The TPRM Podcast

Agentic GRC, SOC 2, and Why Data Beats Compliance with Jake Bernardes

46 min · 2 Feb 2026

Description

In this episode of the TPRM Podcast, Threats, Pitfalls & Risk Myths, Nate Lee talks with Jake Bernardes, Chief Information Security Officer at Anecdotes and former CISO at Whistic, known for his candid, data-first approach to GRC and third-party risk. Jake brings deep experience across GRC, TPRM, and security leadership, and is an outspoken voice on why traditional compliance frameworks like SOC 2 have become procurement shortcuts rather than meaningful security signals. He shares a pragmatic view on what is broken in modern GRC and what it will take to fix it.

They explore what agentic GRC actually means beyond the marketing hype, why data quality and completeness are foundational for AI-driven security workflows, and how treating GRC as an engineering problem can fundamentally change how risk is assessed. The conversation also covers trust centers, machine-readable evidence, the future of audits and certifications, and how real security data could replace checkbox-based assessments. Jake also shares direct career advice for security and GRC professionals, including why networking matters more than certifications, what it really means to be an effective CISO, and why security leaders should be driving business outcomes rather than positioning themselves as cost centers.

This episode is packed with insight for CISOs, security leaders, GRC and TPRM practitioners, and anyone thinking seriously about the future of compliance, trust, and risk.

Listen and Subscribe
Spotify → https://open.spotify.com/show/7JvPsyMJPgVLOKuJhkKfxA?si=bf17a655fc0049f9
Apple Podcasts → https://podcasts.apple.com/us/podcast/the-tprm-podcast/id1848217699
YouTube → @TPRMPodcast

About the Guest
Jake Bernardes is the Chief Information Security Officer at Anecdotes and former CISO at Whistic. He has extensive experience leading GRC, TPRM, and security programs and is a strong advocate for transparency, data-driven risk assessment, and treating GRC as an engineering discipline.

About the Host
Nate Lee is a B2B Scaleup CISO and Founder of Cloudsec.ai, helping SaaS companies build business-aligned security programs that increase developer velocity, strengthen trust, and support rapid growth.

About the Show
The TPRM Podcast explores real-world conversations with security leaders reshaping how we think about risk, uncovering the threats, pitfalls, and myths behind today’s cybersecurity challenges.

Nate’s LinkedIn → /natetrustmind
TPRM Podcast LinkedIn → /tprm-podcast
Website → https://tprmpodcast.com
Instagram → @TPRMPodcast
TikTok → @tprmpodcast


All episodes

16 episodes

The Bugpocalypse Is Here: AI, Security & the Future of Software

Most conversations about AI and cybersecurity focus on a simple question: Will AI help defenders, or will it help attackers? But that may be the wrong question entirely.

In this episode of the TPRM Podcast, Threats, Pitfalls & Risk Myths, Nate Lee sits down with Trey Ford, Chief Strategy & Trust Officer at Bugcrowd, former General Manager of Black Hat, former CISO of Deepwatch, and former security leader at Salesforce and Heroku. The conversation explores what Trey calls the "Bugpocalypse" and why AI is fundamentally changing the economics of vulnerability discovery. As AI dramatically lowers the cost of finding security flaws, organizations are entering a world where vulnerabilities can be discovered faster than ever before. The challenge is no longer simply finding problems. The challenge is validating them, prioritizing them, and deciding what to do when security teams are suddenly faced with thousands of findings and limited resources.

Nate and Trey discuss how bug bounty programs are evolving, why AI is accelerating both offensive and defensive security capabilities, and how organizations need to move beyond individual vulnerabilities and start thinking in systems. They explore the future of software security, AI-assisted development, vulnerability management, technical debt, and why many organizations may need to rethink long-held assumptions about patching, remediation, and risk management. The conversation also dives into AI governance, agentic systems, security operations, and the challenges security leaders face as every department begins adopting AI-powered tools faster than organizations can fully understand or govern them. Trey shares lessons from decades of experience across consulting, vulnerability research, security leadership, and some of the industry's most influential organizations, offering practical insights into how security teams can adapt to a rapidly changing landscape.

This episode is essential listening for CISOs, security leaders, developers, risk practitioners, and anyone trying to understand how AI is reshaping cybersecurity.

