This is identity at the center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Good, I got some breaking news. I got married on Saturday, Valentine's Day. So now it's Mr. and Mrs. McDonald. Denise McDonald, for those who maybe know her, she goes to, she's gone to a lot of conferences with me and you over
the past few years. Yeah. Congratulations. I knew it was happening but you literally like told me right before we hit record, so you gave me no time at all. I should. Now that I think about it, I shouldn't have even told you then. I should have just waited and popped it on you right now. And you. Because when I told you, you looked completely floored. I, you know, I figured it would be like sometime in the summer or, you know, whatever it may be.
But yeah, no, congratulations to you and Denise. Like I said, you know, Denise has been visible, I think a lot of the conference we've been to kind of recently and over the last couple years. So yeah, punching way above your. You're punching way above your weight class, Sir. Yeah, well, that's for sure. That's for sure. But yeah, it's exciting stuff, man. I'm really happy. That's good. That's the whole point of it.
I want to ask you a question because we had, I had a LinkedIn post, I think the other day, I think it might have been our 400th episode. And you posted how are you? Hey, Jeff, how are you? And I'm wondering if it was a subtle nod to how we intro almost every show. Or you say how are you and I say not so bad yourself. Exactly. That's exactly what it was. You did get it. And I was actually thinking, I was going to say for the 401st time, hey, Jeff, how are
you? But then I was thinking, well, there were probably about 10 episodes that I wasn't on. So anyway, I just went with that. I'm glad you got the subtle, subtle hint. It took me a day or two. I was like, is that what I think it was? I'm like, is Jim that clever? Yeah, and we got it. So no. Well, congratulations, that's great, to you and Denise. What else we got going on in the world? We got a bunch of conferences that we're going to be hitting up here.
I think it's March by the time people listen to this. We've got EIC in Berlin coming up. So we've got a discount code for that on our website, idacpodcast.com. Just scroll down. I've got a discount code for that. What else? We got Identiverse in June, just a couple weeks after that. Tip for both of those if you think you're going to go to the conference, well, especially at
Identiverse, right? Because hotel cancellation rules are usually pretty lax in the US, is book your hotel, especially if you can do it without a cancellation fee. Because so often we're at the conference maybe with our close compatriots who knew they were going to go to the conference. And they're like, yeah, I'm staying like 10 properties over. This place was sold out. And you're just like, how does that keep happening to you, man?
That is the pro conference attendee move is to make sure you stay at the hotel of the conference. Or if you don't want to be seen with anybody after the conference, then don't stay at the conference hotel. Stay far away. You know, whatever that looks like depending on your persona and your style and however that one is. But you know. Be strategic about it, yeah. For this, I think it just makes sense. Less walking.
You know, I know lots of people, myself included, have like ended up staying at the Luxor and then having to walk to Mandalay. And that's legit like a mile walk every day. It's air conditioned, but if you are like outside and having to walk in June in Vegas, it could easily be 100°. Yeah, I wouldn't recommend it. No, if you are carrying a heavy bag or, God forbid, you put like a sport coat on or something. You know, stuff like that. Not fun.
Yeah, no. So stay at the hotel, book early, book often, go for the cancellation. I booked my Identiverse hotel I think in like January and it was like straight through Mandalay and I got to tell you my rate is way cheaper than what the rate was. I used the room block that the CyberRisk Alliance had and I think it was like 178 a night. So you can't say you haven't been warned, right? Get out there, book the room. Hopefully you have the approval
already. Use the discount code that we have on idacpodcast.com. Yeah, save some money and show some support for the show. So there you go. You do that for EIC, do that for Identiverse. If there's other events, let us know what you're looking at attending. And who knows, maybe Jim and I can pull some strings and get some discount codes for those as well. That's our goal. All right, let's talk about our main topic for today, which is the RSM 2026 Attack Vectors report.
We don't typically get into a lot of RSM stuff on this show because we don't want it to turn into like a commercial for RSM. And RSM is very generous. This is, for a lot of people who don't know, it's like we do not do the podcast full time. This is nights and weekends. RSM is our employer. You and I are identity consultants by day. Been doing that for almost a decade together, the last few years, you know, here with RSM. So we have this report that has just come out.
It's called the Attack Vectors report. And we've got the person really kind of in charge of all that, David Lawrence. He's the principal with RSM or a principal with RSM, I should say. So let's get him on the show. Welcome to the show, David. Hey, thank you. Thank you for having me. So I've known you for almost 4 years because I'm coming up on four years with RSM and you know, we've kind of worked in
the same circles. You've moved to other areas where this Attack Vectors report is, you know, probably a key component of that. But before we get into the report, before we get into all that stuff, I always like to find out histories, backstories, origin stories. How did you get into the world of cybersecurity and is it something that you chose or did it choose you? Well, I think it kind of kills me.
I mean, in high school, I had a pretty active, I guess, group of people that I used to hang out with. And whenever we went into the computer lab, I mean, we just started playing with different things. And at that time, back in the 1990s, there was this thing that was called NetBus, basically like a root, a rootkit Trojan type of thing. So I guess I'm accepting that between my friends and I, basically we installed NetBus across all the computer lab computers.
And one of the things that this thing could do is just allow you to open the CD-ROM or close it, turn on the monitor or just turn it off, make sounds, like modify the way that the computer was working from another computer, right. So it was really cool to see all your friends.
What I mean, basically doing whatever in their computer and then all of a sudden you'd open the CD-ROM and then they will be surprised about it and then you'll be able to close it again or just turn off the computer. So it would be just chaos overall, having a good time. That was one of the things that basically piqued my interest and I was just like, I want to know how this works and what is the back end to follow this? And that's how I got interested
into cybersecurity. And the second thing that got me interested into cybersecurity was in the same computer lab. That was the time where everybody was going into, I mean, opening e-mail accounts. And I mean, the first few times where you would communicate with your teacher through e-mail. And at some point I logged in into my e-mail and I didn't notice this, but my e-mail was compromised or hacked by someone else. And I didn't know better to
understand that. I mean, obviously if we installed NetBus on computers all across the computer labs, it was probably not a great idea to log into your e-mail and just look at your e-mail in the same computer. But I didn't know any better, right? So my e-mail got compromised and someone, I never learned who, took my e-mail and sent a really nasty e-mail to a teacher in that school. And I almost got expelled at that
point. And I remember spending two days just trying to find ways to prove that it hadn't been me and that in all honesty, it had been someone else, to the point that the principal told me, if you're able to show me that it wasn't you, then I'll reconsider the punishment. And that's how I got into cybersecurity. I started doing forensics investigations in a lot of computers that were compromised, trying to find a way to clear my name in front of a teacher.
