Bridging Cybersecurity and Economic Strategy: Insights from Cyber Policy Pioneer Alex Niejelow

Feature image, Alex Niejewlow and Marc Schein chatting

Podcast: Play in new window | Download (Duration: 19:13 — 26.4MB)

Subscribe: RSS

Summary

Today Marc is chattin’ with Alex Niejelow, a respected figure in cybersecurity. The episode opens with Marc highlighting Alex’s unique background growing up in Philly and his diverse career path. Alex shares how his early career as a Durham police officer and later as a lawyer shaped his mindset around public service and supporting people and businesses. He then transitioned into federal and state government roles, including significant positions in the Obama administration and Homeland Security, focusing on trade, customs, and national security issues such as counterfeit semiconductors in supply chains.

They then chat about Alex’s role on the National Security Council, where he worked on the intersection of trade and cybersecurity, a concept that was not widely recognized in the early 2010s but has since become central to government policy. Alex explains his involvement in developing the first-ever cyber sanctions regime, a tool designed to economically disincentivize cybercriminals and nation-states from monetizing stolen intellectual property and trade secrets. This approach was innovative in addressing the asymmetry in cyber threats, where traditional law enforcement and diplomatic tools were insufficient.

The chat then shifts to the challenges Alex faced working across multiple government agencies with differing priorities, which, while complex, ultimately led to better outcomes through collaboration and creative problem-solving. Alex emphasizes the importance of reducing asymmetry in cybersecurity, noting that companies remain vulnerable at their weakest points. He highlights the evolution of the cyber insurance industry, which has become more sophisticated with risk engineers engaging deeply with clients to improve cybersecurity postures and insurance terms.

Alex explains his motivation for founding Hilco Global Cyber Advisors, driven by the need to support middle-market companies that often lack adequate cybersecurity resources despite their sophistication and capital. He critiques the cybersecurity industry’s tendency to self-silo and stresses the importance of aligning cybersecurity solutions with the nature of the products and services businesses provide to increase adoption and effectiveness.

Finally, the chat turns to artificial intelligence (AI) as a major cybersecurity topic in 2025. Alex acknowledges both the threats and opportunities AI presents, noting that threat actors are leveraging AI to scale traditional cyberattacks like phishing. He expresses optimism about the cybersecurity community’s commitment to addressing these challenges and highlights regulatory efforts, such as guidance issued to the insurance industry on AI use in underwriting, to mitigate risks including bias. The episode closes with Alex sharing a personal anecdote from his time at the White House and providing contact information for Hilco Global Cyber Advisors.

Key Points

Alex’s career journey from police officer to cybersecurity expert in public and private sectors
Development of the first-ever cyber sanctions regime to economically deter cybercrime
The importance of collaboration across government agencies to address complex cyber challenges
The evolution and sophistication of the cyber insurance industry in reducing asymmetry
The dual impact of AI on cybersecurity: expanding threats and fostering innovative defenses.

Key Quotes

“The idea that cybersecurity issues and economic issues were actually interconnected was not widely accepted [in 2010]. It was still emerging. Fast forward to today. It is abundantly clear the intersectionality of those issues.”
“Companies are always as weak as their weakest link.”
“If you let the nature of the products and services that are being provided better inform and drive the cybersecurity solutions instead of vice versa, I think there will be a greater adoption.”
“Threat actors are expanding their capacity and capabilities leveraging AI … but it is the speed and scale at which it is becoming exacerbated that I think is most concerning.”

About Our Guest

Alexander Niejelow is Executive Director of Global Cyber Advisors at Hilco Global, bringing deep expertise in cybersecurity, fintech, and digital policy from leadership roles in both the private sector and government. He previously served as Deputy Superintendent for Innovation Policy at the New York Department of Financial Services, leading initiatives on AI and emerging fintech. At Mastercard, he was Senior Vice President for Cybersecurity Coordination and Advocacy, overseeing global cybersecurity and technology policy efforts. Alex also held key government positions, including Director of Cybersecurity Policy at the White House National Security Council and Chief of Staff to the U.S. Intellectual Property Enforcement Coordinator. He began his career as a litigator and holds a JD from the University of Pennsylvania and a BA from Duke University. Alex actively contributes to cybersecurity policy through board roles with the Center for Cybersecurity Policy and Blue Star Families, and has led global coalitions focused on cyber risk reduction and digital protection.

Follow Our Guest

Website | LinkedIn

About Our Host

National co-chair of the Cyber Center for Excellence, Marc Schein, CIC,CLCS is also a Risk Management Consultant at Marsh McLennan Agency. He assists clients by customizing comprehensive commercial insurance programs that minimize the burden of financial loss through cost effective transfer of risk. By conducting a Total Cost of Risk (TCoR) assessment, he can determine any gaps in coverage. As part of an effective risk management insurance team, Marc collaborates with senior risk consultants, certified insurance counselors, and expert underwriters to examine the adequacy of existing client programs and develop customized solutions to transfer risk, improve coverage and minimize premiums.

Follow Our Host

Website | LinkedIn

January 20, 2026February 3, 2026

Context is King: Tailoring Cybersecurity with Courtney Hans

Podcast: Play in new window | Download (Duration: 16:36 — 22.8MB)

Subscribe: RSS

Summary

In this episode of Chattinn Cyber, Marc Schein is chattin’ with Courtney Hans, a seasoned cyber professional with a unique background. Courtney shares that her path into cybersecurity was nontraditional, having started as a literature major and then spending about a decade as an adventure travel guide. She reflects on how the skills she developed during that time—understanding people’s motivations and goals—have been invaluable in her cybersecurity career, particularly in tailoring security strategies to individual organizational contexts.

