Overview
What if you could stop cyberattacks before they happen? In this episode of Cyber Sessions, host Joan Goodchild sits down with Erin Whitmore, former CIA case officer and current Head of the CYNTURION Group for CYPFER, to discuss how her team uses intelligence and AI to anticipate and prevent attacks before adversaries strike. Whitmore reveals how proactive cybersecurity is blending human intuition, artificial intelligence, and offensive tactics to predict threats while balancing the line between privacy and protection.
Transcript
Joan Goodchild
I'm Joan Goodchild, and welcome to another episode of Cyber Sessions. Today I'm thrilled to be joined by Erin Whitmore of Cynturion Group.
She is a former CIA Case Officer, currently leading a team of elite operators focused on proactive cyber protection, using intelligence and AI to stay ahead of adversaries before they strike.
Joan Goodchild
Welcome, Erin, thank you.
Erin Whitmore
Thanks for having me.
Joan Goodchild
So you've got a fascinating background, you know, tell me a little bit more about it. You were in the CIA for a while. Let me, you know, hand it over to you to tell me a little bit more about your journey before you got into cyber security.
Erin Whitmore
No, of course.
Thank you. So kind of an interesting, interesting start. So I am third generation service to my country. My grandfather served in World War Two, Korea, and was killed on an Air America flight in Vietnam.
He's on the first panel of the wall, honestly, or obviously, there's, you know, a lot of interest there, as Air America is a now declassified CIA mission, and that sort of that service was kind of instilled in me young, from a very young age.
My father, in that that's my grandfather, my mother's side. My father, right, was a career combat helicopter pilot. He flew Black Hawk helicopters for my entire life.
And I remember when I was nine years old, he served in he was going to serve in Bosnia on a peacekeeping mission.
And he handed me a book called Zlata's Diary, and it was about a little girl in the siege of Sarajevo, and he said, I need, I want you to read this book so that you can understand why I'm going to go help these people and I won't be there for you.
And that was a really pivotal and changing point in my life, because it set me on this trajectory of wanting to do something in national security at first, right? And when I went to college, I wanted to go to law school.
And I was so determined that I was going to, you know, it's going to go, it's going to do international humanitarian law, which is known as law of armed conflict. So I studied abroad in Geneva.
I did all those things, and then I graduated in the unfortunate year of 2009 when we went into a massive global recession and there were no entry level jobs. So I said, okay, so everybody was flocking to law schools and doing this and that.
And I said, well, I need to go get some experience. So I raised my hand. I went to AmeriCorps, where I worked in Baltimore City high schools working to help basically underserved and underprivileged communities.
So it was through that time that I ended up meeting a lot of people that served in the intelligence community. And I thought to myself, Oh, this is something that I think I'd like to do. So I jumped in.
I ended up, the minute I learned what a case officer was, I was like, that's what I want to do. Unfortunately, a lot of people at that time did, and the hiring was still going on, but it was very competitive.
So I tried my my I took my first shot right out of school. Didn't make it the first time. But I thought, You know what? I'm going to go get in the intelligence community. I'm going to apply again. So that's what I did.
I started, I supported the Defense Intelligence Agency, at first, doing traditional counter intelligence, traditional CI work and analysis, and then I ended up supporting NGA, the National Geospatial Intelligence Agency for some time doing the same thing, and then my career took a complete different path.
I happened to be at the right place, right time, and I applied for a position at the Director of National Intelligence's National Cyber Center, the Intelligence Community Security Coordination Center, the IC SCC, and that's a tier zero policy center that looks at protecting all national intelligence priority framework networks.
With that I happen to be I had no cyber experience, so it's a bit serendipitous, right? And but I had the right clearance, and I could write and I could articulate things. So I was hired because it was very hard to find talent at that time.
And so I stepped in, and I remember just being completely overwhelmed. I was the only woman on the team, and I did not know a lot about cyber, but I didn't, I didn't let that deter me. I focused. I learned on the job.
