• Chasing Entropy Episode 006: From Hammers to Hope with Wendy Nather
    Jun 3 2025

    In this episode of Chasing Entropy, I sit down with cybersecurity trailblazer Wendy Nather for an honest, insightful, and occasionally hilarious conversation that spans career origin stories, hammer metaphors, and how empathy is the secret weapon of modern security leadership.

    From Swiss Banks to Strategy

    Wendy Nather’s journey into cybersecurity is anything but conventional. From wrangling Unix systems at a Swiss bank to being unexpectedly appointed head of EMEA security, her career has been a series of “say yes and figure it out later” moments. Her creation of the security strategist role at Duo (where she helped bring Dave onboard) laid the groundwork for today’s Advisory CISO model—distinct from field CISOs and rooted in trust-building and strategic influence.

    Understanding the Security Poverty Line

    Wendy unpacks her now-famous concept of the “security poverty line,” a lens for understanding how underfunded, understaffed organizations struggle to meet industry best practices. It's a call to move beyond judgment and toward practical empathy—especially when small businesses with outdated gear and little budget become backdoor vulnerabilities in the broader digital ecosystem.

    The Human Side of Cybersecurity

    The conversation dives deep into the need for empathy, especially at the CISO level. Wendy argues that real leadership in security isn’t about technical perfection—it’s about understanding people, building influence, and leading with compassion. For those just entering the field, she reminds listeners that many roles in cybersecurity today didn’t even exist a decade ago, and that we’re all still “making this up as we go.”

    Agentic AI, Zero Trust, and a Spoon

    The pair also reflect on the rise of agentic AI and its implications for zero trust architectures. Wendy challenges the assumption that AI introduces completely new risks, suggesting instead that it’s a matter of awareness, contract transparency, and figuring things out as a community. She also revisits her “spoon” analogy from past keynotes: good security design should be as intuitive as using a spoon—hard to mess up, universally usable.

    Final Thoughts

    Wendy closes with advice for veterans and newcomers alike: surround yourself with peers you trust, keep learning, and don’t buy into gatekeeping myths that overvalue technical credentials. What really matters is adaptability, collaboration, and understanding the bigger picture.

    Subscribe to Chasing Entropy on your favourite podcast platform and join us next time as we continue to unravel the systems and stories shaping cybersecurity.

    34 mins
  • Chasing Entropy Episode 005: “Best Janitor, Worst Superhero” with Adrian Sanabria
    May 27 2025

    In this episode of Chasing Entropy, host Dave Lewis, Global Advisory CISO at 1Password, sits down with Adrian Sanabria—Principal Researcher at the Defenders Initiative and founder of Destroyed by Breach—for a wide-ranging and candid conversation about the challenges, myths, and future of cybersecurity.

    From Help Desk to Hacking the Narrative

    Adrian shares his unconventional journey into the cybersecurity world, tracing it back to retail tech support and internet help desk gigs where he developed resilience, empathy, and a knack for communication. He talks about how early experiences handling confused customers over phone lines laid the groundwork for a career in community engagement, public speaking, and eventually running B-Sides Knoxville.

    Debunking Security Myths

    Adrian doesn’t pull punches. From phishing simulations and forced password resets to the overhyped impact of breaches, he challenges many “best practices” that persist in cybersecurity. He notes that while the industry once operated on instinct and guesswork, we now have decades of actionable data—but still struggle to act on it meaningfully.

    “Less than 100 CVEs each year actually matter. Out of tens of thousands.”
    – Adrian Sanabria


    Agentic AI, Shadow IT, and the Next Frontier

    The conversation turns to emerging threats and opportunities, particularly around Agentic AI and open-source vulnerabilities. Adrian warns that while companies rush to adopt automation and AI tools, they’re often ignoring foundational problems—like identity management and shadow IT—that have plagued organizations for decades.

    Policy, Priorities, and the Security Industry’s Missed Opportunity

    Both Dave and Adrian agree: governments are stepping in with cybersecurity policies because the security industry has failed to manage its own narrative. Marketing budgets, FUD, and vendor agendas have diluted the voice of practitioners. The episode urges listeners to advocate for more grounded, evidence-based conversations in the field.

    What’s Next and What Matters Most

    As AI hype barrels forward, Adrian sees it as both a distraction and an opportunity. “It’s useful tech,” he says, “but we’re not using it wisely.” Instead of slow, GPU-hungry processes, he calls for smarter automation and attention to patterns that really matter.

    He also reflects on his own growth: learning to play to strengths, managing ADHD, and finding fulfilling work that delivers real feedback.

    Final Advice for Aspiring Cybersecurity Folks

    “Stop trying to be good at everything. Find what you’re already good at, and build on that.”


