Cybercriminals today operate more like startups than stereotypes\u2014complete with org charts, sprint cycles, and pizza parties to celebrate successful breaches. In this episode of Security Matters, host David Puner talks with former CISO and U.S. Air Force veteran Ian Schneller about the evolving sophistication of threat actors and what it takes to stay ahead.<\/p>\n
From zero-day vulnerabilities and machine identity risks to AI-powered attacks and insider threats, Ian shares practical strategies drawn from his experience in military intelligence, offensive cyber operations, and corporate security leadership. Learn how to build resilience, translate cyber risk into business outcomes, and lead with mission-driven clarity in a threat landscape that never slows down.<\/p>\n
Imagine this, you’re defending your company from a cyber attack, but this isn’t the stereotype of a lone attacker in a hoodie. We’ve all seen that clich\u00e9 enough. The group coming after you has an org chart. They run sprints. They track ROI, and when they pull off a breach, they celebrate with a pizza party.<\/p>\n
Just like any other successful business hitting its goals, now they’ve decided you are their next project. This may sound like the opening to a cybersecurity thriller, but it’s real. Today’s guest, Ian Schneller has seen it firsthand. As a former CSO, most recently with Healthcare Service Corporation, HCSC and a U.S. Air Force veteran, Ian joins us to break down what it takes to stay ahead of today’s most organized and rapidly evolving threat actors \u2014 from building resilience against fast moving attacks, to strengthening identity defenses and applying mission-driven leadership.<\/p>\n
Ian shares practical strategies and stories drawn from the cockpit, the command center, and the boardroom that security leaders can use to help stay ahead of evolving threats. Let’s get into it with Ian Schneller.<\/p>\n
David: Ian Schneller, welcome to Security Matters. Thanks so much for coming onto the podcast.<\/p>\n
Ian: Oh, my pleasure. My first time, too. Very excited.<\/p>\n
David: Well really appreciate having you on. Where does this podcast find you today?<\/p>\n
Ian: In Dallas, Texas. In the middle of summer. Very hot.<\/p>\n
David: All right, so we’re air conditioned today, I imagine.<\/p>\n
Ian: We are.<\/p>\n
David: I’m actually not running AC. I’m in New Hampshire today, and it’s like high sixties, which is kind of odd after being in the nineties all week in Boston.<\/p>\n
Ian: You’re making me jealous. Maybe next time I go to New Hamster \u2014 and I called it New Hamster because that’s what my kids called New Hampshire when they were younger.<\/p>\n
David: Live free or die state. And today it is cloudy and raining and cold. So there you have it. Anyway. Let’s dive right in. There’s a lot we gotta talk about here, a lot we wanna talk about. You’ve had a remarkable career spanning roles in the U.S. Air Force, cybersecurity leadership at major financial institutions, and most recently as CSO at HCSC, otherwise known as Healthcare Service Corporation. What initially drew you to cybersecurity and how has your perspective on the field evolved over the years?<\/p>\n
Ian: It’s a great question and I’m gonna start with a story.<\/p>\n
David: Okay.<\/p>\n
Ian: And you’ll see there’s a theme here. I have stories \u2014 it helps me in my brain kind of resonate.<\/p>\n
David: Perfect.<\/p>\n
Ian: About five months ago, 20 CISOs in Dallas, we met and had dinner. We started out with \u201cHow did you get into cybersecurity?\u201d We had somebody who was a rodeo rider, a dancer, a ballerina. A musician, a fighter pilot \u2014 that wasn’t me \u2014 and a whole gamut of really interesting jobs.<\/p>\n
And the really interesting part with all is nobody started out in cybersecurity. About maybe half didn’t have a technical background to start, and life pushed them into the cybersecurity route.<\/p>\n
And so I was kind of a hybrid. I had a technical background, but I didn’t join or start my career thinking I was gonna be a cybersecurity expert. I had a technical degree, but I also had a pilot’s license. I flew aerobatics, I flew high performance aircraft. I was gonna be a pilot in the Air Force. That was my plan.<\/p>\n
Ian: As many of us know, life might have plans for you that aren’t your plans. And long story short \u2014 summarizing briefly \u2014 right after the first Gulf War budget cutbacks, after being at a fighter pilot squadron for a while to just kind of get my legs under me before going to formal training, the Air Force said, \u201cWe don’t need as many pilots, but you have a technical degree. How about you go be an intelligence officer?\u201d<\/p>\n
Alright. Like, okay, alright. I dunno what that is, but I’ll find out. And I did that for a couple years.<\/p>\n
Then there was a call for a very specialized workforce for what eventually turned into offensive cyber, and I did that through the nation’s intel community for a long time.<\/p>\n
