
Top CISO Priorities and Global Digital Trust with Morgan Adamski
>> Morgan Adamski: We were only seeing about 24% of people significantly investing in proactive security measures versus reactionary. And so, what that means is, when you think about proactive measures, it's monitoring, consistent validation, putting protections in place, things that would stop the adversary from initially getting into a network, but if you're constantly preparing for a bad day and not trying to stop it from ever happening, you're just kind of assuming that you're going to be a victim.
[ Music ]
>> Caleb Tolin: Hello and welcome to another episode of "Data Security Decoded." I'm your host, Caleb Tolin, and if this is your first time joining us, welcome to the show. Make sure you hit that "Subscribe" button so you're notified when we drop new episodes, and if you're already a subscriber, thanks for coming back. We encourage you to give us a rating, drop a comment below, let us know what you think about the show. This really helps us reach more listeners like you who are eager to learn more about reducing risk across their business and make sure the content that we're developing for you is really, really valuable. Now, in this episode, I had the pleasure of sitting down with Morgan Adamski, a senior cybersecurity leader with extensive experience across the NSA and the U.S. Cyber Command. Morgan is currently at PwC where we got to explore some of the interesting findings in their new report, "The 2026 Global Digital Trust and Insights Report." Let's get into it. Well, Morgan, thank you so much for joining us on the "Data Security Decoded" podcast, so excited to have this conversation with you today. Before we dive into the meat of the conversation, I'd love to get a sense of what you're obsessed with that has nothing to do with cyber. I'll start first. The thing that I'm obsessed with recently is a show on Netflix. I just binged the whole thing. It's called Boots. It is, I think, set in the late 80s, early 90s. It's about a set of Marine recruits that are going into the Marines and going through boot camp, and it follows this one very specific kind of non-traditional recruit and his experience. And I found it to be a really, really cool story and I really enjoyed it, so that's the thing that I'll say I'm obsessed with now. How about you?
>> Morgan Adamski: No, that's awesome. I've seen that series. I haven't been able to watch it yet, so after I watch it, I may come back, and we'll have to talk about it separately. So for me, kind of celebrating a bit of a big birthday this year. And so, around this specific day --
>> Caleb Tolin: Happy birthday.
>> Morgan Adamski: Thank you, and just kind of reflecting on the past year, to be honest with you, transitioning out of the U.S. government after spending 16 years there -- I was in national security, and I've been interested in it since high school. And so, it's, literally, everything and anything that I've done, having spent 10, 11, 12 hours a day in a secure facility, not having access to my phone. And so, right now, I'm just kind of trying to live, learn to live my life on the outside. You know, just being able to have sunlight and windows and being able to access different technologies and be able to walk into a kitchen and have lunch that I have direct access to my house. It's just -- everything's fascinating to me. I feel a little bit out of my element and learning to walk again for the most part. But also, you know, spending a lot of time with family. I have kids. So, you know, Googling "6-7," what that means, that's a big thing, as well as learning about Labubus. And so, just a lot of that type of stuff is kind of what I'm obsessed with outside of cyber life.
>> Caleb Tolin: You know, the 6-7 thing is something that just came up at dinner with my team. We were chatting about that last night. This is new to me, so if you want to educate me and our audience, what is 6-7? I do know what Labubus are. And hopefully, everyone listening -- I'm sure everybody knows what Labubus are, but what is the 6-7 thing?
>> Morgan Adamski: You know, it's something -- as I've learned, it's kind of a meme for like, so-so, it was a play, so that's how I've learned what it means. If someone has a better definition, I'm happy to be educated, but we did, like, a whole trunk-or-treat around 6-7, just because all the kids are really, really fascinated with it, so just learning my new terminology.
>> Caleb Tolin: Wow. Well, if anybody else has a different definition of it, drop it in the comments. Let us know. This is something you can educate us on.
>> Morgan Adamski: But it was, like, the word of the year in the Urban Dictionary.
>> Caleb Tolin: Oh, wow.
>> Morgan Adamski: Yeah.
>> Caleb Tolin: Wow. Wow.
