The Cyber Business Podcast

Podcast by Matthew Connor

English

Business

Welcome to The Cyber Business Podcast where we feature top founders and entrepreneurs and share their inspiring stories.

All episodes

216 episodes

Machine Speed Attacks, Voice Agents, and Why Bad AI Excuses Fail with Keith Trawick - Ep 218

Guest Introduction

Keith Trawick [https://www.linkedin.com/in/keith-trawick/] is the CIO of Stretch Zone [https://www.stretchzone.com/], a practitioner-assisted stretching franchise with more than 420 locations across the country and another 75 to 80 expected to open this year. He joined the organization as employee number one when it made the move from boutique wellness service to scalable franchise brand roughly 12 years ago, helping build the technology infrastructure from the ground up in a category that did not exist before Stretch Zone created it. With a career rooted in subscription-based, member-centric businesses, Keith brings a systems-first perspective to the intersection of AI adoption, franchise operations, and the very human challenge of bringing hundreds of independent business owners along on the journey.

Here's a Glimpse of What You'll Learn

* What it means to build technology for a franchise category that did not exist when you started and how that shapes the systems-first philosophy Keith still operates from today
* Why Keith believes the service Stretch Zone delivers is AI-resilient at the front line and where the real AI opportunity lives on the back end
* How machine learning in security tools is the unsung hero of the current threat environment and why traditional patching alone cannot keep pace with machine-speed attacks
* Why Keith is deploying AI voice agents for inbound and outbound calls across the franchise network and the data foundation problem that has to be solved first
* How he is partnering with SoundHound on voice and Blend on middleware to build an agentic system that respects compliance requirements across hundreds of independently owned locations
* Why outcome-based pricing for AI tools makes more sense than hourly labor for a franchise model and what that calculation looks like in practice
* Why the organizations that wrote off AI after a bad ChatGPT hallucination experience are going to have a very hard time competing from here

In This Episode

Keith opens with an origin story that reframes what technology leadership looks like when you are building the category, not just the company. Stretch Zone did not have a Google Business Profile category to select when it launched because no such category existed. Nobody knew what getting stretched meant. Keith joined as employee one with the franchise growth model and has spent 12 years building the systems infrastructure that allows more than 420 independently owned locations to deliver a consistent, brand-defined member experience without micromanaging the owners running those businesses. That tension, between brand consistency and franchise autonomy, runs through every technology decision he makes, and it is the lens through which he evaluates every AI initiative the organization is now pursuing.

The security section of this episode is where Keith gets most animated, and with good reason. He draws the machine learning versus LLM distinction with a water-in-the-boat analogy that lands harder than most technical explanations do. Traditional patching is reactive by design: the boat manufacturer notifies you of a defect, you patch the hull, done. But zero-day vulnerabilities exploited at machine speed do not wait for the notification cycle. What Keith wants is a system that detects water in the boat as it arrives, identifies where it came from, and addresses it before the hole is officially documented. That is what machine learning tools like Darktrace are doing in practice, and Keith makes a direct case that behavioral AI understanding what is normal for each user, each application, each network pattern, and flagging deviation from that is the only defensive posture that makes sense when the attack pace has crossed from human speed to machine speed.

The voice agent initiative is the most concrete and forward-looking section of the episode. Keith is mid-implementation, weeks away from beta testing at targeted locations, and he is candid about exactly how complicated it is to deploy agentic AI responsibly across a franchise network. The technology problem, building an AI that can handle inbound member calls and make outbound follow-ups within the right guardrails, required choosing partners with deep expertise rather than assembling something from YouTube tutorials and automation harnesses. SoundHound handles the voice side. Blend handles the middleware and data layer. But what took the most work was building the data foundation underneath it: a consistent definition of what a member actually is across 420 locations where 100 different owners might give 250 different answers to that question. Keith is clear that the agentic capability is ready. The last mile is compliance, making sure outbound call campaigns are registered, approved, and respectful of each state's quiet period rules across hundreds of independently owned businesses. That is the problem he is solving in real time, and the fact that he is talking about it before the rollout rather than after makes this episode particularly valuable for anyone who is contemplating the same move.

