dnsUNFILTERED: Tiernan O'Malley, Framework Security
Podcast > Episode 42 | December 08, 2025
In this episode of dnsUNFILTERED, Mikey Pruitt interviews Tiernan O'Malley, Director of Client Services at Framework Security. They discuss the concept of Zero Trust in cybersecurity, emphasizing its importance as a strategy and culture rather than just compliance. The conversation explores the role of AI in enhancing cybersecurity measures, the necessity of governance frameworks for AI, and the challenges of communicating cybersecurity risks to stakeholders. Tiernan shares insights on the significance of security awareness training and the need for a proactive security mindset within organizations. The episode concludes with a look at future trends in cybersecurity, particularly the integration of AI and risk management.
- Zero Trust is more about culture than compliance.
- Visibility in cybersecurity is crucial for effective risk management.
- AI will play a significant role in the future of cybersecurity.
- Security awareness training should be interactive and frequent.
- Leadership buy-in is essential for effective training programs.
- Risk assessments can directly impact financial decisions.
- Creating a security mindset is vital for organizational safety.
- Compliance should not feel like a checkbox exercise.
- Human intuition is irreplaceable in cybersecurity assessments.
- Continuous learning is necessary in the evolving cybersecurity landscape.
Mikey Pruitt (00:00)
Welcome everyone to another episode of dnsUNFILTERED. Today I'm joined by Tiernan O'Malley, Director of Client Services at Framework Security. Tiernan, how are you?
Tiernan O'Malley (00:10)
Doing well and thank you for having me, Mikey. It's great to be here and excited to chat with you.
Mikey Pruitt (00:15)
Yeah, so Tiernan and I were having fun with the studio app that we have here, changing our virtual backgrounds, trying to figure out if we looked better with our natural backgrounds, which we ended up with, or like a cool moody purple and black. But now I've got to paint my entire wall because we've got some cool backgrounds. But anyway, Tiernan, thanks for coming to hang out with me and chat a little bit. I really just had some questions about you and Framework Security, and I know you talk a lot about zero trust, so I wanted to get into that as well. But first let's start with just a little bit about your background. So you run client services at Framework. How did that career kind of get started?
Tiernan O'Malley (00:52)
Yeah, after college, I went into sales because I graduated with a business degree and ended up with not really any hard skills. I started in sales, did a bit of cybersecurity staffing, and then moved into getting closer and closer to the cybersecurity space and kind of moved on from there. I wanted to move into a role that was closer to the business side of things, but cybersecurity is such a vast and interesting area to be in. And so I don't, I don't plan on leaving anytime soon.
Mikey Pruitt (01:25)
Yes, I think sales is like the ultimate soft skills tester. It's like, are you good at communication and empathy and all those things? It's a good place to learn how to be human, I guess.
Tiernan O'Malley (01:40)
Yeah, it's, I mean, sales, whether it's aggressive or not, it's part of, I think, every operation. You kind of need it to grow a profitable business. You know, it turns into a much softer conversation as you grow. But I think that aspect will always be there. So good, good foundation.
Mikey Pruitt (01:58)
Yeah, that probably helps with dealing with clients. I specifically want to talk about how you describe zero trust. Like, let's get the cat out of the bag on zero trust. Like, what is it? What does it mean? Tell me about it.
Tiernan O'Malley (02:12)
Yep, absolutely. So think of it as a sort of strategy or a culture. It's not, and we'll talk about compliance here in a bit and how that can also be a strategy, but it's really training your workforce and educating your workforce to understand and pause and think prior to taking any action versus
Yes, no, it's something that you're wanting to train and develop as a strategy so that you can implement it in every area of your business. And yeah.
Mikey Pruitt (02:49)
Yeah, like a mindset. That makes sense. So how do you ensure, since you brought it up, that compliance and risk programs don't feel like check boxes that clients are going through? How do you make them feel like a strategic lever people can use?
Tiernan O'Malley (03:06)
Yeah. And compliance can be challenging because when you think of audits, I mean, when I used to think of audits, I think of someone coming to look at your books and they're going to find something and there's going to be a problem. You know, it's not, not a good thing. So now it's more so when you're going through these controls and going through a framework, it really gives you insight to kind of what is going on within your business.
Mikey Pruitt (03:19)
That's how I think of it.