>> Morgan Adamski: I think I saw that somewhere, and I was, like, oh, I really need to get educated quick.
>> Caleb Tolin: New York Times is going to have to figure out how to get it into the Wordle or something.
>> Morgan Adamski: Yes.
>> Caleb Tolin: I swear. I swear.
>> Morgan Adamski: Yeah.
>> Caleb Tolin: Awesome. Awesome. Well, I love it. Thank you so much. I will say, the first time I heard you speak was at Cyber War Con in 2023, and at the time, I believe you were at NSA, not quite U.S. Cyber Command yet, but you were talking a lot about China pre-positioning in U.S. critical infrastructure, not necessarily for espionage or intelligence gathering, but really, pre-positioning for some type of larger scale conflict. They were compiling a list of zero days and living off the land, escalating their privileges over time. Now, it's very interesting to think about that conversation that we were having, you know, about two years ago, and those themes are really, really relevant today, especially with groups like Scattered Spider that we're hearing with kind of similar tactics at a high level, but aren't, you know, connected to the nation state of China. But those themes are coming up more and more, so from your vantage point, what progress has been made since that talk that you gave in 2023? And what can organizations do to prepare themselves for attacks like this?
>> Morgan Adamski: Yeah, that was one of my most-favorite talks, because I was just so passionate about the fact that we have a threat; we know what they're doing; we can see them; and we need to work together to be able to stop them, and I think it was very passionate. I was there to rally the troops, and a lot of people stepped up to the cause. So from a progress perspective, I think one of the biggest things that happened around talking about those China-based actors pre-positioning U.S. critical infrastructure is it really brought a national-level conversation across multiple sectors, across multiple companies, and it wasn't just about cyber, right? It was about geopolitical risk and the fact that these actors wanted to be in these systems and these networks to cause societal panic at a time of their choosing, most likely connected to a potential conflict between U.S. and Taiwan. And we wanted people to recognize, like -- people are like, oh, why is this new? We thought they were in critical infrastructure anyway. We're, like, no, like, the scope and scale of their operations is extensive. The fact that they're not only pre-positioning in U.S. critical infrastructure, but also in telecommunications networks and conducting espionage; the fact that they're doing information operations; it is every different pillar of type of offensive operations that we care about. It's across every industry that you can name and in critical services that we all depend on every given day. So that national-level attention was really important. I think, second, the fact that the reason that we found them and knew what they were doing and were able to work together to be able to detect that activity, because the public sector and the private sector brought together critical parts of that information. We knew about intent, or we knew about the actors or specifically what they were trying to accomplish. 
And then, we had industry who had insights into the infrastructure that they were using. And we had victims come forward and say, hey, I see these type of actors in my networks. I'm being able to detect them, and here's what I'm learning about what they're doing in my networks, and people were sharing it with each other, so that other people could find it as well. And I think that collective defense and everyone working together is where I've seen a lot of progress happen over the last couple of years because we're continuing looking to track, detect it, and protect ourselves against it. And we also saw a lot of the public announcements from the U.S. government on how they were disrupting the infrastructure, right, and how they're naming the personas, and that's a really big thing, as well, because we're taking down the critical components that they rely on to be successful. The part where I think we could probably continue to do well is -- maybe we're not talking about as often or as much as we used to -- so what I don't want people necessarily to think is, oh, maybe this isn't occurring anymore, or this is an activity they don't think is interesting. Oh, no, it's still occurring, right? This is part of a national strategy. And so, we've got to continually talk about it, think about it, adapt to how the adversary potentially is kind of changing their tactics, and we have to work together. We have to share that information amongst each other. And so, I think those are things that I see as progress and things need to work on. When you talk about things like Scattered Spider, like, to be honest with you, living off the land is not a new technique, right? That's not something that people do. Social engineering, social phishing, trying to imitate legitimate users, these are all things that work. 
We don't see adversaries having to use malware anywhere anymore as much, like, being able to be detected, so they're getting creative and they're adapting to how cyber defenders are being able to find them. And so, Scattered Spider is just leveraging what works. And so, it's, you know, they're building on that business model. And so, I think those are kind of things I wouldn't say they're mimicking national nation-state actors, but they are using what works, and so are nation state actors. And so, unfortunately, they're continuing to be successful.