Courtney emphasizes that cybersecurity is not a one-size-fits-all problem. She explains how, during her time at a SaaS startup, she prioritized cybersecurity investments based on the company’s specific risks and environment, such as focusing on application security over endpoint detection due to budget constraints and business needs. She stresses the importance of context in determining where organizations should focus their people, processes, and technology investments to have the greatest impact.

The chat then shifts to practical advice on how organizations can begin improving their cybersecurity posture, particularly through tabletop exercises. Courtney encourages organizations to leverage resources from their cyber insurance providers, many of which offer free or low-cost training and virtual tabletop exercises. She advises starting simple—having conversations about incident response plans and ensuring everyone knows their role if a cyber incident occurs.

Courtney also discusses the importance of engaging leadership in cybersecurity exercises. She suggests setting clear expectations, respecting executives’ time, and framing tabletop exercises as safe spaces to practice responses without pressure. She highlights that cyber incidents affect the entire organization, not just IT, and that practice builds muscle memory and helps identify gaps before a real crisis occurs.

Finally, Courtney outlines best practices for following up after tabletop exercises, including documenting observations, assigning responsibilities, and setting deadlines to ensure improvements are made. She acknowledges the discomfort some may feel participating in these exercises but stresses that creating a supportive environment where it’s okay to say “I don’t know” is crucial for identifying and addressing security gaps effectively.

Key Points

1. Nontraditional Path to Cybersecurity: Courtney’s background in literature and adventure travel shaped her people skills, which are critical in cybersecurity for understanding motivations and tailoring solutions.

2. Context is King: Cybersecurity solutions must be customized to an organization’s specific risks, environment, and priorities rather than applying generic controls.

3. Value of Tabletop Exercises: These exercises are essential for preparing organizations to respond to cyber incidents, helping build muscle memory and identify gaps in a safe environment.

4. Leveraging Cyber Insurance Resources: Many cyber insurance providers offer free or low-cost resources, including virtual tabletop exercises, which organizations should utilize.

5. Leadership Engagement and Follow-Up:Successful cybersecurity preparedness requires executive buy-in, clear expectations, and diligent follow-up with assigned responsibilities to ensure continuous improvement.

Key Quotes

1. “Context is king… each of our clients, in the insurance space, are different. What their risks are, what their environment looks like, dictates where their investments will have outsized impact.”

2. “Practice builds muscle memory, practice builds an awareness of where the gaps are, and always better to identify the gaps in a safe environment versus a real environment.”

3. “Plans are useless, but planning is indispensable.” — Dwight Eisenhower, quoted by Courtney.

4. “If you see something, say something… make sure people feel comfortable bringing those concerns to light.”

5. “It’s absolutely okay, maybe desirable, to say ‘I don’t know that yet’ because that’s what we’re here to figure out—where our gaps are.”

About Our Guest

Currently the Vice President of Cyber Services for AmTrustCyber, Courtney Hans brings a variety of experience into her work. In her early career, Courtney was an adventure travel guide with a short window to make a strong impression. Curiosity became her superpower as she learned how to uncover the inner motivations of diverse groups of guests. Guiding, just like cybersecurity, requires agility and a cool head during a crisis. Formerly the Head of Security and IT for a growing SaaS startup, Courtney joined AmTrust to help to reduce risk and deepen the relationship between carrier and insured.

Follow Our Guest

Website | LinkedIn

About Our Host

Follow Our Host

Website | LinkedIn

December 18, 2025February 3, 2026

Unveiling the Dark Web: Cyber Threat Intelligence and Forensics with Alyssa Lisiewski

Podcast: Play in new window | Download (Duration: 11:50 — 16.3MB)

Subscribe: RSS

Summary

In this episode of Chattinn Cyber, Marc is chattin’ with Alyssa Lisiewski, Managing Director at Ankura and one of the best known and respected cybersecurity experts in the country. The conversation begins with Alyssa sharing her early introduction to technology, influenced by her father who taught her to take apart and reassemble computers from a young age. Initially interested in forensic crime scene investigations, Alyssa shifted her focus to cybersecurity due to her father’s encouragement and foresight about the field’s growth. She started her career as an intern in diplomatic security’s computer investigations and forensics unit, then pursued a master’s degree while working as a government contractor, honing her skills in cybersecurity and high-tech crime investigations.

Alyssa’s career progressed into the intelligence community, where she specialized in digital forensics from an intelligence perspective, which differed from traditional digital forensics. She later worked at the Department of Defense Cyber Crime Center in Maryland, conducting forensic examinations and testifying in court cases. Transitioning to the private sector, Alyssa led a digital forensics team at a major financial company focusing on insider threats before joining Anchor, where she combines her cyber threat and forensic expertise.

The discussion then shifts to clarifying common internet terminology: the surface web, deep web, and dark web. Alyssa explains that the surface web is the small portion of the internet most people use daily, such as Google and social media. The deep web contains more anonymous and legal content like academic and medical documents, while the dark web is accessed via Tor and is often associated with illicit activities but also hosts legitimate anonymous communications.

Alyssa emphasizes the importance of proactive dark web monitoring for businesses. Beyond just detecting if stolen data is posted, monitoring can reveal chatter among threat actors about industries or competitors, enabling companies to anticipate and mitigate attacks. She shares a real-life example where her team identified a threat actor group’s tactics early, allowing a client to detect an intrusion that had gone unnoticed for a month, demonstrating the value of threat intelligence in incident response.

Finally, Marc and Alyssa chat about the benefits and challenges of incorporating dark web analysis into post-incident investigations. While it can clarify the true impact of a breach and assist in legal mediation, there are limitations due to the trustworthiness of data posted by criminals. Her team validates findings through metadata analysis and breach research. The episode closes with Alyssa inviting listeners to connect with her via email or LinkedIn for further discussion, highlighting her openness to sharing knowledge and engaging with the cybersecurity community.

