Episodes

  • S2E20 Shadow AI and the Haunted Supply Chain
    Sep 30 2025

    With Daniela away, Glen and Brian are running the show! 🤡 They kick things off by breaking down a recent NPM (Node Package Manager) supply chain attack that targets open-source developers through social engineering. This spirals into a larger discussion about the "spiderweb of trouble" within modern software supply chains and the massive, often invisible, risks posed by Shadow IT and Shadow AI. The hosts provide practical, actionable advice for organizations trying to govern tools they don't even know their employees are using, emphasizing that the AI genie isn't going back in the bottle.

    Key Topics Discussed

    • (01:55) Announcement: Join Glen, Brian, and Daniela for their social engineering workshop at SaintCon in Utah!

    • (02:30) The NPM Attack: A deep dive into the ongoing supply chain attack where hackers use stolen developer credentials to inject malicious code into widely used open-source packages.

    • (05:15) The Spiderweb of Trouble: How vulnerabilities in small, third-party components can create massive, tangled risks for organizations, even if they aren't using the components directly.

    • (12:18) Software Bill of Materials (SBOM): A crucial tool for vetting vendors and understanding the security maturity of the products you buy. If a vendor can't provide one, that's a red flag. 🚩

    • (14:05) Shadow AI & Shadow IT: The things you don't know about are the scariest. The hosts discuss the risks of unsanctioned apps and AI tools operating within your environment.

    • (17:21) You Can't Just "Turn Off" AI: Why blocking AI is like fighting a house fire with a squirt gun. Governance through policy and training is the only realistic path forward.

    • (29:40) A Cautionary Tale: A classic real-world example of how a critical business process became dependent on unsupported Shadow IT, leading to panic when it inevitably broke.

    Actionable Advice & Key Takeaways

    • Ask for an SBOM: When procuring software, ask vendors for a Software Bill of Materials (SBOM) to get a clear picture of what's inside their product.

    • Create an AI Policy: Since you can't block AI everywhere, focus on governance. Develop a clear Acceptable Use Policy to give employees guardrails for using AI tools safely.

    • Provide Sanctioned Tools: Enable your team to work efficiently by providing a sanctioned, private AI environment where they can safely use sensitive company data.

    • Go Hunting for Shadows: Use DNS monitoring and review company credit card expenses to identify unsanctioned third-party applications and services being used in your organization.

    • Build a Security Culture: Technical controls aren't enough. Foster a strong security culture where employees understand the why behind the policies and feel empowered to make smart decisions about data.

    34 m
  • S2E19: ByteWise - Credit Union Edition
    Sep 16 2025

    In this special Credit Union Edition of the ByteWise Podcast, Daniela, Brian, and Glen are joined by Tom Costello, CEO of Upstreme, to unpack the future of the Automated Cybersecurity Examination Tool (ACET) and its impact on credit unions.

    For years, ACET has been the standard tool for cybersecurity self-assessments, but with its foundation—the FFIEC’s Cybersecurity Assessment Tool (CAT)—now officially sunset, credit unions must prepare for what comes next.

    What We Cover
    • ACET’s Rise and Sunset: Why the tool was created, its limitations, and why regulators are moving away from it.

    • Alternative Frameworks: Deep dive into the top three contenders—NIST CSF 2.0, the CRI Profile, and the CIS Controls—and what each offers.

    • Credit Union Realities: Challenges for smaller institutions, including ISE framework considerations, resource constraints, and scaling expectations.

    • Transition Strategies: Practical advice on mapping from ACET to modern frameworks, avoiding common mistakes, and creating a smooth shift.

    • Bigger Picture: How technologies like AI and Zero Trust Architecture are reshaping InfoSec, and why now is the perfect moment for credit unions to reframe cyber risk conversations with boards and leadership.

    • Risk & Governance: Connecting frameworks to enterprise risk management, risk appetite, and governance functions—ensuring cyber strategy aligns with organizational strategy.

