The Economics of Cybercrime and the AI Strategy Behind Getty with Isaac Straley - Ep 224

The Economics of Cybercrime and the AI Strategy Behind Getty with Isaac Straley - Ep 224

Guest Introduction: Isaac Straley [https://www.linkedin.com/in/isaac-straley/] is the CISO of the J. Paul Getty Trust [https://www.getty.edu/], one of the world's most significant cultural institutions, encompassing two museums in Los Angeles, a deep academic research library and scholarship program, a scientific conservation laboratory, and a global philanthropic grant-making foundation. Two months into his fourth CISO role, Isaac brings a career spent almost entirely in public sector and nonprofit organizations, including three prior stints as CISO at public research universities, to an institution that is increasingly a target in a sector that has historically underinvested in cybersecurity. He also holds responsibility for Getty's enterprise-wide AI strategy, making him one of the few guests this podcast has featured who is simultaneously building the offensive and defensive AI posture for the same organization. Here's a Glimpse of What You'll Learn * Why museums, libraries, and cultural institutions are now active targets and how recent attacks on the Seattle Library, Toronto Library, and British Museum changed the conversation * Why Isaac frames cybersecurity almost exclusively through an economics and business lens and what that means for how he prioritizes risk at Getty * Why patch management is the encyclopedia of security strategy and what has to replace it in an era of machine-speed vulnerability discovery * Why the NIST CSF 2.0's three response-oriented functions are more important than its two prevention-oriented ones and why the field has been signaling this for years * How observability pipelines rather than prevention controls are the architecture that makes AI-age security actually work * Why Isaac advises every aspiring security professional to go learn something else first and why that advice is more relevant in the AI era than it has ever been * Why measuring a SOC analyst on how many threats they found is the wrong metric and what he is replacing it with In This Episode Isaac opens by making the case, with genuine conviction, that the J. Paul Getty Trust needs a CISO and not merely an IT security director. The argument is stronger than it initially sounds. Getty is not just a tourist destination hosting a million and a half visitors a year across two museums in Los Angeles. It runs a digital archive of another million and a half physical pieces being built into a publicly accessible, API-enabled collection. Its conservation institute does leading-edge materials science research on how to preserve degrading plastics, oils, and stone. Its foundation funds cultural heritage organizations globally and distributes open source software, including a heritage data management platform used for archaeological dig sites. And all of it sits in a sector that, as Isaac notes directly, has not had the investment and focus it needs, evidenced by recent ransomware attacks on the Seattle Public Library, the Toronto Public Library, and the British Museum. That context is what makes his framing of the threat so useful: he thinks about attacks almost exclusively from an economics standpoint. Attackers are running supply chains with HR departments. Their KPIs are not calibrated to spare hospitals or museums. The question is simply whether a vulnerability exists and whether it can be exploited, and the answer is almost always yes and yes. The security architecture argument Isaac makes in this episode is the one that most challenges how the field has historically measured itself. Prevention and protection matter, he acknowledges, and there is a legal and ethical obligation to maintain basic hygiene. But NIST CSF 2.0 already signals where the weight should be: three of its five core functions are on the response side, detect, respond, and recover. The discipline has been pointing at this for years. What is new is that the AI age makes it structurally unavoidable. Organizations are no longer building controlled infrastructure with thoughtful design and hardened controls baked in. They are building platforms for people to create things nobody anticipated, and those platforms cannot be protected through prevention alone. What they can be protected through is observability, building trace data pipelines that capture what is happening across every system in real time, feeding that data to machine learning that understands what normal looks like, and escalating anomalies to a human before the damage compounds. Isaac is specific that this is not just a security strategy. It is a virtuous loop, because the same observability infrastructure that makes security possible also gives builders better feedback on whether their systems are working. Security and functionality, aligned by design rather than in opposition. The talent and leadership section of this episode is where Isaac is most candid about what he has learned the hard way. His standard advice to students asking how to break into cybersecurity is to go learn something else first: a business process, a technology, where it breaks, what controls feel like from the inside. The cybersecurity skills can be taught. The business knowledge and architecture intuition cannot be shortcut. In the AI era, that advice becomes more urgent, not less, because the organizations that will use AI well are the ones whose people can ask good questions of it. The 85% of Microsoft employees who stopped using Copilot after 90 days went straight to demanding outputs without context. The 15% who became power users treated it the way you treat a new hire who needs to learn the job. Isaac extends that into a leadership obligation: if AI is going to do the routine rote work, then the measure of a SOC analyst's success should not be how many threats they found. It should be how much they improved the observability pipeline from what they learned. That shift in measurement is what allows organizations to ride the wave of AI capability rather than be made redundant by it. This episode is brought to you by Cyberlynx [https://cyberlynx.com/]

