Simplify and secure: top cybersecurity strategies for CXOs


All right. Welcome to this episode of the Global CISO podcast with your host, Chuck Herron, Field CISO for F5. Today, I am excited and honored to welcome GigaOm's new CEO, Howard Holton, to the show. Howard and I have known each other for several years. Recently, I had a chance to catch up in Vegas and want to talk about the attack surface of today, the emerging attack surface that defenders and technology teams are dealing with, and some strategies for how CIOs, CTOs, and CISOs can deal with this.

So Howard, welcome to the pod, and let's just dive right in. So we first met, I think in person in 2022 at Black Hat talking about API security when I was CTO of an API security company called Wib, which F5 later acquired.

I remember talking to you about the banking case studies that we worked on showing how to move money around via exposed API endpoints without the banks understanding what was going on and the visibility gaps. And in your view, has this type of gap in visibility gotten any better in the last three years with the rise of generative AI, or have things gotten worse, or has it been largely the same? What are your thoughts on the attack surface and how it's evolved just in the last few years?

Sure, that's a great question. So when I look at the attack surface and how it's changed, right, if you go back to the conversation we had, there were kind of two pieces to that. There were the mal-intentioned and the malformed, right? Malformed attacks, SQL injection attack-type stuff, right? We're used to dealing with that. We know what to look for. We kind of know what those look like. We know what to do with them. The problem is the malformed attack. And a malformed attack, the big problem there is it's free data. That's what a malformed attack is, right?

Let's say you intend to just return records about me. Well, there was an attack not that long ago against the federal government database where they did effectively a select star from vendors. Well, that was mal-intended. The developer never intended that response to be returned, but it's a valid use of the API. When you look at what MCP can do, when you look at what we're doing with AI, it's insane.

So what's the hack there, right? You shouldn't have made it available.

At no point should that have been available and yet it is because it's easy, it's convenient, and a developer's thought is, "How do I get stuff to go as quickly as possible? How do I make this work as quickly as possible? And then I'll loop back later."

Totally. So a few weeks ago, I was on a podcast talking about changes in today's attack patterns and how attackers are working today, as well as how we're writing enterprise software today, which has changed quite a lot in the era of vibe coding. And as much as I hate the term "vibe hacking," I actually hate all of these terms. The hype cycle and the buzzwords are kind of silly. But I said at the time, vibe hacking is real.

While a lot of the other guests kind of rolled their eyes, a couple of weeks ago, we saw a report from Anthropic talking about a vibe hacking campaign that caught at least 17 companies, healthcare to defense. We saw North Korean attackers bluff their way into Fortune 500 companies using AI tools for everything from technical interviews to producing work product for these companies, stealing money, stealing IP. All kinds of things are stacking up.

I'll put more details in the show notes just because it takes too long to run through all of the developments, but things like Hacker One's number one attacker being an AI model, automated reverse engineering of CVEs, automated orchestration of attacking tools with tools like Hextrike, and changes to the way that we write enterprise code. I was at a Google event last week. One of the vendors there talked about a 10x increase in vulnerabilities as a result of the vibe coding that's going on in the enterprise.

So in terms of how much has changed since then if we started from a bad state, how well positioned do you think defenders are to understand not only how attacker tactics are changing, leveraging these tools for the offense, but how we're actually changing the way that we architect and write our own code for the enterprise?

Sure, that's a great question. So if you think about the conference that we just recently were at, right? Think about Black Hat and DEF CON. Those are the sisters. And the way we talk about it is Black Hat is the commercial tools to defend against DEF CON. What we don't really say out loud is DEF CON comes after Black Hat.

So Black Hat is the tools to defend, not against this year's DEF CON, hopefully against last year's DEF CON, but in some cases, maybe even the DEF CON before that, right? Defenders are always behind. It's cool that we talk about vibe hacking and I like that people get upset by it, but really, wasn't all hacking vibe hacking? Hackers are the people that use the shortest distance from point A to point B.

Good hackers do that as a form of defense. Good hackers do that just as kind of a cause of nature. Malicious hackers don't. Hackers will use whatever tools they have available to make the job easy as possible. We used to make fun of script kiddies, but how many hundreds of millions of dollars in damage was done by script kiddies?

