
Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
BIG LIES in Cybersecurity--Why We Need to Rebuild the Industry
In the world of cybersecurity, there are big lies that have been perpetuated about compliance, fixability and communication--and it's time to burn it all down and start over.
Many experts see one main cybersecurity truth, especially about AI, SIEM, EDR and related business technology. By examining the intersection of AI, cybersecurity, and compliance, we can gain a deeper understanding of the lies that have been told about the state of cybersecurity and work towards a more secure future. Tune in to this thought-provoking discussion and discover a new perspective on the big lie of cybersecurity compliance.
Speaker 1 (00:04.344)
Data breaches are always in the news, but for every breach headline you read, there's a deeper truth nobody's talking about. Joshua Copeland's new book, Unpopular Opinion, rips the cover off the lies we tell ourselves in cybersecurity and shows us how to rebuild before it's too late. Look, cybersecurity is broken, but it's not broken by hackers or cybercriminals. It's by the defenders, career paths, and the vendors.
Today Josh exposes the myths, the bad habits, and frankly the bull crap that's holding the industry back. So buckle up, this one might sting. This is Cyber Crime Junkies, and now the show.
Speaker 1 (00:54.456)
Catch us on YouTube, follow us on LinkedIn, and dive deeper at cybercrimejunkies.com. Don't just watch, be the type of person that fights back. This is Cybercrime Junkies, and now the show.
Speaker 1 (01:14.638)
All right. Well, welcome everybody to Cybercrime Junkies. I am your host, David Mauro. And today we're joined by Joshua Copeland, a veteran and cybersecurity leader, author of a fantastic new book called Unpopular Opinion: Burning Down the Bullshit to Rebuild Cybersecurity, and someone who spent decades in the trenches protecting everything from federal systems to Fortune 500 enterprises. He's known for telling hard truths most people in this industry are afraid to say out loud. And today he's here to do just that. Josh, welcome to the studio, my friend.
Thanks for having me. It's always a pleasure to be here talking with you.
Great. So tell us about the book. What drove you to see the need to kind of explain some of these things?
So I'll say that the journey kind of started about four years ago. I was on LinkedIn and seeing a lot of the, what I call, self-licking ice cream cone of everything's awesome in cybersecurity. And while I think cybersecurity is amazing and a great field to be in, we have a lot of problems and we have a lot of stuff that needs to kind of get fixed. And we didn't have a lot of folks calling out what was wrong and what we need to fix.
Speaker 2 (02:31.628)
So instead of being a passive person just sitting going, you know, someone should say this, I decided, well, I'll start, you know, giving my thoughts and opinions based off of my now almost 30 years' experience in cybersecurity. And it really just started with me doing some pretty basic rants about the things I thought needed to be fixed. I had people over the course of the last four years say, you know, you should really turn this into a book. And I always said, no.
Nobody's going to read that, nobody's going to care. Finally, my wife was like, no, you really need to put this down because you're putting a bunch of good stuff out on LinkedIn, but that goes away eventually. You can't search it. You can't find it. You know, put it down in something, you know, physical, whether it's a physical book or on your Kindle app, that kind of lays it out in a way that makes sense. And I'm like, all right, I'll do that. And it's been about a year kind of just going through my thoughts on
what I needed to do, what I thought could be valuable to other folks and where I thought as an industry we should be going.
Well, what I love, one of my favorite books is Smart Brevity. Like, to me there's a lot of sophistication in succinctness and boiling things down to, like, the essence of it, and I think we can all benefit by saying more with fewer words, right? Because otherwise we just kind of create these word salads and it becomes nonsense after a certain point. And what I love about your book is you go through some pretty real topics.
And you have, like, it is just laid out very, like, this is why it matters. Here's the data, right? And here's what we're seeing in the industry. It was a really good read. Like, it really resonated with me. So congratulations. It's available everywhere. We'll have links in the show notes for everyone. A couple of things. You talk about a truth problem and, you know, I will say that I don't know.
Speaker 1 (04:35.468)
I don't have the same experiences that you have had obviously. So I don't, I didn't know a lot of this stuff, which was really interesting. Some of the stuff, some portions I did know and I couldn't agree with you more. Like I got to tell you, like you point out some things that are so ingrained in the, in the industry that are real issues, right? And business leaders don't know they're being sold boxes that will cure security and it's nonsense, right? And it's really, really interesting.
So you talk about a truth problem. You say in the book that cybersecurity has a truth problem. And what exactly do you mean by that? Like, what are some of the biggest myths or accepted truths in the industry that you think are the most harmful?