Key Points

Alyssa’s Journey: Alyssa’s early exposure to technology and career path from forensic interests to cybersecurity and digital forensics.
Web Infrastructure: Explanation of the surface web, deep web, and dark web, including their differences and common misconceptions.
Threat Detection: The strategic value of proactive dark web monitoring for businesses to detect threats and industry chatter before breaches occur.
A real-world example of how threat intelligence helped identify a threat actor’s tactics and detect a breach earlier than usual.
The role of dark web analysis in post-incident investigations, including its benefits, limitations, and methods to validate data.

Key Quotes

“When I was four, my dad taught me how to take apart a computer and put it back together… he made sure I was learning about it from a very young age.”
“The surface web is really only 4 or 5% of the web. The majority of the web is the deep web and the dark web.”
“If you’re not monitoring proactively the dark web, chances are the first time you’re looking at the dark web is after that breach.”
“We knew … the threat actor group… and because of that, we were able to identify the actual true start of the incident, about a month prior to the update we were working on.”
“There are going to be situations where we may not be able to identify if data is out there, or we may identify it but not give any context… that’s why we do other things to try to validate it.”

About Our Guest

Alyssa Lisiewski is a Managing Director at Ankura in Washington, DC, bringing over 14 years of specialized experience in digital forensics, cybersecurity, and insider threat investigations. She has a proven track record of leading and conducting complex cyber investigations that protect critical digital assets across diverse industries including government, financial services, and legal sectors. Alyssa is highly skilled in operating within digital forensic lab environments, adhering to industry standards for evidence handling, and analyzing electronically stored information. She has been qualified as an expert witness in federal and military courts and has played key roles in program leadership, strategic service development, and partner engagement, driving innovation and excellence in cyber risk management.

Follow Our Guest

Website | LinkedIn

About Our Host

Follow Our Host

Website | LinkedIn

November 17, 2025February 3, 2026

AI Unmasked: Navigating Legal Risks and Realities with Cyber Attorney Ryan Steidl

Podcast: Play in new window | Download (Duration: 28:54 — 39.7MB)

Subscribe: RSS

Summary

In this insightful episode of the Chattinn Cyber podcast, host Marc Schein is chattin’with Ryan Steidl, a leading privacy and artificial intelligence attorney, to explore the evolving landscape of AI from a legal and cybersecurity perspective. Ryan shares his journey from Maryland to becoming a respected figure in data privacy and AI law, highlighting the influence of pioneering professors and his early work at Under Armour. He frames AI as an evolutionary technology that builds on existing data privacy and security issues but introduces new complexities due to limited human intervention in its processes.

Their chat delves into the current regulatory environment surrounding AI in the United States, which Ryan describes as a patchwork of state laws with no comprehensive federal framework yet in place. He discusses the recent veto of Virginia’s AI bill and the ongoing debate over a proposed federal moratorium on state AI legislation, emphasizing the tension between innovation and safety. Ryan also notes the role of federal agencies like the FTC and EEOC in shaping AI policy and how shifts in administration priorities—from safety to innovation—impact regulatory approaches.

Ryan advises business leaders to focus on the purpose behind AI adoption, urging them to carefully assess use cases, data needs, and risk tolerance before allowing AI tools in their organizations. He stresses the importance of governance, recommending cross-functional oversight teams and clear ownership at multiple levels—from enterprise governance to tool implementation and output accountability. He also highlights the necessity of rigorous vetting and ongoing risk assessments to manage AI-related risks effectively.

The chat further clarifies the distinctions between open-source AI models, public tools like ChatGPT, and private sandbox environments. Ryan warns against indiscriminate use of public AI models with sensitive data and advocates for controlled environments that offer greater security and customization. He also touches on emerging trends like synthetic data and regulatory sandboxes, which balance innovation with risk mitigation, citing Utah’s AI lab as a pioneering example.

Concluding on the topic of AI’s impact on cyber risk, Ryan offers a nuanced view: AI can both help manage and exacerbate cyber risks depending on how it is used. He underscores the increasing complexity AI introduces and the critical role of human oversight in accountability and enforcement. Ryan predicts that insurers will push organizations toward proactive risk management rather than reactive responses, emphasizing the need for continuous monitoring and anticipation of AI-related pitfalls. He closes by inviting listeners to access further resources and contact his team for guidance.

Key Points

AI as an Evolutionary Technology: AI builds on existing data privacy and security frameworks but introduces new challenges due to limited human intervention in its processes.
Fragmented AI Regulation: The U.S. currently has a patchwork of state-level AI laws with no comprehensive federal legislation, complicated by political debates such as the proposed moratorium on state AI laws.
Governance and Ownership: Effective AI adoption requires clear governance structures, cross-functional oversight, and defined ownership at multiple organizational levels.
Risk Assessment and Documentation: Organizations must implement thorough vetting processes, conduct ongoing risk assessments, and maintain detailed documentation to demonstrate accountability and compliance.
Safe AI Adoption Practices: Businesses should avoid using public AI models with sensitive data, favor sandbox or private instances, and consider synthetic data to mitigate privacy and compliance risks.

Key Quotes

“AI is more evolutionary than revolutionary, at least. It builds on a lot of topics that we’re pretty familiar with, especially in cybersecurity.”
“AI’s processing with limited human intervention heightens potential risk, so we have to dive deep into how we approach, analyze, control, and comply with it.”
“The current AI regulatory landscape in the U.S. is a patchwork, with states like California, Utah, and Colorado leading, but no comprehensive federal law yet.”
“Purpose, purpose, purpose — understanding why you’re using AI and what problem you’re solving is the foundation for managing risk.”
“Humans will need to be involved in AI no matter how much intervention happens … Insurers will demand organizations be proactive, not reactive, in managing AI risks.”

