Join us tomorrow for "Hacking Critical Infrastructure"

Super Cyber Fridays!

Join us Friday, September 19, 2025, for “Hacking Critical Infrastructure: An hour of critical thinking about thoughtful modernization for the things that can't fail.”

It all begins at 1 PM ET/10 AM PT with guests Joel Burleson-Davis, CTO, Imprivata, and Shaun Marion, VP and CSO, Xcel Energy. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Imprivata

Defense in Depth
What New Risks Does AI Introduce?

Just when we haven't solved the proliferation of Shadow IT, we're now dealing with Shadow AI. While much is the same, the "newness" is the scale and speed of AI advancement. We've been talking about digital transformation in the enterprise for several decades now. Is AI throwing a wrench into our very linear management process?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is our sponsored guest, Kara Sprague, CEO, HackerOne.

Listen to the full episode here.

Shadow AI as a control problem

The proliferation of AI tools in organizations can be daunting, but it is not as fundamentally new as it first appears. As Shyama Rose of Affirm observes, "This is not the first time we have had to adapt rapidly. Previous shifts like SaaS sprawl and decentralized API use taught us how innovation often outpaces governance." While AI adoption often happens outside security's line of sight, she emphasizes that "embedded AI is still just a third-party dependency" that must be evaluated and governed like any other technology. Patrick McFadden of Thinking OS sees it as accelerating something we already struggle with: "Third-party AI isn't a vendor risk problem. It's a cognition control problem: Shadow IT became shadow AI, features became agents, plugins became inference surfaces. If your organization doesn't control how cognition enters the system, it doesn't control the system."

Rethinking identity for autonomous agents

Traditional identity management frameworks struggle to accommodate AI agents that operate independently of human oversight. Matt Doughty of Prefactor explains that "human-centric identity models simply aren't designed for the unique nature of AI agents. Managing agents like employees is a shortcut that won't scale." When agents act autonomously, fundamental questions about access control, blast radius management, and audit trails become far more complex. His solution: "Every agent needs its own distinct identity. Think of it as an agent's passport: explicitly scoped to its function, inherently portable across environments, and fully auditable for every action it takes." Mike Toole of Blumira takes a more pragmatic approach to controlling the sprawl: "give users access to better, easier options internally that we control and heavily test. Then moving connections and OAuth grants to an allow list model to limit 'random shiny AI product testing.'"
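To make the two ideas in this segment concrete, here is an added example in Python. It is not code from the page, from Prefactor or from Blumira. It mints an "agent passport" as a signed, short-lived credential that carries explicit resource:action scopes, puts every agent request through one gate that enforces those scopes and writes an audit record keyed to the agent (not the human who owns it), shows that a compromised host cannot quietly add a scope to its own passport, and finishes with the allow-list review of OAuth grants. The signing key, agent name, scopes and grant records are all constructed for illustration; in production the credential would come from the identity provider rather than a shared HMAC key.

```python
"""Added example: per-agent scoped identity with an audit trail, plus an
OAuth-grant allow list. Names, key, scopes and grant records are constructed."""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"demo-only-rotate-me"  # assumption: a shared HMAC key stands in for the IdP

def _canon(body: dict) -> bytes:
    """Canonical JSON so the signature covers exactly one byte sequence."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()

def issue_passport(agent_id: str, owner: str, scopes, now: int, ttl_s: int = 900) -> str:
    """Mint a distinct identity for one agent: explicit 'resource:action' scopes,
    a short expiry, and the owning human recorded for accountability only.
    The agent inherits nothing from the owner's own permissions."""
    body = {"sub": agent_id, "owner": owner, "scopes": sorted(set(scopes)),
            "iat": now, "exp": now + ttl_s}
    raw = _canon(body)
    sig = hmac.new(SIGNING_KEY, raw, hashlib.sha256).digest()
    return _b64(raw) + "." + _b64(sig)

def verify_passport(token: str, now: int) -> dict:
    """Reject malformed, forged or expired passports; return the claims otherwise."""
    try:
        raw_b64, sig_b64 = token.split(".")
        raw = base64.urlsafe_b64decode(raw_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    expected = hmac.new(SIGNING_KEY, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad signature")
    body = json.loads(raw)
    if now >= body["exp"]:
        raise PermissionError("expired")
    return body

AUDIT = []  # every decision lands here, attributed to the agent identity

def act(token: str, resource: str, action: str, now: int) -> bool:
    """Single enforcement gate for agent actions: verify, check scope, record."""
    want = f"{resource}:{action}"
    try:
        body = verify_passport(token, now)
        agent = body["sub"]
        reason = "ok" if want in body["scopes"] else "out of scope"
    except (PermissionError, ValueError, KeyError) as exc:
        agent, reason = "unverified", str(exc)
    allowed = reason == "ok"
    AUDIT.append({"ts": now, "agent": agent, "requested": want,
                  "allowed": allowed, "reason": reason})
    return allowed

def tamper_scopes(token: str, extra_scope: str) -> str:
    """Simulates a compromised host editing its own passport to add a scope
    while keeping the original signature. verify_passport must reject it."""
    raw_b64, sig_b64 = token.split(".")
    body = json.loads(base64.urlsafe_b64decode(raw_b64))
    body["scopes"].append(extra_scope)
    return _b64(_canon(body)) + "." + sig_b64

# Allow-list model for third-party connections: anything not listed is flagged
# for revocation or review instead of being discovered months later.
APPROVED_OAUTH_APPS = {"internal-ai-assistant"}  # constructed allow list

def review_grants(grants):
    """Return the OAuth grants whose app is not on the allow list."""
    return [g for g in grants if g["app"] not in APPROVED_OAUTH_APPS]

# Constructed records, shaped loosely like an IdP's OAuth consent export.
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "app": "internal-ai-assistant", "scopes": ["files.read"]},
    {"user": "bob@example.com", "app": "shiny-ai-summarizer", "scopes": ["mail.readwrite"]},
]

if __name__ == "__main__":
    now = 1_700_000_000
    tok = issue_passport("ticket-triage-bot", "alice@example.com",
                         ["tickets:read", "tickets:comment"], now)
    print(act(tok, "tickets", "read", now))                       # True
    print(act(tok, "tickets", "delete", now))                     # False: out of scope
    print(act(tamper_scopes(tok, "tickets:delete"), "tickets", "delete", now))  # False
    print(act(tok, "tickets", "read", now + 901))                 # False: expired
    print([g["app"] for g in review_grants(SAMPLE_GRANTS)])      # ['shiny-ai-summarizer']
    print(AUDIT[-1])
```

The gate returns a boolean but the audit entries are the real product: each one names the agent, the exact resource:action requested, and why it was refused, which is what "fully auditable for every action it takes" has to mean in practice. The allow-list review is deliberately blunt; pairing it with a sanctioned internal tool, as the quote suggests, is what keeps users from routing around it.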

When process meets momentum

Security teams find themselves in reactive mode as AI adoption accelerates beyond traditional governance frameworks. "Ideally, AI tools should follow the same evaluation, onboarding, and hardening processes we use for any new service. But in reality, that's becoming harder to sustain," said Jared Mendenhall of CyberCISO. This isn't just about new tools. Your existing platforms are being reshaped by AI, often without advance notice, while executives push for rapid implementation. "As a result, security is frequently left in a reactionary mode, left to assess risk and find security solutions post deployment," he explains. "This isn't a breakdown of process. It's a case of security process being overrun by momentum, and we need to adapt accordingly."

Beyond blocking: channeling AI usage

The traditional security approach of simply disabling AI tools creates an illusion of control that backfires in practice. Christian Rose of TSB New Zealand explains the challenge: "I spend a lot of my day disabling AI toolsets within apps, but educating users about the risks not just of data but of the queries they are typing into AI toolsets is still key." The fundamental problem is human nature. Straight prohibitions will drive users to find alternatives outside organizational visibility. His solution shifts from restriction to redirection: "Any forward-thinking company today needs to provide an approved tool internally, correctly implemented and monitored, to make sure data is correctly labelled, but channel everyone through something you know about so you can deal with the inevitable issues which will come up."

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks also to Brock Roderick of TSB New Zealand for being an unwitting contributor to this episode.

Huge thanks to our sponsor, HackerOne

Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

How CISOs Make the Business Care About Cybersecurity

Last month’s AMA on r/cybersecurity tackled one of the hardest challenges for security leaders: getting the business to care.

A big thanks to our participants for sharing how they built trust, proved value, and moved beyond fear-based selling.

  • Richard Marcus (u/richardmarcus), CISO, AuditBoard

  • Adam Glick (u/glicksecurity), CISO, PSG Equity

  • Kathleen Mullin (u/kmullin1123), CISO, My Virtual CISO; Director, SABSA Institute

  • Joshua Scott (u/sircalibur), CISO, Hydrolix

  • Montez Fitzpatrick (u/MadKingZ3R0), CISO, Navvis

From aligning security goals with growth, to showing ROI when nothing breaks, to navigating insurance pitfalls and board conversations, their insights drew a lively discussion from the community.

Read highlights from the AMA here.

Next up: “I’m a security professional who had to clean up a mess. Ask Me Anything.” Starting Sunday, September 21 on r/cybersecurity.

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guests will be Jack Kufahl, CISO, Michigan Medicine, and Nick Espinosa, host, The Deep Dive Radio Show.

Thanks to our Cyber Security Headlines sponsor, Drata

Cyber chatter from around the web...
Jump in on these conversations

“Is burnout just part of the job in security?” (More here)

“User reported someone remoted into his virtual machine” (More here)

“What’s a security product you thought was super expensive but turned out to be a great deal?” (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [09-19-25] Hacking Critical Infrastructure

  • [09-26-25] Hacking Security Theater

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.