So, and really it's not a truth problem by the malicious, it's a truth problem in that we're in a position where we have to sell cybersecurity as something that organizations should do. And we get a lot of pressure to tell the story that senior leadership wants us to tell. So one of the biggest things, you know, I see in the field is things like attestations, you know, a SOC 2 and ISO 27001, you know, those kinds of things.
It really depends on the quality of the auditor you have, and on how well you maintain those controls through the periods that you're not being actively audited. So just because I have a, you know, SOC 2 Type 2 audit doesn't mean that that's a true attestation of my security posture. It says on this date and time, based off of this particular auditor's viewpoint, which I've seen really, really great auditors and I've seen really
bad auditors where you see a SOC 2 from them and you go, maybe I'm not going to use that vendor because I know the quality of their audit reports. So it's not really one of those things where, yes, I'm telling you, we have a SOC 2, but is it a quality SOC 2? Is it something I'm going to stand by and say, I put my professional name against the quality of this report? And we have a lot of people who are afraid to say, you know, no, that this is not
Speaker 2 (06:48.878)
the level we need, we need to go more in depth beyond what this says, because we look at security as we've met the minimum compliance requirements for our industry, whether it's Sarbanes-Oxley, whether it's a SOC 2 because you're a service provider, ISO 27001 because you're providing some kind of services, or you're a publicly traded company and you have to file your SEC reports. We kind of look at that compliance as, this is good.
And the real answer is, just because of the way threats evolve, anything that's compliance based is going to be five to 10 years behind what the actual threat level is. So yes, I'm secure per the standard, but am I really secure compared to where I need to be? So I think that's where the truth telling comes in, where I can tell you that I meet the compliance standards, but where am I truly beyond that in my security story? And it goes back to the same things with
things like certifications.
I was just about to say, can that same observation and analogy be applied to certifications? They're like a necessary evil. We need to know somebody's at a certain level, but that doesn't mean that they're ready to manage a SOC or even work in a SOC yet. Right? They just, they know that information at that time and date. Is that fair? Yeah.
Yeah, and I can give you tons of examples. You know, I was interviewing a candidate who had a CISSP and a master's degree in information assurance with a focus on health. And I asked what I consider a fairly standard question, you know, tell me a cybersecurity regulation, framework or requirement that you know, and how the job that you're interviewing for would apply that to that role. You know, not anything high level, it should be a fairly softball question, very wide open. And this is a person who has a CISSP
Speaker 2 (08:38.477)
and a master's degree in information assurance with a focus on health. And I kind of got a blank stare and they couldn't spit out simple things like HIPAA or HITECH. You'd think that they would know that right off the top because their master's degree had a focus in health. You know, they have a CISSP, 26% of the CISSP is regulations, laws, frameworks, standards. Couldn't give me, you know, HIPAA, couldn't give me, you know,
PCI DSS, couldn't give me, you know, FedRAMP, couldn't give me, you know, NIST 800-53, 800-171, CMMC, any of these things that we talk about all the time in the industry. So yes, you have the paper credentials, but I look at that and, you know, I have a paper tiger now. Someone who looks really good on paper, but when I put them under even a modicum of stress, they don't have the answer.
time.
Speaker 1 (09:33.518)
Yeah, I mean, I think that's analogous to other industries too. Think of somebody that graduates, passes the bar exam from an Ivy League law school, compared to somebody with five years of jury trial experience. Who cares what grades they had, what law school they went to? Like, which one do you feel more comfortable representing you? Like, the more experienced person, the person that gets it, right? Like, that understands the war of it.
And I think that is being played out a lot in cybersecurity. Does that make sense?
Oh, yeah, that absolutely makes sense. And then even to the truth telling piece, you know, we see the ads for things like cybersecurity bootcamps and, you know, get your degree and the entry level salary for this is this, and the numbers they present are not fictitious. So you'll see a Security+ bootcamp saying the average salary for somebody with Security+ is $80,000 a year. And I will not argue the fact that it is, but it includes people like me who have,
you know, 90 other certifications, a master's degree and 30 years' experience, along with the person who's just graduating that bootcamp. And you can't compare those apples to apples. You know, when you look at the real numbers, the folks graduating from a Security+ bootcamp, you're looking at typically between 40 to 60K a year, not 100, 120K a year. And that's right, they're telling the truth, but they're spinning it in a way that's misleading.
Yeah, and they're over-promising and under-delivering, right? And then people get upset, right? Because they're investing their time, their money, their energy in this with an expectation that's being set that just isn't realistic. And if we just get to the truth, it's still a fantastic career. It still might be a good bootcamp to go to, but just go into it being honest and having realistic expectations, right?
