401 Access Denied Podcast Ep. 124 | 2025 State of Cybersecurity with Dan Lohrmann
Episode 124 • 22nd January 2025 • 401 Access Denied • Delinea


Shownotes

As cybersecurity threats evolve, staying ahead is more critical than ever. In this episode, Joe Carson welcomes back Dan Lohrmann to discuss what 2025 holds—from the rise of agentic AI to deepfakes, social engineering, and shifting regulatory pressures. They explore proactive security measures, the impact of global dynamics like US-China relations, and why continuous learning is key to staying protected.

Don't miss this insightful discussion packed with expert analysis and strategies to navigate the future of cybersecurity.

Resources:

Connect with Delinea:

Delinea Website: https://delinea.com/

Delinea LinkedIn: https://www.linkedin.com/company/delinea/

Delinea X: https://x.com/delineainc

Delinea Facebook: https://www.facebook.com/delineainc

Delinea YouTube: https://www.youtube.com/c/delinea

Transcripts

Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast brought to you by Delinea. I'm the host of the show, Joe Carson, Chief Security Scientist and Advisory CISO, and it's awesome to have you here for another awesome, excellent episode. We've actually hit amazing stats for the podcast. It's now pretty much over half a million downloads and listens of the episode, so it's fantastic to have such a growing audience over the many years. One of my favorite guests is always welcome to the show. I think now, you're definitely the most appeared guest on the episode, so it's fantastic to have you back. Dan, welcome back to the podcast. If you want to give the audience something new, listeners, a little bit about who you are, your background and what you do, it'd be great.

Dan Lohrmann:

Hey Joe, thanks so much for having me back. It's great to be with everyone. Likewise, I always love having you on my show, the CISO Insights Show with BrightTALK. Also, just the conversations with you all around the country, running into each other at a lot of events, always learn a ton. Your insights, your expertise is outstanding globally, top-notch.

Yeah, Dan Lohrmann. I am the field CISO with Presidio. I mainly focus on public sector, but I do 80/20, maybe 20% private sector. My background was, I started my career at the National Security Agency, was in England with Lockheed in the '90s, working on US/UK intelligence. I can't talk about it. I'd have to kill people if they knew what we did, but it was all good. It was all for the good guys and learned a ton in the intelligence community. Then 17 years in Michigan government after that. In Michigan, I did a lot of different roles. Agency CIO, I was the CISO for the state of Michigan, Chief Information Security Officer, Chief Technology Officer for the state of Michigan. Then we brought physical and cybersecurity together, actually before CISA did. I was the CSO over physical and cybersecurity in Michigan. That's my background. I've been with Presidio now a little more than three years and just really glad to be on the show today.

Joseph Carson:

You're an author as well. You've got your own book out as well.

Dan Lohrmann:

Yeah, we do. Actually, I've done three books. My latest one, I co-authored with Shamane Tan, Cyber Mayday and the Day After. It's a Leader's Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions, which I know is a mouthful, but it's really stories around ransomware. What happened behind the scenes in ransomware, Colonial Pipeline, those kinds of stories. Then what happened in the C-suite when they got that note from the bad guys and what happened. We do a lot of before, during, and after incidents. You can do stories, mainly stories but also best practices. I also blog. My weekly blog is with Government Technology Magazine, Lohrmann on Cybersecurity. That's what we're going to be basing our discussion on today, which is-

Joseph Carson:

Absolutely.

Dan Lohrmann:

My annual prediction report.

Joseph Carson:

Another fun fact, I was actually just finishing, I just read a book over the holidays, the CISO Compass book. As I was going through, I did see a quote from you on it, which was fantastic. I love the quote because it was a rhyme about not being the person in security that says no and about how you do something. I think it was around the WiFi access quote.