This episode is brought to you by Cyberlynx [https://cyberlynx.com/]

27 May 2026 - 37 min

Why the Credit Union Peer Network Is a Security Advantage Banks Cannot Buy with Nico Stein - Ep 217

Guest Introduction:

Nico Stein [https://www.linkedin.com/in/nico-stein-34041711/] is the SVP of IT and Operations at Signal Financial Federal Credit Union [https://www.signalfinancialfcu.org/], a community-based, member-owned credit union headquartered in Maryland with branches across the DC and Virginia region. With more than 12 years at Signal Financial, he oversees everything from laptops to cybersecurity to the financial core, and has built a reputation in the credit union community for open knowledge sharing at a time when most financial institutions treat peer conversations as competitive risk. An Object First ACE and Cisco Champion, Nico brings a practitioner's skepticism and a community-first mindset to the challenges of defending a regulated financial institution on a budget that does not scale with the threat.

Here's a Glimpse of What You'll Learn

* Why Nico shifted Signal Financial's entire security posture from hoping ransomware would not happen to assuming it will and building around recovery speed
* How he made the case to a non-technical board using a single Washington Post headline framing that unlocked the budget he needed
* Why backups being the first target of every ransomware attack changes how you have to think about immutable storage strategy
* How AI-powered voice printing and stress detection in the call center is Signal Financial's frontline defense against voice phishing attacks targeting elderly members
* Why agentic AI and MCP servers are Nico's personal security nightmare and what he believes most organizations are not yet ready for
* Why the credit union peer network gives small and mid-sized financial institutions an intelligence advantage that banks structurally cannot replicate
* Why AI should be evaluated by the problem it solves rather than the token count someone purchased

In This Episode

Nico opens with a framing that cuts through a lot of the performative confidence that shows up in security conversations: he told his board directly that he cannot stop ransomware, and if he had figured out how to do that, he would be on an island drinking margaritas because he had found the holy grail. What he could do was shift Signal Financial's entire security posture from hope to assumption, build around recovery speed, and make the case for immutable storage by asking leadership to picture the alternative on the front page of the Washington Post. That framing worked. The immutable storage solution has been in place for more than a year, the RTOs and RPOs are being met, and Nico talks about it with the kind of quiet confidence that comes from having actually built something rather than having sold someone on a strategy. He also offers a considered acknowledgment that backups are now the first target of every ransomware attack, giving credit to the organizations who thought they had it handled and missed one thing. It is a more generous framing than most and more useful for the organizations listening.

The financial services threat section of this episode is where things get specific in a way that is rare on this podcast. Nico's members include elderly individuals who are being targeted with AI-generated voice cloning attacks where the caller sounds exactly like their grandson. That is not a network perimeter problem. It is a social engineering problem that lives at the intersection of AI capability and human vulnerability, and it is happening in Signal Financial's call center right now. His response is equally specific: voice printing systems that verify caller identity and detect stress indicators that may suggest someone is being coerced or lying when withdrawing large sums. He is direct that this is a vendor-dependent solution and that the vendors are starting to build the right tools. He is equally direct that the threat is outpacing awareness among members who have no reason to know that a call from their grandchild might not be their grandchild.

The back half of this episode is where Nico pulls back from the operational and gets into the questions that the security conversation usually avoids. Agentic AI and MCP servers are his stated personal nightmare from a security perspective, not because he cannot block them but because utilizing them securely in a way that keeps data where it belongs is a problem nobody has fully solved yet. His AI evaluation framework is the same one that has shown up across the best episodes in this season: start with the problem, ask whether AI actually solves it, and resist the pressure to spend tokens because someone bought a million of them and wants to see adoption numbers. What makes Nico's version land differently is the context he brings it from: a regulated financial institution with limited resources, a peer network that functions as a genuine intelligence advantage over banks, and 12 years of scar tissue that makes him appropriately skeptical of anything arriving in a vendor PowerPoint with AI in the title.