Speaker 2 (11:36.642)
Yeah, absolutely. And you know, I am not anti-bootcamp. Bootcamp absolutely serves a purpose. You know, I'm a big proponent of the folks who, you know, do your studying, get yourself ready, understand the fundamentals, and then use a bootcamp to, you know, sharpen your sword right before you take the exam. You know, make sure you've covered everything, you know, get touched up and brushed up, so you're at the sharpest you're going to be to take that exam. I think that's the absolute best use case of the bootcamp. Now, if you're going to...
The whole intent is that I walk in with little to no knowledge and spend four days being firehosed with information to, you know, brain dump that on a test on Friday and then flush it all on Saturday. You know, that's no value to anybody. It's not a value to you. It's not a value to your prospective organizations you're going to be a member of. You just, you've spent money and now you have a piece of paper that says, you know, stuff that you don't really know.
Right. If somebody is younger, let's say 25 to 30, they have graduated college in an unrelated field, but they have a passion for entering into cybersecurity. They go and they take the, let's say, the Security+ exam. They pass that, but they don't have any hands-on training in a SIEM tool or working in a SOC or things like that. Are there
that they can take to learn? Is there a home lab they can create? Are there boot camps, or, I guess my question is, what ideas could you share to a younger you or to these people that reach out to us sometimes? I'm not a career counselor and I don't work in a SOC. I just do the business aspect of it, right? Myself. So I want to help them. I just don't know how, is my point.
Yeah, that's a great and fair question. There are great paths that are out there, particularly for career changers. There are several organizations that are doing apprenticeship programs, where you can truly get in and they'll do legitimate education, get you trained and then get you placed with an organization.
Speaker 1 (13:45.284)
That's great. What are some of the names of those? Like, just generally. Anything, not that you're endorsing them, just ideas, things that you've heard.
I'll give you two, I'll endorse both of them. You can put me on record as that. Cyber Warrior, it's based out of Boston, and then Cyber Up, based out of Missouri. Both top tier organizations that produce high quality candidates and do a really good job at getting folks placed into the field. And when they get on the job, they actually know what they're doing. It's not a, you know, a boot camp. This is a months long process where they're truly
ingrained into the material. Other opportunities are, you know, there are tons and tons of nonprofits in your local area, ranging from anything that you have a passion for. And every one of them is budget constrained and looking for help in cybersecurity. If you're willing to go put in some time and effort to do some pro bono work for a nonprofit, those are great opportunities.
That's a great idea.
One, it helps your community. Pick one that you're passionate about. If you're really passionate about dog rescue, there are tons of dog rescues that are out there. If you're passionate about children's charities, there are tons of children's charities out there. Pick what you're passionate about and help them be better at their cybersecurity. Because ultimately, they're probably raising funds. There's lots of things that you can help them with from a cybersecurity perspective. And that gives you that real hands-on keyboard in a real operating environment.
Speaker 2 (15:16.994)
that you can dump on your resume and say, yes, I did this. It doesn't matter that you didn't get paid for it. It's legitimate work. And then to your point, you know, home labs, lots of vendors offer free training on their tools. Particularly SIEMs, SOARs, EDRs provide a plethora of different training opportunities. Get in and do those things. The more you kind of get hands on with the things, the better you're going to be in an interview, because we're going to ask you questions. And it's less about which tool you know, because it's really
But how they... Yeah, it's about how they work, how they integrate into different systems. What's their real role, right? Because when I think about all those different platforms, it's really about visibility, right? Being able to spot anomalies and see things, but they all cover different things. Some cover the endpoints, some cover the Microsoft 365 Suite, some cover the entire tech stack, you know, some orchestrate it all. You need to understand the context in which you're threat hunting and...
how to threat hunt, how to build those cases and look at that behavior, right? I mean, that's what it seems like.
And the thought process behind it is tool agnostic. Building out how you would use a tool is not necessarily dependent on the tool. Whether I'm using Splunk or I'm using FortiSIEM or I'm using Devo, each one of those is going to operate in a wildly different manner. But they all do the same end product and you're going to get the same kind of results, which require you to have the same analytical thought process. So if I know that you can operate a,
we'll say, a Splunk, and we're an Azure Sentinel shop, it's going to take you a little bit of time for upskilling on that particular platform, but I already know that you know how to do the actual function.
Speaker 1 (17:04.235)
Different flavor, right? Like it's not, it's not night and day. It's just a different, different nuances. Some might have different modules and be able to see telemetry differently, but it's not going to be that foreign in general, right?
Right. And it's no different than other things like programming. You can be a programmer in one language, and if you understand how to program, the upskill to learn another language is not insurmountable and is generally fairly quick.