    Key Quotes
    • “All frameworks are wrong. Some of them are just more useful than others.” – Tom Costello

    • “The biggest mistake is doing nothing and sticking with ACET.” – Tom Costello

    Resources & Links
    • NIST Cybersecurity Framework 2.0

    • Financial Services CRI Profile

    • CIS Controls

    • Upstreme

    • Connect with Tom
    32 m
  • S2E18 Cybersecurity Awareness on a Shoestring Budget
    Sep 1 2025

    Welcome back to ByteWise! October is right around the corner, and it is Cybersecurity Awareness Month. This episode is packed with budget-friendly, creative ideas to boost security awareness in your organization and personal life. The four key themes of this year's Cybersecurity Awareness Month are strong passwords, multi-factor authentication (MFA), recognizing phishing, and updating software.

    The hosts discuss why these "usual suspects" are still critical topics. They explore the importance of MFA not just at work but on personal accounts like email and online banking. To make learning engaging, they brainstorm several low-cost activities:

    • "Build Your Digital Fortress" Workshop: A hands-on session to walk employees through setting up MFA on their personal accounts.

    • The MFA Rollout Race: A friendly competition between departments to see who can get the highest adoption rate, with winners receiving fun, inexpensive prizes like stickers or 3D-printed trinkets.

    • "Password Creation Cook-Off": A challenge encouraging employees to create the most creative and strong passphrase, using online tools to "score" their strength.

    • The "Set It and Forget It" Campaign: A drive to teach people how to enable automatic software updates on their personal devices to ensure they are always protected.

    • "Reverse Phishing" Challenge: An innovative activity where employees are challenged to create their own convincing (but harmless) phishing email to better understand the psychology and tactics used by attackers.

    The conversation also touches on the importance of using password managers, following NIST guidelines for password creation, and the critical need for leadership buy-in to make any awareness campaign successful. The key is to make security training engaging, positive, and presented in bite-sized, low-cost pieces to ensure it resonates with everyone.

    32 m
  • S2E17 ByteWise: Unplugged
    Aug 19 2025

    In a departure from their usual tech-focused topics, Brian, Daniela, and Glen get personal in this Friday afternoon chat. They pull back the curtain on the realities of stress in the high-stakes world of IT and InfoSec. The team shares how stress manifests for them, the challenge of disconnecting in an "always-on" world, and the short-term and long-term strategies they use to decompress—from hobbies and workouts to the simple power of a supportive chat with colleagues. This is a candid conversation about setting boundaries, managing team stress, and remembering not to sweat the small stuff.

    Discussion Points
    • How does stress show up for you? The team discusses the physical and emotional signs, from a short fuse to shoulders up by your ears.

    • Short-Term Fixes: The hosts share their go-to methods for immediate stress relief, including workouts, setting down the phone, and finding humor in work memes.

    • The "24/7 Briefcase": A discussion on how technology, especially smartphones, has erased the line between work and home life, making it harder than ever to truly disconnect.

    • The Vacation Paradox: Can you ever really be "on vacation" when you're always reachable? The team shares stories of feeling anxious while trying to be offline.

    • Long-Term Decompression: It's not just about a quick fix. The hosts dive into the hobbies and activities that provide a real escape, like working on antique cars, smoking meat, camping, and hiking.

    • The Power of Your People: The importance of having a sounding board and connecting with peers who understand the unique pressures of the industry.

    • When Stress Bleeds into the Team: As leaders, how do you manage your own stress without it negatively impacting your team? The group talks about empathy, owning your mistakes, and putting challenges into perspective.

    Call to Action

    We want to hear from you! How do you decompress and disconnect from the pressures of work? Share your tips and strategies with us on LinkedIn and Facebook.

    30 m
  • S2E16 The BIA Battle - Required Compliance vs. Perceived Value
    Aug 4 2025

    In this episode of ByteWise, the team welcomes back Mark Carroll, founder of the Enterprise Risk Management master's program at Boston University, to tackle the controversial Business Impact Analysis (BIA). They explore why BIAs are non-negotiable for regulated industries, how to demonstrate their value in other sectors, and what separates a "check-the-box" BIA from a truly effective one. Mark shares real-world examples and practical strategies for navigating disagreements, managing stakeholder expectations, and aligning business needs with IT capabilities to build a resilient organization.

