked on trust. Contractors checked boxes, DoD accepted attestations, and controlled unclassified information flowed through supply chains with security gaps nobody was measuring.

Then came the settlements. Raytheon paid $8.4 million for failing basic security controls—no antivirus software on systems handling defense information, no system security plans, missing access controls. Penn State settled $1.25 million across 15 contracts. Georgia Tech paid $875,000 in the first DOJ intervention in a cybersecurity False Claims Act case.

These weren't breaches. These were preventable failures that contractors had certified didn't exist.

Katie Arrington's warning to the industry has been consistent: "If you go on LinkedIn one more time and tell me how hard CMMC is, I'm going to beat you. That ship sailed in 2014." Translation: adversaries are watching, and contractors broadcasting difficulties are revealing exactly where vulnerabilities exist.

The November 10th Framework:
After this deadline, every new contract solicitation includes CMMC requirements matched to data sensitivity. Level 1 handles federal contract information through annual self-assessment with SPRS score reporting. Level 2 manages controlled unclassified information and requires independent C3PAO assessor validation—affecting approximately 35% of DoD's contractor base. Level 3 involves breakthrough technology or critical CUI aggregations and demands direct government audit.

The quantitative approach represents a shift. Instead of binary pass/fail, contractors receive scores reflecting actual security posture. An 88 out of 110 qualifies for Level 2 conditional status with a plan of action and milestones. These numbers measure real capabilities across incident response, access control, and continuous monitoring.

The Supply Chain Ripple Effect:
Prime contractors bear new responsibility for subcontractor compliance. Before contract award, they must verify—not just accept—that subs meet requirements. Security questionnaires aren't sufficient anymore. Primes need evidence, validation, and continuous visibility.

An affirming official—typically a senior executive—personally attests to the government that the organization actively manages supply chain risk. This accountability changes relationships throughout the defense industrial base.

Practical Considerations:
Bob addresses the questions contractors are asking: How do you define system boundaries when CUI flows through your infrastructure? Why does each information system need a unique CMMC identifier? What does "current CMMC status" mean for maintaining certification? How do you schedule C3PAO assessments when capacity is limited and 35% of contractors need certification?

He also explains why technology becomes essential—automating compliance evidence collection makes continuous monitoring feasible without massive security staff increases. And he's candid about what the next two years bring: with Kirsten Davies nominated as new CIO and Katie Arrington driving implementation, expect aggressive rollout through 2026.

Why This Policy Survived:
Bob's experience spans the Obama, Trump, and Biden administrations. The CMMC framework persisted through every transition because supply chain security isn't a partisan issue—it's a national defense imperative. Now at Exiger advising defense contractors, Bob bridges the gap between policy intent and practical implementation.

This conversation provides clarity on November 10th's real meaning: not just a compliance deadline, but a fundamental shift in how the defense industrial base secures the supply chain supporting national security.

Guest: Bob Kolasky, SVP Critical Infrastructure at Exiger | Former Founding Director, CISA National Risk Management Center | 15 years shaping federal cybersecurity policy

#CMMC #November10th #DefenseContracting #Cybersecurity #DFARS #CISA #SupplyChainSecurity #DIB #ComplianceDeadline #NationalSecurity
Oct 21, 2025 • 52min

Beyond Big Cities: Understanding Cybersecurity in Mid-Sized Communities | with Lars Kruse

When we think about cybersecurity, images of tech giants and major financial centers come to mind—but what about the towns where most of us actually live? This SecureTalk episode with cybersecurity researcher Lars Kruse explores an often-overlooked question: how do communities of 20,000-100,000 residents protect themselves in an increasingly digital world?

Host Justin Beals and Kruse, who studies at Sweden's Defense University, discuss the practical realities of implementing cybersecurity in resource-constrained environments. Through his research on over 600 European municipalities and validation interviews with consultants and administrators, Kruse reveals fascinating insights about the gap between written policies and daily operations.

The conversation opens with a real-world incident from Germany where 72 towns simultaneously lost access to their IT systems—not through sophisticated hacking, but through preventable security oversights. This case study illustrates why understanding operational security matters just as much as regulatory compliance.

Key topics explored include:
- How mid-sized communities differ from "smart cities" in their security approach
- The balance between regulatory requirements like GDPR, NIS2, and DORA
- Why employee training consistently ranks as the most critical security investment
- Practical frameworks for managing third-party technology vendors
- The role of political leadership in prioritizing cybersecurity budgets
- How research institutions contribute to better security policies

Kruse shares optimistic findings too: many organizations already practice good security fundamentals—they just need guidance connecting their existing processes to compliance requirements. The episode emphasizes that cybersecurity isn't about expensive technology alone; it's about building resilient practices that protect community services and citizen data.

