CISO pressures are on the rise - board expectations, executive alignment, AI, and personal liability - and that's all on top of your normal security pressures. With all these pressures, CISO burnout is on the rise. How do we detect it and help prevent it? Easier said than done. In this Say Easy, Do Hard segment, we tackle the health and wellness of the CISO.
In part 1, we discuss the increased pressures CISOs face. We all know them, but how are they impacting our daily lives, both at work and at home. In part 2, we discuss detection and prevention techniques to help avoid burnout, including:
This is a serious problem in our industry and one we want to continue to focus on as we head into another stressful 2026.
Show Notes: https://securityweekly.com/bsw-428
SentinelOne announced a series of new innovative designations and integrations with Amazon Web Services (AWS), designed to bring the full benefits of AI security to AWS customers today. From securing GenAI usage in the workplace, to protecting AI infrastructure to leveraging agentic AI and automation to speed investigations and incident response, SentinelOne is empowering organizations to confidently build, operate, and secure the future of AI on AWS.
SentinelOne shares its vision for the future of AI-driven cybersecurity, defining two interlinked domains: Security for AI—protecting models, agents, and data pipelines—and AI for Security—using intelligent automation to strengthen enterprise defense. With its Human + AI approach, SentinelOne integrates generative and agentic AI into every layer of its platform. The team also unveils the next evolution of Purple AI, an agentic analyst delivering auto-investigations, hyperautomation, and instant rule creation—advancing toward truly autonomous security.
Show Notes: https://securityweekly.com/swn-542
In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications.
Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI.
Segment Resources:
github.com/coreruleset/coreruleset
coreruleset.org
The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain.
As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency.
OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025.
Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem.
This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape.
Segment Resources:
Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI.
Segment Resources:
aivss.owasp.org
https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for
https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro
This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference!
Show Notes: https://securityweekly.com/asw-363
For this week's episode of Enterprise Security Weekly, there wasn't a lot of time to prepare. I had to do 5 podcasts in about 8 days leading up to the holiday break, so I decided to just roll with a general chat and see how it went.
Also, apologies, for any audio quality issues, as the meal I promised to make for dinner this day required a lot of prep, so I was in the kitchen for the whole episode! For reference, I made the recipe for morisqueta michoacana from Rick Martinez's cookbook, Mi Cocina. I used the wrong peppers (availability issue), so it came out green instead of red, but was VERY delicious.
As for the episode, we discuss what we've been up to, with Jackie sharing her experiences fighting against Meta (allegedly, through some shell companies) building an AI datacenter in her town.
We then get into discussing the limitations of AI, the potential of the AI bubble popping, and general limitations of AI that are becoming obvious. One of the key limitations is AI's inability to apply personal experience, have strong opinions, or any sense of 'taste'. I think I shared my observation that AI is becoming a sort of 'digital junk food'. "NO AI" has become a common phrase used by creators - a source of pride that media consumers seem to be celebrating and seeking out.
Segment Resources:
Show Notes: https://securityweekly.com/esw-439
You survived the click—but now the click has evolved. In Part 2, the crew follows phishing and ransomware down the rabbit hole into double extortion, initial access brokers, cyber insurance drama, and the unsettling rise of agentic AI that can click, run scripts, and make bad decisions for you. The conversation spans ransomware economics, why paying criminals is a terrible plan with no guarantees, and how AI is turning social engineering into a whole new wild west.
Show Notes: https://securityweekly.com/swn-541
The crew makes suggestions for building a hacking lab today! We will tackle:
Show Notes: https://securityweekly.com/psw-906
Join Business Security Weekly for a roundtable-style year-in-review. The BSW hosts share the most surprising, inspiring, and humbling moments of 2025 in business security, culture, and personal growth. And a few of us might be dressed for the upcoming holiday season...
Show Notes: https://securityweekly.com/bsw-427
It’s the holidays, your defenses are down, your inbox is lying to you, and yes—you’re gonna click the link. In Part 1 of our holiday special, Doug White and a panel of very smart people explain why social engineering still works decades later, why training alone won’t save you, and why the real job is surviving after the click. From phishing and smishing to click-fix attacks, access control disasters, and stories that prove humans remain the weakest—and most entertaining—link in security, this episode sets the stage for the attack we all know is coming.
Show Notes: https://securityweekly.com/swn-540
Using OWASP SAMM to assess and improve compliance with the Cyber Resilience Act (CRA) is an excellent strategy, as SAMM provides a framework for secure development practices such as secure by design principles and handling vulns.
