Episodes
-
How defense keeps up with AI, cyber threats, and private-sector innovation.
In this episode of The Watchtower, Ash Hunt sits down with Jimmy Harrington, retired Air Force colonel and former Deputy CIO at U.S. Special Operations Command, for a conversation about cyber resilience, defense innovation, and what large organizations often misunderstand about speed.
From NATO and the Pentagon to AI-enabled defense systems and private-sector collaboration, Jimmy shares what defense can teach enterprise security leaders about resilience, leadership, mentorship, and building organizations that can operate through uncertainty.
Highlights Why âkeeping upâ may be the wrong question How zero trust changes the goal from prevention to resilience Why defense innovation can become âinnovation theaterâ What it takes for new technology to actually scale What CISOs can learn from military leadership and mentorship ConnectJimmy Harrington on LinkedIn
Chapters0:00 Can organizations keep up with innovation?
1:14 Jimmy Harrington Deputy CIO
5:36 The pace problem inside defense institutions
6:50 Reframing cyber success: stop trying to stop everything
8:49 Run fast, trip less - operating under uncertainty
12:12 Threat-agnostic vs threat-specific cyber defense
14:09 Defense tech: from leading edge to catching up
15:14 Innovation theater: the $5B that never scaled
18:55 Slow is smooth, smooth is fast
21:16 Palantir, Anduril, and selling belief to the DoD
24:33 Building the plane while it's flying
27:23 Why CISOs and defense leaders don't collaborate enough
31:34 The military's leadership DNA corporate lacks
35:49 Mentorship and the replacement-first model
41:24 How leaders are actually built
43:10 The hardest part of leaving the military
46:28 What corporate underestimates about veterans
Presented by Cyera. Produced by Mission.org.
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
-
Is AI helping us make better decisions or just giving us more data to misinterpret?
In this episode of The Watchtower, Ash Hunt speaks with Tony Martin-Vegue, founder of NinetyFive Risk Advisory and author of From Heat Maps to Histograms, about cyber risk, decision-making, and the role of AI in risk analysis.
Tony explains why security teams often have more data than they realize, but still need the judgment to evaluate that data, understand its quality, and use it responsibly.
Highlights
Why AI can supercharge risk analysis without replacing human judgment How LLM outputs should earn their way into a risk model Why red/yellow/green heat maps limit executive risk conversations How cyber risk quantification helps security leaders speak in business terms What cybersecurity can learn from meteorology, epidemiology, actuarial science, and financial risk managementConnect
Tony Martin-Vegue on LinkedIn
95 Risk Advisory
Chapters
0:00 The judgment problem AI can't solve
1:24 From IT janitor to risk analyst with Tony Martin-Vegue
5:19 Explaining risk in dollars vs colors
9:35 Not enough data is not an excuse
13:50 The DBIR, data quality, and the 500-report flood
16:46 Industry reports or Twitter polls
17:39 Decision engineering: operating under uncertainty
20:35 The CISO's real job isn't stopping attacks
21:31 The most influential cybersecurity book
28:41 AI launders bias
31:49 Decision engineering at scale: agentic context across the business
39:43 Cyber risk math was invented by 18th-century gamblers
41:20 What cybersecurity needs to steal from other fields
43:44 Toyota, Taylorism, and why your heat map has to die
45:53 Where to find Tony and the book
Presented by Cyera. Produced by Mission.org.
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
-
Missing episodes?
-
Identity is now the fabric that determines the viability of every business operation.
In this episode of The Watchtower, Ash Hunt talks with Valvoline CISO Corey Kaemming about how identity became the operational backbone of modern companies. As cloud, automation, and AI accelerate, identity failures donât just create risk - they stop work entirely. They explore why identity decisions are now business decisions, how automation amplifies identity risk, and why CISOs are evolving from gatekeepers into service leaders responsible for keeping operations moving.
Chapters
0:00 Identity Now Runs Everything (Corey Kaemming)
1:20 Why Identity Suddenly Matters More Than Ever
5:40 âAttackers Arenât Breaking In⊠Theyâre Logging Inâ
9:30 Identity as the Backbone of Enterprise Operations
12:00 You Canât Just âTurn Onâ AI in Security
17:00 Moving Beyond Passwords - What Users Actually Want
19:20 Why Identity Workflows Keep Breaking
23:10 When Identity Fails, the Business Stops
26:00 âIf You Canât Log In, Nothing Worksâ
29:10 Inside a Real Identity Transformation Program
34:50 Who Should Own Identity - Security or the Business?
41:30 Rethinking Hiring, Teams, and Identity Strategy
46:15 Identity Beyond Security
Presented by Cyera. Produced by Mission.org.
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
-
Security runs on metrics, but do those metrics reflect real risk?
In this episode of The Watchtower, Ash Hunt sits down with Wade Baker - co-founder of Cyentia Institute and longtime architect of the Verizon DBIR - to dismantle the cybersecurity metrics that feel right but consistently lead programs astray. They take down "average cost per breach," expose why MTTR makes security teams look great while 99% of their vulnerabilities sit untouched, and introduce the half-life metric that actually tracks risk. Plus: why metrics are weaponized more often than they're used, and how AI agents are (finally) democratizing rigorous risk quantification.