It was about 15 years ago when the Air Force said, \u201cHow about we take what you learned as an offensive cyber individual and put that into defense?\u201d And they assigned me to be a CIO and CISO. So I was dual-hatted into a joint role at an Air Force base in Northern California.<\/p>\n
And so it took about 15\u201320 years of my career to actually get into a true defensive role.<\/p>\n
David: And overall, you spent about 24, 25 years in the US Air Force.<\/p>\n
Ian: Twenty-four.<\/p>\n
David: Years in uniform and in the cyber realm, how long were you with the Air Force?<\/p>\n
Ian: Uh, well, I would have to kind of count it out. If you count the offensive and the defensive side, all told probably 12 \u2014 probably closer to 15.<\/p>\n
David: Okay. So then what was it like to shift over from military to corporate cybersecurity? Were there any particular lessons from your time at Cyber Command or the NSA that really stuck with you in the private sector?<\/p>\n
Ian: First of all, as a veteran, as a senior officer, you’re very comfortable \u2014 to the degree you can be \u2014 in a very large organization called the Department of Defense.<\/p>\n
You’re all of a sudden vulnerable. You’re in the private sector \u2014 different language, different culture, different business, different people, different lessons learned.<\/p>\n
It can be a tough transition and I think it would probably be tough in many ways for many veterans. So, as an ask for anybody who’s hiring a veteran, realize it can be tough.<\/p>\n
Having some mentoring along the way goes a long way in developing that person. You feel vulnerable for a while, and so it was with me.<\/p>\n
I had to learn finance. I spent hours and hours every night reading books on \u201cHow does a nation’s economy work? How do banks work? What are banking laws, banking regulations?\u201d<\/p>\n
I studied really hard on that and it was a lot of work. I enjoyed it, I loved it, but that meant it was a while before I could really, truly be effective and understand the business model of what I’m here to support.<\/p>\n
So that’s general advice I would give anybody in the career: spend time to learn how your business works, whatever it is.<\/p>\n
And then of course, when I became the CSO at HCSC, I had to spend a lot of time learning how the healthcare sector works.<\/p>\n
David: I’m glad you mentioned that because across your career you’ve overseen massive cyber defense operations in critical industries like finance and healthcare. How did those sectors differ in their approach to cybersecurity challenges, and what strategies proved universally effective?<\/p>\n
Ian: That’s a great question and one that I get asked a lot.<\/p>\n
And so this is my opinion from observations across the defense sector and healthcare sector \u2014 and finance is part of it \u2014 it’s just the baseline of how it’s formed.<\/p>\n
If you look at how an industry baseline is formed, it usually starts from laws and regulations, and the sectors have different laws, rules, regulations. The healthcare sector\u2019s underpinned by HIPAA and HITECH.<\/p>\n
Very important. How old is that? When was the last time the information security portions were updated? Around 20 years ago, a little bit over.<\/p>\n
And so the threat has changed a lot in 20 years. For organizations who have aligned their security program to that specific rule\/regulation but have not evolved, they’re about 20 years behind the cyber threats.<\/p>\n
My personal opinion is that’s one of the reasons factoring into some of the breaches that you see.<\/p>\n
One of the other things \u2014 very noble and right \u2014 HIPAA and HITECH are aligned to protect private health information for citizens. That’s great, but it doesn’t really get into ensuring the availability of services.<\/p>\n
A major breach can occur that doesn’t affect the information, but can affect an individual’s ability to access care. We’ve seen that in some really very, very large news stories over the last year or two.<\/p>\n
When you put the two of those together, I see in the healthcare sector \u2014 and it’s getting better, thankfully \u2014 but over the last few years, many organizations have aligned around saying, \u201cI’m compliant with HIPAA\/HITECH, I’m done.\u201d And they don’t evolve into staying in front of the threat, the adversary.<\/p>\n
And that’s probably the biggest thing that I see.<\/p>\n
David: You mentioned that you started out as a pilot. First of all, are you still flying? And second of all, how is being a CISO in some ways similar to being a pilot, or is it not?<\/p>\n
Ian: One, and I have to be fully disclosed, the last time I flew a plane as pilot in command was in 1999. It’s been a long time.<\/p>\n
David: Okay.<\/p>\n
Ian: If you and I went flying, you’d probably be scared and I’d spill your coffee, so you don’t want me flying right now \u2014 it’s been a while.<\/p>\n
But there are so many parallels between so many different careers. I think in general, it’s a beautiful question to ask anyone.<\/p>\n
Here’s a few things \u2014 and we could make this an entire day-long conversation on the parallels. The first thing is metrics, and I’ve given a presentation to a sector conference on metrics.<\/p>\n