Tiernan O'Malley (03:32)
So I think it is something that can truly excel and bolster your operations, how your processes, everything versus going through and checking the box and getting it done with. It's something that allows you to have visibility. And then as you're implementing these controls, you want them to be continuous. You want them to be monitored. So it's really something that can enable you to operate more efficiently, have less downtime, less oversights, better operations in general.
Mikey Pruitt (04:02)
It seems like when you go down this path of compliance and risk, like assessment, audit, the word that you use, it is kind of a scary word. It makes me think of taxes. So when you're going down this road, it kind of almost forces you into this zero trust mindset that you were talking about a minute ago, because you're going to have to kind of record what you're doing, see who has access where, what systems are connected. It seems like a good way to force yourself into a zero trust culture.
Tiernan O'Malley (04:34)
Yeah, and I mean, it can be nerve-wracking going into an engagement where you know someone is going to kind of rip your system apart and show you all the places, you know, if you think it's operating fine, most people do, there's always something going on that you don't know about. So yeah, so it really pulls away, allows you to have that visibility. And then once you're going through these controls, it's kind of tightening all of those gaps. And then from there, yeah, a strategy moving forward. I mean, with the way you're kind of any methodology within your system or your workforce.
Mikey Pruitt (05:11)
Well, let's talk about some of those controls and methodologies, specifically where they come from. So I know you deal with a lot of security frameworks like NIST, all the other acronyms that I'm sure you know and I don't. How do you kind of balance the depth of those frameworks versus speed and helping clients get that complexity?
Tiernan O'Malley (05:31)
Yeah, I think there are a few ways that you can help to prioritize these. If a client comes to you and they say we need XYZ or ABCDE, you know, all the acronyms. One, that's going to be a huge cost to your organization. So you don't want to throw it all in at once. But really, there are two pieces, I think, that are most, or the first touch point.
One, what is the sense of urgency? Why? Is it because it's an industry standard? Or is it because a potential customer is wanting you to hold some kind of certification before they do business with you, which is great for them? And secondly, you want to see where the largest areas of risk are within that organization and start with that framework.
And a lot of these frameworks have overlapping controls. So if you do a somewhat phased approach, you can kind of see what you're knocking out, what will be the best strategic next framework to go to, and what's the most important, what are the priorities of the customer, and so on.
Mikey Pruitt (06:41)
When I was doing a little research on Tiernan and Framework Security, I came across Minerva Insights, which is like an AI testing or reporting tool, I guess is what it does. Can you tell me a little bit about that and about the use of AI in this whole compliance, risk, zero trust process?
Tiernan O'Malley (07:00)
So, yeah, absolutely. Minerva, we launched it earlier this year. It was developed internally. It is a pen testing reporting tool, which is fantastic. So the idea of having an automated reporting tool, you know how much time it can take to create these reports. And then it's just pages and pages and pages.
Having a kind of dashboard that you can see, you can see all of your reports from years prior. You can see, you can analyze, it's huge with analysis. You can analyze and tweak things. It's something that will allow you to be more scalable and more organized and more talking, consistently talking about visibility, monitoring. This is perfect. When it comes to pen testing,
We, so we offer automated, hybrid and manual. Though, vulnerability scans and automated pen testing seem to have quite a bit of overlap. I think manual testing will always be something that is a necessity. You can automate, you can automate a lot of things around pen testing and yes.
Role scans are great to do consistently. Though that human element, I think, is so crucial. You know, we're seeing these AI threats coming through, so you can't have AI and AI combating each other, well, I mean, it will be like that, but, and then on the other hand, we know that people are the largest attack vector and the biggest threat to your
Confidential information and the biggest problem. So I think showing that, knowing that in turn having a manual pen test, having a person physically going in there, that it's just such a necessity because there's a different level of intuition that comes along with it.
Mikey Pruitt (08:50)
Yeah, that's actually what I was thinking of. A follow-up question to that is how do you kind of coach somebody and understand their business to determine whether they need that manual, hybrid, or kind of fully automated approach? What are some of the signs that one approach is better for that business?
Tiernan O'Malley (09:11)
Well, I mean, you couldn't say that you had a true pen test without doing a manual pen test. And if you look at a lot of these frameworks, like SOC 2, a pen test will be required. You can't do an automated pen test. It won't be as sufficient. So most of the time, we would generally recommend manual alongside vulnerability scans. And you could do a hybrid, but I think it's just that.
Human pen testing with a security analyst behind the screen.
