Cybersecurity Where You Are (audio)

Episode 193: AI Security and Responsibility in EO 14409

39 min · 24 Jun 2026

Description

In episode 193 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager sit down with Rob T. Lee [https://www.linkedin.com/in/leerob], Chief of Research & Chief AI Officer at the SANS Institute, and Brian Calkin [https://www.linkedin.com/in/brian-calkin], Chief Technology and Innovation Officer at the Center for Internet Security® (CIS®). Together, they discuss AI security and the responsibility of the U.S. government in creating confidence around it, as represented in Executive Order (EO) 14409, "Promoting Advanced Artificial Intelligence Innovation and Security."

Here are some highlights from our episode:

* 00:50. Introductions to Rob and Brian
* 02:32. How to conceptualize confidence around something as complex as AI security
* 04:32. The U.S. government's responsibility to set AI security guardrails as clear expectations
* 08:12. The use of "voluntary" participation to create confidence in the context of EO 14409
* 14:38. How Mythos AI and similar developments affect assessment of frontier AI models
* 17:11. Airport security as an analogy for understanding AI security and privacy concerns
* 18:41. Why cybersecurity is a hard sell until an incident occurs
* 20:50. How AI is quickly becoming critical infrastructure
* 22:53. Furbies as reference for a flexible, iterative benchmarking process for AI security
* 25:50. The need for technical folks to translate AI risks into something understandable
* 28:21. Balancing encouragement of AI innovation with mindfulness of risk
* 31:24. The basics as a foundation for building shared responsibility around AI security

Resources

* Promoting Advanced Artificial Intelligence Innovation and Security [https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/]
* The Myth of Mythos: What It Means For Information Security [https://www.cisecurity.org/insights/webinar/the-myth-of-mythos-what-it-means-for-information-security?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_193-0624_podcast]
* Episode 190: Separating Mythos AI Fact from Fiction [https://www.cisecurity.org/insights/podcast/episode-190-separating-mythos-ai-fact-from-fiction?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_193-0624_podcast]
* The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program [https://labs.cloudsecurityalliance.org/mythos-ciso/]
* Anthropic says it has taken its latest AI models offline to comply with new export controls [https://apnews.com/article/anthropic-artificial-intelligence-trump-fable-mythos-d9cc7df5c02e93837d0f0bfb24d5cfd2]
* Establishing Essential Cyber Hygiene [https://www.cisecurity.org/insights/white-papers/establishing-essential-cyber-hygiene?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_193-0624_podcast]
* Episode 187: The Role of a CISO as a Strategic Storyteller [https://www.cisecurity.org/insights/podcast/episode-187-the-role-of-a-ciso-as-a-strategic-storyteller?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_193-0624_podcast]

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.


All episodes

193 episodes


Episode 193: AI Security and Responsibility in EO 14409


24 Jun 2026 · 39 min

Episode 192: How Leaders Balance Expertise and Communication

In episode 192 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager sit down with Marcus Sachs [https://www.linkedin.com/in/marcsachs], Senior Vice President and Chief Engineer at the Center for Internet Security® (CIS®). Together, they discuss how leaders, including those in cybersecurity, balance their technical expertise with mastery of communication strategies.

Here are some highlights from our episode:

* 00:51. Introductions to Marcus
* 02:04. How Marcus found value in using analogies to communicate complex topics
* 08:40. Coordination with non-technical folks as a sign of leadership maturity
* 14:03. The wisdom in knowing what to say and what not to say when managing up
* 17:31. The need to balance technical skills with team resourcing in a way that's imitable
* 21:07. The challenge of leaders learning by proximity in hybrid and remote environments
* 24:16. "Classic" engineering vs. "new" engineering
* 25:13. Lessons from Boards in applying discipline, rigor, and order to software engineering
* 28:23. The value in leaders continuously learning how businesses work