As a pilot, you’re trained to know the key risk indicators for your system. What’s gonna cause a problem? What do you do about it?<\/p>\n
And in information security, we love metrics. We can generate metrics all day long, but which ones matter? What do you do about it when it goes out of tolerance? What’s your tolerance?<\/p>\n
Being trained in what really matters and how you keep your system operating safely is almost an exact parallel.<\/p>\n
Ian: But here’s the interesting thing \u2014 and I’m just gonna give you just a taste because we maybe should talk about this another time \u2014 what happens when there’s an incident in the aviation community?<\/p>\n
Deep investigation, and the entire world finds out every single thing that went wrong leading up to that accident, and then it’s published, and then everybody learns from it so that you don’t repeat the same mistake.<\/p>\n
What happens in the information security world? Eh \u2014 you don’t find out. You hear a generic statement: \u201cAn auto company got breached and it was because they didn’t follow good practices.\u201d<\/p>\n
Well, what specifically?<\/p>\n
So I think we have a lot we could learn from the aviation industry.<\/p>\n
David: Really interesting. I’m glad we touched upon that and yes, I would be fascinated to have a day-long conversation with you about it.<\/p>\n
So then, getting back to being a CISO, you’ve been a CISO in some pretty intense environments. What’s typically misunderstood about the CISO role, and how do you personally define success in it?<\/p>\n
Ian: Well, the CISO role, like many executive positions \u2014 I don’t want to say that we’re different in this aspect \u2014 but it is stressful.<\/p>\n
One thing I see that is a little bit different in the CISO role is, consider an organization that, for example, misses earnings targets. What does the news report usually say? Usually it says, \u201cCompany X missed targets,\u201d and so on and so forth.<\/p>\n
What happens if a company gets breached? In that case, \u201cCompany got breached and the CISO\u201d \u2014 and they name the person \u2014 \u201cand it’s their fault.\u201d<\/p>\n
It becomes personal.<\/p>\n
David: Mm-hmm.<\/p>\n
Ian: So it’s a very, to me, very different environment.<\/p>\n
The other one I would say that’s very different in this role \u2014 in any business role you could call it warfare in a way, that you’ve got threats and they’re trying to disrupt your model. But in cybersecurity, those threats at the end of the day are people and they’ve picked you, and they’re actively targeting you and your team.<\/p>\n
And so it becomes more personal, and it becomes a little bit more like what you might consider warfare. And I think that’s why you see the term \u201ccyber warfare\u201d a lot \u2014 it is truly warfare. There are people out there trying to do you harm and de facto, harm your customers.<\/p>\n
David: Then speaking of cyber warfare, the growing sophistication of cyber adversaries \u2014 attackers, bad actors, whatever you might call them \u2014 have you seen them evolve firsthand, particularly their use of zero-day vulnerabilities and global operations?<\/p>\n
Ian: There are many terms. To me, the clinically correct term is \u201cthreat actor.\u201d<\/p>\n
Okay, it’s a little clinical \u2014 they’re hackers, they’re bad guys, probably bad gals, you get the idea. But I call ’em threat actors usually.<\/p>\n
To understand the answer to that question, first of all, I think it’s really important to understand who are they and what motivates them.<\/p>\n
Depending on what you look at, it might be a nation state motivated by intelligence purposes, it might be a criminal motivated by money, might be a hacktivist motivated about standing behind a position.<\/p>\n
Ian: By and large, what we see and hear in a lot of the media are criminals \u2014 but what I’m gonna say next really applies to any threat actor.<\/p>\n
They’re getting better. Look at their techniques \u2014 to me, it’s extremely interesting to go a double click down behind what we’re seeing.<\/p>\n
What have we seen over the last 12\u201318 months? A wealth of zero-day vulnerabilities discovered in what I call edge devices \u2014 firewalls, proxies, endpoint devices \u2014 that gain initial access into a network.<\/p>\n
And what I don’t think coverage has gone deep enough on is understanding how does that happen?<\/p>\n
The threat actors have to invest in research and development. So when you pay that ransom, some of that money’s going into investing in new capabilities.<\/p>\n
What does that mean? How do you get the technology into the country you’re operating from? How do you reverse-engineer that to find the vulnerability? This is really tough work.<\/p>\n
And then what’s really interesting \u2014 and you can look at a couple of examples over the last year or two \u2014 now they’ve weaponized it globally at scale.<\/p>\n
Think of a few things that happened with zero days that we found out about after. Part of the aftermath wasn’t just the zero day, but many, many companies were breached over the weekend.<\/p>\n
Think how hard that is \u2014 to weaponize it, to deploy it, to execute, to collect the information rapidly in a period of days.<\/p>\n
