Cybersecurity Where You Are (audio)

Episode 188: DBIR 2026 Insights and Collaboration with CIS

39 min · 20 May 2026

Description

In episode 188 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager sit down with Philippe "Phil" Langlois [https://www.linkedin.com/in/infosec-philippe-langlois], Data Breach Investigations Report (DBIR) Author at Verizon; and Charity Otwell [https://www.linkedin.com/in/charity-otwell], Director of the CIS Critical Security Controls® (CIS Controls®) at the Center for Internet Security® (CIS®). Together, they discuss some of the top insights of the 2026 DBIR and how CIS contributed to the publication.

Here are some highlights from our episode:

* 00:50. Introductions to Phil and Charity
* 02:46. Vulnerability exploitation as the most common attack vector
* 05:25. The role of artificial intelligence (AI) in threat actors' natural system thinking
* 07:03. The need for clear governance and responsibility around vulnerability management
* 08:58. Insight into the types of techniques threat actors research using frontier AI models
* 13:43. A trending drop in ransomware payouts and organizations willing to pay attackers
* 14:59. Why a healthy dose of distrust goes a long way in assessing attackers' claims of victims
* 16:24. How two ransomware groups stand out above the norm
* 17:49. The ongoing risk surrounding vendor, supplier, and other third party exposure
* 22:34. The need for governance in managing data issues involving the use of AI
* 27:14. Three ways in which CIS contributed to the 2026 DBIR
* 34:02. How the 2026 DBIR informs the CIS Controls and parting actionable steps

Resources

* 2026 Data Breach Investigations Report [https://www.verizon.com/business/resources/reports/dbir/]
* CIS Critical Security Controls® [https://www.cisecurity.org/controls?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast]
* Episode 87: Marking 11 Years as a Verizon DBIR Contributor [https://www.cisecurity.org/insights/podcast/episode-87-marking-11-years-as-a-verizon-dbir-contributor?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast]
* Mythos AI: What Actually Matters for Cybersecurity Leaders [https://www.cisecurity.org/insights/blog/mythos-ai-what-actually-matters-for-cybersecurity-leaders?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast]
* Applying the CIS Controls to Real‑World AI Environments [https://www.cisecurity.org/insights/blog/applying-controls-real-world-ai-environments?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast]
* CIS Community Defense Model 2.0 [https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast]
* The Conti Leaks: A Case of Cybercrime's Commercialization [https://www.cisecurity.org/insights/blog/the-conti-leaks-a-case-of-cybercrimes-commercialization?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast]

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].


All episodes

190 episodes


Episode 190: Separating Mythos AI Fact from Fiction

In episode 190 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager sit down with Brian Calkin [https://www.linkedin.com/in/brian-calkin], Chief Technology and Innovation Officer at the Center for Internet Security® (CIS®). Together, they separate fact from fiction around artificial intelligence (AI) capabilities like Mythos AI and other AI-driven vulnerability discovery tools.

Here are some highlights from our episode:

* 00:50. Greetings to Brian and setting the stage for questions from a CIS webinar
* 03:05. The lack of a unified formula or standard for vulnerability prioritization
* 03:55. The opportunity for defenders to interrupt vulnerabilities chained together
* 05:47. An invitation to better understand your enterprise amid the "slopdemic"
* 06:33. How AI guardrails tie back into security best practices
* 10:15. How a fundamental practice we can refine is the best counter to chained attacks
* 12:25. The value of the CIS Community Defense Model and a teaser for Version 3
* 14:50. Mythos AI vs. Static Application Security Testing (SAST) in terms of practice and time
* 19:08. Visibility, governance, and prioritization: Three elements of a "prepared" environment
* 24:32. "One to one" cyber defense as a losing battle
* 27:25. The importance of knowing your dependencies with open-source software
* 33:15. Threat actor economics and the ongoing debate around responsibility in cybersecurity