I listened to my colleagues, and it was over that time, and I was there for several for a few years, I got the opportunity to support the National Security Council, large group for cyber from about 2014 to 2016 and it was at that time that, you know, it just sort of blew the barn doors off of my career.
Now, I had actual credentialed experience. I had a depth of knowledge in this emerging, you know, security, space, cyber security, which at that time, I mean, it'd been around forever, of course, but it was really coming to the forefront. So at that point, I reapplied to the agency.
I was accepted, and I went and became a CIA case officer. And what made me unique there is that most case officers focus more on traditional hard security, like the physical security side of things.
You know, though, the stuff you read about in spy novels, all of that stuff you read about the Cold War. But in this case, I had a very interesting expertise of understanding computer network defense and how cyber actors, you know, advanced persistent threats, operate.
So that allowed me to apply that expertise and really carve out a niche in understanding adversarial cyber actors, particularly from adversarial nation states.
Joan Goodchild
Okay, well, so, you know, we were talking before this too. And you know, I mentioned, like, you know, as this field has evolved, we see a lot of people now with intelligence backgrounds, you know, increasingly getting involved in cyber security roles.
So kind of bridge that over for me, and, you know, kind of like those early years and working in intelligence, some of that experience you just referenced, and how it was the obvious, you know, path into cyber security, and the kinds of things that we see now in the threat landscape.
Erin Whitmore
Well, I think for me, like I really, it allowed me to put a lens on, on, I think the cyber landscape that a lot of people haven't, you know, looked at traditionally, we're looking at what's in binary.
We're looking about like what's behind this discrete, what's affecting our networks.
But we're not always and of course, with social engineering, we're thinking about the people aspect, but we haven't looked at it from the way that like a that somebody with operational experience that's trying to prevent the the prevent the missteps, or prevent the thing that you didn't intend or you didn't plan for from happening.
Right? Intelligence operations are really about being methodical, tried and true and and being very, very direct and intentional, and how you plan out things. And also, we joke all the time, right? Murphy's Law.
Murphy will get you if you're the unintended things that can happen no matter you know, best best laid plans, best intentions. Sometimes it doesn't always happen.
So for me, having that, you know, early on in my career, I did physical surveillance, so understanding like where somebody might go, being predictive about that, thinking about the logical next steps.
Those were all things that I think really kind of tied in together that helped me really understand how cyber security, you know, would work, and looking beyond the keyboard.
And to that point, I think the most important thing that the agency taught me that really led me into cyber security right was how to anticipate the next threat when you're doing, when you're when you're doing the kind of work I used to do, you always backwards plan.
You're always looking at what you know you're stopping from the end goal, and you're backwards planning to where you're starting from. And what that allows you to see is, is what, what you may not anticipate.
If you forward plan, you may not see the things that the risk or the the new factors that you didn't account for, or the things that could go wrong.
So whenever I'm looking at cyber security, or we're talking about proactive security, I'm always reaching and saying, Okay, what is the landscape going to look like in five years, and I'm thinking backwards. I'm saying, Okay, I'm not a mind reader.
I don't have a crystal ball, but in five years, I'm looking at the technological, you know, rollouts. I'm looking at the next threat landscape.
How might adversarial either in geopolitics and economics, in the cyber security realm, like, how might nation states or cyber criminals adjust their behavior for the next, you know, five years of environment in cyber, in cyber security, you can almost truncate that down to three years because it's removed so fast.
But I'm always looking at that. I'm like, what is it in five years and three years and in one year? And then I'm, I'm planning that backwards, and I'm looking for the next pitfall.
So I'm always, you know, the joke is in a lot of places, in my previous role, and now at CYPFER, I'm sometimes called Debbie Doomsday, because I roll out these potential scenarios that seem natural to me, because I'm looking at predictive next thought, right?
How they might things roll out and occur that will change the risk landscape, and how might the attacker, right, or the adversary exploit those?
Joan Goodchild
All right, great.