No Longer Exploratory: Building AI Governance for K12 with Desmond Grant - Ep 223

Guest Introduction: Desmond Grant [https://www.linkedin.com/in/reevolve/] is the CIO of Littleton Public Schools [https://www.littletonpublicschools.net/], a high-performing school district located approximately 15 minutes southwest of the Denver metro area and recognized across Colorado and the nation for its academic outcomes. In his second year as CIO, Desmond oversees technology strategy, cybersecurity, and data governance for a district navigating the same funding pressures, enrollment declines, and AI adoption challenges facing public education nationwide. He brings a practitioner's perspective to every conversation about technology in schools, grounded in a conviction that the decisions made right now about AI literacy will shape a generation. Here's a Glimpse of What You'll Learn * Why Desmond says we are no longer in the exploratory phase of AI and what the shift to intentional use actually requires of school districts * Why his district adopted the principle that it is not about being pro AI or anti AI but about being AI literate and why that reframe changes every conversation * How Littleton built an AI task force including staff, educators, students, and leaders to produce a framework being released at the start of the 2026 to 2027 school year * Why data privacy agreements and data governance have to come before any organization can responsibly give AI access to its data * How Desmond is crowdsourcing cybersecurity expertise internally across every domain on his team without the budget to hire dedicated security staff * Why machine learning is the unsung hero of the AI security battle and why the MGM breach is the clearest example of what it would have stopped * Why a prominent AI researcher's claim that AI will be more significant than electricity, including more significant than the Internet, is now getting a much larger show of hands in Desmond's presentations In This Episode Desmond opens with a budget reality that shapes everything else he says in this episode. Littleton Public Schools is funded primarily on a per-pupil basis, enrollment is declining across the state and the country, and Colorado's state deficit is creating competition for the same limited dollars between Medicaid, K12, and every other public obligation. In that environment, being a high-performing district does not guarantee resources. It just means the expectations are higher. Desmond's response to that constraint is practical and creative: he is exploring cell tower and colocation partnerships as revenue streams, building a crowdsourced internal security team across every technology domain on his staff, and pursuing a managed security service provider relationship that gives him access to a bench of specialists, including data privacy experts and penetration testers, without the cost of hiring them full time. The framing he uses throughout is the same: when the pot is limited, you get creative about what else is in the room. The AI governance section of this episode is where Desmond is most candid about what the past year taught him. He felt at the start of his tenure that there was time to develop policy thoughtfully. Twelve months later he looked up and said they were behind. That experience produced one of the most direct and repeatable lines in the episode: we are no longer in the exploratory phase of AI. The district has moved past that point. The response was an AI task force that brought together staff, educators, non-educators, leaders, and students to build a framework organized around four pillars: cybersecurity and data privacy, teaching and learning integration, policy and ethics, and the principle that there must always be a human in the loop. The framework was presented to district leaders and the Board of Education and is being released at the start of the 2026 to 2027 school year. The principle Desmond has adopted as his north star for all of it: it is not whether you are pro AI or anti AI. It is whether you are AI literate. You may feel any way you want about it, but if you are at least informed, you can justify your thinking and your reasoning. That framing has changed how he runs every stakeholder conversation about AI in the district. The security conversation in this episode is where Desmond and the host find the most alignment and the most productive friction. Desmond makes the machine learning versus LLM distinction in terms that are as clear as any guest this season. Machine learning is not consuming your data and running as an agent. It is asking one question on a continuous loop: is this normal? Adobe encrypting a file it does not normally encrypt. Desmond sending emails at 3:00 AM in a voice that does not sound like him. A new admin account doing things on day one that no other admin does. These are the signals machine learning catches at machine speed, stops, and escalates to a human. That is the model Desmond believes wins the security battle, not blocking everything off, not patching faster, not adding another SIEM or EDR layer, but having a system that sees abnormal behavior across every surface and calls for an adult before the damage is done. The MGM breach, he argues, is the clearest proof of what that would have meant in practice: a new admin account running behaviors no established admin ran, on day one, and no system flagging it as abnormal. Machine learning would have caught it. Nothing else would have. This episode is brought to you by Cyberlynx [https://cyberlynx.com/podcast]