This is really sophisticated work, and so when I put that back together \u2014 they’re getting better. They will always get better because those motivations I mentioned at the beginning will not change.<\/p>\n
They’ll always want money or more intelligence or to make a public stand for or against something, and so whatever today’s state of capabilities are, they’re gonna get better.<\/p>\n
And whatever we defend against today, we can’t forget that that’s gonna be old news before long \u2014 something else is gonna come.<\/p>\n
Part of our job is to anticipate and forecast what is next and raise the defenses before the threat actors get there.<\/p>\n
David: That’s a tough job. So how do you do that? How do you stay on top of it and how do you anticipate what’s coming next?<\/p>\n
Ian: Part of it is red teaming \u2014 and yes, we’re thinking red teaming penetration testing, absolutely \u2014 but part of it’s red teaming to continuously think outside the box: How would I break into my systems? How would I affect my organization?<\/p>\n
And to have really creative and critical-minded individuals work at that constantly.<\/p>\n
Part of this is experience \u2014 just having been, for example, on one side, on the offensive side, where you have to continuously get better \u2014 having that adversary’s mindset.<\/p>\n
And what I like to tell everybody is don’t forget the adversary has 51% of the vote in what offensive cyber actions come at your organization.<\/p>\n
So you have to consider their motivations, their capabilities, in your equation on defense.<\/p>\n
David: How do you mean 51% of the vote?<\/p>\n
Ian: No matter what you do, the threat actor’s gonna do what they’re gonna do and they’re not gonna ask you \u2014 they’re gonna do it.<\/p>\n
David: And you’ve described threat actors as being as organized as Fortune 500 companies, sometimes even throwing pizza parties after big attacks. What does that level of sophistication mean for how we defend against them?<\/p>\n
Ian: First of all, don’t underestimate the threat actor \u2014 the adversary. They’re not necessarily a couple of loose-knit teenagers in the basement of their mom’s house, as kind of a stereotype.<\/p>\n
They might be very well organized. They have profit and loss statements. They invest in research and development.<\/p>\n
What’s interesting is they very likely have return on investment calculations \u2014 if they’re gonna go after a company, after a certain amount of time it’s not worth their time anymore and they might go somewhere else.<\/p>\n
So they operate like a financial organization. They are out there to make a profit.<\/p>\n
Now, I’m largely talking criminal actors here. If it’s a nation state after intelligence, it’s a different motivation \u2014 but again, we know nation states are gonna be very well organized.<\/p>\n
If I were to boil this down into one piece, it’s: don’t underestimate that threat actor. They are very capable.<\/p>\n
David: So then, moving to identity. With identity emerging as the new perimeter in cybersecurity, what’s your perspective on securing both human and machine identities?<\/p>\n
Ian: Oh, there’s so much we could unwind there. First of all, let’s take a macro look at what’s happening here.<\/p>\n
We have vulnerabilities \u2014 maybe it’s phishing, who knows \u2014 and as the world rallies around reducing that vulnerability, the threat actors will find something different.<\/p>\n
What we’re seeing now is a lot of violations of identity vulnerabilities.<\/p>\n
It could be calling a help desk, social engineering your way in. At the end of the day, we’ve got a person \u2014 they want to help you \u2014 they’re gonna capitalize on that. That’s the human side.<\/p>\n
So we’re seeing a lot of vulnerabilities in identities, and it’s a tough problem to tackle because usually you’ve got years of practices that need a little bit of hygiene.<\/p>\n
What’s coming up is what I call non-person identities \u2014 or I think you called it non-human identities \u2014 machine identities.<\/p>\n
David: Mm-hmm.<\/p>\n
Ian: Those are identities that keep applications working. Without going into a lot of details, usually an application needs to talk to another application, and they authenticate with a non-human identity.<\/p>\n
David: Mm-hmm.<\/p>\n
Ian: And they might have been there for 15, 20 years. You may not even know all your applications that use it.<\/p>\n
It’s probably a hard-coded password somewhere. These are things that are really tough to discover and fix \u2014 that means it’s a vulnerability.<\/p>\n
Threat actors are starting to look into that and exploit it, and that is an avenue into a network.<\/p>\n
David: So then, cloud environments continue to present unique challenges. What kinds of risks have you seen with cloud default configurations, and how can organizations stay ahead of them?<\/p>\n
Ian: Again, I love drawing parallels, and to me \u2014 especially in the early days and to a certain degree now, and not just cloud \u2014 I look at it as you bought a car.<\/p>\n
