Cybersecurity Where You Are (audio)

Episode 188: DBIR 2026 Insights and Collaboration with CIS

In episode 188 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager sit down with Philippe "Phil" Langlois [https://www.linkedin.com/in/infosec-philippe-langlois], Data Breach Investigations Report (DBIR) Author at Verizon; and Charity Otwell [https://www.linkedin.com/in/charity-otwell], Director of the CIS Critical Security Controls® (CIS Controls®) at the Center for Internet Security® (CIS®). Together, they discuss some of the top insights of the 2026 DBIR and how CIS contributed to the publication. Here are some highlights from our episode: * 00:50. Introductions to Phil and Charity * 02:46. Vulnerability exploitation as the most common attack vector * 05:25. The role of artificial intelligence (AI) in threat actors' natural system thinking * 07:03. The need for clear governance and responsibility around vulnerability management * 08:58. Insight into the types of techniques threat actors research using frontier AI models * 13:43. A trending drop in ransomware payouts and organizations willing to pay attackers * 14:59. Why a healthy dose of distrust goes a long way in assessing attackers' claims of victims * 16:24. How two ransomware groups stand out above the norm * 17:49. The ongoing risk surrounding vendor, supplier, and other third party exposure * 22:34. The need for governance in managing data issues involving the use of AI * 27:14. Three ways in which CIS contributed to the 2026 DBIR * 34:02. How the 2026 DBIR informs the CIS Controls and parting actionable steps Resources * 2026 Data Breach Investigations Report [https://www.verizon.com/business/resources/reports/dbir/] * CIS Critical Security Controls® [https://www.cisecurity.org/controls?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast] * Episode 87: Marking 11 Years as a Verizon DBIR Contributor [https://www.cisecurity.org/insights/podcast/episode-87-marking-11-years-as-a-verizon-dbir-contributor?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast] * Mythos AI: What Actually Matters for Cybersecurity Leaders [https://www.cisecurity.org/insights/blog/mythos-ai-what-actually-matters-for-cybersecurity-leaders?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast] * Applying the CIS Controls to Real‑World AI Environments [https://www.cisecurity.org/insights/blog/applying-controls-real-world-ai-environments?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast] * CIS Community Defense Model 2.0 [https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast] * The Conti Leaks: A Case of Cybercrime’s Commercialization [https://www.cisecurity.org/insights/blog/the-conti-leaks-a-case-of-cybercrimes-commercialization?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast] If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].

Episode 187: The Role of a CISO as a Strategic Storyteller

In episode 187 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager discuss how the role of a CISO functions as a strategic storyteller of cyber risk while keeping the bigger picture in mind. Here are some highlights from our episode: * 00:51. Framing the conversation around CISOs' efforts to communicate with the business * 02:01. Translation: A nuanced practice of simplifying the story while still telling the truth * 02:41. The need for a CISO to bridge their organization's respective "culture gap(s)" * 04:13. Collaborative and dictatorial: Two different ways CISOs talk to a business * 06:07. The work of translation in motivating and informing action around perceived risk * 07:03. Security sampling: A story from Tony that reminds CISOs of the bigger picture * 09:55. Fewer wizards and more mechanics: What the cybersecurity industry needs today * 12:20. Two factors to consider: Politicking and the need to provide an accessible narrative * 15:49. Rapport and tradecraft as two critical tools supporting the role of a CISO * 18:09. Technical competence as a prerequisite for confidence in risk conversations * 19:20. The false sense of security from relying on comparative data with competitors * 22:14. The CISO as a strategic storyteller who helps the business make decisions * 27:03. The need for machinery to constantly rediscover and recreate trust * 30:15. A call to action for Boards: Build vernacular in cybersecurity risk space * 35:03. CISO as a strategic storyteller vs. CISO as an enforcer Resources * CIS Critical Security Controls® [https://www.cisecurity.org/controls?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl] * CIS Community Defense Model 2.0 [https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl] * Episode 183: The Role of CISO in Supporting Risk Translation [https://www.cisecurity.org/insights/podcast/episode-183-the-role-of-ciso-in-supporting-risk-translation?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl] * Episode 166: Foundations of Actuarial Science in Cyber Risk [https://www.cisecurity.org/insights/podcast/episode-166-foundations-of-actuarial-science-in-cyber-risk?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl] * Episode 121: The Economics of Cybersecurity Decision-Making [https://www.cisecurity.org/insights/podcast/episode-121-the-economics-of-cybersecurity-decision-making?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl] * NICE Workforce Framework for Cybersecurity (NICE Framework) [https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center/nice-framework-current-versions] If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].