The Cyber Business Podcast Brought to you by Cyberlynx [https://cyberlynx.com/]

25 May 2026 - 42 min

Deepfakes, Demos, and the Real Cost of a False Sense of Security with Chris Pacifico - Ep 216

Guest Introduction

Chris Pacifico [https://www.linkedin.com/in/chris-pacifico/] is the Director of IT at Rehab Medical [https://www.rehabmedical.com/], a durable medical equipment provider that gives people with mobility challenges access to everything from basic wheelchairs to advanced power chairs operated by eye movement. With a background spanning healthcare IT, technical writing, and hands-on security work, Chris brings a practitioner's perspective to AI adoption, budget-constrained security strategy, and the challenge of translating complex technical risk into language that moves a boardroom. He is a self-described cutting-edge advocate who draws a sharp line between staying current and bleeding out trying to keep up.

Here's a Glimpse of What You'll Learn

* Why Chris distinguishes between cutting-edge and bleeding-edge technology adoption and why that line matters more than ever with AI
* How he used a live email spoofing demonstration mid-meeting to make his infrastructure team believe what they thought was impossible
* Why he created a deepfake of the company president in 10 minutes and what happened when the president plugged in the flash drive
* How a Copilot permissions demonstration went from 8 requested licenses down to 4 issued, with only 3 given out
* Why tabletop exercises are the highest effort-to-value meeting any organization can hold, and how to get leadership in the room without triggering resistance
* Why machine learning is the undervalued engine inside the best security tools and why bolting an LLM onto an email product is a different problem entirely
* How Chris teaches prompt specificity using cookie dunking, dirty dishes, and a no-nonsense system prompt that HR would probably flag

In This Episode

Chris opens with a description of Rehab Medical that reframes what IT means in a mission-driven organization. The company provides mobility equipment to people who cannot move without it, including chairs that respond to eye direction alone. Chris is not on the front lines fitting those chairs, but he supports the people who are, and he carries that awareness into every security decision he makes. It shapes how he talks about risk, how he frames the budget conversation, and why he does not have much patience for security theater. When something actually matters to the people depending on it, the gap between a real defense and a false sense of security is not theoretical.

The two demonstrations Chris walks through in this episode are the kind of practitioner storytelling that earns credibility with any audience. The first happened in a meeting where his infrastructure team was explaining why email spoofing from their own domain was impossible. As they talked, Chris quietly sent one of them an email from himself, with the subject line "Yes I can." The point was not to embarrass anyone. It was to make the threat feel real before asking the team to defend against it. The second happened after a leadership meeting about integrating AI into the company's software platform. Chris went back to his desk, built a deepfake of the company president in roughly 10 minutes, loaded it onto a flash drive, and walked it upstairs. What he forgot was that the same flash drive held a USB drop test he had been running to see if anyone in the building would plug in a found device and open the files on it. The president plugged it in, saw a file labeled 2025 payroll report, and nearly clicked it. The deepfake and the payload test landed simultaneously, and the result was more security autonomy than any formal presentation would have produced.

The AI section of this episode is where Chris gets most direct about what he sees working and what he sees being oversold. He makes the machine learning versus LLM distinction clearly and without jargon, using Darktrace as the example of what genuine behavioral AI looks like in practice. He is equally candid about the Copilot demonstration he ran for leadership, where he used his own domain admin account to pull up three dozen documents that were not his, and used that moment to cut the requested license count in half without fully disclosing that he had elevated permissions. The lesson he draws is not about deception. It is about what it takes to make a permissions conversation land with someone who does not live in the infrastructure. His approach to teaching prompt specificity follows the same logic: skip the theory, make a mess with cookie dunking or dirty dishes instructions, and let the confusion do the teaching. The people who figure out why the instructions failed become the ones who write good prompts.