And then from that point forward, I was just like, this is never happening to me again. I mean, I could go into a computer and I'd better know what I do. I'll never get compromised. And I'm sure that I got compromised, I mean, a few other times, but never, at least not to the extent that I was compromised on that day. So that's what got me into computers.
And then really from that point forward, it was all about trying to get into computers, trying to hack computers and try to teach people how to not get hacked, to be honest. So you got into this because of poor digital identity security? Oh, absolutely. Pure, like, yeah, absolutely. Like everybody was using the same username and password in the computer lab, right? So just from starters, that was
an issue, right? And that's why we could basically start this NetBus product into all these different computers. And then second, I remember that my password back in the day wasn't as strong, even though there was a key logger in NetBus as well, so they could read my passwords. But that was the reason for sure why I got into cybersecurity. So I introduced you as a
principal with RSM. People may not be familiar with consulting terminology, but maybe briefly explain what a principal is and then your specific role with RSM because it's changed a couple times over the years that I've known you. But I think what you're doing now is really kind of what sets
the table for the topic today. Yeah, I think that what a principal is in RSM, I would say, is just a partner without a CPA. I mean someone that is part of, I mean, the leadership of the company and is helping the company to, I mean, go in the direction that the company wants to go from a strategy perspective. And I think the CPA firms distinguish between someone that has a CPA and someone that doesn't and they decide to call whoever doesn't have a CPA a
principal. So that's what a principal is. And then my role in RSM today, I lead the offensive security team and the cyber response team in RSM. And I'm also the product creator or owner of RSM Atlas, which is, I guess, an AI-enabled tool that helps a lot of companies just to rationalize their controls and make sure that they have the right information in their GRC tools.
So a lot of hats, I guess, but mostly offensive security and leading the offensive security in RSM and globally as well. Well, Jim and I, you know, joke an awful lot that this show sometimes turns into AI at the Center. And we'll probably want to have a separate conversation around, you know, Atlas and kind of what that does. But let's focus on, you know, the offensive side of things and this report, so it's called the 2026 RSM Attack Vectors report.
What is it? How does it get generated and maybe kind of take us to the background of it before we start talking about what it entails. So, this is a report that we publish every year for the last, I think, four to five years. And the reason why we started doing this report is because we have obviously a number of engagements on the offensive security side with different clients and we have identified a number of trends every single
year, right. For example, two years ago, you could see that companies were going into cloud and they were heavy on cloud and you could see a lot of the identity and access management components focusing on cloud heavy
implementations. And one of the things that we're trying to do is just still share what we expect companies to do from a technical point of view to protect themselves against, I mean, any attacker or any hacker that is using the most common techniques, right, like the low-hanging fruits that
you see out there. And one of the things that I was discussing with Jim the other day was that it's funny how when you're doing offensive security, you hear a lot of cybersecurity practitioners talk about all their own perspective, I guess, topics and themes.
But it does feel that sometimes offensive security just lives in a different world 'cause we see things that most other consultants, professionals don't really focus on because we're really, I guess, going one step further into the technical aspect of things, right, of just techniques, I would say.
So the report itself, what it's trying to do is just create some big themes that people can take and then just leverage those themes to implement recommendations into their own environment without really trying to go through the whole effort of doing an offensive security test in their whole environment. Right. And it gives you specific recommendations on how you can implement identity and access management in your environment.
The specific challenges that we see in each of these companies that we test in general levels, configuration management, vulnerability management and so on. With the idea that eventually, if you go through the report and you take the key takeaways and implement them in your environment, you're really moving the needle forward, honestly, and you're getting to a better place than your competitors in most
cases, right. So that's the idea, just to share with the community and allow the community to understand what is happening across different companies, different sizes, different technologies, different industries and take what we're giving them back so they can get better without, I guess, like, having to buy services from us, you know. So David, we're recording this episode prior to the report being dropped. I think it's going to drop on 2/22. So February 22nd, this episode
is going to drop on March 2nd. We'll have a download link in the show notes. We don't have that link to verbalize it today, but I'm sure if you follow us on LinkedIn, you're going to see us reposting this thing because it's a ton of value. I got to review kind of a preview copy of it. And no surprise here, identity security is highly mentioned within the report. Wonder if you could speak to that and tell us like why? Why do you think that is? Yeah.
I mean, obviously identity has taken a big role in every single organization. And I mean, especially in 2025, we saw a lot of companies heavily investing in, I mean, just application development, cloud services and on top of that trying to push for AI services being enabled on both sides, the cloud and application. And then with that, you need to manage your identities better,
right? Like I think in 2024, for example, we saw a lot of, hey, let's just focus on client identities and make sure that client identities are working well because that's our user experience. In 2025, we saw a huge push, especially in the second part of 2025, from companies to enable AI in their own applications, make sure that they had some sort of, I don't know, functionality or feature related to AI. And that created, I mean, multiple
challenges, right? I mean, now I was just mentioning this to Jim, like one of the things that we saw in many applications where we're doing our offensive test is chat bots, right? Like this is a thing that I mean, it's an easy thing to add to your application. So you can think about, oh, let's just embed AI into our
day-to-day applications. And one of the things that companies didn't do well at the very beginning is they were not taking the identity of the user and matching it with the chat bot, right. So if David Lawrence goes into the application and then he's using a chat bot, you would expect that chat bot to be as restricted as David when David is using that chat bot to extract, to get free information
and review, I mean, different things that I might have access to as a user in the application. Well, many, many companies implemented chat bots just with way more privileges into the data and into the application overall. That created, I mean, some of the attack vectors that we're, I mean, mentioning in the attack report, for example. Yeah, you just mentioned there the over-privileged accounts and that's something that I think has been the bane of Jeff's and my existence for the last two
decades. But I'm kind of wondering, like, what are some of the telltale signs, differences between organizations that got breached within a couple of hours and maybe didn't even discover it to those that were able to contain the breach or even prevent being breached?
