The Lock & Key Lounge — An ArmorText Original Podcast

Podcast #31 All Tools, No People: Cybersecurity Is Missing The Boring Human Investment

OT security spending is at an all-time high, yet all these tools do is fill the “do we have X product” hole if the organization isn't investing in a human-driven aggregation layer to curate and make decisions based on the telemetry and data pouring out of them. Danielle Jablanski has examined this problem from a rare intersection of vantage points: as a strategist working with asset owners at Nozomi Networks, as a leader of OT strategy inside CISA's Office of the Technical Director, and now as the OT cybersecurity consulting program lead at STV, an infrastructure-focused firm building security in from the start rather than bolting it on. She joins Matt Calligan to explain why treating cybersecurity as a technology problem instead of a people problem is dangerous in environments where the stakes couldn’t be higher - where failure doesn’t just interrupt data or access, it stops water, electricity, and the systems society runs on.

Podcast #30 Faster Than Human

Anthropic's Project Glasswing used a restricted AI model to surface over ten thousand high-severity vulnerabilities across more than a thousand open-source projects. The 2026 Verizon DBIR tells us vulnerability exploitation just became the number one initial access vector for breaches—up 55% in a single year. Only 26% of critical vulnerabilities were fully remediated last year, down from 38% the year before. Median time to resolution: 43 days, up from 32. That was the pre-Glasswing baseline—before AI-scale discovery even entered the equation. Tim Chase, Program Director at MFG-ISAC, and Brian Geffert, VP of Cyber Defense at 3M and former Global CISO at KPMG International, join Matt Calligan to confront what this means for an industry that has heavy OT interconnection, no regulatory floor equivalent to NERC CIP, and a security culture that has outsourced too much to tools that are now becoming the attack surface themselves.

Podcast #29 The Structures That Hold

Building Governance that Holds Because the Mission Demands It—Not Because Anyone Required It We have spent years in this industry talking about who belongs in the room—the board table, the executive suite, the security leadership track. What we have talked about far less is what it actually takes to get there, and whether the commitments organizations have made to broadening who leads are holding when the environment makes it easier to let them quietly lapse. Jameeka Green Aaron has operated at both levels simultaneously: as the CISO responsible for making security governance work inside a global digital health company serving millions of members, and as a board member whose job was to ask the harder questions about whether the organization was doing what it said it would. In this conversation with Navroop Mitter—recorded just one day after her move to Emerson Collective—Jameeka traces the arc from the South Side of Stockton to Black Hat MEA in Saudi Arabia, names the structural conditions that have kept the pipeline too thin for too long, and explains what it actually took to build AI governance at Headspace that held because people's wellbeing demanded it—not because regulation required it.

Podcast #28 196 Countries, One CISO

Most security leaders spend their careers building programs in the private sector—strong compensation, clear organizational lines, and at least some degree of control over the stakeholder map. Occasionally, someone makes a different call. Bjørn Watne left senior CISO roles at Telenor and Storebrand—two of Scandinavia's most recognized institutions—to take on one of the most complex security mandates on the planet: Global CISO of INTERPOL, the international law enforcement organization supporting 196 member nations in the fight against transnational crime. In this conversation with Navroop Mitter, Bjørn explores what that decision looked like up close—the mission that drew him in, the trade-offs he accepted, and what you learn about security leadership when your stakeholder map includes sovereign governments that may not always see eye to eye, some of whom are actively sanctioning each other.

Podcast #27 Grid Resiliency: It Must Be A Bottoms Up Approach

When we talk about securing the electric grid, the conversation usually focuses on preventing outages or protecting the biggest, most visible assets like large power plants, transmission lines, and control centers. But operators know the harder problem is not knocking the grid down; it’s bringing it back up. Grid recovery depends on a fragile chain of smaller substations, control systems, communications links, and auxiliary components that must come online in a precise sequence. Increasingly, those overlooked components are now becoming the real targets.  Rob Lee, co-founder and CEO of Dragos, joins Matt Calligan to explain how adversaries think about recovery denial, why attacking the smallest parts of the grid can stop the biggest ones from ever coming back online, and what it means that state actors are now transferring operational knowledge to non-state actors who are already causing physical process