And I think that's in any field. Even salespeople, when they leave an organization, start a new one, they might be a Salesforce shop and now they're over at HubSpot, right? And then, and they're at a shop, they have to learn HubSpot. Like, there's modules, there's trainings, there's a billion videos for you to learn. Like, just learn along the way and just, you know, embrace it, absorb it, be a sponge.
And even outside of vendors, LinkedIn and YouTube are fantastic. There's a YouTube video for anything that you want. There are a lot of professionals on LinkedIn that will happily book out 30 minutes and chat with you on what they're doing. If you're interested in a role, go on LinkedIn and find folks that are doing that type of role and just ask them for 30 minutes of time just to talk.
YouTube is
Speaker 2 (18:28.174)
what their career is. I will absolutely wager to say at least 25 % of them will go. Yeah, sure. I'll give you 25 minutes. you 30 minutes and just chat with you. Right. Because ultimately we all want the field to grow. We want to be able to retire at some point and not wake up at three o'clock in the morning when my phone goes off because something bad has happened. I want someone to replace me at some point and the only way I can do that and sleep well at night is by growing that next generation.
and having those conversations is how we do that.
Yeah, absolutely. So you talk about burning down the bull crap to rebuild cybersecurity. What needs to be burned down? Like, I get what you mean with the rebuilding part, but what are the parts that need to be burned down? And kind of, I know it's not like a revolutionary, like in the streets burning down, but you're saying like some of these systems, some of these things just need to start over.
Right, because they've kind of morphed and decayed in a sense, right?
Yeah. So really it's taking a fresh look at how we do cybersecurity. For the past, I'll say 40 years, we've largely considered security as a full on after the fact thing. We build stuff, then we go, crap, we need security. So flipping that on its end, you know, really embracing, the term is DevSecOps. I think it should be SecDevOps. Your security should be first and then you're doing secure development, rather than development with security on it.
Speaker 1 (20:04.748)
It's an app dev guy who named it, I'm sure. It's an app dev guy, not a security guy who named that.
But really kind of taking a look at how we're doing things. We've done cybersecurity awareness training for decades upon decades. I was DoD for 20 years and I had the same guy steal my iPhone for 10 years, every year on my cybersecurity training. And you click, click, click, click, answer the questions, get through as quickly as possible. And we've made some headway in micro training and being more engaging, but we're still focusing on things that are
not necessarily in our control. People, we can do a lot of training, but Sue from accounting is still going to click on the "want the free tickets to whatever concert" like every single time. There's not anything we're going to do about it. And we're likely not going to fire Sue from accounting for that because she's a fantastic accountant. So we have to work on building systems that are resilient to what we know humans are going to do. Not saying that we don't train humans, but we've got to focus on the things that we can control.
Exactly.
Speaker 2 (21:10.402)
Build the systems resilient. You know, look at things from a perspective where we're changing the perspective where most organizations view security as a cost center. And the old line of thinking absolutely is a cost center. It's something we dump money into. There's no return on investment. But a good cybersecurity leader can flip that and go, this is an investment in your marketing. You know, by getting these security practices in place and being top tier in these practices,
now you have opened the aperture to your sales. If you've been a, you know, SMB market organization, when you level up your security posture, now you are open to those Fortune 100, Fortune 500 companies where
There's so many different ways to articulate it, right? I mean, like, you are building on trust. You're asking for your customers' money, their private data, their credit card information, their banking, their life savings, whatever it is that you are selling. You're asking them to trust you. And by having vast, you know, like by bolstering your cybersecurity layers, right? You are able to, if you articulate that right, it goes directly into sales,
because it is something that can wrap around every single offering to just demonstrate that you are trustworthy, and that they know that they can trust in doing those things, in providing that info. We don't sell your data. We don't, you know, we care about whether we lose your data, like that. That matters to people. People are getting fed up with, you know, everybody getting all their stuff and just doing whatever they want with it.
And then you can even take it a step further and know, you know, the big thing that everyone talks about right now is AI. Now, there are some frameworks out there for AI security. There's the ISO 42001 standard and there's the NIST AI framework. Look at that and go one of two things. You can say as an organization, I'm just going to wait until it's more mature and everyone else has it and then it becomes table stakes.
Speaker 1 (23:09.344)
Yep. That came out a couple years ago.
Speaker 2 (23:23.362)
There's no return on investment in doing it, or you can be a leader in your field, get that on board and get it implemented. And now that's a sales differentiator between you and your peers, saying, yes, not only are we doing all the things everyone else is already doing, and consider that just straight table stakes like a SOC 2 and ISO 27001, but we're also doing this AI framework that's on top of that to make us more secure. We're going above and beyond our peers, and that investment
has a much better return on investment when everyone else isn't doing it. And it's not table stakes anymore.
