Dive deep into why security leaders must abandon technical jargon for financial impact metrics when speaking to executives.
Every week, CEO Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.
We recently spoke with Joshua Brown, Founder of Digital Defense Consulting & CISO at Spektrum Labs. Here are the top takeaways from the interview.
“I think as any program moves through its maturity, whatever maturity model you use, you go from ad hoc security and firefighting to, okay, we've got steady state, we've got processes, we're executing on those, to getting into the proactive and that's pretty late in the maturity cycle, but it's absolutely critical. And I think there's a few things that are really important:
“So first is observability or visibility you have across the enterprise. If you can't see something, you can't detect that there's a problem getting deep into the business and understanding where the business is trying to go, how the application stacks, or stacks, work, what markets you're moving into. Risk is indexed to market verticals, for example. In my last role at H&R Block, it was a weird niche market because it's tax, well, there aren't a whole lot of tax companies. They're not a bank, they're not an insurance company, they're a financial institution, sort of, but not really. And so the threat intel that you could buy commercially didn't really. And 10,000 retail locations, so you got retail exposure too. But it's not the same as having a store full of product that can get stolen. Although there's personal information. That was the product.
“So we decided to get out in front of this stuff. We tried multiple threat intel sources and none of them really brought the kind of value we would expect. So we built our own threat intel team. And that was a pretty new feature of the team, a new function that we added in probably the last 18 months or 22 months I was there. And the idea is that they're out there trolling, looking for threats. So we would find things on the dark web that indicate pending attacks. Some of the stuff we got through the financial services, ISAC, threat intel sharing that way.
“You have to prepare for what's coming, not what's happened. And so again, it's back to your point about the confidence and the information, you're sort of reading the tea leaves like, where is this going? Where are the attack trends heading? If we start using more AI, what's that going to expose us to? Okay, let's make sure that we've got the appropriate stack in place so that we can be appropriately protective and then react appropriately when the time comes.”
Actionable Takeaway: When your organization operates in a unique industry vertical that doesn't fit neatly into standard categories, commercial threat intelligence often provides limited value. Consider building an internal team dedicated to monitoring dark web markets for indicators relevant to your specific business model. The goal isn't responding to what's already happened but preparing for emerging threats on the horizon.
“I think this is a place where the technology has been around for a while, but the move to the cloud changed this somewhat. Having a CMDB, a content management database, where all your assets are indexed, as long as that's a manual process, it's never going to be accurate.
“At [H&R] Block, [we had a] hugely dynamic environment, not so different from a large university. 60 to 70,000 tax pros were onboarded and offboarded every single year and all of the endpoints and tech that went with that. So keeping track of all of that in real time is an immense challenge. If you don't know what your attack surface is, how are you going to defend it? You'd only be accidentally successful, and nobody wants to be accidentally successful. So there's some automated things now that do discovery. What we did is we didn't trust in any single piece of technology. We looked at, of course, our CMDB, we looked at our cloud index, we looked at active known IPs, and we looked at our EDR on the endpoints and we matched all those things up and then repped them for differences, so if the count of devices in Active Directory doesn't match the count of devices in CrowdStrike. Okay, now we have a problem. Let's figure that out.
“Part of the concern around asset management and inventory management is making sure that your tech stack is present and configured properly and working on every single device that's out there. There are ways to improve the fidelity of that without necessarily having perfect knowledge of what's in your environment. You can and should build everything from gold images that have all of the configurations built in. You can and should have some sort of configuration management tool that will go out and rewrite to the gold standard if there's configuration drift. So there are things you can do, but it's really not where it needs to be, honestly, from a technical perspective. So you have to, definitely not rely on a single tool, single platform, but bring in the signals from everything.”
Actionable Takeaway: Manual asset inventories inevitably fail in dynamic environments with thousands of endpoint changes. Overcome this challenge by correlating data across multiple platforms, including CMDB, cloud indexes, Active Directory, and EDR solutions, to identify discrepancies. Implement gold image deployment and automated configuration drift correction to maintain reliable security coverage even without perfect inventory knowledge.
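The cross-source reconciliation described above, as an added example that is not from the interview, H&R Block, or Sprocket. It takes constructed exports standing in for a CMDB, a cloud instance list, Active Directory, and an EDR console (hostnames and source names are hypothetical), normalizes the names so the same machine matches across systems, and reports three kinds of discrepancy a defender cares about: hosts seen live but without an EDR agent, hosts seen live but never recorded in the inventory, and inventory records no live source can see. It also shows why comparing counts alone is not enough: in the sample data AD and EDR both report five devices, yet their membership differs.

```python
"""Cross-source asset reconciliation (added example with constructed data).

Sources and hostnames below are hypothetical stand-ins for exports from a
CMDB, a cloud provider's instance list, Active Directory and an EDR console.
"""
from typing import Dict, Iterable, List, Set

# Constructed sample exports. Each source formats names differently on purpose:
# the CMDB stores FQDNs, AD is upper-case, the EDR export has stray whitespace.
SOURCES: Dict[str, List[str]] = {
    "cmdb": [
        "WS-0001.corp.example", "WS-0002.corp.example", "SRV-DB01.corp.example",
        "srv-web01.corp.example", "OLD-LAPTOP-77.corp.example",
    ],
    "cloud": ["srv-web01", "srv-web02", "srv-api01"],
    "ad": ["WS-0001", "WS-0002", "WS-0003", "SRV-DB01", "SRV-WEB01"],
    "edr": ["ws-0001 ", "ws-0003", "srv-db01", "srv-web01", "srv-web02"],
}

# Sources that observe a host "live" (it authenticated, was billed, or ran an
# agent), as opposed to the CMDB, which only records what someone wrote down.
LIVE_SOURCES = ("cloud", "ad", "edr")


def normalize(name: str) -> str:
    """Canonical key: trimmed, lower-cased, DNS suffix removed.

    Without this step the same machine looks like three different assets.
    """
    return name.strip().lower().split(".")[0]


def normalized_sets(sources: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """Normalize every source into a set of canonical host keys."""
    return {src: {normalize(h) for h in hosts} for src, hosts in sources.items()}


def counts(sources: Dict[str, Iterable[str]]) -> Dict[str, int]:
    """Per-source device counts, the quick check the interview describes.

    Equal counts do not prove equal membership; find_gaps() does the real work.
    """
    return {src: len(s) for src, s in normalized_sets(sources).items()}


def find_gaps(sources: Dict[str, Iterable[str]],
              control: str = "edr", inventory: str = "cmdb") -> Dict[str, Set[str]]:
    """Set-difference the sources to surface actionable discrepancies."""
    sets = normalized_sets(sources)
    live = set().union(*(sets[s] for s in LIVE_SOURCES if s in sets))
    return {
        # Seen live somewhere, but the security control has no agent on it.
        "unprotected": live - sets[control],
        # Seen live, but never recorded in the inventory of record.
        "unmanaged": live - sets[inventory],
        # In the inventory, yet no live source sees it: likely decommissioned.
        "stale": sets[inventory] - live,
    }


def missing_by_source(sources: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """For each source, the hosts known anywhere that it cannot see."""
    sets = normalized_sets(sources)
    everything = set().union(*sets.values())
    return {src: everything - s for src, s in sets.items()}


if __name__ == "__main__":
    print("device counts:", counts(SOURCES))
    for kind, hosts in find_gaps(SOURCES).items():
        print(f"{kind:12s} {sorted(hosts)}")
    for src, hosts in missing_by_source(SOURCES).items():
        print(f"not visible to {src}: {sorted(hosts)}")
```

The `LIVE_SOURCES` split is the design choice that matters: the CMDB is treated as a claim to be verified, while anything that authenticated, was billed, or checked in through an agent is treated as evidence. Adding a fifth source (DHCP leases, a vulnerability scanner, known IP ranges) is a one-line change to `SOURCES` and, if it observes hosts directly, to `LIVE_SOURCES`.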
“I'm not sure there's a single biggest thing. So some people would say, what's a talent shortage? At the same time, I know lots of people who have applied for hundreds of security jobs and don't even get an interview. So I'm not sure how much of that is real. I think there's a lot of contributing factors that put cybersecurity programs at a disadvantage compared to the attackers. And we're already back on our heels.
“I don't think the industry has necessarily done us any favors in terms of how products are developed and marketed. Zero trust is a great example. Zero trust is not a product, but it became a marketing term. So if you look at the NIST cybersecurity framework guidance on how to implement a zero trust architecture, it is technology agnostic. It's hard work to do that kind of thing, to provide that kind of an infrastructure. And for companies that weren't built that way from the ground up, it means re-architecting everything. Who's going to do that? Who's going to take on that kind of a disruptive, expensive task? But at the same time, well, the CIO read it on an in-flight magazine and now he wants 100% more zero trust. And so the market, the cybersecurity market, fills that space by offering products that claim to deliver zero trust. Well, no, they may help you achieve zero trust. They may let you shortcut some of the really painful re-architectures.
“So I think too often we reach for technology to solve a problem when we haven't even covered the basics of good policies, good procedures, good standards, and hell, man, I'll take more people over more technology any day of the week. Having smart people who eat, live, and breathe this stuff that are passionate about it and want to solve hard problems. That is the key. And unfortunately, people are expensive, in some ways even more expensive than cybersecurity tooling. And so that can be a really tough sell for CISOs that are trying to grow a program or build a program for a company that doesn't have one.”
Actionable Takeaway: The cybersecurity industry often transforms complex frameworks like zero trust into marketable products when true implementation requires substantial architectural changes. Don't get caught in the hype cycle. Smart, passionate people solve hard security problems better than any tool. Although talent might cost more than technology, skilled security professionals deliver value that no single product can match.