Chasing Entropy Podcast by 1Password

This podcast is an interview series with career professionals in cyber security as we get their takes on shadow IT, extended access control, agentic AI and how they arrived at this point in their careers. 

  1. 32

    Chasing Entropy Podcast: Matt O'Leary on M&A, Partnerships, and Security Risk

    In this episode of The Chasing Entropy Podcast, I talk with Matt O'Leary, who leads M&A and strategic partnerships at 1Password, about what changes when security is tied directly to the product, the brand, and the deal itself.

    The core idea is simple. When a company makes an acquisition, it inherits the whole business, not just the part that looked attractive in the pitch. That includes the technology, the team, the process gaps, the legal exposure, and any security weaknesses that were not obvious at first glance. O'Leary makes the case that strong dealmaking starts with risk discipline, because a transaction only creates value if the company can integrate what it buys without importing problems that slow everything down.

    He also explains that good corporate development starts with the roadmap, not the deal. An acquisition makes sense when it helps the company move faster than building on its own. That is why corp dev has to stay tightly aligned with product, engineering, and security leadership. In a cybersecurity company, technical diligence carries extra weight. If a target has a serious security or technology issue, that is not a detail to clean up later. It is a reason to walk away.

    The conversation also sharpens the distinction between partnerships and acquisitions. O'Leary argues that deep partnerships can create major leverage because they expand reach, increase product value, and connect a platform to the tools customers already use. But they also transfer risk. If two companies are tightly integrated, trust becomes shared. A failure on one side can damage both. In that sense, partnerships may be lighter than acquisitions, but they still demand the same seriousness around diligence, reputation, and customer impact.

    One of the strongest parts of the episode is the discussion about integration. O'Leary is clear that post-close integration is the hardest part of M&A. Retaining key people, understanding founder motivation, aligning technical architecture, and planning how products and teams will come together all matter before the announcement, not after. The lesson is practical. Do the hard work up front. Know what has to be true on day zero, and what could break if it is not handled early.

    For anyone interested in corporate development, O'Leary’s advice is direct. Curiosity matters more than a fixed career path. The best operators learn across functions, ask better questions, and build enough context to understand how product, security, legal, and finance decisions connect. For founders, his advice is just as clear. Build relationships with corp dev teams before you want an outcome. Trust and credibility take time, and good deals depend on both.

    Listen to the full episode, then pull up your current acquisition or partnership checklist and pressure-test it against the issues raised here: roadmap fit, technical and security diligence, founder retention, integration readiness, and customer communication.

  2. 31

    Chasing Entropy Podcast: Dustin Heywood on Agentic AI, Quantum Risk, and Why Identity Still Breaks First

    In this episode of The Chasing Entropy Podcast by 1Password, I speak with Dustin Heywood, known to many as EvilMog, executive managing hacker and senior technical staff member at IBM. The conversation stays grounded in real security work, from password cracking and Active Directory abuse to AI privilege creep and quantum planning. The through line is simple: most security failures start with access, trust, and bad assumptions about how systems behave under pressure.

    Heywood’s background explains why he sees the problem this way. He came up through network engineering, military communications, enterprise infrastructure, and offensive security. That path matters because his view of security is operational, not theoretical. He keeps coming back to one point: businesses are not trying to be secure for its own sake. They are trying to keep operating. Security has to support that goal or it gets bypassed.

    A big part of the episode focuses on agentic AI. Heywood argues that AI is exposing access problems that were already there. Service accounts already had too much privilege. Internal systems already trusted broad integrations. AI agents just make those weaknesses easier to trigger at scale. His main concern is the gap between identity and intent. A user might want an agent to buy concert tickets under a clear budget and time window, but today’s systems rarely encode that level of permission. In practice, the agent often gets broad backend access and can do far more than the task requires.

    That leads to the episode’s strongest point about machine identity. Most organizations still think clearly about human access and far less clearly about machine access. That model does not hold up when a company has thousands of employees and tens of thousands of machine identities tied to services, devices, integrations, and automation. If those identities are overprivileged, an AI layer on top of them becomes a force multiplier for existing risk.

    The discussion then shifts to quantum threats, and Heywood makes the issue concrete. He is less focused on dramatic “decrypt everything later” scenarios and more focused on the systems around the data. If quantum-capable attacks weaken the trust layers behind OpenID Connect, SAML, certificate authorities, VPN certificates, and federation systems, attackers do not need to break every encrypted file directly. They can go after the identity and key infrastructure that grants access. That is the planning problem security leaders need to understand now.

    His advice on crypto agility is practical. Start with inventory. Know where cryptography lives in your environment, how certificates are issued and renewed, and what would have to change if a major algorithm or trust model becomes unusable. He also points out that many companies still struggle with certificate management at a basic level. If certificate rotation is manual, the organization is already behind. Automation is not optional here.

    On credentials, Heywood takes a hard line that is worth adopting: assume every password entered into a remote system will eventually leak. That changes the goal. The answer is not more password theater. The answer is unique credentials, automated rotation where possible, stronger storage, and lower user friction. If security makes daily work harder, people will work around it. He is blunt about that, and he is right.

    This episode is most useful for security leaders who are dealing with AI adoption, identity sprawl, legacy authentication, or PKI debt and need a clearer way to frame risk. Heywood does not treat security as a checklist exercise. He treats it as a systems problem tied directly to business operations, user behavior, and the cost of getting access control wrong.

  3. 30

    Chasing Entropy Podcast [Season 2 episode 002]: Allie Mellen on Code War and The Real Logic Behind Cyber Conflict

    Cyber conflict makes more sense when you stop treating it like a technical sideshow and start looking at history, doctrine, and political intent. In this episode of Chasing Entropy, Dave Lewis sits down with analyst and author Allie Mellen to discuss the ideas behind her book Code War, and why the cyber strategies of the United States, China, and Russia reflect much older national patterns.

    Mellen’s central argument is clear. Cyber attacks are powerful, but not because they replace conventional force. They matter most when they are coordinated with military action, intelligence work, and influence campaigns. That thread runs through the whole conversation, from the Gulf War to Russia’s war in Ukraine. The point is not that cyber stands alone. The point is that cyber becomes far more effective when it is part of a larger campaign with a defined objective.

    That framing leads to one of the episode’s strongest ideas: history still shapes how nations operate online. Mellen traces the US approach back to a culture of experimentation and technical tinkering. China’s cyber ecosystem grew out of hacktivism and state-linked talent pipelines. Russia’s path was shaped by post-Soviet collapse, where cybercrime became tied to survival and later overlapped with state interests. Those origins still show up in how these countries organize teams, define targets, and pursue advantage.

    The conversation also pushes back on the way cyber conflict is usually portrayed. Pop culture tends to reduce it to a screen full of code and a few elite operators. Mellen argues that this misses the real story. Cybersecurity is technical, but the motivations behind cyber campaigns are understandable. Power, leverage, coordination, survival, influence. Those are not obscure concepts. They are the same forces that shape conflict everywhere else. One of the more memorable examples in the episode is her explanation of how WarGames helped push US policymakers to take computer security seriously in the 1980s. Public narratives matter, even when they get the details wrong.

    Another key theme is attribution. Mellen argues that defenders need to understand who is behind an operation, not just what malware was used. Attribution helps explain motivation, likely targets, and what may come next. That matters for governments, but it also matters for enterprises building realistic threat models. If you understand how a group operates and what it wants, you can make better decisions before the next incident lands.

    The final stretch of the episode focuses on AI, and the tone is sober. Mellen sees real value in automation, especially where AI can speed up workflows and reduce manual effort. She also sees a harder problem taking shape. AI lowers the cost of deception, makes false flag activity easier, and complicates attribution. Add that to a more fragmented internet and a more unstable geopolitical environment, and the result is a tougher operating environment for defenders.

    This episode is a strong listen for anyone trying to understand how cyber power actually works in practice. Listen to the full conversation, pick up Code War, and then review whether your threat model still treats cyber as a stand-alone technical problem. That assumption is getting harder to defend.

    Click for Allie's Book

  4. 29

    Chasing Entropy Podcast [Season 2 episode 001]: Bob Lord on Hacklore, Secure By Design, and Why Incentives Matter

    SEASON TWO HAS LANDED! Bob Lord has spent decades building and leading security programs, from early internet crypto work at Netscape to roles at Twitter, Yahoo, the Democratic National Committee, and CISA. In this episode, he and host Dave Lewis get practical about a simple problem: the security advice most people hear does not match how real compromises happen.

    We start with the myths Bob tracks on Hacklore, then move into what “secure by design” looks like when you treat software security as an outcomes and incentives problem, not a checklist problem. The conversation closes with AI, dependency chains, and the career advice Bob gives to people trying to break into security.

    “Secure by design” is an incentives problem, not a technology problem

    When Bob talks about secure by design, he is deliberately not trying to write another technical framework. Plenty exist. His question is different.

    If we already know how to prevent a long list of common issues, why do we keep shipping the same defects?

    His answer is uncomfortable and practical: incentives.

    He draws a line to quality and safety movements outside software, especially automotive safety. Car companies used to compete on lifestyle and appearance, not safety. Customers did not know what to ask for. Manufacturers had little reason to prioritize safety until norms, regulation, and accountability shifted.

    Software, in his view, is still in the pre-seatbelt era. We have normalized shipping unsafe components, building with unsafe processes, and delivering unsafe defaults. Then we act as if customers should be able to configure their way out of systemic risk.

    From that lens, CISA’s Secure by Design work focuses on three principles:

    Take ownership of customer security outcomes. Shipping a patch is not enough if you do not know whether customers update. Measure adoption and remove friction.

    Embrace radical transparency. Make vulnerability handling easier, not adversarial. Build real safe harbor for good-faith research.

    Lead from the top. Meaningful change is driven by senior business leadership. You do not delegate quality to the quality team, and you do not delegate security outcomes to security teams alone.

    AI: the risk is permission amplification, not “AI is spooky”

    The AI section lands because it stays concrete. Dave shares a story where an internal LLM was asked, “Who at the company doesn’t like me?” The system reportedly queried HR data and responded. Bob uses that to highlight a predictable failure mode: agentic systems can become permission amplifiers.

    In many organizations, no single person has the ability to pull data from email, chat, and HR systems, then fuse it into a targeted answer. But companies are increasingly giving AI systems broad access paths without mature roles, rights, and auditing. Then we try to patch over it with soft instructions like “don’t be evil.”

    Bob’s point is not anti-AI. It’s pro-accountability. If the system can take actions and surface sensitive conclusions, you need guardrails that reflect that power.

    Supply chain reality: “It’s upstream” is not a defense

    Open source comes up in the context of underfunded teams who cannot afford premium tooling. Bob agrees the constraint is real, but he pushes back on the industry habit of outsourcing responsibility.

    If a defect ships in your product, it’s yours, even if it came from upstream.

    He also calls out a common failure pattern: vendors using unmaintained dependencies for years, sometimes far longer, and not giving customers visibility into what is actually inside the product. SBOM practices exist. Some companies do this well. Many do not.

    Mentioned in the episode

    https://hacklore.org
    https://pwn.college

  5. 28

    Chasing Entropy Podcast 027: Building Zero Trust and Human-Centric Security with Kane Narraway

    In this episode of Chasing Entropy, I sit down with Kane Narraway, a security leader who has built and scaled Zero Trust environments at companies like Atlassian, Shopify, and Canva. Together, we explore the evolution of cybersecurity, from digital forensics to agentic AI, and the ongoing tension between innovation and control.

    From Forensics to Frameworks

    Kane’s journey into cybersecurity began with a fascination for hardware, inspired by tinkering with spare computer parts from his grandfather. That curiosity led him into networking, digital forensics, and ultimately enterprise security, laying the foundation for a pragmatic approach to defense. He recalls the early days of building Zero Trust architectures before the term became an industry buzzword, emphasizing how early implementations were often “collections of Python scripts” long before robust vendor solutions emerged.

    The Last Mile of Zero Trust

    Kane and I discuss the progress and pitfalls of Zero Trust adoption. While modern identity and access systems have made implementation easier, Kane argues that the industry still leans too heavily on network-level controls. “The point of Zero Trust was to stop relying on networks,” he notes, describing lingering issues like single-factor API keys and limited endpoint-level enforcement. His team’s experiments with proxy-based access models highlight how innovation often means rethinking, not just reinforcing, old ideas.

    The AI Security Dilemma

    The conversation turns to agentic AI, autonomous systems capable of acting on credentials and data. Both Kane and I express concern that current security strategies, built for humans, are ill-suited for bots. “We’ve spent so long protecting human users,” Kane warns, “but now service accounts and AI agents are our weakest link.” We explore real-world examples, including AI prompt injection attacks, and question how organizations can extend Zero Trust principles to these new autonomous entities.

    Governance, Responsibility, and “Bot Jail”

    As AI governance becomes a boardroom topic, Kane and Dave tackle the thorny question of accountability: when an AI system goes rogue, who’s to blame? We mused about the idea of a “bot jail,” underscoring that explainability and traceability, not just prevention, are essential in the age of automation.

    Building Security Cultures that Fit

    Beyond technology, Kane offers insights into building effective security teams that align with company culture. At Shopify, for instance, strong platform alignment meant setting clear principles and empowering teams to work autonomously. His advice for leaders: build around your organization’s DNA, not against it.

    Measuring What Matters

    Security impact can be hard to quantify. Kane recommends balancing operational metrics with threat intelligence and industry trend data, using reports like Verizon’s DBIR as directional guides. As credential-stuffing attacks decline and software supply chain threats rise, he stresses the importance of adapting defenses to real-world attacker behavior.

    Advice for the Next Generation

    For newcomers to cybersecurity, Kane’s advice is simple but grounded: “Do whatever you have to do to get in, and then find your passion.” Not everyone needs to start in red teaming; roles in governance, blue teams, or compliance can open doors and build transferable skills.

    Closing Notes

    After a wide-ranging discussion, I close with this question: coffee or tea? For Kane, it’s coffee at heart, but tea in practice. The perfect metaphor, perhaps, for the compromises every security leader makes between passion and practicality.

    Listen to the full episode of the Chasing Entropy Podcast on YouTube or your favourite podcast platform. Be sure to like and subscribe! Hosted by Dave Lewis, Global Advisory CISO at 1Password.

  6. 27

    Chasing Entropy Podcast 026: Identity, AI, and the Future of Trust with Joseph Carson

    In this episode of the Chasing Entropy Podcast, I am joined by Joe Carson, Chief Security Evangelist and Advisory CISO at Delinea (formerly Thycotic), to explore how personal history, technology evolution, and emerging AI challenges shape the cybersecurity landscape.

    From Gaming to Global Security

    Joe shares his journey from growing up in Belfast with an early passion for gaming and coding, to building a decades-long career in IT and security. His path included pivotal moments—like responding to a massive DDoS attack in the early 2000s—that transformed his focus from systems administration to dedicated security research and identity protection.

    Identity as the New Perimeter

    Together, Dave and Joe examine how identity has evolved: from managing devices and offices to today’s world of bring your own identity and now bring your own agent. With AI agents increasingly requiring credentials and access, they emphasize the urgent need to rethink identity governance—not just for humans, but also for machines and autonomous systems.

    AI, Governance, and Regulation

    The conversation dives into the EU AI Act, GDPR, and the risks of poorly governed AI adoption. Joe highlights the importance of a risk-based approach to regulation, transparency in AI decision-making, and the critical role of explainability as the foundation of digital trust in the coming years.

    Practical Analogies and Lessons

    Using the metaphor of an alarm clock evolving from simple to “agentic,” Joe illustrates how seemingly harmless technologies can become critical risk points as they accumulate access to health, financial, and personal data. The discussion reinforces why privilege management and least-access principles are more crucial than ever.

    Key Takeaways

    Identity is central: securing human and non-human access alike is now a strategic priority.
    AI needs governance: explainability and accountability must be built in from the start.
    Community matters: cybersecurity is sustained not just by technology, but by mentorship, collaboration, and shared experience.

    🔗 Be sure to like, subscribe, and share the Chasing Entropy podcast. And if you’re attending a security conference soon—keep an eye out for Joe Carson; he’ll probably be there.

  7. 26

    Chasing Entropy Podcast 025: Heidi Potter on Building Community and Leading with Kindness

    In this episode of Chasing Entropy, I sit down with Heidi Potter, longtime organizer of ShmooCon and now CEO of Turngate, for a heartfelt conversation about community, chaos, and legacy in cybersecurity.

    From ShmooCon to What’s Next

    For 20 years, Heidi helped shape ShmooCon into one of the most influential community-driven conferences in the industry. She reflects on the decision to sunset the event, sharing stories of the unexpected impact it had: first talks that launched careers, lifelong friendships, even marriages that began at the con. What started as a grassroots gathering became a cornerstone of hacker culture, thanks to her team’s dedication and her philosophy of “happy staff, happy event.”

    Lessons in Transparency and Leadership

    Heidi shares how ShmooCon embraced radical transparency through its Own the Con sessions—revealing the financial realities, challenges, and choices behind running a conference. She explains why building the right team and treating the venue itself as part of that team are essential to success. Her guiding principle of “lead with kindness” underscores both her event leadership style and her approach to life.

    Stories, Chaos, and Community Magic

    From snowstorms that stranded attendees for days, to the legendary “Shmoo Bus,” to the serendipity of LobbyCon, Heidi and Dave trade stories that highlight the humor, chaos, and magic that defined the event. For Heidi, coordinating chaos isn’t just a skill, it’s a way of finding order, meaning, and connection in unpredictable moments.

    Looking Forward

    While ShmooCon has closed its doors, Heidi isn’t done building community. She’s already laying the groundwork for new events under her Moose Meat initiative, with plans to create smaller, more flexible gatherings in the future. Above all, her focus remains on giving back to the community and leading with kindness.

    Listen now to hear Heidi’s reflections on two decades of ShmooCon, her insights on building inclusive communities, and why the stories we create together matter just as much as the code we write.

  8. 25

    Chasing Entropy Podcast 025: "Agents, the Legacy Web, and Logins that Don’t Leak” with Paul Klein IV

    In this episode of Chasing Entropy Podcast, I spoke with Paul Klein about the emerging “agentic web”, where AI agents perform real-world digital tasks on our behalf. Paul shares how Browserbase builds secure infrastructure for these agents to interact with websites safely, and how new integrations with 1Password’s Agentic Autofill enable secure, human-approved credential use without exposing secrets to AI models.

    Together, they explore how this evolution of automation can make the web more useful, while keeping it secure, observable, and aligned with human intent.

    Key takeaways

    1. The rise of the “agentic web”

    The internet still runs on legacy systems with no APIs—think DMV forms and government portals.
    Browserbase enables AI agents to safely automate tasks on these sites using headless browsers (full browsers without a GUI).
    These agents can perform structured, repetitive workflows—like procurement, compliance checks, or data lookups—without human micromanagement.

    2. Automation that works like an intern

    AI isn’t magic; it needs structure.
    Klein compares AI agents to interns: they’re capable but need clear instructions, context, and defined steps.
    Repetitive “SOP-style” tasks are ideal; vague one-line prompts aren’t.

    3. Stagehand & Director: Building automation for everyone

    Stagehand (open-source) allows natural-language automation using “fuzzy selectors” like “click the login button”, instead of brittle scripts.
    Director lets anyone prompt AI to build web workflows, see the generated code in real time, and reuse it in production environments.

    4. Guardrails: Observability before autonomy

    Browserbase includes live session replay—you can literally watch what your AI agent is doing in a headless browser.
    Observability ensures safety and accountability; cached workflows reduce dependency on LLMs over time.
    Governance best practice: treat AI tool use as remote code execution—sandbox it, restrict tool access, and monitor every action.

    5. Secure authentication for agents

    1Password Agentic Autofill now works in Director, allowing agents to securely log in with stored credentials.
    The human stays in the loop: every login request is approved (or denied) in real time.
    Passwords are never shared with the model; 1Password fills them directly into the browser.

    The pragmatic future of AI automation

    Paul sees agentic browsing not as a replacement for humans, but as a relief valve for digital drudgery. AI can handle the tedious work, checking orders, renewing passports, filling government forms, so humans can focus on creative and strategic thinking.

    “We’ve automated the equivalent of a couple thousand human lifetimes of browsing,” Klein notes. “That’s time people get back.”

    For CISOs and security leaders

    Paul’s advice:

    Treat AI agents like RCE: Lock down execution environments, sandbox them, and validate every dependency.
    Constrain tool access: Only approved connectors or MCPs should be callable.
    Start with observability: Log every action and enable real-time oversight before allowing automation to run at scale.

    Memorable quote

    “AI is your intern. Give it the shopping list and the steps.” ~ Paul Klein

    Listen to this episode of Chasing Entropy wherever you get your podcasts: no hype, no FUD, just the humans behind the next wave of cybersecurity and AI automation.

    Also on YouTube: https://www.youtube.com/watch?v=o4tgJz_4WcM

  9. 24

    Chasing Entropy Podcast 024: Dhillon of Hack in the Box on Conferences, Chaos, and the Future of Security

    In this episode of Chasing Entropy, I sit down with Dhillon Kannabhiran, the founder of the long-running Hack in the Box (HITB) Security Conference, to explore the origins, evolution, and impact of one of the world’s most influential hacker gatherings.

    From Kuala Lumpur to Global Stages

    Dhillon shares the unlikely beginnings of HITB in Malaysia, started as a scrappy, accessible alternative to high-cost events like Black Hat. Against all odds, and skepticism that “nobody would come to Malaysia”, HITB attracted global speakers and quickly became a fixture in Asia, the Middle East, and Europe. Along the way came wild stories of last-minute chaos, cultural exchanges, and the conference’s deliberate focus on building community through face-to-face connections.

    Curating Talks and Building Community

    The conversation dives into how talks are chosen, balancing technical depth with accessibility, and ensuring new voices get a platform. Dhillon emphasizes that HITB isn’t just about the talks you can rewatch later, it’s about hallway conversations, TCP/IP networking sessions, and serendipitous encounters that spark startups, collaborations, and lifelong friendships.

    Security Lessons (and Non-Lessons)

    Looking back at two decades of research presented at HITB, Dhillon is candid: many of the same problems persist, only shifted into new technologies. From classic exploits to today’s “vibe coding” and AI-assisted development, human error and misunderstanding remain the root causes of vulnerabilities. Still, this constant reinvention ensures hackers, and defenders, will never run out of work.

    AI, Translation, and the Future of Conferences

    The discussion expands to how AI is reshaping both hacking and events. From bug-hunting orchestration with AI agents to real-time language translation devices, the tools are changing fast. Dhillon warns of risks like AI-generated deepfakes but also highlights opportunities for accessibility, inclusivity, and global collaboration.

    Words to Hack By

    Dhillon closes with advice for hackers and builders alike: “Try stuff out. Don’t hold back. Don’t think there’s going to be a tomorrow. Do whatever you can today. Keep hacking, bro.”

  10. 23

    Chasing Entropy Podcast 23: Cybersecurity Meets M&A with Cole Grolmus

    In this episode of Chasing Entropy, I sit down with Cole Grolmus, founder of Strategy of Security, to explore the often-overlooked world where cybersecurity and mergers & acquisitions (M&A) collide.

    The Journey to Strategy of Security

    Cole shares his path from early sysadmin roles in Iowa to a decade at PwC, where he worked on large-scale cybersecurity transformations. Along the way, he blended business acumen with technical expertise, ultimately founding Strategy of Security to bridge the gap between practitioners and the commercial side of the industry.

    M&A and Cybersecurity: Where Risk Meets Value

    The conversation dives deep into the realities of cybersecurity in M&A:

    The real “gotchas” - Rarely do deals fall apart solely due to security issues, but identifying problems early can shape budgets and integration strategies.
    Integration challenges - From identity platforms to logging, customer management systems, and vendor contracts, successful acquisitions depend on planning for forward-looking integration, not just current posture.
    Reasonable assurance - Much like audits, due diligence can only go so far. Complete certainty is impossible, and security leaders must manage risk with contingencies like holdbacks and clawbacks.

    The AI Wild West

    Cole and Dave touch on the rising role of agentic AI in enterprises. Whether it’s ephemeral developer tools or standing customer-facing agents, the lack of maturity and consistency makes integration during M&A even more complex.

    Advice for Security Leaders

    For CISOs facing M&A, Cole emphasizes:

    Have a playbook - Not all M&A is bad, but leaders must prepare to handle inherited risks.
    Factor M&A into your vendor strategy - The cybersecurity industry itself is consolidating rapidly, with billion-dollar deals becoming common. Vendor stability (or lack thereof) is now a core risk to manage.
    Pay attention to the business side - As careers progress, understanding the industry landscape matters as much as technical defenses.

    Key Takeaway

    M&A in cybersecurity isn’t just about dollars and deals, it’s about managing complexity, risk, and people. Whether you’re a CISO preparing for an acquisition or a practitioner navigating vendor shakeups, the ability to translate between business imperatives and technical realities is critical.

  11. 22

    Chasing Entropy Podcast 022: Michael Farnum on building security communities & navigating agentic AI

    From a tank driver in the Gulf War to the founder of one of the U.S.’s largest regional cybersecurity conferences, Michael Farnum’s journey is a study in discipline, community, and curiosity. He shares how early exposure to cryptography, BASIC programming pranks, and first encounters with firewalls led him into security.

    We dive into how Farnum built the Houston Security Conference (HOU.SEC.CON) from 120 attendees in 2010 into a 3,000-person international event. He also discusses the rapid rise of agentic AI, what excites him, and the risks of unauthenticated MCP servers, shaky credential governance, and invisible AI triggers. Despite looming challenges, Farnum is optimistic that security conversations are starting earlier this time around.

    He closes with timeless advice: don’t be overly cautious, advocate for your value and take the smart risks you might otherwise pass up.

    Key Takeaways

    Military lessons: Encryption mishaps in the Gulf War taught discipline, planning, and after-action reviews that later informed his cybersecurity mindset.
    The hook into security: First exposure to a Unix firewall showing live traffic convinced him this was the path to follow.
    Community builder: Founded HOU.SEC.CON to unite a fragmented Houston infosec scene; it has since grown into a national/international draw with thousands of attendees.
    AI & agentic AI: Rising volume of submissions at security conferences; risks include unauthenticated MCP endpoints, hidden triggers, and weak credential governance.
    CISO struggles:
        Data security remains the #1 challenge—knowing what you have, where it is, and who can access it.
        Application security continues to lag despite new tools.
        Modern infrastructure & APIs can help if applied well.
        AI-driven SOCs are already shifting MDR/MSSP models, often without customers realizing.
    Career advice: Be less cautious and ask for what you’re worth, take smart risks, and don’t undersell yourself.

  12. 21

    Chasing Entropy Podcast 021: Cybersecurity in M&A with Brian Levine

    This week I got to sit down with Brian Levine, a cybersecurity consultant and former U.S. DOJ cybercrime prosecutor, to unpack how security risks shape mergers, acquisitions, divestitures, and investments. We cover what really moves deal price and structure, why early cyber due diligence matters, and how to protect “Day 1” operations without blowing up the integration plan.

    Brian Levine, cybersecurity consultant; former DOJ national coordinator for cybercrime prosecutors; founder of FormerGov, a directory connecting former government and military professionals with employers and recruiters.

    Key takeaways
    - Incidents move deals. Known or newly discovered breaches often pause negotiations, change terms, and drive down price, even if they don’t kill the deal.
    - Do diligence in three passes: inside-out (docs, policies, IR records, pen tests, insurance); outside-in (OSINT, dark-web intel); technical testing (when permitted pre-sign/close).
    - Start early. The earlier you assess cyber risk, the more leverage you have to shape price, integration plans, and pre-close remediation.
    - MFA, IAM, backups = table stakes. Missing basics can invalidate cyber-insurance claims and should be fixed before announcement to avoid “signal flare” attacks.
    - Cloud reality check. Many targets lack visibility into their cloud posture; prioritize third-party assessments and guardrails that protect PII, IP, and operations.
    - Vendor blast radius matters. Mature third-party risk management includes annual reassessments, contractual obligations, insurance checks, and vendor-involved tabletops, plus contingency (“backup vendor”) planning.
    - Culture can be a blocker. If “everyone is an admin,” expect friction; design an identity plan that tightens controls without triggering mass attrition.
    - Day-1 playbook, security-first. Run a compromise assessment pre-connect, harden the first systems to integrate (often O365), and sequence identity, segmentation, and logging before broad access.
    - Boards should ask: What did we actually do for cyber diligence, what didn’t we do, and why? Reasonableness, and the paper trail, matter.

    Notable moments
    - Unearthing issues outside-in: spotting malware beacons and leaked data for sale before the target even knows.
    - Regulatory context: Europe’s heavier regime (GDPR, DORA, AI rules) vs. the U.S. patchwork; either way, negligence standards still bite.
    - Real-world stakes: from payroll outages to healthcare delays, cyber incidents can rapidly become safety and livelihood issues.

    Resources & mentions
    - FormerGov, a directory for former government and military professionals seeking roles in the private sector.
    - Topics referenced: GDPR, DORA, MFA, IAM, immutable backups, zero-trust enclaves, dark-web monitoring, third-party risk management, and vendor tabletop exercises.

    About the show
    Chasing Entropy goes beyond the headlines, no hype, no FUD, exploring the human decisions and systemic cracks that put security to the test. Subscribe, share, and send me your questions for future episodes.

  13. 20

    Chasing Entropy Podcast 020: Trey Ford on Research, Risk, and the Rise of Agentic AI

    In the 20th episode of the Chasing Entropy Podcast, Dave Lewis sits down with Trey Ford, Chief Strategy & Trust Officer at Bugcrowd and former General Manager of Black Hat, to explore the realities of modern cybersecurity leadership.

    From the pitfalls of annual penetration tests to the messy realities of vulnerability disclosure, Trey shares lessons from decades in the field. He explains why risk should be owned at the board level (not by the CISO alone), why disclosure remains the internet’s immune system, and what the rise of agentic AI means for governance and resilience.

    The conversation also dives into leadership growth: shifting from arguing to win to arguing to understand, and how CISOs can transform into true business partners rather than gatekeepers.

    Key Takeaways
    - Continuous resilience matters. Annual pen tests don’t reflect reality; continuous measurement does.
    - Risk ownership belongs with the business. CISOs shouldn’t carry it alone.
    - Disclosure is essential. Research-first venues like Black Hat make it safer.
    - Agentic AI raises new risks. Guardrails, explainability, and governance must be designed in.
    - CISO success = trust. Build partnerships across the executive team, not walls.

    Memorable Quotes
    “If it’s accessible, it’s worth securing; scope is a convenience, not a defense.”
    “It’s not CISO vs. world; it’s the business deciding risk together.”
    “In the cloud you can ‘accidentally it all the way’; agentic AI just gives that accident agency.”

    Listen to Episode 20 now wherever you get your podcasts!

  14. 19

    Chasing Entropy Podcast 019: Balancing Security, IT, and Human Outcomes with Jacob DePriest

    In this episode of Chasing Entropy, host Dave Lewis, Global Advisory CISO at 1Password, sits down with Jacob DePriest, the newly appointed CISO and CIO at 1Password. Together, they explore the intersection of security, IT, and the human factors that shape how we defend, and sometimes undermine, our digital world.

    From NSA to GitHub to 1Password
    Jacob traces his path from early engineering work at the NSA to leading security operations at GitHub, and now into his dual role at 1Password. With roots in engineering and open source advocacy, he shares how those experiences shaped his approach to building secure yet productive environments.

    Security and Development: A Necessary Partnership
    A recurring theme is the relationship between security teams and developers. Jacob emphasizes that security cannot scale without deep integration into the engineering lifecycle. Rather than bolting on controls, he advocates for shared scoreboards, embedded guardrails, and empowering developers to focus on outcomes without unnecessary friction.

    Secrets, AI, and the Future of Risk
    The conversation dives into secrets management and the rise of AI in security. Jacob highlights how smarter alerting and AI-assisted scanning can help reduce noise around exposed credentials. They also discuss the promises and pitfalls of agentic AI, where transparency, governance, and credential security will become defining challenges for enterprises.

    Balancing Productivity and Protection
    As both CISO and CIO, Jacob is uniquely positioned to tackle the long-standing tension between IT enablement and security. He argues that these shouldn’t be opposing forces; the shared goal is enabling the business safely and responsibly. Hybrid teams and flexible models, such as customizable unlock experiences in 1Password, illustrate how to strike that balance.

    Diversity, Culture, and Psychological Safety
    The episode also touches on team culture: hiring for diversity of thought, encouraging dissenting voices, and building psychological safety. Jacob and Dave reflect on how recognition systems, open communication, and intentional leadership can foster stronger, more resilient security teams.

    Parting Advice for Security Leaders
    Jacob closes with two guiding principles:
    - Focus on outcomes and the big picture; don’t lose sight of the real problems in pursuit of perfect solutions.
    - Appreciate the community of security professionals who face daily challenges in an increasingly complex landscape.

    Listen now to hear Jacob’s insights on navigating the evolving role of security leaders, the integration of IT and cybersecurity, and how to prepare for the next wave of challenges. As always, be sure to like and subscribe!

  15. 18

    Chasing Entropy Podcast 018: From Game Genie to Global Security. A Conversation with Rob Fuller

    In this episode of the Chasing Entropy Podcast, host Dave Lewis, Global Advisory CISO at 1Password, sits down with Rob Fuller (a.k.a. Mubix), cybersecurity leader, Marine Corps veteran, red teamer, and technical advisor, to explore the twists, turns, and lessons from a career built at the intersection of curiosity, community, and defense.

    Early Sparks of Curiosity
    Rob shares how tinkering with Game Genie and GameShark cheat devices in his youth planted the seeds of hacking and cybersecurity. From experimenting with memory manipulation in video games to dabbling in early online communities, his fascination with technology was clear, even if he didn’t yet have a name for it.

    The Marine Corps and Grounding in Reality
    His journey took a pivotal turn in the U.S. Marine Corps, where Rob shifted into IT and found his calling at the Marine Corps CERT. There, he confronted threats at a national scale, battling nation-state adversaries and learning the importance of context, failure, and resilience. The high-stakes environment taught him perspective: what truly counts as critical versus what’s just noise.

    Red Teams, Purple Teams, and the Role of AI
    Rob dives into his philosophy on red vs. purple teaming, how organizations misstep in their security approaches, and where AI fits into the equation. While AI can accelerate tasks like data analysis and content generation, he stresses that human judgment remains essential, particularly when weighing real-world risk.

    Maturity in Vulnerability Disclosure Programs
    Rob outlines the evolution of Vulnerability Disclosure Programs (VDPs): from a simple [email protected] email, to structured bug bounties, to advanced maturity where vulnerabilities are ballooned out, templated, and continuously scanned across entire infrastructures. Tools like Nuclei earn his praise as underrated game-changers in scaling this process.

    What’s Overrated, What’s Underrated
    When asked about overrated tools, Rob jokingly points to Splunk, acknowledging it as a powerful log platform but often overhyped without the right people and processes behind it. In contrast, he champions Nuclei for its ability to empower teams with scalable, reusable vulnerability detection.

    Leadership, Curiosity, and Mentorship
    For those entering cybersecurity, Rob emphasizes starting the leadership journey early: seeking credentials, mentorship, and experience beyond being just a technical contributor. For senior leaders, he advises fostering curiosity and root cause analysis across teams, and creating spaces for “show and tells” where junior staff can share passion projects that might blossom into innovative enterprise-wide solutions.

    Silicon Valley and Beyond
    Rob also reflects on his experience as a technical advisor for HBO’s Silicon Valley, ensuring cybersecurity accuracy behind the scenes. From late-night calls to writers’ room debates, the role gave him a chance to influence how hacking and security were portrayed to millions of viewers, an opportunity to shift the narrative away from the usual Hollywood myths.

    Listen to the full conversation for Rob’s insights on community, resilience, and the underrated value of curiosity in shaping the future of cybersecurity. Don’t forget to like & subscribe to the Chasing Entropy Podcast wherever you get your podcasts.
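    As an added illustration of the "templated and continuously scanned" stage Rob describes (example code written for this page, not from the episode, from Rob Fuller, or from the Nuclei project), here is a Nuclei template that turns one hypothetical VDP report, a .env file reachable over HTTP, into a check that can run against every host on a schedule. The template id, author handle, request paths, and the variable names it looks for are assumptions chosen for the example.

```yaml
# Added example template (not from the episode or the Nuclei project).
# Hypothetical finding: a .env file served by the web server, reported once
# through the VDP. Templating it lets the same check run fleet-wide on every scan.
id: vdp-exposed-dotenv

info:
  name: Exposed .env file with credentials
  author: chasing-entropy-example   # assumption: placeholder author handle
  severity: high
  description: |
    A .env file served over HTTP exposes application secrets. Written as a
    reusable check so a single VDP report becomes a continuously scheduled,
    infrastructure-wide detection.
  tags: exposure,config,vdp

http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"              # assumed paths for the example
      - "{{BaseURL}}/.env.production"

    # All matchers must hold: a 200 alone is not enough, because many apps
    # answer 200 with a generic HTML page for unknown paths.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # Body must contain at least one KEY= line typical of a dotenv file.
      - type: regex
        part: body
        regex:
          - "(?m)^(APP_KEY|DB_PASSWORD|AWS_SECRET_ACCESS_KEY|SECRET_KEY_BASE)="

      # Reject HTML responses: a real dotenv file is never served as text/html.
      - type: word
        part: header
        words:
          - "text/html"
        negative: true

    # Report the variable names (capture group 1), not the secret values, so
    # triage can see what was exposed without copying secrets into findings.
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - "(?m)^([A-Z0-9_]+)="
```

    Run it against a host list with `nuclei -t vdp-exposed-dotenv.yaml -l targets.txt`; scheduling that command (cron or a CI job) is what turns a one-off bug report into the continuous scan the episode describes. The `and` matcher condition and the negative `text/html` matcher exist to keep the template from firing on applications that return a 200 for any path.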

  16. 17

    Chasing Entropy Podcast 017: The Storyteller’s Journey with Bill Brenner

    In this episode of Chasing Entropy, Dave Lewis sits down with longtime friend and industry veteran Bill Brenner, Senior VP and Head of Content at Cyber Risk Alliance. Bill has been shaping the cybersecurity narrative for over two decades, from his early reporting days at TechTarget to his leadership roles at Akamai, Sophos, IANS, and now Cyber Risk Alliance.

    From Newsrooms to Cybersecurity
    Bill shares how his career began in traditional journalism, with a pivotal moment after 9/11 pushing him toward B2B reporting. A role at SearchSecurity marked his entry into cybersecurity, where he quickly established himself as a respected interviewer, writer, and, eventually, a storyteller within the security community.

    The OCD Diaries & Mental Health Advocacy
    A major part of Bill’s journey has been his candid writing in The OCD Diaries, a personal blog turned community resource. What started as a therapeutic exercise evolved into a touchstone for many in security facing similar struggles. Today, Bill continues that advocacy through his work with CyberMinds, developing tools and resources to support the mental health of cyber defenders, who often face burnout, PTSD-like stress, and relentless alert fatigue.

    Storytelling, Security, and Leadership
    Reflecting on his time at Akamai, Bill discusses how being embedded in a security team during the Heartbleed and Shellshock era shaped his understanding of communication, trust, and leadership. He and Dave revisit their collaboration on reports, vulnerability advisories, and how content can influence both internal teams and the wider industry.

    AI, Content, and the Human Element
    Bill and Dave dive into the current disruption caused by artificial intelligence. While many companies mistakenly see AI as a replacement for people, Bill argues it must be used as an enhancer, freeing humans from repetitive tasks while preserving creativity, critical thinking, and authenticity. His own work at Cyber Risk Alliance now includes experimenting with AI to streamline workflows without losing the human voice.

    Looking Ahead
    Bill emphasizes the importance of resilience, humility, and staying focused on the human side of security. Whether through mental health advocacy, building stronger content strategies, or mentoring the next generation, his mission remains clear: tell stories that matter and help the community thrive in an increasingly chaotic digital world.

    👉 Where to find Bill:
    - The OCD Diaries (archived blog with evergreen posts)
    - Bill on LinkedIn (active writing and insights)
    - SC Media / SC World (ongoing journalism and leadership work)

  17. 16

    Chasing Entropy Podcast 016: Seeing Beyond the Hype with Fernando Montenegro

    In this episode of the Chasing Entropy Podcast, host Dave Lewis welcomes industry analyst and long-time cybersecurity veteran Fernando Montenegro for a far-ranging and refreshingly honest discussion about the evolution of security, the realities of AI, and the human stories that shape our digital defenses.

    Fernando shares his origin story, from math and fractals in Brazil to cryptography and bulletin boards, and ultimately to a career that has spanned consulting, sales engineering, and now research and analysis. Along the way, he highlights the importance of community spaces like TASK (Toronto Area Security Klatsch) and B-Sides as pivotal launchpads for industry newcomers.

    The conversation dives deep into artificial intelligence and its nuanced role in cybersecurity:
    - Security for AI: Helping organizations safely adopt AI tools.
    - AI for Security: Using AI to enhance defense mechanisms.
    - Security against AI: Preparing for AI-augmented attacks and fraud.

    Fernando advocates for viewing AI through an economic and socio-technical lens rather than blindly trusting in its promise. As both he and Dave agree, AI isn't magic; it's math. It can augment work, but replacing human judgment, strategy, and contextual understanding is far from reality.

    They also touch on the dangers of layoffs fueled by AI hype, calling out examples like Klarna’s public misstep, and drawing parallels to earlier cloud-related downsizing miscalculations. Both stress the importance of understanding what workers actually do before trying to replace them with automation.

    As the episode wraps, Fernando delivers sage advice for those entering or pivoting into cybersecurity:
    - Leverage your prior experience; whether from hospitality or marketing, it has value.
    - Seek mentorship from peers 2–5 years ahead of you for tactical guidance.
    - Don’t be discouraged by gatekeeping; curiosity and kindness go a long way in this relationship-driven field.

    Whether you're a seasoned professional or just getting started, this episode is a candid reminder that cybersecurity is as much about people as it is about technology, and that chasing entropy means embracing complexity, not avoiding it.

  18. 15

    Chasing Entropy Podcast Episode 015: Herding Chaos with Jeffrey Wheatman

    In this special "Summer Camp" edition of Chasing Entropy, Dave Lewis sits down with longtime friend and cyber risk veteran Jeffrey Wheatman. From their early DEF CON gooning days to leading board-level security conversations, Dave and Jeffrey explore how cybersecurity professionals navigate entropy: when systems unravel and chaos creeps in.

    Jeffrey, a former VP at Gartner and now a cyber risk strategist, brings 30 years of experience to the mic. They dive deep into the human and organizational aspects of risk management, effective communication with executive leadership, and how the security industry can stop "solutioning" with tech and instead focus on solving real problems.

    Key Topics That We Covered:
    - From Hardware Store to Cyber Risk Strategist: Jeffrey’s unconventional path into cybersecurity and early lessons learned about clarity, communication, and not working in retail.
    - Tech for Tech’s Sake?: Why the obsession with new tools misses the point, and how reframing security in terms of solving business problems is the real game changer.
    - Communicating with Boards: Strategies for helping CISOs resonate with executives, plus tips on improving board-level metrics and engagement.
    - AI in Cybersecurity: Cautious optimism, practical concerns, and philosophical musings. Both Dave and Jeffrey agree: AI is no silver bullet. But with thoughtful integration and strong scenario planning, it can be a powerful partner, especially for edge cases and pattern recognition.
    - Speaking to Your Audience: Whether you're in front of a board or a DEF CON hallway track, Jeffrey shares hard-won lessons about adjusting your message, avoiding condescension, and using metaphors that land.

    Memorable Quotes
    “Technology is created and put in place to solve problems. Full stop.” — Jeffrey Wheatman
    “Your execs care about three things: money in, money out, and who gets in trouble when stuff goes sideways.” — Jeffrey Wheatman
    “AI is overblown and underutilized—both are true.” — Dave Lewis

    Where to Find Jeffrey
    - LinkedIn: The only “Jeffrey Wheatman”
    - Speaking soon at: SANS Security Awareness, ISACA GRC, Black Hat, and PDA PRISM Conference
    - Fun fact: At DEF CON, you’ll know him as “Mnkey.”

    Listen now, share widely, and join us again next week as we continue Chasing Entropy in a world full of chaos and credentials. Don’t forget to like, subscribe, and spread the entropy.

  19. 14

    Chasing Entropy Podcast Episode 014: Hats Off to the Hacker Ethos with Emil Tan

    In this episode of the Chasing Entropy Podcast, I am joined by Singapore-based cybersecurity leader Emil Tan, a man who wears many hats and wears them well. From government defense to grassroots community building, Emil’s journey is a masterclass in adaptability, curiosity, and community spirit in cybersecurity.

    Who Is Emil Tan?
    Emil is a cybersecurity polymath: a national defense contributor at Booz Allen, founder of the Singapore-based community Division Zero (Div0), co-founder of the hacker conference SINCON, advisor to the startup RedAlpha, and active participant in the non-profit CREST. His career arc spans R&D, operations, policy, and education, with a consistent theme of learning by doing.

    A Non-Linear Path to Impact
    Emil shares his unlikely journey into cybersecurity, which began not with elite academic scores but with a love for math and curiosity about the digital world. After being part of Singapore’s first cohort in a cybersecurity diploma program, Emil embraced early challenges in capture-the-flag (CTF) competitions and informal meetups at McDonald's that eventually gave rise to Div0.

    From Operations to Policy and Back Again
    What sets Emil apart is his transition from cyber operations to policymaking. Frustrated by policies that didn’t reflect frontline realities, he stepped into the policy arena to bridge the gap. He speaks candidly about the complexity of policymaking and the importance of being a "technical policymaker" who can translate between operations and lawmaking.

    The Power of Automation and AI (Without the Hype)
    Emil and Dave dig into the evolution of automation in security, from scripting away mundane tasks to the role of AI today. Emil’s philosophy? Automate the boring stuff so you can focus on meaningful work. He challenges the fear-driven narrative around AI, noting that rather than replacing jobs, it redefines them.

    Advice for Aspiring Security Pros
    Whether you’re new to the field or feeling stuck, Emil offers grounded, honest advice:
    - Fall in love with your career, not just your job
    - Start anywhere, fail often, and learn deeply
    - Talk to people: war stories beat certificates
    - Seek community: Div0, SINCON, and beyond

    Get Connected
    Want to connect with Emil?
    - LinkedIn
    - Attend Div0 meetups (twice a month in Singapore)
    - Catch him at the next SINCON conference

    Listen now on all major platforms and don't forget to like, subscribe, and share. Thanks for joining me as we continue the Chasing Entropy Podcast, where chaos meets clarity, and security finds its human side.

  20. 13

    Chasing Entropy Podcast Episode 013: Jack Daniel: A Life in Security, Sock Puppets, and Community-Building

    In this heartfelt and wide-ranging conversation on the Chasing Entropy Podcast, I get to sit down with my friend, legendary storyteller, and community-builder Jack Daniel to trace a truly unique career journey, one that spans grease-stained garages, green-screen terminals, the early internet, and the global expansion of the BSides movement.

    From Mechanic to Cybersecurity Strategist
    Jack shares stories from his earliest days: working in auto repair, navigating the oddities of the Renault parts system, and unexpectedly becoming the "computer guy" because no one else would do it. It’s a masterclass in accidental career pivots driven by curiosity, necessity, and grit.

    Building Communities and Hacking Conferences
    One of the most inspiring parts of this episode is Jack’s account of the founding and evolution of BSides, the community-led security conference series. What began as a scrappy rebellion against corporate conference gatekeeping has now blossomed into over 1,150 events in more than 60 countries, from Mexico City to Canberra, with passionate organizers creating space for local talent and untold stories.

    Jack reflects humbly on his role in that movement, describing himself as a “cheerleader” and “uncle” to a vast family of hackers. But it’s clear: his vision, mentorship, and love for the community helped make it all possible.

    Sock Puppets, Imposter Syndrome, and Speaking with Heart
    The conversation also touches on Jack’s unique presentation style, including sock puppets and tuxedos, and the philosophy behind it. For Jack, great talks aren’t about ego; they’re about earning the audience’s attention. He champions the kind of speaker who walks on stage thinking, “Wow, they want to hear from me? I owe them everything.”

    Highlights
    - The evolution from mechanic to firewall evangelist
    - Tales of early infosec user groups, ShmooCon, and BSides Vegas
    - Community resilience in places like India, Brazil, Australia, and Kathmandu
    - The human side of hacker culture: burnout, mentorship, and shared grief
    - Why passion and participation, not polish, make a great speaker

    Quote of the Episode:
    “If you get 26 people in a room somewhere that has no other options, you’re making a more profound impact on that community than you’ll ever realize.”

    Listen Now
    Catch the full conversation on your favourite podcast platform, and don’t forget to subscribe for more human-centric cybersecurity stories every week.

  21. 12

    Chasing Entropy Podcast Episode 012: Dr. Grigorios Fragkos on Agentic AI, CISO Evolution, and Global Cybersecurity Insights

    In this episode of the Chasing Entropy Podcast, host Dave Lewis sits down with Dr. Grigorios Fragkos, widely known as Dr. Greg, a cybersecurity veteran with deep roots in academia, government, and enterprise defense. From the early days of building near real-time threat detection systems to orchestrating national-level cyber defense initiatives, Dr. Greg shares a dynamic perspective on the ever-evolving cybersecurity landscape.

    From Hacking Curiosity to PhD Pioneering
    Dr. Greg opens up about his journey from tinkering with software engineering to earning a PhD focused on near real-time threat assessment using IDS data, a field he was ahead of by more than a decade. He candidly recounts the challenges of building AI-driven assessment engines long before the rise of today’s agentic AI approaches.

    The Rise of Agentic AI & Its Impact
    The conversation takes a deep dive into agentic AI: systems that can plan, reason, and execute. Dr. Greg argues for its use in advancing cybersecurity defense rather than offense, noting that current hype often ignores ethical applications. Both he and Dave stress the importance of separating the thinking layer of AI from raw processing power, an idea Greg proposed in his PhD work and sees finally coming to fruition.

    Redefining the Role of the CISO
    With experience leading cybersecurity efforts across industries and nations, Dr. Greg challenges the conventional definition of a CISO. He advocates for the emergence of a Chief Cybersecurity Officer, a broader role encompassing AI threats, cyber resilience, and critical infrastructure protection. He also cautions aspiring CISOs: “Don’t do it for the title. Do it because you believe in the mission.”

    M&A Cyber Due Diligence: The Ugly Truth
    Drawing from real-world mergers and acquisitions experience, Dr. Greg reveals the hidden pitfalls of cyber due diligence. From rubber-stamped security audits to outright neglect of breach indicators, he offers a sobering view into how risk is often underestimated or deliberately ignored during high-stakes deals.

    Global Cybersecurity Culture & B-Sides Athens
    Greg also explores how culture shapes cybersecurity practices around the world, from risk ownership misunderstandings to wildly differing maturity levels. He shares his passion project: B-Sides Athens, a thriving community-driven conference that’s celebrated its 10th year of inclusive, high-quality knowledge sharing.

    Final Wisdom: Education, Not Just Certification
    In closing, Dr. Greg pushes back against the growing narrative that university degrees no longer matter in cybersecurity. While certifications are valuable, he emphasizes that academic journeys foster critical thinking, understanding of fundamentals, and intellectual discipline, all essential in a fast-changing field.

    Don’t forget to like, subscribe, and share this episode! Got thoughts or questions? Join the conversation on social media using #ChasingEntropy.

  22. 11

    Chasing Entropy Podcast Episode 011: Humour, Human Nature & Hacking Communication with Javvad Malik

    In this episode of the Chasing Entropy Podcast, host Dave Lewis sits down with the incomparable Javvad Malik, security advocate, Guinness World Record holder, and co-host of the Host Unknown podcast. What follows is a dynamic, humorous, and insightful conversation that spans decades of cybersecurity experience, unconventional career moves, and the art of connecting with people on stage, on camera, and in the boardroom.

    From Banks to Blogging: Javvad’s Cybersecurity Origin Story
    Javvad reflects on his start in the late ’90s at a UK bank, when password management involved envelopes and binders, not vaults and biometrics. From there, his journey took him through consulting, industry analysis (thanks to Wendy Nather’s nudge), and eventually into advocacy and content creation with KnowBe4. His career, fueled by curiosity and storytelling, shows just how many paths there are into (and through) the world of security.

    Communication That Cuts Through the Noise
    Javvad and Dave dive into the recurring theme of miscommunication in cybersecurity. Why do so many security pros still struggle to resonate with non-technical audiences? Javvad argues it’s about meeting people where they are, whether that’s through TikTok trends, clear analogies, or a bit of humor. Rather than blame users for not “getting it,” he encourages listening to what people are really asking and addressing their concerns with empathy and clarity.

    A Guinness World Record, Just for Fun
    Javvad shares the backstory behind his tongue-in-cheek claim to fame: setting a Guinness World Record for the most views on a cybersecurity awareness video within 24 hours. It’s not about vanity; it’s about grabbing attention and delivering value. Humor, he explains, is the safest and most effective vehicle for driving engagement in a world awash with FUD.

    The Host Unknown Podcast & Having Fun With Security
    Dave and Javvad also talk about Host Unknown, the podcast Javvad co-hosts with Thom Langford and Andy. Part satire, part serious, the show exemplifies how cybersecurity content doesn’t have to be dry or fear-based to be effective. The key: build trust, stay authentic, and have a good laugh along the way.

    On AI, Creativity & the Mundane
    The duo wraps up with a candid chat about AI’s role in cybersecurity and content creation. While both share concerns about disingenuous use of generative AI, they remain hopeful that AI can offload tedious work and leave humans to focus on creativity and strategy, if implemented thoughtfully and securely.

    Final Thoughts
    Javvad leaves listeners with this advice:
    - Be curious.
    - Ask questions.
    - Share your voice, even if it’s still evolving.

    Cybersecurity may be more complex and crowded than ever, but the human element (connection, storytelling, and community) remains the most powerful defense against entropy.

  23. 10

    Chasing Entropy Episode 010: Empathy, AI, and the Evolution of Security with Mark Hillick

    In this episode of the Chasing Entropy Podcast, I speak with Mark Hillick, CISO at Brex, about the changing role of security leaders in a world shaped by AI, rapid innovation, and shifting business expectations. From building security culture at Riot Games to navigating Silicon Valley’s AI gold rush, Hillick offers grounded insight into what it takes to lead a modern, business-aligned security team.

    1. Security as a Business Enabler
    Hillick shares his journey from infrastructure engineer to CISO, emphasizing that the best security teams don’t just protect, they enable. By integrating early, communicating clearly, and avoiding gatekeeping, security becomes a trusted partner, not a blocker.
    “If the business isn’t there, we wouldn’t be either. Security must enable, not obstruct.”

    2. The Role of Empathy and Trust
    Drawing from his experiences across industries and geographies, Hillick highlights how trust is built, and lost. He discusses the trauma some teams bring from past negative security experiences and why empathy and explicit communication matter more than ever.

    3. AI: Hype, Hope, and Risk
    Hillick identifies AI as the third major paradigm shift of his career. He outlines how AI is reshaping internal productivity, operational efficiency, and product development, but warns that many organizations are repeating old security mistakes by moving too fast without proper safeguards.
    “If you’re a security engineer and not using tools like Copilot or Cursor, how can you help others use them securely?”

    4. The Sales Dilemma
    Dave and Mark discuss the fine line between outreach and overreach in cybersecurity sales. Hillick shares candid stories, from being bombarded with cold calls to salespeople contacting his spouse, and makes the case for respectful, empathetic sales practices.

    5. Advice for the Next Generation
    For those entering the field, Mark keeps it simple:
    - Show up.
    - Work hard.
    - Stay curious.
    - Be kind.
    “Curiosity will protect you from cynicism. And this industry needs a lot less cynicism.”

    This episode is a must-listen for security practitioners, leaders, and anyone curious about the future of cybersecurity leadership in the age of AI. It’s a real, unfiltered conversation, minus the FUD, plus a healthy dose of dry humor.

    Don’t forget to subscribe, rate, and share!

    Link: https://www.buzzsprout.com/2497520/episodes/17430216-chasing-entropy-episode-010-empathy-ai-and-the-evolution-of-security-with-mark-hillick

  24. 9

    Chasing Entropy Episode 009: Staying Curious with Brian Honan

    In this week's episode of the Chasing Entropy Podcast, 1Password’s Global Advisory CISO, Dave Lewis, sits down with longtime friend and cybersecurity luminary Brian Honan, founder and CEO of BH Consulting. From his roots in the early days of IT to advising governments and shaping policy at the European level, Brian brings a storied career and sharp insights into how the industry has evolved, and where it’s headed next.

    From Mainframes to Modern Threats
    Brian walks us through his unconventional journey into cybersecurity, dating back to the 1980s when formal education in the field didn’t exist. What started as a role supporting those "fad" personal computers quickly evolved into a career grounded in discipline, curiosity, and continuous learning. His foundational experience in IT, he explains, has been crucial in understanding how systems work and how to secure them.

    Advice for Aspiring Security Professionals
    For those breaking into the field, Brian offers timeless advice: curiosity, patience, and humility are key. Degrees may get your foot in the door, but demonstrating a genuine passion through blogging, open-source contributions, or volunteering at conferences like B-Sides is what sets you apart.

    The Rise of Agentic AI and Shadow IT
    The conversation shifts to emerging challenges, particularly agentic AI and its implications for enterprise security. Brian emphasizes that security teams must shift from saying “no” to enabling business outcomes securely. He shares a startling example of an unauthorized AI note-taker infiltrating a sensitive corporate meeting, highlighting the real-world risks of unsanctioned tech.

    Data Sovereignty in a Globalized World
    One of the episode’s most thought-provoking segments delves into data sovereignty. Brian outlines how geopolitical tensions and regulatory mismatches (like the GDPR vs. U.S. data laws) are introducing new forms of risk. He shares alarming examples, including a prosecutor at the International Criminal Court losing access to Microsoft services, underscoring how governments may “weaponize” data control.

    Defending Against the Unseen
    To wrap up, Dave and Brian discuss how attackers are increasingly exploiting legitimate software and tools, not just traditional malware. Security teams must now detect "unusual good" behavior, not just the known bad. That means strengthening endpoint detection, monitoring network anomalies, and having a robust SOC (internal or outsourced) to handle the complexity.

    Final Takeaway
    Brian’s message is clear: as threats evolve, so must defenders. The secret? Stay curious, be patient, and never lose your sense of humour.

    Listen now to hear two seasoned pros explore the tension between innovation and risk, and why embracing change, rather than fearing it, is essential in cybersecurity.

  25. 8

    Chasing Entropy Episode 008: A Conversation with Thom Langford

    In this compelling episode of the Chasing Entropy Podcast, I sit down with none other than Thom Langford, EMEA CTO at Rapid7 and “twice-recovering CISO,” for an honest and often humorous deep-dive into the lived realities of cybersecurity professionals.

    Finding Purpose in Security

    Thom reflects on his unconventional path into cybersecurity, entering the field two decades into his tech career and quickly realizing he had found his “tribe.” From his early days wrangling VAX/VMS systems to leading security teams, his journey underscores the importance of mentorship, curiosity, and persistence.

    Burnout, Mental Health & Imposter Syndrome

    This episode doesn’t shy away from the emotional toll of cybersecurity. Both Thom and Dave speak candidly about the mental load that comes with defending digital infrastructure, from career burnout to imposter syndrome. Thom offers relatable stories, including hiding in a bathroom stall to avoid public speaking, and shares how vulnerability, perspective, and humour became his coping tools.

    Security Isn’t Funny, But It Can Be Fun

    Thom’s approach to security education is rooted in humor and storytelling, which he argues improves information retention and builds connection. He shares insights from The Host Unknown Podcast and reminds us that just because security is serious doesn’t mean it has to be dry. Laughter, he says, is often the best way to tackle hard truths.

    Reducing Friction, Building Better UX

    A recurring theme is the need to reimagine user experience in cybersecurity. Thom advocates for intuitive, low-friction security that doesn’t require justification, just like locking your front door or putting on a seatbelt. When secure behaviours are second nature, we’ve truly succeeded.

    Advice for Newcomers

    To those entering the field, Thom’s message is clear: you don’t have to be technical to make a difference. Whether managing risk, policy, or compliance, every role matters. He also urges senior professionals to manage their calendars more assertively for sanity’s sake.

    Where to Find Thom Langford

    🎧 Host Unknown Podcast
    📸 TomLangford.photography
    📝 Blog at TomLangford.com
    💼 LinkedIn

    “Stay secure, my friends.” — Thom Langford

    Catch the full episode to hear two seasoned CISOs pull back the curtain on the cybersecurity industry with wit, wisdom, and just the right amount of entropy.

  26. 7

    Chasing Entropy Podcast Episode 007: Allison Miller on Risk, Fraud & AI

    In this insightful episode of Chasing Entropy, host Dave Lewis welcomes cybersecurity veteran Allison Miller to explore the intersections of fraud, risk, complexity, and AI in the ever-evolving digital landscape.

    Allison brings two decades of experience spanning enterprise cybersecurity, anti-fraud, and advanced product risk. From traditional financial institutions to cloud-native startups, her work bridges how technology enables connection—and how those same systems can be exploited.

    She shares her early fascination with communication networks, her journey through IRC, payphone hacks, and digital commerce, and how those formative experiences shaped her career.

    Key Topics Covered

    Chasing Risk and Complexity

    Fraud as a window into system weaknesses — Allison explains why fraud fascinates her: it’s about understanding how things can go wrong even when the code is working as designed.
    She discusses how payment systems, platform identity abuse, and communication channels become targets precisely where their value lies.

    The Role of AI in Cybersecurity

    AI as a detection tool: Building on her background in detection technologies, Allison sees AI as the next step in a lineage of data-driven defenses.
    Three key AI applications:
    → Detection
    → Investigation assistance
    → Automation in Security Operations Centers (SOCs)
    CISO responsibilities: While AI governance is still evolving, Allison highlights parallels with AppSec and suggests that product risk programs must incorporate AI security and safety.
    Agentic AI and emerging risks: She warns that autonomous agents, while powerful, introduce new layers of system complexity that require holistic monitoring—simple components can combine into chaotic behaviors.

    Future of Cybersecurity Leadership

    Cloud, mobile, and multi-cloud continue to challenge traditional security models, requiring CISO teams to expand their skills and embrace innovation.
    CISOs are now “chasing complexity” as much as they’re defending against it.

    Advice for Aspiring Cybersecurity Professionals

    Follow your curiosity rather than a linear career path.
    Focus on interesting problems—your unique perspective will create opportunities.
    Embrace networking and open conversations to accelerate learning and growth.

    Quote of the Episode:
    "Follow your curiosity. You can bring your interests into almost any job description—and that's where real opportunity lies." — Allison Miller

    Tune in to this episode for a candid discussion that peels back the layers of how risk, fraud, and AI are shaping the cybersecurity front lines.

    Subscribe to the Chasing Entropy Podcast for more real talk with the minds driving cybersecurity forward.

    LinkedIn: Allison Miller, Founder & Principal, Cartomancy Labs
    Website: Cartomancy Labs
    Newsletter: Futurecast

  27. 6

    Chasing Entropy Episode 006: From Hammers to Hope with Wendy Nather

    In this episode of Chasing Entropy, I sit down with cybersecurity trailblazer Wendy Nather for an honest, insightful, and occasionally hilarious conversation that spans career origin stories, hammer metaphors, and how empathy is the secret weapon of modern security leadership.

    From Swiss Banks to Strategy

    Wendy Nather’s journey into cybersecurity is anything but conventional. From wrangling Unix systems at a Swiss bank to being unexpectedly appointed head of EMEA security, her career has been a series of “say yes and figure it out later” moments. Her creation of the security strategist role at Duo (where she helped bring Dave onboard) laid the groundwork for today’s Advisory CISO model—distinct from field CISOs and rooted in trust-building and strategic influence.

    Understanding the Security Poverty Line

    Wendy unpacks her now-famous concept of the “security poverty line,” a lens for understanding how underfunded, understaffed organizations struggle to meet industry best practices. It's a call to move beyond judgment and toward practical empathy—especially when small businesses with outdated gear and little budget become backdoor vulnerabilities in the broader digital ecosystem.

    The Human Side of Cybersecurity

    The conversation dives deep into the need for empathy, especially at the CISO level. Wendy argues that real leadership in security isn’t about technical perfection—it’s about understanding people, building influence, and leading with compassion. For those just entering the field, she reminds listeners that many roles in cybersecurity today didn’t even exist a decade ago, and that we’re all still “making this up as we go.”

    Agentic AI, Zero Trust, and a Spoon

    The pair also reflect on the rise of agentic AI and its implications for zero trust architectures. Wendy challenges the assumption that AI introduces completely new risks, suggesting instead that it’s a matter of awareness, contract transparency, and figuring things out as a community. She also revisits her “spoon” analogy from past keynotes: good security design should be as intuitive as using a spoon—hard to mess up, universally usable.

    Final Thoughts

    Wendy closes with advice for veterans and newcomers alike: surround yourself with peers you trust, keep learning, and don’t buy into gatekeeping myths that overvalue technical credentials. What really matters is adaptability, collaboration, and understanding the bigger picture.

    Subscribe to Chasing Entropy on your favourite podcast platform and join us next time as we continue to unravel the systems and stories shaping cybersecurity.

  28. 5

    Chasing Entropy Episode 005: “Best Janitor, Worst Superhero” with Adrian Sanabria

    In this episode of Chasing Entropy, host Dave Lewis, Global Advisory CISO at 1Password, sits down with Adrian Sanabria—Principal Researcher at the Defenders Initiative and founder of Destroyed by Breach—for a wide-ranging and candid conversation about the challenges, myths, and future of cybersecurity.

    From Help Desk to Hacking the Narrative

    Adrian shares his unconventional journey into the cybersecurity world, tracing it back to retail tech support and internet help desk gigs where he developed resilience, empathy, and a knack for communication. He talks about how early experiences handling confused customers over phone lines laid the groundwork for a career in community engagement, public speaking, and eventually running B-Sides Knoxville.

    Debunking Security Myths

    Adrian doesn’t pull punches. From phishing simulations and forced password resets to the overhyped impact of breaches, he challenges many “best practices” that persist in cybersecurity. He notes that while the industry once operated on instinct and guesswork, we now have decades of actionable data—but still struggle to act on it meaningfully.

    “Less than 100 CVEs each year actually matter. Out of tens of thousands.” – Adrian Sanabria

    Agentic AI, Shadow IT, and the Next Frontier

    The conversation turns to emerging threats and opportunities, particularly around Agentic AI and open-source vulnerabilities. Adrian warns that while companies rush to adopt automation and AI tools, they’re often ignoring foundational problems—like identity management and shadow IT—that have plagued organizations for decades.

    Policy, Priorities, and the Security Industry’s Missed Opportunity

    Both Dave and Adrian agree: governments are stepping in with cybersecurity policies because the security industry has failed to manage its own narrative. Marketing budgets, FUD, and vendor agendas have diluted the voice of practitioners. The episode urges listeners to advocate for more grounded, evidence-based conversations in the field.

    What’s Next and What Matters Most

    As AI hype barrels forward, Adrian sees it as both a distraction and an opportunity. “It’s useful tech,” he says, “but we’re not using it wisely.” Instead of slow, GPU-hungry processes, he calls for smarter automation and attention to patterns that really matter.

    He also reflects on his own growth: learning to play to strengths, managing ADHD, and finding fulfilling work that delivers real feedback.

    Final Advice for Aspiring Cybersecurity Folks

    “Stop trying to be good at everything. Find what you’re already good at, and build on that.”

    Adrian closes with advice that’s equal parts practical and personal, encouraging newcomers to the field to be self-aware, adaptable, and unafraid to seek help—be it professional diagnosis or community mentorship.

    Listen & Subscribe

    Wherever you get your podcasts. Like, subscribe, all that sort of jazz, and stay tuned for next week’s episode of Chasing Entropy.

  29. 4

    Chasing Entropy Episode 004: From Student to Leader – A Conversation with Matt Johansen

    In this episode of Chasing Entropy, host Dave Lewis welcomes longtime friend and cybersecurity thought leader Matt Johansen. What unfolds is a deeply insightful, often personal discussion that spans the evolution of an entire career—from a student in a literal church pew to a key voice shaping cybersecurity narratives today.

    From Dorm Room to Industry Leader

    Matt shares the serendipitous moment that ignited his cybersecurity career: a last-semester class taught by a university CISO, a DVD of James Arlen’s “Black Hat to Black Suit,” and the early encouragement to engage on Twitter and LinkedIn. That first year of digital networking proved foundational—every boss Matt's had, he met during that stretch.

    Big Banks and Shadow IT

    Matt contrasts his experience building security programs at a scrappy fintech startup with the tightly controlled environment at Goldman Sachs post-acquisition. He discusses how rigid controls can reduce risk but stifle innovation, and unpacks how shadow IT thrives even in the most controlled environments. The lesson? Security postures must match organizational realities.

    Mental Health, Burnout & the Myth of the Security Superhero

    One of the episode's most powerful threads is Matt’s advocacy for mental health awareness in cybersecurity. He critiques "superhero culture," where the same individuals are always relied on in crises. Instead, he calls for real structural changes—proper rotations, mandatory time off, and leadership accountability. As he puts it, you can’t yoga your way out of burnout.

    Identity is the New Malware

    Matt and Dave explore how the attack surface has shifted. With SaaS proliferation and stolen credentials replacing malware as the primary attack vector, identity management has become paramount. Highlighting attacks like the TeleMessage breach and the phishing incident involving Troy Hunt, they emphasize that security must make “clicking links” safe—not shame users for doing it.

    Vulnerable U & Making Security Accessible

    Matt now runs Vulnerable U—a cybersecurity media company delivering digestible infosec news via newsletters, YouTube, TikTok, and Instagram. He reflects on how his early work curating news for Liquid Matrix evolved into a full-time passion for communicating security in a human, relatable way.

    Advice for Aspiring Professionals

    Matt’s number one tip for newcomers? Create content. Even if you’re still learning, share your process. Blog your breakthroughs, record your thought process, and contribute to the dialogue. That transparency and authenticity open doors.

    Mentioned in the Episode:
    Vulnerable U: vulnu.com
    TeleMessage Security Breach
    The "Black Hat to Black Suit" talk by James Arlen

    “Clicking links should be safe. What do we have to do to make clicking links safe?” — Matt Johansen

    Be sure to subscribe, share, and join us as we continue to chase entropy across the loading construct.

  30. 3

    Chasing Entropy episode 003: Digital Security for the Vulnerable — A Conversation with Runa Sandvik

    In this compelling episode of the Chasing Entropy Podcast, host Dave Lewis, Global Advisory CISO at 1Password, sits down with renowned cybersecurity expert Runa Sandvik, founder of Granitt and longtime advocate for digital security in high-risk spaces. Together, they explore a career dedicated to protecting journalists, challenging the status quo in cybersecurity, and hacking smart rifles (yes, really).

    From Oslo to the Front Lines of Press Freedom

    Runa recounts her journey from a curious teenager in Oslo intrigued by hacking, to working at the Tor Project, and eventually becoming head of newsroom cybersecurity at The New York Times. Her work there included launching a secure, anonymous tip line for whistleblowers, a pivotal tool for modern investigative journalism.

    Building Trust in the Security Community

    The conversation dives into how cybersecurity professionals can meaningfully support journalists—by building relationships not only with individual reporters but also with the infrastructure teams behind them. Runa highlights organizations like the Freedom of the Press Foundation and the Electronic Frontier Foundation as crucial players in this ecosystem, alongside companies like 1Password that provide free tools to journalists.

    Hacking Smart Rifles: The DEF CON Tale

    In one of the more unexpected twists, Runa discusses her 2015 research that exposed vulnerabilities in smart rifles. What began as a curiosity at a gun show evolved into a full-blown technical exploit, revealing how attackers could lock triggers or cause shots to miss targets dramatically. The story underscores a vital lesson: as technology continues to permeate even the most unlikely of devices, security needs to follow closely behind.

    The Persistent Shadow of Shadow IT

    Dave and Runa also explore the persistent issue of shadow IT—when employees turn to unapproved tools to get work done. Runa emphasizes the importance of understanding user needs, fostering open communication, and demonstrating the benefits (legal, privacy, and security) of company-approved solutions. Without this approach, she warns, organizations risk being blindsided by their own internal blind spots.

    AI, Privacy, and Human Rights

    As AI continues to reshape the tech landscape, Runa cautions against jumping on the bandwagon without first establishing clear policies and security frameworks. She draws important parallels between the rush to adopt AI and the ongoing struggles organizations face with basic cybersecurity hygiene.

    Looking Ahead

    Despite the allure of emerging technologies, Runa concludes by urging listeners not to lose sight of the foundations: training, awareness, clear policy, and human-centered security practices remain the bedrock of any resilient security program.

    Resources Mentioned:
    Granitt – Runa’s security consulting firm
    1Password for Journalists
    Freedom of the Press Foundation
    SecureDrop

  31. 2

    Chasing Entropy Podcast episode 002: Digital Doomsday & Resilient Response with Rich Mogull

    In the second episode of Chasing Entropy, host Dave Lewis, Global Advisory CISO at 1Password, welcomes a true luminary in the cybersecurity world—Rich Mogull, SVP of Cloud Security at Firemon and CEO of Securosis. What follows is a lively, insightful, and often humorous conversation that ranges from paramedics to Black Swan events, revealing how physical disaster response frameworks can revolutionize cybersecurity.

    From Paramedic to Cybersecurity Visionary

    Rich shares his unconventional journey into cybersecurity, starting with physical security at university events, then pivoting to paramedicine, software development, and ultimately to security analysis and consulting. His transition into cybersecurity was never part of the plan—it was shaped by curiosity, opportunity, and a whole lot of caffeine.

    The Power of Early Opportunities

    We reminisce about early career moments, including Dave’s first-ever speaking engagement alongside Rich. These experiences underscore the value of mentorship, peer support, and stepping into discomfort to grow.

    Black Swan Events & Incident Response

    The heart of the episode centers on a shared talk from IRISSCON in Dublin titled “Digital Doomsday: Building Resilience for Cyber Black Swans.” Rich explains the concept of a Black Swan—unpredictable yet highly impactful events—and how learnings from physical disaster response (like hurricanes or mass casualty events) can be applied directly to incident response in IT.

    Bridging Physical and Cyber Crisis Management

    Drawing from his extensive background in emergency services and disaster response, Rich advocates for adopting the Incident Command System (ICS) and all-hazards preparedness within cybersecurity. He emphasizes that while the domain (cyber vs. physical) may differ, the principles of coordination, communication, and scalability remain the same.

    “The nature of putting out a fire vs. handling a hurricane vs. dealing with ransomware—they're all just different domains of the same challenge.”

    Why Cyber Keeps Burning Itself

    We also explore recurring issues in the industry, like password mismanagement and shadow IT. Rich critiques the idea that security teams should try to control everything, arguing instead for building resilient systems that can adapt to business needs, attacker behavior, and legacy tech constraints.

    Final Insights

    Rich closes by reflecting on the forces that shape cybersecurity:
    Business decisions and priorities
    Adversary tactics
    Legacy system vulnerabilities
    Human error
    Compliance pressures

    He cautions against over-indexing on hot trends while neglecting the fundamentals that could reduce real-world risks—especially in critical infrastructure.

  32. 1

    Chasing Entropy Podcast Episode 001: Staying True to Your Passion with Jennifer Leggio

    In our first-ever episode, host Dave Lewis sits down with Jennifer Leggio — cybersecurity strategist, marketing leader, and community builder — for a candid conversation on career growth, the evolution of cybersecurity, and why staying true to your passion matters more than chasing titles.

    Key Topics Discussed

    The Origins of the Security Twits: How a simple list helped create an early infosec community on Twitter.
    Career Lessons: Why Jennifer left a COO role to return to her marketing roots — and what it taught her about fulfillment.
    Shadow IT Risks: Why "Shadow IT" is a growing organizational threat and how leadership must step up.
    The Importance of Communication: From responsible disclosure to executive messaging, clear communication saves organizations.
    Learning From the Past: Why cybersecurity must do a better job of remembering lessons — like patching and password hygiene.
    Advice for Newcomers: Find great mentors, define your own path, and never be afraid to pivot.

    Memorable Quotes

    "Stick to what fulfills your soul — not what your title says you should be." — Jennifer Leggio

    Final Thoughts

    Jennifer's journey shows that authenticity, curiosity, and resilience are just as critical in cybersecurity as technical skills. Whether you're a seasoned professional or just entering the field, her advice is a refreshing reminder to build community, learn from the past, and stay true to yourself.

ABOUT THIS SHOW

This podcast is an interview series with career professionals in cyber security as we get their takes on shadow IT, extended access control, agentic AI and how they arrived at this point in their careers.

HOSTED BY

Dave Lewis, 1Password

Frequently Asked Questions

How many episodes does Chasing Entropy Podcast by 1Password have?

Chasing Entropy Podcast by 1Password currently has 32 episodes available on PodParley. New episodes are automatically indexed when they're published to the podcast feed.

How often does Chasing Entropy Podcast by 1Password release new episodes?

Chasing Entropy Podcast by 1Password has 32 episodes. Check the episode list to see recent publication dates and frequency.

Where can I listen to Chasing Entropy Podcast by 1Password?

You can listen to Chasing Entropy Podcast by 1Password on PodParley by clicking any episode. We provide an embedded audio player for direct listening, and you can also subscribe via your preferred podcast app using the RSS feed.

Who hosts Chasing Entropy Podcast by 1Password?

Chasing Entropy Podcast by 1Password is created and hosted by Dave Lewis, 1Password.