podcast: the resilience room
3 TopicsThe Black Belt of Cybersecurity: What a Former Military Pilot Turned SecOps Leader Knows About Surviving the Chaos
🎧 Listen now to The Resilience Room In 2012, a young Air Force officer named Michael Vetri walked out of his commanding officer's office having just been told his career was about to change forever. He'd trained as a pilot. Now he was being reclassified into a field almost nobody in the room understood. "I'm so sorry you were reclassified into cyber," his flight instructor told him. "If you need someone to talk to, let me know." That's not a joke. That's how misunderstood cybersecurity was fourteen years ago — obscure enough that getting assigned to it sounded like a consolation prize, or worse, a diagnosis. Fast forward to today, and that reluctant recruit is Senior Director of SecOps at a SaaS company serving the biopharma industry, a black belt Krav Maga instructor, and — going by the enthusiasm with which he brought up Assassin's Creed unprompted — a certified nerd in the best sense of the word. Mike sat down on The Resilience Room and covered a lot of ground: emotional intelligence as a revenue driver, the four things that keep security teams from burning out, why AI is currently winning the fight, and how disarming a training knife in a Krav Maga studio taught him more about incident response than most corporate leadership seminars ever did. If you work in this field, several of these are going to land uncomfortably close to home. Good. That's the point. Empathy isn't a soft skill. It's a spreadsheet line item. Mike leads with rank, but not with authority — a distinction the military drilled into him early. "In the civilian world, you can't just say, 'I'm a captain, you're an NCO, you'll do what I say.' No — it's a lot more influential leadership, invoking those empathetic muscles more." He points to a Harvard Business Review study of 189 companies that measured how deeply organizations embedded emotional intelligence principles — self-awareness, self-regulation, empathy, motivation — into their culture. The companies that did it well beat their revenue targets by roughly 20% year over year. The companies that didn't, missed by about the same margin. For an industry that still occasionally treats "soft skills" as a nice-to-have bolted onto technical competence, that's a hard number worth sitting with — especially if your last performance review mentioned "communication" in a slightly ominous tone. The four pillars that keep security teams from quitting Burnout in cybersecurity isn't news to anyone reading this. But Mike's framework for fighting it is refreshingly concrete. He tells every team he leads that people will stay if you give them four things — not in excess, just in moderation: Time. If someone's been grinding through late nights, notice. Let them come in later. Build in recovery. Money. Pay fairly for what they contribute — full stop. Recognition. Not just for wins. How you handle underperformance, professionally and without ambush, matters just as much. Development. Give people room to grow into who they're becoming, not just who they were hired to be. One detail worth stealing: when an underperformance conversation is looming, Mike doesn't open with the problem. He opens with "how are you doing? Everything okay outside of work?" — asked more than once if needed. People under pressure, especially newer employees still trying to prove themselves, often won't volunteer that something's wrong. They'll white-knuckle through it instead. A little space to be asked, rather than told, changes what people are willing to say. During one incident that dragged on for months, Mike built a shift schedule with staggered four-hour windows so his team could claw back rest without falling behind. He also borrowed a page from Air Force operational risk models: a short questionnaire — how much sleep did you get, how many consecutive night shifts, how long since you've touched this system — that produces a risk score. Score too high, and you talk to a duty officer before you're cleared to keep going. It's the kind of instrumented self-check most SOCs could use and almost none have. Be the eye of the hurricane Ask any incident responder what makes a bad night worse, and it's rarely the incident itself. It's the Slack DMs. The "hey, what's going on?" pings stacking up while you're still trying to pull logs. Mike's answer is to act as an umbrella for his team — absorbing pressure from above so the people doing the actual work can think. That starts with managing expectations upward immediately: this is fresh, I'm still learning it, I'll update you in an hour. One sentence, enormous operational space. It tells leadership "I've got this" while telling the incident team "go dark and go deep." Underneath that is a military framework Mike leans on constantly: the OODA loop — Observe, Orient, Decide, Act. In a live