Segment Resources:
As genAI becomes a more popular tool in software engineering, the definition of “secure coding” is changing. This session explores how artificial intelligence is reshaping the way developers learn, apply, and scale secure coding practices — and how new risks emerge when machines start generating the code themselves. We’ll dive into the dual challenge of securing both human-written and AI-assisted code, discuss how enterprises can validate AI outputs against existing security standards, and highlight practical steps teams can take to build resilience into the entire development pipeline. Join us as we look ahead to the convergence of secure software engineering and AI security — where trust, transparency, and tooling will define the future of code safety.
Segment Resources:
Understand the history of threat modeling with Adam Shostack. Learn how threat modeling has evolved with the Four Question Framework and can work in your organizations in the wake of the AI revolution.
Whether you're launching a formal Security Champions program or still figuring out where to start, there's one truth every security leader needs to hear: You already have allies in your org -- they're just waiting to be activated. In this session, we’ll explore how identifying and empowering your internal advocates is the fastest, most sustainable way to drive security culture change. These are your early adopters: the developers, engineers, and team leads who already “get it,” even if their title doesn’t say “security.”
We’ll unpack:
Segment Resources:
This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference!
Show Notes: https://securityweekly.com/asw-362
Auld Lang Syne, Ghostpairing, Centerstack, OneView, WAFS, React2Shell Redux, Crypto, Josh Marpet, and More, on the Security Weekly News.
Show Notes: https://securityweekly.com/swn-539
This week in the security news:
Show Notes: https://securityweekly.com/psw-905
Business Security Weekly is well aware of the cybersecurity hiring challenges. From hiring CISOs to finding the right skills to developing your employees, we cover it weekly in the leadership and communications segment. But this week, our guest interview digs into the global cybersecurity hiring trends.
Jim McCoy, CEO at Atlas, joins Business Security Weekly to share his expertise on the global workforce needs in the 160 countries where Atlas provides direct Employer of Record services. From CISO hiring to where to build security teams, Jim will help us navigate the cybersecurity hiring challenges most organizations face.
In the leadership and communications segment, CISOs, CIOs and Boards: Bridging the Cybersecurity Confidence Gap, Rethinking the CIO-CISO Dynamic in the Age of AI, Transparent Leadership Beats Servant Leadership, and more!
Show Notes: https://securityweekly.com/bsw-426
Pornhub, WSL, Santastealer, Geoserver, Webkit, Fortiyomama, Dad's Pix, Aaran Leyland, and More, on the Security Weekly News.
Show Notes: https://securityweekly.com/swn-538
Open source projects benefit from support that takes many shapes. Kat Cosgrove shares her experience across the Kubernetes project and the different ways people can make meaningful contributions to it. One of the underlying themes is that code is written for other people. That means PRs need to be understandable, discussions need to be enlightening, documentation needs to be clear, and collaboration needs to cross all sorts of boundaries.
Show Notes: https://securityweekly.com/asw-361
Illuminating Data Blind Spots
As data sprawls across clouds and collaboration tools, shadow data and fragmented controls have become some of the biggest blind spots in enterprise security. In this segment, we’ll unpack how Data Security Posture Management (DSPM) helps organizations regain visibility and control over their most sensitive assets.
Our guest will break down how DSPM differs from adjacent technologies like DLP, CSPM, and DSP, and how it integrates into broader Zero Trust and cloud security strategies. We’ll also explore how compliance and regulatory pressures are shaping the next evolution of the DSPM market—and what security leaders should be doing now to prepare.
Segment Resources:
https://static.fortra.com/corporate/pdfs/brochure/fta-corp-fortra-dspm-br.pdf
This segment is sponsored by Fortra. Visit https://securityweekly.com/fortra to learn more about them!
Over this year on this podcast, we've talked a lot about infostealers. Passkeys are a clear solution to implementing phishing and theft-resistant authentication, but what about all these infostealers stealing OAuth keys and refresh tokens? As long as session hijacking is as simple as moving a cookie from one machine to another, securing authentication seems like solving only half the problem. Locking the front door, but leaving a side door unlocked.
After doing some research, it appears that there has been some work on this front, including a few standards that have been introduced:
We'll address a few key questions in this segment: 1. how do these new standards help stop token theft? 2. how broadly have they been adopted?
