The Cyber Business Podcast

Podcast by Matthew Connor

English

Business


About The Cyber Business Podcast

Welcome to The Cyber Business Podcast where we feature top founders and entrepreneurs and share their inspiring stories.

All episodes

215 episodes

Why the Credit Union Peer Network Is a Security Advantage Banks Cannot Buy with Nico Stein - Ep 217

Guest Introduction: Nico Stein [https://www.linkedin.com/in/nico-stein-34041711/] is the SVP of IT and Operations at Signal Financial Federal Credit Union [https://www.signalfinancialfcu.org/], a community-based, member-owned credit union headquartered in Maryland with branches across the DC and Virginia region. With more than 12 years at Signal Financial, he oversees everything from laptops to cybersecurity to the financial core, and has built a reputation in the credit union community for open knowledge sharing at a time when most financial institutions treat peer conversations as competitive risk. An Object First ACE and Cisco Champion, Nico brings a practitioner's skepticism and a community-first mindset to the challenges of defending a regulated financial institution on a budget that does not scale with the threat.

Here's a Glimpse of What You'll Learn

* Why Nico shifted Signal Financial's entire security posture from hoping ransomware would not happen to assuming it will and building around recovery speed
* How he made the case to a non-technical board using a single Washington Post headline framing that unlocked the budget he needed
* Why backups being the first target of every ransomware attack changes how you have to think about immutable storage strategy
* How AI-powered voice printing and stress detection in the call center is Signal Financial's frontline defense against voice phishing attacks targeting elderly members
* Why agentic AI and MCP servers are Nico's personal security nightmare and what he believes most organizations are not yet ready for
* Why the credit union peer network gives small and mid-sized financial institutions an intelligence advantage that banks structurally cannot replicate
* Why AI should be evaluated by the problem it solves rather than the token count someone purchased

In This Episode

Nico opens with a framing that cuts through a lot of the performative confidence that shows up in security conversations: he told his board directly that he cannot stop ransomware, and if he had figured out how to do that, he would be on an island drinking margaritas because he had found the holy grail. What he could do was shift Signal Financial's entire security posture from hope to assumption, build around recovery speed, and make the case for immutable storage by asking leadership to picture the alternative on the front page of the Washington Post. That framing worked. The immutable storage solution has been in place for more than a year, the RTOs and RPOs are being met, and Nico talks about it with the kind of quiet confidence that comes from having actually built something rather than having sold someone on a strategy. He also offers a considered acknowledgment that backups are now the first target of every ransomware attack, giving credit to the organizations who thought they had it handled and missed one thing. It is a more generous framing than most and more useful for the organizations listening.

The financial services threat section of this episode is where things get specific in a way that is rare on this podcast. Nico's members include elderly individuals who are being targeted with AI-generated voice cloning attacks where the caller sounds exactly like their grandson. That is not a network perimeter problem. It is a social engineering problem that lives at the intersection of AI capability and human vulnerability, and it is happening in Signal Financial's call center right now. His response is equally specific: voice printing systems that verify caller identity and detect stress indicators that may suggest someone is being coerced or lying when withdrawing large sums. He is direct that this is a vendor-dependent solution and that the vendors are starting to build the right tools. He is equally direct that the threat is outpacing awareness among members who have no reason to know that a call from their grandchild might not be their grandchild.

The back half of this episode is where Nico pulls back from the operational and gets into the questions that the security conversation usually avoids. Agentic AI and MCP servers are his stated personal nightmare from a security perspective, not because he cannot block them but because utilizing them securely in a way that keeps data where it belongs is a problem nobody has fully solved yet. His AI evaluation framework is the same one that has shown up across the best episodes in this season: start with the problem, ask whether AI actually solves it, and resist the pressure to spend tokens because someone bought a million of them and wants to see adoption numbers. What makes Nico's version land differently is the context he brings it from: a regulated financial institution with limited resources, a peer network that functions as a genuine intelligence advantage over banks, and 12 years of scar tissue that makes him appropriately skeptical of anything arriving in a vendor PowerPoint with AI in the title.