You got this nice, bright, shiny car, and you look inside and there’s no seatbelt. And you say, \u201cWell, I want to be safe when I drive my car. Where’s my seatbelt?\u201d<\/p>\n
\u201cOh, well, we’ve got another team. We can give you a seatbelt, but you’re gonna have to hire a resident security engineer and budget a year, and we’ll put a seatbelt in there for you. But hey, nice car \u2014 start driving it now.\u201d<\/p>\n
It’s almost the same thing in security, and I think cloud was a big piece of that when you look at some of the insecure default configurations.<\/p>\n
Other technology is just as guilty.<\/p>\n
I have seen this in a positive trend \u2014 I don’t think it’s at the end of the trend \u2014 where things are starting to become more secure by default.<\/p>\n
That’s one big thing we need to get to. It’s a very complicated system and there are many configurations, and you can’t expect everybody to know all the configurations on day one.<\/p>\n
So part of it is: secure by default is a key trend that we need to aim for and get to.<\/p>\n
David: While we’re along the challenges track here, I might as well just keep ’em coming. Healthcare organizations face mounting pressures from ransomware, legacy infrastructure, and compliance requirements. How should CISOs in the healthcare sector prioritize addressing these intersecting risks?<\/p>\n
Ian: Hopefully not all three are insufficient, because that’s a tough challenge. And I hate to give this answer, but you gotta do all three \u2014 and I’ll unwind that a little bit.<\/p>\n
If you don’t have bare-bones compliance met, here’s what’s gonna happen: internal audit, external audit, regulators are going to drive your strategy. You must do what they say.<\/p>\n
And so that will be the group driving your strategy, and you don’t want that. You want to drive your own strategy.<\/p>\n
So get a firm foundation where compliance is solid, but you have to understand that that’s not the end of the game.<\/p>\n
You have to move into the threat actors \u2014 constantly evolving. We talked about it: how do you stay in front of them? You have to uplift that game all the time.<\/p>\n
But also, what I call operational excellence \u2014 are you deploying the capability across your entire attack surface, and correctly? That’s tougher than it sounds.<\/p>\n
You must continuously do both.<\/p>\n
Ian: Now, the ransomware piece is really interesting and we didn\u2019t talk too much about it. One of the ways I\u2019ve seen CISO roles change is success is \u2014 and should be \u2014 \u201cDon\u2019t get hacked.\u201d<\/p>\n
David: Mm-hmm.<\/p>\n
Ian: But if you do, make sure we can respond appropriately and recover back to normal operations quickly so that the business can run.<\/p>\n
That\u2019s another piece I\u2019ve seen in the job jar of CISOs, and I think it\u2019s a very appropriate one because, despite your best intentions \u2014 maybe a malicious insider, who knows \u2014 you might get breached, you might have your services stop working.<\/p>\n
Be resilient. Become operational again very quickly.<\/p>\n
David: In your CISO roles, how much of your bandwidth on average was spent combating malicious insiders or preventing malicious insiders \u2014 or whatever the proper terminology may be?<\/p>\n
Ian: I don\u2019t want to speak specific to a particular role because we could tie it to maybe some things that did or didn\u2019t happen. I think the bigger message is \u2014 I mentioned threat actors: nation states, criminals, hacktivists. There\u2019s a fourth class: insider threats.<\/p>\n
An insider threat could be non-malicious \u2014 the person who just fell for the phish and started a chain of events. That could be a non-malicious insider threat.<\/p>\n
Or you could have a malicious insider threat \u2014 somebody on purpose exfiltrating information, or deploying ransomware.<\/p>\n
We cannot discount those threats. Part of a program should have an insider threat capability to detect these risk scenarios that I just mentioned \u2014 and many more.<\/p>\n
It is a critical capability and it is something that I think needs to happen.<\/p>\n
What I see some organizations say is, \u201cOh, our workforce is great, not us.\u201d It could be anywhere.<\/p>\n
And you read the news stories \u2014 there are plenty where a malicious insider caused some kind of incident.<\/p>\n
David: Devoted listeners of this podcast may be surprised that we haven\u2019t even mentioned artificial intelligence yet in this episode, so let\u2019s mention it now. Artificial intelligence and agentic AI is rapidly transforming attack and defense strategies \u2014 both sides of the battlefield, if you will. How do you see it being weaponized and how can defenders use it to their advantage?<\/p>\n
Ian: It\u2019s a great question \u2014 it\u2019s one I get all the time.<\/p>\n
The way I see threat actors using AI: phish messages are really good. Business email compromise messages are really good. Deepfake videos \u2014 they\u2019re really good.<\/p>\n
If you look behind the scenes, really they\u2019re all aimed at getting access to your computer systems or to your money directly.<\/p>\n