incident, the goal is to move through that loop faster than whatever you're up against. The moment you get stuck in "orient," unable to commit to a decision, you've lost the initiative. Everything else — the calm voice, the reassurance, the "breathe, I've got your cover" — exists to keep the team moving through the loop instead of freezing in it. And underneath that is the least glamorous ingredient of all: reps. "You wouldn't want a surgeon who hasn't performed one in three or four months operating on you," Mike says. Tabletop exercises, drilled relentlessly, are what makes calm possible when the real thing hits. AI is winning the speed war — for now This is where the conversation gets genuinely unsettling, in the way only a good SOC-lead story can. Mike cited threat intel research his own team pulled showing that traditional, manually written phishing emails land at about a 12% click rate. AI-generated phishing is landing at 54%. That's not an incremental shift — it's a different category of threat. His framing borrows from military history: "Just like the English were doing great with their longbowmen until they were met with cannons — we're doing great against traditional malware, traditional phishing, until we're met with AI-based malware, AI-based phishing." He pointed to Phantom Raven as a case study in the new normal — a highly polymorphic strain that reshuffles its own hash and callback domains the moment defenders try to contain it, sometimes riding in through a malformed open-source package nobody scrutinized closely enough. Mike's answer isn't to out-human the machines — it's to fight AI with AI, using it to accelerate investigation and triage so humans can make faster calls. But he draws a firm line at execution: "I still think it's a bad idea to let AI execute actions on your security stack." Not because it can't make good calls, but because when it's wrong, it's wrong at machine speed — locking down a developer's test script as if it were a live threat and taking a production deploy down with it. Assessment and evaluation, yes. Pulling the trigger, not yet — not until AI has earned the trust that comes from track record, the same way a junior analyst earns it. He's also thinking about a subtler insider-risk problem taking shape as advanced AI systems move into more sensitive testing and evaluation programs. His concern isn't the technology itself — it's what happens when knowledge of where that technology lives becomes valuable enough to bribe someone for. New capability, same old human vulnerability. Train at black belt level, or don't bother training at all Mike's been doing Krav Maga since a college roommate walked in mid-Assassin's Creed session and told him the game's weapon disarms were based on a real martial art taught nearby. He put the controller down, went and checked it out, and got hooked on his very first class — which happened to be weapon disarming. He made it to black belt in 2014, taught for years, and — genuinely one of the better anecdotes on the episode — met his wife through a self-defense class he was running as a side gig at New Mexico State. Her kicks, he reports, had "so much pepper behind them." The parallel he draws to cybersecurity is the episode's sharpest idea: you're only prepared to handle the level you've actually trained for. A yellow belt can handle a yellow belt. Theoretically, maybe an orange. Train your team only against script kiddies and spray-and-pray attackers, and script kiddies and spray-and-pray attackers are all you'll ever be ready for. The nation-state actor doesn't care what belt is hanging in your dojo. It shows up in the small stuff too — like treating every incident, however minor, as if you might have to defend your handling of it in court one day. Heavily documented, no matter how low-level it looks. "Don't give the opposing attorneys any reason to pierce your veil," as Mike puts it. Complacency doesn't announce itself. It just quietly lowers the belt you're actually prepared to fight at. The throughline of this whole conversation is one Mike states almost in passing but clearly means as a core operating principle: technical skill gets you in the room, but judgment, empathy, and relentless preparation are what keep your team — and your organization — standing when things go sideways. AI is changing the speed of the fight. It isn't changing who has to decide what to do about it. Catch the full conversation with Mike Vetri on The Resilience Room – available on most podcast platforms.21Views0likes0CommentsIt's Software, Not Magic: Navigating the Vulnerability Speed Wave and Shadow AI