Dan Lohrmann:

Yeah, the WiFi story is now famous. I tell that story a lot, but yeah, it was. I won't go through the whole story now unless you want to hear it, but the whole story is, I was the guy who tried to kill WiFi back in '04, so 20 years ago. The NSA guy, bad idea, shouldn't do WiFi, not secure, can't protect it. It's a long story. It's about a 10 minute story.

Joseph Carson:

We do that for another episode.

Dan Lohrmann:

I almost got fired. I almost got fired. I literally, that was the aha moment in my career where I learned that you've got to get to yes. You've got to be an enabler. CISOs are famous for, "The answer is no. What was the question?" Whatever the question, the answer's no. You can't do that. We're famous for that, and I was the worst of the worst. That was my modus operandi.

Joseph Carson:

We all were doing the same. I was the same. I was an enforcer of security. I was like, "You do it this way." Then I think we realized that if we don't do it ourselves, they're going to find shadow IT. They're going to find workarounds. You'll find it here anyway, and it would be better to be in your control with the right security in place rather than people going and doing shadow IT and creating the things that you don't even see and don't know about.

Dan Lohrmann:

Yeah, and I'll just say one last thing before we dive into the predictions is just one thing my boss and I, I had had white papers from the NSA, CIA, DIA, FBI. I had all this headlines from Home Depot getting hacked, Lowe's getting hacked, people going to the cash register, downloading social security numbers, credit card numbers. It was pretty ugly, and I had a lot of, but my boss said to me, Teri Takai at the time, but she said, "Dan, I've been to Dow, Ford, Chrysler and GM. They all have WiFi in their conference rooms. What do they know that you don't know? I'm giving you one week to figure this out or I want your resignation."

This was literally like I was going to get fired, but I learned a bigger lesson. It wasn't just, that story is about WiFi, but then I tell the story. It could be cloud. It could be bringing your own device to work, BYOD. This one is AI. It's like, can't do AI, not secure. Believe me, there's a lot of insecurities, and we'll talk about AI. A lot of things could go wrong with AI, but you can't just say no. You can't just dismiss it and throw it out, baby with the bath water. You've got to get to yes, and you've got to do that securely. That's really our challenge as CISOs and as security professionals is getting to yes in a secure manner.

Joseph Carson:

Yep. Then you have visibility and that's what's critical. You have the knowledge and visibility of what's in place. Today's episode, and it's awesome, because what I always enjoy is, every year, you do a lot of the predictions. You do the predictions blog and then you do the CISO Insights. For me, it's always going through that list is always really intriguing and you get the normal flow predictions and then the ones that's like, "Whoa, okay, I didn't even think of that." Today's episode, I want to go through, for you, as you were going through that list, what were some of the most notable ones? What was the ones that you were like, "Wow, that's something that's pretty, it's going to happen and we're close to it." What was the list? What was the things that was top of mind?

Dan Lohrmann:

Yeah, two jump out to me. I'll just mention two different extremes. Everyone knows AI, last year, just to recap for the audience, last year, when we started the year, everyone was saying bring your own AI would be the new thing. I had never, a year ago, it was like everyone talks about that now like, "Yeah, of course, bring your own AI. Everybody does that," but a year ago, it wasn't even on the list. That really happened, and that was an eye-opening thing for me. There was one, and I'll save that for a moment from now that jumped out at me that I was not thinking about going into the year that I heard. New term, new philosophy that I hadn't really heard much about that jumped out, but the one that I was expecting was agentic AI emerges as a hot new opportunity, but also the new cyber threat vector. Agentic AI meaning we're going to have agent-based, the same way we have apps on our phone.

It used to be like everything was going, I'm dating myself here, but going back a decade, we all had phones, iPhones and this and that, but it was all web browser-based stuff. Then of course, we moved, everyone knows this already. Your audience knows. We went to all these apps and apps are on your phone, an app for this, an app for that. There's an app. Everyone was like, "There's an app for that." There's an app for the weather and there's this and that. That same thing is going to happen with agentic AI. There's going to be agents. We may ultimately get to the Jetsons where there's one agent to rule them all, if you will, right? One agent can do everything, the ChatGPT on steroids that can solve all of our problems in life from traveling to this to that go find me the best deal and then go ahead and book it for me and send me the tickets.