Episode 186: Strong Cyber Defense Starts with IT Operations

In episode 186 of Cybersecurity Where You Are, Tony Sager sits down with Tony Krzyzewski [https://nz.linkedin.com/in/tonykrz], a CIS Critical Security Controls® (CIS Controls®) Ambassador for the Center for Internet Security® (CIS®). Together, they discuss how strong cyber defense starts with the fundamentals of IT operations. Here are some highlights from our episode: * 00:45. Introductions to Tony Krzyzewski and his background * 02:19. Tony Krzyzewski's first interaction with the CIS Controls * 03:47. IT operations: The foundation that makes strong cyber defense possible * 06:20. How an increasingly connected world makes the CIS Controls essential to cybersecurity * 09:56. The need for operations people to realize they're part of the cybersecurity solution * 13:11. The use of Implementation Groups to reduce overload on IT and security teams * 16:52. How the CIS Controls differ from "umbrella frameworks" like NIST CSF and ISO 27001 * 18:25. CIS Controls mappings and how they help to simplify a surplus of good guidance * 20:35. How the CIS Controls support improvement programs and Board-level conversations * 25:38. Tony Krzyzewski's work in creating the CIS Controls Ambassador program * 27:02. Why a deep view of what's happening at CIS supports Tony Krzyzewski's efforts * 30:11. Growing international promotion of the CIS Controls and "doing the basics well" Resources * CIS Critical Security Controls® [https://www.cisecurity.org/controls?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl] * CIS Controls Ambassador Spotlight: Tony Krzyzewski [https://www.cisecurity.org/insights/blog/cis-controls-volunteer-spotlight-tony-krzyzewski?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl] * Episode 160: Championing SME Security with the CIS Controls [https://www.cisecurity.org/insights/podcast/episode-160-championing-sme-security-with-the-cis-controls?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl] * Episode 168: Institutionalizing Good Cybersecurity Ideas [https://www.cisecurity.org/insights/podcast/episode-168-institutionalizing-good-cybersecurity-ideas?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl] * Episode 172: Helping CISOs as a CIS Controls Ambassador [https://www.cisecurity.org/insights/podcast/episode-172-helping-cisos-as-a-cis-controls-ambassador?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl] * Episode 181: Supply and Demand of Cybersecurity Ecosystems [https://www.cisecurity.org/insights/podcast/episode-181-supply-and-demand-of-cybersecurity-ecosystems?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl] * Guide to Implementation Groups (IG): CIS Critical Security Controls v8.1 [https://www.cisecurity.org/insights/white-papers/guide-implementation-groups-ig-cis-critical-security-controls-v8-1?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl] * Reasonable Cybersecurity [https://www.cisecurity.org/topics/reasonable-cybersecurity?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl] * Mappings to Security Frameworks [https://www.cisecurity.org/controls/resources?crc=other-security-frameworks?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl] * Translations [https://www.cisecurity.org/controls/resources?crc=translations?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl] * Policy Templates [https://www.cisecurity.org/controls/policy-templates?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl] * Securing the AI Ecosystem Begins at the Model Layer [https://www.cisecurity.org/insights/blog/securing-ai-ecosystem-begins-model-layer?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_186-0506_podcast-rep_tl] If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].