The Cyber Business Podcast
Brought to you by Cyberlynx [https://cyberlynx.com/]

25 May 2026 - 42 min

Deepfakes, Demos, and the Real Cost of a False Sense of Security with Chris Pacifico - Ep 216

Guest Introduction: Chris Pacifico [https://www.linkedin.com/in/chris-pacifico/] is the Director of IT at Rehab Medical [https://www.rehabmedical.com/], a durable medical equipment provider that gives people with mobility challenges access to everything from basic wheelchairs to advanced power chairs operated by eye movement. With a background spanning healthcare IT, technical writing, and hands-on security work, Chris brings a practitioner's perspective to AI adoption, budget-constrained security strategy, and the challenge of translating complex technical risk into language that moves a boardroom. He is a self-described cutting-edge advocate who draws a sharp line between staying current and bleeding out trying to keep up.

Here's a Glimpse of What You'll Learn

* Why Chris distinguishes between cutting-edge and bleeding-edge technology adoption and why that line matters more than ever with AI
* How he used a live email spoofing demonstration mid-meeting to make his infrastructure team believe what they thought was impossible
* Why he created a deepfake of the company president in 10 minutes and what happened when the president plugged in the flash drive
* How a Copilot permissions demonstration went from 8 requested licenses down to 4 issued, with only 3 given out
* Why tabletop exercises are the highest effort-to-value meeting any organization can hold, and how to get leadership in the room without triggering resistance
* Why machine learning is the undervalued engine inside the best security tools and why bolting an LLM onto an email product is a different problem entirely
* How Chris teaches prompt specificity using cookie dunking, dirty dishes, and a no-nonsense system prompt that HR would probably flag

In This Episode

Chris opens with a description of Rehab Medical that reframes what IT means in a mission-driven organization. The company provides mobility equipment to people who cannot move without it, including chairs that respond to eye direction alone. Chris is not on the front lines fitting those chairs, but he supports the people who are, and he carries that awareness into every security decision he makes. It shapes how he talks about risk, how he frames the budget conversation, and why he does not have much patience for security theater. When something actually matters to the people depending on it, the gap between a real defense and a false sense of security is not theoretical.

The two demonstrations Chris walks through in this episode are the kind of practitioner storytelling that earns credibility with any audience. The first happened in a meeting where his infrastructure team was explaining why email spoofing from their own domain was impossible. As they talked, Chris quietly sent one of them an email from himself, with the subject line "Yes I can." The point was not to embarrass anyone. It was to make the threat feel real before asking the team to defend against it. The second happened after a leadership meeting about integrating AI into the company's software platform. Chris went back to his desk, built a deepfake of the company president in roughly 10 minutes, loaded it onto a flash drive, and walked it upstairs. What he forgot was that the same flash drive held a USB drop test he had been running to see if anyone in the building would plug in a found device and open the files on it. The president plugged it in, saw a file labeled 2025 payroll report, and nearly clicked it. The deepfake and the payload test landed simultaneously, and the result was more security autonomy than any formal presentation would have produced.

The AI section of this episode is where Chris gets most direct about what he sees working and what he sees being oversold. He makes the machine learning versus LLM distinction clearly and without jargon, using Darktrace as the example of what genuine behavioral AI looks like in practice. He is equally candid about the Copilot demonstration he ran for leadership, where he used his own domain admin account to pull up three dozen documents that were not his, and used that moment to cut the requested license count in half without fully disclosing that he had elevated permissions. The lesson he draws is not about deception. It is about what it takes to make a permissions conversation land with someone who does not live in the infrastructure. His approach to teaching prompt specificity follows the same logic: skip the theory, make a mess with cookie dunking or dirty dishes instructions, and let the confusion do the teaching. The people who figure out why the instructions failed become the ones who write good prompts.