So, just to give you some context, what we have in the report is, I mean, just anonymized data that we analyzed from upper market all the way to middle market, different industries and then different levels of activity as well,
right. So when you try to extrapolate this into what it is that is working for some companies and what is not working for some companies, it's really difficult because we do have a lot of companies that, I mean, for some that are on the upper market scale, it's really a big challenge because they have such a large enterprise environment that is really difficult to manage. And it's not easy to just
pinpoint one thing. And then there's other companies in the middle market that are, I guess smaller and they're, I mean, better managing security, but they're missing budgets, they don't have the tools and they don't know how to implement some of these identity things. So going back to your question, what are the common things that you see companies doing that I mean, really work? I would say the easy one, right?
And we do point this out in the report as something that is not well implemented, but is the easy one that you can implement right away, is MFA, multi-factor authentication. If you're not implementing multi-factor authentication for your users, especially for anything that is externally exposed or internally for anything that is sensitive, that's an issue by itself and something that is an easy path for attackers. The second one is privileged
access management. I think that is becoming a big, big, big, big theme again. Like I think 10 years ago everybody was just like, let's just implement PAM for all my privileged users, right? And it was just like human identity. Nowadays I think it's getting back to the point where non-human identities are taking front and center of everything, especially with AI agents and
just applications in general. So companies that were doing privileged access management correctly were the other companies that, I mean, it was a hard time to compromise them. And then the last one, which is less related to identity from a point of view of what they were doing, but is related to identity as an indicator that something is wrong, which is
lateral movement. The way that you identify lateral movement in many organizations is by seeing the same user jumping from computer to computer to computer to computer in a way that doesn't make sense from a human perspective. Like you don't want to see Jeff, for example, going into Jim's computer and then from Jim's computer to David's computer, or using the same identity all across different computers. Because the only way that you would use that is coming from a server.
If it's coming from a computer, that's a problem. So identifying those patterns, whether it's someone using the wrong identity in the wrong places, someone using, I mean, a privileged identity across multiple systems in a matter of, I mean, minutes instead of a matter of hours or days, or someone logging in from, I don't know, country A without going into, I guess, a specific country, just country A and then logging in from the US as well. That would be another issue,
right? Like if you have the same login coming from two different, I guess, remote locations or different geographical locations, that's an indicator that, I mean, immediately can tell you, you know what, these guys are compromised. So you need to be careful with that. So those are the three things that I would say are main topics. And then for the more advanced companies, I would say, I mean, just credential rotation.
We have faced some really cool companies that every freaking day, every 8 hours, they would just rotate all their privileged user accounts like this. So as an attacker, you would come in and you would compromise a privileged user account. And the team that I managed, they would feel really confident that they were really good to go, right?
Like I have a privileged user account and I have the whole week to just do whatever I want in this company and then next day they show up and all these credentials were rotated. They cannot access these credentials anymore. And every time that they try to use that credential is creating a new alert or flagging something that is a problem for them. And then they need to restart to try to compromise anything. So that is what I have seen most
companies doing. Well, it's easier said than done, to be honest. Like it's just there's a lot of caveats to what I just said. And I know that it's not easy to implement, but those are the things that I would say are common themes on really good companies that have done identity and access management
well and security well as well. So I'm glad you put that asterisk towards the end because I was going to say, you know, secrets rotation is, I think, a target that most companies want to get to, but not a lot do it still, relatively speaking, right? Well, again, it depends on the industry and the complexity. But if you think about secrets and non-human entities specifically, you're going to have service accounts that are
more Microsoft based. And I think those are the easy ones. Once you start going into, I mean, databases, specific local passwords for servers that are not Windows based, things like that are just not easy to manage in general, right. And then the last piece, which is probably the biggest challenge for most organizations, is that many companies think that they know what they have. And what the engagements that we deliver really point out is that many of them just don't
know what they have. They don't know what assets they manage, they don't know what identities they manage. And because of that, they think that they are really doing things well in their own world, but they really miss the point of what is the universe, right? And that's the biggest challenge, I think, in cybersecurity, and why you bring in sometimes, I guess, consultants, right? It's easy to just get lost in your own chaos and lose the bigger picture.
And consultants, sadly, for whatever reason, can come in and just tell you, hey, you know what, you're too lost in here, just step back and look at the bigger picture. So David, you've kind of referenced two of the biggest topics that I really wanted to get into with you today on the non-humans. That's really, I've always felt like we've kind of figured out how to manage human identities within the enterprise.
But then there's the attack path that you also referenced, which is, you know, switching roles and basically lateral movement. And your goal may be to get up and take over the Active Directory and have the global administrator account access. Maybe start with a service account, you move to a help desk account, you reset the credentials for the global admin and bingo, that company's out of business. But I wanted to go back to something else that you said.
I don't want to like let it go without talking about it because you did talk about large enterprise. Then you talked about the middle market, which is the main area that RSM focuses on, and this Attack Vectors report, a big focus is on the middle market. And I guess when I think about the middle market, I think you mentioned a good point,
right. The scope is probably smaller of what we have to protect than a large enterprise, but a lot of times we're also playing with a smaller budget to put towards cybersecurity. So my question to you really is, what's more important? Is it the size of the budget? Is it, you know, how much money you spend on cyber, or is it, like, how well you spend the dollars, or is it just inseparable? Oh man, that's a great question. So to me, there's a threshold, right?
There's a point in time where you can have a budget and still you can make it work. But there's some companies that don't have even that, right. And I think if you're not past that threshold where you have enough budget to make it work, then, I mean, just forget it. There's nothing that you can do, or a few things that you can do, because you're still going to need licensing.