Absolutely. Well, and AI, I think AI training and AI awareness and the proper use of prompting has to be integrated into traditional cybersecurity awareness, because there's organizations out there that haven't developed or enforced valid AI policies, right? They're not using compliant AI platforms or secure ones, ones with a
BAA or ones with the right data centers with controlled access, things like that. And then even once that's done, we still have users that are stressed out, that are uploading sensitive information, asking AI generatively to summarize it and stuff. And they can't do that still, but they can do it if they anonymize it. If they do it right.
Yeah, and that's one of the key things with pretty much any technology is the security folks are widely known as the Department of No. You want to do something and we say no, it's not secure.
Speaker 1 (25:04.802)
Yeah, you talk about that. Yeah.
But we have to change that to where we're the department of yes, if. Yes, if we can do this, where we're going to get, you know, an enterprise ChatGPT where we can enforce some data loss prevention on it and that we can do true monitoring. And we've signed the zero data retention agreement with OpenAI, so we know that that is not being stored or reused to train their models, and provide them the way forward on that. Because ultimately humans are really, really smart,
and they're going to find ways around whatever we put in place. I can have the most locked down endpoint in my environment. And someone brings one of these into the office. And now everything that I thought was secure is not.
Right.
Speaker 2 (25:51.854)
Cool thing is, I can have something on my screen, snap a photo of it and upload that into ChatGPT, Gemini, Claude, whatever tool you wanna use, and it's gonna read what's on the screen and give you an output based off of that. So it doesn't matter what I do to lock down that endpoint, there are stable ways around that. So the real value is to provide that in a frictionless manner to your users in a way that you have control. And when you do that, you generate
better revenue, faster return on investment. And ultimately you can say, I know how things are working and how they're running and what's being used in my environment, because I've allowed them to do that in ways that are safe and sane and don't jeopardize the business. Where if you don't, you can't stand on two feet and say, yes, I am sure I've done everything I can. And ultimately AI will not defend you in court,
and AI will not do your jail sentence.
Correct. And we've seen how things have changed in the last five years to that end. You talk in the book about the importance, and maybe you say it, I believe you articulate it differently, but really the importance of making valid internal business cases when you have initiatives. And the challenge that the industry has is a lot of cybersecurity leaders have been technologists.
They don't come from the sales department or from a public speaking department or a presentation, you know, skillset. And they often struggle with blending the technical benefits to show how things are going and actually speaking in business terms. Like, this is working and it's affecting our revenue because we've reduced mitigation
Speaker 1 (27:50.968)
for this, this, and this. And that's a positive impact on the P&L. Things like that, right? Walk us through kind of what your observation is through your experience.
So I think across the board, there's an issue within cybersecurity that we aren't really great at transferring the bits and bytes of the things that we do into dollars and cents for the business. And until you can make that argument in dollars and cents and in risk, which is what all business people speak, you know, money and risk, you will have a hard time doing anything. And ultimately it comes down to, we can't expect
the CEO, the CFO, the COO, the chief marketing officer, and insert whatever C-suite executive that you want, expect them to come to us and learn all about CVEs and attack paths and the MITRE ATT&CK framework and MITRE D3FEND framework. We're going to have to come to them on the terms that they understand, which means we need to be better at business and understanding how things affect business. I can make a change because
I see it as a security gain and it's only going to add three seconds per transaction. But if I look at an organization as, you know, 4,000 people, three seconds per transaction increase in time, you're talking, when you map that out, 300 extra hours a month of work. Well, that's not tenable to any organization's P&L sheet. So you have to be able to come to the table and go, all right, what's the happy middle ground between this more security and where it's still usable
Right.
Speaker 2 (29:29.024)
and provides the, what I'll call, the right amount of friction? Because I don't want it to be so easy that my systems are wide open, but I also don't want it to be so hard that people find ways around it. So finding that balance, and how you do that is understanding the business. You need to go talk to your folks in operations, you need to talk to your financial management folks and understand what projects and what their pain points are, so that you can find solutions that not only fix their pain points, but also present a more secure solution.
And then you get buy-in before you present the project to the board, because you've already talked with those folks, you've built that trust. And when I go to them with a project that I want to drive, they feel comfortable that I've thought about what their concerns are. Now they're still going to voice them, but they already have a level of trust built where it's, I'm not coming in there demanding you do what I say because I'm the security guy. It's, here's a solution for a problem that we have,
or this is something we want to add on because we want to be more secure and be more marketable. And I can talk to you of how this is going to increase your productivity, reduce your P&L sheet, how it's going to increase our overall revenue by spending the money on this project that I'm going to have to do to meet this requirement or that requirement, or exceed the requirements that makes us a market differentiator.