Perfect for professionals in public administration, IT management, business operations, or anyone curious about how digital security works beyond headlines. This conversation offers practical knowledge about protecting the digital infrastructure we all depend on daily.

SecureTalk features conversations with experts shaping the future of cybersecurity and compliance, hosted by Justin Beals, CEO of Strike Graph.

#Cybersecurity #PublicSector #DigitalSecurity #CommunityResilience #SecurityEducation #DataPrivacy #TechPolicy #LocalGovernment #CyberAwareness #ITSecurity
Oct 7, 2025 • 46min

Preparing for the Quantum Era: Why Blockchain is Leading the Charge | James Stephens

Quantum computing represents one of the most significant advances in computer science we'll see in our lifetimes. We're watching error correction rates improve faster than predicted, with Google's Willow chip achieving benchmarks that compress development timelines dramatically.

For security professionals, this creates an exciting challenge: how do we architect systems today that remain secure as computing power evolves? What makes this particularly interesting is that blockchain and Web3 technologies are at the forefront of this transition—not because they're more vulnerable, but because they're leading the way in implementing quantum-resistant solutions.

Unlike traditional systems where encryption happens behind closed doors, blockchain's transparency means every transaction, every wallet, every cryptographic operation is visible on a public ledger. When post-quantum cryptography becomes necessary, these systems can't just patch quietly in the background. They need to migrate entire ecosystems while maintaining trust with users who can see every change on-chain.

In this episode, we sit down with James Stephens, founder and CEO of Krown Technologies and a certified cryptocurrency forensic investigator, to explore how the blockchain industry is pioneering quantum-resistant infrastructure that will inform security practices across all sectors.

What We Discuss:
• Why blockchain and DeFi are leading quantum-resistance innovation
• How transparent, public ledgers change the security equation
• The practical steps security leaders can take now to prepare
• Why true randomness requires physics, not just algorithms
• Lessons from a decade of cryptocurrency forensic investigations
• How to build quantum-resistant infrastructure without sacrificing user experience
• Assessing vendor roadmaps for quantum readiness across any industry

James brings practical experience from both investigating cryptocurrency breaches and building quantum-resistant blockchain infrastructure. His forensic work revealed that most losses come from key mishandling and social engineering rather than cryptographic breaks—insights that shaped how he approaches designing secure systems for any environment.

This conversation covers both the technical innovation happening in quantum computing and the architectural decisions security teams need to make to prepare their organizations for this next era of computing power.

About the Guest: James Stephens is a recognized authority in blockchain security and cryptocurrency forensics with over a decade of experience at the intersection of digital assets, cybersecurity, and quantum innovation. He holds certifications including CBE, CCFI, and CORCI, and is the author of "Quantum Reckoning: Securing Blockchain and DeFi in the Post-Quantum Era."

#Cybersecurity #QuantumComputing #PostQuantumCryptography #Blockchain #Web3 #DeFi #InfoSec
Sep 23, 2025 • 53min

Breaking Cybersecurity's 12 Hidden Paradigms: A Futurist's Guide to Security Evolution with Heather Vescent

Discover how strategic foresight is revolutionizing cybersecurity thinking. In this compelling SecureTalk episode, renowned futurist Heather Vescent reveals the 12 invisible paradigms that have shaped our entire approach to cybersecurity - and why breaking them could transform how we defend digital systems.

Back in 2017, Vescent applied strategic foresight methodology to cybersecurity, uncovering fundamental assumptions like "security always plays catch-up," "the user is always wrong," and "we are completely dependent on passwords." Her research, published in 2018, predicted the passwordless revolution that's now mainstream reality.

This isn't just theoretical - Vescent demonstrates how appreciative inquiry flips traditional problem-solving approaches. Instead of asking "what's broken and how do we fix it," she explores "what's working well and how do we amplify it?" This methodology helped identify paradigm shifts that seemed radical in 2018 but are now industry standard.

Key insights include:
- How to shift from reactive to proactive security postures
- Why attack surface analysis needs systematic approaches
- The role of AI as thought partner rather than replacement
- How transparency reduces insider threat attack surfaces
- Practical applications of decentralized identity technologies
- Why security teams should focus on strengths, not just vulnerabilities

Vescent also addresses the commercialization challenges facing promising technologies like self-sovereign identity, explaining how ethical innovations often get compromised during market adoption. Her work bridges the gap between cybersecurity's technical realities and its broader societal implications.

For CISOs, security leaders, and technologists seeking to influence rather than just react to the future, this conversation provides actionable frameworks for anticipating threats and building more resilient systems. Vescent's strategic foresight methodology offers a roadmap for moving beyond endless problem-solving cycles toward security that creates value rather than just preventing loss.