Mikey Pruitt (09:45)
Yeah, I think it kind of makes sense to have AI really help with the reporting aspect and the documentation process. It's not quite, I guess, trustworthy enough 100% of the time to do just an automated pen test. That makes sense. Speaking of AI, so Framework also offers a governance framework for AI. So what is the
What are the steps that an organization can take to start governing AI responsibly?
Tiernan O'Malley (10:16)
So as we've all seen, AI has just massively become immersed into our world lately, you know, ramped up and has kind of become a piece of a lot of our day to day and especially within our work lives. What I would say and I think is kind of generally thought of is the first step is just knowing what
what tools are being used. So really creating visibility into what's being used, who's using it and creating a sort of inventory. I spoke to someone recently and they asked, yeah, what do you know if you guys are using AI? Is anyone in your company using AI? What are they using? And their response was, I don't think so. I just... Wrong.
There's no part of me that could believe that's true in any way. So obviously, their first step will be visibility. So yeah, so looking into it, creating an inventory, and then I think you don't have to go straight toward putting in hard policies, you can kind of take it gradually, but having some sort of
Mikey Pruitt (11:09)
Yeah.
Tiernan O'Malley (11:34)
expectation on the way it is used and making sure that is known within your organization. And that would be the first step. And then, you know, obviously, I would, whenever you're ready, which I would say sooner than later, I would say, go ahead and find an AI risk assessment. You can come to Framework Security if you like, but I think that
It's based on ISO 42001. So it's a highly regarded framework. It's, I think it's so important because as AI threats increase and it's really understanding, like with this zero trust, this perfect example, what are you putting into this LLM? People might think it's kind of this black hole and everything you're putting in dissipates once it's there.
which is the complete opposite, right? It's getting recorded, it's all getting reused, it's permanent. And so that message really needs to be shared and practiced and embedded within your company.
Mikey Pruitt (12:34)
I have a question basically to get some free advice from you, the expert here. We were having a pretty big discussion this morning at DNSFilter about what is considered an AI tool versus just some other tool, because almost every tool now includes some portion of AI. So like, where do you draw the line to categorize AI tooling versus others?
Tiernan O'Malley (12:56)
When you, excuse me, when you're looking at, you're going through and creating this inventory, you want to look at every tool that has an AI component, which like you mentioned is a lot. Our CRM has an AI agent, our sales enablement tool, our, you know, we have co-pilot, it's endless, but those all need to be tracked. They're equally relevant. They're equally utilizing your information.
Mikey Pruitt (13:23)
That's not the answer I was hoping for.
Tiernan O'Malley (13:25)
More inventory!
Mikey Pruitt (13:26)
Well, you're absolutely right, though. You can't just ignore things because they're not an AI tool. Because the AI is in there, and you are kind of touching on how the data we put into these systems is then used in some circumstances to be trained, to be used in training data. But there are mechanisms and there are companies that will promote that they can not train on your data. In fact,
Even on LinkedIn, if you post on LinkedIn by default, there's a setting that says your post can be used to train the content creation AI for LinkedIn. You can turn that setting off, but it's on by default. But all these other systems, Gemini, ChatGPT, all have a legal framework around it: we will honor your request not to be used. Whether that happens or not, I think it's a different story, but there is a legal agreement in there.
Tiernan O'Malley (14:18)
Sure. Though, and we talk about, you know, talk about like vendor risk management. Sure, LinkedIn has that legality set there. Though, if anyone is able to get into their system, they have all your information, they can pull it out. So it's a ripple effect. The supply chain, the how everything is connected, it's...
If anyone were to get into any of these systems, that data is still there. It's still live. It doesn't go away. It's just, it may not be used, being used by where you initially put it, but it's, be very wary. Yeah.
Mikey Pruitt (14:56)
100%. So we're all kind of building these, what is colloquially called an AI agent. There's workflows, there's agents, there's connectors, all sorts of different AI things, but we are all trying to build systems that can communicate with each other and use the strengths of one versus the other and the data in one versus the other. And I'm curious what type of like AI access to internal systems or data is appropriate.
Tiernan O'Malley (15:24)
I think that would also depend on, again, the ripple effect. It would depend on what you're utilizing that tool for and kind of what the policies are around it. If it's something where you're putting in customer information, I think there should be a higher level of discretion there. If it's something where you are using a tool to crunch numbers for you, sure, that's not as proprietary.
So, and then that can come along with creating these policies and beginning with the inventory and figuring out what level of protection you need with each of them.