You talk about security team members and security leaders crossing departments and meeting on a regular basis, which the cadence would vary depending on the organization and the department obviously. But to really learn more about how that department operates and then because security and technology is a river that flows through every aspect of an organization, you'll find ideas where security might be able to
wrap around certain offerings, certain product offerings and go from a premium version to a premium version because it's got better security and this is what it means for the end user, right? Or this is what it means for the customer and there's a benefit there. It's something they'll be willing to pay a little bit more for. And that's really good advice and there's lots of examples of organizations that do that.
Speaker 2 (31:42.956)
Yeah, it comes also down to breaking silos where as the security professional, you're talking to two different parts of the operational board that don't routinely talk to each other because they have vastly different missions. But they're doing similar things and they're spending two different pots of money to develop the same type of solution where I can go, all right, we'll take this, we'll build out the solution and provide you both the same solution. And that way we can get one solution. So that's less vulnerability.
means we have less things out there. It's controlled and you get a better product because we're able to leverage both of your P&L sheets rather than just one P&L sheet versus the other.
Absolutely. You've done a lot of unpopular opinions. You've got a lot of content out there. Is there one that, are there any one or two that bubble up in your experience or in your mind that you were really concerned about doing years ago, but now you're kind of glad you did and one that has gotten a lot of traction in the debate?
So I think the one that I would not have done four years ago that I just did recently was I made the analogy that cybersecurity is a cult. And I did some comparisons where, we have all these frameworks and regulations and they become our scriptures and we have our high priest who browbeat us that you will go do these things. And we cling to them in ways that just don't necessarily make sense to our business because that's just what we're
cold to do, you know, you have to follow this guidance to the letter and it takes the critical thinking out of our role in cybersecurity. If those things were truly as great as some folks lead them to believe, and I'm a firm believer that cybersecurity frameworks, whether it's NIST, whether it's an ISO, whether it's a CIS benchmark, are really, really good things to have. They give you a great starting point. But you have to understand your business to know
Speaker 2 (33:52.878)
Sometimes this doesn't apply to my organization because I have these three mitigating controls around it. And maybe am I going to spend $200,000 to protect a thousand dollar asset? Probably not. But if I stick straight to the frameworks, you're going to have those things and that generated a lot of kind of churn both positive and negative within the market.
Just because we as an organization look at those and kind of do hold those things as this is the benchmark. This is what we should be doing.
and like self-evident truths.
and kind of spinning it to where, well, maybe we need to take a critical look at that and not blindly follow the new shiny thing.
You know, had some people get pause and we had some really good conversations around it. And again, it's not that the frameworks are inherently bad. They are, they're inherently good, but we have to leverage those against what our business requirements are and what smart decisions are for our organization. I know no two organizations are exactly the same and even two organizations within the same field are not exactly the same. So we can't just go, well, I'm just going to do it like my nearest competitor.
Speaker 2 (35:10.924)
because there's going to be something that's different that we need to take into account.
Now you've had experience in...
federal systems, working in the government space as well as in private industry. What are some of your observations about the silos or the disconnect between the two? When I think of CMMC, think of that's like a one framework, one rule that is finally going to start happening. And it really does blend the two together, right? That private public.
partnership and control.
We've seen it for years where whatever the federal government does eventually seeps down to the rest of the industry. And I'll use certifications as an example of that. Back in, say, the 2006 to 2009 timeframe when DoD came out with their 8570 requirement for folks who were in DoD that they wanted to professionalize the network, you know, make sure that the folks that they had running and maintaining these critical defense systems.
Speaker 2 (36:23.404)
knew what they were doing, wanted them to be credentialed. So everyone had to go get A plus, Net plus, Security plus, CISSP, whatever the case may be for their role. Now, you know, we're talking two decades later, and you go look at most job requirements for even small organizations, you're seeing the same requirements where, you know, we want them to have Security plus and have X number of criteria is met. So
Ultimately, whatever we do in the federal government is eventually going to roll down in some way, shape or form, whether it's just through attrition or through matching what they're doing. But ultimately it comes down to, are we doing the right things? You know, CMMC is a great example where that is going to vastly change the landscape of how not only do federal prime contractors handle business, those second and third order effects down.
I'm over with the-
Speaker 2 (37:23.416)
where they're going to have to have some level of attestation and it might not be a self-certification level based off of what they're doing.
Right. It's going to be in all the bids. It's going to be everything. And I think it's, look, when it comes to things that are related, even the six degrees of Kevin Bacon, like even if it's related on down the line, but when it's tied to national security and the Department of Defense, like it should be like in like, I don't really have a concern myself with it. I mean, I think it's something that really does need to take effect. It's going to
be painful for a lot of organizations because they're not used to it.