Listen and Subscribe
Spotify - https://open.spotify.com/show/7JvPsyMJPgVLOKuJhkKfxA?si=1c7d77143ad7424a
Apple Podcasts - https://podcasts.apple.com/us/podcast/the-tprm-podcast/id1848217699
YouTube - https://youtube.com/@TPRMPodcast

Episode Sponsor
This episode features a message from TrustMind, a security questionnaire automation platform designed to help teams respond more quickly and consistently to vendor security reviews. TrustMind uses AI to automatically complete security questionnaires using your existing documentation, policies, and prior responses so security teams can spend less time copying and pasting and more time securing their platforms. Learn more at https://trustmind.com

About the Guest
Trey Ford is Chief Strategy & Trust Officer at Bugcrowd. Previously, Trey served as General Manager of Black Hat, Chief Information Security Officer at Deepwatch, and held security leadership roles at Salesforce and Heroku. He began his career as a security consultant and PCI assessor and has spent decades helping organizations understand and manage cyber risk. His work spans vulnerability research, security operations, product security, bug bounty programs, governance, and cybersecurity strategy.

About the Host
Nate Lee is a B2B Scaleup CISO and Founder of Cloudsec.ai and TrustMind. He works with SaaS companies to build business-aligned security programs that increase developer velocity, strengthen customer trust, and support rapid growth.

About the Show
The TPRM Podcast features real-world conversations with security leaders who are reshaping how we think about cybersecurity and risk. Each episode explores the threats, pitfalls, and risk myths behind modern security programs and what it actually takes to protect organizations operating at scale.

9 June 2026 · 52 min

Patching Is Not a Security Strategy | Jerry Perullo

Most security teams still treat patching as the front line of defense. But what happens when attackers move faster than your remediation cycle, vulnerabilities are discovered at machine speed, and security teams are still optimizing around outdated assumptions?

In this episode of the TPRM Podcast, Threats, Pitfalls & Risk Myths, Nate Lee sits down with Jerry Perullo, former CISO of Intercontinental Exchange, where he spent more than two decades securing critical infrastructure, including the New York Stock Exchange. Jerry is now Founder & CTO of Adversarial, Professor at Georgia Tech, and co-host of The Adversarial Podcast.

The conversation explores why many security programs are still solving the wrong problems. Jerry breaks down the difference between threats and risks, why organizations often confuse activity with progress, and how security leaders should think more intentionally about tradeoffs, governance, and real business impact. Nate and Jerry unpack why vulnerability management has become overly narrow, why patching alone cannot be the strategy, and what organizations should be doing instead to reduce real exposure. They also discuss board communication, security decision-making, vendor-driven fear, and how security teams can avoid reacting to every headline while staying grounded in what actually matters. Jerry shares practical lessons from securing some of the world’s most critical financial infrastructure, including how mature organizations think about prioritization, resilience, and continuous improvement when the stakes are exceptionally high.

This episode is essential listening for CISOs, security leaders, risk practitioners, and security teams trying to build programs grounded in reality instead of noise.

Listen and Subscribe
Spotify - https://open.spotify.com/show/7JvPsyMJPgVLOKuJhkKfxA?si=1c7d77143ad7424a
Apple Podcasts - https://podcasts.apple.com/us/podcast/the-tprm-podcast/id1848217699
YouTube - https://youtube.com/@TPRMPodcast

Episode Sponsor
This episode features a message from TrustMind, a security questionnaire automation platform designed to help teams respond more quickly and consistently to vendor security reviews. TrustMind uses AI to automatically complete security questionnaires using your existing documentation, policies, and prior responses so security teams can spend less time copying and pasting and more time securing their platforms. Learn more at https://trustmind.com

About the Guest
Jerry Perullo is the Founder & CTO of Adversarial, a former CISO of Intercontinental Exchange, and a Professor at Georgia Tech. Over a 20+ year career leading security for critical financial infrastructure, including the New York Stock Exchange, Jerry developed practical approaches to cyber risk management, governance, and adversarial resilience. He is also co-host of The Adversarial Podcast, where he explores modern cybersecurity strategy with fellow former CISOs and security leaders.

About the Host
Nate Lee is a B2B Scaleup CISO and Founder of Cloudsec.ai and TrustMind. He works with SaaS companies to build business-aligned security programs that increase developer velocity, strengthen customer trust, and support rapid growth.

