The Cyber Business Podcast

By: Matthew Connor

About this listen

Welcome to The Cyber Business Podcast, where we feature top founders and entrepreneurs and share their inspiring stories.
The Cyber Business Podcast (c) 2022
Economics Leadership Management & Leadership
Episodes
  • Security Is Everyone's Job and Why That Matters More Than Ever with Bryan Tomczyk
    Dec 23 2025
    Guest Introduction


    Bryan Tomczyk serves as a Cybersecurity Engineer at GP Strategies Corporation, where he works closely with senior IT and infrastructure teams to secure systems across a large, global organization. GP Strategies operates primarily as a training and professional services company, supporting clients across multiple countries and industries. Bryan's role places him at the intersection of security engineering, vendor risk management, and user education, with a strong emphasis on enabling the business rather than obstructing it. His background reflects a long-term evolution into cybersecurity, shaped by decades of security-focused thinking before formally entering a cyber role.

    Here's a Glimpse of What You'll Learn
    • Why cybersecurity must be embedded into every role, not isolated to IT teams

    • How security advocacy grows organically through education and experience

    • The real risks of AI adoption without proper guardrails

    • Why large language models are not a complete solution for security

    • How supply chain risk has become one of the biggest threats to organizations

    • What secure by design actually looks like in modern environments

    • Practical considerations for evaluating AI tools and SaaS vendors

    In This Episode

    Bryan Tomczyk explains why the idea that security is everyone's job only works when organizations invest in education and context. He describes how working directly with users, especially after incidents, creates awareness that policies alone cannot achieve. Security, in his view, must enable productivity while quietly reducing risk in the background.

    The conversation dives deep into AI and cybersecurity, with Bryan outlining why machine learning excels at correlating massive volumes of data but struggles when used without constraints. He cautions against treating large language models as universal solutions, noting their susceptibility to hallucination, prompt injection, and misuse. Instead, he advocates for narrowly scoped, self-learning systems that are heavily restricted in access.

    Bryan also addresses the growing complexity of modern environments, from email security and MFA fatigue to operational technology and supply chain risk. He highlights why vendor reviews, SOC 2 reports, and infrastructure transparency are no longer optional. Throughout the discussion, he reinforces a consistent theme that security must evolve thoughtfully, balancing innovation with responsibility to protect users, data, and operations.

    47 mins
  • Inside a Real World Ransomware Incident and Recovery with Zach Lewis
    Dec 15 2025
    Guest Introduction

    Zach Lewis serves as both CIO and CISO at the University of Health Sciences and Pharmacy in St. Louis, bringing nearly a decade of experience across engineering, systems administration, help desk leadership, and executive IT leadership. He oversees technology operations and cybersecurity for one of the oldest pharmacy institutions in the United States, balancing academic continuity, research integrity, and institutional resilience. Zach is also the author of the upcoming book Locked Up: Cybersecurity Threat Mitigation, Lessons from a Real World LockBit Ransomware Response, which documents a firsthand ransomware incident and the leadership decisions required to navigate it. His perspective blends technical depth with lived experience under real pressure.

    Here's a Glimpse of What You'll Learn:
    • What actually happens inside an organization during a LockBit ransomware attack

    • Why incident response planning looks very different in practice than on paper

    • How leadership stress, decision making, and communication shape outcomes

    • Why recovery and resilience matter more than the illusion of prevention

    • How tabletop exercises help but still fail to predict real-world chaos

    • What CISOs should expect emotionally, operationally, and politically during an incident

    • Why transparency and shared learning are still rare but critically needed

    • How post-incident investments and tooling decisions should be evaluated

    In This Episode

    Zach Lewis walks through the ransomware incident that ultimately inspired his book. The attack began with system outages that initially looked like aging infrastructure failures during a period of delayed hardware refreshes caused by supply chain issues. After briefly restoring systems, the environment collapsed again, revealing a ransomware note at the hypervisor level. By that point, core files had been encrypted, leaving little opportunity for traditional endpoint or EDR controls to intervene.

