August 12, 2025

EP 13 – Pizza parties and profit margins: The business of cybercrime

Cybercriminals today operate more like startups than stereotypes—complete with org charts, sprint cycles, and pizza parties to celebrate successful breaches. In this episode of Security Matters, host David Puner talks with former CISO and U.S. Air Force veteran Ian Schneller about the evolving sophistication of threat actors and what it takes to stay ahead.

From zero-day vulnerabilities and machine identity risks to AI-powered attacks and insider threats, Ian shares practical strategies drawn from his experience in military intelligence, offensive cyber operations, and corporate security leadership. Learn how to build resilience, translate cyber risk into business outcomes, and lead with mission-driven clarity in a threat landscape that never slows down.

David: You are listening to the Security Matters podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.

Imagine this: you’re defending your company from a cyber attack, but this isn’t the stereotype of a lone attacker in a hoodie. We’ve all seen that cliché enough. The group coming after you has an org chart. They run sprints. They track ROI, and when they pull off a breach, they celebrate with a pizza party.

Just like any other successful business hitting its goals, now they’ve decided you are their next project. This may sound like the opening to a cybersecurity thriller, but it’s real. Today’s guest, Ian Schneller, has seen it firsthand. As a former CSO, most recently with Health Care Service Corporation (HCSC), and a U.S. Air Force veteran, Ian joins us to break down what it takes to stay ahead of today’s most organized and rapidly evolving threat actors — from building resilience against fast-moving attacks, to strengthening identity defenses and applying mission-driven leadership.

Ian shares practical strategies and stories drawn from the cockpit, the command center, and the boardroom that security leaders can use to help stay ahead of evolving threats. Let’s get into it with Ian Schneller.

David: Ian Schneller, welcome to Security Matters. Thanks so much for coming onto the podcast.

Ian: Oh, my pleasure. My first time, too. Very excited.

David: Well really appreciate having you on. Where does this podcast find you today?

Ian: In Dallas, Texas. In the middle of summer. Very hot.

David: All right, so we’re air conditioned today, I imagine.

Ian: We are.

David: I’m actually not running AC. I’m in New Hampshire today, and it’s like high sixties, which is kind of odd after being in the nineties all week in Boston.

Ian: You’re making me jealous. Maybe next time I go to New Hamster — and I called it New Hamster because that’s what my kids called New Hampshire when they were younger.

David: Live free or die state. And today it is cloudy and raining and cold. So there you have it. Anyway. Let’s dive right in. There’s a lot we gotta talk about here, a lot we wanna talk about. You’ve had a remarkable career spanning roles in the U.S. Air Force, cybersecurity leadership at major financial institutions, and most recently as CSO at HCSC, otherwise known as Health Care Service Corporation. What initially drew you to cybersecurity and how has your perspective on the field evolved over the years?

Ian: It’s a great question and I’m gonna start with a story.

David: Okay.

Ian: And you’ll see there’s a theme here. I have stories — it helps me in my brain kind of resonate.

David: Perfect.

Ian: About five months ago, 20 CISOs in Dallas, we met and had dinner. We started out with “How did you get into cybersecurity?” We had somebody who was a rodeo rider, a dancer, a ballerina. A musician, a fighter pilot — that wasn’t me — and a whole gamut of really interesting jobs.

And the really interesting part with all is nobody started out in cybersecurity. About maybe half didn’t have a technical background to start, and life pushed them into the cybersecurity route.

And so I was kind of a hybrid. I had a technical background, but I didn’t join or start my career thinking I was gonna be a cybersecurity expert. I had a technical degree, but I also had a pilot’s license. I flew aerobatics, I flew high performance aircraft. I was gonna be a pilot in the Air Force. That was my plan.

Ian: As many of us know, life might have plans for you that aren’t your plans. And long story short — summarizing briefly — right after the first Gulf War budget cutbacks, after being at a fighter pilot squadron for a while to just kind of get my legs under me before going to formal training, the Air Force said, “We don’t need as many pilots, but you have a technical degree. How about you go be an intelligence officer?”

Alright. Like, okay, alright. I dunno what that is, but I’ll find out. And I did that for a couple years.

Then there was a call for a very specialized workforce for what eventually turned into offensive cyber, and I did that through the nation’s intel community for a long time.