Resources

* Episode 183: The Role of CISO in Supporting Risk Translation [https://www.cisecurity.org/insights/podcast/episode-183-the-role-of-ciso-in-supporting-risk-translation?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_192-0617_podcast]
* Episode 187: The Role of a CISO as a Strategic Storyteller [https://www.cisecurity.org/insights/podcast/episode-187-the-role-of-a-ciso-as-a-strategic-storyteller?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_192-0617_podcast]
* Episode 99: How Cyber-Informed Engineering Builds Resilience [https://www.cisecurity.org/insights/podcast/episode-99-how-cyber-informed-engineering-builds-resilience?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_192-0617_podcast]
* 7 CIS Experts' 2026 Cybersecurity Predictions [https://www.cisecurity.org/insights/blog/7-cis-experts-2026-cybersecurity-predictions?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_192-0617_podcast]

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

17 Jun 2026 · 31 min

Episode 191: GenAI Misuse for Physical Threat Planning

In episode 191 of Cybersecurity Where You Are, Sean Atkinson sits down with Sasha Elvenaes, Sr. Multidimensional Threat Analyst at the Center for Internet Security® (CIS®), and Rian Davis, Multidimensional Threat Analyst at CIS. Together, they discuss how threat actors are misusing generative artificial intelligence (GenAI) to plan physical threats.

Here are some highlights from our episode:

* 00:40. Introductions to Sasha, Rian, and their research on GenAI misuse
* 01:56. The impact of GenAI on lowering the barrier for operationalizing physical threat activity
* 03:37. Exploitation of GenAI model design to circumvent models' guardrails
* 05:58. The misuse of session persistence to streamline physical threat research
* 07:57. GenAI misuse: A call for critical infrastructure operators to think about security differently
* 11:52. Factors that make large-scale events a target of physical threat activity
* 14:33. The use of GenAI as a strategy for organizations to see what threat actors could see
* 15:37. Ongoing question: How can drones help mitigate risks while protecting public safety?
* 17:13. Extrapolation as a reinforcement of GenAI session persistence
* 20:15. The new reality: Look at what information AI can provide to threat actors
* 25:01. Traditional methods vs. GenAI conversations for threat planning
* 27:58. Continuous vulnerability assessments, communication, and other recommendations

Resources

* An Examination of Generative AI and Physical Threat Planning [https://www.cisecurity.org/insights/white-papers/an-examination-of-generative-ai-and-physical-threat-planning?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast]
* An Examination of AI-Enabled Threats to Event and Stadium Security [https://www.cisecurity.org/insights/white-papers/an-examination-of-ai-enabled-threats-to-event-and-stadium-security?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast]
* Multidimensional Threats [https://www.cisecurity.org/topics/multidimensional-threats?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast]
* Man who exploded Cybertruck in Las Vegas used ChatGPT in planning, police say [https://www.npr.org/2025/01/07/nx-s1-5251611/cybertruck-explosion-las-vegas-chatgpt-ai]
* Episode 190: Separating Mythos AI Fact from Fiction [https://www.cisecurity.org/insights/podcast/episode-190-separating-mythos-ai-fact-from-fiction?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast]
* Episode 185: AI Prompt Injection from a Risk Perspective [https://www.cisecurity.org/insights/podcast/episode-185-ai-prompt-injection-from-a-risk-perspective?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast]
* 5 Steps to Help Secure Your City before a Large-Scale Event [https://www.cisecurity.org/insights/blog/5-steps-to-help-secure-your-city-before-a-large-scale-event?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast]
* Unmanned Aircraft Systems (UAS): Evolving Risks to Large-Scale Public Gatherings [https://www.cisecurity.org/insights/white-papers/uas-evolving-risks-to-large-scale-public-gatherings?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast]
* 8 Security Essentials for Managing Your Online Presence [https://www.cisecurity.org/insights/blog/8-security-essentials-for-managing-your-online-presence?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast]
* Vulnerability Assessments [https://www.cisecurity.org/services/vulnerability-assessments?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast]

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

10 Jun 2026 · 31 min

Episode 190: Separating Mythos AI Fact from Fiction

In episode 190 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager sit down with Brian Calkin [https://www.linkedin.com/in/brian-calkin], Chief Technology and Innovation Officer at the Center for Internet Security® (CIS®). Together, they separate fact from fiction around artificial intelligence (AI) capabilities like Mythos AI and other AI-driven vulnerability discovery tools.