We're not there yet, but that day may come a decade from now, five years from now, but we're all going to have agents and those agents are going to help us in a wide variety of ways and moving more and more to agentic AI, lots of stories about that. All the big vendors have their own version of how that's going to play out, but then also, that will be the way, that trust that you have in that agent will then be what the bad guys use to gain access into your life.

Joseph Carson:

Absolutely.

Dan Lohrmann:


The one that jumped out at me, I'll just mention a second one that I just hadn't heard this term before. It was called pig butchering. Maybe you've heard this term. I'm like, "Pig butchering, what the heck is that?" I literally am seeing this show up in four or five reports and it jumped out at me. What it really is, it's the long-term financial fraud. The idea is, the pig, I'm sorry for the graphic terms here.

Joseph Carson:

It's a part of life.

Dan Lohrmann:

They fatten up the pig or they fatten up the cow and then they slaughter it, or the turkey for Thanksgiving, if you will. Whatever it might be, you fatten up the hog and then you butcher it and then you have the bacon and everything else. What does that mean for AI? What does that mean for cybersecurity? The idea is, the bad guys, and we've heard the term before going back four or five, six years, but it's slightly different this time. We've heard, we went from phishing to spear phishing to whaling, whaling going after the big fish. CEO fraud is another term for it, business email compromise. Those terms have been around for a few years. Everybody who watches your show, and you do a great job, know those terms.

How this is a little different is, it's almost, the example I like to use, it's funny, almost going back to the movie. It dates me here. One of my early favorite movies in the '70s was the Sting. It was this movie, if you remember the movie the Sting, if you've seen that joke.

Joseph Carson:

I have.

Dan Lohrmann:

A whole group of people act around and it's all to try and get $10 million dollars from these criminals, to trick them into getting this money. It took a long, they're basically acting. It took all this time and energy, but it was for a big payday. The concept is that some of these things we've talked about in the last year or two years around deep fakes, around fraudulent, whether it be fraudulent passports, fraudulent documents, fraudulent emails, fraudulent communications, multi different venues or channels that people are going to use, so it might be a mixture of text, email, Facebook, LinkedIn.

Joseph Carson:

It's almost like a modern-day Ocean's 11.

Dan Lohrmann:

Correct. Ocean's 11 is a better example than my Sting going way back. Exactly. Ocean's 11 is another great example. It's a modern-day Ocean's 11 against each of us. It's like, this has to be true. The bad actors know, "Oh, they're going to try and call their bank. Before they do this million dollar transfer or, God forbid, $10 million dollar transfer or $100 million dollar transfer, they're going to want to check a few things," but they're learning your processes. They're doing multiple things to trick you, creating call centers and creating very sophisticated operations and maybe even including, which is really pretty crazy, but in-person meetings and just all kinds of things to basically trick you to get you to push that button and do that transfer.

At the end of the day, they want that payday, but it's a slow fraud. I'm not saying we're going to get rid of the fast, quick click and boom, they stole my identity for $10 bucks, but the idea that it's a slow, long fraud. Pig butchering shows up in also phishing, voice phishing, other types of social engineering. It's going to be harder and harder and harder to detect using new technologies, using AI, using deep fakes. I think that one jumped out at me.

Joseph Carson:

The biggest threat for me from:

Of the advancements that was made and that we've seen the case where the Zoom call that was basically the accountant saw the CFO and the CEO in the background of the Zoom chat, and it was deep fakes. They thought that was a real video and they actually saw the people. They saw their colleagues. They saw their bosses, and they ended up doing a $25 million dollar transfer that ended up being basically a financial theft. Absolutely for me, pig butchering is the end-to-end, whole cycle of doing it, preparing, looking and learning and getting that big, massive payday. All these technologies like deep fakes and even AI, AI's really come in where the social engineering piece has got so good that it's so hard to even detect the threats.