It was about 15 years ago when the Air Force said, “How about we take what you learned as an offensive cyber individual and put that into defense?” And they assigned me to be a CIO and CISO. So I was dual-hatted into a joint role at an Air Force base in Northern California.

And so it took about 15–20 years of my career to actually get into a true defensive role.

David: And overall, you spent about 24, 25 years in the US Air Force.

Ian: Twenty-four.

David: Years in uniform and in the cyber realm, how long were you with the Air Force?

Ian: Uh, well, I would have to kind of count it out. If you count the offensive and the defensive side, all told probably 12 — probably closer to 15.

David: Okay. So then what was it like to shift over from military to corporate cybersecurity? Were there any particular lessons from your time at Cyber Command or the NSA that really stuck with you in the private sector?

Ian: First of all, as a veteran, as a senior officer, you’re very comfortable — to the degree you can be — in a very large organization called the Department of Defense.

You’re all of a sudden vulnerable. You’re in the private sector — different language, different culture, different business, different people, different lessons learned.

It can be a tough transition and I think it would probably be tough in many ways for many veterans. So, as an ask for anybody who’s hiring a veteran, realize it can be tough.

Having some mentoring along the way goes a long way in developing that person. You feel vulnerable for a while, and so it was with me.

I had to learn finance. I spent hours and hours every night reading books on “How does a nation’s economy work? How do banks work? What are banking laws, banking regulations?”

I studied really hard on that and it was a lot of work. I enjoyed it, I loved it, but that meant it was a while before I could really, truly be effective and understand the business model of what I’m here to support.

So that’s general advice I would give anybody in the career: spend time to learn how your business works, whatever it is.

And then of course, when I became the CSO at HCSC, I had to spend a lot of time learning how the healthcare sector works.

David: I’m glad you mentioned that because across your career you’ve overseen massive cyber defense operations in critical industries like finance and healthcare. How did those sectors differ in their approach to cybersecurity challenges, and what strategies proved universally effective?

Ian: That’s a great question and one that I get asked a lot.

And so this is my opinion from observations across the defense sector and healthcare sector — and finance is part of it — it’s just the baseline of how it’s formed.

If you look at how an industry baseline is formed, it usually starts from laws and regulations, and the sectors have different laws, rules, regulations. The healthcare sector’s underpinned by HIPAA and HITECH.

Very important. How old is that? When was the last time the information security portions were updated? Around 20 years ago, a little bit over.

And so the threat has changed a lot in 20 years. For organizations who have aligned their security program to that specific rule/regulation but have not evolved, they’re about 20 years behind the cyber threats.

My personal opinion is that’s one of the reasons factoring into some of the breaches that you see.

One of the other things — very noble and right — HIPAA and HITECH are aligned to protect private health information for citizens. That’s great, but it doesn’t really get into ensuring the availability of services.

A major breach can occur that doesn’t affect the information, but can affect an individual’s ability to access care. We’ve seen that in some really very, very large news stories over the last year or two.

When you put the two of those together, I see in the healthcare sector — and it’s getting better, thankfully — but over the last few years, many organizations have aligned around saying, “I’m compliant with HIPAA/HITECH, I’m done.” And they don’t evolve into staying in front of the threat, the adversary.

And that’s probably the biggest thing that I see.

David: You mentioned that you started out as a pilot. First of all, are you still flying? And second of all, how is being a CISO in some ways similar to being a pilot, or is it not?

Ian: One, and I have to be fully disclosed, the last time I flew a plane as pilot in command was in 1999. It’s been a long time.

David: Okay.

Ian: If you and I went flying, you’d probably be scared and I’d spill your coffee, so you don’t want me flying right now — it’s been a while.

But there are so many parallels between so many different careers. I think in general, it’s a beautiful question to ask anyone.

Here’s a few things — and we could make this an entire day-long conversation on the parallels. The first thing is metrics, and I’ve given a presentation to a sector conference on metrics.

As a pilot, you’re trained to know the key risk indicators for your system. What’s gonna cause a problem? What do you do about it?

And in information security, we love metrics. We can generate metrics all day long, but which ones matter? What do you do about it when it goes out of tolerance? What’s your tolerance?

Being trained in what really matters and how you keep your system operating safely is almost an exact parallel.

Ian: But here’s the interesting thing — and I’m just gonna give you just a taste because we maybe should talk about this another time — what happens when there’s an incident in the aviation community?

