The Lock & Key Lounge — An ArmorText Original Podcast

Podcast #29 The Structures That Hold

Building Governance that Holds Because the Mission Demands It—Not Because Anyone Required It We have spent years in this industry talking about who belongs in the room—the board table, the executive suite, the security leadership track. What we have talked about far less is what it actually takes to get there, and whether the commitments organizations have made to broadening who leads are holding when the environment makes it easier to let them quietly lapse. Jameeka Green Aaron has operated at both levels simultaneously: as the CISO responsible for making security governance work inside a global digital health company serving millions of members, and as a board member whose job was to ask the harder questions about whether the organization was doing what it said it would. In this conversation with Navroop Mitter—recorded just one day after her move to Emerson Collective—Jameeka traces the arc from the South Side of Stockton to Black Hat MEA in Saudi Arabia, names the structural conditions that have kept the pipeline too thin for too long, and explains what it actually took to build AI governance at Headspace that held because people's wellbeing demanded it—not because regulation required it.

196 Countries, One CISO

Most security leaders spend their careers building programs in the private sector—strong compensation, clear organizational lines, and at least some degree of control over the stakeholder map. Occasionally, someone makes a different call. Bjørn Watne left senior CISO roles at Telenor and Storebrand—two of Scandinavia's most recognized institutions—to take on one of the most complex security mandates on the planet: Global CISO of INTERPOL, the international law enforcement organization supporting 196 member nations in the fight against transnational crime. In this conversation with Navroop Mitter, Bjørn explores what that decision looked like up close—the mission that drew him in, the trade-offs he accepted, and what you learn about security leadership when your stakeholder map includes sovereign governments that may not always see eye to eye, some of whom are actively sanctioning each other.

Grid Resiliency: It Must Be A Bottoms Up Approach

When we talk about securing the electric grid, the conversation usually focuses on preventing outages or protecting the biggest, most visible assets like large power plants, transmission lines, and control centers. But operators know the harder problem is not knocking the grid down; it’s bringing it back up. Grid recovery depends on a fragile chain of smaller substations, control systems, communications links, and auxiliary components that must come online in a precise sequence. Increasingly, those overlooked components are now becoming the real targets.  Rob Lee, co-founder and CEO of Dragos, joins Matt Calligan to explain how adversaries think about recovery denial, why attacking the smallest parts of the grid can stop the biggest ones from ever coming back online, and what it means that state actors are now transferring operational knowledge to non-state actors who are already causing physical process

Podcast#26: Blackstarts and Blindspots

How AI can turn air gaps into security gaps for ICS/SCADA For decades, critical infrastructure companies have relied on organizational silos—air gaps between IT and operational technology—to ensure that enterprise disruptions do not cascade into the physical systems that keep the lights on. But those silos have been largely successful due to biology and physics: the scale of coordination and depth of expertise required to overwhelm them has been beyond human capability. That changed when we built something capable of assembling expert skill sets instantaneously. Patrick Miller, CEO of Ampyx Cyber, recovering regulator, and one of the most recognized voices in OT cybersecurity, joins Matt Calligan to confront the question that most organizations have not seriously answered: what does resilience look like when both IT and OT systems are simultaneously degraded or unavailable—and the assumption that you can "go back to manual" turns out to be a pipe dream?

The Lock & Key Lounge - RIFF Edition 5

In this RIFF Edition, Navroop and Matt work through seven stories spanning different sectors, threat actors, and tools—but one failure mode: the layer underneath your security stack is the actual attack surface. From the collapse of patching windows to Russian intelligence phishing Signal accounts, from an Iranian-linked group wiping 80,000 Stryker devices through Microsoft Intune to Proton Mail's billing layer unmasking an anonymous user, the throughline is consistent: the attack didn't beat the technology—it went around it.