- CISO Series Newsletter
Join us tomorrow for "Hacking AI in Meetings"
Super Cyber Fridays!
Join us TOMORROW, Friday [09-05-25], for "Hacking AI in Meetings"
Join us Friday, September 5, for “Hacking AI in Meetings: An hour of critical thinking about how to avoid liability while getting value from your recordings.”
It all begins at 1 PM ET/10 AM PT on Friday, September 5, 2025, with Joe Essenfeld, CEO, FORA, and Doug Mayer, vp, CISO, WCG. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, FORA
Defense in Depth
How Are You Managing the Flow of AI Data
We have a hard enough time managing the flow and security of data with humans. How are we supposed to address the speed and scale of data flows as we operationalize agentic AI?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is our sponsored guest Mokhtar Bacha, founder and CEO, Formal.
Listen to the full episode here.
Access management faces transformation
The current approach to identity and access management is nearing obsolescence. Organizations run increasingly complex digital environments that traditional systems cannot adequately secure. Justin Pagano from Klaviyo delivers a stark warning: "I don't think anyone is prepared for how radically different access management/governance is going to need to look in 2-3 years." This transformation requires moving beyond rigid, binary permissions toward more nuanced, contextual access decisions. Jens Schubert from Puls Security proposes a specific evolution: "My choice for the future is SADAC (Security Attributes Based Dynamic Access Control). Classic tools are too narrow or too broad in their approach." Treat every interaction as a security-attribute-based transaction that considers the individual risk profile of each request.
AI agents demand new authentication paradigms
Adding AI to the access management mix doesn't make anything easier. "Today's AI agents typically perform tasks on behalf of a user. The system should only have access to APIs that the current user is authorized to use," said Khash Kiani from ASAPP. This user-centric approach requires sophisticated authentication mechanisms, including custom headers, OAuth 2.0 flows, and specialized authorization systems. The complexity multiplies when considering data protection. Dutch Schwartz from SideChannel highlights the expanding attack surface: "Classic DLP was a good concept, but less than 9 percent of enterprises ever deployed it in full blocking mode, everywhere." Organizations must now protect data across various AI use cases, including employee chatbot usage, retrieval-augmented generation (RAG) systems, and fine-tuned models.
AI complexity demands simplified governance approaches
AI systems create a paradox where technology meant to simplify operations actually complicates security governance. As Jonathan Waldrop, former CISO at The Weather Channel, put it: "I thought AI was supposed to solve problems, not create more complicated ones." His solution calls for understanding the system's purpose, identifying required access, and granting only necessary permissions before iterating. However, AI exacerbates existing governance challenges. "With SaaS-to-SaaS integrations, and API keys everywhere, there's no single chokepoint for governance. AI systems just threw fuel on the fire," said Mike Van Orden from Emanate Security. The risk increases because AI workflows can utilize the full scope of available access. They can take bad access policy and abuse it at scale.
Data-centric identity management replaces role-based approaches
The more we shift to AI-driven operations, the more the limitations of traditional role-based access control come into focus. This was arguably overdue. "I think the core focus of IAM has needed a 'kick in the pants' to move away from RBAC (role-based access control) anyway. The key risk for most organizations is access to data, so identity needs to focus on that vector," argued Terry O'Daniel, CISO of Scribe. In AI-enabled environments, the primary security concern isn't what role someone holds, but what data they can access.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, Formal
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Understanding the Threat of Hyper Personalized Attacks
At Black Hat 2025, Bobby Ford, chief strategy officer at Doppel, explained how AI has fundamentally changed social engineering. What once took hours of manual research now happens in seconds across thousands of targets, making it nearly impossible for employees to spot what’s fake.
Unlike traditional tools that only monitor email, Doppel tracks across email, social media, phone calls, and help desks, then connects the dots through a threat graph to take down entire operations.
Click here to read more.
Thanks to our sponsor, Doppel
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Ray Espinoza, vp of information security, Elite Technology.
Thanks to our Cyber Security Headlines sponsor, ThreatLocker
Cyber chatter from around the web...
Jump in on these conversations
“A hacker used AI to automate an 'unprecedented' cybercrime spree” (More here)
“How important is risk & threat management knowledge for cybersecurity roles?” (More here)
“Threat actor spent 40 minutes obfuscating a redirect, forgot to pay his hosting bill.” (More here)
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[09-05-25] Hacking AI in Meetings
[09-12-25] Hacking Managed Services
[09-19-25] Hacking Critical Infrastructure
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.