Resources

* Mythos AI: What Actually Matters for Cybersecurity Leaders [https://www.cisecurity.org/insights/blog/mythos-ai-what-actually-matters-for-cybersecurity-leaders?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* Secure by Design [https://www.cisecurity.org/topics/secure-by-design?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* CIS Critical Security Controls® [https://www.cisecurity.org/controls?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* CIS Community Defense Model 2.0 [https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* Episode 185: AI Prompt Injection from a Risk Perspective [https://www.cisecurity.org/insights/podcast/episode-185-ai-prompt-injection-from-a-risk-perspective?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* Living off the Land: Threats Looming From Within [https://www.cisecurity.org/insights/blog/living-off-the-land-threats-looming-from-within?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* Turn Intel Into Action: CIS Controls and the 2026 Verizon DBIR [https://www.cisecurity.org/insights/webinar/turn-intel-into-action-cis-controls-and-the-2026-verizon-dbir?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* Implementation Guide for Small- and Medium-Sized Enterprises CIS Controls IG1 [https://www.cisecurity.org/insights/white-papers/implementation-guide-for-small-and-medium-sized-enterprises-cis-controls-ig1?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* Information Technology and Information Security Governance [https://www.cisecurity.org/insights/white-papers/information-technology-and-information-security-governance?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].

Yesterday · 38 min

Episode 189: The Present and Future of AI-enabled Pentesting

In episode 189 of Cybersecurity Where You Are, Sean Atkinson sits down with Ed Skoudis [https://www.linkedin.com/in/edskoudis], President of SANS Technology Institute. Together, they discuss the present and future of pentesting enabled by artificial intelligence (AI).

Here are some highlights from our episode:

* 00:39. Introductions to Ed
* 01:49. The promise of AI-enabled pentesting in creating more secure infrastructure
* 04:52. AI-enabled and AI-centric workflows in the realm of penetration testing
* 08:03. Wranglers, matadors, and centaurs, oh my! Metaphors for AI-enabled pentesters
* 13:00. How AI can assist with reporting, enumeration, and scanning as part of a pentest
* 14:57. AI-enabled source-assisted pentesting and the types of vulnerabilities it finds
* 19:50. A learning opportunity for the broader cybersecurity community
* 23:44. How AI and human analysts could split the workload in a future penetration test
* 25:54. AI-enabled pentesting vs. AI pentester in a box
* 29:51. Why "human in the loop" might be too passive a phrase
* 30:37. The use of AI for source code development

Resources

* Mythos AI: What Actually Matters for Cybersecurity Leaders [https://www.cisecurity.org/insights/blog/mythos-ai-what-actually-matters-for-cybersecurity-leaders?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_189-0527_podcast]
* Secure by Design [https://www.cisecurity.org/topics/secure-by-design?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_189-0527_podcast]
* SEC543: AI-Assisted Source Code Analysis and Exploitation for Penetration Testers [https://www.sans.org/cyber-security-courses/ai-source-code-analysis-exploitation-pentesters]
* Episode 108: Gaming and Competition in Cybersecurity [https://www.cisecurity.org/insights/podcast/episode-108-gaming-and-competition-in-cybersecurity?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_189-0527_podcast]
* Episode 59: Probing the Modern Role of the Pentest [https://www.cisecurity.org/insights/podcast/episode-59-probing-the-modern-role-of-the-pentest?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_189-0527_podcast]

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].

27 May 2026 · 33 min

Episode 188: DBIR 2026 Insights and Collaboration with CIS

20 May 2026 · 39 min

Episode 187: The Role of a CISO as a Strategic Storyteller

In episode 187 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager discuss how the role of a CISO functions as a strategic storyteller of cyber risk while keeping the bigger picture in mind.

Here are some highlights from our episode:

* 00:51. Framing the conversation around CISOs' efforts to communicate with the business
* 02:01. Translation: A nuanced practice of simplifying the story while still telling the truth
* 02:41. The need for a CISO to bridge their organization's respective "culture gap(s)"
* 04:13. Collaborative and dictatorial: Two different ways CISOs talk to a business
* 06:07. The work of translation in motivating and informing action around perceived risk
* 07:03. Security sampling: A story from Tony that reminds CISOs of the bigger picture
* 09:55. Fewer wizards and more mechanics: What the cybersecurity industry needs today
* 12:20. Two factors to consider: Politicking and the need to provide an accessible narrative
* 15:49. Rapport and tradecraft as two critical tools supporting the role of a CISO
* 18:09. Technical competence as a prerequisite for confidence in risk conversations
* 19:20. The false sense of security from relying on comparative data with competitors
* 22:14. The CISO as a strategic storyteller who helps the business make decisions
* 27:03. The need for machinery to constantly rediscover and recreate trust
* 30:15. A call to action for Boards: Build vernacular in cybersecurity risk space
* 35:03. CISO as a strategic storyteller vs. CISO as an enforcer