Deep investigation, and the entire world finds out every single thing that went wrong leading up to that accident, and then it’s published, and then everybody learns from it so that you don’t repeat the same mistake.

What happens in the information security world? Eh — you don’t find out. You hear a generic statement: “An auto company got breached and it was because they didn’t follow good practices.”

Well, what specifically?

So I think we have a lot we could learn from the aviation industry.

David: Really interesting. I’m glad we touched upon that and yes, I would be fascinated to have a day-long conversation with you about it.

So then, getting back to being a CISO, you’ve been a CISO in some pretty intense environments. What’s typically misunderstood about the CISO role, and how do you personally define success in it?

Ian: Well, the CISO role, like many executive positions — I don’t want to say that we’re different in this aspect — but it is stressful.

One thing I see that is a little bit different in the CISO role is, consider an organization that, for example, misses earnings targets. What does the news report usually say? Usually it says, “Company X missed targets,” and so on and so forth.

What happens if a company gets breached? In that case, “Company got breached and the CISO” — and they name the person — “and it’s their fault.”

It becomes personal.

David: Mm-hmm.

Ian: So it’s a very, to me, very different environment.

The other one I would say that’s very different in this role — in any business role you could call it warfare in a way, that you’ve got threats and they’re trying to disrupt your model. But in cybersecurity, those threats at the end of the day are people and they’ve picked you, and they’re actively targeting you and your team.

And so it becomes more personal, and it becomes a little bit more like what you might consider warfare. And I think that’s why you see the term “cyber warfare” a lot — it is truly warfare. There are people out there trying to do you harm and de facto, harm your customers.

David: Then speaking of cyber warfare, the growing sophistication of cyber adversaries — attackers, bad actors, whatever you might call them — have you seen them evolve firsthand, particularly their use of zero-day vulnerabilities and global operations?

Ian: There are many terms. To me, the clinically correct term is “threat actor.”

Okay, it’s a little clinical — they’re hackers, they’re bad guys, probably bad gals, you get the idea. But I call ’em threat actors usually.

To understand the answer to that question, first of all, I think it’s really important to understand who are they and what motivates them.

Depending on what you look at, it might be a nation state motivated by intelligence purposes, it might be a criminal motivated by money, might be a hacktivist motivated about standing behind a position.

Ian: By and large, what we see and hear in a lot of the media are criminals — but what I’m gonna say next really applies to any threat actor.

They’re getting better. Look at their techniques — to me, it’s extremely interesting to go a double click down behind what we’re seeing.

What have we seen over the last 12–18 months? A wealth of zero-day vulnerabilities discovered in what I call edge devices — firewalls, proxies, endpoint devices — that gain initial access into a network.

And what I don’t think coverage has gone deep enough on is understanding how does that happen?

The threat actors have to invest in research and development. So when you pay that ransom, some of that money’s going into investing in new capabilities.

What does that mean? How do you get the technology into the country you’re operating from? How do you reverse-engineer that to find the vulnerability? This is really tough work.

And then what’s really interesting — and you can look at a couple of examples over the last year or two — now they’ve weaponized it globally at scale.

Think of a few things that happened with zero days that we found out about after. Part of the aftermath wasn’t just the zero day, but many, many companies were breached over the weekend.

Think how hard that is — to weaponize it, to deploy it, to execute, to collect the information rapidly in a period of days.

This is really sophisticated work, and so when I put that back together — they’re getting better. They will always get better because those motivations I mentioned at the beginning will not change.

They’ll always want money or more intelligence or to make a public stand for or against something, and so whatever today’s state of capabilities are, they’re gonna get better.

And whatever we defend against today, we can’t forget that that’s gonna be old news before long — something else is gonna come.

Part of our job is to anticipate and forecast what is next and raise the defenses before the threat actors get there.

David: That’s a tough job. So how do you do that? How do you stay on top of it and how do you anticipate what’s coming next?

Ian: Part of it is red teaming — and yes, we’re thinking red teaming penetration testing, absolutely — but part of it’s red teaming to continuously think outside the box: How would I break into my systems? How would I affect my organization?

And to have really creative and critical-minded individuals work at that constantly.

Part of this is experience — just having been, for example, on one side, on the offensive side, where you have to continuously get better — having that adversary’s mindset.

And what I like to tell everybody is don’t forget the adversary has 51% of the vote in what offensive cyber actions come at your organization.