One of the things I've mentioned in previous is that, in Estonia where I'm based, the language has always been protected because it was very difficult and the previous language translations from previous language translators were not very good. These are the ones that was being used for the phishing and social engineering. When you... replace that with ChatGPT, the translations are perfect and now, that is no longer protection. Social engineering and deep fakes and AI, all of those things coming together changes the entire threat landscape to the point where we have to reset and think about what things make those. What does early detection, what can you do from a human perspective to identify those areas? Those are two great examples. I really, really like those.

Absolutely, the agents. One of the things to go back to the AI agent side, me being based in Estonia, Estonia's government had this thing called the Krattbot, which is the government's AI agent for the citizen. Citizens, we citizens will have our own AI agent that will interact with the government for us. To your point, we'll have our own personal agent, which might do, let's say our personal life, update certain social media, contact my family, book a vacation, do transfers, so you'll have your own personal agent and it will be two things. It'll be non-interactive, fully autonomous and interactive. I think the first ones will be interactive. We'll verify.

We want to check to make sure that it's doing the right things because right now we've got a lot of mistakes happening because it's not always correct. The accuracy is not quite there yet. We have to intervene quite a lot and check before we post, is that the right information? It's the right year, it's the right destination, so double checking everything. Then at some point in time, you might turn on some of the autonomous. You might just say, "Yeah, I'm fine with it during the updates," and with sending out calendars and replying to certain things for you so that you have some autonomous capability, but you're absolutely right. I think we may have different risk levels of AI agents out there. You'll have your government interactive one. You might have your employment one and you'll have your personal one. All of those, you'll be able to have different authorization and controls and security levels of.

Dan Lohrmann:

Yeah. I think what'll be interesting, Joe, it's not even if. It's when. There's a headline story. There's no predictions in this year about this, but nobody wants to tell the story of how this happens to Sarah or Trevor or something, but one of these autonomous agents going amok that all of a sudden, you're working for some German company you didn't even know you were working for, right? Something really crazy is going to happen, right? It's going to be like, "What do you mean?" It's going to be some random phone call that somebody's going to tell. It's going to happen.

Joseph Carson:

It absolutely is going to happen. We're going to look back even just, it almost happened when we look back a couple of years ago with the Microsoft Clippy. Remember when it was let go on social media and then people started training it on really bad models and it became very biased?

You're absolutely right that if you haven't fully secured, and I think one of the big things was the recent executive order, which was quite interesting from the government in the US and also CIS's best practice guideline and framework. I think that is really setting where you had to start thinking. You have to start thinking about those things, to your point, because they will happen. If you haven't thought about them today and put the controls in place and really being strict around who has access to the algorithms and the models and how do you train that data and where is that data being trained from and the data source and origins, you really have to make sure that if you're not in full control of the learning model itself and the algorithm, you will have those scenarios where it might just go off on its own accord and start making decisions that you never thought of.

Dan Lohrmann:

I think we have today, as we're talking, I literally, this idea just popped in my mind. I'll give it. Somebody out there might turn this into a business opportunity, but literally, we have fraud reports. We use different types of identity theft protection around our social security numbers in the US, numbers you have there in Europe and around the world, different sensitive data around our health records or this or that. The reality is, it's now going to be even a broader, I suspect you're going to have more of the identity theft protection will be much broader and/or it'll have a different meaning, really.

It's not just social security numbers and credit card numbers and somebody stole my tax records. It's going to be, they stole my identity and/or tried to take my autonomous agent and go work in South America or something. Literally, where has my identity been that I don't know about, because this autonomous agent is running around the world pretending to be me. I think those days are coming. I think that maybe is, I don't know, maybe that's a stretch thing over the next couple of years.

