The Business of Cybersecurity

The Business of Cybersecurity is a podcast from the Tech Talks Network that explores where security and business strategy converge. Hosted by Neil C. Hughes, creator of the Tech Talks Daily Podcast, this series examines how today’s enterprises are managing cyber risk while still moving fast and innovating. Through insightful conversations with industry leaders, CISOs, product strategists, and security architects, the podcast brings clarity to the real-world decisions shaping cybersecurity in modern business. Each episode dives into how companies are responding to regulatory pressure, increasing complexity in cloud environments, and rising expectations from boards and customers. From AI-driven defense and zero trust to skills gaps and risk quantification, we go beyond technical jargon to explore what actually works—and what doesn’t—on the road to building resilient organisations. Whether you're leading a security team, sitting at the executive table, or simply want to understand the business impact of cybersecurity, this podcast offers honest, grounded perspectives designed to help you make better decisions in an environment that never stands still. Search Tech Talks Network to discover more shows covering the voices at the heart of enterprise technology.

  1. Why Non Human Identities Are The Next Cybersecurity Challenge With Torii CEO Uri Haramati

    APR 1

    How prepared are businesses for a world where AI agents are quietly becoming some of the most powerful users inside their systems? In this episode of Business of Cybersecurity, I sit down with Uri Haramati, CEO and co-founder of Torii, to unpack a shift that is happening faster than most organizations can keep up with. AI is no longer sitting on the sidelines as a productivity tool. It is now deeply embedded across platforms like Slack, Google Workspace, and CRM systems, often operating with levels of access that rival or even exceed human users. As Uri explains, that changes the entire security conversation, especially when many of these agents are effectively invisible to traditional identity and governance models.

    What stood out to me in this conversation is how quickly AI adoption has moved from experimentation to something far more operational. Uri shares insights from Torii’s 2026 SaaS Benchmark Report, which reveals that enterprises added nearly 700 new AI applications in just one year, with 61 percent of all apps operating outside of IT oversight. That creates a growing blind spot, where non-human identities, API tokens, and automated workflows are interacting with sensitive data without clear ownership or lifecycle management. It is a shift that feels familiar, echoing past waves like BYOD, but this time the scale and speed are on another level.

    We also explore why this is not simply a story about risk. There is a clear business driver behind this surge in AI adoption. Organizations are under pressure to control costs, reduce manual work, and get more value from their software stack. AI is stepping into that role, but it introduces new challenges around usage-based pricing, unexpected spend, and governance models that were designed for a much slower era of IT. Uri makes the case that the real issue is not adopting AI too quickly, but failing to evolve governance at the same pace.

    By the end of the conversation, one idea really stayed with me. Within the next couple of years, non-human identities could outnumber human ones inside most enterprises. That raises a simple but uncomfortable question. If every actor in your system needs to be treated as an identity, how many do you actually have, and how many are you truly managing? If this is a topic you are grappling with, I highly recommend checking out Torii’s 2026 SaaS Benchmark Report and connecting with Uri to continue the conversation. But for now, I would love to hear your perspective. Are we building the right guardrails for this new era of AI-driven access, or are we already further behind than we think?

    32 min
  2. AI Security Teams That Work 24/7 With Machine Speed

    MAR 25

    What happens when AI makes your security teams faster, but leaves the same people carrying all the risk? In this episode of Business of Cybersecurity, I sit down with Shan Kulkarni, CEO of Nullify, to discuss a growing tension that many security leaders are already feeling. AI is helping developers ship code faster than ever. Still, for product security teams, that speed often creates even more alerts, more vulnerabilities to review, and more pressure on already stretched teams. Shan argues that the real issue is not productivity alone. It is accountability. When copilots increase output while ownership remains with the same engineers, the workload does not disappear. It multiplies.

    We explore why Shan believes the next phase of enterprise AI will be shaped by autonomous AI employees rather than assistant-style tools. He explains how Nullify is designed to onboard, reason, and act like a human security engineer, with access to code bases, ticketing systems, cloud environments, and internal documentation. From validating whether a vulnerability is truly exploitable to assigning fixes and following up with developers, Shan shows how AI workers could replace several disconnected security tools and the extensive manual coordination required.

    Our conversation also gets into trust, which remains one of the biggest barriers to adoption in high-risk environments. Shan talks openly about the safeguards needed before companies will feel comfortable allowing AI to take action instead of simply making suggestions. We discuss merge-ready patches, exploit confidence scores, the rising threat surface created by AI-generated code, and why authorization, authentication, and business logic flaws may become some of the biggest risks in modern software. It is a timely conversation about what security teams actually need right now: fewer dashboards, fewer false positives, and better ways to manage growing responsibility in a world of machine-speed software delivery.