Check out the previous episode: AI Is Draining the Grid: Behind-the-Meter Power Solutions with Tony Uttley [https://cyberlynx.com/podcast/ai-is-draining-the-grid-behind-the-meter-power-solutions-with-tony-uttley-ep-215]

20 May 2026 - 54 min

AI Is Draining the Grid: Behind-the-Meter Power Solutions with Tony Uttley - Ep 215

Guest Introduction: Tony Uttley [https://www.linkedin.com/in/tony-uttley-8597667/] is the CEO of Enginuity Power Systems [https://enginuitypowersystems.com/], a behind-the-meter cogeneration company delivering combined heat and power solutions to hospitals, schools, farms, and multi-family housing facing the full force of America's coming energy crisis. An engineer by training, Tony spent a decade at NASA's Johnson Space Center, seven years at the Boston Consulting Group, and nearly 15 years at Honeywell, where he ran the residential business and helped found Quantinuum, the quantum computing company now approaching a $10 billion IPO. He brings that same first-principles problem-solving instinct to one of the most consequential infrastructure challenges the country has faced in a generation.

Here's a Glimpse of What You'll Learn

* Why 20 years of flat electricity demand left the US grid dangerously unprepared for the AI data center era
* How the country would need 80 to 120 new nuclear reactors worth of power in the next 4 years to meet demand, and why that is effectively impossible
* How a New York hospital system was ordered off the grid 5 times in one summer and what that meant for every patient scheduled for surgery those days
* Why Enginuity's combined heat and power systems can deliver payback windows as short as 11 months in some markets
* How a Northern Indiana dairy farm is turning cow waste into renewable natural gas to power its own operations and eliminate 15 micro blackouts a week
* Why Tony selects for humility above all else when building teams to go after problems that may actually be impossible
* Why AI is a national security issue and slowing it down is not an option regardless of the energy cost

In This Episode

Tony opens by tracing the energy crisis back to a decision that made complete sense for two decades and now looks like the setup to a very expensive problem. When electricity demand in the United States grew at an average compound rate of 0.17% for 20 years, nobody invested in new capacity. A $1,000 investment in grid infrastructure in 2005 would have returned $1,037 by 2025. No rational investor made that bet. Infrastructure aged, transmission lines went unbuilt, and electricity prices were kept artificially low by charging consumers only for the cost of producing power rather than the cost of replacing the assets generating it. That worked until it did not. Along came AI, and AI means data centers, and data centers mean 24/7 firm fixed capacity power demand at a scale the existing grid was never built to absorb. Tony is precise about the gap: the country needs somewhere between 80 and 120 gigawatts of power it does not currently produce in the next four years. One full-size nuclear reactor equals one gigawatt. The math is not encouraging, and he says so directly.

The examples Tony uses to make the crisis concrete are the ones that stay with you. A hospital system in New York with 15 facilities across Manhattan and Long Island was told by its utility to go on emergency power five times in a single summer. Each time that happened, every scheduled surgical procedure for the day was cancelled, because starting a new surgery requires two independent power sources, and when the grid goes down, emergency power alone does not qualify. Five times. Real patients sent home. That is what grid instability looks like when it hits a healthcare system already operating on tight margins. Separately, a developer with all permits in place for a new multi-family housing project was told by their utility it would be four to five years before power could be provided. These are not hypotheticals. They are the backdrop against which Tony is selling, and they explain why he says customer resistance has effectively disappeared. The numbers work now in a way they simply did not three or four years ago. In parts of the country where electricity costs $0.35 or more per kilowatt-hour, Enginuity's systems, which deliver all-in at $0.15 per kilowatt-hour including maintenance, produce payback windows that compress to 11 months in some markets.