You're going to need all the things that would help you, especially with technology today, to manage everything that you need to manage in cybersecurity. Once you're past a specific threshold and you have that budget already approved, then it does matter how you spend it and it does matter how you're managing your own technology, how you're managing your investments, and how you're collaborating with other departments. I think this is something that
is really easy to miss. When you talk about cybersecurity, especially cybersecurity professionals, we tend to be in a silo and feel that we're in a silo. And the better cybersecurity teams are the teams that are really good at collaborating with the rest of the enterprise, whether it's a small middle market company all the way to the enterprise. They find ways to make what is important happen, whether it's with their budget or someone
else's budget. And they identify really good ways to understand what is important to the business and not to the cybersecurity professionals. And you made a really good point on your comment about, well, you might be coming in and trying to compromise Active Directory or compromise my identity and access
management solution. And that might be relevant for the cybersecurity professional that is in front of me on the other side, right, like the CISO or whoever. But in reality, one of the things that I think is really easy to me is, from a cybersecurity point of view, is what is important to the business. And I have been, and this is,
I think, a privilege, I have been in organizations where you can compromise their whole Active Directory and the CEO, the CFO, the CEO can just watch it. This is like, I don't care. This is not important to me. My business is somewhere else. I know that I can recover. It's going to be a really uncontrolled day for the CIO and the CIO. So I give you that. But my business is going to continue to run.
So I think there's this balance, right, when you talk specifically about cybersecurity, of what is important for cybersecurity professionals and what is important to the business. And I think the people that understand what is important to the business are the people that are actually investing their budget correctly. So that would be my long-winded way of saying that that's how I see cybersecurity being spent correctly, if that makes
sense. Well, I think that's valuable because if you can use other people's budget to further security goals, that's a win as far as I'm concerned. And the best way to do that is to tie security objectives with business objectives. Absolutely. And this is something that, again, not a lot of cybersecurity professionals do well because it tends to be a confrontational relationship and a lot of friction. But I have seen really smart people using internal audit for their own purposes. Why?
Because internal audit talks about the business risks. And if you're able to present your cybersecurity challenges through internal audit, most likely the CEO and the CEO and others are going to pay attention, because this is an independent party that is coming in and just saying the same thing as the cybersecurity professional has been shouting for a very long time to the same people, right?
So that's an example of how some of the better CISOs that I know have, I mean, done well creating internal relationships in the organization to accomplish what they need, even with a really small budget or, I guess, less of a good budget, I would say. Yeah, they might be shorted somewhere, right? Everyone's trying to claw back
money. I feel like this is definitely where, you know, the vertical or industry you're in definitely impacts probably what tools you can afford and how mature you are, right? Finance probably doesn't have a problem spending on it because, you know, you're saving dollars and risk and things like that.
But the reality is there are so many other organizations that are not in maybe highly regulated industries that would like to be more secure but have to get creative from a
budget. Well, absolutely. And that's the other thing that I think, going back to the question that Jim just made, right, the other good part of the cybersecurity professionals that I know of at the executive level, some of them are really good at explaining the risk through other means and collaborating with other parts of the
business. And some of them are really good at explaining to the business how cybersecurity is a business enabler instead of a business deterrent. Because when you talk about risk, the first thing that comes up immediately is, Oh my God, like I'm going to have to stop my operations. This is going to be uncomfortable to someone. It's going to be really
annoying. But if you implement, and this works really well in identity, like if you implement a really good identity and access management program, I mean, you can enable your business from a client perspective, right? Because a good identity and access management user experience, I mean, it's a huge benefit for the business and it attracts better clients to your business as well, right.
So those are the other places where I see really good security professionals coming in and, I mean, making a change. I mean, with a better story other than, Oh my God, we're going to get compromised. I mean, it's going to be a horrible day when we get hit by ransomware and then our operation is going to be, I mean, really bad. Nobody wants that day. Nobody wants that day, but, I mean, you can recover from that day if you understand the business as well, in my
opinion. And hopefully you've got like good backups and the backups haven't been like tainted in any way. So we did a whole episode on recovery and resilience. Okay, that's good to know because you were going to drive me into that rabbit hole of, I mean, where to invest if you're really concerned about those things. And for sure immutable backups would be one thing that I would immediately invest in.
So print out your entire system, right, put it into like a binder and put it onto like a shelf in an offsite location and then code it all back in. You can use AI, right? Probably to help you, you know, vibe code your entire business operating system. You can call that immutable as well in some sort of way, right? I mean, probably not agile, but immutable for sure. We have the backup. We can't restore it, but we
have the backup. I want to go back to a little bit about the service account and sort of this non-human identity, because look, this has been sort of the topic du jour in the identity world for like the last, I'd say six months, maybe approaching a year at this point. And you know, look, it's an explosion of these accounts, right? I think everyone's familiar with like service accounts from like an Active Directory perspective or, you know, SQL or whatever those, you know, systems are.
But now we've got non human identity, agentic identity AI, right? All this stuff is happening. And I'm curious, you know, based on sort of the report, what are some of the things maybe that you want to kind of pick out around that idea of not only the service accounts, but this idea of, oh boy, now we've got a new, a new class of citizen called Agentic. Well, I mean, so first I would highlight that for me it's awesome because it's job security. I mean, in all honesty, it's.
Tell me you're a consultant without telling me you're a consultant. It's insanity right now because it feels like we went back maybe 20 years ago when I mean, and that tells you that I'm really old. But I mean, back in the day, you would see everybody going crazy because the Internet was there. Everybody wanted to have a website. And then creating a website was like the thing that you wanted
to have, right? And people would be paid, I mean, just crazy amount of money to create a really basic website. But now you could say as a company that you have your website and no one cared about security, no one cared about how that was being built. Everybody wanted to just have their website and then just move on. So it seems to me that AI is so similar to that. Everybody wants AI. Everybody wants agentic to be working. Everybody wants to claim that they're using AI.
No one is paying attention to security, no one is paying attention to these identities that are being created and these are going to stay for a very long time out there. So going back to the report, one of the things that my team is, has been able to do, I mean, throughout the years, but just lately more and more is compromising service accounts with, with high privileges, right?
And the reality that many organizations don't have a strategy to take high privilege service accounts, embed them into a process or a factory model, where before even just creating that identity, you have a way to embed it into your PAM or embed it into your identity and access management infrastructure and then secure that identity before it becomes something that is live. What happens is the opposite,
right? The identity, I mean for whatever reason, it starts as a strong high privilege identity that goes live and then everybody forgets about it and then they remember when we compromise them. So the way that we usually compromise them and in identities is there's two different ways identity through Kerberoasting which is something that is really old but still out
there. And the second one would be just, I mean misconfigurations on, on the specific certificates that you're assigning to different identities and how certificate based type of authentication is being used in a Microsoft tomorrow, right. So those are the two main ways I guess or techniques that we're using. So one of the things that struck me as I kind of read it was this idea of prompt injection is a very real threat. I don't want to get into specific statistics.
