Cybersecurity Where You Are (audio)

Center for Internet Security

Welcome to the audio version of “Cybersecurity Where You Are,” the podcast of the Center for Internet Security® (CIS®). Cybersecurity affects us all — whether we’re online at home, managing a company, supporting clients, or running a state or local government. Join us on Wednesdays as Sean Atkinson, CISO at CIS, and Tony Sager, SVP & Chief Evangelist at CIS, discuss trends and threats, explore security best practices, and interview experts in the industry. Together, we’ll clarify these issues, creating confidence in the connected world. Subscribe to the video version of our podcast here: https://fast.wistia.net/embed/channel/0l9fss300m?wchannelid=0l9fss300m.

  1. 19h ago

    Episode 190: Separating Mythos AI Fact from Fiction

    In episode 190 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager sit down with Brian Calkin, Chief Technology and Innovation Officer at the Center for Internet Security® (CIS®). Together, they separate fact from fiction around artificial intelligence (AI) capabilities like Mythos AI and other AI-driven vulnerability discovery tools. Here are some highlights from our episode:

    00:50. Greetings to Brian and setting the stage for questions from a CIS webinar
    03:05. The lack of a unified formula or standard for vulnerability prioritization
    03:55. The opportunity for defenders to interrupt vulnerabilities chained together
    05:47. An invitation to better understand your enterprise amid the "slopdemic"
    06:33. How AI guardrails tie back into security best practices
    10:15. How a fundamental practice we can refine is the best counter to chained attacks
    12:25. The value of the CIS Community Defense Model and a teaser for Version 3
    14:50. Mythos AI vs. Static Application Security Testing (SAST) in terms of practice and time
    19:08. Visibility, governance, and prioritization: Three elements of a "prepared" environment
    24:32. "One to one" cyber defense as a losing battle
    27:25. The importance of knowing your dependencies with open-source software
    33:15. Threat actor economics and the ongoing debate around responsibility in cybersecurity

    Resources:
    Mythos AI: What Actually Matters for Cybersecurity Leaders
    Secure by Design
    CIS Critical Security Controls®
    CIS Community Defense Model 2.0
    Episode 185: AI Prompt Injection from a Risk Perspective
    Living off the Land: Threats Looming From Within
    Turn Intel Into Action: CIS Controls and the 2026 Verizon DBIR
    Implementation Guide for Small- and Medium-Sized Enterprises CIS Controls IG1
    Information Technology and Information Security Governance

    If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

    39 min
  2. May 27

    Episode 189: The Present and Future of AI-enabled Pentesting

    In episode 189 of Cybersecurity Where You Are, Sean Atkinson sits down with Ed Skoudis, President of SANS Technology Institute. Together, they discuss the present and future of pentesting enabled by artificial intelligence (AI). Here are some highlights from our episode:

    00:39. Introductions to Ed
    01:49. The promise of AI-enabled pentesting in creating more secure infrastructure
    04:52. AI-enabled and AI-centric workflows in the realm of penetration testing
    08:03. Wranglers, matadors, and centaurs, oh my! Metaphors for AI-enabled pentesters
    13:00. How AI can assist with reporting, enumeration, and scanning as part of a pentest
    14:57. AI-enabled source-assisted pentesting and the types of vulnerabilities it finds
    19:50. A learning opportunity for the broader cybersecurity community
    23:44. How AI and human analysts could split the workload in a future penetration test
    25:54. AI-enabled pentesting vs. AI pentester in a box
    29:51. Why "human in the loop" might be too passive a phrase
    30:37. The use of AI for source code development

    Resources:
    Mythos AI: What Actually Matters for Cybersecurity Leaders
    Secure by Design
    SEC543: AI-Assisted Source Code Analysis and Exploitation for Penetration Testers
    Episode 108: Gaming and Competition in Cybersecurity
    Episode 59: Probing the Modern Role of the Pentest

    If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

    34 min
  3. May 20

    Episode 188: DBIR 2026 Insights and Collaboration with CIS

    In episode 188 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager sit down with Philippe "Phil" Langlois, Data Breach Investigations Report (DBIR) Author at Verizon; and Charity Otwell, Director of the CIS Critical Security Controls® (CIS Controls®) at the Center for Internet Security® (CIS®). Together, they discuss some of the top insights of the 2026 DBIR and how CIS contributed to the publication. Here are some highlights from our episode:

    00:50. Introductions to Phil and Charity
    02:46. Vulnerability exploitation as the most common attack vector
    05:25. The role of artificial intelligence (AI) in threat actors' natural system thinking
    07:03. The need for clear governance and responsibility around vulnerability management
    08:58. Insight into the types of techniques threat actors research using frontier AI models
    13:43. A trending drop in ransomware payouts and organizations willing to pay attackers
    14:59. Why a healthy dose of distrust goes a long way in assessing attackers' claims of victims
    16:24. How two ransomware groups stand out above the norm
    17:49. The ongoing risk surrounding vendor, supplier, and other third-party exposure
    22:34. The need for governance in managing data issues involving the use of AI
    27:14. Three ways in which CIS contributed to the 2026 DBIR
    34:02. How the 2026 DBIR informs the CIS Controls and parting actionable steps

    Resources:
    2026 Data Breach Investigations Report
    CIS Critical Security Controls®
    Episode 87: Marking 11 Years as a Verizon DBIR Contributor
    Mythos AI: What Actually Matters for Cybersecurity Leaders
    Applying the CIS Controls to Real‑World AI Environments
    CIS Community Defense Model 2.0
    The Conti Leaks: A Case of Cybercrime’s Commercialization

    If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

    39 min
  4. May 13

    Episode 187: The Role of a CISO as a Strategic Storyteller

    In episode 187 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager discuss how the role of a CISO functions as a strategic storyteller of cyber risk while keeping the bigger picture in mind. Here are some highlights from our episode:

    00:51. Framing the conversation around CISOs' efforts to communicate with the business
    02:01. Translation: A nuanced practice of simplifying the story while still telling the truth
    02:41. The need for a CISO to bridge their organization's respective "culture gap(s)"
    04:13. Collaborative and dictatorial: Two different ways CISOs talk to a business
    06:07. The work of translation in motivating and informing action around perceived risk
    07:03. Security sampling: A story from Tony that reminds CISOs of the bigger picture
    09:55. Fewer wizards and more mechanics: What the cybersecurity industry needs today
    12:20. Two factors to consider: Politicking and the need to provide an accessible narrative
    15:49. Rapport and tradecraft as two critical tools supporting the role of a CISO
    18:09. Technical competence as a prerequisite for confidence in risk conversations
    19:20. The false sense of security from relying on comparative data with competitors
    22:14. The CISO as a strategic storyteller who helps the business make decisions
    27:03. The need for machinery to constantly rediscover and recreate trust
    30:15. A call to action for Boards: Build vernacular in cybersecurity risk space
    35:03. CISO as a strategic storyteller vs. CISO as an enforcer

    Resources:
    CIS Critical Security Controls®
    CIS Community Defense Model 2.0
    Episode 183: The Role of CISO in Supporting Risk Translation
    Episode 166: Foundations of Actuarial Science in Cyber Risk
    Episode 121: The Economics of Cybersecurity Decision-Making
    NICE Workforce Framework for Cybersecurity (NICE Framework)

    If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

    40 min
  5. May 6

    Episode 186: Strong Cyber Defense Starts with IT Operations

    In episode 186 of Cybersecurity Where You Are, Tony Sager sits down with Tony Krzyzewski, a CIS Critical Security Controls® (CIS Controls®) Ambassador for the Center for Internet Security® (CIS®). Together, they discuss how strong cyber defense starts with the fundamentals of IT operations. Here are some highlights from our episode:

    00:45. Introductions to Tony Krzyzewski and his background
    02:19. Tony Krzyzewski's first interaction with the CIS Controls
    03:47. IT operations: The foundation that makes strong cyber defense possible
    06:20. How an increasingly connected world makes the CIS Controls essential to cybersecurity
    09:56. The need for operations people to realize they're part of the cybersecurity solution
    13:11. The use of Implementation Groups to reduce overload on IT and security teams
    16:52. How the CIS Controls differ from "umbrella frameworks" like NIST CSF and ISO 27001
    18:25. CIS Controls mappings and how they help to simplify a surplus of good guidance
    20:35. How the CIS Controls support improvement programs and Board-level conversations
    25:38. Tony Krzyzewski's work in creating the CIS Controls Ambassador program
    27:02. Why a deep view of what's happening at CIS supports Tony Krzyzewski's efforts
    30:11. Growing international promotion of the CIS Controls and "doing the basics well"

    Resources:
    CIS Critical Security Controls®
    CIS Controls Ambassador Spotlight: Tony Krzyzewski
    Episode 160: Championing SME Security with the CIS Controls
    Episode 168: Institutionalizing Good Cybersecurity Ideas
    Episode 172: Helping CISOs as a CIS Controls Ambassador
    Episode 181: Supply and Demand of Cybersecurity Ecosystems
    Guide to Implementation Groups (IG): CIS Critical Security Controls v8.1
    Reasonable Cybersecurity
    Mappings to Security Frameworks
    Translations
    Policy Templates
    Securing the AI Ecosystem Begins at the Model Layer