So you have to consider their motivations, their capabilities, in your equation on defense.

David: How do you mean 51% of the vote?

Ian: No matter what you do, the threat actor’s gonna do what they’re gonna do and they’re not gonna ask you — they’re gonna do it.

David: And you’ve described threat actors as being as organized as Fortune 500 companies, sometimes even throwing pizza parties after big attacks. What does that level of sophistication mean for how we defend against them?

Ian: First of all, don’t underestimate the threat actor — the adversary. They’re not necessarily a couple of loose-knit teenagers in the basement of their mom’s house, as kind of a stereotype.

They might be very well organized. They have profit and loss statements. They invest in research and development.

What’s interesting is they very likely have return on investment calculations — if they’re gonna go after a company, after a certain amount of time it’s not worth their time anymore and they might go somewhere else.

So they operate like a financial organization. They are out there to make a profit.

Now, I’m largely talking criminal actors here. If it’s a nation state after intelligence, it’s a different motivation — but again, we know nation states are gonna be very well organized.

If I were to boil this down into one piece, it’s: don’t underestimate that threat actor. They are very capable.

David: So then, moving to identity. With identity emerging as the new perimeter in cybersecurity, what’s your perspective on securing both human and machine identities?

Ian: Oh, there’s so much we could unwind there. First of all, let’s take a macro look at what’s happening here.

We have vulnerabilities — maybe it’s phishing, who knows — and as the world rallies around reducing that vulnerability, the threat actors will find something different.

What we’re seeing now is a lot of violations of identity vulnerabilities.

It could be calling a help desk, social engineering your way in. At the end of the day, we’ve got a person — they want to help you — they’re gonna capitalize on that. That’s the human side.

So we’re seeing a lot of vulnerabilities in identities, and it’s a tough problem to tackle because usually you’ve got years of practices that need a little bit of hygiene.

What’s coming up is what I call non-person identities — or I think you called it non-human identities — machine identities.

David: Mm-hmm.

Ian: Those are identities that keep applications working. Without going into a lot of details, usually an application needs to talk to another application, and they authenticate with a non-human identity.

David: Mm-hmm.

Ian: And they might have been there for 15, 20 years. You may not even know all your applications that use it.

It’s probably a hard-coded password somewhere. These are things that are really tough to discover and fix — that means it’s a vulnerability.

Threat actors are starting to look into that and exploit it, and that is an avenue into a network.

David: So then, cloud environments continue to present unique challenges. What kinds of risks have you seen with cloud default configurations, and how can organizations stay ahead of them?

Ian: Again, I love drawing parallels, and to me — especially in the early days and to a certain degree now, and not just cloud — I look at it as you bought a car.

You got this nice, bright, shiny car, and you look inside and there’s no seatbelt. And you say, “Well, I want to be safe when I drive my car. Where’s my seatbelt?”

“Oh, well, we’ve got another team. We can give you a seatbelt, but you’re gonna have to hire a resident security engineer and budget a year, and we’ll put a seatbelt in there for you. But hey, nice car — start driving it now.”

It’s almost the same thing in security, and I think cloud was a big piece of that when you look at some of the insecure default configurations.

Other technology is just as guilty.

I have seen this in a positive trend — I don’t think it’s at the end of the trend — where things are starting to become more secure by default.

That’s one big thing we need to get to. It’s a very complicated system and there are many configurations, and you can’t expect everybody to know all the configurations on day one.

So part of it is: secure by default is a key trend that we need to aim for and get to.

David: While we’re along the challenges track here, I might as well just keep ’em coming. Healthcare organizations face mounting pressures from ransomware, legacy infrastructure, and compliance requirements. How should CISOs in the healthcare sector prioritize addressing these intersecting risks?

Ian: Hopefully not all three are insufficient, because that’s a tough challenge. And I hate to give this answer, but you gotta do all three — and I’ll unwind that a little bit.

If you don’t have bare-bones compliance met, here’s what’s gonna happen: internal audit, external audit, regulators are going to drive your strategy. You must do what they say.

And so that will be the group driving your strategy, and you don’t want that. You want to drive your own strategy.

So get a firm foundation where compliance is solid, but you have to understand that that’s not the end of the game.

You have to move into the threat actors — constantly evolving. We talked about it: how do you stay in front of them? You have to uplift that game all the time.

But also, what I call operational excellence — are you deploying the capability across your entire attack surface, and correctly? That’s tougher than it sounds.