About the Show
The TPRM Podcast features real-world conversations with security leaders who are reshaping how we think about cybersecurity and risk. Each episode explores the threats, pitfalls, and risk myths behind modern security programs and what it actually takes to protect organizations operating at scale.

26 May 2026 · 53 min

GRC Is Solving the Wrong Problem in an AI World | Ayoub Fandi

In this episode of the TPRM Podcast, Threats, Pitfalls & Risk Myths, Nate Lee sits down with Ayoub Fandi, GRC Engineering Lead at GitLab and creator of the GRC Engineer podcast and newsletter. As AI reshapes how security teams operate, many GRC programs are still built around audits, frameworks, and compliance driven workflows. Ayoub explains why this model is quickly losing relevance and why simply automating existing processes often leads to solving the wrong problems faster.

The conversation explores how security teams need to rethink their operating models in an AI driven world. Nate and Ayoub discuss the shift from compliance driven programs to risk driven decision making, and why teams must move beyond audit cycles and start rebuilding workflows from first principles. They also examine how AI is changing the nature of work inside security, why compliance is becoming table stakes, and why risk management remains one of the most complex and human parts of security. This shift is forcing organizations to rethink how they approach workflows, decision making, and collaboration across teams. Beyond tooling, the discussion dives into systems thinking, stakeholder alignment, and how GRC teams can become more embedded within engineering, security, and the broader business.

This episode is essential listening for CISOs, security leaders, engineers, and practitioners navigating AI driven change, modern security architecture, and the evolving role of security teams.

Listen and Subscribe
Spotify - https://open.spotify.com/show/7JvPsyMJPgVLOKuJhkKfxA?si=c862255fc2b84d12
Apple Podcasts - https://podcasts.apple.com/us/podcast/the-tprm-podcast/id1848217699
YouTube - https://youtube.com/@TPRMPodcast

Episode Sponsor
This episode features a message from TrustMind, a security questionnaire automation platform designed to help teams respond more quickly and consistently to vendor security reviews. TrustMind uses AI to automatically complete security questionnaires using your existing documentation, policies, and prior responses so security teams can spend less time copying and pasting and more time securing their platforms. Learn more at https://trustmind.com

About the Guest
Ayoub Fandi is the GRC Engineering Lead at GitLab and creator of the GRC Engineer podcast and newsletter. He focuses on rethinking how governance, risk, and compliance evolve in an AI driven world. His work centers on applying systems thinking, automation, and engineering principles to modernize GRC programs and better align them with modern security practices.

About the Host
Nate Lee is a B2B Scaleup CISO and Founder of Cloudsec.ai and TrustMind. He works with SaaS companies to build business aligned security programs that increase developer velocity, strengthen customer trust, and support rapid growth.

About the Show
The TPRM Podcast features real world conversations with security leaders who are reshaping how we think about cybersecurity and risk. Each episode explores the threats, pitfalls, and risk myths behind modern security programs and what it actually takes to protect organizations operating at scale.

21 Apr 2026 · 50 min

AI Is Breaking Security as We Know It | Michael Coates

In this episode of the TPRM Podcast, Threats, Pitfalls & Risk Myths, Nate Lee sits down with Michael Coates, Founding Partner at Seven Hill Ventures and former CISO of Twitter, Mozilla, and CoinList. As AI continues to accelerate both attack speed and capability, the gap between attackers and defenders is rapidly shrinking. Michael explains how automated attacks are compressing response times to the point where human driven security models are no longer viable, and why organizations must begin removing humans from critical decision loops.

The conversation explores how security teams need to rethink their operating models in an AI driven world. Nate and Michael discuss the future of the SOC, the rise of automation and agent driven workflows, and why many traditional security practices may soon become obsolete. They also examine how AI is lowering the barrier to entry for attackers, enabling capabilities that were once limited to nation state actors. This shift is forcing organizations to move faster, experiment more, and rethink how they balance risk, speed, and innovation. Beyond technology, the discussion dives into how roles inside security teams are evolving, what skills will matter most going forward, and why security leaders must shift from gatekeepers to enablers of business velocity.