Mikey Pruitt (15:59)
Let's get back to humans for a minute. All right. Well, humans are messy. AI is messy and humans are the worst. You're, you know, dealing with C-level clients. How do you kind of translate all this technical stuff, all these risk findings, penetration test reports? How do you translate that into a language that they not only understand, but kind of start to care about?
Tiernan O'Malley (16:02)
no.
Yeah. And I think this has always been a challenge. Beginning in sales, selling cybersecurity is like selling insurance and people, you know, in the past have generally not had the budget. So insurance has been around for a while. Typically there's a budget allocated. People know they have to do it. But with cybersecurity, it became kind of this
How do I sell that you won't get breached this year? Or you will probably, but we will have a higher level of protection for you. especially with these, budgets have been increasing definitely, but back in the day, it really, there was no allocation. And it did seem like, we're not gonna put money toward this. And the same challenge holds today, like currently in my current role, when a client comes to you and says, we're up for renewal, we want to work with you, but we need to bring something to our stakeholders that shows that there is ROI. And again, it's like, how do you quantify, you didn't lose any, you spent some money, but you didn't lose all of your data. It's such a challenge. But I think
What helps is when you talk about real world kind of ways that it'll affect you. So you could use use cases from former clients, or you could kind of paint a story where it's, this is what this is. This is what may happen. This is the likelihood of this happening. This is what you can do to prevent that. This is how much it will cost and then go from there. So if you're pulling it toward
The things that stakeholders typically care about, money, finances, reputation, things like that. You can kind of paint a picture and talk through and work in that way.
Mikey Pruitt (18:11)
Yeah, there's like a level of complacency where, you know, let's use Framework here too, or DNSFilter, as an example, like our big number for you this quarter is zero, like zero data breaches. The receiving customer is like, why am I paying you for that? And that's crazy. But that is the best case scenario. Like that's what they don't.
That's what you're saying to kind of drill into them. Best case scenario is that zero things happened.
Tiernan O'Malley (18:40)
Yep. We want no activity.
Mikey Pruitt (18:44)
That's... exactly. That's a good thing. So let's talk about security awareness training, social engineering training, how to spot a phishing email. They're kind of like undervalued. And I don't want to say they're not effective. But I think there's a misconception that they're not necessary or not
utilized fully, maybe is a good way to say it. But like what are some of the things in security that are kind of overrated? What do you think?
Tiernan O'Malley (19:16)
Yeah, and speaking on training, I think the statements you made can be true depending on how the training is done. I was recently speaking with a group of my peers and we were talking about training and they were, here my ears are like burning, they were talking about the different types of cybersecurity training that they had in their organizations and how it
they would click through it, how it's a pain. And one of them, one person was saying, yeah, but with mine, you can't, you have to watch the full video. They don't allow you to skip it and just do a rapid click through. So you have to watch the full video and then go to the next one. So what they were doing is they were, and you couldn't open a new tab in the same, say Chrome, you couldn't just open a new tab.
Mikey Pruitt (20:05)
Focus.
Tiernan O'Malley (20:06)
Yeah, so they had Firefox, Safari and Chrome all open going through. And here I am like, this is terrible. So what we do at Framework Security, and what I think is kind of the best way to do it, is making it very interactive. We will either do it in person or we can do it virtually, but there's a person speaking with you and gearing the material toward the organization or towards the role of whatever group you're presenting to and working with. And sometimes we'll even gamify it. So it's very interactive. Another point I think that is so important is not just having it be this kind of one-time clock in your lap and then you don't see it again. I think it should be frequent. I think
This is something that you can somewhat measure. And so you can see improvements if you're doing training, social engineering, things like that. And there needs to be a level of kind of remediation if people are not responding and the material is not, it's meant to be educational. And this is part of the zero trust thing. It's like enabling your workforce with the information to know what's going on, to think before doing, human behavior, and just really be aware of what the ramifications are if something happens. And having an escalation plan in place. I think that's so important because if someone clicks but feels too embarrassed to say something, you know, that's the end of your company. Could be, potentially. Yeah, and another piece of that, I think leadership buy-in is huge. I think people mimic the enthusiasm, sometimes, that their leadership has. And so if your leadership is saying, we have to do this, let's get it done. And maybe saying the same thing about compliance too, another audit.
If your leadership is kind of there with you wanting to help you to be better and to improve and really implement what you're learning into your day-to-day tasks.
