Wait, SMS Doesn’t Stand for “Super Mega Secure?”
CISO Series Podcast
SMS messages don't have a great security reputation. We can thank SIM swapping attacks for that. But there's also a whole supply chain for delivering these messages that is an underappreciated attack surface.
This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining us is our sponsored guest, Brian Long, CEO, Adaptive Security.
Listen to the full episode here.
Hiring North Korean operatives on a Tuesday
It used to be that hiring a secret North Korean operative would be the stuff of overwrought spy novels. Now it's just Tuesday for security teams. Talk about innovation. A story in The Register about Vidoc Security Lab almost falling for hiring two North Korean operatives in two months shows how sophisticated these scams have become. Both candidates sailed through initial interviews with strong backgrounds and legit LinkedIn profiles, only to fall apart during video calls with laggy appearances and ChatGPT-sounding answers. This isn't just an identity verification challenge. Our entire hiring process was designed around in-person interactions that COVID completely derailed. Commodity deepfake tech has made exploiting this insecure business process trivial.
AI coding and the death of specifications
Using AI Copilots for coding is THE use case everyone points to for LLMs. AI-generated code can usually pass static analysis tests. But you can get hurt when the rubber meets the road, with missing input validation or bypassed authorization flows. A thread on the cybersecurity subreddit points out that developers who submit AI code still need to "own it" and check their work. The real problem isn't vibe coding. It's that LLMs are trained by watching us. When your training set includes all of humanity's insecure software habits, these tools will repeat the same bad patterns. Just because LLMs can generate code quickly doesn't mean we no longer need production processes. Ideally, AI agents should first write specifications, then add security requirements, then create code and test cases.
Deepfake personas beyond video calls
Everyone thinks about deepfakes as making fake videos of people. However, the real threat is deepfake personas, which utilize open-source intelligence about individuals to provide attackers with instant context. Most interactions aren't happening over video anyway. But they happen all the time over voice calls, SMS, WhatsApp, email, and LinkedIn. The amount of context that large language models can pull together is staggering. Using just a LinkedIn URL, researchers found the name of an employee's five-month-old daughter because his wife had posted a job listing that included the child's name for the first 20 seconds before auto-saving. We must account for LLMs that can find and index that kind of data instantly.
The middleman problem with SMS
Supply chain security isn't restricted to software; it applies to communications as well. A new investigation by Lighthouse Reports revealed that millions of "secure" login codes from most major tech platforms were being routed through a controversial Swiss contractor linked to surveillance operations. Blame this on companies saving money by using a sprawling network of subcontractors and "lowest cost routing," where each middleman promises to shave costs. But any middleman can see everything passing through its system, and there are always more middlemen than you expect. So all those codes that say "do not share with anyone" may have already been shared with just about anyone.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Louis Zhang, AIA Australia, for providing our "What's Worse" scenario.
Huge thanks to our sponsor, Adaptive Security
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Transforming Asset Visibility with Trend Micro
In this episode, Franz Fiorim, Field CTO at Trend Micro, explains how their Cyber Risk Exposure Management (CREME) solution addresses asset visibility challenges through continuous asset discovery and risk prioritization across the entire attack surface. Joining him are Krista Arndt, Associate CISO at St. Luke’s University Health Network, and Brett Conlon, CISO at American Century Investments. They discuss how CREME consolidates external attack surface management, cloud security posture management, and vulnerability remediation into a unified platform that discovers hidden assets through multiple methods, including agentless cloud integrations, network discovery sensors, and third-party API connections.
Read the full article and listen to the episode here.
Thanks to our podcast sponsor, Trend Micro
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
What I love about cybersecurity…
“I love that in cybersecurity, we are unquestionably the good guys. I've worked across many different industries, but it's a great industry to be in because we're doing something really good for people.” - Brian Long, CEO, Adaptive Security
Listen to the full episode of “Wait, SMS Doesn’t Stand for ‘Super Mega Secure?’”
The Pattern of Early Adoption of Security Tools
"If you want to be successful breaking into the market as a startup, you really have to define what your product is, what it’s solving, and who your customer is—both in size and vertical. That’s the story that resonates, especially with SMBs." - Hadas Cassorla, principal consultant, SideChannel
Listen to the full episode of “The Pattern of Early Adoption of Security Tools”
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Security You Should Know Newsletter - Weekly
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guests will be Jack Kufahl, CISO, Michigan Medicine, and Nick Espinosa, host, The Deep Dive Radio Show.
Thanks to our Cyber Security Headlines sponsor, Drata
Super Cyber Fridays!
Join us Friday for “Hacking Critical Infrastructure”
Join us on Friday, September 19th, 2025, for Super Cyber Friday: “Hacking Critical Infrastructure: An hour of critical thinking about thoughtful modernization for the things that can't fail.”
It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Joel Burleson-Davis, CTO, Imprivata, and Shaun Marion, VP and CSO, Xcel Energy, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.
Thanks to our Super Cyber Friday sponsor, Imprivata
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.