    If you are trying to understand where AI fits inside security operations, and whether autonomous systems can truly ease the burden rather than increase it, this episode should give you plenty to think about. What do you think: are we heading toward a future of AI teammates in cybersecurity, and how much responsibility are you willing to hand over?

    30 min
  3. AI, Social Engineering, And The New Browser Attack Surface

    MAR 18

    What if the biggest blind spot in cybersecurity today is the place where most work actually happens, the browser? In this episode of the Business of Cybersecurity podcast, I sat down with Adam Bateman, co-founder and CEO of Push Security, to explore a growing shift in how modern attacks are carried out and why traditional defenses are increasingly struggling to keep up. Adam brings a rare perspective to the conversation, having spent years in offensive security and red team operations simulating real-world attacks against major enterprises before founding Push Security.

    One of the central ideas we unpacked is the claim that the browser has quietly become the new endpoint. As organizations move more work into cloud applications and SaaS platforms, the connection between users and company systems increasingly runs through the browser rather than traditional networks or local applications. The problem is that most security tools still focus on endpoints, networks, and email. That leaves what Adam describes as a “missing middle,” the space between a user logging in and the moment a breach is discovered.

    We also discuss how phishing attacks have evolved beyond the inbox. Push has observed that as much as thirty-four percent of the malicious phishing attempts they detect now originate outside email, appearing instead through platforms like LinkedIn messages, Google search results, or other online channels. These platform-native attacks bypass traditional email gateways entirely, often targeting senior executives and employees with privileged access to business systems. Adam also shares insights from a recent campaign his team uncovered called ConsentFix, an attack technique that combines browser manipulation with OAuth consent abuse. Instead of exploiting software vulnerabilities or deploying malware, these attacks manipulate trusted workflows inside cloud platforms and identity systems. The result is a compromise that can occur entirely within a browser session, often without triggering traditional security alerts.

    Throughout our conversation we explore why these browser-native threats are growing, how attackers are using AI to scale social engineering campaigns, and why visibility into browser activity may become one of the most important capabilities for modern security teams. Adam also explains how Push Security approaches this challenge by bringing real-time detection and response directly into the browser environment where work and attacks increasingly collide. If cybersecurity teams are still focused only on networks, endpoints, and email, they may be missing the layer where attackers now spend most of their time. As work moves deeper into cloud platforms and SaaS tools, could the browser become the next frontline in enterprise defense?

    31 min
  4. How Booz Allen Hamilton Prepares Organizations For A Cyber Crisis

    MAR 12

    What really determines whether a company survives a cyberattack, the sophistication of the attacker or how well the organization prepared before the breach ever happened? In this episode of Business of Cybersecurity, I sat down with Andrew Carr, Managing Director at Booz Allen Hamilton and leader of the firm’s Commercial Threat Detection and Response practice. Andrew has spent nearly two decades working in digital forensics, ransomware response, and incident investigations across both government and enterprise environments. During our conversation, he shared lessons drawn from hundreds of cyber incidents and explained why preparation, clarity, and coordination often matter far more than the tools organizations deploy.

    One of the most striking themes in this conversation was the importance of the first seventy-two hours during a cyber crisis. Andrew explained that organizations that stabilize quickly tend to have one thing in common. They understand their environments with precision. They know where critical data lives, how systems connect, and which assets attackers are most likely to target. When that visibility is missing, those early hours are often spent trying to answer basic questions rather than containing the incident.

    We also explored why traditional incident response exercises sometimes fail to prepare organizations for real attacks. Many companies still run tabletop exercises within individual departments, yet real cyber incidents rarely stay confined to a single team. Andrew described why effective rehearsals must involve the entire business, from technical responders to executive leadership, and why organizations need to define what he calls the “minimum viable company,” the core functions required to keep operations running during a major disruption.

    Another key takeaway from our discussion was the role of leadership. Cybersecurity can no longer be treated as a purely technical function handled by the IT or security team. Andrew argues that cyber risk is a business risk, and executives across the organization must understand how decisions, priorities, and communication shape the response when a crisis unfolds. We also discussed emerging risks around supply chains and AI systems, and how organizations are beginning to think more seriously about resilience rather than prevention alone. In a world where no company can block every attack, the ability to respond quickly and recover effectively is becoming the true measure of cybersecurity maturity.

