WE'RE IN!

Lieutenant General Lori Reynolds' (Ret., USMC) career journey from a Naval Academy graduate to a key figure in cybersecurity and information warfare illustrates the progression of military communications and cyber operations. Initially commissioned as a Marine Corps communications officer in 1986, Lori’s career took her from managing traditional radio communications to leading the Marine Corps Cyberspace Command. 

Tune in to hear how she played an important part in integrating cyber operations into the Marine Corps' combined arms approach and later spearheaded efforts to create a comprehensive information warfighting function.

Listen to learn more about: 

How China's cyber operations have become more sophisticated, quiet and focused on long-term strategic positioning

Why the threat now extends beyond cyberattacks to include technological exports and influence operations 

How Russia and other state actors are also engaged in hybrid warfare, operating below the threshold of conventional conflict

The Department of Defense Cyber Crime Center (DC3) operates a Vulnerability Disclosure Program (VDP) that handles critical cybersecurity issues reported by the public, including using an actual red phone for urgent matters. In the latest episode of WE’RE IN!, Melissa Vice, director of DC3’s VDP, describes how they respond to cyberthreats and collaborate with other groups within the center, such as the Operation Enablement Directorate and cyber forensics laboratory. 

Tune in to hear how the program, which began in 2016 following a successful bug bounty event, has processed over 53,000 reports, 56% of which were actionable, and resulted in nearly 30,000 remediated vulnerabilities.

Listen to learn more about:

Why VDP has been recognized by the government as a reliable and economical cybersecurity strategy 

How Melissa and her team handled the notorious Log4j vulnerability

How DC3 has explored the use of AI and machine learning to enhance capabilities and scale operations 

Hear from this season’s guests for their thoughts and predictions on AI and cybersecurity. We took sound bites from a range of WE’RE IN! interviewees, whose opinions on AI vary from thinking it’s overblown to being cautiously curious. Tune into this episode to better understand AI’s seismic effects on the infosec industry.

Bill Dunnion, chief information security officer at global telecommunications company Mitel, is well-versed in the critical nature of telecom infrastructure and the devices that support it. He’s also keenly aware of how his role as CISO is under increasing scrutiny from regulators around the world and in Canada, where Mitel is based. 

In this episode of WE’RE IN!, Bill expresses skepticism about AI, preferring the term "machine learning" for most current applications, but he acknowledges its potential benefits, such as improving threat detection.

Listen to hear more about: 

• How Bill's diverse background in telecom, IT, and security has provided him with a well-rounded perspective to approach his CISO role
• Why the integration of voice, data, and collaboration tools in enterprise communications presents new cybersecurity challenges
• Why security awareness is crucial for both professional and personal life 

Jen, a former military professional turned hacker, shares her journey into cybersecurity and her experiences with the Synack Red Team in the latest episode of WE’RE IN! She transitioned from fixing security issues to actively seeking vulnerabilities, inspired by her brother and motivated by her experiences at the storied hacker conference, DEF CON. Jen emphasizes the importance of skill development and preparation for women entering the male-dominated cybersecurity field, and discusses her preferred hacking tools and techniques.

In this episode of WE’RE IN!, Jennifer gives her take on AI in penetration testing, suggesting it should be used as a tool for initial reconnaissance but not for exploiting vulnerabilities. 
 

Listen to hear more about: 

• Why all of Jennifer’s smart home devices’ warranties are voided
• How anyone can be a hacker by following the Open Source Intelligence methodology to find vulnerabilities
• The importance of producing high-quality work and going above and beyond to gain trust in the pentesting industry

Sara Mosley, technical director for the Bureau of Diplomatic Security's Cybersecurity and Technology Services, works with the U.S. State Department to help identify threats and potential compromises. In her role, she advocates for a Zero Trust approach that focuses on protecting critical data rather than trying to secure everything equally. She recommends balancing security measures with mission needs to prevent users from circumventing security protocols.