Check out the previous episode: AI Is Draining the Grid: Behind-the-Meter Power Solutions with Tony Uttley [https://cyberlynx.com/podcast/ai-is-draining-the-grid-behind-the-meter-power-solutions-with-tony-uttley-ep-215]

20 May 2026 - 54 min

AI Is Draining the Grid: Behind-the-Meter Power Solutions with Tony Uttley - Ep 215

Guest Introduction:

Tony Uttley [https://www.linkedin.com/in/tony-uttley-8597667/] is the CEO of Enginuity Power Systems [https://enginuitypowersystems.com/], a behind-the-meter cogeneration company delivering combined heat and power solutions to hospitals, schools, farms, and multi-family housing facing the full force of America's coming energy crisis. An engineer by training, Tony spent a decade at NASA's Johnson Space Center, seven years at the Boston Consulting Group, and nearly 15 years at Honeywell, where he ran the residential business and helped found Quantinuum, the quantum computing company now approaching a $10 billion IPO. He brings that same first-principles problem-solving instinct to one of the most consequential infrastructure challenges the country has faced in a generation.

Here's a Glimpse of What You'll Learn

* Why 20 years of flat electricity demand left the US grid dangerously unprepared for the AI data center era
* How the country would need 80 to 120 new nuclear reactors worth of power in the next 4 years to meet demand, and why that is effectively impossible
* How a New York hospital system was ordered off the grid 5 times in one summer and what that meant for every patient scheduled for surgery those days
* Why Enginuity's combined heat and power systems can deliver payback windows as short as 11 months in some markets
* How a Northern Indiana dairy farm is turning cow waste into renewable natural gas to power its own operations and eliminate 15 micro blackouts a week
* Why Tony selects for humility above all else when building teams to go after problems that may actually be impossible
* Why AI is a national security issue and slowing it down is not an option regardless of the energy cost

In This Episode

Tony opens by tracing the energy crisis back to a decision that made complete sense for two decades and now looks like the setup to a very expensive problem. When electricity demand in the United States grew at an average compound rate of 0.17% for 20 years, nobody invested in new capacity. A $1,000 investment in grid infrastructure in 2005 would have returned $1,037 by 2025. No rational investor made that bet. Infrastructure aged, transmission lines went unbuilt, and electricity prices were kept artificially low by charging consumers only for the cost of producing power rather than the cost of replacing the assets generating it. That worked until it did not. Along came AI, and AI means data centers, and data centers mean 24/7 firm fixed capacity power demand at a scale the existing grid was never built to absorb. Tony is precise about the gap: the country needs somewhere between 80 and 120 gigawatts of power it does not currently produce in the next four years. One full-size nuclear reactor equals one gigawatt. The math is not encouraging, and he says so directly.

The examples Tony uses to make the crisis concrete are the ones that stay with you. A hospital system in New York with 15 facilities across Manhattan and Long Island was told by its utility to go on emergency power five times in a single summer. Each time that happened, every scheduled surgical procedure for the day was cancelled, because starting a new surgery requires two independent power sources, and when the grid goes down, emergency power alone does not qualify. Five times. Real patients sent home. That is what grid instability looks like when it hits a healthcare system already operating on tight margins. Separately, a developer with all permits in place for a new multi-family housing project was told by their utility it would be four to five years before power could be provided. These are not hypotheticals. They are the backdrop against which Tony is selling, and they explain why he says customer resistance has effectively disappeared. The numbers work now in a way they simply did not three or four years ago. In parts of the country where electricity costs $0.35 or more per kilowatt-hour, Enginuity's systems, which deliver all-in at $0.15 per kilowatt-hour including maintenance, produce payback windows that compress to 11 months in some markets.