I want to say it was like 70 or 75% of the things that were tested fell prey to some sort of prompt injection, which, OK, so now we've got to worry about that. And those are just the things that, you know, as me, as a security person, these are the ones that I know about. Imagine all the shadow AI that's taking place as an organization, and that's how to protect those. I mean that is another topic by
its own right. Like, I mean, so many organizations have AI right now that I mean, they don't even know that they're using. But going back to the prompt injection component, it goes back to what I mentioned with Jim, right? Like you have this chat bot of some sort that is exposed to the application and then you know that that chat bot is going to have access to more things than you do as a user. And the thing with AI is that they usually don't have really long term memory.
Like they can have context for, I mean, a few prompts, but then little by little they start losing that memory, right? And that's the main risk, the main issue with the LLMs. So what my team usually does is they continue to inject new things into the prompts until the, the, the bot or the LLM starts getting lost in the prompts. And then they start asking questions with assumptions or
things that they can imagine. And from there, I mean, the, the prompt would just, the, the chat bot would just forget the context that they're in. And then they start giving information back that they shouldn't be giving. And this happens not only with the chat bots that we have tested, but just many, many AI applications that are out there right now. But yeah, that's a, that's a
challenge by itself. And again, I don't think companies even realize that the biggest challenge is not as simple to fix because once you create that chat bot and you didn't create the right identity and access management structure in your application and you didn't segment data correctly and everybody's using that application for whatever reason, this is a vulnerability that can live there for years without you
knowing. And people can be extracting information and it would be close to impossible to monitor that someone is doing this through the application. So to me, really exciting times, as I mentioned, like there's a lot of really interesting things that are happening that are going to be there for a very long time for my team to continue to test. But in reality, a really difficult challenge to match if I'm on the other side, right?
Like if I'm someone that is a CISO or cybersecurity professional in a company and I have my CEO and the rest of the board just asking me to implement AI no matter what. I mean, I can't see why some companies just go directly into AI and then they just don't have a real security assessment before even doing these things, right?
I think some companies are getting better and clever, but most of the companies that I have seen or we have seen implementing AI, they have not been able to implement correctly. And I mean with really simple tests you would be able to compromise data that is extremely sensitive for those companies. So Dave, we've recorded over 400 episodes and our focus has always been on the practitioner. And one of the things that we've always tried to do is make our episodes be actionable for the
practitioner. And you kind of talked about some of the framework and some of the philosophies. So whether working like a DIY from a DIY perspective or working with a partner, what are some of the things that the practitioner can do to kind of self assess or to assess where they stand, where their weaknesses are? Because we talked a lot about those weaknesses today, and I think if you know where they are, you can do something about it. Yeah.
I, I mean, I, I, I'm going to sound like I'm promoting myself, but I'm not. I I think we have documented really well some of the actionable recommendations in the report that you and Jeff mentioned.
Like we do have really specific things that we recommend people to follow for the most part is really having a, as much as possible good hygiene with your identities, being able to monitor when things don't look precisely as a natural way of operating, whether it's human or non human, you can identify it if you know your environment. I think over communicating also helps across the enterprise so
people can understand the risk. And one thing that I think as a practitioner, I mentioned that I'm expecting from people to do that we don't do enough as cybersecurity professionals or identity and access management professionals is really understand what are the main business drivers and I mean main business risks, right? Like a lot of people that live in technology, they live in technology without understanding what is important to their own company.
If you understand what is important to your own company and then from there you drive the rest of the investments, I think everything clears out, right? If not, you're going to be in this weird, I mean rabbit hole and cycle where you're investing things and you don't feel that you're really making a good progress or moving the needle. So those would be really, I guess, high level things that I
would think are actionable. And then the the last piece more technical to your, to your, I guess to your listeners would be make sure that you're matching identity and access management with something else. These are the things that I think sometimes are missed. Many companies as I mentioned have MFA, have PAM, have I mean good identity and access management hygiene, but they miss to manage configuration well or they miss to do logging and monitoring well.
So if you do identity and access management and you add one thing more, whether it's configuration management, whether it's logging and monitoring like something else that you're really good at, usually those two things complement themselves really well and you end up being a really good environment that you can manage, right. So I don't know how actionable that that is, but I mean, at the very least I can tell you that that is what I would, I would recommend to people.
And then again, if you want to go into the technical details, I'll, I'll refer you to the report. But I mean, I think that is what I would recommend to some of the people that you have that are listening to this. There's a lot to cover here and I think, you know, one of the things that was out there was run MFA and I don't want to spend too much time on it because I think the the gist of that finding was that's great you've got MFA, but do you have
MFA everywhere? There were some findings that maybe there were still some holes in the deployment of MFA where there weren't, you know, it really wasn't everywhere. There were certain. Well, so I'll explain like, I mean, the report itself says that you can have MFA, but then MFA can be implemented in really secure ways on just or just in a
more generic way, right? And what my team is able to do in other teams as well, not on my team is basically able to trick the users to go through the MFA process, but then steal their token or their session when they go through the MFA process. Once they go through the MFA process, and I mean, the attacker has your session and you still have your session. You can have two logins going in, but then you have a starting point as an attacker, as a non
privileged user. And the beauty of this is that once you cross that line from a no user to a non privileged user as an attacker, the whole world opens up because now you have access to data, you have access to assets, you have access to, I mean multiple identities that are already lingering over there that you can see if you can basically compromise or not. When you are not a user in a company, you have no access to anything, right? So everything that you're
gathering is external. Once you get that first user is just like day and night for the people that work in my group. And once you get that user, even as a regular user, as I mean, one of the things that we point out is the the certificate based challenges that you might have in Active Directory as a regular user, you could compromise and escalate privileges all the way to domain admin if you didn't configure your Active Directory correctly with that certificate
based vulnerability. Well, not vulnerability, but misconfiguration that you can have in Microsoft, right? So that's one of the things that I mean in a matter of hours can get you from no user to regular user to full compromise. So those are the things that I think again, you can implement MFA, but if it's not implemented correctly, it's, it's a challenge. Now the report will tell you the best way to protect against this is implement FIDO2 and like a YubiKey
key or whatever. And everybody in your podcast is going to say what the hell? I mean, this is, I mean, many are going to say that's impossible to implement. It's it's close to, I mean, it's not a user friendly and, and you still have to manage the hardware.