    If you lead a technology team, oversee risk, or simply want to understand how organizations prepare for high-stakes cyber incidents, this conversation offers a clear look inside the realities of modern incident response. When the next breach happens, will your organization be scrambling to understand its environment, or ready to act within those critical first seventy-two hours?

    25 min
  5. Why Object First Says Most Immutable Backups Are Not Truly Immutable

    MAR 9

    What happens when the backup you trusted turns out to be anything but immutable? In this episode of Business of Cybersecurity, I sit down with Anthony Cusimano from Object First to unpack one of the most misunderstood words in cyber resilience right now: immutability. It is a term that appears in countless vendor pitches and product pages, but as Anthony explains, the reality behind those claims can vary wildly. In a world where attackers are actively targeting backups as part of modern ransomware campaigns, that gap between promise and reality can have serious consequences.

    Anthony helps me separate marketing language from real architectural protection. We explore why a simple checkbox or software setting is not enough to make backup data truly safe, and why organizations need to think much more carefully about how backup storage is designed, isolated, and protected. He also explains why backup strategy can no longer sit quietly in the background as a routine IT function. It now sits right at the heart of cyber resilience.

    One of the biggest takeaways from this conversation is how ransomware operators have changed their tactics. Backups used to be the fallback plan, the thing that gave businesses a path back after an attack. Now, attackers know that too, which is why backup systems themselves have become a priority target. Anthony explains how this shift has changed the role of backup admins, raised the stakes for recovery planning, and forced security leaders to rethink what “safe” really means. We also get into the role of Zero Trust in backup storage, the risks of false confidence when immutability is poorly implemented, and the practical questions CIOs, CISOs, and infrastructure teams should be asking vendors before they trust them with business-critical recovery data. This is where the conversation gets especially useful, because Anthony does not stay at the theory level. He brings it back to what teams should be checking, testing, and validating right now.

    Another part of the discussion looks at how AI is changing the threat picture. As attacks become more automated and more adaptive, organizations will need recovery strategies that are built for pressure, not just written for compliance. Anthony shares his perspective on why long-standing best practices still matter, and why businesses should be far more intentional about where their most important data lives and how quickly it can be recovered. I also appreciated Anthony’s strong defense of backup professionals, the people who often carry enormous responsibility without much recognition until something goes wrong. This episode is a reminder that resilience is never just about technology. It is also about the people trusted to keep the business standing when everything else is under pressure.

    So if your organization believes its backups are immutable, the real question is simple. Are they truly protected at the architecture level, or are you trusting a label that might not hold up when it matters most?

    Connect with Anthony Cusimano
    Learn more about Object First
    Absolute Immutability: The Ultimate Ransomware Defense
    YouTube

    36 min
  6. Goldilock Secure On Cutting The Blast Radius In Overconnected Networks

    MAR 3

    For two decades, the mantra in technology has been simple: connect everything. More APIs, more integrations, more remote access, more cloud. But what happens when that hyper-connectivity becomes the very thing that amplifies risk? In this episode of Business of Cybersecurity, I sit down with Steven Brodie, Chief Revenue Officer at Goldilock Secure, a NATO-backed cybersecurity firm challenging the industry’s long-standing assumptions. Steven argues that in 2026 we are finally confronting the downside of overconnectivity, where sprawling networks and forgotten links create enormous blast radiuses when breaches occur. Instead of defaulting to constant connection, he introduces the idea of “right-sized connectivity,” where systems are connected only when required, no more and no less.

    We explore why so many modern breaches spread so quickly, and how architectural decisions made in the name of speed and convenience have left organizations exposed. Steven explains how most attacks are software-driven, moving laterally at machine speed, often faster than teams can patch. In that arms race, patching alone is no longer enough. Goldilock Secure approaches the problem differently by adding a physical layer of segmentation that can remotely connect or disconnect assets without sending commands over the public internet. The goal is simple: buy time, contain incidents, and prevent a localized breach from becoming a company-wide crisis.

    We also discuss the tension between security and operational continuity. How do you introduce deliberate firebreaks into a network without slowing down the business? Steven is clear that this is not about returning to air-gapped islands everywhere. It is about controlled connection and controlled disconnection. Boards, he argues, should rethink cybersecurity metrics away from checklist compliance and toward containment, resilience, and clear audit trails that demonstrate who accessed what, and when.

    As AI accelerates attack automation and zero-day vulnerabilities shrink response windows, the question facing every CISO and board is whether their architecture has grown beyond what is defensible. Are you relying purely on logical controls that can be subverted in software, or are you prepared to add physical boundaries that act as real firebreaks? I would love to hear your take. Has hyper-connectivity become a strategic liability in your organization, or is it still viewed as a competitive advantage?