Joseph Carson:

I think it's going to happen. I think it's going to happen. One thing is because I've always referred to, to your point is, we've had this whole discussion for years of cloning people and sheep. Dolly the sheep was one of the worst examples, but I think we're at the point where actually, digital clones. We are creating enough of our digital DNA on the internet that the more that you contribute to basically public domains, videos, audios, chat conversations, likes, preferences, all of that, if an attacker or somebody who wants to abuse your identity, they could capture all of that and create a digital clone of you. It will look like you. It will sound like you. It might even have very similar personality traits. It may not be 100% identical because one thing I think I read in a book recently is what the AI agents can't replicate is your soul or your frontal cortex, which is where things will change or you have different opinions or different concepts.

we've started seeing even in:

Dan Lohrmann:

That has absolutely happened. People hiring people from North Korea. That's been in the papers, and companies coming out and admitting that. Yeah, I totally agree. That actually happened in '24.

Joseph Carson:

I just think it will get improved, the technology, to make that even more severe and more concerning. What are the things was interesting from the list as well?

Dan Lohrmann:

Yeah, sure. I'll maybe run down there, really quickly cover. What we do is, we look at the top reports, not just individual predictions. Literally, it's thousands of predictions, but we look at hundreds of reports from different vendors. We then rank the reports from one through the year that it is, and then we have five bonus reports like Honorable Mention, so it's 25 different reports. We can run through those in a minute, but then, we take all these reports. By the way, the value here is actually very substantial. I encourage people not just, obviously, listen to Joe and I, but go and read the reports. The real key is the why. People think, "Oh, these are just random predictions." No, this is like predicting the weather. There's a science behind it. It's connecting the dots and you can learn by, I always learn so much. To me, it helps me. I gain more out of this than I give.

Joseph Carson:

It's a training session to many...

Dan Lohrmann:

This is all based on free information. Many of these companies would normally charge, the Forresters and the IDC and Gartner, this is based on their free information. If you want to go get their detailed paid reports, you can pay tens or hundreds of thousands of dollars for that. This is stuff that these vendors give away for free every year. There are 20, 30, sometimes 40-page reports with detailed references. They're very, very well done, and I learn a ton. Then we roll it all up and we talk about the top 10 trends, the trends that cut across all the reports. I'll just run through those real quickly. All the detail is there. We'll put the link there. You can go.

Joseph Carson:

We can put them in the show notes. Absolutely. We're going to make it available for everyone.

Dan Lohrmann:

Agentic AI, we mentioned. AI-driven scams and social engineering, we mentioned one and two, which is the pig butchering. Three, ransomware evolved with automation and AI. Again, lots of examples how ransomware will still be here, but it's going to change. It's going to evolve. Supply chain attacks on the rise. Again, you say, "Dan, that's been happening for years." Totally agree, but it's going to definitely modify and change and evolve. Open source vulnerabilities, cloud, multi-vendor risks around the cloud and how that's going to change with specific examples in each category. Democratization of cyber tools is number five. Number six, geopolitical cyber warfare will intensify. Again, that's looking at Russia, China, Iran, North Korea, talking about the big four and how that's going to change. That was six.

Number seven, post-quantum threats will accelerate, so we need to, a lot of talk about what's called harvest now, decrypt later. Grab all your data, even if it's encrypted. Maybe later I can decrypt it. People talked about the balloon that went across America grabbing all the data from China and the same thing, but that's going to happen online in the internet. Number eight was IoT edge devices are growing, attack vectors. Again, okay, we've got the cloud. We've got the mobile. We've got the individual end devices. Nine was AI-powered SOCs, Security Operation Centers and automation will redefine defenses, using more and more security co-pilots, AI-driven security operation centers. More and more of that first line, that entry level agent will be AI. Then the second tier, third tier might be more advanced agents. Then the number ten trend, and again, there's plenty more in the report, but regulatory pressures and compliance shifts.