You must continuously do both.

Ian: Now, the ransomware piece is really interesting and we didn’t talk too much about it. One of the ways I’ve seen CISO roles change is success is — and should be — “Don’t get hacked.”

David: Mm-hmm.

Ian: But if you do, make sure we can respond appropriately and recover back to normal operations quickly so that the business can run.

That’s another piece I’ve seen in the job jar of CISOs, and I think it’s a very appropriate one because, despite your best intentions — maybe a malicious insider, who knows — you might get breached, you might have your services stop working.

Be resilient. Become operational again very quickly.

David: In your CISO roles, how much of your bandwidth on average was spent combating malicious insiders or preventing malicious insiders — or whatever the proper terminology may be?

Ian: I don’t want to speak specific to a particular role because we could tie it to maybe some things that did or didn’t happen. I think the bigger message is — I mentioned threat actors: nation states, criminals, hacktivists. There’s a fourth class: insider threats.

An insider threat could be non-malicious — the person who just fell for the phish and started a chain of events. That could be a non-malicious insider threat.

Or you could have a malicious insider threat — somebody on purpose exfiltrating information, or deploying ransomware.

We cannot discount those threats. Part of a program should have an insider threat capability to detect these risk scenarios that I just mentioned — and many more.

It is a critical capability and it is something that I think needs to happen.

What I see some organizations say is, “Oh, our workforce is great, not us.” It could be anywhere.

And you read the news stories — there are plenty where a malicious insider caused some kind of incident.

David: Devoted listeners of this podcast may be surprised that we haven’t even mentioned artificial intelligence yet in this episode, so let’s mention it now. Artificial intelligence and agentic AI are rapidly transforming attack and defense strategies — both sides of the battlefield, if you will. How do you see it being weaponized and how can defenders use it to their advantage?

Ian: It’s a great question — it’s one I get all the time.

The way I see threat actors using AI: phish messages are really good. Business email compromise messages are really good. Deepfake videos — they’re really good.

If you look behind the scenes, really they’re all aimed at getting access to your computer systems or to your money directly.

I’ve also seen malware strains that most likely were written by artificial intelligence.

David: Mm-hmm.

Ian: And the undiscovered malware — or signatures that aren’t known, where your tooling can’t detect or block against it — is on the increase.

So yes, threat actors are using artificial intelligence.

The turnaround to that is: if used correctly, it can be a great defensive capability too.

Think of a large organization — imagine all the things that happen day in, day out: alerts, warnings, breaches (hopefully none). But there could be, and there aren’t enough people in the world to look at and analyze all of that.

Artificial intelligence is getting quite good — in my opinion — at correlating all of that and really dialing down into: where might a real problem be? Where might we need to put human attention?

It helps us make sure we use our resources appropriately in defense, prioritize defense.

That’s for cybersecurity.

Now, there are many different risks here and it’s much bigger than the CISO — it really needs to be an enterprise program, like AI security.

How do we make sure we get the right answers? How do we make sure it’s not hallucinating? How do we make sure it’s responsible and ethical?

I think the CISO should be at the table in helping formulate the right answers here — but it shouldn’t be only the CISO at that table. It’s a very enterprise-wide problem to solve.

David: That table, of course, is reflective of the CISO and where the CISO sits at that table.

So early in your career, you saw firsthand how technical language can fall flat in business settings. What helped you realize the importance of translating cybersecurity into business outcomes, and how has that shaped your leadership style?

Ian: It makes me laugh — I’m telling a story that happened about 30 years ago and it is still so fresh in my mind.

When I first started in the Air Force, I was in a fighter pilot squadron. I got to fly a lot of planes, learn a lot. I didn’t know anything about cybersecurity.

The wing commander — the boss over the whole base — about once a month would have a big staff meeting of all the different leaders on the base, and he’d let the lieutenants sit against the wall as long as you didn’t talk or move. You were allowed to be in there and listen.

So I was a wallflower, and I listened.

I still remember this one day — the equivalent of the base CIO and CISO (they didn’t call it that at the time) — he stood up and said, “Hey boss, I need a million dollars — blinky lights, wires, firewall, ones and zeros.”

Ian: I had an engineering degree and I didn’t even know what this guy was saying. I had no idea — and I had more of an idea than probably the boss at the end of the table, who flew fighter jets and didn’t understand information security.