    Zach explains the rapid shift from disaster recovery to full incident response. External forensics teams, negotiators, cyber insurance, legal counsel, and federal authorities were brought in while the university worked to remain operational. Thanks to a SaaS-first strategy adopted prior to the incident, students and faculty were largely unaffected, even as backend systems were rebuilt. Full recovery and remediation took nearly two months, with teams working long hours under extreme pressure.

    A central theme of the conversation is the human side of ransomware. Zach describes the stress placed on leadership, the emotional toll on staff, and the importance of remaining calm when others are overwhelmed. He emphasizes that CISOs are not hired to prevent every incident, but to respond, recover, and lead through uncertainty. Clear communication with executives, boards, and end users became just as important as technical recovery.

    Zach also discusses why he chose to write Locked Up. Ransomware incidents are often hidden due to legal and reputational concerns, leaving practitioners without real guidance. By openly documenting what happened, including mistakes and lessons learned, Zach aims to provide a practical framework for others who will inevitably face similar events. He closes with advice on incident response planning, out-of-band communication, backup testing, password manager access, and the value of pre-established relationships with the FBI and CISA.

    49 mins
  • The Ethics of AI in Legal Practice: Lessons from Andrew DeBratto
    Dec 8 2025

    Guest Introduction

    Andrew DeBratto, Chief Information Security Officer at Hunton Andrews Kurth LLP, leads cybersecurity strategy for one of the world's top 100 law firms. With more than 25 years in IT and two decades in the legal sector, Andrew combines operational discipline with forward-thinking innovation. His leadership at Hunton Andrews Kurth emphasizes cybersecurity as both a client obligation and a business enabler. Guiding a global IT team of more than 90 professionals, he champions "operational excellence" as the foundation for secure innovation. His practical insights reveal how large legal organizations can maintain stability while exploring emerging technologies like AI, automation, and micro-segmentation.

    Here's a Glimpse of What You'll Learn:

    • Why operational excellence is the foundation of every successful IT department
    • How Hunton Andrews Kurth builds trust through proactive cybersecurity practices
    • The role of ethical AI use in the legal industry
    • Why attitude and aptitude outweigh certifications in IT hiring
    • How the firm applies micro-segmentation and zero trust principles effectively
    • Why lawyers must remain human-in-the-loop when using AI tools
    • How innovation and practicality coexist in modern law firms

    In This Episode:

    Andrew DeBratto shares an inside look at how Hunton Andrews Kurth balances cybersecurity, innovation, and productivity across its global operations. He explains that "keeping the lights on" through operational excellence creates the foundation for innovation. When systems run smoothly and attorneys can focus on their clients, IT earns the credibility to explore transformative projects like AI integration and advanced endpoint protection.

    Andrew dives into the realities of cybersecurity in the legal sector, where firms are prime targets for sophisticated threat actors. Hunton Andrews Kurth conducts regular penetration tests and tabletop exercises not for compliance, but for genuine improvement. "Find the flaws," Andrew insists, emphasizing that vulnerability detection drives resilience. His team uses a best-of-breed approach, prioritizing specialized tools that deliver depth of security over one-size-fits-all platforms.

    The discussion also explores AI's growing influence on legal practice. Andrew acknowledges its potential but insists that every AI implementation at the firm is bound by responsible-use training. Attorneys must complete ethical certification before using any generative AI platform. "You are still responsible for your work," he reminds listeners, underscoring that human judgment must remain central even as technology accelerates productivity.

    Later in the conversation, Andrew highlights the firm's AI strategy, which blends internal development on Microsoft Azure OpenAI with external best-of-breed tools. Rather than chasing every new platform, the firm uses a "buffet approach," allowing experimentation without overspending. AI, he notes, is still in its exploratory phase, and meaningful productivity gains will come only when the right tools align with specific workflows.

    On leadership, Andrew emphasizes hiring for attitude and aptitude. Technical skills can be taught, but curiosity, collaboration, and integrity are essential. His philosophy has built a team that is both technically capable and deeply aligned with the firm's mission of trust, innovation, and client service.

    44 mins