I'll just say a couple of quick things about this, Joe. There's some disagreements in some of these that not everybody thinks. Some people say go north. Some people say go south. Some people think we're going to have more regulation, that especially around AI, you're going to start seeing a big move around regulation related to cryptocurrencies and crypto, more regulation around privacy and other things. Other people say, "No, we're going the opposite direction." Trump and his new administration, especially in the US, I'm talking now with Trump 2.0, with just being inaugurated. As we're taping this, it was yesterday. Literally, the idea that deregulation opening up more mergers, more opportunity for banks and for Wall Street and for companies. What will that do to reporting? What will that do to cyber regulation? Will people have to report incidents? There's a divergence in opinion on this, and it's important to read both sides and they both have strong arguments.

Joseph Carson:

They came up with in the end of:

You looked at the inauguration and you look at a lot of the people that was basically sitting in the front row or second row were the tech, which are very dependent on making sure. You looked at even Meta taking away their basically fact-checking process to being community driven. That's, to your point, a direction towards non-regulation or a self-regulation type of thing. Then you can look at where TikTok as well was one day banned and then back in again. You look at them being potentially partnering or the US being taken over by an AI company, which then you get into a lot of questions gets raised. You're absolutely right. I think there is regulation, but there's also deregulation as well happening. It could go in two different directions or different countries and different states might take very opposite approaches and only time will tell.

For me, I think going back to even the TikTok story, I think that there's a wrong approach in that. They targeted a company rather than the fundamental issue, which was that data collection of a large amount of citizens by a company that has a state-owned connection. They should have looked at the fundamental problem, the core, because when TikTok went dark a few days ago, everyone moved to different platforms. Same problem. I saw pictures being taken from aircraft carriers that was being posted on RedNote. Again, another Chinese app that's basically doing the similar thing.

For me, I think the fundamental is not addressing the fundamental core of the problem. Just targeting a company is the wrong direction because what you end up doing is you just push. It's like taking down a ransomware gang. Then all of, you've taken down the infrastructure, but you didn't take down the main core problem behind it, and a lot of them just create a new ransomware variant to come out with another smaller one and it grows again. You have this reoccurring snowball effect. For me, I think that's one of the things, but it's visible. It's highly visible. Again, what's going to happen in the next 75 days will be very interesting, I think, definitely around when you look at apps and data and data privacy might get some new direction. Any thoughts? Anything that you have that you thought?

Dan Lohrmann:

No, I think I agree with everything you just said. I think listening to Trump, it's gotten a life of its own now. It's almost like it's a shadow, indication of US-China relations a little bit like, let's cut a deal. It's almost like, listening to him last night from the Oval Office, it was literally like, "TikTok," he always goes into this little side spiel about how a lot of the young people voted for him and they all are on TikTok and they want to keep it going, so maybe I should keep it going because they like me on TikTok. Yeah, these side issues that are almost comical, but we had a bipartisan Congress and the US Supreme Court that upheld saying, "This is a threat to the US," and there's a lot of reasons for that. There's hundreds of papers. I'm sure your audience is very smart on this topic. They can read those papers. I've done a couple blogs on it. I'm sure you have. The good, the bad and the ugly with TikTok.

This issue has been around for several years at least, even more, and it hasn't gone away. I do think my gut tells me that they're going to do a deal. I don't know when. I don't know what the deal's going to be, whether that's somehow 51% US-owned, 49% China-owned, but it's almost become an indicator of US-China relations, which is interesting. Could it be part of a deal on tariffs? You think, "Come on, really? TikTok could be a part of the deal on tariffs?" I don't know. I was a little shocked last week when right before last Friday, Trump came out and said he had a great call with President Xi in China and we're going to make the world a safer, more wonderful place together.

I wasn't expecting that. I think there's, what time is it now? Tomorrow, it could be another new deal that he's cut. Some people think he's going to give it to Elon Musk. Who knows what's going to happen, but I do think it's serious. I do think it's not just a joke. One last thing I would mention on this, Joe, is that, and they mentioned that this morning on CNBC when I was watching. My workout in the mornings on the treadmill, I'm watching CNBC, the morning show and what they're doing at the World Economic Forum in Davos and all of that. The description by several people that TikTok is very different in China than it is in the US.