Building the School of the Future in Kansas with Rob Dickson - Ep 222

Guest Introduction: Rob Dickson [https://www.linkedin.com/in/showmerob/] is the CIO of Wichita Public Schools [https://www.usd259.org/], the largest school district in Kansas, serving just under 50,000 students across 87 schools and programs throughout the Wichita metro area. In a role that spans both operational and instructional technology, Rob oversees cybersecurity and infrastructure alongside a portfolio of forward-looking educational initiatives that includes a public micro school, an immersive coding program, a hub for advanced cybersecurity and machine learning education built in partnership with Wichita State University, and a summer STEM camp serving 800 middle school students. He brings a career that started in the U.S. Air Force and spans 27 years in education technology to one of the most ambitious public school technology programs in the country. Here's a Glimpse of What You'll Learn * How Wichita Public Schools built Future Ready Centers where students learn advanced manufacturing, BioMed, and cybersecurity in environments that look nothing like classrooms * Why Rob draws a sharp line between productive struggle and cognitive offload, and why getting that balance right is the most important AI challenge in education today * How AI-powered tabletop exercises running on continuous improvement cycles are changing how Rob's team builds and tests its security posture * Why 900 job applicants for a single data analyst position turned out to be a social engineering threat vector and what Rob did about it * Why Rob is hiring students from WSU Tech to do real cybersecurity work and refresh 45,000 devices this summer * Why skills now have life cycles measured in years rather than careers, and what that means for how schools and post-secondary institutions need to rethink what they teach * Why the superintendent who gives his team room to take risks is the most important ingredient in everything Wichita is building In This Episode Rob opens with a description of Wichita Public Schools that reframes what a public school district can look like when leadership decides to build toward industry outcomes rather than test scores. The Future Ready Centers are not classrooms. The advanced manufacturing center teaches students to build planes. The Hack, the new hub for advanced computer knowledge built in partnership with Wichita State University, teaches cybersecurity and machine learning as extensions of computer science, with data science on the way. The micro school called Creative Minds runs on a 2.5-hour instruction model with the rest of the day in project-based learning organized around a year-long theme. This year it was animal conservation. Last year it was food preservation, culminating in a dinner and a show. Rob is explicit that none of this exists without the relationships that came first: with WSU Tech, with Wichita State, with local industry, and with the state Department of Education that had to understand what a school day that does not look like a school day actually is before it could be approved. The AI and education section of this episode is where Rob makes his most intellectually precise argument. Cognitive offload is real and useful. He does it himself every day to get through the work. But productive struggle cannot be outsourced because the wisdom that comes from working through a hard problem is not transferable. AI can help a student produce an output, but it cannot understand the material from the student's lens, bias, and perspective. That understanding only develops through the struggle, and once it exists, it is what makes a person capable of evaluating AI's outputs rather than simply accepting them. Rob draws the through-line to agentic AI directly: when you build an AI agent, you have to decompose a task to its root level and make it highly verifiable. If the task is not verifiable, subjectiveness enters the picture. And subjectiveness requires wisdom. And wisdom only comes from the productive struggle that most shortcuts are trying to skip. It is one of the more complete and practically grounded arguments for teaching children how to think before teaching them how to use AI that this podcast has featured. The security section of this episode delivers two concrete and specific examples that most IT leaders outside of education will not have heard before. The first is the 900-applicant problem: Rob posted a data analyst position and received over 900 applications. When his team began vetting them, a significant number were not real people. They were social engineering attempts to get an insider into the district's systems with access to student data. The second is the continuous improvement tabletop model, where instead of scheduling the annual March tabletop exercise and calling it done, Rob's team runs scenarios through AI, posts the results, and uses the memory the system has built to push the next scenario further. The result is a security posture that improves continuously rather than in once-a-year snapshots. Both examples reflect the same underlying principle: the threat environment in a school district is as complex as any enterprise, and the organizations that survive are the ones that treat security as a process rather than an event. This episode is brought to you by Cyberlynx [https://cyberlynx.com/]