I still remember the guy’s look on his face — stone-faced. He had no idea what was being said. He said, “Denied. Sit down.” Just like that.

I remember feeling terrible for this guy — I still feel it when I tell you the story.

David: Sounds like Maverick requesting the fly-by right there.

Ian: Pretty much. Yeah, almost the same.

The next month, the same guy comes up, says, “Hey boss, need a million dollars for a firewall. But here’s the reason: on your base you have about three days’ worth of gas to keep your jets flying. That gas is supplied by an electronic connection that, if disrupted, would stop the flow of gas. For a million dollars, we can protect that and ensure you have a steady flow of gas — keep your planes flying as long as you need.”

Same conversation, same ask — but now he changed it to resonate with the leadership at the table. The conversation took as long as I just took right here, and the boss said, “Oh — approved.”

You see the difference?

David: Yeah.

Ian: Skip forward from that time — it was almost 15 years, maybe a little bit longer — when I took command of the Communication Squadron, which is the CIO and CISO organization on an Air Force base.

I remember after the ceremony, I walked in and I sat in my chair. I looked around and said, “I’ve never been a CIO. I’ve never even worked in a CIO or CISO organization. What am I doing?”

I remembered that story, and so I’ve got story number two now.

That day was a Friday — I still remember this. At the end of the day, there was a social. The wing commander hosted a social for all the commanders, and it was about 5:00 on a Friday.

This was Northern California. One of my roles: I had all the aircraft systems for that section in Northern California — radars and instrument landing systems and all that kind of thing.

I got a call from the crew saying the instrument landing system was out, but, “Don’t worry — we’ll fix it on Monday.”

I said, “We should fix it now. Why aren’t you gonna fix it now?”

They said, “No, our SOP says if it’s the weekend, we fix it the next workday.”

I said, “No — you’re gonna fix it now, tonight.”

Ian: They got a little upset with me, but they did it. And I said, “Well, let me explain to you why.”

This is where the aircraft experience came in — and I’ve got to give a little bit of a side note to my story.

This was 10–15 years ago. There was a full-motion simulator for a big jet on base — one of the biggest planes in the country. I was able to get in and I gave them all lessons on how to fly a radar approach and an instrument landing approach.

The gist of it is: you’re very precise with an instrument landing approach; you get kind of close with a radar approach.

Even though they weren’t pilots, they immediately saw once I showed them.

And you know what? For the rest of my tenure there — this was Northern California, lots of fog — never once did I have a single complaint. Anytime that instrument landing system had even a potential of a glitch, they were on it. They fixed it immediately, no matter what.

The key here is we turned the business objective into — in this case — an information security priority: the availability of the system.

If you understand the business you support, it helps you make prioritized decisions.

I could go on with stories all day long on this kind of thing, but the key is: as a CISO, understand your business. Understand what generates revenue, what keeps customers happy, what’s on the mind of the CEO, COO — and that will really help you prioritize what to fix, what to secure.

David: Along those lines, what qualities or skills do you believe are the most critical for the next generation of cybersecurity leaders?

Ian: I love the question — I get this asked all the time. I know you want me to say “technology” number one. It’s not — it’s lower on the list.

I always say: be a student of leadership. In a lot of my CISO roles, I had hundreds of people in my team. You need to be a leader.

You need to understand how to lead teams — not perfectly, but the key is to continuously study, train, assess, adjust, and become even better.

Be a great communicator — and we talked about some of the techniques here already. Be able to concisely, crisply speak or write your point.

How many times have you received an email where somebody’s asking you for something and it’s three pages long? I stop reading after about the fourth sentence. If you can’t ask it quickly, I’m not gonna read it — I don’t have time.

So being crisp and clear in communications is really key.

Ian: Be inquisitive — question, want to understand. Be thoughtful in your thinking, and then be able to be decisive and execute.

Before I get to technology, this is a big one: know how budgets work. How do we get money? How do we spend money? How do we ask for more money?

It sounds trivial, but you know what? That’s what makes your program work — do you have the resources to do your job?

After that — how do you hire people? How do you get more people?

And then technology. Obviously you need to have some kind of technology background — you may not need to be a reverse engineer, but you do need to understand how the technology can be used to help protect against cyber threats.

David: So then, having worked closely with public–private partnerships, what role do you believe these collaborations play in addressing the cyber challenges of today and tomorrow?