    Adrian closes with advice that’s equal parts practical and personal, encouraging newcomers to the field to be self-aware, adaptable, and unafraid to seek help—be it professional diagnosis or community mentorship.

    Listen & Subscribe

    Wherever you get your podcasts. Like, subscribe, all that sort of jazz, and stay tuned for next week’s episode of Chasing Entropy.

    36 mins
  • Chasing Entropy Episode 004: From Student to Leader – A Conversation with Matt Johansen
    May 20 2025

    In this episode of Chasing Entropy, host Dave Lewis welcomes longtime friend and cybersecurity thought leader Matt Johansen. What unfolds is a deeply insightful, often personal discussion that spans the evolution of an entire career—from a student in a literal church pew to a key voice shaping cybersecurity narratives today.

    From Dorm Room to Industry Leader

    Matt shares the serendipitous moment that ignited his cybersecurity career: a last-semester class taught by a university CISO, a DVD of James Arlen’s “Black Hat to Black Suit,” and the early encouragement to engage on Twitter and LinkedIn. That first year of digital networking proved foundational—every boss Matt's had, he met during that stretch.

    Big Banks and Shadow IT

    Matt contrasts his experience building security programs at a scrappy fintech startup with the tightly controlled environment at Goldman Sachs post-acquisition. He discusses how rigid controls can reduce risk but stifle innovation, and unpacks how shadow IT thrives even in the most controlled environments. The lesson? Security postures must match organizational realities.

    Mental Health, Burnout & the Myth of the Security Superhero

    One of the episode's most powerful threads is Matt’s advocacy for mental health awareness in cybersecurity. He critiques "superhero culture," where the same individuals are always relied on in crises. Instead, he calls for real structural changes—proper rotations, mandatory time off, and leadership accountability. As he puts it, you can’t yoga your way out of burnout.

    Identity is the New Malware

    Matt and Dave explore how the attack surface has shifted. With SaaS proliferation and stolen credentials replacing malware as the primary attack vector, identity management has become paramount. Highlighting attacks like the TeleMessage breach and the phishing incident involving Troy Hunt, they emphasize that security must make “clicking links” safe—not shame users for doing it.

    Vulnerable U & Making Security Accessible

    Matt now runs Vulnerable U—a cybersecurity media company delivering digestible infosec news via newsletters, YouTube, TikTok, and Instagram. He reflects on how his early work curating news for Liquid Matrix evolved into a full-time passion for communicating security in a human, relatable way.

    Advice for Aspiring Professionals

    Matt’s number one tip for newcomers? Create content. Even if you’re still learning, share your process. Blog your breakthroughs, record your thought process, and contribute to the dialogue. That transparency and authenticity open doors.

    Mentioned in the Episode:

    • Vulnerable U: vulnu.com
    • TeleMessage Security Breach
    • The "Black Hat to Black Suit" talk by James Arlen

    “Clicking links should be safe. What do we have to do to make clicking links safe?” — Matt Johansen

    Be sure to subscribe, share, and join us as we continue to chase entropy across the loading construct.

    37 mins
  • Chasing Entropy Episode 003: Digital Security for the Vulnerable — A Conversation with Runa Sandvik
    May 12 2025

    In this compelling episode of the Chasing Entropy Podcast, host Dave Lewis, Global Advisory CISO at 1Password, sits down with renowned cybersecurity expert Runa Sandvik, founder of Granite and longtime advocate for digital security in high-risk spaces. Together, they explore a career dedicated to protecting journalists, challenging the status quo in cybersecurity, and hacking smart rifles (yes, really).

    From Oslo to the Front Lines of Press Freedom

    Runa recounts her journey from a curious teenager in Oslo intrigued by hacking, to working at the Tor Project, and eventually becoming head of newsroom cybersecurity at The New York Times. Her work there included launching a secure, anonymous tip line for whistleblowers, a pivotal tool for modern investigative journalism.

    Building Trust in the Security Community

    The conversation dives into how cybersecurity professionals can meaningfully support journalists—by building relationships not only with individual reporters but also with the infrastructure teams behind them. Runa highlights organizations like the Freedom of the Press Foundation and the Electronic Frontier Foundation as crucial players in this ecosystem, alongside companies like 1Password that provide free tools to journalists.

    Hacking Smart Rifles: The DEF CON Tale

    In one of the more unexpected twists, Runa discusses her 2015 research that exposed vulnerabilities in smart rifles. What began as a curiosity at a gun show evolved into a full-blown technical exploit, revealing how attackers could lock triggers or cause shots to miss targets dramatically. The story underscores a vital lesson: as technology continues to permeate even the most unlikely of devices, security needs to follow closely behind.

