Defense in Depth

Tom Doughty, CISO at Generate:Biomedicines with hands-on security architecture experience. The conversation covers why cybersecurity marketing often misses buyers, the 3Ms framework of moment/metric/motion, and the risks of AI and agentic claims. It looks at investor-driven buzzwords, practical use cases that help internal buy-in, and why clear, concrete messaging matters.

Matt Goodrich, Director of Information Security at Alteryx, shares insights on AI data hygiene and governance. He highlights the challenges of relying on polished AI outputs, warning about their potential misleading nature. Goodrich emphasizes the importance of integrating human oversight in AI workflows and proposes using multiple AIs for cross-verification. He advocates for treating AI outputs as research rather than authoritative, pushing for a skeptical approach, and underscoring the need for governance to establish trust in AI-driven security systems.

Pam Lindemoen, CSO and VP of Strategy at RH-ISAC, shares her insights from years in security and infrastructure. She emphasizes that winning means building trust rather than just proving technical expertise. The conversation touches on transforming security from an obstacle to an enabler, the importance of listening to stakeholders, and aligning security with business success. Pam also highlights early career lessons, encouraging empathy and strong relationship skills alongside technical knowledge.

Ejona Preci, Group CISO at LINDAL Group and a leader in security teams, discusses the evolving role of the CISO. She emphasizes the shift from being a 'chief of no' to a valued business partner. The conversation touches on the importance of translating technical risks into business language and the credibility gap faced by CISOs lacking decision-making power. Preci also addresses the responsibilities CISO must take on concerning AI integrity and model explainability, advocating for clearer expectations during hiring to avoid mismatches.

In this conversation with Peter Gregory, a renowned cybersecurity author, the discussion dives into effective communication tactics for CISOs. Topics include translating technical risks into tangible business impacts and using storytelling to engage executives. Gregory emphasizes the importance of trust and timing in leadership interactions. The panelists highlight the need to frame security in terms of outcomes, revenue preservation, and strategic priorities to earn buy-in. They also tackle the concept of accepting business risks consciously.

In this conversation, Erika Dean, former Chief Security Officer at Robinhood, dives into the complex responsibilities of CISOs. She discusses the critical gap between theory and the daily reality of risk management. Erika emphasizes the importance of asserting ownership over cyber risk and effectively communicating that to executives. She provides insights on the necessity of collaboration across departments to ensure security is a partnership rather than a policing action. They also explore how to engage boards with relevant metrics and elevate cybersecurity literacy.

Crystal Chatham, VP of cybersecurity at Speedcast with 18 years in IT experience, joins the conversation to dissect the prevalence of AI snake oil in the tech industry. She emphasizes the importance of hands-on experience and understanding customer needs when evaluating AI vendors. The panel examines the distinctions between predictive and generative AI and the potential risks of leaders promoting AI without adequate technical knowledge. They stress the necessity of frameworks to assess AI risks while encouraging safe experimentation and iteration in organizational environments.

Davi Ottenheimer, VP of Trust and Digital Ethics at Inrupt and expert in decentralized identity, explores the evolving landscape of network security. He argues that network security isn't dying but rather transforming as identity takes center stage, especially in cloud environments. Davi also highlights the importance of observability, discussing why packet-level visibility remains critical. He emphasizes the need for scalable standards and accountability in a world where identity is pervasive, suggesting a renaissance in network security as identity practices evolve.

Rob Allen, Chief Product Officer at ThreatLocker, dives deep into the challenges of configuration drift. He reveals how his team acts as 'configuration police' to combat frequent misconfigurations. The discussion highlights the need for cultural shifts in how organizations manage configurations, treating them as critical telemetry. Rob explains how common changes like temporary openings can signal potential compromises. With actionable insights and the importance of tracking configurations, this conversation sheds light on enhancing security maturity in today's landscape.

Julie Tsai, CISO-in-Residence at Ballistic Ventures, joins the conversation to dissect the relevance of least privilege in modern security. She argues that concepts like dynamic access and just-in-time provisioning are still rooted in least privilege principles. The discussion highlights the importance of prioritizing critical assets and implementing controls tailored to industry needs. Julie also emphasizes how automation can ease access control challenges, ensuring more reliable processes and compliance in today's fast-paced tech landscape.