Joseph Carson:

It's an educational platform in China.

Dan Lohrmann:

It's a platform that's regulated very heavily, back to our regulation point, it's very heavily regulated in China. It's a positive force for their education and their learning in China for young people and for the entire society where in the US, it's very different and it's more about-

Joseph Carson:

It's text and memes. Exactly right.

Dan Lohrmann:

Addicting people to watching really cute videos. The reality is, you can come at this thing from 47 different directions. I do think that my gut is that it's not going to go away. My gut is they're going to cut a deal. I don't know what that deal's going to look like, but I think that the very fact that you've got a bipartisan Congress and the US Supreme Court that's upheld the TikTok ban means it's not going to go on in its current form. It's got to change.

Joseph Carson:

Absolutely. I think it was interesting. I remember going back to the reciprocal point where when India banned TikTok and then China was like, "Okay, let's ban the Indian apps from China," and it was like, "Huh, we don't have any." Again, it was interesting going back. I saw Dark Tangent, DT, his comment, who for the audience, is Jeff Moss, who's the founder of the Black Hat Conference and DEF CON. He made a comment where it should be a reciprocal approach. If TikTok's allowed in the US, then things like Meta and Instagram and other types, and X and so forth should be allowed also in China. It should be a reciprocal play from basically that, open the market to our apps if we open up our market to your apps.

That's the other approach, so then it becomes much more a fair and open, but right now, it's not. It's only one-directional. It's... to your point, and there's two different versions as well, the educational one in China versus the non-educational one that I would say in the rest of the world. It'll be interesting to see what happens over the next couple of weeks. That might set a precedent for other apps and other future directions as well. Anything, what would you like to give the audience for recommendations? What would be your suggestions for reading materials or education? We'll definitely make sure that your book and the blog and the CISO Insights especially you do with Errol as well, because that's always fantastic on BrightTALK. That's always fun.

Dan Lohrmann:

As I mentioned earlier, we want to have you back on the show this year, so we're excited for that. I'll just mention the top five reports. Again, these aren't Dan Lohrmann's predictions. I'd just say two quick things on this. I'll just run through the top five real quick. You can go read those. Some call them predictions. Some call them forecasts. It's funny. Some people say, "We don't do predictions. We do insights. We do forecasts or we do trends," but really, they're all the same. The reality is, they're using the word interchangeably. I understand a trend is not a prediction, but they're really bringing in. Trend Micro was the top report this year.

Joseph Carson:

They always do a fantastic report.

Dan Lohrmann:

Great cyber security forecast. They have videos. A lot of them have interactive things. You can scan it quickly on their websites and you can click on one and zoom in on the specific, zoom in on one topic. You don't have to read the whole thing. Some of these are very, very, very state-of-the-art, innovative, in some cases, reports. It's really cool to even watch it and see how they do some of this. A lot of reports, a lot of examples, talking about Google Willow as well, where they're going.

Joseph Carson:

What was a bit of a shock for me was the Willow chip and its capability on actually basically correcting the encryption key. I think it was 10. I can't even remember what the number was... or whatever it was to the power of ten.

Dan Lohrmann:

It's crazy. It really is. There's a great video in there, a video you can watch, we link to. There's a lot on encryption and where they're going with quantum and that whole thing. WatchGuard does a great job, I always think. They're a small company playing with the big boys, but they're always very creative. They do some great reports, I'll run through their five. Malicious AI will create attack chains. Threat actors move to the long con. They call it the long con versus pig butchering, same thing. Bad actors profit with gen AI. This is a funny one. CISOs become the least desirable role in business. CISOs are getting a bad name out there. Some people last year were like, our roles will grow, and in many cases they have, involving AI, involving all areas that maybe they weren't involved in before, but it also puts a lot of pressure on what they have to produce.