    26 min
  7. How Kiteworks Is Preparing Enterprises For AI-Driven Risk In 2026

    FEB 28

    How prepared are enterprises and government agencies for the next wave of AI-driven risk? I sit down with Tim Freestone, Chief Strategy Officer at Kiteworks, to unpack the findings from the Kiteworks 2026 Data Security & Compliance Risk Forecast and what it reveals about the true state of data resilience today. As AI accelerates business processes and agentic systems gain more autonomy, Tim argues that the real challenge is no longer about adding another security tool. It is about gaining repeatable control over how sensitive data moves across organizations, partners, and automated systems.

    We explore why third-party involvement in breaches has surged to nearly one in three incidents and what that means for board-level accountability. Tim explains how traditional third-party risk assessments struggle to scale in an AI-enabled world, and why data-layer controls and modern digital rights management approaches are being revisited in a more practical form. We also examine the shift from ransomware headlines to the rising dominance of social engineering, and why micro-learning and human error prevention may offer a more realistic path forward than annual compliance training.

    Our conversation also tackles the regulatory pressure building across regions, from evolving GDPR requirements to the EU AI Act. Tim makes the case for unified, data-centric compliance models that provide file-level visibility and auditability, rather than fragmented controls across siloed systems. We discuss the growing relevance of data security posture management, the shrinking timeline for quantum risk, and the “harvest now, decrypt later” threat that leaders can no longer afford to dismiss as a distant concern.

    Finally, we turn to identity as the new perimeter in a world where AI agents act with increasing autonomy. Tim shares why identity alone is insufficient and why combining identity with data location defines the modern security boundary. For leaders facing limited budgets and skill constraints, his advice is pragmatic: start with visibility, align with established frameworks like NIST, and use AI-enabled copilots to accelerate cyber maturity rather than fall behind. If you are responsible for security, compliance, or risk outcomes, this episode offers a clear-eyed look at what is changing, accelerating, and must be addressed now. Are you truly in control of every send, share, receive, and save of sensitive data across your ecosystem?

    27 min
  8. Building Trust Through Cybersecurity in a Zero Trust World

    JAN 19

    How can cybersecurity stop being treated as a tax on growth and start becoming something founders actually lean on to win trust, customers, and long-term advantage? In this episode of Business of Cybersecurity, I reconnect with Taylor Hersom, Founder and CEO of Eden Data, for a wide-ranging and honest conversation about what security really looks like in an AI-first world. Taylor has built his career inside compliance, risk, and cybersecurity, from Deloitte to launching Eden Data during COVID, and now helping venture-backed startups and global enterprises rethink how security fits into the business itself. Rather than framing cybersecurity as fear-driven insurance, he explains why it works best when treated as a signal of maturity, discipline, and credibility.

    We spend time unpacking how generative AI and agentic systems are changing the risk landscape, often faster than regulation and enforcement can keep up. Taylor shares why data, not models, remains the real asset worth protecting, and why so many organizations are still operating in a kind of AI Wild West. Without slipping into alarmism, he explains where companies are most exposed today, from training data to shadow AI tools quietly entering workflows, and why governance, transparency, and basic controls matter more than flashy security spending.

    What really stands out is Taylor’s practical take on turning compliance into a growth lever. We talk about SOC 2 and ISO standards, not as box-checking exercises, but as tools that can actually improve operations, customer confidence, and sales conversations when done properly. He explains why oversharing security posture can be a competitive advantage, how founders should think differently than large enterprises, and why bad audits and rubber-stamp certifications may create more risk than they remove.

    We also explore the human side of cybersecurity, including why most breaches still come down to everyday mistakes, not elite hackers, and how automation, monitoring, and better system design can reduce risk without burning out teams. Taylor shares a grounded view of how AI could finally help solve staffing shortages and alert fatigue inside security teams, and why emerging AI security standards may soon become the next credibility badge companies want to display.

    We close on a lighter note with book and music recommendations, but the core message is clear. Cybersecurity no longer lives in a silo, and the organizations that understand this are already using trust as a business advantage rather than a defensive posture. As AI becomes woven into every workflow, the companies that communicate clearly about how they protect data and customers may be the ones that stand out most. So as security, compliance, and AI continue to collide over the next few years, will your organization treat cybersecurity as a burden to manage, or as a story worth telling?

    Useful Links
    Connect with Taylor Hersom on LinkedIn
    Learn more about Eden Data
    Follow on LinkedIn

    Thanks to our sponsors, Alcor, for supporting the show.

    34 min