Yeah, I think the biggest heartburn with CMMC and its rolling effect will be, will it draw small to medium businesses out of the federal contracting space? Getting to that level of attestation is not easy nor is it cheap.
But also you're dealing in the national security space. Maybe I don't care that it's going to take these very small mom and pop businesses out of the supply chain if they're not willing to meet the standard. So like anything else is going to come down to what are the changing table stakes for the industry. 20 years ago for any SaaS provider, it didn't really matter. You just put out your security policy and that was it. We expect to see
Speaker 1 (38:55.607)
So
a robust trust website that includes their SOC 2 or their ISO cert. And we're expecting to see, you know, lots of policies and, you know, what your data privacy policy is, how do you handle GDPR. And that's been things that have rapidly changed over the last 20 years for any size organization. So we're going to see that change. And I think over time, the default standards are just going to keep getting raised is ultimately
It's a thing to either either come to the table or be competitive at the table.
Absolutely. Address risks of shadow AI. We touched on it a little bit earlier, but what is, you know, one emerging threat that you believe is severely underestimated?
particularly shadow AI, it's your proprietary data being used in a learning model that then gets published somewhere else, whether it's to a competitor or to the free market. And in turn, you have now lost critical intellectual property that would be detrimental to your business. And it's very, very concerning for organizations that are building
Speaker 2 (40:14.86)
Software products, building SaaS products where your code is your money. That's the thing that you're making your dollars and cents off of. So protecting that should be kind of a first order priority because that's your family jewels, the things that really matter. But if you're just dumping code into Claude for it to go do clean up or do code review, do we really know that that's not being stored simply ourselves? Do you have the agreements in place?
Are they using the corporate one instead of just their personal one that, you know, absolutely doesn't have those requirements in place? How are we going to secure things around that if you don't know they're using it? And if you know they're using it, they're not using the right one.
And that's really important. And I think that so many organizations have just been tinkering with generative AI and they haven't really gone forward and
created policies and actually executed on them and found secure ways of doing it, right? And then provided prompt training. I think that's going to be pretty standard pretty soon. When I look, if I'm reading tea leaves looking in the future, I'm like, prompt training is going to be part of or separate, but required annually if not quarterly in terms of security brand awareness training.
I think everybody needs to know how to prompt correctly at this point.
Speaker 2 (41:51.724)
You're absolutely right. You know, we at my organization just implemented not only a mandatory AI training that says here are the things that you can do here. The things that me permission to do here are things that you absolutely can't do that would get you fired if you do this. But as a follow on to that, we actually provided prompt engineering training because you know, folks keep saying AI is going to come for your job. Mike, it is what it isn't.
What it's going to do is it's going to change fundamentally how jobs are done. It's no different than, you know, robots and manufacturing. You know, 70 years ago, when automotive manufacturing robots first came out, people were all up in arms saying this is going to, you know, do away with all humans in manufacturing. 2025, we still employ thousands upon thousands of people in automotive manufacturing, working alongside robots. And we've also introduced a whole new field of
building and maintaining those robots.
Right. Managing them. You're not just turning the screws or the wrenches. You are managing the device now that does that. And it's a higher skill set. It's a higher pay. It's all of those things. Right. Everybody's kind of evolving upward.
And then ultimately, we always want to keep human in the loop. So we're not going to ever let AI run completely rampant and do whatever it wants. Have I used AI to check other AI? Absolutely. But there is still a human in that loop verifying all the things are in place and that the AIs are doing the things that I want them to do. Because ultimately, it goes back to that someone has to be responsible. And legally,
Speaker 1 (43:23.31)
100.
Speaker 2 (43:38.35)
AI cannot be responsible for anything. It's not a person. It doesn't have personhood. It can't be sued. If I'm using it in my environment, you know, I'm not going to sue OpenAI because the AI I taught to do something violated a rule. That's not their fault. That's my fault for not programming the prompt properly. So exactly right. Giving folks
Right. Right.
Speaker 2 (44:06.41)
right and left bounds, putting the guardrails in the AIs that you're using, and then giving them appropriate training on how to get prompts to make what you're doing not only get the right result, but doing the most efficient means possible.
Excellent. Well, as we wrap up, let's do a quick lightning round. Give me a short answer to the first thing that comes to your mind. I just have a few questions. All right. What's the biggest buzzword in cybersecurity today that you'd love to ban forever?
Speaker 2 (44:40.663)
AI enabled.
AI enabled. I love it. I love it. Because if it's plugged in, it now has AI. Right? That's exactly right. Yeah.