Episode 185: AI Prompt Injection from a Risk Perspective

In episode 185 of Cybersecurity Where You Are, Sean Atkinson sits down with Brian Calkin [https://www.linkedin.com/in/brian-calkin], Chief Technology and Innovation Officer at the Center for Internet Security® (CIS®); Theodore "TJ" Sayers, Senior Director of Threat Intelligence at CIS; and Kyle Leonard, Cyber Threat Intelligence Analyst at CIS. Together, they use a risk perspective to discuss artificial intelligence (AI) prompt injection and how to defend against it. Here are some highlights from our episode: * 00:49. A definition of AI prompt injection for businesses and executives * 02:16. Brian on his role of guiding AI implementation at CIS * 03:12. Understanding the urgency surrounding AI prompt injection as a security risk * 05:32. Signals and trends indicative of threat actors attempting to weaponize prompt injection * 07:10. How AI prompt injection differs from traditional input validation vulnerabilities * 11:13. Early indicators that cyber threat intelligence (CTI) teams can monitor * 15:00. The need to treat AI as a new identity in any enterprise implementation strategy * 17:10. Understanding the difference: AI safety vs. AI security * 20:36. Foundational, practical AI security that extends across all sectors * 24:55. How CIS manages risk and supports the opportunity around the use of AI * 28:25. The long-term promise of AI-driven vulnerability discovery grounded in fundamentals * 34:48. Recommendations for piercing through the marketing hype surrounding AI Resources * Prompt Injections: The Inherent Threat to Generative AI [https://www.cisecurity.org/insights/white-papers/prompt-injections-the-inherent-threat-to-generative-ai?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_185-0429_podcast-rep_tl] * New CIS Report Warns Prompt Injection Attacks Pose Growing Risk to Generative AI [https://www.cisecurity.org/about-us/media/press-release/new-cis-report-warns-prompt-injection-attacks-pose-growing-risk-to-generative-ai?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_185-0429_podcast-rep_tl] * Episode 182: Striking a Balance on an AI Adoption Journey [https://www.cisecurity.org/insights/podcast/episode-182-striking-a-balance-on-an-ai-adoption-journey?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_185-0429_podcast-rep_tl] * Episode 120: How Contextual Awareness Drives AI Governance [https://www.cisecurity.org/insights/podcast/episode-120-how-contextual-awareness-drives-ai-governance?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_185-0429_podcast-rep_tl] * Mythos AI: What Actually Matters for Cybersecurity Leaders [https://www.cisecurity.org/insights/blog/mythos-ai-what-actually-matters-for-cybersecurity-leaders?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_185-0429_podcast-rep_tl] * Applying the CIS Controls to Real‑World AI Environments [https://www.cisecurity.org/insights/blog/applying-controls-real-world-ai-environments?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_185-0429_podcast-rep_tl] * An Examination of Generative AI and Physical Threat Planning [https://www.cisecurity.org/insights/white-papers/an-examination-of-generative-ai-and-physical-threat-planning?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_185-0429_podcast-rep_tl] * AI Playbooks for SLTT Cybersecurity Leaders [https://www.cisecurity.org/insights/white-papers/ai-playbooks-sltt-cybersecurity-leaders?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_185-0429_podcast-rep_tl] If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].

Episode 184: Cybersecurity Policy Development as a Journey

In episode 184 of Cybersecurity Where You Are, Sean Atkinson sits down with Brock Boggs, Director of Technology at Cityscape Schools and Multi-State Information Sharing and Analysis Center® (MS-ISAC®) member [https://www.cisecurity.org/ms-isac/collective-sltt-cyber-defense?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_184-0422_podcast-rep_tl]. Together, they discuss how Brock approaches cybersecurity policy development as a journey at his school. Here are some highlights from our episode: * 01:21. Brock's first attempt at drafting an IT security policy manual * 04:17. Fact or fiction? How the best "written" security program doesn't always translate * 06:35. A starting policy landscape of creating baselines for cybersecurity, ticketing, and more * 08:40. How Brock learned about a roadmap for his school at ISAC Annual Meeting 2023 * 11:07. Lean and to the point: The second draft of Brock's IT security policy manual * 12:37. The use of Center for Internet Security® (CIS®) policy templates to write procedures * 19:34. How Brock used regular updates about his policy manual to secure stakeholder buy-in * 28:42. Openness, willingness to fail, and adaptability as strengths of the community * 31:49. Approaching cybersecurity policy development as an ever-changing journey Resources * CIS Critical Security Controls® [https://www.cisecurity.org/controls?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_184-0422_podcast-rep_tl] * Policy Templates [https://www.cisecurity.org/controls/policy-templates?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_184-0422_podcast-rep_tl] * Formalizing K-12 Cybersecurity Policies in Less Time [https://www.cisecurity.org/insights/case-study/formalizing-k-12-cybersecurity-policies-in-less-time?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_184-0422_podcast-rep_tl] * Episode 163: K-12 Cybersecurity Made Practical [https://www.cisecurity.org/insights/podcast/episode-163-k-12-cybersecurity-made-practical?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_184-0422_podcast-rep_tl] * Episode 176: A Cybersecurity Journey of Incremental Wins [https://www.cisecurity.org/insights/podcast/episode-176-a-cybersecurity-journey-of-incremental-wins?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_184-0422_podcast-rep_tl] * Guide to Implementation Groups (IG): CIS Critical Security Controls v8.1 [https://www.cisecurity.org/insights/white-papers/guide-implementation-groups-ig-cis-critical-security-controls-v8-1?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_184-0422_podcast-rep_tl] * CIS SecureSuite® Membership [https://www.cisecurity.org/cis-securesuite?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_184-0422_podcast-rep_tl] If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].