Here are some highlights from our episode:

* 00:50. Greetings to Brian and setting the stage for questions from a CIS webinar
* 03:05. The lack of a unified formula or standard for vulnerability prioritization
* 03:55. The opportunity for defenders to interrupt vulnerabilities chained together
* 05:47. An invitation to better understand your enterprise amid the "slopdemic"
* 06:33. How AI guardrails tie back into security best practices
* 10:15. How a fundamental practice we can refine is the best counter to chained attacks
* 12:25. The value of the CIS Community Defense Model and a teaser for Version 3
* 14:50. Mythos AI vs. Static Application Security Testing (SAST) in terms of practice and time
* 19:08. Visibility, governance, and prioritization: Three elements of a "prepared" environment
* 24:32. "One to one" cyber defense as a losing battle
* 27:25. The importance of knowing your dependencies with open-source software
* 33:15. Threat actor economics and the ongoing debate around responsibility in cybersecurity

Resources

* Mythos AI: What Actually Matters for Cybersecurity Leaders [https://www.cisecurity.org/insights/blog/mythos-ai-what-actually-matters-for-cybersecurity-leaders?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* Secure by Design [https://www.cisecurity.org/topics/secure-by-design?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* CIS Critical Security Controls® [https://www.cisecurity.org/controls?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* CIS Community Defense Model 2.0 [https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* Episode 185: AI Prompt Injection from a Risk Perspective [https://www.cisecurity.org/insights/podcast/episode-185-ai-prompt-injection-from-a-risk-perspective?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* Living off the Land: Threats Looming From Within [https://www.cisecurity.org/insights/blog/living-off-the-land-threats-looming-from-within?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* Turn Intel Into Action: CIS Controls and the 2026 Verizon DBIR [https://www.cisecurity.org/insights/webinar/turn-intel-into-action-cis-controls-and-the-2026-verizon-dbir?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* Implementation Guide for Small- and Medium-Sized Enterprises CIS Controls IG1 [https://www.cisecurity.org/insights/white-papers/implementation-guide-for-small-and-medium-sized-enterprises-cis-controls-ig1?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]
* Information Technology and Information Security Governance [https://www.cisecurity.org/insights/white-papers/information-technology-and-information-security-governance?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast]

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

3 Jun 2026 · 38 min

Episode 189: The Present and Future of AI-enabled Pentesting

In episode 189 of Cybersecurity Where You Are, Sean Atkinson sits down with Ed Skoudis [https://www.linkedin.com/in/edskoudis], President of SANS Technology Institute. Together, they discuss the present and future of pentesting enabled by artificial intelligence (AI).

Here are some highlights from our episode:

* 00:39. Introductions to Ed
* 01:49. The promise of AI-enabled pentesting in creating more secure infrastructure
* 04:52. AI-enabled and AI-centric workflows in the realm of penetration testing
* 08:03. Wranglers, matadors, and centaurs, oh my! Metaphors for AI-enabled pentesters
* 13:00. How AI can assist with reporting, enumeration, and scanning as part of a pentest
* 14:57. AI-enabled source-assisted pentesting and the types of vulnerabilities it finds
* 19:50. A learning opportunity for the broader cybersecurity community
* 23:44. How AI and human analysts could split the workload in a future penetration test
* 25:54. AI-enabled pentesting vs. AI pentester in a box
* 29:51. Why "human in the loop" might be too passive a phrase
* 30:37. The use of AI for source code development

Resources

* Mythos AI: What Actually Matters for Cybersecurity Leaders [https://www.cisecurity.org/insights/blog/mythos-ai-what-actually-matters-for-cybersecurity-leaders?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_189-0527_podcast]
* Secure by Design [https://www.cisecurity.org/topics/secure-by-design?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_189-0527_podcast]
* SEC543: AI-Assisted Source Code Analysis and Exploitation for Penetration Testers [https://www.sans.org/cyber-security-courses/ai-source-code-analysis-exploitation-pentesters]
* Episode 108: Gaming and Competition in Cybersecurity [https://www.cisecurity.org/insights/podcast/episode-108-gaming-and-competition-in-cybersecurity?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_189-0527_podcast]
* Episode 59: Probing the Modern Role of the Pentest [https://www.cisecurity.org/insights/podcast/episode-59-probing-the-modern-role-of-the-pentest?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_189-0527_podcast]

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

27 May 2026 · 33 min