Vibe hacking isn't really new. Vibe hacking is the same old thing always done using new tools to make them faster. So of course vibe hacking is real, right? So as defenders, we need to wake up and we need to recognize this. And as business owners and people running organizations and enterprises, we need to make sure people understand this is not going to slow down.

If you're already going down the path of poor hygiene and bad data controls and bad security and insufficient controls, protocols, and governance, and all that you're doing is applying more and more gas, more and more and more acceleration, that doesn't change the quality of the road. That just means when you do finally hit a wall, you're not likely to survive it.

Yeah, totally. I think vibe hacking is just script kiddies plus AI, right? And they don't have to be good engineers. An idiot with a rocket launcher still has a rocket launcher. These are some really powerful tools. So I think being dismissive is probably not that helpful. I don't think it's time to panic, but we do need to understand and take it seriously that these tools are only getting better.

When the number one tool on the global leaderboard is an AI model such that they actually have to change the way they calculate things to separate humans from AI systems, we should be paying attention to that.

So the last question is we're coming into 2026 really quickly. It's a pretty critical time to look not only at your architecture but also at supply chain risks. We've seen a lot of issues for the last several years, everything from SolarWinds to CrowdStrike now, to the issues with SalesLoft just a couple of weeks ago, third party, fourth party, fifth party risks, the rise of quantum computing, the geopolitical environment that we're dealing in, all of the uncertainty.

What's your advice for CIOs, CTOs, and CISOs on planning their priority items for 2026?

It was gonna be a little bit backwards, my advice, right? Because the world around us is increasing in complexity. Well, the solution, the way through it, the way to get the buy-in from the executives that control the purse strings is to simplify, grossly simplify, in some cases oversimplify in any way that you can.

The truth of the matter is we need to unlock the urgency and priority and budget from the CEO, the CFO, and the board. And you're not going to do that by burying them in acronyms and buzzwords. Simplify. Simplify your environment. Simplify your tech stack. Simplify how you talk. Simplify, simplify, simplify.

If you're not focused on doing that, all you're doing is effectively pulling the pin on the grenade and then tying it together with various types of, I don't know, duct tape, baling wire, cotton candy, papier-mâché, hoping at no point you're the one holding on to that hot potato when it finally explodes.

You're not making it better. We have to make it better and the only way you make it better is to simplify. And if you start with simplification, that's something everyone can understand. It pays huge dividends. It's easier and cheaper to secure a simple stack than a complex stack. So how can you simplify from the beginning?

How can you focus on reducing the blast radius? And when you can't simplify, stop trusting.

Makes perfect sense. I couldn't agree more. I think it's very important that we get as fast as possible, and you can't be fast if you're overly complex. We're never going to catch up and keep up if you don't know what your attack surface is. And from a supply chain perspective, I would stop short, and I'm sure you would agree, but I don't want to speak for you. You don't want to go with a single-source vendor, right? That's too much vendor risk, but where you can get 90% from 10 tools instead of 10% out of 90 tools, that's how we're going to get there.

Fill in with point solutions where you need them for your business, your industry, your specific compliance risk, whatever you need, but try to get as much out of as few platforms and key partnerships as you can because otherwise it's just too complicated. There's just too many moving parts.

Yeah, I'm a big car guy and Lotus has my favorite slogan, which is, simplify and add lightness. If we applied the same thing to cybersecurity, think how much safer we'd be, think how much happier we'd be, think how much better off we'd be if we took the same exact strategy. Let's simplify and add lightness. How fast would we be able to move if that was our strategy throughout the entire tech stack?

Add lightness. That's exactly right.

Completely agree. Couldn't agree more. Howard, I think we're up on our time. Thanks so much for attending. It's great catching up with you again. I'm sure I'll see you at an event sometime in the next several weeks as we're all a million milers and all over the place. And thank you again for your time and congratulations on the new role.

Thanks, Chuck. This has been awesome. I'm looking forward to seeing you again.

Right on. Thanks very much. Thanks everyone for listening and watching this episode of the Global CISO from F5. And again, thanks to our guest, Howard Holton, CEO of GigaOm. So, Howard, thanks very much and we'll see you guys soon. Stay safe out there.

Guest: Howard Holton (LinkedIn: linkedin.com/in/howardholton)