Now let's, let's dig into that a little bit more, because that's all really interesting. So you're running a division now, and it's called CYPFER, correct, within Cynturion Group, yes.
And it's, you know, about proactive cyber security, kind of, it was described to me as sort of the Minority Report, you know, that movie with Tom Cruise, Minority Report for cyber security. So what's that all about? You know, give us give us some more details.
Erin Whitmore
Yeah, so Cynturion Group is really unique. So our CEO of CYPFER has had this very and our executive chairman had this very insightful need to create a group that addressed both the physical and cyber security needs right of different clients.
And so it just so happened to intersect that I was looking for my next opportunity. And that intention, with my intentions to progress my career right, intersected, and we ended up, I ended up being brought on to CYPFER's team to launch Cynturion Group.
And Cynturion is unique in the risk industry because it fuses intelligence grade tradecraft right with enterprise level security operations. It was built. It is built by former CIA, NSA, FBI and JSOC operators.
Right, Cynturion brings the same precision and discipline and adversarial insight that is used in the national security sector into the private sector. And what we do is we operate at that intersection of mapping how digital vulnerabilities, human behavior and physical exposure converge in real and real world threats, right, and Cynturion delivers a really niche 360 degree security assessments, unlike anything else that helps businesses protect tangible assets like critical infrastructure, as well as people who might need comprehensive additional cyber and physical security thinking, like family offices, high net worth individuals, individuals with a very high risk profile and very visible public face who might just need a little bit more nuanced right?
And I think what sets Cynturion apart is that it's proactive and holistic, right, in its approach, rather than just reacting to incidences, right?
We try to identify the weak links in it, the weak links in various different facilities and people's lives and disrupt those patterns that really lead to being able to be exploited in some way, shape or form. Whether that's a physical pattern or a cyber pattern, right?
If you create a repeatable pattern, it's easily exploited. So what we're trying to do is ground every assessment in adversarial methodology and human intelligence and contextual analysis so that we can really produce executive ready intelligence that drives, you know, really confident, measurable outcomes and decisions and hopefully, right?
Not hopefully, but the result is that organizations and leaders don't just have to. They don't just respond to risk, right? But they stay ahead of it.
Joan Goodchild
So what does true proactive cyber security look like in practice?
Erin Whitmore
Yeah, so I think when we talk about a truly proactive cyber defense model, I think it's shifting from detection to anticipation, right?
And I think we're really seeing that in the revolution of AI, which I'm where I'm sure we're going to get into and I'm ready for it, right? And what we're seeing is we're no longer waiting for an alert, right?
It's understanding how an attack is most likely to happen and then hardening those points before the adversary gets there. It's about identifying the proverbial lowest hanging fruit, right? We talk about that hackers.
I think a lot of people that don't live in the cyber security space, they really focus a lot on like, Oh, I'm not a target because I'm not a big fish, or what do I have to offer them? Or I don't do any work with the government.
So why would a nation state go after me? Well, that's not always the case, right? Number one, you never know where you're in the food chain for something of interest to an adversarial nation. So I think that that is a little bit of hubris.
You just never know why you might come across their radar. But also, too, we know that hackers go after the lowest hanging fruit. They are looking for individuals who are, you know, that are leaving, leaving various things of their infrastructure unprotected, right?
They're scanning the internet at all times, looking for unpatched vulnerabilities, looking for credentials they can exploit, you name it. And I think really, right now, in an organization security posture, the best programs are intelligence driven. They're aligned to real adversarial tradecraft, not just compliance frameworks, right?
We've really become really honed on compliance frameworks, because that's the standard, and we need it, but that's not predictive. And I think we're moving into a realm of technology where predictive is going to be very possible, as we look at AI, right?
And I think it comes from continuous visibility, being proactive does right? Knowing what's in your environment, knowing you know what your critic where your critical data lives, who's touching it, what you can protect. You know you really can't protect what you can't see.