About Our Guest

Ryan Steidl, based in Seattle, Washington, is a member of Constangy’s Cyber Team and part of its compliance advisory group, where he provides strategic guidance on navigating complex data privacy and cybersecurity laws. He advises clients on compliance with diverse state, federal, and international privacy regulations, helping them develop business-focused data protection strategies that minimize legal risk and align with operational goals. Prior to joining Constangy, Ryan spent eight years at Grant Thornton as a founding member of their Cyber Practice and Senior Manager of the Privacy & Data Protection team, leading regulatory risk assessments, privacy program development, and compliance advisory for a broad range of clients including Fortune 500 companies, multinationals, private equity firms, and startups.

Follow Our Guest

Website | LinkedIn

About Our Host

Follow Our Host

Website | LinkedIn

May 28, 2025February 3, 2026

Point. Click. Hack: Snehal Antani on the Future of Autonomous Cybersecurity

Podcast: Play in new window | Download (Duration: 23:33 — 32.4MB)

Subscribe: RSS

Summary

In this insightful episode, Marc Schein interviews Snehal Antani, the CEO and co-founder of Horizon3.ai, about his entrepreneurial journey, the evolution of his company, and the future of cybersecurity. Snehal shares how Horizon3.ai grew from a handful of engineers working in a basement to a cutting-edge firm revolutionizing autonomous penetration testing. He walks listeners through the different startup phases, emphasizing how critical it is to develop a repeatable sales process, retain customers, and build operational excellence at scale.

Snehal discusses the complex challenge of preserving organizational culture during rapid growth, highlighting mistakes made during their first hyper-growth phase and the importance of investing in strong, well-indoctrinated management. He explains how a thoughtful approach to onboarding managers as cultural ambassadors ultimately led to a more stable, scalable team.

He offers a candid perspective on venture funding—detailing both the pitfalls of dealing with inexperienced investors and the value of bringing on seasoned operators as board mentors. Snehal uses his experience with crises, including the collapse of Silicon Valley Bank and the loss of his father, to underline the importance of developing “muscle memory” within leadership teams. He compares this to special operations units, where preparation and planning allow for excellence under pressure.

The episode shifts into technical terrain with a compelling explanation of autonomous penetration testing. Snehal shares how Horizon3.ai developed a system capable of autonomously discovering vulnerabilities and compromising environments without human input—essentially transforming cyber warfare into an algorithmic domain. He compares pen testing to chess, where well-defined opening and closing moves are followed by dynamic midgames.

Finally, Snehal forecasts a future in which cyberattacks will be AI-powered and nearly instantaneous. He warns that most current defensive tools are designed for human-centered responses, which will soon be obsolete. As evidence, he cites Horizon3.ai’s autonomous agent compromising a bank in under five minutes—twice as fast as the previous year. He predicts the first deepseek-enabled cyberattack within 90 days, calling it a wake-up call for the industry.

Key Points

Startup Phases: Snehal outlines the four key startup phases: building value, repeatable sales, scaling operations, and achieving operational excellence.
Culture During Hypergrowth: The key to scaling culture is hiring the right management and giving them time to assimilate before they scale their teams.
Autonomous Pen Testing: Horizon3.ai’s agent can autonomously discover and exploit vulnerabilities without human involvement.
Crisis Leadership: True leadership is tested during crises; muscle memory and planning are essential for executive teams.
AI-Powered Cyber Threats: Snehal predicts that the next wave of cyberattacks will be powered by open-weight AI models capable of adaptive exploitation.

Key Quotes

“You want to build that muscle memory as a CEO as early as possible… so you can stack excellence upon excellence.”
“PowerPoint is cheap. YouTube videos are cheap. Let our results do the talking.”
“My primary competitor is mediocre consultants.”
“Every defensive tool in the market today is designed for humans at the center—and every one of them will be rendered obsolete.”
“The future of cyber warfare will be algorithms versus algorithms, and humans by exception.”

About Our Guest

Snehal Antani is the CEO and co-founder of Horizon3.ai, a pioneering cybersecurity company that leverages artificial intelligence to autonomously conduct penetration testing. Before founding Horizon3, Snehal served as the first Chief Technology Officer for the Joint Special Operations Command (JSOC), where he was instrumental in leading initiatives in data analytics, cloud/edge computing, and cybersecurity as part of the Commander’s executive team. His extensive experience also includes roles as CTO and Senior Vice President at Splunk, multiple CIO positions at GE Capital, and starting his career as a Software Engineer at IBM. Snehal holds a Master’s in Computer Science from Rensselaer Polytechnic University and a Bachelor’s in Computer Science from Purdue University, where he was recognized as their 2023 Distinguished Alumni. With 18 patents to his name, he is driven by a purpose to solve meaningful problems, create significant impact, and foster a culture of continuous learning. His leadership principles emphasize servant leadership, prioritizing business needs over political popularity, and letting results speak for themselves.

Follow Our Guest

LinkedIn | Horizon3.ai

About Our Host

Follow Our Host

Website | LinkedIn

April 22, 2025February 3, 2026

The Currency of Trust: Navigating CMMC with Mark Jackolski

Podcast: Play in new window | Download (Duration: 9:09 — 12.6MB)

Subscribe: RSS

Summary

In this episode of Chattinn Cyber, cybersecurity expert Mark Jackolski, Director of Risk and Compliance at Show Proof, shares his journey from Long Island technician to national leader in cyber compliance. With a foundation in information systems from Stony Brook University, Mark discusses how his passion for technology evolved into a career focused on helping organizations meet rising cybersecurity standards.

The heart of the conversation is the Cybersecurity Maturity Model Certification (CMMC), a framework initiated by the Department of Defense to ensure that contractors protect controlled unclassified information. Mark explains that while compliance with NIST 800-171 has been required since 2017, CMMC introduces verification—organizations must now demonstrate their cybersecurity posture through third-party assessments to remain eligible for federal contracts.