I need you to tell me what kind of AI you're using and you know describe to me how it's you know, rejects with more steps
Absolutely. What's the most overrated tool or platform in a SOC today? Is there one?
I think the most overrated tool in a SOC would be SIEM and SOAR combined capabilities. Because ultimately, it's really great to have that automation and orchestration piece, but you still need someone to figure out what those things are. You need to spend a lot of time setting it all up. And sometimes it still gets it wrong.
Speaker 1 (45:24.312)
Yeah.
Speaker 1 (45:32.758)
Right. Constantly be tuning it, right?
So automation's great for a lot of things, but sometimes you need to do it in a very methodical method to make sure that you're not gonna have unintended consequences.
Is there a book, other than your own obviously, that every kind of person that's going to go be a blue teamer or be a defender, ultimately be a CISO, should read?
Speaker 2 (46:04.332)
I'll give you two and they're from different perspectives. One is a book by Nick Dimaio called Cyber Defense. Fantastic book on, you know, blue teamer mindset, you know, how to really be an efficient blue team person. And then I will give you, ironically, it's a book that has nothing to do with cybersecurity directly. But Simon Sinek's Start With Why.
Why. I think everybody should read that, period. Like, I don't know why they're not teaching that in college. That should just be mandatory. I agree with you, 100%.
Because ultimately, if you take the ethos from that book and apply that to anything cybersecurity, why am I doing this? No, no. Why are you really doing this? No, no. Why are you really, really doing this? And kind of get to that root thing. One, it makes your job explaining it to your board to get money much easier because you're getting to the root cause. It's not, I want to do this because it's best practice and the framework says I need to do it.
Yeah.
Speaker 1 (47:07.946)
Some frameworks say we're supposed to do this. Like that's not gonna move. It's not gonna drive behavior.
I want to implement this because it will do these five things that will make our business more profitable, make it more secure and more marketable.
That's great. That's fantastic. If you weren't in cybersecurity, what would you do for a living?
If I wasn't in cybersecurity. Um, this is actually something I thought about quite a bit and having multiple conversations with my wife and my friendship group. Uh, they all have agreed that I should be in cyber law because I really like to argue and, you know, it's an emerging field within the legal field and something that I'm passionate about. So it'd probably be, you know, a lawyer focusing on, on all things cyber.
That's phenomenal. What's the worst career advice you've ever heard somebody give about entering the cybersecurity field?
Speaker 2 (48:14.176)
It's the same worst advice I got before I left for basic training. Don't volunteer for anything.
And I absolutely say that's the worst advice because every good thing that has ever happened to me is because I volunteered for something that was completely out of pocket for what I was supposed to be doing at the time. I'm here in cybersecurity because they needed a volunteer for something.
That's phenomenal. Well, sir, thank you so much for your time today. I really appreciate it. Unpopular opinion, everybody check it out. I promise you, you will get it. It will. It will resonate with you. It is concise. It's got the data. What I like about it is it's not just concise Josh, and it's not just short, right? Without the substance, it's got all the substance in there, but you don't have to like
hear somebody babble on for pages and pages and pages to get to the point and then synthesize it. You've done that in there. It's really, really good. I'm proud of you. That's fantastic. Any last thoughts, any predictions of what's coming as we're pushing up to 2026? Do you have any tea leaves or things that you've been thinking about or things you want to share with the audience that you're going to be
I know you do a lot of public speaking, a lot of other things.
Speaker 2 (49:45.25)
Yeah, I will be at multiple conferences over the next few months, particularly if you see me out there, feel free to stop, talk to me. I love having conversations with folks. If I'm looking at the tea leaves, what I'm seeing is that cybersecurity is going to become an increasing focus for any publicly traded company or company that's trending towards an IPO because ultimately not only do they have to record in their 10-K filings,
But it's something that everyone's caring about. And there's a big push from federal gov to do better security across the board, particularly for those organizations that have intersections with critical infrastructure. So water treatment, power grid, and all the things that surround that all PLC monitors, things of that nature. Because ultimately that's going to be, I think, the biggest home threat to the United States.
is not, you know, actual invasion from a bad threat actor. It's going to be continued cyber threats to those pieces of critical infrastructure that will cause not necessarily death, but extreme harm and massive recovery issues to our population.
Absolutely. Great insight, my friend. Thanks so much. And check out Joshua Copeland on LinkedIn. You can find his unpopular opinion posts. I'm telling you, it's gold. So I absolutely love reading it and just keep on doing what you're doing, man. Thank you so much for all your contribution and for your service to our country. Fantastic. Thank you, my friend.
Thanks for having me. I appreciate it.