>> Caleb Tolin: Right, right. Absolutely. Something you said at the beginning of that about how what China is doing is it's not necessarily just related to cyber. There was a really great interview, you know, at the time of recording this. This was a couple of weeks ago. There was a really great interview on 60 Minutes about China pre-positioning in U.S. critical infrastructure from a cyber perspective. And so, I think it's really interesting to see how this conversation is starting to become a little bit more mainstream. And, you know, we had a podcast with Nicole Perlroth, To Catch a Thief, great series that really tells the entire story from -- in a really beautiful and understandable way all about this story as well. So it's really interesting to see it kind of start to make its way more into the mainstream, and people, you know, who aren't in the threat intelligence community or in cyber security roles in the private sector, more people are becoming familiar with it. So we've got to keep talking about it, definitely. I agree with you there.
>> Morgan Adamski: Yeah, absolutely. I think that's a really critical component.
>> Caleb Tolin: Right. Absolutely. So shifting gears to your current gig, now you're at PwC. You are leading Cyber, Data, and Tech Risk, and you recently released a report. It is the PwC 2026 Global Digital Trust Insights Report. I'd love to drill into some of the insights from that report. I think we'll spend a decent amount of time talking about that, and I know we were just talking about geopolitics. It is a huge theme throughout the report. One of the results that stood out to me was it says, "Sixty percent of business and tech leaders are reacting to the geopolitical landscape by making cyber risk investment one of their top three strategic priorities for the year ahead." What was surprising to you about where folks are investing from a proactive versus reactive perspective?
>> Morgan Adamski: Yeah, I think one of the surprising things is that we were only seeing about 24% of people significantly investing in proactive security measures versus reactionary. And so, what that means is when you think about proactive measures, it's monitoring, consistent validation, putting protections in place, things that would stop the adversary from initially getting into a network. And we saw a stronger investment in things like recovery and liability and having legal services on hand, which is great as well. You need all of those things, but if you're constantly preparing for a bad day and not trying to stop it from ever happening, you're just kind of assuming that you're going to be a victim. And while that's hard sometimes to avoid in the cyber arena, we have to have a balance in both, right? You should be investing in those proactive measures as well as those reactionary things, and you should constantly be looking at those investments and saying, okay, do I have the right balance? Am I prepared in the right way? Have I thought through the playbook a lot to think about, okay, what are all the things that I might need to have in place in case one of these things happens? And do I have all the right contacts and people aware of what their roles and responsibilities are, if, in fact, that does occur? And so, I think that's really important, but here's three strategies that I'd probably talk about a little bit more, as people think through what they should be investing in. So build all -- build in all of those foundational proactive measures that I was talking about, right, zero trust, having exposure management, and patching. I know there's so much patch fatigue out there, but you've got to continue to think about patching and prioritizing where you're putting all of those resources against, and are there best ways to prioritize how you're managing your patch management system, which really should be relying on, quite honestly, threat intelligence? 
I'm a huge supporter of threat intelligence, but if you know what adversaries are looking to try to accomplish and what they're exploiting, it helps you figure out what you need to patch first. And then, also, segmentation and third-party controls, we really talk a lot about the fact that there's a lot of third-party risk, and you've got to think about those dependencies and potentially what risk you're taking on, and how you're going to manage that, and how you're going to hold them accountable to ensure that their security measures are up to par with what you're expecting. Second, I think that you've got to be ready to move fast. You've got to be agile. You've got to be the fact that if you do have a bad day, how do you have things like AI and automation in place that will enable you to be able to deal with that crisis management and any type of breach faster than before? We've seen that it's shortened the breach life cycle. So AI and automation have shortened the breach life cycle to less than 80 days, which is really good because it was usually significantly longer, multiple months, in the past. And so, when people have those type of things in place, it's allowed them to kind of not have to spend a lot of time doing the rudimentary day one type work. They can pull the data together very quickly. And lastly, I think this is the most important part that you just talked about, right? Making resilience the outcome and making the board the owner. And what that really means is that this isn't just a CISO cyber problem. Everyone needs to fundamentally understand at the C-suite board level their dependencies and the fact that investing in cybersecurity protects their overall business risk and operations. And so, I think that's going to be critically important for everyone to kind of have an understanding of.