Beyond meeting DoD requirements, Mark describes how CMMC builds reputational credibility, calling it “the currency of trust.” He emphasizes the strategic advantage of showing compliance through a recognized badge rather than repeated explanations, which streamlines the contracting process and establishes confidence with partners and clients.

When asked how organizations should begin preparing, Mark advises starting with people: appointing a program leader, engaging executive buy-in, and mapping where sensitive data flows. He warns against relying on underqualified partners and stresses the importance of assessing technical, administrative, and physical requirements early. Missteps—like poor documentation or unclear scoping—can lead to wasted time and resources.

Finally, Mark highlights the growing relevance of CMMC beyond the DoD. New regulations aim to standardize data protection across all federal agencies, meaning businesses even tangentially involved in government work may soon fall under its scope. As CMMC requirements become embedded in contracts by summer 2025, organizations that prepare now will gain a competitive edge in the expanding defense and government market.

5 Key Points

CMMC Explained: The Cybersecurity Maturity Model Certification verifies that organizations working with the Department of Defense meet NIST 800-171 cybersecurity standards.
Strategic Advantage: Earning CMMC builds trust and provides a significant edge in securing government contracts by signaling a strong cybersecurity posture.
Preparation Starts with People: A successful CMMC journey begins by appointing accountable personnel, securing executive alignment, and clearly mapping the flow of controlled unclassified information (CUI).
Pitfalls and Guidance: Common mistakes include working with unqualified providers and underestimating documentation requirements. Mark recommends finding certified experts through the Cyber AB marketplace.
Growing Scope: CMMC will expand beyond the DoD to other government agencies, making early adoption a strategic move even for subcontractors or non-defense contractors.

5 Key Quotes

“It’s the currency of trust.” – Mark on how CMMC serves as a reputation badge in the defense industry.
“Start by appointing somebody to oversee the entire process.” – On the critical role of leadership in compliance efforts.
“Documentation is key—not just technical controls, but the processes and people behind them.”
“If you’re going to develop a policy or some other procedure, there has to be buy-in from the organization.”
“CMMC started with the DoD, but it’s going to expand to other government agencies. This is just the beginning.”

About Our Guest

Mark Jackolski is a creative and team-oriented cybersecurity professional with a deep-seated passion for technology. He specializes in assisting small to medium-sized businesses in enhancing their security posture and achieving compliance with industry standards. With a persistent drive to deliver exceptional results, Mark offers strategic virtual Chief Information Security Officer (vCISO) services that emphasize risk management, security program development, and regulatory alignment.

Dedicated to continuous learning, Mark is committed to refining his skills and adopting innovative approaches to cybersecurity. He partners with clients to transform cybersecurity from a mere compliance requirement into a competitive advantage. His expertise spans complex frameworks, including HIPAA, ISO 27001, CISv8, NIST, and CMMC 2.0, enabling him to guide organizations through the intricacies of regulatory compliance effectively.

Follow Our Guest

LinkedIn | Website

About Our Host

Follow Our Host

Website | LinkedIn

February 11, 2025February 3, 2026

Navigating Cybersecurity Contracts: Insights from Ken Rashbaum

Podcast: Play in new window | Download (Duration: 20:11 — 27.7MB)

Subscribe: RSS

Summary

In this episode of Chattinn Cyber, Marc Schein welcomes back Ken Rashbaum, a partner at Barton LLP and a professor at Fordham Law School. Ken, a well-respected privacy attorney, shares his journey from being a trial lawyer and prosecutor to becoming a leading figure in data protection and cybersecurity. He discusses how his early work in healthcare law, particularly with the introduction of HIPAA, paved the way for his focus on privacy and cybersecurity on a global scale.

Their chat shifts to the current landscape of data protection regulations in the U.S. Ken explains the fragmented nature of these laws, which primarily exist at the state level, with only limited federal regulations in healthcare and children’s information. He expresses skepticism about significant changes in federal regulation following the recent presidential election, highlighting the philosophical divide between the two major political parties regarding privacy legislation. Ken emphasizes that voters are increasingly concerned about the privacy and security of their personal information, which complicates the regulatory landscape.

Marc and Ken then delve into the importance of cybersecurity provisions in contracts, particularly for midsize businesses. Ken argues that simply stating compliance with applicable laws is insufficient due to the evolving nature of cybersecurity regulations. He advocates for more detailed cybersecurity requirements in contracts to provide clarity and certainty for all parties involved. Ken also addresses the challenges small and mid-sized businesses face when negotiating contracts with larger corporations, suggesting that they assess risks and consider mitigation strategies, such as implementing multi-factor authentication.

The discussion also touches on the implications of the General Data Protection Regulation (GDPR) for businesses that may not operate in Europe but have customers there. Ken advises that companies should be aware of their obligations under GDPR if they market to EU residents, as the global nature of the internet makes it difficult to avoid these regulations. He stresses the importance of transparency and understanding the data protection implications of using artificial intelligence in business agreements, given the rapid development of AI technology.

Finally, Ken highlights the need for continuous learning in the field of cybersecurity and data protection, urging professionals to stay updated on current changes and adapt to the evolving needs of businesses. He concludes by encouraging open communication and collaboration between legal advisors and businesses to ensure that contracts are tailored to meet the specific needs and risks of each party. The episode wraps up with Ken sharing his contact information and resources for listeners seeking further guidance on these critical issues.