So the next layer is, of course, if you're looking at a true proactive model, right? So you're looking at testing and validation, you should be looking at Red teams and tabletop exercises and crisis simulations, right? All of this is to make sure your plans work when it matters.
And finally, of course, right? The most mature companies treat cybersecurity as a business function, not a technical one. It's embedded in decision making and supply chain and even physical security, right? That's what real life resilience looks like.
It's a living intelligence driven defense model that evolves as fast as the threat landscape.
Joan Goodchild
Now, you mentioned physical security already, but let's go back into that a little bit.
And I've been covering this space for 20 years now, and at the beginning there was a lot of emphasis in our coverage on CSO, on physical security, because so you know, so much of the concerns of the CSO at the time were both physical and digital.
And now, you know, we've seen the evolution to the role of CISO is the more common one, as opposed to the CSO. But you know, there's, there's been a lot, especially lately. It's not like physical security ever went away.
But you know, we're really being reminded again, of the integrity of physical systems and how they are intertwined with digital systems.
So talk to me a little bit you know, again, about physical and digital threats, how they're converging, and you know, where organizations are on their awareness of that right now?
Erin Whitmore
Yeah, I think you're that's a really spot on assessment, right? We're seeing a complete convergence of physical and digital threats, right? The line between them doesn't it doesn't really exist anymore. A cyber attack can now unlock a door.
It can manipulate an HVAC system, or can track someone's location through a compromised camera or through spy. I mean, how many times have parents reported their baby monitors, right? Like that's a thing. So conversely, right? A physical breach, you know, say, plugging in a device.
These are the tried and true that we know, right? Employee finds a USB says, Huh, what's this? Plugs it into the computer, and now you have a data breach, right? But that still happens. It still does, right?
Or somebody stealing a badge, you know, something along those lines, and that can open the door to a much larger digital intrusion. And I think what's fueling this connectivity, right, is that almost everything in an enterprise environment now has an IP address, right?
We've got security cameras and building systems. But even more than that, you have smart TVs, and you have refrigerators, right, those really fancy fridges that have the cool panels on the front, all of them have an IP address.
Technically, they're all in part of the internet of things, right? So many of those devices sit outside the traditional IT oversight, right? And again, if hackers are looking for the lowest hanging fruit, they're looking for things like that, right? So the second layer is obviously human right?
We see threat actors often target executives or family members through personal devices, pattern, travel patterns, and this is a big one, right? Social media exposure to reach organizations.
If an executive's child has a very prolific social media account and they're posting pictures of like their parents, office or their home or anything else, the amount of information that you can glean from that or pattern of life analysis is incredibly high, so just being aware of that threat and then teaching folks to be aware of that is really important.
And then I also think most companies miss this because their teams are really siloed.
We're still doing a model, and I think companies are getting much better at this, but we're still doing a model where corporate security is on one side and cybersecurity is on the other and no one's really connecting the dots there.
And now, in this environment of Internet of Things, and this really AI advancement, we have to start doing that.
And I think the organizations that get it right are creating integrated threat intelligence programs that fuse the digital forensics and physical surveillance, and they give them, you know, full access to control logs and behavioral data and all of those things, and that's where the industry is heading, I think, towards a unified, intelligence driven model of those protections.
Interesting.
Joan Goodchild
Now, you mentioned, like, you know, the executives, you know, kid on social media and some of that, you know, there's, there's so many different entry points now, but you know, there's also the question too, about privacy and so forth.
You know, is it possible to anticipate cyber attacks truly, without crossing into any kind of ethical or privacy invasion lines at all, in order to be able to do that effectively?
Erin Whitmore
Yes, I do think anticipating cyber attacks without crossing ethical or privacy lines really comes down to how we collect and use data, right proactive defense doesn't mean surveillance. It means using the right intelligence in the right way.
I think we can stay left of boom right by focusing on open source and behavioral indicators, things like emerging phishing domains, exploit chatter on dark web forums, shifts in malware tools. You know, none of that requires intruding on private communications or employee data.