>> Caleb Tolin: Right. Absolutely, and another interesting finding that stood out, and you kind of referred to it at the start of your response to that last question, was that 39% reported that they're looking at changing their cyber insurance policies. So are most organizations that you're working with looking at increasing those, the coverage with cyber insurers? Are they decreasing it? What does that kind of really say about how organizations are looking at cyber insurance and measuring that against their risk?
>> Morgan Adamski: I think one of the most valuable things that organizations are doing when they look at cyber insurance is they're not necessarily looking at it as a financial product. They're looking at it more as a way to assess their overall hygiene, right? I think that's really critically important because of the fact that they can say, okay, overall, how do I look? How am I doing? How do I test? Do I have all the right security controls in place because, from an underwriting perspective, they're going to want to make sure that they all exist and they're running and they're functioning the right way. So cyber insurance almost gives them kind of that report card. Does this make sense? So people are looking to invest more in cyber insurance. And we had 4 out of 10 companies looking at geopolitical politics and the volatility in that environment and saying, hey, we need to better assess and evaluate our cyber insurance policy to make sure we have all the right controls and things in place. And those people that are going through a bad cyber breach or risk, or they've gone through it, they're going back and relooking at their policies, as well, and trying to make sure they have all the right things in place and maybe taking some lessons learned.
>> Caleb Tolin: Right. That's a really interesting perspective of how organizations are leveraging those policies to kind of build that scorecard, if you will. I hadn't really thought about it in that way, so that's really interesting. And another thing that the report pointed out was the top priorities for CISOs, and those were labeled as threat hunting, agentic AI, event detection, and behavioral analytics. I don't think that that would probably come to any of our listeners as a surprise. Those are very hot button issues, but based off of the work that you're doing with PwC clients that are looking at these areas as strategic investments or that they have been doing that for a long time, maybe not so much with the agentic AI piece, but, you know, the threat hunting and event detection and behavioral analytics, the organizations that are doing really well in these areas, what stands out in terms of how they're deploying these things?
>> Morgan Adamski: Yeah, so threat hunting is the top AI-enabled capability for all security professionals. That shouldn't shock anyone, and nearly half of all security professionals are ranking as their top priority, which I think is really important. But what we're seeing is that clients leading in this space are using AI agents to augment their SOC analysts, right? They're using it to make them more efficient and more effective, and I think that's really important. There's a lot of discussion around, will agentic AI or will an AI agent replace me? The fact of the matter is, that's not where we're at right now. Right now, we're trying to create capability to allow cyber defenders to deal with their daily workload, which is always significant as much as possible, right, to help them do their analytics. But we always, and I was on a panel last week where I talked about the importance of having governance, frameworks, and guardrails, and humans in the loop, all involved in how we're leveraging AI for cyber defense. Because we just need to validate some of the findings and the information that we see, because quite honestly, you've got to pair a lot of different datasets, and cyber defenders are just really well positioned, at times, to be able to say, that doesn't look right. I see an anomaly. I see something that doesn't make sense. Adversaries are adapting. We talked about the fact that living off the land, they are literally acting as legitimate users. They look like everyone else. And so, sometimes it just takes a cyber analyst, a net defender, a SOC analyst to be able to come in and say, okay, this is all the data. So it's telling me, but what am I missing? What do I not -- what am I not thinking about this pattern of life that this individual is potentially doing? Are they accessing networks they shouldn't have access to? And that's going to be really important, so I think that's where we see clients leading is how do we use it to augment our daily lives? 
How do we enable us to move faster and be more efficient? But then, how do we also validate it from a human perspective?