Then Fortinet did a great job as well, really great report. Some of the people on our show tell me they like Fortinet best. Then Splunk was number five. Fortinet, one person said Fortinet, one person said Splunk. They really liked Splunk, which did a really nice job as well. They're now part of Cisco, but they have a really great report. Again, I get 20-something pages and lots of examples in here. Those are the top five. You could go on and read them. I was going to ask you. I don't know if you have time for this, probably we're out of time now, but Kaspersky is always in the top 10. I think they've often been in the top five. They're banned in the US, but they always put out good reports.

Joseph Carson:

Yeah, they still have a lot of coverage in the Middle East, Africa, Southeast Asia, so they still have a large presence. The Kaspersky Lab portion does pretty phenomenal research. Again, they're also a big contributor to Interpol as well, so they do a lot of collaboration there. Their insights, again, there's always the question around the connectivity and connection between state and private companies, but they do pretty impressive research. Absolutely.

Dan Lohrmann:

I think so, too. They were number six. I just throw that out there. Again, go to the material. You can disagree, but educate yourself. We always talk about we all have to be lifelong learners. We all have to reinvent ourselves. What I do now, how I do it is so different than it was even a decade ago. All of us, our jobs are changing, our roles. AI is changing. The technology innovation is changing, so I just encourage people to go out, read the material, read the reports to themselves, read the details from these companies because they really offer an abundance of really helpful material.

Joseph Carson:

I couldn't agree more. One of the things I do with these predictions and insights and trends and reports is, it allows me to understand, I've got my own research that I do. Then I try to overlay it with the other reports, insights and trends to see, is there something I need to be thinking about differently? Is there something that I need to double down on because it means that, yes, I need to take an action because this is very likely applicable and high impact to the work I do. It allows me to really learn. That's what we do. We're a community. We're a community of people who have various different types of input, and the research comes from huge experts in the field. They've got large teams, like I said, Google Mandiant, and they've got an impressive team.

When they provide their insights, absolutely, I'm going to look at it. When the Verizon Data Breach Investigations Report comes out, I'm going to look at it because the contribution from the community in that is so vital. It's our scorecard in many regards, so I thank you for correlating and bringing this all together because it simplifies, when it comes to people like me, it simplifies it for me. Rather than me going and having to do the research myself and find everything, you bring it and make it so much easier for everyone to consume. Then doing it with the CISO Insights talk, the session you do, is another. It's behind a similar thought process to all of this. Great work, Dan, and keep up the fantastic work. It's always very much appreciated. Again, many thanks for coming on the episode. It's always great to chat with you. I always learn something new and always have a great conversation. If the audience have any questions, what's the best way to contact you?

Dan Lohrmann:

Yeah. Feel free to reach out on LinkedIn. Dan Lohrmann on LinkedIn, L-O-H-R-M-A-double-N, and you see my name. Joe, I just want to say thank you to you. You do amazing work. You're always, everyone talks about it. You say, "Oh, you know Joe." He's literally a global celebrity in the cyber security world, so thanks so much for having me. It's really an honor to be on your show, so thank you.

Joseph Carson:

It's always, for me, the highlight of my time of the week is talking to amazing both security experts and leaders and innovators like yourself. For me, it's the most fun part is listening and learning, so thank you.

For everyone, definitely we'll get all the show notes. We'll get all the links to the blogs. We'll get links to Dan's books, as well as the CISO Insights episodes, so it allows you to quickly find them, be able to go and look for more information, for more learning opportunities. Again, Dan, many thanks. For the audience, stay safe, take care. Tune in every two weeks for the 401 Access Denied podcast bringing you insights, learning, educational trends, hot topics to really make it simplified and help you understand the current state of cybersecurity in the world today. Thank you. Stay safe and take care. All the best.

Dan Lohrmann:

So long.