I\u2019ve also seen malware strains that most likely were written by artificial intelligence.<\/p>\n
David: Mm-hmm.<\/p>\n
Ian: And the undiscovered malware \u2014 or signatures that aren\u2019t known, where your tooling can\u2019t detect or block against it \u2014 is on the increase.<\/p>\n
So yes, threat actors are using artificial intelligence.<\/p>\n
The turnaround to that is: if used correctly, it can be a great defensive capability too.<\/p>\n
Think of a large organization \u2014 imagine all the things that happen day in, day out: alerts, warnings, breaches (hopefully none). But there could be, and there aren\u2019t enough people in the world to look at and analyze all of that.<\/p>\n
Artificial intelligence is getting quite good \u2014 in my opinion \u2014 at correlating all of that and really dialing down into: where might a real problem be? Where might we need to put human attention?<\/p>\n
It helps us make sure we use our resources appropriately in defense, prioritize defense.<\/p>\n
That\u2019s for cybersecurity.<\/p>\n
Now, there are many different risks here and it\u2019s much bigger than the CISO \u2014 it really needs to be an enterprise program, like AI security.<\/p>\n
How do we make sure we get the right answers? How do we make sure it\u2019s not hallucinating? How do we make sure it\u2019s responsible and ethical?<\/p>\n
I think the CISO should be at the table in helping formulate the right answers here \u2014 but it shouldn\u2019t be only the CISO at that table. It\u2019s a very enterprise-wide problem to solve.<\/p>\n
David: That table, of course, is reflective of the CISO and where the CISO sits at that table.<\/p>\n
So early in your career, you saw firsthand how technical language can fall flat in business settings. What helped you realize the importance of translating cybersecurity into business outcomes, and how has that shaped your leadership style?<\/p>\n
Ian: It makes me laugh \u2014 I\u2019m telling a story that happened about 30 years ago and it is still so fresh in my mind.<\/p>\n
When I first started in the Air Force, I was in a fighter pilot squadron. I got to fly a lot of planes, learn a lot. I didn\u2019t know anything about cybersecurity.<\/p>\n
The wing commander \u2014 the boss over the whole base \u2014 about once a month would have a big staff meeting of all the different leaders on the base, and he\u2019d let the lieutenants sit against the wall as long as you didn\u2019t talk or move. You were allowed to be in there and listen.<\/p>\n
So I was a wallflower, and I listened.<\/p>\n
I still remember this one day \u2014 the equivalent of the base CIO and CISO (they didn\u2019t call it that at the time) \u2014 he stood up and said, \u201cHey boss, I need a million dollars \u2014 blinky lights, wires, firewall, ones and zeros.\u201d<\/p>\n
Ian: I had an engineering degree and I didn\u2019t even know what this guy was saying. I had no idea \u2014 and I had more of an idea than probably the boss at the end of the table, who flew fighter jets and didn\u2019t understand information security.<\/p>\n
I still remember the guy\u2019s look on his face \u2014 stone-faced. He had no idea what was being said. He said, \u201cDenied. Sit down.\u201d Just like that.<\/p>\n
I remember feeling terrible for this guy \u2014 I still feel it when I tell you the story.<\/p>\n
David: Sounds like Maverick requesting the fly-by right there.<\/p>\n
Ian: Pretty much. Yeah, almost the same.<\/p>\n
The next month, the same guy comes up, says, \u201cHey boss, need a million dollars for a firewall. But here\u2019s the reason: on your base you have about three days\u2019 worth of gas to keep your jets flying. That gas is supplied by an electronic connection that, if disrupted, would stop the flow of gas. For a million dollars, we can protect that and ensure you have a steady flow of gas \u2014 keep your planes flying as long as you need.\u201d<\/p>\n
Same conversation, same ask \u2014 but now he changed it to resonate with the leadership at the table. The conversation took as long as I just took right here, and the boss said, \u201cOh \u2014 approved.\u201d<\/p>\n
You see the difference?<\/p>\n
David: Yeah.<\/p>\n
Ian: Skip forward from that time \u2014 it was almost 15 years, maybe a little bit longer \u2014 when I took command of the Communication Squadron, which is the CIO and CISO organization on an Air Force base.<\/p>\n
I remember after the ceremony, I walked in and I sat in my chair. I looked around and said, \u201cI\u2019ve never been a CIO. I\u2019ve never even worked in a CIO or CISO organization. What am I doing?\u201d<\/p>\n
I remembered that story, and so I\u2019ve got story number two now.<\/p>\n
That day was a Friday \u2014 I still remember this. At the end of the day, there was a social. The wing commander hosted a social for all the commanders, and it was about 5:00 on a Friday.<\/p>\n
This was Northern California. One of my roles: I had all the aircraft systems for that section in Northern California \u2014 radars and instrument landing systems and all that kind of thing.<\/p>\n