>> Caleb Tolin: Right. Absolutely, that governance and observability element with agents is something that I think is very top of mind for many of our listeners and, really, everyone in the market. And, you know, interesting point that you made on how, you know, SOCs are deploying AI agents. We had a really great conversation with Grant Oviatt. This was -- I believe it was over the summer. He's over at Prophet Security, and that is what they specialize in, and they're building out a product there. So if any of our listeners haven't heard that episode, I definitely recommend you check it out because we dive into that topic very specifically there. Another point that stood out to me while I was reviewing the report was your respondents had very little confidence in their ability to withstand cyberattacks targeting specific vulnerabilities, especially given what we were talking about at the top of the call in terms of geopolitics and these sophisticated threat actors. Paint a picture of what that means, this lack of confidence.
>> Morgan Adamski: Yeah, I think it's just gaining a better understanding and appreciation for how interconnected so many systems are, right? And the fact of the matter is, is that we've been building technology on technology and networks on networks for decades. And so, there's consistent vulnerabilities and risks associated with legacy systems, supply chain dependencies, and authentication controls. I mean, those are the three main areas that we think about things that we need to protect against. When you think about legacy systems, right, significant vulnerabilities, constantly patching. The fact of the matter is, is that a lot of clients are struggling to figure out, okay, what's connected to my network? What have I assumed from a tech debt responsibility effective? What are all the endpoints? What's my perimeter defense? I've got to think through all of these different types of components. And I have to have, to your point, visibility into where all of that potential risk is, and I think people are still struggling to think about that. And it kind of makes them nervous from a vulnerability perspective. Very few people are going to come out and say, I know all the things I can protect against everything. I understand every threat that's coming at me every single day, and I have full visibility, and I can deal with that. And so, I think it's great for people to come out. It's actually kind of a little bit encouraging for people to say, okay, I don't know what I don't know. And so, therefore, I have to prepare for the worst from a vulnerability perspective. The supply chain dependencies is really fascinating just because I think people, when they saw various crisis and conflicts over the last two years, just saw how impactful that geopolitical volatility can be on getting critical components, on trying to make sure that they have resiliency and redundancy and communication set up when you talk about the telecommunication sector for their clients. 
And so, having to map out all of those dependencies, I think, is a really interesting conversation for a lot of people these days that if A, B, or C scenario occurred across the world, how would it impact them from a business operations perspective? Because while people think about it, I think a lot of people experienced a lot of different types of scenarios over the last couple of years that maybe said, okay, maybe we need to think about this a little bit differently, which is really important too. And the authentication controls is similar, right? I just, adversaries are constantly evolving to what we're doing and how we're operating in the cyberspace domain. You think about the discussion that happens around North Korean IT workers, right? How they're being creative, and the fact of the matter is -- and how they're being, you know, hired into high-profile companies. They're being able to operate. They're generating that revenue to take back to the regime. It is, they're just being creative, and the fact of the matter is, a lot of those opportunities came because a lot of people moved to workplace flexibilities, bring your own device type capabilities. And so, as our adversaries continue to adapt, we've got to be more creative when we think about, okay, how are we going to do authentication controls, in-person verification? But you know, what's going to make that so much more complicated -- AI agents, right? And so, authentication of AI agents is going to be a fascinating thing as we move forward. If you're going to enable them to be able to do certain functions from a business operations perspective.
>> Caleb Tolin: Right, right, no shortage of, you know, threat vectors to kind of think about these days. So Morgan, thank you for joining us. Where can folks find you and learn more about the incredible work that you're doing?
>> Morgan Adamski: Yeah, so obviously, I'm on LinkedIn. If you want to find me personally, we post a lot of pieces, but if you go to our pwc.com, we have a lot of great thought leadership pieces that have been coming out, both on agentic AI, just recently published our forecast for 2026, which is all the issues and topics, I think, that will still continue into 2026, but also future topics like quantum and 6G. And so, you can follow us there, and, of course, just reach out. You know, we've got a lot of expertise and insight at PwC that we can tap into to just help people/clients think about the problem a little bit differently.
>> Caleb Tolin: Wonderful. We'll link to all of those resources in the show notes for our listeners to check out too. Morgan, thank you, again, for joining us and look forward to having another conversation soon.
>> Morgan Adamski: Thanks, Caleb. Really appreciate it.
[ Music ]