And, and I agree with that. And what we recommend instead of implementing FIDO, even though there's some organizations that they shouldn't have an option, just have FIDO2 and YubiKeys, for most of the organizations that is not a reasonable type of implementation. So what is actionable? What is actionable is implement the MFA and then add configuration management on top of that, which is conditional
access. Impossible logins like for example, David and and another person in another country shouldn't be logging at the same time and this and at the same time just implement processes around those configuration controls so you can act on it immediately when someone gets compromised. That is the part that is missing, right? So MFA can't be implemented. But if you know it's implemented incorrectly, you need to add more steps and security in depth so you can actually manage your
risks overall, right? So that that's a little bit of I guess of the recommendation. Dave, you sound like a modern day identity security guy. So look, you're on identity at the center. Sometimes it feels a bit like an echo chamber, but what I'm going to say is identity security is a board level issue. I mean, we say that on the podcast a lot. I want to know does that resonate with you? I mean, I think so. I'm not an identity and access management expert.
I'm going to challenge anyone over that comment just in general, right? I think that board level issue to me is identity as a whole because I want to engage my clients, I want to engage my customers. I want to make sure that identity is enabling my business in some sort of way. Identity security, it's a board relevant issue, but it's not a board issue itself. I guess because it there's that's why you have a CIO and a CISO that would manage and would help you, right.
But at the board level, I see, I would say maybe other more relevant challenges being managed. Now again, depending on the industry, I would say yes, if you're talking about cybersecurity as being one of the major risks in any enterprise risk management framework, identity has to be part of the conversation for sure, if that is what you're referring to. So let me let me spin that question a different way, OK?
OK. Instead of presenting identity to the board, right identity security, let's flip it. Should the board be asking questions around how are we doing in identity security as part of their due diligence to make sure that security for the organization is good. Now, this assumes that the people who are on the board know what questions to ask, but I bet we've got a lot of board members who are listening to this podcast now. They probably know identity's important.
At least I hope they do. Otherwise, why are you listening to this? Right, but should the board start asking more identity security related questions to their CIOs and CISOs? OK, so that's a yes. I mean short answer is yes. And the reason why the, I mean the, the, it's a no brainer, first because of the importance and second because a lot of people at the board level can be intelligent about their questions related to identity.
Identity is something that I mean you can understand at a high level and still ask really tough questions to someone that is technical, right? So you don't have to be extremely technical to understand identity and challenge someone on the way that they have it, I mean, implemented identity or the way that they're securing your systems with the identities, I guess management processes that they have. So the answer is yes, like at that level for sure. And then you mentioned just are
they required? So if you're a public company, you probably need to be looking at this because there's a SEC rule that says that you're liable as well if you get compromised. So yes, some of the boards need to be thinking about this and they need to be asking that question for sure. OK, see we got to yes. So now we're back on the same page. I want to wrap up the conversation with, you know,
something actionable. You know, Jim and I like to make this a conversation that people can kind of take back and say, oh, let me go ask these questions or go find out these answers. So there was a lot to read in this report. And so coming out again, a link will be in our show notes and I'm sure you'll see it, you know, plastered all over LinkedIn with RSM and probably Jim and myself sharing in yourself, etcetera.
And I'm actually working on a follow up article for RSM that kind of the specific identity components of the attack vectors. I'm at, I want to say I'm at like 3500 words so far. I don't know if that'll be the final version or not after it gets edited and kind of, you know, reformatted or whatever, but there's a lot to cover.
So let's digest this in a way that someone, a CISO, reading this report saying, OK, what are the next three things that I need to be focused on for the next year? So let's say through the rest of 2026. According to David Lawrence and the RSM Attack Vectors report, these are the three things you should be spending time on. I mean PAM, PAM to me is just I, I mean, I see so many companies misusing and misimplementing PAM.
So that would be my first one. If you have to invest money in some sort of way and time and effort, I would say PAM is significant, right? And there's so many solutions out there now that can help you in many, many ways. So PAM would be the first one to me. The second one, I mean just removing as much as possible privileges from users. And I think when I say this, users are just like, Oh my God, this guy's insane.
What I'm, but in reality, one of the things that I think is, is extremely important is as a user and, and I, I say this and I don't want my, my RSM IT team ever listening to this comment. I don't need to be an administrator on my computer to do my day-to-day job, right? I don't need to have administrative privileges or high privileges in other places,
right? So that clean up of users while you're implementing PAM is, I mean just the best thing and and most of the financial services companies that I visit that have implemented this correctly are really, really hard to compromise. David, why is that so important? Because I think that's like the third really, try to take some most administrative privileges away.
Why is this so important to do? So from an attacker's perspective, because in general terms, if you're not implementing this type of let's take away from users their privileges and then let them use their privileges, high privileges when they are just needed. It's almost impossible to identify when, when a compromise just happened, right? If you think about everything that we just discussed, Jim, service accounts, non human identities, and then high privileged user accounts.
If those three things are used always in specific places at specific times and you know that there's a pattern because non human identities usually have a pattern, whether we like it or not. They're always enacted in some sort of way that you can identify patterns on it, unless you have a spaghetti of things, which can happen at the enterprise table, but that is one thing, right?
And then the second piece, users, like humans, usually need their privilege, their privileges when you're acting on a change, right? If you're not changing anything, you don't need those privileges. You just need, I mean, to act as a regular user when you're acting as a privileged user all the time. It's the best way for anybody to
hide under that noise. So at some point in time, if anybody uses that privileged account in a malicious way, whether it's an internal person or someone else, you'll find out, I mean days, months, years in advance and you'll never know why, right? So that is, that is the key piece of everything. That's just, there's no need. And if there's no need and you don't restrict it, then you're just going to allow someone to hide themselves in the noise.