But I would also say AI is changing the game here, right? Because it can analyze millions of data points in real time, you know, from network telemetry to threat feeds. It can also identify subtle patterns that humans might miss.
It can even predict right of the way a known actor is preparing to pivot to a new sector based on historical behavior. But AI doesn't really, you know, it doesn't replace human judgment. It just kind of amplifies it, in my opinion, right?
Analysts still need to validate those findings, they have to apply context, and they have to ensure ethical standards are met. So I think the key here is governance. And I say this because this is two pronged.
I think that this is going to become very important in the future, right? I think clear rules on what data is collected and how it's anonymized and who can access it. That compartmentalization is really critical and key.
But I also think when you pair those controls with AI driven Analytics, you can anticipate threats responsibly and sort of maintain that trust in security sustainability.
I think this also helps mitigate the other rising security threat that I really see coming in the forefront, which is data poisoning and distortion to manipulate AI outputs.
So if you're doing all these things correctly, you're compartmentalizing, you're keeping your data integrity really sharp, and you're making sure it can't be tampered with. All of that, you're really doing everything you can to protect that data integrity and mitigating that emerging risk as well.
Joan Goodchild
Let's, let's talk about, you know, you said AI really can't replace, you know, the human aspect of things in a lot of instances. So let's talk about how AI and human intuition, you know, kind of work together when it comes to proactive cyber security.
And you know, kind of your perspective on that.
Erin Whitmore
Yeah, I think human intuition and AI complement each other in ways that proactive cyber that really make proactive cyber defense possible, right?
If AI gives a scale meaning, it can really scale to a high level, like much faster than the human brain or your average human can work right, and it can process millions of signals and detect anomalies and surface patterns faster than any team could manually, but what it can't do is interpret intent or context, right? We've all seen that. I mean, I think one of the biggest jokes about AI is how it's always so complimentary, right?
Those sort of things like, you always have to train the model to not be so comfortable, right? Yeah, nuanced, both in features that make it make it neat, still need a lot of human governance, and I think that that's where human intuition steps in.
I think an experienced analyst can sense when something doesn't fit right. Maybe the timing feels off, or an adversary's behavior doesn't match their usual technique or techniques or tactics, right? And that human judgment kind of transforms raw data into intelligence.
And I think the best programs kind of they combine both, right? I think AI does the heavy lifting. The faster sorting makes humans much more efficient.
It filters out the noise, and it allows humans to focus on what truly matters, and that's connecting the dots and asking why, and anticipating the next moves. So I think over time, the system becomes smarter, right?
Every human insight also retrains that AI model, and it creates a continuous learning loop, right? And that's the real future. I think, of proactive defense is that machine speed guided by human instinct.
Joan Goodchild
And how do you think you know, the understanding from some of that too, like about of you know, offensive tactics and so forth help to make defenders better at their jobs?
Erin Whitmore
I think offensive tactics is one of the most powerful ways to strengthen defense. I mean, that's how I started this this interview, right?
I said the agency taught me to lean forward and think about predictively what was coming next, what I might not have thought about if I forward planned. Well, you can build resilient systems if you don't understand how attackers actually think, right, or how they operate.
So when you when you study offensive tradecraft, how adversaries move laterally or escalate privileges or hide in normal traffic, right? You start designing defenses that disrupt those exact behaviors. Because it's not about glorifying the attacker, really. It's about thinking like one, right?
The Insight helps you prioritize what truly matters and closing those gaps that they'd exploit, rather than spreading the resources thin across everything, because you're trying to protect everything, right? It's also the culture teams become proactive, not reactive.
They move from asking, What if we were attacked to, how would I attack us? And how do I stop it first? And that that I mean, one of my favorite phrases is the best defense is a good offense, right? Sports analogy there.
The best defenders I've worked with, they think like adversaries. The mindset builds faster detection, smarter prevention, and ultimately stronger resilience.
Joan Goodchild
So looking ahead, what do you think will surprise us most about cyber threats in the next five years?