Key Points

Fragmented Data Protection Regulations: Ken explains the current state of data protection laws in the U.S., highlighting the lack of comprehensive federal regulations outside of healthcare and children’s information. He notes that most regulations exist at the state level, leading to a complex and inconsistent legal landscape.
Importance of Detailed Cybersecurity Provisions in Contracts: The conversation emphasizes that simply stating compliance with applicable laws in contracts is insufficient. Ken advocates for including specific cybersecurity requirements to provide clarity and certainty for all parties involved, especially given the evolving nature of cybersecurity regulations.
Challenges for Midsize Businesses: Ken discusses the difficulties that small and midsize businesses face when negotiating contracts with larger corporations. He suggests that these businesses assess their risks and consider mitigation strategies, such as implementing cybersecurity measures like multi-factor authentication.
Implications of GDPR: The podcast addresses the relevance of the General Data Protection Regulation (GDPR) for businesses that may not operate in Europe but have customers there. Ken advises that companies should be aware of their obligations under GDPR if they market to EU residents, as the global nature of the internet makes compliance necessary.
Continuous Learning and Adaptation: Ken stresses the importance of continuous learning in the field of cybersecurity and data protection. He encourages professionals to stay updated on current changes and to maintain open communication with businesses to tailor contracts to their specific needs and risks.

Key Quotes

On the State of Data Protection Laws: “We only have national data protection law in the U.S. in healthcare, for public companies, and children’s information. Everything else is at the state level, and the states very much want to keep that prerogative.”
On Cybersecurity Provisions in Contracts: “When you say parties are going to meet applicable law, a good response to that question is, what does that even mean? The law is all over the place… it differs from state to state, from country to country, from industry to industry.”
On GDPR Compliance: “Generally speaking, they are subject to the GDPR if they are marketing to customers who are residents of the European Union… any time you throw up a website, you are basically marketing globally.”
On Continuous Learning in Cybersecurity: “Working in this space requires a dedication to continuous learning… too many advisors think that they are, you know, like Moses with tablets coming down from Mount Sinai. You really have to keep up with current changes.”

About Our Guest

Kenneth N. Rashbaum is a distinguished legal expert specializing in privacy, cybersecurity, and e-discovery, advising multinational corporations, financial services, and life sciences organizations on the complexities of electronic information management. With extensive experience in information governance, he ensures compliance with federal, state, and international laws while navigating the legal and regulatory challenges of e-commerce. Ken is adept at preparing and negotiating technology contracts, including service level and license agreements, and provides guidance on privacy and cyber liability insurance applications. He leads assessments and remediation initiatives for data breaches, develops social media compliance policies, and represents clients in federal and state investigations. An internationally recognized thought leader in electronic discovery, Ken has served as national e-discovery counsel for major pharmaceutical companies and has contributed to legislative efforts in New Jersey regarding privacy and cybersecurity laws. He is also an Adjunct Professor of Law at Fordham University School of Law and has previously taught at Hofstra University. Prior to joining Barton, Ken was a senior litigation partner at Sedgwick LLP, where he co-chaired the E-Discovery, Compliance, and Data Management Practice Groups.

Follow Our Guest

LinkedIn | Website

About Our Host

Follow Our Host

Website | LinkedIn

December 10, 2024February 3, 2026

Navigating Cyber Threats: Insights from New York’s Cybersecurity Advisory Board

Podcast: Play in new window | Download (14.8MB)

Subscribe: RSS

Summary

In this episode of Chattinn Cyber, Marc Schein is chattin’ with Jeremy Shockett, a prominent figure in cybersecurity and former co-chair of the New York State Cyber Security Advisory Board. Mark introduces Jeremy, emphasizing his extensive background, including his previous role as a prosecutor. This introduction sets the stage for a discussion centered on cybersecurity practices, particularly the significance of tabletop and red team exercises in enhancing organizational preparedness against cyber threats.

Jeremy shares his professional journey, detailing his transition from a 24-year career as a prosecutor to his appointment by the governor of New York as the deputy secretary for public safety, where he oversees cybersecurity initiatives. He elaborates on the role of the New York State Cyber Security Advisory Board, which comprises leaders from both public and private sectors. This board advises the governor on cybersecurity policies and plays a crucial role in responding to real-time threats, highlighting the collaborative effort required to address cybersecurity challenges effectively.

The discussion then delves into the differences between tabletop exercises and red team exercises. Jeremy explains that tabletop exercises are hypothetical scenarios where participants discuss responses to simulated threats, helping organizations identify decision-making processes and vulnerabilities. In contrast, red team exercises involve actual simulated attacks conducted by hired experts to test an organization’s defenses in real-time. This distinction underscores the unique purposes and methodologies of each exercise type, emphasizing their importance in a comprehensive cybersecurity strategy.

Jeremy offers practical recommendations for conducting these exercises, advising organizations to start with tabletop exercises to establish decision-making frameworks and identify vulnerabilities before progressing to red team exercises. He outlines key takeaways from both types of exercises, such as understanding strategic decision-making, clarifying roles and responsibilities, and evaluating communication strategies. For red team exercises, he highlights the importance of identifying specific vulnerabilities and assessing the effectiveness of social engineering defenses, providing valuable insights for organizations looking to strengthen their cybersecurity posture.

The conversation concludes with Jeremy sharing a memorable experience from a tabletop exercise where he played the role of the governor. He emphasizes the importance of asking critical questions that challenge the status quo and drive effective responses to threats. Reflecting on his career transition from Miami to New York, Jeremy expresses gratitude for the opportunities he has encountered, reinforcing the value of preparedness and collaboration in the ever-evolving field of cybersecurity.

Key Points

Importance of Preparedness: The discussion emphasizes the necessity of conducting both tabletop and red team exercises to prepare organizations for potential cyber threats. These exercises help identify vulnerabilities and establish effective response strategies.
Differences Between Exercise Types: Jeremy clearly distinguishes between tabletop exercises, which are discussion-based and focus on hypothetical scenarios, and red team exercises, which involve real-time simulated attacks. Understanding these differences is crucial for organizations to implement effective cybersecurity training.
Sequential Approach to Exercises: Jeremy recommends that organizations conduct tabletop exercises first to develop decision-making processes and identify weaknesses before moving on to red team exercises. This sequential approach enhances the effectiveness of the overall cybersecurity strategy.
Key Takeaways from Exercises: The conversation highlights critical insights gained from both types of exercises, such as understanding roles and responsibilities, evaluating communication strategies, and identifying specific vulnerabilities in defenses. These takeaways are essential for improving organizational resilience.
Leadership and Inquiry: Jeremy shares a personal anecdote about a tabletop exercise where he played the role of the governor, underscoring the importance of leadership and asking challenging questions. This approach fosters a culture of inquiry that can lead to more effective crisis management and decision-making in cybersecurity scenarios.