From 45-Year Mainframe to AI Campus: Loyola's CIO on What Works with Alan Schomaker - Ep 221

Guest Introduction Alan Schomaker is the CIO of Loyola University New Orleans, a Jesuit-based institution of approximately 5,000 students that includes a law school and sits on the Gulf Coast as one of four Loyola universities across the country. Five years into his tenure, Alan has led one of the more dramatic technology transformations in higher education, taking the university off a 45-year-old mainframe system and into a cloud-based infrastructure, navigating a hurricane mid-implementation, and now building an AI adoption culture that encourages faculty and staff to solve their own problems rather than wait for IT to do it for them. Here's a Glimpse of What You'll Learn * How Alan led Loyola through a mainframe-to-cloud migration while a hurricane shut down operations mid-implementation * Why ghost students powered by AI agents are committing financial aid fraud at universities across the country and how Alan's team is detecting them * Why locking down AI to a single approved tool is short-sighted and what Alan is doing instead to prevent shadow AI from taking root on campus * How a new registrar used ChatGPT to solve in 16 hours a workflow problem that IT had been unable to crack for a year * How that same registrar then built an AI scheduling tool that reduced a week-long whiteboard process to 10 minutes * Why AI writes better SQL than most database administrators and what that means for how technical staff should be thinking about their role * Why teaching students how to use AI is the same obligation universities have always had with every other powerful tool In This Episode Alan's first five years at Loyola University New Orleans read like a case study in change management under pressure. He inherited a 45-year-old mainframe that some staff still describe as the greatest system ever built, navigated the cultural resistance of moving business processes back to the departments that own them, and did it all while a hurricane shut the campus down for a month in the middle of the implementation. The technical migration was the easy part. Getting people to accept that having more control over their own systems was a benefit rather than a burden was the harder work, and Alan is candid that it is still ongoing. What that experience built in him is a clear instinct about where the real friction in technology adoption lives, and it is almost never in the technology. The ghost student problem Alan describes is one of the most specific and underreported AI threat vectors this podcast has covered. AI agents are being deployed to enroll as fake students in online programs, submit falsified identification documents, collect financial aid and Pell Grant money, and disappear. Alan knows it is not unique to Loyola because he has compared notes with CIOs at other universities and found it spreading. The tell that cracked it open at Loyola was an address verification check that started returning properties actively listed for sale on Zillow. That single data point revealed the fraudulent enrollment pattern and prompted a broader vetting process that now correlates IP location, phone verification, SSN identification, and address data before admissions decisions are made. It is a practical, layered response to a threat that most institutions have not yet acknowledged publicly. The two stories Alan tells about his new registrar are the best argument for democratized AI problem-solving this podcast has captured in a single episode. The first: a grade change workflow that had defeated IT for a year, attempted through the ERP's native tools, abandoned at 80% completion, and then solved by the registrar in 16 total hours using ChatGPT to build a Google Form with scripting, a logging sheet, automated email routing, an approve-deny button for the associate dean, and a two-day reminder trigger. Simple, elegant, and built by the person who understood the process because he lives it. The second: a class scheduling tool that replaced a week of whiteboard and Post-it note work with a 10-minute automated output, complete with a shareable dashboard for the facilities team to assess building impact before scheduling repairs. Alan's response to both was not to shut them down but to help vet them for security and get them into production. His philosophy is explicit: if IT becomes the bottleneck, shadow AI fills the gap. He would rather be the person staff bring ideas to than the one they hide them from.

