Absolutely Critical

Already Inside The House: How Nation-States Weaponize Your Enterprise Tools

1 h 8 min · 30 Apr 2026

Description

Attackers don't need sophisticated malware when they can turn your own management tools into weapons. In this special episode of Absolutely Critical, host Lee Mangold sits down with Dave Gordon, Senior Threat Intelligence Specialist, and Andrea Schaumann-Phillips, Director of Federal Engagement at Fortress, to walk through the Q1 2026 threat intelligence brief covering 157 critical incidents targeting US critical infrastructure supply chains. Iranian group Handala compromised one Microsoft Intune administrator credential at Stryker, then executed a single remote wipe command across 200,000 systems in 79 countries. No ransomware. Just operational obliteration. TeamTCP poisoned Trivy and Checkmarx, security scanners trusted by developers worldwide, harvesting cloud credentials from 10,000 organizations. Chinese actors maintained a six-month dwell inside Notepad++'s update infrastructure. Russian actors deployed wiperware against Poland's renewable energy HMIs during snowstorms. Volt Typhoon continues patient pre-positioning inside Midwest utilities. This isn't theoretical. It's operational. What does Monday morning look like when your vendor becomes your entry point?

In this episode, you'll learn more about:

* The One-Click Obliteration: How compromising a single management console enables simultaneous destruction across global infrastructure—and why Stryker couldn't prevent 200,000 devices from going offline.
* The Pipeline Poisoning Pattern: Why TeamTCP's attack on Trivy and Checkmarx turned DevSecOps security scanners into credential harvesting machines.
* The Surgical Supply Chain Strike: How Chinese actors maintained six-month access inside Notepad++ to surgically target telecoms and financial institutions.
* Pre-Positioning for Kinetic Conflict: What Volt Typhoon's years-long dwell inside US utilities reveals about nation-state intent.
* When Recovery Infrastructure Becomes the Target: Why Iranian actors attack backup systems alongside production environments.

This podcast is for: CISOs, GRC professionals, and security leaders responsible for protecting critical infrastructure and human capital against evolving AI-driven threats.

Learn More About Fortress: https://www.fortressinfosec.com/
Connect With Lee: https://www.linkedin.com/in/leemangold/
Connect With Dave Gordon: https://www.linkedin.com/in/dago858951118/
Connect With Andrea Schaumann-Phillips: https://www.linkedin.com/in/alsgl/


All episodes

5 episodes


Don't Eat the Whale: How to Build a Third-Party Risk Program That Scales

There's no shortage of frameworks telling organizations what to do about third-party and supply chain risk. What they don't have is a program. In this episode of Absolutely Critical, host Lee Mangold sits down with Jeffrey Sweet, a 35-year risk management veteran, former Security Director at American Electric Power, and founder of Resolute Cybersecurity Strategies, to talk about the hard work that lives between the executive briefing and the team that has to make it run. Jeffrey built and scaled TPRM from scratch at one of the largest utilities in the country, managing risk across more than 24,000 vendors. He and Lee dig into why most programs stall at the questionnaire stage, what it actually takes to get procurement and legal working with you instead of against you, and how to build a tiering system that focuses your limited resources on the vendors that can genuinely take you down. Get it wrong and you're not just failing an audit. You're leaving the door open for the next SolarWinds.

You'll learn more about:

* The Questionnaire Trap: Why collecting answers isn't the same as running a program and what validation, continuous monitoring, and contract accountability actually look like.
* The 24,000-Vendor Problem: How to tier vendors by risk so you're spending your limited resources on the vendors that can actually hurt you.
* Too Big to Assess: What to do when your largest vendors, the Microsofts and Oracles of the world, simply won't respond to your requests.
* The FOCI Dashboard: How surfacing foreign ownership, control, and involvement data turned procurement from a roadblock into an ally.
* Don't Eat the Whale: Jeffrey's sequenced approach to building a mature program over time, starting with contract language, then questionnaires, then continuous monitoring, then SBOMs, and why trying to do it all at once guarantees failure.

This podcast is for: CISOs, GRC professionals, and security leaders responsible for protecting critical infrastructure and human capital against evolving AI-driven threats.

Learn More About Fortress: https://www.fortressinfosec.com/
Connect With Lee: https://www.linkedin.com/in/leemangold/
Connect With Jeffrey Sweet: https://www.linkedin.com/in/jeffrey-sweet-resolute/ (also listed as https://www.linkedin.com/in/jeffreysweet/)

27 May 2026 · 35 min

Already Inside The House: How Nation-States Weaponize Your Enterprise Tools

30 Apr 2026 · 1 h 8 min

When Risk Stops Being Red and Starts Being Real: Escaping Crayon‑Level Risk Models in High‑Stakes Environments

In this episode of the Absolutely Critical podcast, host Lee Mangold explores the often-avoided world of risk management with David White, Co-founder of Axio. While many organizations treat risk as a mere checkbox for auditors, David argues it must be a repeatable "machine" that drives executive decisions. They dive into the limitations of qualitative 5x5 matrices, often called the "lighter shade of red" problem, and explain why CISOs must adopt the language of finance to successfully compete for budget. The conversation highlights practical strategies for simplifying quantification, avoiding the trap of "risk register bloat," and understanding the true meaning of financial resilience. David also shares a simple, high-impact method to start quantifying risk today without a massive budget or complex tools. Whether you are a CISO or a security practitioner, this episode provides the framework to move your program from guesswork to grounded financial insights.

You'll learn more about:

1. The Language of Business: Why "red" risks fail in boardrooms and how to translate security threats into dollar amounts.
2. Quantification Simplified: How to focus on "good enough" data for decision-making rather than pursuing unnecessary decimal-point precision.
3. The 15-Slot Rule: Strategies for managing risk register bloat by making every entry "earn its space".
4. Vulnerability vs. Risk: Defining the critical difference between a technical system weakness and a business impact.
5. The Tabletop Tally: A practical method to calculate actual event costs during your next security drill.

This podcast is for: CISOs, GRC professionals, and security leaders responsible for protecting critical infrastructure and human capital against evolving AI-driven threats.

Learn More About Fortress: https://www.fortressinfosec.com/
Connect With Lee: https://www.linkedin.com/in/leemangold/
Connect With David: https://www.linkedin.com/in/dwhite-axio/

25 Mar 2026 · 36 min

The Hidden Cost of Deepfakes: How AI Impersonation Disrupts Organizations

The AI revolution has arrived, and the primary target isn't your software, it's your human instincts. In this episode of Absolutely Critical, host Lee Mangold sits down with 25-year cybersecurity veteran James McQuiggan to explore the high-stakes world of AI-driven social engineering. They break down the "wake-up call" story of a global organization that lost $25 million to a deepfake video call and discuss how attackers clone a voice with just 10 seconds of audio. James also provides a framework for defense, from implementing family "code words" to leveraging AI in GRC (Governance, Risk, and Compliance) without losing human oversight.

You'll learn more about:

1. The Human Vulnerability: Why attackers prioritize "soft targets" over zero-day exploits.
2. The $25M Deepfake: Anatomy of a multi-layered impersonation attack.
3. AI in Governance: Using generative AI to baseline policies and automate audit prep.
4. Polite Paranoia: Practical strategies to verify identity in a synthetic world.

This podcast is for: CISOs, GRC professionals, and security leaders responsible for protecting critical infrastructure and human capital against evolving AI-driven threats.

Learn More About Fortress: https://www.fortressinfosec.com/
Connect With Lee: https://www.linkedin.com/in/leemangold/
Connect With James: https://www.linkedin.com/in/jmcquiggan/

25 Feb 2026 · 30 min