Mikey Pruitt (22:21)
Yeah, so it sounds like you're really trying to instill the security mindset or culture into people that are taking the training, not just trying to get the checkbox, very similar to compliance, which is, I assume, what triggered that in your mind too. So getting people into a place where they care about security and understand the risks, like, I think we all understand the risks, but I don't think we feel it personally, or the quote, the burnt hand is the best teacher. I think it comes from the Lord of the Rings actually. But you know, until you get some type of breach happening in your life or in your company, you can't really feel it. So I guess you have to make it as real as possible without actually burning someone.
Tiernan O'Malley (23:06)
Yeah, yeah, that might go against another works.
Mikey Pruitt (23:10)
I think it's an HR policy violation.
Tiernan O'Malley (23:13)
Yeah, and that can be a part of it, but that interactive, you can create scenarios and kind of see how it would play out. And yeah, absolutely agree with you.
Mikey Pruitt (23:22)
So when you're in the, so your job is to kind of scale this client services portion of framework security. So how do you make that bigger and better without diluting the quality or the consistency?
Tiernan O'Malley (23:35)
Yeah, I think one, I think bringing on people who want to be there, people who care, that makes a huge difference. I also think being as structured and organized as possible, so getting your processes in place, making sure people are following them, and then automation can help,
but not to replace, to assist. So anything administrative. So say with the Minerva platform, that's fantastic. That will be an enabler for scaling because it is taking care of administrative tasks and it's also organizing our data so that we can, you know, you want to stay organized.
Mikey Pruitt (24:17)
Be like, you're in this director role. What type of practices or habits help you stay effective with everything changing so fast around us? How does your chair and stay up to date and
Tiernan O'Malley (24:31)
Well, I think you have to constantly be learning. I mean, we wake up every day and something new has happened and it's a totally different world each day because everything else around us is constantly evolving. So I think learning, I think speaking with other individuals, other people have great innovative ideas, being a part of that community. And yeah, just constantly upskilling, constantly observing things that are happening, see, I mean, breaches are happening all the time. But if you look at what's actually happening with them, like the Jaguar one, lack of segmentation between OT and IT, we just saw with Gucci getting in and getting high profile people's information, you really don't need much, you don't need credit cards, you don't need, you just need the identity. So as we're observing these, we can learn from all of these and make sure that we are not allowing ourselves to replicate that situation. We're trying to get closer to not allowing, right? There's no absolutes ever, yeah.
Mikey Pruitt (25:29)
There is a famous hacker Australian guy by the name of Chris Rock, not to be confused with the comedian. However, American Airlines is very confused. And I was talking to him recently and he basically said he could use all of Chris Rock, the comedian's points for all his flights. And he's a hacker type. So it wasn't that hard for him to social engineer somebody to think he was the Chris Rock instead of a Chris Rock.
Tiernan O'Malley (25:56)
It's that easy. It is that easy. It is. They need some awareness training.
Mikey Pruitt (26:01)
Exactly, exactly. So looking ahead like the future of framework security and for you and your role, like what kind of new service lines or industry do you think are most likely to develop in our like cybersecurity ecosystem?
Tiernan O'Malley (26:16)
Yeah. I think we've just touched the tip of the iceberg with AI. So I think we're going to see a lot of regulations and more compliance leading into that. It's going to be huge. We're seeing automated phishing simulations. We're seeing the vishing, all sorts of false media, Sora 2, the reality in that is just blowing my mind. It's scary. So AI, I think, is going to become a huge central focus for all industries, all areas of business. And then another part that I am personally kind of excited for, I mentioned I'm not.
You know, I don't have an engineering background. I don't have a network background. I think the area of cybersecurity that I like is closer to the kind of core of the business and how it affects it. So I think the overlap in risk and financial or revenue is going to kind of close in. So I'm hoping with these risk assessments, you know, we're going to see risk modeling and financial modeling done.
In immersion. and I think that will allow, we spoke about how it can be challenging to translate the ROI of cybersecurity or especially preventative cybersecurity. I think that will really allow it to be a bit more quantified versus where it's mostly qualified right now. So.
Mikey Pruitt (27:50)
That's really interesting. So you're saying the modeling for financial like revenue like 2026, we're expecting this amount of And then also in 2026, we're expecting these compliance rules or regulations and you're thinking those will be developed together and kind of feed off of each other?