    Guest

    • Mark Carroll: Founder of the Enterprise Risk Management master's program at Boston University. With a rich background in IT, risk management, and business continuity, Mark brings decades of practical experience to the discussion.

    Episode Highlights

    Mark begins by defining the Business Impact Analysis (BIA) as a process of understanding business functions, assessing the impact of their loss, and analyzing what is required to restore them. He quickly distinguishes between organizations where a BIA is a choice versus a requirement. For regulated industries like banking or those with ISO requirements, the BIA is non-negotiable "table stakes" for legal operation. For others, it becomes a value-based decision, where the organization must be convinced of its worth as the cornerstone for any effective recovery activity.

    The conversation then moves to what separates a good BIA from a poor one. Mark warns against the superficial "Survey Monkey" approach where everyone simply declares their systems critical. A truly effective BIA requires a deep dive to challenge assumptions and differentiate between what is merely important and what is truly mission-critical for survival. This analysis must reconcile discrepancies, such as a department requesting a four-hour recovery time while simultaneously holding a week's worth of inventory.

    A significant portion of the discussion is dedicated to the human element of the BIA process. Navigating disagreements and gaining buy-in is crucial. Mark shares a practical strategy: begin the BIA with receptive departments to build momentum and create advocates for the process, leaving more resistant stakeholders for last. He illustrates the challenges with an anecdote about a finance department demanding unnecessary resources, highlighting how a fact-based approach and senior-level escalation are sometimes required to overcome myopic views.

    Finally, the team explores the common disconnect between the recovery time objectives (RTOs) desired by the business and the actual recovery capabilities of the IT department and third-party vendors. A BIA forces this critical conversation, pushing for alignment through solutions like increasing inventory, dedicating more IT resources to specific functions, or developing manual workarounds. The reality of vendor contracts often dictates the true RTO, forcing the business to either pay more for faster service or accept the contractual risk.

    The key takeaway from the discussion is that a well-executed BIA is essential for making the tough but necessary distinction between what's important and what's critical. As Mark aptly puts it, when a crisis hits, his job isn't to perform his day-to-day risk functions; it's to "carry water" for the people executing the recovery of truly critical operations.

    29 m
  • S2E15 Your Employees are giving away the Keys - a Conversation about Shadow SaaS
    Jul 21 2025

    John Hill joins the ByteWise team to pull back the curtain on Shadow IT. He kicks off the conversation with a chilling narrative from a hacker's perspective, illustrating how unapproved apps can bypass millions of dollars in security infrastructure. The discussion unpacks what Shadow SaaS is, why well-intentioned employees turn to it, and the significant risks it poses to security, compliance, and even disaster recovery.

    However, the episode also explores the flip side: how the presence of Shadow IT can be a valuable warning sign for leadership. It can highlight gaps in your official tech stack, uncover process inefficiencies, and even introduce innovative tools. John provides practical advice for detecting unsanctioned apps and advocates for a modern, partnership-based approach where IT and business units work together to find the best solutions.

    Guest Spotlight

    • John Hill: A certified technology resilience, risk management, and cybersecurity expert with over 25 years of experience helping Fortune 500 companies manage and anticipate risks by embedding security into the fabric of business operations.

    • Connect with John: Listeners can connect with John Hill via his LinkedIn Profile.

    Key Takeaways

    The episode opens with a powerful narrative from a hacker's perspective, reframing the threat of Shadow IT. Instead of complex breaches, hackers can simply create legitimate-looking SaaS tools and wait for employees to willingly hand over sensitive company data. This happens because employees, driven by a need for efficiency, turn to these unapproved applications—or "Shadow SaaS"—when their official tools are clunky or the process to get new software approved is too difficult. The core issue is often not malicious intent, but a desire to get the job done effectively, a motivation that savvy adversaries are all too happy to exploit.

    The risks of this practice extend far beyond a simple data breach. John Hill explains how Shadow IT can cripple a company during a crisis. An unknown application embedded in a critical business process can completely derail disaster recovery efforts, leaving IT leaders baffled when systems fail to restore correctly. To get ahead of this, organizations can use several clever detection methods, such as monitoring web traffic with advanced firewalls, analyzing recurring credit card expense reports for small software subscriptions, and conducting a thorough Business Impact Analysis (BIA) to create an accurate map of which tools are truly essential to operations.