In this episode of WE’RE IN!, Sara underlines the importance of collaboration between IT and security teams to adequately protect data and address relevant threats in anticipation of the September deadline for federal Zero Trust compliance.

Listen to hear more about:

• The role of the private sector in adopting Zero Trust frameworks and providing security tools
• Preparing for emerging technologies like quantum computing and their accelerated development due to AI advancements
• Why Sara believes hackers will initially benefit more from AI advancements than defenders

Cybersecurity has a complexity problem. A tangled web of technical, psychological, economic and geopolitical factors enable and motivate malicious actors. Michael Daniel, CEO and president of the Cyber Threat Alliance, is helping public and private organizations decode these complex motivations with information sharing, including the Ransomware Task Force. 

In this episode of WE’RE IN!, Michael elaborates on his "immune system" approach for the internet, a strategy where threats are quickly identified and neutralized. But this requires robust – and highly trusted – information sharing between groups. 

Listen to hear more about:

• The threat assessment for the 2024 Paris Olympics, highlighting potential threats from Russia and Azerbaijan
• The need for more resilient software systems that can degrade gracefully rather than catastrophically fail
• Michael’s thoughts on industry diversification and the value of different viewpoints in tackling cybersecurity challenges

Anand Prakash on cloud security startups and next-gen hacking 

Anand Prakash, founder of startup PingSafe, shares his insights on building a successful cybersecurity business and his experience as a top bug bounty hunter. He emphasizes the importance of fast execution, accountability and learning from mistakes when growing the company acquired by SentinelOne, where he’s now a senior director of product management. 

In the latest episode of WE’RE IN!, Anand touches on India's prominence in global tech – particularly in security research and bug bounty programs – and he shares his personal journey into cybersecurity, which began with a curiosity about hacking at a young age in cyber cafes. 

Listen to hear more about: 

• How bug bounty programs have evolved, with companies now more open to ethical hacking due to increased awareness of data breaches
• The viability of government efforts to reduce entire classes of vulnerabilities like SQLi
• If AI is effective in improving red teaming and bug bounty hunting

Ads Dawson, release lead and founding member for the Open Web Application Security Project (OWASP) Top 10 for Large Language Model Applications project, has no shortage of opinions on securing generative artificial intelligence (GenAI) and LLMs. With rapid adoption across the tech industry, GenAI and LLMs are dominating the conversation in the infosec community. But Ads says the security approach is similar to other attack vectors like APIs. First, you need to understand the context of AI-related vulnerabilities and how an attacker might approach hacking a particular AI model. 

In the latest episode of WE’RE IN!, Ads talks about including threat modeling from the design phase when integrating GenAI into applications, and how he uses AI in his red teaming and application security work. 

Listen to hear more about: 

The misuse of AI, such as creating deep fakes for financial gain or manipulating powerful systems like the stock market 

The role of governments in securing the AI space and the concept of “safe” AI

How the infosec community can contribute to OWASP frameworks

Integrating security into the product development lifecycle is a tall order for any industry. It’s particularly challenging for healthcare, with its wide range of critical needs from HVAC systems to medical devices. Kevin Tambascio, director of cybersecurity data and application protection at Cleveland Clinic, juggles the need for constant vigilance and staying updated on fast-moving threats to hospitals.

In the latest episode of WE’RE IN!, Kevin discusses the importance of compliance and risk assessment, noting that while compliance with rules like HIPAA is crucial, it's equally important to pressure test controls against real-world threats. Ransomware targeting hospital data is the primary threat, while phishing and potential abuse of generative AI also pose significant risks. 

Listen to hear more about: 

• The benefits of forming an AI task force to enact safe and responsible procedures while enabling clinicians and researchers to explore AI’s potential
• Effectively communicating cyber threats to non-technical staff by relating them to potential impacts on patient safety and business operations
• Application security in healthcare; applications often have access to sensitive patient health information and can be potential entry points for cyber threats