This episode is essential listening for CISOs, security leaders, and practitioners navigating AI driven threats, modern security architecture, and the rapidly changing role of cybersecurity.

Listen and Subscribe
Spotify - https://open.spotify.com/show/7JvPsyMJPgVLOKuJhkKfxA?si=c862255fc2b84d12
Apple Podcasts - https://podcasts.apple.com/us/podcast/the-tprm-podcast/id1848217699
YouTube - https://youtube.com/@TPRMPodcast

Episode Sponsor
This episode features a message from TrustMind, a security questionnaire automation platform designed to help teams respond more quickly and consistently to vendor security reviews. TrustMind uses AI to automatically complete security questionnaires using your existing documentation, policies, and prior responses so security teams can spend less time copying and pasting and more time securing their platforms. Learn more at https://trustmind.com

About the Guest
Michael Coates is the Founding Partner at Seven Hill Ventures and former CISO of Twitter, Mozilla, and CoinList. He has spent his career building and scaling security programs at some of the most influential technology companies while also advising and investing in the next generation of cybersecurity startups. Michael brings a unique perspective across operator, founder, and investor roles, with deep expertise in modern security architecture, risk, and the evolving impact of AI on cybersecurity.

About the Host
Nate Lee is a B2B Scaleup CISO and Founder of Cloudsec.ai and TrustMind. He works with SaaS companies to build business aligned security programs that increase developer velocity, strengthen customer trust, and support rapid growth.

About the Show
The TPRM Podcast features real world conversations with security leaders who are reshaping how we think about cybersecurity and risk. Each episode explores the threats, pitfalls, and risk myths behind modern security programs and what it actually takes to protect organizations operating at scale.

24 Mar 2026 · 56 min

How AI Is Reshaping Cyber Attacks and Defense | Conor Sherman

In this episode of the TPRM Podcast, Threats, Pitfalls & Risk Myths, Nate Lee sits down with Conor Sherman, CISO in Residence at Sysdig and host of the Zero Signal Podcast. As AI rapidly reshapes the cybersecurity landscape, both attackers and defenders are beginning to automate their operations in ways that were not possible just a few years ago. Conor explains how threat actors are already using AI driven techniques to accelerate attacks and why traditional security operating models are starting to struggle to keep up.

The conversation explores how defenders should rethink security strategy in a world where attacks can move from discovery to exploitation in minutes. Nate and Conor discuss autonomous defense, the limits of human driven response models, and why security teams must begin designing systems that can react at machine speed. They also examine the role of the modern CISO, the importance of resilience over perfection, and how security leaders can help their organizations adopt AI safely while still moving fast enough to stay competitive.

This episode is essential listening for CISOs, security leaders, and practitioners navigating AI driven threats, modern cloud security, and the evolving role of security leadership.

Listen and Subscribe
Spotify - https://open.spotify.com/show/7JvPsyMJPgVLOKuJhkKfxA?si=1c7d77143ad7424a
Apple Podcasts - https://podcasts.apple.com/us/podcast/the-tprm-podcast/id1848217699
YouTube - https://youtube.com/@TPRMPodcast

Episode Sponsor
This episode features a message from TrustMind, a security questionnaire automation platform designed to help teams respond more quickly and consistently to vendor security reviews. TrustMind uses AI to automatically complete security questionnaires using your existing documentation, policies, and prior responses so security teams can spend less time copying and pasting and more time securing their platforms. Learn more at https://trustmind.com

About the Guest
Conor Sherman is the CISO in Residence at Sysdig and the host of the Zero Signal Podcast. In his role he works closely with security leaders and organizations navigating modern cloud threats and the rapidly evolving AI powered threat landscape. Conor advises companies on building resilient security programs, adapting defenses to emerging attack techniques, and helping security teams operate effectively as both attackers and defenders begin using AI driven tools.

About the Host
Nate Lee is a B2B Scaleup CISO and Founder of Cloudsec.ai and TrustMind. He works with SaaS companies to build business aligned security programs that increase developer velocity, strengthen customer trust, and support rapid growth.

About the Show
The TPRM Podcast features real world conversations with security leaders who are reshaping how we think about cybersecurity and risk. Each episode explores the threats, pitfalls, and risk myths behind modern security programs and what it actually takes to protect organizations operating at scale.

10 Mar 2026 · 59 min