You Can't Outrun a Script: AI Security in a Law Firm with Michael Massey - Ep 220

Guest Introduction Michael Massey [https://www.linkedin.com/in/michaeljmassey/?skipRedirect=true] is the CISO at Reminger Co LPA [https://www.reminger.com/], a defense-focused law firm handling medical malpractice defense, workers compensation defense, and insurance defense across a large portfolio of client matters. With a background that includes time at IBM Watson Health during what he describes as the early days of AI in healthcare analytics, Michael brings a practitioner's perspective to one of the most data-sensitive environments in cybersecurity: a law firm storing thousands of confidential client records, HIPAA-covered medical files, and privileged communications that cannot afford to be compromised. Here's a Glimpse of What You'll Learn * Why Michael's team discovered their own AI-powered security tools were working correctly by accidentally locking themselves out * How Darktrace Identity and Rapid7 are functioning as the frontline defense layer at Reminger and what real-world triggered alerts actually look like in practice * Why attorneys citing AI-hallucinated case citations before judges is the most concrete example of what happens when verification stops * How DLP tools surface genuine insider threat activity and why filtering the noise to find the real signal is one of the hardest ongoing challenges in legal IT * Why Michael's time at IBM Watson Health gives him a firsthand lens on how fast AI can move from promising to catastrophic when governance is absent * Why the vendor vetting process has become one of the most time-consuming and frustrating parts of AI adoption in a HIPAA-regulated environment * Why the cat and mouse game between attackers and defenders will never end and what that means for how security teams should be building their programs In This Episode Michael opens with a phrase that stopped the host mid-sentence: you cannot outrun a script. It is the clearest and most economical summary of why AI-powered security is no longer optional that this podcast has captured. When attackers are operating at machine speed, any defensive posture that depends on human reaction time is structurally behind. Michael is not making an abstract argument. He is describing his operational reality at a law firm where confidential client records, HIPAA data, and privileged legal communications are stored across a system that receives attempted intrusions on a regular basis. Darktrace and Rapid7 are not aspirational purchases. They are the tools he relies on daily, and he tells the story of how he knows they work because both he and a colleague locked themselves out of their own systems within the same week by doing something outside their normal behavioral pattern. The AI flagged it, acted on it, and left two security administrators calling each other for help. His conclusion is exactly right: that is not a problem, that is proof. The legal AI section of this episode is where Michael brings a perspective most security guests cannot. Attorneys at firms across the country are now appearing before judges with case citations that do not exist, sourced from AI systems that hallucinated the precedents with complete confidence and no disclaimer. In the legal world, Michael notes, they have their own term for this now. Law clerks are finding the ghost cases. Judges are calling attorneys to account. Disciplinary counsel is getting involved. Fines, suspensions, and in some cases disbarment proceedings are following. Michael draws the through-line to security directly: the same verification failure that burns an attorney in a courtroom burns a security analyst who acts on a false positive without checking. The tool is only as good as the human process built around it. At Reminger, the challenge is particularly acute because attorneys are naturally risk-averse and because many of them do not realize they are already using AI tools, a fact revealed by an internal survey where staff said they did not use AI while actively relying on AI-powered systems every day. The IBM Watson Health story is the most historically grounded moment in the episode and one of the more sobering case studies this podcast has featured. Michael was there when Watson Health was doing what he now recognizes as early AI: ingesting thousands of hospital records, building treatment outcome models, identifying that Drug A produced better results than Drug B or C for patients matching specific profiles. It worked. Then it moved into cancer research and it moved too fast, and the result was a patient receiving chemotherapy who did not have cancer, a lawsuit, and the end of Watson Health as a going concern. Michael uses this not as a cautionary tale against AI but as a calibration: the pace of adoption has to be matched to the quality of the governance surrounding it. The organizations and governments that cannot move fast enough to build appropriate guardrails are not being slow. They are being outrun by a technology whose consequences they cannot yet fully anticipate. This episode is brought to you by Cyberlynx [https://cyberlynx.com/]