Segment Resources:
Show Notes: https://securityweekly.com/esw-437
Disney Gone Wild, Docker, AIs, Passkeys, Gogs, React2Shell, Notepad++, Josh Marpet, and More
Show Notes: https://securityweekly.com/swn-537
This week in our technical segment, you will learn how to build a MITM proxy device using Kali Linux, some custom scripts, and a Raspberry PI! In the security news:
Show Notes: https://securityweekly.com/psw-904
Organizations rely heavily on Salesforce to manage vasts amounts of sensitive data, but hidden security risks lurk beneath the surface. Misconfigurations, excessive user permissions, and unmonitored third party integrations can expose this data to attackers. How do I secure this data?
Justin Hazard, Principal Security Architect at AutoRABIT, joins Business Security Weekly to discuss the security challenges of Salesforce. Justin will discuss how proactive oversight and a strong security posture in Salesforce requires additional capabilities, including:
Think your data in Salesforce is safe and secure, think again.
This segment is sponsored by AutoRABIT. Visit https://securityweekly.com/autorabit to learn more about them!
In the leadership and communications segment, Boards Have a Digital Duty of Care, The CISO’s greatest risk? Department leaders quitting, The 15 Habits of Highly Empathetic People, and more!
Show Notes: https://securityweekly.com/bsw-425
We've got: Hypnotoad, AI Galore, Storm-0249, DocuSign, Broadside, Goldblade, Ships at Sea, Sora, Aaran Leyland, and More on the Security Weekly News.
Show Notes: https://securityweekly.com/swn-536
The MCP standard gave rise to dreams of interconnected agents and nightmares of what those interconnected agents would do with unfettered access to APIs, data, and local systems. Aaron Parecki explains how OAuth's new Client ID Metadata Documents spec provides more security for MCPs and the reasons why the behavior and design of MCPs required a new spec like this.
Segment resources:
Show Notes: https://securityweekly.com/asw-360
Misconfigurations are one of the most overlooked areas in terms of security program quick wins. Everyone freaks out about vulnerabilities, patching, and exploits.
Meanwhile, security tools are misconfigured. Thousands of unused software packages increase remediation effort and attack surface. The most basic misconfigurations lead to breaches. Threatlocker spotted this opportunity and have extended their agent-based product to increase attention on these common issues.
This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more!
AI and the case for toxic anthropomorphism. When Wendy coined this phrase on Mastodon a few weeks ago, I knew that she had hit on something important and that we needed to discuss it on this podcast.
We were lucky to find some time for Wendy to come on the show!
Quick note: while this was not a sponsored segment, 1Password IS currently a sponsor of this podcast. That doesn’t really change the conversation any, except that I have to be nice to Wendy. But why would anyone ever be mean to Wendy???
Finally, in the enterprise security news,
All that and more, on this episode of Enterprise Security Weekly.
Show Notes: https://securityweekly.com/esw-436
Toilet Cams, North Korea, Brickstorm, MCP, India, React2Shell, Proxmox, Metaverse, Josh Marpet, and More, on the Security Weekly News.
Show Notes: https://securityweekly.com/swn-535
This week we welcome Ed Skoudis to talk about the holiday hack challenge (https://sans.org/HolidayHack). In the security news:
Show Notes: https://securityweekly.com/psw-903
While many businesses rely on Microsoft 365, Salesforce and Google Workspace security features, critical blind spots remain—the recent series of high profile SaaS breaches demonstrate this. So what should you do?
Mike Puglia, General Manager of Kaseya Labs, joins Business Security Weekly to discuss the risks in SaaS applications. In this segment, Mike will explore how bad actors are focusing their attacks on SaaS applications, hijacking tokens and how misconfigured integrations are used to bypass traditional defenses. Mike will also discuss how IT leaders can rethink protecting their essential SaaS business applications with tools that go beyond endpoint and MFA strategies to secure the modern user.
This segment is sponsored by Kaseya 365 User. Visit https://securityweekly.com/k365 to learn more about them!
In the leadership and communications segment, The rise of the chief trust officer: Where does the CISO fit?, When Another Company’s Crisis Hurts Your Reputation, Effective Workplace Communication Tips, and more!
Show Notes: https://securityweekly.com/bsw-424
AI semantics, Calendly, GreyNoise, Teams, Schmaltz, India, Antigravity, Scada, Aaran Leyland, and More...
Show Notes: https://securityweekly.com/swn-534