Ian: I think public–private partnerships are a great idea. I’ve seen them strengthen over the last 10 years. I see room to grow.

One area — and you’re seeing a trend here, right? You gravitate towards what you learned first and what you know.

If you’re in a fighter jet flying in enemy territory, you have a radar — it’s picking up threat signals within the view of that radar, but you only see what your system sees.

Now imagine if there are many jets out in that battlespace and each one sees part of the picture. What if we can combine that into one picture of the whole battlespace?

Public–private partnerships can do this with cyber. You might have a great view of the threat picture that you face, but it might not be complete.

If we can find a way to legally and safely build what we all see into one large threat picture, we can be better defenders.

Another key piece — and this is overlooked still — is what I call systemic risk. We’re so focused on defending our organization that we may not understand how our organization fits in the ecosystem of healthcare or finance, for example, and which key nodes would make our entire system fall down.

Maybe an upstream node — an organization, a utility, for example — might be breached and fail. The trickle-down effects might affect me, and those effects might affect four other organizations. Pretty soon, we have a sector in crisis.

It comes down to: how does our sector work, how do we collaborate together to ensure our sector is resilient? There’s work being done there, but there’s a lot more to do.

David: What threats should CISOs be watching over the next few years, and is there anything flying under the radar that deserves more attention?

Ian: That’s a great question — it’s one I think about all the time. I know what I’m gonna say here isn’t gonna be the most complete answer.

If you go back 10–15 years ago, nobody envisioned a lot of the threats we see now. The key is understanding they will evolve — there will be new threats.

The motivations probably won’t change much: money, intelligence, public stance. So start there, then critically think about what might happen next.

An example: multifactor authentication is great — but as it becomes widely deployed, they find ways to work around it.

So whatever key defense we have now, the threat actor will find some way to bypass it.

I think insider threats will increase. I hear quantum technology and quantum-safe algorithms will be big — quantum computing will really change how defenders need to defend and how attackers will attack.

Is it there yet today? Probably not. But someday, it will be widely available — what will happen then? We need to think about it now and start building strategies early.

David: Quantum is definitely something we’ll be keeping our eye on.

So, let’s talk about you and what you’re up to these days, to wrap things up here. You’ve recently shifted your focus toward advisory and board roles. What drives the new career chapter, and what’s one piece of advice you’d offer to someone just stepping into the world of cybersecurity leadership?

Ian: I love it. On a personal side — I stepped down about a month ago for health reasons. I have some short-term health challenges I’ve got to work through. Everything will be fine — it’s just that you can’t be a CISO, which is a full-time job, and focus on getting through the health issues.

You can’t do both at the same time in this case, so I made the tough choice. I loved my organization, loved the team — amazing people, amazing organization — but I have to focus on myself and solve those challenges.

By short term, I mean in 2026 I should be back to normal.

I’ve been on a couple of boards of directors, I’ve been on advisory boards — I really like that work. I’ve had a lot of formal training over the last two years in it, so I’m going to dip my toe into that and see how it works.

Shifting to your second question: for those pursuing a cybersecurity career — in my opinion, you picked a great career. It’s going to be a career that exists for a long time. It’s a job that’s different every day. You get to use your brain, think critically, and it never gets old.

I don’t think anybody who’s really in cybersecurity gets bored. It’s a great way to keep your brain active and ultimately to do good.

If you do your cybersecurity job right, you’re helping people — you’re saving their information, their access to care if you’re in healthcare, or their access to money if you’re in finance. You’re doing good.

So I highly recommend cybersecurity as a career.

David: So are you leaving the door open for potential future CISO-ing, or do you think you’ve maybe had enough of the adult-size portion?

Ian: I’ve learned you never say no to a door that’s open.

David: Ian, thank you so much for coming on the podcast. Really appreciate it. I think there are a lot of areas we can dive into deeply with you here, and look forward to having you back sometime in the near future.

Ian: It’d be a pleasure. Thank you.

David: Alright — there you have it. Thanks for listening to Security Matters. If you liked this episode, please follow us wherever you do your podcast thing so you can catch new episodes as they drop.

And if you feel so inclined, please leave us a review — we’d appreciate it very much, and so will the algorithmic winds.

What else? Drop us a line with questions, comments, and if you’re a cybersecurity professional and you have an idea for an episode, drop us a line.

Our email address is [email protected].

We hope to see you next time.