You know, if you're going to make any kind of predictions or, you know, and so forth, and based on the work that you do now, what should we be keeping our eyes out for?
Erin Whitmore
Yeah, so I think what will surprise us most about cyber threats in the next five years is how AI will transform insider risk. This is obviously insider risk.
Is my bread and butter from my background, but I think we're entering in an era where insider isn't just a person. It can be an AI tool, right?
It can be operating inside the perimeter a well meaning employee can use a generative system to summarize sensitive data and not realizing the information is being stored or learned from or even exfiltrated.
And at the same time, we will see adversaries use AI to impersonate insiders or subtly poison internal AI models.
What I think is that's going to shift the human role, or what we again, to reiterate, we'll work faster and more efficiently, but we'll also need to become experts in validating it. Right? We have to validate AI.
The next generation of cyber professionals will focus on data protection, data integrity and authenticating AI outputs instead of just blindly trusting them. And I think the real danger isn't just data theft here. It's data manipulation, something I mentioned earlier, right?
I think when AI systems generate polished but incorrect results and people will act on them without verification, you create a new attack vector in an enterprise, right? We have to that one of my other favorite phrases, right? Trust, but verify, right?
So, man, just, we can't just trust these AI outputs, because it's easy, and human beings are inherently lazy. They will trust if they can do it faster and they can trust it, they won't think twice.
We've already seen this in a couple incidents where lawyers have used AI to cite case briefings or case law, and it's been erroneous. It's cases that have been thrown out of court, you name it.
Well, when we integrate that into the security system side, we start to see people using AI for prediction.
But if that data, or that input is being poisoned in some way, and this is again, thinking forward, what happens if an adversary can can taint the data going into your AI model so they manipulate it just a little bit so that the model tells you the threat actor is going to go right, right?
And then you really, in reality, they've, they've made you think that, but they're going to go left.
It's like, it's almost like, again, to use the sports analogy, using a trick play, they're using a trick play to get in, and I think that that's going to be emerging, right? And organizations that get ahead of this, they're going to train teams to challenge AI, to question the sources and to protect the model integrity as closely as they protect networks. AI will absolutely make us smarter and faster, but we still have to stay human enough to verify what it tells us.
Joan Goodchild
So we like to, you know, leave people with some advice and things that they, you know, can use to do their own jobs better.
So what would you recommend is, you know, one step or one thing that they could do today to kind of switch from reactive to proactive security? Yeah.
Erin Whitmore
So if I had to pick one change that would move an organization from reactive to proactive, it would definitely be shifting from event driven responses to intelligence driven anticipation, right?
And I think too many companies still wait for an alert before they act, and a proactive model connects those dots before something breaks. That starts with unifying visibility, right?
Cyber, physical, human intelligence, all of that so that an organization sees things as one picture and not separate incidences, right? Again, we're looking for patterns. We're looking how to exploit those patterns. The second piece is operationalizing threat intelligence. Don't just collect Intel, right?
Use it to shape decisions, rules, guide tabletop exercises and inform board level risk discussions, right? I think organizations that excel rehearse, right? They test assumptions through Red Team drills and scenario planning. So when the attack comes, it feels like deja vu, not panic, right?
Practice, how you play, you don't go to the Super Bowl without ever having a practice. So why would you risk the security and future and the bottom line of your company without drilling down on your worst case scenario, your worst day?
And so I think ultimately, the biggest shift is going to be cultural. When people across the business understand that cyber security is part of continuity and trust and that it's not just an IT function, that's when you start moving from reacting to leading. Great.
Joan Goodchild
Erin Whitmore, thank you so much for joining us today. It was a great conversation.
Erin Whitmore
Thank you.
Thanks for the opportunity.
Joan Goodchild
Great, and thanks to you for watching. If you enjoyed our conversation and want to see more, we encourage you to like, follow, subscribe. For now, I'm Joan Goodchild with Foundry and CSO. See you next time.