The leadership conversation in this episode is as valuable as the energy one. Tony has spent his career going after problems with no playbook, from quantum computing to energy infrastructure, and he has developed a hiring philosophy built around a criterion that took him 20 years to consciously identify: humility. Not talent alone. Not raw intelligence. Humility. The high-ego geniuses who bounce everyone else against the wall as they walk down the hall may command respect, but they do not generate the sheer collective will that gets an organization four weeks from going out of business and back out the other side. Tony's model is to find the geniuses, sit on their shoulders, and build the commercial infrastructure around their capability. The ambition he sets for those teams is not calibrated to what seems achievable. At Quantinuum, project milestones were literally world records and firsts of their kind, with specific dates attached. He told teams to aim at the world record line and jump as hard as they could. Missing by two months while doing something that had never been done was, in his framing, an unqualified success. That philosophy is now being applied to a 20-year infrastructure problem with no single solution and no finish line.

18 May 2026 - 51 min

Why Silence After a Breach Helps the Hackers with Scott Dickinson - Ep 214

Guest Introduction: Scott Dickinson is the first-ever CISO at AnMed Health, a not-for-profit hospital system in Anderson, SC with three main hospitals and a growing network of emergency care facilities. He brings a career spanning military intelligence, the FBI, the Department of Commerce, the Department of Defense, and multiple state agencies to one of the most high-stakes environments in cybersecurity. His background in intelligence gives him a rare and direct line into how adversaries think, and he applies that perspective every day to the mission of protecting patients and the systems that keep them alive.

Here's a Glimpse of What You'll Learn

* What it means to be an organization's first-ever CISO and how Scott approached building a security program from the ground up at AnMed Health
* Why Scott draws a direct line between his military intelligence background and how he approaches threat modeling in healthcare
* Why machine learning is fundamentally different from bolting an LLM onto a legacy product and what that distinction means for how security tools should be evaluated
* How the cybercrime economy has changed in six years and why rented ransomware has lowered the barrier to entry to nearly zero
* Why Scott believes the security community needs to shift from disclosure of what happened to disclosure of how it happened and what others can do to prevent it
* How Scott thinks about building personal resilience as a CISO and why being battle-tested is now seen as a qualification rather than a liability
* Why AI-powered critical thinking atrophy is one of the most underappreciated risks of widespread AI adoption, and what leaders should be doing about it

In This Episode

Scott opens with something that does not come up often enough in these conversations: the emotional dimension of the work. He chose to come into healthcare specifically because he does not want attackers picking on sick people. The framing is simple and it is genuine. Hackers are bullies. Hospitals are targets. People have died because of cyberattacks on healthcare facilities, and he intends to be in the way. That motivation runs underneath everything else he says in this episode and gives his technical arguments a weight that purely strategic conversations rarely carry. He also brings something most CISOs cannot: a decade in military intelligence and direct experience working alongside the FBI, Department of Defense, and Department of Commerce. He does not just understand how defenders think. He understands how attackers think, which is a different skill entirely and one he applies every day at AnMed.

The most practically useful section of this episode is Scott's argument about what the security community owes each other after a breach. He is direct: the stigma around disclosure is helping the attackers. When an organization gets hit and goes quiet to manage the reputational damage, it withholds exactly the information that could allow every other organization to close the same door before the attackers find it. Scott's position is not that organizations should be reckless with sensitive information. It is that the focus of disclosure has to shift from what was exposed to how it happened and what others should do right now to protect themselves. He makes a pointed analogy to community resilience more broadly, drawing on a personal story about a neighbor who pulled a truck off him without stopping to weigh the legal liability. That instinct to help rather than hesitate is what he wants to see from the security community.

Scott closes with the AI argument that most vendors are not making loudly enough because it is uncomfortable for them: the danger is not just that AI can be weaponized by attackers, it is that over-reliance on AI erodes the critical thinking that defenders need most when things go wrong. He uses his own SOC as a concrete example. When he introduced an AI-powered email security product, he did not let it run silently. He showed his analysts exactly what the tool was flagging and why, teaching them to think the same way so that the tool was developing their judgment rather than replacing it. That is the model he argues the industry needs to internalize before AI becomes a liability masquerading as a defense.