Key Quotes

“Part of public safety is cybersecurity. And part of that job is to be the co-chair of the Cybersecurity Advisory Board.”
“A tabletop exercise is a hypothetical. It’s a pretend threat… you work through in a systematic way how the entity… is going to respond to it.”
“My advice would be the tabletop exercise goes first. You get a real sense of who should be making decisions.”
“You get to learn about your communication strategy… how do you deal with your clients? How do you deal with maybe the press?”
“You can ask a question. Why can’t we fix this within an hour? The people of the state of New York need… fill in the blank.”

About Our Guest

Jeremy Shockett is a shareholder at Anderson Kill’s New York office, where he co-chairs the White Collar Defense group and is a member of the Corporate and Commercial Litigation practice. With extensive experience representing individuals and corporations before various federal agencies, including the DOJ and SEC, Jeremy has a strong background in pre-trial investigations and court proceedings. He previously served as the Deputy Secretary for Public Safety in New York, overseeing public safety and homeland security initiatives, and co-chaired the New York State Cybersecurity Advisory Board. His prior roles include Chief of the Trial Division at the Bronx County District Attorney’s Office, where he led over 200 prosecutors, and Special Assistant U.S. Attorney in the Organized Crime and Gangs Section. Jeremy is also an accomplished lecturer and trainer, having taught law enforcement and legal professionals both domestically and internationally. Outside of his professional pursuits, he has a passion for poker, which he enjoys discussing.

Follow Our Guest

LinkedIn | Website

About Our Host

Follow Our Host

Website | LinkedIn

November 13, 2024February 3, 2026

Unmasking Cyber Threats: The Rise of Spoofing and Phishing with Gideon Hazam

Podcast: Play in new window | Download (Duration: 10:36 — 14.6MB)

Subscribe: RSS

Summary

In this episode of Chattinn Cyber, Marc Schein is chattin’ with Gideon Hazam, a renowned expert in spoofing. The discussion revolves around the challenges faced by organizations in detecting and protecting against phishing attacks on their brands.

Gideon explains that his company spent six months meeting with Chief Information Security Officers (CISOs) from various industries to understand their main challenges related to phishing attacks. They identified three major challenges: detecting phishing attacks quickly, identifying the users exposed to these attacks, and finding ways to protect them.

To address these challenges, Gideon’s company developed a platform that has gained popularity and is now being implemented across sectors and organizations worldwide. The platform helps organizations detect phishing attacks on their customers quickly, identify the users at risk, and implement measures to protect them.

He then goes on to explain the connection between spoofing and phishing. Phishing is the platform used to conduct a cyber takeover, where attackers create fake websites to harvest credentials or steal money. Spoofing, on the other hand, is the technique used to generate these phishing attacks. It involves using spoofing tools to create fake websites or clone existing ones.

The conversation then delves into the susceptibility of different industries to spoofing attacks. Gideon explains that any organization with an online presence and customer interaction is a potential target for hackers. However, industries related to finance and money are particularly vulnerable due to the potential for financial manipulation and theft.

The discussion also touches upon the lifecycle of a phishing attack. It starts with building the phishing site, which is then detected and ideally taken down. However, the exposure window remains until the site is successfully removed. Even after takedown, the harvested credentials can still be exploited, posing a continued threat to organizations.

Gideon predicts that spoofing attacks will become more prevalent in the corporate world due to the increasing reliance on online activities and the availability of numerous spoofing tools in the market. He emphasizes the need for authentication solutions to ensure users are visiting legitimate websites and not falling victim to imposter sites.

The conversation provides valuable insights into the challenges posed by spoofing and phishing attacks, the connection between the two, and the need for robust authentication measures to protect against these threats. The discussion highlights the importance of detecting attacks quickly, identifying at-risk users, and implementing effective protection measures to safeguard organizations and their customers.

Key Points

Organizations face three major challenges when it comes to phishing attacks on their brands: detecting attacks quickly, identifying exposed users, and protecting them.
Spoofing is the technique used to generate phishing attacks, where attackers create fake websites or clone existing ones.
Any organization with an online presence and customer interaction is a potential target for spoofing attacks, with industries related to finance being particularly vulnerable.
The lifecycle of a phishing attack involves building the phishing site, detecting it, and ideally taking it down. However, even after takedown, the harvested credentials can still be exploited.
The prevalence of spoofing attacks is expected to increase due to the growing reliance on online activities and the availability of easy-to-use spoofing tools in the market.

Key Quotes

“Phishing is basically the platform to conduct a counter takeover in one hand. I will build a phishing site in order to harvest as many credentials as possible of any anyone. And secondly, I can use phishing to steal money. Simple as that.”
“The interesting part is that any firm, any organization that has online presence, which require interaction between end user and customer is a target for the hackers, because if they can use their tools to harvest credentials, that would anywhere on each industry or niche…”
“Detection and takedown … are the two major points. But takedown may take days may take weeks. Sometimes it takes even longer. And until the point that this site is down, the customers, the end users are still exposed.”
“The more online activities become, the more spoofing attack will be there. Because this is a huge surface for attackers to exploit … The number of … spoofing tools [that] exist today in the market is numerous.”

