#1736442: Hacking the End of Compliance
Description:

We often frame cybersecurity as an endless reactive process. We've heard the term "cat-and-mouse game" used to describe the interaction between attackers and defenders. It's a vicious cycle. Is there any way to end it?

Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Rob Allen, chief product officer, ThreatLocker.

The vulnerable stack

The attack cycle persists because the vulnerability spans the length of the stack. Sree Venkat Paruchuri of Deloitte traced the throughline, saying, "Most modern attacks perpetrate through insecure code, whether that is technical, schematic, or logical gaps. To the extent that code can continue to be written in vulnerable ways and compiled and shipped, and run on infra that can be vulnerable too, and connected by vulnerable protocols, we will continue to see this cycle." Ross Young of CISO Tradecraft® pointed to the root of that problem. "New technology is usually built by developers, not penetration testing experts, so the code has weaknesses in it." The path forward may run through AI. "We may get to a place where all code is tested by LLMs with every code weakness test going forward."

Changing the structural economics

Detection speed alone won't break the cycle. Archie Jackson of Forcepoint argued the only way out is to change the game's underlying economics. This requires moving to memory-safe architectures and secure-by-design principles that "mathematically eliminate entire classes of vulnerabilities." In addition, use AI to dynamically randomize network topologies rather than relying on static infrastructure, and shift AI from detection engineering to "executing machine-speed isolation." The posture, he said, should assume breach and use immutable infrastructure to "instantly evaporate and replace compromised environments rather than trying to clean them." Victor M. Font Jr. of CyberGovernanceCenter.com didn't mince words about why this perpetuates. "Attackers win when we define security as detection velocity. That guarantees a permanent 'cat and mouse' cycle." We don't win with a faster cat. "It is architectural simplification, enforced governance, and consequence-backed accountability."

Change the terrain

If you can't outrun the adversary, make the ground harder to run on. David Sledge, CISO at Secure Seed Capital, reframed the goal: "Instead of just trying to detect more, why not refocus on driving up attacker friction? If we lean into temporary identities, just-in-time access, and constant revalidation, we break their ability to scale." The win, he said, isn't zero attacks. "It's making the payout so uncertain and the effort so high that their business model falls apart." Richard Wilder of Trace Systems Inc. pointed to history as a guide. Memory exploit mitigations reduced classic exploits, TLS limited passive interception, sandboxing reduced impact, and MFA raised the bar on credential abuse. "The next phase should focus less on detecting everything and more on removing attack surface through OS guardrails, identity-centric controls, microsegmentation, crypto agility, and continuous validation," said Wilder.

The cost-benefit equation

There will always be some threat actors incentivized to attack you. "We're not trying to end the race, we're trying to make attacking your environment more expensive," said Eyal Worthalter of Marvell Technology. Cryptography proved that architectural shifts can create asymmetric advantages. The open question is whether zero trust, identity-centric models, or something not yet named, can deliver that kind of durability, "or are we just building faster hamster wheels?" Soumen Bhattacharya of Capital One took an optimistic view of where AI tips that equation. If non-experts can now leverage AI to build attack tools, "technical folks and experts should be better placed to build bulletproof defenses: write and generate code preventing vulnerabilities, continuous intelligent scanning and testing, SOC empowered through AI, automated remediation of vulnerabilities, network security through AI."

| Field | Value |
|---|---|
| More info | https://www.linkedin.com/pulse/breaking-reactive-cycle-cybersecurity-cisoseries-pjv4c/?trackingId=ykN%2F5MQtRQWe%2BkgjkXYpyg%3D%3D |
| Date added | May 7, 2026, 10:07 p.m. |
| Source | |
| Subjects | |