Tiernan O'Malley (28:09)
I think when you're going through and doing risk assessments, it'll be looking at the impact that these risks have on your finances. So it'll be a direct correlation. I'm very excited to kind of move in that direction.
Mikey Pruitt (28:21)
And I'm gonna have to go do some research with GPT or something to learn more, because that is very interesting. Well, Tiernan, thanks for joining me today. Where can people find you on the internet?
Tiernan O'Malley (28:34)
Yeah, absolutely. I would say LinkedIn is the best. There is another Tiernan O'Malley. Oh, there are more Tiernan O'Malleys out there. But yeah, Framework Security. I'm in Southern California. Or feel free to send me an email. I can share that now or whatever is easiest.
Mikey Pruitt (28:52)
Yeah, go for it. What's your email? Sure. You want all the people to test for you?
Awesome. Well, Tiernan, thank you for joining me today, and look for Tiernan O'Malley on LinkedIn.
Tiernan O'Malley (29:03)
Thank you so much, Mike. It was so great to be here and yeah, looking forward to learning more.
Welcome everyone to another episode of DNS unfiltered. Today I'm joined by Tiernan O'Malley, Director of Client Services Framework Security. Tiernan, how are you?
Tiernan O'Malley (00:10)
Doing well and thank you for having me, Mikey. It's great to be here and excited to chat with you.
Mikey Pruitt (00:15)
Yeah, so Taryn and I were having fun with the studio app that we have here, changing our virtual backgrounds, trying to figure out if we looked better with our natural backgrounds, which we ended up with, or like a cool moody purple and black. But now I've got to paint my entire wall because we've got some cool backgrounds. But anyway, Taryn, thanks for coming to hang out with me and chat a little bit. I really had just had some questions about you and framework security and I you talk a lot about zero trust so I wanted to get into that as well. But first let's start with just a little bit about your background. So you run client services at framework. How did that career kind of get started?
Tiernan O'Malley (00:52)
Yeah, after college, I went into sales because I graduated with a business degree and ended up with not really any hard skills. I started in sales, did a bit of cybersecurity staffing, and then moved into getting closer and closer to the cybersecurity space and kind of moved on from there. I wanted to move into a role that was closer to the business side of things, but cybersecurity is such a vast and interesting area to be in. And so I don't, I don't plan on leaving anytime soon.
Mikey Pruitt (01:25)
Yes, I think sales is like the ultimate soft skills tester. It's like, you good at communication and empathy and like all those things? It's a good place to learn, learn how to be human, I guess.
Tiernan O'Malley (01:40)
Yeah, it's, mean, sales, whether it's aggressive or not, it's part of, think, every operation, you kind of need it to grow a profitable business. you know, it turns it into a much softer conversation as you grow. But I think that aspect will always be there. So good, good foundation.
Mikey Pruitt (01:58)
Yeah, that probably helps with dealing with clients. I specifically want to talk about how you describe zero trust. Like, let's get the cat out of the bag and zero trust. Like, what is it? What does it mean? Tell me about it.
Tiernan O'Malley (02:12)
Yep, absolutely. So think of it as a sort of strategy or a culture. It's not, and we'll talk about compliance here in a bit and how that can also be a strategy, but it's really training your workforce and educating your workforce to understand and pause and think prior to taking any action versus
Yes, no, it's something that you're wanting to train and develop as a strategy so that you can implement it in every area of your business. And yeah.
Mikey Pruitt (02:49)
Yeah, like a mindset. makes sense. So how do you ensure, since you brought it up, compliance and risk programs don't feel like like check boxes that clients are going through? How do you make them feel like a strategic lever people can use?
Tiernan O'Malley (03:06)
Yeah. And compliance can be challenging because when you think of audits, I mean, when I used to think of audits, I think of someone coming to look at your books and they're going to find something and there's going to be a problem. You know, it's not, not a good thing. So now it's more so when you're going through these controls and going through a framework, it really gives you insight to kind of what is going on within your business.
Mikey Pruitt (03:19)
That's how I think of it.
Tiernan O'Malley (03:32)
So I think it is something that can truly excel and bolster your operations, how your processes, everything versus going through and checking the box and getting it done with. It's something that allows you to have visibility. And then as you're implementing these controls, you want them to be continuous. You want them to be monitored. So it's really something that can enable you to operate more efficiently, have less downtime, less oversights, better operations in general.