Key Takeaways:
- Cost-per-data-record is a survey artifact â there's no linear correlation between breach cost and records lost
- MTTR only measures the vulnerabilities you remediate â so you can post a great MTTR while ignoring 99% of your environment
- Survival analysis / half-life is the better metric â it tracks burn-down against a defined finish line, not raw speed
- Think like a general, not a sniper: zero vulnerabilities is the wrong objective; the right 80% is
- Metrics are weaponized to justify budget more often than they're used to manage program effectiveness
- You don't need a stats PhD â AI agents are democratizing rigorous risk modeling
Wade Baker on LinkedIn: https://www.linkedin.com/in/drwadebaker/
Cyentia Research: cyentia.com/research
Chapters
00:00 Are we measuring the right things?
01:18 Which cybersecurity metrics are most misunderstood
02:48 The psychology of measuring what's easy
04:20 "We've got to measure something" â and the trap that creates
05:30 The real problem: security doesn't agree what "good" looks like
07:40 Sniper vs general: the thinking style CISOs need
09:28 Doing security things vs achieving security goals
10:25 The $215-per-record myth â and why it won't die
12:13 Metrics as weapons: the real reason the number survives
14:31 The needle-in-the-haystack reality of real breaches
15:45 Risk quantification was solved decades ago â in other industries
17:24 The MTTR indictment: measuring only what you fix
18:48 Survival analysis and the half-life metric
21:07 Fixed-speed decay: metrics as decision engineering
23:57 Event landscape vs threat landscape
27:19 AI agents as scenario-analysis partners
30:05 Democratizing risk modeling without a stats PhD
31:13 What security leaders should actually measure
34:15 Your metrics are not your boss's metrics
36:07 Data storytelling: testing a metric's "so what?"
37:03 What's next from Cyentia Institute
Presented by Cyera. Produced by Mission.org.
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
-
Are you just avoiding a breach? Or are you prepared for one?
Dan Bowden is the Global CISO at Marsh - the world's largest insurance broker - where he protects 90,000+ employees across 130+ countries while simultaneously seeing how organizations are evaluated after cyber incidents. In this episode, Dan breaks down how regulation, insurance, and real breach data are changing the standard for what "prepared" actually means in 2026.
Dan Bowden is a seasoned security leader with a background spanning military, healthcare, and banking before joining Marsh as joint Global CISO.
Key takeaways:
- Why the gap between governance documentation and crisis culture is where most organizations fail
- How to properly engage your cyber insurance broker as a consultative security partner, not a checkbox
- What Marsh's breach data actually shows about insured companies being targeted (spoiler: the myth is busted)
- Why MFA in 2026 should be baseline - and what carriers are asking about next
- How regulatory frameworks like NYDFS are shifting from descriptive to prescriptive requirements
Guest: Dan Bowden, Global CISO, Marsh
LinkedIn: linkedin.com/in/danbowden
Chapters
0:00 Dan Bowden: Cybersecurity Is Not âBest Effortâ
1:10 What a Global CISO Sees That Others Donât
3:50 Why Companies Call Their Broker First During an Incident
5:03 What Real Incident Data Actually Teaches You
7:04 Rethinking Risk: Frequency vs Catastrophic Events
10:12 Why Cyber Risk Is Still Measured Wrong
11:39 Stop Letting the News Drive Your Security Strategy
14:32 Where Incident Response Actually Breaks Down
15:00 Governance vs Culture - What Really Happens in Crisis
18:03 How to Test Leadership Under Pressure
19:32 What Most Companies Get Wrong About Cyber Insurance
23:12 Cyber Insurance Is Bigger Than âCyberâ
24:11 Why Most Broker Relationships Fail
25:52 How Insurance Decisions Actually Get Made
27:53 Identity Is the Root of Most Attacks
29:46 MFA Is the Baseline - But Not the End
33:27 How Regulation Is Reshaping Security
37:52 Myth: Insurance Makes You a Target
41:31 The Future: Custom Cyber Insurance Models
Presented by Cyera. Produced by Mission.org.
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
-
Weâve spent billions on cybersecurity. Why are the problems the same?
In the first episode of The Watchtower, Ash Hunt invites Jason Clark, CSO at Cyera, to dig into the hard truth that foundational security controls still fail in real environments. Together, they explore why identity and data remain unsolved, how rapidly changing enterprise tech has outpaced control design, and why AI is forcing the industry to rethink its entire foundation.
This episode is made possible by Cyera.
Chapters
0:00 Has Cybersecurity Failed?
1:22 Jason Clark - Security Built for Old Tech
2:48 Why Security Frameworks Keep Failing
4:58 The Pattern - We Canât Keep Up - iPhone, Cloud, AI Adoption
7:47 Security Strategy Problem - No Data Visibility
10:02 Data and Identity Are Broken in Security
13:34 Identity Is a House of Cards
15:09 AI Will Break (or Fix) Cybersecurity
18:18 Rethinking Security - Systems and Data as Assets
20:39 Why Security Teams Clash with the Business
24:02 Why Risk Modeling Fails in Security
27:58 CISO Leadership Problem - No Business Influence
30:42 AI Adoption - Why Security Must Lead
33:17 The Future of Cybersecurity - Orchestrating Intelligence
34:07 Closing - What Comes Next
Presented by Cyera. Produced by Mission.org.
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
-
The systems we rely on werenât built for the world weâre running today.
Welcome to The Watchtower.
The cybersecurity podcast exploring how identity, data, and behavior now control whether a business runs - or stops.
Hosted by former global CISO, Ash Hunt, The Watchtower pulls back the curtain on whatâs actually happening behind dashboards - from fragile identity systems to the real impact of AI inside the business.
New episodes coming soon.
Presented by Cyera. Produced by Mission.org.
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.