    Ultimately, the conversation pivots from risk to opportunity. The presence of Shadow IT shouldn't be seen as a failure, but as a valuable feedback mechanism. It provides a clear signal to leadership about where the official tech stack is falling short and can even serve as a source of innovation by revealing highly efficient tools. The episode concludes with a crucial piece of advice for leaders: abandon the adversarial stance. Instead of punishing users, IT should foster a partnership with the business, using the discovery of shadow apps as a starting point for a collaborative conversation to find and implement the best solutions for everyone.

    32 m
  • S2E14 The Mentorship Blueprint - ByteWise Insights on Guidance, Growth, and Giving Back.
    Jul 8 2025

    In today's rapidly evolving professional landscape, particularly in fields like cybersecurity and for those navigating career transitions, mentorship serves as a crucial anchor, providing guidance amidst a sea of information and diverse opinions. Glen, Daniela, and Brian agree that effective mentors do more than just impart knowledge; they challenge conventional thinking, encourage mentees to safely step outside their comfort zones to foster growth, and provide invaluable networking opportunities. Recounting their own experiences, they highlight how impactful mentors deliver honest, constructive feedback—even when it's difficult—and play a pivotal role in developing essential soft skills, such as persuasion and strategic communication, which are often as critical as technical expertise for career advancement.

    The nature of mentorship, especially within technology and cybersecurity, has significantly evolved. It's no longer solely about mastering technical intricacies; there's a growing emphasis on cultivating business acumen, understanding organizational strategy, and translating complex technical jargon into clear, business-relevant language. The panel discusses the importance of mentors who can bridge this gap, helping technologists align their work with broader business goals and communicate their value effectively. Furthermore, they explore the benefits of seeking diverse mentoring perspectives, particularly for leadership development, to help individuals cultivate their own authentic style rather than merely replicating that of a single mentor.

    Finding the right mentor and engaging productively in the relationship is a two-way street. While mentorship can be formal, it often arises organically from genuine curiosity and seeking advice; resources abound in online communities, industry associations, and through peer connections. Crucially, being an effective mentee requires openness to new ideas, resilience in the face of constructive criticism, and a proactive approach to learning and development. The episode underscores that whether you are seeking a mentor or looking to guide others, the foundation of a successful mentorship lies in a shared commitment to growth and mutual respect.

    33 m
  • S2E13 Getting to "Yes" - Overcoming Leadership Objections to Your Key Projects
    Jun 24 2025

    In this insightful episode of ByteWise, Brian switches roles to interview Glen and Daniela about a common challenge: overcoming skepticism and objections from leadership when trying to secure investment for crucial projects, particularly in information security. They dive into common pushbacks like "we're too small to be a target," "we can't afford it," or "it won't happen to us," providing practical strategies, real-world examples, and valuable frameworks to help listeners build compelling cases and gain buy-in from their board or CEO.

    Throughout the discussion, Glen and Daniela tackle these common hurdles by debunking myths that organizations are "too small to target" or "can't afford" necessary protections. They emphasize that all businesses are vulnerable, often due to perceived weaker defenses or as stepping stones to larger targets, and stress the importance of using education, hard numbers, case studies, and quantifying potential financial losses (e.g., compared to net income or insurance limitations) to overcome these objections. Effectively communicating risk involves leveraging established frameworks like NIST or ISO, presenting simple yet relevant metrics tailored to the audience (especially the board) to drive action, and clearly articulating the current state, desired outcomes, and the tangible impact of proposed investments. Ultimately, success lies in a blend of data-driven arguments, strategic communication—including knowing your audience and anticipating their questions—and personal resilience, which involves patience, not taking rejection personally, and being well-prepared to advocate effectively when opportunities arise.

    Remember, don't let initial skepticism derail your vital initiatives; use these strategies to build an undeniable case for what your organization truly needs. With persistence, data-driven insights, and a clear understanding of your audience, you can transform those objections into impactful approvals.

    33 m