I got a call from the crew saying the instrument landing system was out, but, \u201cDon\u2019t worry \u2014 we\u2019ll fix it on Monday.\u201d<\/p>\n
I said, \u201cWe should fix it now. Why aren\u2019t you gonna fix it now?\u201d<\/p>\n
They said, \u201cNo, our SOP says if it\u2019s the weekend, we fix it the next workday.\u201d<\/p>\n
I said, \u201cNo \u2014 you\u2019re gonna fix it now, tonight.\u201d<\/p>\n
Ian: They got a little upset with me, but they did it. And I said, \u201cWell, let me explain to you why.\u201d<\/p>\n
This is where the aircraft experience came in \u2014 and I\u2019ve got to give a little bit of a side note to my story.<\/p>\n
This was 10\u201315 years ago. There was a full-motion simulator for a big jet on base \u2014 one of the biggest planes in the country. I was able to get in and I gave them all lessons on how to fly a radar approach and an instrument landing approach.<\/p>\n
The gist of it is: you\u2019re very precise with an instrument landing approach; you get kind of close with a radar approach.<\/p>\n
Even though they weren\u2019t pilots, they immediately saw once I showed them.<\/p>\n
And you know what? For the rest of my tenure there \u2014 this was Northern California, lots of fog \u2014 never once did I have a single complaint. Anytime that instrument landing system had even a potential of a glitch, they were on it. They fixed it immediately, no matter what.<\/p>\n
The key here is we turned the business objective into \u2014 in this case \u2014 an information security priority: the availability of the system.<\/p>\n
If you understand the business you support, it helps you make prioritized decisions.<\/p>\n
I could go on with stories all day long on this kind of thing, but the key is: as a CISO, understand your business. Understand what generates revenue, what keeps customers happy, what\u2019s on the mind of the CEO, COO \u2014 and that will really help you prioritize what to fix, what to secure.<\/p>\n
David: Along those lines, what qualities or skills do you believe are the most critical for the next generation of cybersecurity leaders?<\/p>\n
Ian: I love the question \u2014 I get this asked all the time. I know you want me to say \u201ctechnology\u201d number one. It\u2019s not \u2014 it\u2019s lower on the list.<\/p>\n
I always say: be a student of leadership. In a lot of my CISO roles, I had hundreds of people in my team. You need to be a leader.<\/p>\n
You need to understand how to lead teams \u2014 not perfectly, but the key is to continuously study, train, assess, adjust, and become even better.<\/p>\n
Be a great communicator \u2014 and we talked about some of the techniques here already. Be able to concisely, crisply speak or write your point.<\/p>\n
How many times have you received an email where somebody\u2019s asking you for something and it\u2019s three pages long? I stop reading after about the fourth sentence. If you can\u2019t ask it quickly, I\u2019m not gonna read it \u2014 I don\u2019t have time.<\/p>\n
So being crisp and clear in communications is really key.<\/p>\n
Ian: Be inquisitive \u2014 question, want to understand. Be thoughtful in your thinking, and then be able to be decisive and execute.<\/p>\n
Before I get to technology, this is a big one: know how budgets work. How do we get money? How do we spend money? How do we ask for more money?<\/p>\n
It sounds trivial, but you know what? That\u2019s what makes your program work \u2014 do you have the resources to do your job?<\/p>\n
After that \u2014 how do you hire people? How do you get more people?<\/p>\n
And then technology. Obviously you need to have some kind of technology background \u2014 you may not need to be a reverse engineer, but you do need to understand how the technology can be used to help protect against cyber threats.<\/p>\n
David: So then, having worked closely with public\u2013private partnerships, what role do you believe these collaborations play in addressing the cyber challenges of today and tomorrow?<\/p>\n
Ian: I think public\u2013private partnerships are a great idea. I\u2019ve seen them strengthen over the last 10 years. I see room to grow.<\/p>\n
One area \u2014 and you\u2019re seeing a trend here, right? You gravitate towards what you learned first and what you know.<\/p>\n
If you\u2019re in a fighter jet flying in enemy territory, you have a radar \u2014 it\u2019s picking up threat signals within the view of that radar, but you only see what your system sees.<\/p>\n
Now imagine if there\u2019s many jets out in that battlespace and each one sees part of the picture. What if we can combine that into one picture of the whole battlespace?<\/p>\n
Public\u2013private partnerships can do this with cyber. You might have a great view of the threat picture that you face, but it might not be complete.<\/p>\n
If we can find a way to legally and safely build what we all see into one large threat picture, we can be better defenders.<\/p>\n
Another key piece \u2014 and this is overlooked still \u2014 is what I call systemic risk. We\u2019re so focused on defending our organization that we may not understand how our organization fits in the ecosystem of healthcare or finance, for example, and what are the key nodes that will make our entire system fall down.<\/p>\n