14 May 2026 - 37 min

Breaking Things on Purpose: An Honest Take on AI Readiness and Leadership with Shawn Hamm - Ep 213

Guest Introduction: Shawn Hamm is a cybersecurity leader with three decades of IT experience who is currently making the deliberate move from Director of Cybersecurity into the CIO seat. With a background spanning hands-on technical work, consulting, security leadership, and hiring, he brings a practitioner's perspective to both the technology and the human side of organizational leadership. His work today focuses on building AI-ready teams, driving adoption from the ground up, and creating environments where the full range of talent in the room has a genuine opportunity to excel.

Here's a Glimpse of What You'll Learn

* Why Shawn sees the transition from cybersecurity director to CIO as a natural evolution rather than a departure from his roots, and what made him take the leap
* How deploying open source AI on his own hardware at home, and breaking it repeatedly, taught him things no training course would
* Why a colleague he expected to be the email guy turned out to have 32 active agents running his entire workday, and what that story reveals about who actually leads AI adoption
* Why the Microsoft Copilot internal study found that only 15% of users became power users, and why the differentiator was people skills rather than technical skills
* How Shawn is building an internal AI council and monthly agent showcase to spread adoption organically across his organization
* Why the genie in the lamp analogy is the most honest explanation of how agentic AI actually works and where most people go wrong with it
* What the women in tech conversation looks like from the perspective of two fathers of daughters in the industry, and why Shawn believes the fix starts with raising the standards for young men

In This Episode

Shawn opens with a refreshingly honest framing of his own transition. Moving from cybersecurity director to CIO was not a pivot away from what he knows, it was the next seat at the table, with broader authority and broader responsibility. He acknowledges that the jump can feel intimidating for security professionals who have spent years becoming deeply competent in their lane, but his approach is consistent with how he handles everything: start with a solid foundation, do not rush the advanced stuff until you understand the basics, and treat failure as a data point rather than a verdict. That philosophy runs through every part of this episode and gives it a coherence that is rare when a conversation covers as much ground as this one does.

The most memorable story Shawn tells is the one he did not expect to tell. He decided to inventory how people in his organization were actually using the Copilot licenses they already had. He made phone calls, asked questions, and mostly found people using it for email. Then he got to a colleague he had already written off as the email guy, a bit older, not exactly a technology enthusiast by reputation. That man had 32 agents running, had worked through every level of the Microsoft training curriculum from beginner to developer, and was receiving a morning briefing PDF in his inbox by 6:00 AM every day summarizing everything he needed to know to start work. Shawn tells that story with the kind of genuine surprise that lands because it is clearly real. It also sets up his broader argument: AI adoption at the enterprise level is not being led by the people you expect, and the skill driving results is not technical fluency, it is the managerial ability to onboard a new tool the same way you would onboard a new employee. The Microsoft internal study on Copilot proved exactly that. Only 15% of users at a technology company became sustained power users, and the common thread was not their technical background. It was that they treated the tool like an intern, took time to explain the context, the job, and the expectations, and let it get better over time.

The women in technology conversation that takes up the back half of this episode deserves its own mention because it does not happen from the usual angle. Shawn and the host approach it as two fathers of daughters who are going into tech, which grounds the conversation in something personal before it becomes systemic. Shawn is direct that the problem is not women needing to do more. The system is not set up to provide an equal playing field, and the organizations still fighting with one arm tied behind their back because they are not drawing on the full talent available to them are making a strategic mistake. He has built a team where 30% of the IT technical staff is female, he actively targets his nieces for tech conversations, and he talks about Girls Who Code with the kind of firsthand familiarity that comes from a daughter who attended the program. What makes this section work is that Shawn keeps the focus exactly where he says it belongs: not on how women can adapt to a broken system, but on what the men in the room need to do differently.

11 May 2026 - 55 min