And, and the last piece, I would say go back to the change management comment. I mean, the biggest issues that we have seen in large scale technologies nowadays is because people implementing changes without really understanding the type of privileges that they had. And the change that they did was so impactful that they couldn't come back to, I guess, a stable state, right.
So even if it's from an operations point of view, remove the cybersecurity component and then just go into CIO view, you cannot be doing changes without a real analysis of what the change is going to be with a privileged account. So that that would be my my immediate reaction to that.
Yeah, and that, you know, I, I've always thought of it as like, if you're not an administrator, if you don't have the ability to install software, you get that attachment that looks like a doc, but it's really an EXE and good to install it. Your computer's going to stop you, and probably that was some sort of malware or spyware or something. So taking away that admin privilege stops them from putting the worm on the network in the kind of the old context, or doing a keystroke log or
something like that. Yeah, like you guys are forgetting something very important here. What if? What if I need that access? Yeah, exactly. And well, and then and then as. Argue with that. Yeah, well and then as IT people you don't want to be dealing with the hey, can you give me this access and then someone that is not in a good mood just I mean delaying the access, right. But I agree with that. The what if is the challenge. And the last piece I would say because you asked for three
things, right. And the last thing is you need to redefine what privilege is in your organization. So you you made a really good point, Jim, which is if I need that, if I don't have admin privileges, then you cannot do X. I think one of the main failures in cybersecurity is that everybody thinks that privilege is just admin privilege. And in many cases, you have a lot of privileges in your organization that require the same type of scrutiny or more than an administrator.
And we, because cybersecurity doesn't understand the business well or the processes of the business, we decide that the only thing that we should protect is the administrators and not maybe other roles that might be way more concerning to the business than just your administrator in IT. So that's that's the last thing that I would say that they they should be focusing on, which are not easy, but those are the things that I would immediately focus on if I was on the other
side, I would say. Well, the definition of privilege is something that I, you know, bring it comes up quite a bit, I think in my day job is how do you define that? Because I think a lot of people just assume when they hear privileged access management, they think of things like, you know, domain admin, cloud admin, right, all the sort of built-in roles. But there are a host of admin type privileges that exist within every application out there, including your social media apps.
You know who can go on LinkedIn and post something that maybe your company doesn't want posted? Absolutely. Or Facebook or Twitter or you know, whatever, whatever it's called now X, you know, you know, Bluesky or Mastodon or whatever it is. Like I would argue that social media should be part of the definition of privileged access management, maybe not managed specifically, but at least from a policy standpoint, how are we
governing these accounts? I can see that, especially if you're a public company, right? Because if you're a public company and someone in social media, someone that owns social media publishes something, I mean, they can actually manage to hit your stock in a negative or positive way in some sort of way, right? So I think, I think you have to distinguish obviously between the type of company and the size of the company. But I I would agree with that comment for sure.
Yeah, everyone has to be protective of their public persona, and there's no quicker way to destroy that than to post something on, you know, a social channel that shouldn't be there. And that that that's
actually a fun story. So one of the things that we find most of the time, I mean, I would say probably 40% of the time in the, in the places that we visit and, and we know this type of offensive security analysis is we do find a lot of SharePoint sites or OneDrive with just usernames and
passwords, right? Which tells you that there's a need for some sort of a PAM and there's a user there that doesn't know what to do. And I mean they're not being enabled in some sort of way, but the by the IT department to manage their credentials correctly. I'm sure every CISO listening to this just kind of cringed. Oh, they're going to love me. Like it's just like these guys. It's just. All right, we're coming up on an hour here. David. I feel like there's so much to unpack.
Read the report, it's great. And then read my follow up, which will also be great. I'll just shill that as well. There'll be links in our show notes. There'll be links kind of everywhere for it. We like to end our shows on a lighter note. And one of the things that you do in your spare time that you shared with us is you play soccer and you know, other
family type sports. I don't know if we have time to touch on everything, but tell me a little bit about your soccer because I thought it was kind of interesting that did I hear you correctly or that you play you used to play like semi pro or at least approaching pro. Semi pro, I was approaching pro level and at some point I stopped because I didn't want to risk it on my knees to, I mean, basically make my money. But yeah, at some point and I was really competitive for a
very long time. And now I play, which is the, the, the joke of the house in the house is now I play over 40s on Tuesdays and then I play soccer on Saturdays with my kid's class parents, right? And I mean my son every time that goes and just goes and watch and watches me how I'm playing, he's, he's always telling me, man, it's just like you're playing in a slow motion. You're totally washed. You cannot do what you used to do before because he, he knew me
when I was better, I think. And now I'm not that good. So that's one of the things that, yeah, I I do on my free time, but I don't know how much time I can still do it. I guess we'll see. So what position does a washed player like yourself play these days? Offense, you know, you kind of roaming midfield like where you.
at. So I stopped playing in the Sunday league because that was involving the 20 year olds and I was, I mean, basically on the different side, basically on, on the left side defense. On the other teams. I still can't play midfield or forward and I'm, I'm doing pretty well. Like I can run, I can do all these other things, but when I play against the 20 year old guys, I'm the guy that is just kicking and I mean trying to survive for 20 minutes because
it's not to shave anymore. The other thing that happened to me, I mean, I'm you cannot tell, but I'm not a tall guy or really strong person either compared to the average American, I would say. And I used to play soccer in Latin America where you could be playing really hard and strong and, and you'll feel strong because most people are the same size as you are. Then I came into the US, started playing and it was just like it was day and night like I used to. Like I used to go in and clash
with people. Like I felt that I could do it and I felt in the best shape of my life. And then I would go clash with all these people and it was just like running into a wall. And I remember like the first two years that I was playing soccer here in Houston is still pretty competitive. My wife, my wife would tell me what the hell is going on with you? Because I would wake up the next day and it would have been like I had taken a beating from someone, right?