Resources:
- Shifting Paradigms Paper: https://www.researchgate.net/publication/330542765_Shifting_Paradigms_Using_Strategic_Foresight_to_Plan_for_Security_Evolution
- Threat Positioning Framework GPT: https://chatgpt.com/g/g-68100f6a8c7481919d693ec9d4d9faab-the-threat-positioning-framework-gpt-by-h-vescent
- Self Sovereign Identity Book: https://www.amazon.com/Comprehensive-Guide-Self-Sovereign-Identity-ebook/dp/B07Q3TXLDP?&linkCode=sl1&tag=vescent39-20&linkId=2797fe6ea49dff79952bc866ec8e8baf&language=en_US&ref_=as_li_ss_tl
- Heather's email list: https://research.cybersecurityfuturist.com/
Sep 9, 2025 • 47min

AI Coding Hype vs Reality: The 2025 AI Code Security Report with Chris Wysopal

Chris Wysopal, Chief Security Evangelist and co-founder of Veracode, shares his extensive insights into the security vulnerabilities posed by AI-generated code. He reveals a startling 45% error rate in AI systems, matching that of human coders, while discussing the risks of faster coding without adequate testing. Wysopal warns against inexperienced developers using AI tools, stressing the necessity for firm governance. He also highlights the limitations of AI in tackling complex coding issues and urges for improved security frameworks.
Aug 26, 2025 • 44min

The Invisible Majority: How Social Media Erases 90% of Voices | Dr. Claire Robertson

90% of Twitter users are represented by only 3% of tweets. When you scroll through your feed and form opinions about what "people are saying" about politics, you're not seeing the voices of nine out of ten users. You're seeing the loudest, most extreme 10% who create 97% of all political content on the platform.

In this episode of SecureTalk, host Justin Beals explores the "invisible majority problem" with Dr. Claire Robertson, Assistant Professor at Colby College. Together they examine how moderate voices have been algorithmically erased from our public discourse, creating pluralistic ignorance that threatens democracy itself.

Dr. Robertson's journey began at Kenyon College during the 2016 election—a blue island in a sea of red where Trump won the county by 40 points but the campus precinct went 90% blue. Surrounded by good people who saw the same election completely differently, she dedicated her career to understanding how we end up living in different realities.

Topics covered:
• The psychology behind false polarization
• How extreme voices get mathematically amplified
• Why conflict drives engagement in the attention economy
• The abandonment of scientific rigor in AI deployment
• Research methods for understanding our digital public square

Resources: Claire E. Robertson, Kareena S. del Rosario, Jay J. Van Bavel, "Inside the funhouse mirror factory: How social media distorts perceptions of norms," Current Opinion in Psychology, Volume 60, 2024, 101918, ISSN 2352-250X, https://doi.org/10.1016/j.copsyc.2024.101918 (https://www.sciencedirect.com/science/article/pii/S2352250X24001313)
Aug 12, 2025 • 41min

An Identity Crisis: How AI Agents Are Redefining Enterprise Security | with Rishi Bhargava

The cybersecurity landscape just shifted permanently, and most organizations aren't ready. While CISOs struggle with alert fatigue from 40+ security tools, a new threat vector is emerging that makes traditional identity management obsolete: AI agents acting autonomously across enterprise systems.

Join Secure Talk host Justin Beals for a critical conversation with Rishi Bhargava, the security architect who built Demisto into a $560M category-defining platform and now leads Descope in solving the next impossible challenge. This episode delivers actionable insights for everyone—from Fortune 500 CISOs managing complex threat landscapes to business leaders evaluating AI adoption risks.

For Security Professionals, you'll discover:
• How AI agent proliferation creates an "identity explosion" that traditional IAM can't handle
• Why probabilistic AI systems require fundamentally different access controls than deterministic human users
• Advanced WebAuthn and FIDO2 implementation strategies for zero-trust architectures
• SOC2 compliance frameworks adapted for AI-human hybrid workflows
• Real-world SOAR evolution lessons from the Demisto acquisition

For Business Leaders, you'll learn:
• Why passwordless authentication directly impacts customer acquisition and retention
• The hidden costs of password-related support tickets and user drop-offs
• How early AI identity management adoption creates competitive advantages
• Risk assessment frameworks for AI agent deployment in sensitive environments

For Everyone:
• Why your current passwords are a ticking time bomb in an AI-first world
• How biometric authentication actually works (and why it's more secure than you think)
• Practical steps to future-proof your digital security today

Whether you're architecting enterprise security for thousands of employees or simply trying to understand why your login experience keeps getting more complex, this episode reveals the forces reshaping digital identity. The organizations that master AI agent authentication will lead their industries—those that don't risk catastrophic breaches and customer exodus.

#CISO #AIAuthentication #EnterpriseIdentity #ZeroTrust #PasswordlessSecurity #CyberSecurityStrategy #IAM #BiometricAuth #SecurityCompliance #AIAgents