John Verry is the Managing Director at CBIZ Cybersecurity, ISO 27001 certified lead auditor since 2006, and has guided hundreds of organizations through ISO 27001, SOC 2, CMMC, FedRAMP, and HITRUST. He has seen firsthand what separates organizations that get genuinely secure from those that just collect certifications.

In this episode, John breaks down the gap between compliance and actual security, why shadow AI is already embedded in tools your team uses daily, and why agentic AI is the risk no CISO is truly prepared for yet.

He explains:

◼ Why you can be fully compliant and completely insecure at the same time

◼ Why operationalizing your security program inside tools your team already uses matters more than buying another GRC platform

◼ How 65% of SaaS platforms now have AI built in and why most organizations have no inventory of it

◼ Why the EU AI Act's August 2026 deadline is real and what organizations need to do now

◼ Why agentic AI shifts the risk from hallucination to autonomous business decisions made at scale without a human in the loop

Timestamps

(00:00) Introduction

(06:27) Meet John Verry: Managing Director at CBiz Cybersecurity

(07:47) What compliance theater actually means and why it matters

(09:34) Security is a journey, compliance is a destination

(12:30) The most common mistakes companies make after getting certified

(15:07) What it actually takes to operationalize a security program

(17:34) The merchants of complexity problem and why less tooling wins

(20:50) Third party risk management and the hidden operational debt of every new vendor

(22:19) What shadow AI is and why most organizations still do not know they are using it

(28:21) How to balance moving fast on AI with slow-moving compliance frameworks

(31:40) Why ISO 27001 updates slowly and why that might actually be a good thing

(36:41) How to risk model different types of AI from Grammarly to agentic systems

(40:14) Why shadow AI is lower risk than deeply integrated AI but still dangerous

(43:29) Sycophantic AI behavior, what causes it, and why it creates real danger

(52:29) AI coding AI, the hard takeoff, and the model collapse problem

(54:24) EU AI Act deadlines, ISO 42001, and why AI compliance urgency is now

(58:44) How ISO 42001 works as an extension of ISO 27001

(01:01:27) When auditors do not understand AI governance and certifications become theater

(01:02:28) The main blocker stopping CISOs from escaping compliance theater

(01:05:41) The next 12 to 18 months: why the era of agentic AI is already here

(01:07:48) Closing thoughts: What should actually scare every CISO right now

Connect with John Verry on LinkedIn

https://www.linkedin.com/in/jverry/

Hosts ⬇️

Alex: https://www.linkedin.com/in/alex-paguis-53a21815/

Yegor: https://www.linkedin.com/in/yegor-sak-725330b2/

Powered by Control D

Devon Ackerman is the Global Head of Digital Forensics and Incident Response at Cyber Reason and a former FBI Supervisory Special Agent focused on counterintelligence and cyber investigations. He is also the author of Diving In: An Incident Responder's Journey and one of the most experienced breach investigators working today.

In this episode, Devon walks Alex and Yegor through exactly how modern intrusions unfold in the real world, from the first point of entry to full compromise, and what most organizations are still completely missing until the damage is done.

He explains:

◼ Why attackers ditched malware and are stealing identities to hide inside normal user behavior

◼ How one phone call to a help desk bypassed MFA and gave full network access without a single alert

◼ Why phishing kits intercept your authentication token, not your password

◼ Why hardware keys stop most kill chains cold and where that still breaks down

◼ The four threat actor categories and why each one requires a different defensive response

Time Stamps

(00:00) Devon Ackerman Introduction

(01:48) Why digital forensics and incident response belong together

(04:28) How modern investigations have changed in the last 5 years

(06:49) Are attackers moving faster than defenders?

(08:41) Can digital forensics become proactive?

(11:31) Will AI turn cyber defense into a war of bots?

(14:50) Why security adoption still lags behind new threats

(16:43) Identity becomes the primary attack surface

(19:56) War story: help desk social engineering, password resets, and disabled MFA

(22:52) A real vulnerability exploited within 12 hours

(25:18) What happens when CVE-to-exploit timelines shrink to minutes

(28:29) How adversary-in-the-middle MFA phishing works

(33:16) Why MFA bypass is really about intercepting authentication

(35:54) Hardware keys and where phishing kill chains usually stop

(39:14) Hacktivists, nation-states, organized crime, and initial access brokers

(42:47) The economics of selling access vs exploiting it yourself

(46:56) Devon’s final advice for defenders: reduce blast radius

Connect with the speakers ⬇️

Devon: https://www.linkedin.com/in/devonackerman/

Yegor: https://www.linkedin.com/in/yegor-sak-725330b2/

Alex: https://www.linkedin.com/in/alex-paguis-53a21815/

Powered by Control D

Matan Eli Matalon breaks down AI-driven cyberwarfare, Iran-linked threat intelligence, and what CISOs must protect when attackers are trying to cause disruption. This episode had to pause mid-recording after Matan, a former CISO who reverse-engineered Iran’s Handala malware, received a missile warning and had to take shelter. We picked the conversation back up the next day.

Matan Eli Matalon breaks down what cyberwarfare actually looks like on the ground right now: why Iran-linked groups are winning with basic techniques and propaganda, how AI is giving attackers a speed advantage defenders can't match, and what CISOs need to stop doing if they want to protect what actually matters.

He explains:

• Why groups like Handala choose quantity over sophistication and how that makes them harder to defend against
• How AI removes friction for attackers without changing the attacks themselves and why defenders can't keep up
• Why protecting everything equally is the fastest way to protect nothing
• The 3-step CISO framework: define failure, map every attack path to it, validate it's closed

Timestamps:

• (00:00) Intro - Cyberwar is already here

• (03:00) Disruption over dollars

• (06:45) The Handala playbook exposed

• (08:07) Inside Handala’s malware

• (10:29) AI didn’t make hackers smarter, it made them faster

• (12:20) Anthropic’s leaked “Mythos” model

• (13:48) Stop protecting everything, protect what can kill you

• (18:00) AI is breaking your security perimeter from within

• (22:20) The house analogy that changes how CISOs think

• (34:25) The CISO isn’t the department of no

• (46:45) Agentic AI is a black box and CISOs hate it

• (51:05) Slop squatting: the attack no one’s talking about

• (54:00) The Iranian hack that almost took everything down

• (1:00:00) When the goal is deletion, not data theft

• (1:03:18) The backup that wasn’t

• (1:06:30) The 3-step framework every CISO needs

• (1:08:25) Why this 28-year-old chose defense over offense

• (1:10:50) Cybersecurity in 3 years: Matan’s prediction

Connect with Matan Eli Matalon on LinkedIn

Powered by Control D