Like I couldn't walk. Like I had bruises all over the place. So basically that made me change my style of, of play and now I'm less, I don't talk trash that much anymore. And then I, I don't crash into players anymore. But yeah, for sure, soccer is something that I, I love to do and I'll play until I, I can, I guess. So I'll share a soccer story. I used to play in high school and so I played right fullback, which is defender for us. And I'm not a tall person
either. You know, I, I stand up very proud 5'6". Now imagine me in high school and like middle school where, you know, definitely I've been approaching that. And so, you know, I was, I would say I was pretty good for high school. Well, you know, never going to go to like school for anything like that, but I was good enough. And you know, here is this short little, you know, Jeff, right fullback playing for this team and we were pretty good and we played what was it I want to say?
And this is for my my folks in Illinois. I think we played a school in Schaumburg, IL and they showed up to the to our field and they were all men who showed up for this like 9th grade, you know, high school game. And they were all like 6'2" towering above. And I remember I went to that game and, and we won, we beat them because we were a good team. But my dad was watching and he described me as a gnat on the leg of this horse of a forward
that was coming down to my side. And I, I locked that kid down, you know, like he couldn't get past me. I was good. And he got so frustrated that he, like, you know, got a yellow card on me by like shoving me or whatever. But you know, power to all the short kings, David. I know. And that's the thing. Like, I mean, for for me soccer, that's the beauty of soccer, right? Like, I mean, you can be not as strong as the other players, but you can still win. And it's a team sport and it's,
I think, a really mental sport. People miss that a lot. And we used to have this saying in Mexico when when I used to play soccer and there was a bigger team, like our coach would tell us. I mean, it doesn't matter if they're big or not, you're not going to carry them. You're just going to score on them. It's like that is a true statement. Like you don't carry them. Like I don't have to fight you. I would just have to score on you. So anyhow, you know. All right, let me ask you one
last question. That's trash talk, something that either you've received or given out that someone listening to this, maybe me, maybe Jim, I'm going to ask you the same question here a little bit. But what's a good like trash talk that you were like? I'm pretty proud of that one. That was a good one, either given to you or you've dished
out to somebody else. So the, I mean, the one that I remember that's coming to my head right now is the one that my son applied to me just recently, to be honest, like I mean it. Hurts because it came from inside the house. Yeah, I mean we play ping pong, I mean almost every weekend.
And then he, he's usually getting, he's getting pretty good at it. And at some point when he's getting really good and he's winning point after point after point, he starts saying, Oh, I'm locked in, I'm locked in. I'm going to get you, I'm going to get you. And then at some point with the last time that he, I mean, he continued to build up on that, right? Like he said he was like, oh, I'm locked in.
I'm locked in. And I was like, I'm starting, I was starting to get pissed off from myself. Like what is going on? Like, why is this guy just start talking trash? And then he actually won. And, and when he finished the, the, the, the game, he just put his paddle on the table and he was like, I owned you. It was like, Oh my God. And like, that means so many
things for me, right? Because even going from a cybersecurity perspective is like, anyhow, that is probably the better one that that has been applied to me daily. And he always tells me that I'm washed. So those are the two things that I'm just like, but I just live with it now. I don't think I, I, I, I get that often. I just laugh. Then I send him upstairs to do his homework.
Yeah, yeah, go work, whatever. And then his mom would do the same to me. So she just all across the family that runs in. So what about you guys? Jim, you got good trash talk? You know, I I'm a little old school Jeff, which I'm sure you had no clue of that. But here's the trash talk. I think it works if you can, if it's actually true and it works in every sport, which is
scoreboard. You know, one thing I can't stand is like a team is down 5 touchdowns or five scores or whatever sport you're playing and they're in the end zone dancing because they got a sack or something. It's like, scoreboard, dude. That's all you have to say. Yeah, my favorite is when the wide receiver gets up, they've got a first down on a meaningless drive at the end of the game, and it's like, OK, dude. Like, yeah, scoreboard.
Get over it. You know, the first down signal, like, whoa, yeah, I caught an 11 yard pass and we're losing 40 to nothing. Unless that catch got you like a $100,000 bonus, go back to the huddle. Yeah, right. You know, my favorite trash talk that I always liked to do was, I played a lot of basketball and I was pretty good back in the day. You know, despite being short and all that stuff. I could shoot, dribble, drive, you know, I was kind of a point guard. And I would call my shots
against all my tall friends. Oh, nice. And they're all, you know, 6 feet plus. And, you know, in the words of your son, David, I owned them. It was my court. And I would call the shot that I would do in the game, very much like Larry Bird used to do. Nice. Now, those days have long passed me by. So. They don't ask you. What were they going to do? I was going to, I would score. Let me just put it that way.
Yeah. So that was my trash talking, was, you know, OK, here's what I'm going to do. And every once in a while, we would lower the rims in my backyard because I had a basketball hoop in my backyard. And we'd lower it down to like 9 feet and I could dunk on 9 feet and I would call the shot. And I remember one of my friends, you know, shout out to Chad out there, who I've known since 8th grade. I told him that I was going to bounce the ball off his head and dunk it. No. And I did.
Oh my God. I wish there was a video for that. Well, I'm glad there wasn't because there was probably a whole bunch of language that probably would not make it safe to air these days. But that was my thing, you know, that was my safe place, was the basketball court. And this was my house, and I was going to tell you how it was going to run. That's really cool. I didn't know that you played basketball. So that's. Very, very long time ago. Don't ask me to do it now.
But you should see Jeff's calves, like they're jumping calves. Yeah, I used to be in the backyard. Yeah. It was, you know, it was my thing. That was just bat and soccer. So OK, we're in at like an hour and 10 minutes and we just spent 10 minutes trash talking and talking about soccer and basketball. But go to the website, go to our show notes. You know, we'll have a link to
the attack vectors report. David, thank you so much for joining us and sharing your wisdom and, you know, putting out this report. You know, I think it's one of the things that we want to get more involved with. I think, you know, from the podcast perspective, is when we have these types of information to share, do it in a way that is as free from commercial as possible. So it is coming from our company, this was fun. Thanks so much. Really appreciate it.
So I'm gonna have a link in our show notes to your LinkedIn profile so people can reach out, whether it's, you know, something about the attack vectors report or maybe a really good trash talk that you'd like to share, and we'll go ahead and leave it there for this week. You can find us on the web, IDC, podcast.com. Like, subscribe, share with a friend, share with an enemy. Doesn't matter as long as people are listening, that's all that matters to us.
And yeah, thanks everyone for watching and/or listening and we'll catch up with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
