Distilled Security Podcast

By: Justin Leapline, Joe Wynn and Rick Yocum
About this listen

Join us on Distilled Security as we delve into the fascinating world of cybersecurity. Each episode, we break down intriguing topics, analyze the latest news, and engage in in-depth conversations with our hosts and invited guests. Whether you're a seasoned professional or just curious about cybersecurity, our podcast offers valuable insights and thought-provoking discussions to keep you informed and entertained. Tune in and stay ahead of the curve in the ever-evolving landscape of cybersecurity.

© 2025 Distilled Security Podcast

Economics

Episodes
  • Episode 14: AI Risks, Threat Modeling, and The Future of Vibe Coding
    Jul 8 2025

    Episode 14 of the Distilled Security Podcast is here!

    This week, the team welcomes guest John Zeolla, a cybersecurity expert and AI enthusiast, for a deep dive into the risks, realities, and potential of artificial intelligence.


    Topics include:

    • Shadow AI in the Enterprise: Why business leaders are adopting AI faster than CISOs can assess the risks—and how features are outpacing controls.

    • Third-Party AI Risk: Understanding vendor integrations with ChatGPT and others, and how contracts alone can’t guarantee security.

    • Data Sprawl and Provenance: How uncontrolled data flows and poor identity scoping create dangerous exposure in generative AI platforms.

    • Threat Modeling for AI: Why traditional frameworks like STRIDE still apply—and how techniques like “LLM as a judge” are reshaping modern risk analysis.

    • Hallucinations, Misuse, and Insider Access: From AI-summarized HR documents to leaked board data, the team explores how improper permissions are amplified by intelligent agents.

    • AI in Real Business Use: From customer support chatbots to code review tools, where AI adds value—and where it creates new points of failure.

    • Governance and Culture: The role of CISOs, legal, and finance leaders in aligning AI ambition with responsible oversight.

    • Bourbon Review – Elijah Craig Private Barrel Pick: A smooth 94-proof selection sponsored by Liberty Liquors (MD), bringing sweet caramel and balance to this week’s pour.

    • BSides Pittsburgh Preview: With nearly 1,000 tickets sold, the team teases event highlights, panel interviews, and John's upcoming talk on "vibe coding."


    Timestamps

    00:00 – Welcome & Introductions
    02:20 – What’s “Shadow AI”?
    06:45 – Third-Party Risk & AI Integrations
    11:10 – Contracts ≠ Security
    14:00 – Data Sprawl & Identity Challenges
    19:05 – Threat Modeling for AI
    23:40 – “LLM as a Judge” in Risk Analysis
    28:15 – Hallucinations & Misuse Scenarios
    33:00 – Insider Access Amplified by AI
    36:30 – Real-World Use Cases (Chatbots, Code Review, etc.)
    41:55 – Governance, Culture & CISO Alignment
    48:20 – Bourbon Review: Elijah Craig Private Barrel
    52:30 – BSides PGH Preview & John’s “Vibe Coding” Talk
    57:00 – Final Thoughts & Wrap-Up


    Hosts

    • Justin Leapline – LinkedIn
    • Joe Wynn – LinkedIn
    • Rick Yocum – LinkedIn

    Guest

    • John Zeolla – Zenable.io

    Connect with Us

    • Website: distilledsecuritypodcast.com
    • Twitter: @DisSecPod
    • Email: hello@distilledsecuritypodcast.com


    1 hr and 23 mins
  • Episode 13: Insider Threats, the CISO's Role, and Reporting Lines
    Jun 13 2025

    Episode 13 of the Distilled Security Podcast is here!

    Join us as we explore:

    • The Coinbase Breach: A breakdown of Coinbase’s recent insider-driven breach, including social engineering, bribery of offshore contractors, and how the company responded publicly and operationally.
    • Building Insider Threat Programs: The crew shares practical approaches to detecting insider misuse, behavioral monitoring, and the potential for "job descriptions as code."
    • CISO Liability and Insurance: Discussion on the evolving legal exposure for CISOs, personal liability, and whether directors and officers (D&O) insurance is a must-have.
    • Board-Level Cyber Risk: Should cybersecurity roll up to the audit committee or its own risk committee? The team explores where security leadership best fits in organizational governance.
    • Communication and Legal Risk: How careless comments—public or internal—can be used against organizations, and why CISOs and leaders must strike a balance between transparency and caution.
    • Modern Risk Management: Turning technical issues into business risk conversations, why documentation matters, and how strong risk communication can help CISOs avoid being scapegoated.
    • BSides Pittsburgh Update: With over 600 tickets already sold, the team gives updates on ticket tiers, t-shirts, speaker schedules, and why you should register by June 13.
    • Bourbon Review – Widow Jane Lucky 13: To celebrate episode 13, the crew samples Widow Jane Lucky 13—a smooth, toffee-forward bourbon aged 13 years.
    • Reporting Lines: Where and how security should be structured within the organization, from effectiveness to liability and more.

    Hosts

    • Justin Leapline - LinkedIn
    • Joe Wynn - LinkedIn
    • Rick Yocum - LinkedIn

    Connect with Us

    • Website: Distilled Security Podcast
    • Twitter: @DisSecPod
    • Email: hello@distilledsecuritypodcast.com
    1 hr and 23 mins
  • Episode 12: One Year of Distilled Security, Auditor Quality, and Starting Your Own Company
    May 2 2025

    Join us as we reflect on:

    • One Year of Podcasting: The crew celebrates a full year of episodes, favorite topics, behind-the-scenes production, and where the show is headed next—including a new studio setup and future sponsors.
    • Audit Quality and Risk: A deep dive into the evolution of cybersecurity audits, the growing influence of low-cost providers, and what actually makes an audit valuable and trustworthy.
    • Third-Party Risk Management: How companies can assess vendor SOC 2 reports, triage risk among their vendors, and build defensible compliance practices.
    • Operational vs. Commercial Risk: The importance of translating audit findings into business impact and strengthening vendor partnerships for long-term resilience.
    • Bourbon Review – Jefferson’s Tropics: A tasting of a tropical-aged bourbon matured in Singapore’s climate, featuring notes of toffee and spice.
    • BSides Pittsburgh Update: Details on ticket sales, sponsor opportunities, and how to get involved with the local security community’s flagship event.
    • Entrepreneurship & Starting a Business: A thoughtful discussion on what it really takes to start your own business—when to consider it, how to prepare, and why it’s often more work (and growth) than expected.


    Hosts

    • Justin Leapline - LinkedIn
    • Joe Wynn - LinkedIn
    • Rick Yocum - LinkedIn

    Connect with Us

    • Website: Distilled Security Podcast
    • Twitter: @DisSecPod
    • Email: hello@distilledsecuritypodcast.com

    1 hr and 38 mins