    If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

    39 min
  6. Apr 29

    Episode 185: AI Prompt Injection from a Risk Perspective

    In episode 185 of Cybersecurity Where You Are, Sean Atkinson sits down with Brian Calkin, Chief Technology and Innovation Officer at the Center for Internet Security® (CIS®); Theodore "TJ" Sayers, Senior Director of Threat Intelligence at CIS; and Kyle Leonard, Cyber Threat Intelligence Analyst at CIS. Together, they use a risk perspective to discuss artificial intelligence (AI) prompt injection and how to defend against it. Here are some highlights from our episode:

    00:49. A definition of AI prompt injection for businesses and executives
    02:16. Brian on his role of guiding AI implementation at CIS
    03:12. Understanding the urgency surrounding AI prompt injection as a security risk
    05:32. Signals and trends indicative of threat actors attempting to weaponize prompt injection
    07:10. How AI prompt injection differs from traditional input validation vulnerabilities
    11:13. Early indicators that cyber threat intelligence (CTI) teams can monitor
    15:00. The need to treat AI as a new identity in any enterprise implementation strategy
    17:10. Understanding the difference: AI safety vs. AI security
    20:36. Foundational, practical AI security that extends across all sectors
    24:55. How CIS manages risk and supports the opportunity around the use of AI
    28:25. The long-term promise of AI-driven vulnerability discovery grounded in fundamentals
    34:48. Recommendations for piercing through the marketing hype surrounding AI

    Resources:
    Prompt Injections: The Inherent Threat to Generative AI
    New CIS Report Warns Prompt Injection Attacks Pose Growing Risk to Generative AI
    Episode 182: Striking a Balance on an AI Adoption Journey
    Episode 120: How Contextual Awareness Drives AI Governance
    Mythos AI: What Actually Matters for Cybersecurity Leaders
    Applying the CIS Controls to Real‑World AI Environments
    An Examination of Generative AI and Physical Threat Planning
    AI Playbooks for SLTT Cybersecurity Leaders

    If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

    38 min
  7. Apr 22

    Episode 184: Cybersecurity Policy Development as a Journey

    In episode 184 of Cybersecurity Where You Are, Sean Atkinson sits down with Brock Boggs, Director of Technology at Cityscape Schools and Multi-State Information Sharing and Analysis Center® (MS-ISAC®) member. Together, they discuss how Brock approaches cybersecurity policy development as a journey at his school. Here are some highlights from our episode:

    01:21. Brock's first attempt at drafting an IT security policy manual
    04:17. Fact or fiction? How the best "written" security program doesn't always translate
    06:35. A starting policy landscape of creating baselines for cybersecurity, ticketing, and more
    08:40. How Brock learned about a roadmap for his school at ISAC Annual Meeting 2023
    11:07. Lean and to the point: The second draft of Brock's IT security policy manual
    12:37. The use of Center for Internet Security® (CIS®) policy templates to write procedures
    19:34. How Brock used regular updates about his policy manual to secure stakeholder buy-in
    28:42. Openness, willingness to fail, and adaptability as strengths of the community
    31:49. Approaching cybersecurity policy development as an ever-changing journey

    Resources:
    CIS Critical Security Controls®
    Policy Templates
    Formalizing K-12 Cybersecurity Policies in Less Time
    Episode 163: K-12 Cybersecurity Made Practical
    Episode 176: A Cybersecurity Journey of Incremental Wins
    Guide to Implementation Groups (IG): CIS Critical Security Controls v8.1
    CIS SecureSuite® Membership

    If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

    38 min
  8. Apr 15

    Episode 183: The Role of CISO in Supporting Risk Translation

    In episode 183 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager discuss how the role of CISO supports risk translation across all levels of an organization. Here are some highlights from our episode:

    01:52. Describing the role of CISO in a single sentence
    03:43. The importance of storytelling in risk translation for an organization
    07:56. The need for CISOs to meet members of an organization where they are
    10:47. Why the function of translating risk matters more than sharing it
    14:41. The misnomer of "soft skills" and why they're a crucial part of professional life
    15:50. Tony's experience with cultivating "soft skills" and working with trusted truth tellers
    21:01. The importance of contextualization when framing risk to a Board of Directors
    24:20. How teaching and communicating differ
    25:05. Humility and empathy: Crucial skills in understanding another person's world
    26:34. How communication and public speaking can help to advance a mission
    29:08. The use of teaching to build mastery and writing to understand what we teach
    32:35. Public speaking tip: Don't let the first time you hear your words aloud be onstage
    36:10. Tony's "superpower" of geeky sincerity

    Resources:
    Episode 88: The Evolution of the Role of a CISO
    Episode 121: The Economics of Cybersecurity Decision-Making
    Episode 166: Foundations of Actuarial Science in Cyber Risk
    CIS Community Defense Model 2.0

    If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

    40 min