🎧 Listen now to The Resilience Room What does a 31-year career at one company look like in cybersecurity? For Lee Stephens, it looks like research, marketing, sales, operations, and consultancy — and never a dull moment. In this episode of The Resilience Room, Lee sat down with host Sam Dickison to cut through the noise on ransomware, the collapsing patch window, Shadow AI, and the looming quantum reckoning. The Retail Ransomware Wake-Up Call Last year's wave of attacks on the UK retail sector made cybersecurity front-page news. For Lee, the most striking thing wasn't the sophistication of the attacks — it was the opposite. "What came home was actually the simplicity of the attacks. Those really fundamental, boring basics are absolutely critical — and involved in so many of the incidents we deal with." While the media spotlight has moved on to AI, the threat landscape hasn't changed nearly as much as the news cycle suggests. The fundamentals remain the same: strong unique passwords, kept systems, tested backups, and a plan for a bad day. As Lee puts it, you don't need to outrun the bear — just don't be the slowest runner. The Vulnerability Speed Wave: Your 90-Day Patch Window Is Gone Here's the stat that should reframe every conversation about patch management: 2021: Average time from CVE disclosure to active exploit — one year 2025: Shrunk to one month 2026: Now at one week and one day 2027 projection: Potentially an hour — or a minute This geometric progression is being driven by AI-assisted vulnerability research on both sides. The traditional 90-day patch window is functionally dead, and some vendors are already moving to fortnightly cycles. Speed is now a security control in its own right. AI in the SOC: Real Benefits, Realistic Limits SOC analyst burnout is real. The volume of alerts, the repetitive triage work — AI-assisted automation has genuine potential to help. But fully autonomous SOCs? Lee remains cautious. "At times AI feels like magic. It's not magic, it's software. And from thirty years ago when I did my computer science degree: garbage in, garbage out." His recommendation: don't chase the ten-times transformation. Chase the ten percent improvement and compound it. Organisations that have tried to automate everything often find they're spending more time maintaining automations than the work would have taken. Shadow AI: The New Shadow IT Problem Most people using unofficial AI tools aren't being malicious — they're trying to get their job done. But the risk is real, especially around feeding confidential data into models without proper data handling agreements. Some of Lee's clients require all data to remain in the UK at all times, which effectively rules out certain major tools that can't guarantee that under peak load. His cautionary scenario: a team uses AI to diagnose an infrastructure problem. The output gets translated for customers, then condensed for a senior exec. Each iteration drifts further from reality — and when the fix doesn't work, multiple conflicting versions of "the truth" are already in circulation. "AI has no conscience, it doesn't care. It's a prediction engine. It's software. Not magic — software." The solution is culture and training as much as technical controls, combined with IT teams designing better corporate solutions so people don't need to go off-piste in the first place. What's Next: Quantum's Y2K Moment Quantum computing has been "just five years away" for decades — but the trend lines are genuinely moving. More qubits, better coherence times, major advances every few months. The security implication is stark: the maths underpinning asymmetric encryption is trivially easy for a quantum computer to solve, which means every piece of encryption on the planet eventually needs replacing. NIST has published post-quantum cryptography standards, and vendors are beginning to implement them. But the migration is a massive undertaking. "It's akin to a Y2K moment where everybody needs to upgrade — for really no benefit at all, just to stay standard. The only disadvantage is we don't know when the moment is." The organisations best placed will be the ones who've already done their cryptographic inventory and know what they'd need to upgrade and in what order. Whether the topic is ransomware, patch windows, AI, or quantum — Lee's message is consistent: there's no silver bullet, no magic. Just fundamentals, applied consistently, with humans staying in the loop. After 31 years, it's the message that keeps working. The Resilience Room is hosted by Sam Dickison. New episodes explore the human and technical realities of cybersecurity with guests from across the industry.19Views0likes0CommentsPODCAST: The Resilience Room
https://www.immersivelabs.com/resources/the-resilience-room 👆 Listen on your favourite podcast app or online here Welcome to The Resilience Room, where cyber professionals sit back and chat about their lives, passions and experiences. We discuss cyber culture, thought leadership, technical topics and emerging trends. Hosted by Sam Dickison, Community Manager at Immersive. 💡 We'd love to hear your questions for guests, or guest suggestions! Please comment on this post with any ideas.110Views1like3Comments