Resources

* CIS Critical Security Controls® [https://www.cisecurity.org/controls?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl]
* CIS Community Defense Model 2.0 [https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl]
* Episode 183: The Role of CISO in Supporting Risk Translation [https://www.cisecurity.org/insights/podcast/episode-183-the-role-of-ciso-in-supporting-risk-translation?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl]
* Episode 166: Foundations of Actuarial Science in Cyber Risk [https://www.cisecurity.org/insights/podcast/episode-166-foundations-of-actuarial-science-in-cyber-risk?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl]
* Episode 121: The Economics of Cybersecurity Decision-Making [https://www.cisecurity.org/insights/podcast/episode-121-the-economics-of-cybersecurity-decision-making?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl]
* NICE Workforce Framework for Cybersecurity (NICE Framework) [https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center/nice-framework-current-versions]

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].

13 May 2026 · 39 min

Episode 186: Strong Cyber Defense Starts with IT Operations

In episode 186 of Cybersecurity Where You Are, Tony Sager sits down with Tony Krzyzewski [https://nz.linkedin.com/in/tonykrz], a CIS Critical Security Controls® (CIS Controls®) Ambassador for the Center for Internet Security® (CIS®). Together, they discuss how strong cyber defense starts with the fundamentals of IT operations.

Here are some highlights from our episode:

* 00:45. Introductions to Tony Krzyzewski and his background
* 02:19. Tony Krzyzewski's first interaction with the CIS Controls
* 03:47. IT operations: The foundation that makes strong cyber defense possible
* 06:20. How an increasingly connected world makes the CIS Controls essential to cybersecurity
* 09:56. The need for operations people to realize they're part of the cybersecurity solution
* 13:11. The use of Implementation Groups to reduce overload on IT and security teams
* 16:52. How the CIS Controls differ from "umbrella frameworks" like NIST CSF and ISO 27001
* 18:25. CIS Controls mappings and how they help to simplify a surplus of good guidance
* 20:35. How the CIS Controls support improvement programs and Board-level conversations
* 25:38. Tony Krzyzewski's work in creating the CIS Controls Ambassador program
* 27:02. Why a deep view of what's happening at CIS supports Tony Krzyzewski's efforts
* 30:11. Growing international promotion of the CIS Controls and "doing the basics well"

Resources

* CIS Critical Security Controls® [https://www.cisecurity.org/controls?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl]
* CIS Controls Ambassador Spotlight: Tony Krzyzewski [https://www.cisecurity.org/insights/blog/cis-controls-volunteer-spotlight-tony-krzyzewski?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl]
* Episode 160: Championing SME Security with the CIS Controls [https://www.cisecurity.org/insights/podcast/episode-160-championing-sme-security-with-the-cis-controls?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl]
* Episode 168: Institutionalizing Good Cybersecurity Ideas [https://www.cisecurity.org/insights/podcast/episode-168-institutionalizing-good-cybersecurity-ideas?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl]
* Episode 172: Helping CISOs as a CIS Controls Ambassador [https://www.cisecurity.org/insights/podcast/episode-172-helping-cisos-as-a-cis-controls-ambassador?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl]
* Episode 181: Supply and Demand of Cybersecurity Ecosystems [https://www.cisecurity.org/insights/podcast/episode-181-supply-and-demand-of-cybersecurity-ecosystems?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl]
* Guide to Implementation Groups (IG): CIS Critical Security Controls v8.1 [https://www.cisecurity.org/insights/white-papers/guide-implementation-groups-ig-cis-critical-security-controls-v8-1?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl]
* Reasonable Cybersecurity [https://www.cisecurity.org/topics/reasonable-cybersecurity?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl]
* Mappings to Security Frameworks [https://www.cisecurity.org/controls/resources?crc=other-security-frameworks?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl]
* Translations [https://www.cisecurity.org/controls/resources?crc=translations?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl]
* Policy Templates [https://www.cisecurity.org/controls/policy-templates?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl]
* Securing the AI Ecosystem Begins at the Model Layer [https://www.cisecurity.org/insights/blog/securing-ai-ecosystem-begins-model-layer?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl]

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].

6 May 2026 · 38 min