About Our Guest

Gideon Hazam is an accomplished senior sales and business professional with a wealth of experience in business operations, development, and strategic sales, complemented by strong technology and managerial skills. As the co-founder and Chief Operation & Security Officer of Memcyco, he leads the charge in addressing a critical cyber blind spot: brand impersonation attacks that jeopardize both companies and their customers. With a unique ability to analyze complex business challenges and devise effective strategies, Gideon emphasizes the importance of protecting users from the rising tide of phishing and social engineering attacks. His extensive background in corporate development and global sales, combined with a collaborative and creative leadership style, positions him as a key player in the cybersecurity landscape. Passionate about safeguarding consumers in an evolving threat environment, Gideon is eager to engage in discussions about enhancing online protection measures against the ever-growing onslaught of cyber threats.

Follow Our Guest:

About Our Host

Follow Our Host:

Website | LinkedIn

October 29, 2024February 3, 2026

Promises and Pitfalls: The Intersection of AI and Insurance with Marshall Gilinsky

Podcast: Play in new window | Download (Duration: 13:04 — 18.0MB)

Subscribe: RSS

Summary

In this episode of Chattinn Cyber, Marc Schein is chattin’ with Marshall Gilinsky, a partner at Anderson Kill, PC, focusing on the impact of artificial intelligence across various industries, particularly in insurance.

Marshall shares his background and explains how his interest in AI developed over time. He expresses his fascination with the technology, emphasizing its potential benefits and risks. Marshall believes that AI has the capacity to revolutionize numerous tasks and industries, but he also stresses the importance of understanding and regulating AI to ensure its safe and productive use.

The discussion then shifts to instances of AI misuse, where Marshall recounts a case involving a lawyer who relied solely on AI to draft legal briefs. This reliance led to significant failures and embarrassment for the lawyer, highlighting the need for caution and responsible use of AI to prevent similar mishaps in the future.

Mark inquires about the implications of AI for the insurance industry and seeks advice for policyholders. Marshall explains that while AI is a powerful new tool, it can both enhance and harm insurance operations. He notes that current insurance policies lack specific provisions for AI-related claims, advising policyholders to remain vigilant about potential risks associated with AI technologies.

The conversation progresses to the topic of AI regulations and future predictions. Marshall discusses the ongoing efforts by regulators to understand and ensure the safe development of AI. He emphasizes the necessity of balancing business interests with the protection of policyholders and investors. Although he acknowledges the challenges in making accurate predictions about AI’s future, he remains hopeful for conscientious engineering practices that prioritize safety and responsibility.

In closing, Mark thanks Marshall for his valuable insights and expresses interest in continuing the dialogue. Marshall appreciates the opportunity to discuss AI and mentions his ongoing learning and exploration in this rapidly evolving field. Overall, the episode underscores the importance of understanding and managing the risks and benefits associated with AI, particularly within the insurance sector.

Key Points

Fascination with AI: Marshall expresses a deep interest in AI, highlighting its transformative potential across various industries. He emphasizes the need to understand both the benefits and risks associated with AI technologies.
Cases of Misuse: The discussion includes real-world examples of AI misuse, such as a lawyer who relied solely on AI for drafting legal briefs, which resulted in failure. This underscores the importance of caution and responsible use of AI.
Impact on Insurance: AI is described as a double-edged sword in the insurance industry. While it can enhance operations, it also poses risks. Marshall notes that current insurance policies often lack specific provisions for AI-related claims, urging policyholders to be aware of these potential risks.
Need for Regulation: The conversation highlights the ongoing efforts by regulators to understand AI and ensure its safe development. Marshall stresses the importance of balancing business interests with the protection of policyholders and investors.
Challenges in Prediction: Marshall acknowledges the difficulty in making accurate predictions about the future of AI. However, he expresses hope for responsible engineering practices that prioritize safety and ethical considerations.
Continuous Learning: Ongoing education and exploration in the field of AI is important and reflects the rapidly evolving nature of the technology and its implications.
Responsible Use: The conversation reinforces the need for a cautious approach to AI, advocating for responsible use to mitigate risks and maximize benefits in various applications, particularly in sensitive areas like insurance.

Key Quotes

On Fascination with AI: “The potential for benefits to society from… using AI in all sorts of tasks across the world, economic, personal, etc., are mind boggling. While at the same time the potential for harm is of great concern.”
On Misuse of AI: “There was a lawyer, who… relied exclusively on AI to draft some briefs. The chat bot basically wove the brief out of whole cloth, making up the facts and the law… It ends up being a magnificent failure.”
On the Impact of AI in Insurance: “It just seems at this point to present as a new type of thing that can go wrong and lead to a very common sort of insurance problem.”
On Regulation: “Everyone’s kind of learning together… businesses are trying to develop these tools in a way that enhances their operations and their profitability, and regulators are out there trying to make sure that it’s done in a way that’s safe.”
On Predictions for AI’s Future: “I think there’s a lot of conscientious engineers out there that are trying to do things in a way that’s safe and productive… But we live in a capitalistic marketplace where there’s strong incentives to build the biggest, baddest, most productive thing you can.”
On Continuous Learning: “I’m constantly talking to people to find out new things that are happening… because there’s constantly new things that are emerging all the time.”

About Our Guest

Marshall Gilinsky is a shareholder at Anderson Kill’s Boston office, specializing in Insurance Recovery and Commercial Litigation. He co-chairs the firm’s Sexual Harassment and Abuse Insurance Recovery Group and the Sports, Media, and Entertainment Group, while also being a member of the Banking and Lending Group and the Restaurant, Retail & Hospitality Group. With over 20 years of experience representing policyholders, Marshall has recovered hundreds of millions of dollars through successful litigation of complex insurance claims, including those related to high-profile events like 9/11, Hurricane Katrina, and Superstorm Sandy. He also assists clients with captive insurance companies, focusing on resolving coverage disputes with reinsurers. Known for his deep understanding of clients’ businesses and insurance programs, Marshall frequently writes and lectures on insurance topics and is often quoted in major media outlets, including The New York Times and CNN.