The leadership conversation in this episode is as valuable as the energy one. Tony has spent his career going after problems with no playbook, from quantum computing to energy infrastructure, and he has developed a hiring philosophy built around a criterion that took him 20 years to consciously identify: humility. Not talent alone. Not raw intelligence. Humility. The high-ego geniuses who bounce everyone else against the wall as they walk down the hall may command respect, but they do not generate the sheer collective will that gets an organization four weeks from going out of business and back out the other side. Tony's model is to find the geniuses, sit on their shoulders, and build the commercial infrastructure around their capability. The ambition he sets for those teams is not calibrated to what seems achievable. At Quantinuum, project milestones were literally world records and firsts of their kind, with specific dates attached. He told teams to aim at the world record line and jump as hard as they could. Missing by two months while doing something that had never been done was, in his framing, an unqualified success. That philosophy is now being applied to a 20-year infrastructure problem with no single solution and no finish line.

18 May 2026 - 51 min

Why Silence After a Breach Helps the Hackers with Scott Dickinson - Ep 214

Guest Introduction:

Scott Dickinson is the first-ever CISO at AnMed Health, a not-for-profit hospital system in Anderson, SC with three main hospitals and a growing network of emergency care facilities. He brings a career spanning military intelligence, the FBI, the Department of Commerce, the Department of Defense, and multiple state agencies to one of the most high-stakes environments in cybersecurity. His background in intelligence gives him a rare and direct line into how adversaries think, and he applies that perspective every day to the mission of protecting patients and the systems that keep them alive.

Here's a Glimpse of What You'll Learn

* What it means to be an organization's first-ever CISO and how Scott approached building a security program from the ground up at AnMed Health
* Why Scott draws a direct line between his military intelligence background and how he approaches threat modeling in healthcare
* Why machine learning is fundamentally different from bolting an LLM onto a legacy product and what that distinction means for how security tools should be evaluated
* How the cybercrime economy has changed in six years and why rented ransomware has lowered the barrier to entry to nearly zero
* Why Scott believes the security community needs to shift from disclosure of what happened to disclosure of how it happened and what others can do to prevent it
* How Scott thinks about building personal resilience as a CISO and why being battle-tested is now seen as a qualification rather than a liability
* Why AI-powered critical thinking atrophy is one of the most underappreciated risks of widespread AI adoption, and what leaders should be doing about it

In This Episode

Scott opens with something that does not come up often enough in these conversations: the emotional dimension of the work. He chose to come into healthcare specifically because he does not want attackers picking on sick people. The framing is simple and it is genuine. Hackers are bullies. Hospitals are targets. People have died because of cyberattacks on healthcare facilities, and he intends to be in the way. That motivation runs underneath everything else he says in this episode and gives his technical arguments a weight that purely strategic conversations rarely carry. He also brings something most CISOs cannot: a decade in military intelligence and direct experience working alongside the FBI, Department of Defense, and Department of Commerce. He does not just understand how defenders think. He understands how attackers think, which is a different skill entirely and one he applies every day at AnMed.

The most practically useful section of this episode is Scott's argument about what the security community owes each other after a breach. He is direct: the stigma around disclosure is helping the attackers. When an organization gets hit and goes quiet to manage the reputational damage, it withholds exactly the information that could allow every other organization to close the same door before the attackers find it. Scott's position is not that organizations should be reckless with sensitive information. It is that the focus of disclosure has to shift from what was exposed to how it happened and what others should do right now to protect themselves. He makes a pointed analogy to community resilience more broadly, drawing on a personal story about a neighbor who pulled a truck off him without stopping to weigh the legal liability. That instinct to help rather than hesitate is what he wants to see from the security community.

Scott closes with the AI argument that most vendors are not making loudly enough because it is uncomfortable for them: the danger is not just that AI can be weaponized by attackers, it is that over-reliance on AI erodes the critical thinking that defenders need most when things go wrong. He uses his own SOC as a concrete example. When he introduced an AI-powered email security product, he did not let it run silently. He showed his analysts exactly what the tool was flagging and why, teaching them to think the same way so that the tool was developing their judgment rather than replacing it. That is the model he argues the industry needs to internalize before AI becomes a liability masquerading as a defense.

14 May 2026 - 37 min