Maybe an upstream node \u2014 an organization, a utility, for example \u2014 might be breached and fail. The trickle-down effects might affect me, and those effects might affect four other organizations. Pretty soon, we have a sector in crisis.<\/p>\n
It comes down to: how does our sector work, how do we collaborate together to ensure our sector is resilient? There\u2019s work being done there, but there\u2019s a lot more to do.<\/p>\n
David: What threats should CISOs be watching over the next few years, and is there anything flying under the radar that deserves more attention?<\/p>\n
Ian: That\u2019s a great question \u2014 it\u2019s one I think about all the time. I know what I\u2019m gonna say here isn\u2019t gonna be the most complete answer.<\/p>\n
If you go back 10\u201315 years ago, nobody envisioned a lot of the threats we see now. The key is understanding they will evolve \u2014 there will be new threats.<\/p>\n
The motivations probably won\u2019t change much: money, intelligence, public stance. So start there, then critically think about what might happen next.<\/p>\n
An example: multifactor authentication is great \u2014 but as it becomes widely deployed, they find ways to work around it.<\/p>\n
So whatever key defense we have now, the threat actor will find some way to bypass it.<\/p>\n
I think insider threats will increase. I hear quantum technology and quantum-safe algorithms will be big \u2014 quantum computing will really change how defenders need to defend and how attackers will attack.<\/p>\n
Is it there yet today? Probably not. But someday, it will be widely available \u2014 what will happen then? We need to think about it now and start building strategies early.<\/p>\n
David: Quantum is definitely something we\u2019ll be keeping our eye on.<\/p>\n
So, let\u2019s talk about you and what you\u2019re up to these days, to wrap things up here. You\u2019ve recently shifted your focus toward advisory and board roles. What drives the new career chapter, and what\u2019s one piece of advice you\u2019d offer to someone just stepping into the world of cybersecurity leadership?<\/p>\n
Ian: I love it. On a personal side \u2014 I stepped down about a month ago for health reasons. I have some short-term health challenges I\u2019ve got to work through. Everything will be fine \u2014 it\u2019s just you can\u2019t be a CISO, which is a full-time job, and focus on getting through the health issues.<\/p>\n
You can\u2019t do both at the same time in this case, so I made the tough choice. I loved my organization, loved the team \u2014 amazing people, amazing organization \u2014 but I have to focus on myself and solve those challenges.<\/p>\n
By short term, I mean in 2026 I should be back to normal.<\/p>\n
I\u2019ve been on a couple of boards of directors, I\u2019ve been on advisory boards \u2014 I really like that work. I\u2019ve had a lot of formal training over the last two years in it, so I\u2019m going to dip my toe into that and see how it works.<\/p>\n
Shifting to your second question: for those pursuing a cybersecurity career \u2014 in my opinion, you picked a great career. It\u2019s going to be a career that exists for a long time. It\u2019s a job that\u2019s different every day. You get to use your brain, think critically, and it never gets old.<\/p>\n
I don\u2019t think anybody who\u2019s really in cybersecurity gets bored. It\u2019s a great way to keep your brain active and ultimately to do good.<\/p>\n
If you do your cybersecurity job right, you\u2019re helping people \u2014 you\u2019re saving their information, their access to care if you\u2019re in healthcare, or their access to money if you\u2019re in finance. You\u2019re doing good.<\/p>\n
So I highly recommend cybersecurity as a career.<\/p>\n
David: So are you leaving the door open for potential future CISO-ing, or do you think you\u2019ve maybe had enough of the adult-size portion?<\/p>\n
Ian: I\u2019ve learned you never say no to a door that\u2019s open.<\/p>\n
David: Ian, thank you so much for coming on the podcast. Really appreciate it. I think there are a lot of areas we can dive into deeply with you here, and look forward to having you back sometime in the near future.<\/p>\n
Ian: It\u2019d be a pleasure. Thank you.<\/p>\n
David: Alright \u2014 there you have it. Thanks for listening to Security Matters. If you liked this episode, please follow us wherever you do your podcast thing so you can catch new episodes as they drop.<\/p>\n
And if you feel so inclined, please leave us a review \u2014 we\u2019d appreciate it very much, and so will the algorithmic winds.<\/p>\n
What else? Drop us a line with questions, comments, and if you\u2019re a cybersecurity professional and you have an idea for an episode, drop us a line.<\/p>\n
Our email address is securitymatterspodcast@cyberark.com.<\/p>\n
We hope to see you next time.<\/p><\/div>\n","protected":false},"featured_media":220119,"template":"","class_list":["post-215118","podcast","type-podcast","status-publish","has-post-thumbnail","hentry"],"acf":[],"yoast_head":"\n