    The Persistent Shadow of Shadow IT

    Dave and Runa also explore the persistent issue of shadow IT—when employees turn to unapproved tools to get work done. Runa emphasizes the importance of understanding user needs, fostering open communication, and demonstrating the benefits (legal, privacy, and security) of company-approved solutions. Without this approach, she warns, organizations risk being blindsided by their own internal blind spots.

    AI, Privacy, and Human Rights

    As AI continues to reshape the tech landscape, Runa cautions against jumping on the bandwagon without first establishing clear policies and security frameworks. She draws important parallels between the rush to adopt AI and the ongoing struggles organizations face with basic cybersecurity hygiene.

    Looking Ahead

    Despite the allure of emerging technologies, Runa concludes by urging listeners not to lose sight of the foundations: training, awareness, clear policy, and human-centered security practices remain the bedrock of any resilient security program.

    Resources Mentioned:

    • Granite – Runa’s security consulting firm
    • 1Password for Journalists
    • Freedom of the Press Foundation
    • SecureDrop
    31 mins
  • Chasing Entropy Podcast episode 002: Digital Doomsday & Resilient Response with Rich Mogull
    May 6 2025

    In the second episode of Chasing Entropy, host Dave Lewis, Global Advisory CISO at 1Password, welcomes a true luminary in the cybersecurity world—Rich Mogull, SVP of Cloud Security at Firemon and CEO of Securosis. What follows is a lively, insightful, and often humorous conversation that ranges from paramedics to Black Swan events, revealing how physical disaster response frameworks can revolutionize cybersecurity.

    From Paramedic to Cybersecurity Visionary

    Rich shares his unconventional journey into cybersecurity, starting with physical security at university events, then pivoting to paramedicine, software development, and ultimately to security analysis and consulting. His transition into cybersecurity was never part of the plan—it was shaped by curiosity, opportunity, and a whole lot of caffeine.

    The Power of Early Opportunities

    We reminisce about early career moments, including Dave’s first-ever speaking engagement alongside Rich. These experiences underscore the value of mentorship, peer support, and stepping into discomfort to grow.

    Black Swan Events & Incident Response

    The heart of the episode centers on a shared talk from IRISSCON in Dublin titled “Digital Doomsday: Building Resilience for Cyber Black Swans.” Rich explains the concept of a Black Swan—unpredictable yet highly impactful events—and how learnings from physical disaster response (like hurricanes or mass casualty events) can be applied directly to incident response in IT.

    Bridging Physical and Cyber Crisis Management

    Drawing from his extensive background in emergency services and disaster response, Rich advocates for adopting the Incident Command System (ICS) and all-hazards preparedness within cybersecurity. He emphasizes that while the domain (cyber vs. physical) may differ, the principles of coordination, communication, and scalability remain the same.

    “The nature of putting out a fire vs. handling a hurricane vs. dealing with ransomware—they're all just different domains of the same challenge.”


    Why Cyber Keeps Burning Itself

    We also explore recurring issues in the industry, like password mismanagement and shadow IT. Rich critiques the idea that security teams should try to control everything, arguing instead for building resilient systems that can adapt to business needs, attacker behavior, and legacy tech constraints.

    Final Insights

    Rich closes by reflecting on the forces that shape cybersecurity:

    • Business decisions and priorities
    • Adversary tactics
    • Legacy system vulnerabilities
    • Human error
    • Compliance pressures

    He cautions against over-indexing on hot trends while neglecting the fundamentals that could reduce real-world risks—especially in critical infrastructure.

    32 mins
  • Chasing Entropy Podcast Episode 001: Staying True to Your Passion with Jennifer Leggio
    Apr 28 2025


    In our first-ever episode, host Dave Lewis sits down with Jennifer Leggio — cybersecurity strategist, marketing leader, and community builder — for a candid conversation on career growth, the evolution of cybersecurity, and why staying true to your passion matters more than chasing titles.

    Key Topics Discussed

    • The Origins of the Security Twits: How a simple list helped create an early infosec community on Twitter.
    • Career Lessons: Why Jennifer left a COO role to return to her marketing roots — and what it taught her about fulfillment.
    • Shadow IT Risks: Why "Shadow IT" is a growing organizational threat and how leadership must step up.
    • The Importance of Communication: From responsible disclosure to executive messaging, clear communication saves organizations.
    • Learning From the Past: Why cybersecurity must do a better job of remembering lessons — like patching and password hygiene.
    • Advice for Newcomers: Find great mentors, define your own path, and never be afraid to pivot.

    Memorable Quotes

    "Stick to what fulfills your soul — not what your title says you should be."
    — Jennifer Leggio


    Final Thoughts

    Jennifer's journey shows that authenticity, curiosity, and resilience are just as critical in cybersecurity as technical skills. Whether you're a seasoned professional or just entering the field, her advice is a refreshing reminder to build community, learn from the past, and stay true to yourself.

    30 mins