Mikey Pruitt (04:02)
It seems like when you go down this path of compliance and risk, like assessment, audit, the word that you use, it is kind of a scary word. It makes me think of taxes. So when you're going down this road, it kind of almost forces you into this zero trust mindset that you were talking about a minute ago, because you're going to have to record what you're doing, see who has access where, what systems are connected. It seems like a good way to force yourself into a zero trust culture.
Tiernan O'Malley (04:34)
Yeah, and I mean, it can be nerve-wracking going into an engagement where you know someone is going to kind of rip your system apart and show you all the places, you know, if you think it's operating fine, most people do, there's always something going on that you don't know about. So yeah, it really pulls away, allows you to have that visibility. And then once you're going through these controls, it's kind of tightening all of those gaps. And then from there, yeah, a strategy moving forward. I mean, with the way you're kind of any methodology within your system or your workforce.
Mikey Pruitt (05:11)
Well, let's talk about some of those controls and methodologies, specifically where they come from. So I know you deal with a lot of security frameworks like NIST, all the other acronyms that I'm sure you know and I don't. How do you balance the depth of those frameworks versus speed and helping clients get through that complexity?
Tiernan O'Malley (05:31)
Yeah, I think there are a few ways that you can help to prioritize these. If a client comes to you and they say we need XYZ or ABCDE, you know, all the acronyms. One, that's going to be a huge cost to your organization. So you don't want to throw it all in at once. But really, there are two pieces, I think, that are most important, or the first touch point.
One, what is the sense of urgency? Why? Is it because it's an industry standard? Or is it because a potential customer is wanting you to hold some kind of certification before they do business with you, which is great for them? And secondly, you want to see where the largest areas of risk are within that organization and start with that framework.
And a lot of these frameworks have overlapping controls. So if you do a somewhat phased approach, you can kind of see what you're knocking out, what will be the best strategic next framework to go to, and what's the most important, what are the priorities of the customer, and so on.
Mikey Pruitt (06:41)
When I was doing a little research on Tiernan and framework security, I came across Minerva Insights, which is like an AI testing or reporting, I guess is what it does. Can you tell me a little bit about that and about the use of AI in this whole compliance risk, zero trust process?
Tiernan O'Malley (07:00)
So, yeah, absolutely. Minerva, we launched it earlier this year. It was developed internally. It is a pen testing reporting tool, which is fantastic. So the idea of having an automated reporting tool, you know how much time it can take to create these reports. And then it's just pages and pages and pages.
Having a kind of dashboard where you can see all of your reports from years prior. You can analyze, it's huge with analysis. You can analyze and tweak things. It's something that will allow you to be more scalable and more organized and, consistently talking about visibility, monitoring, this is perfect. When it comes to pen testing,
we offer automated, hybrid and manual. Though vulnerability scans and automated pen testing seem to have quite a bit of overlap, I think manual testing will always be something that is a necessity. You can automate a lot of things around pen testing, and yes,
vuln scans are great to do consistently. Though that human element, I think, is so crucial. You know, we're seeing these AI threats coming through, so you can't have AI and AI combating each other, well, I mean, it will be like that, but, and then on the other hand, we know that people are the largest attack vector and the biggest threat to your
confidential information and the biggest problem. So I think showing that, knowing that, in turn having a manual pen test, having a person physically going in there, it's just such a necessity because there's a different level of intuition that comes along with it.
Mikey Pruitt (08:50)
Yeah, that's actually what I was thinking of. A follow-up question to that is how do you coach somebody and understand their business to determine whether they need that manual, hybrid or fully automated approach? What are some of the signs that one approach is better for that business?
Tiernan O'Malley (09:11)
Well, you couldn't say that you had a true pen test without doing a manual pen test. And if you look at a lot of these frameworks, like SOC 2, a pen test will be required. You can't do an automated pen test. It won't be as sufficient. So most of the time, we would generally recommend manual alongside vulnerability scans. And you could do a hybrid, but I think it's just that.
Human pen testing with a security analyst behind the screen.
Mikey Pruitt (09:45)
Yeah, I think it kind of makes sense to have AI really help with the reporting aspect and the documentation process. It's not quite, I guess, trustworthy enough 100% of the time to do just an automated pen test. That makes sense. Speaking of AI, so Framework also offers a governance framework for AI. So what are the steps that an organization can take to start governing AI responsibly?
Tiernan O'Malley (10:16)
So as we've all seen, AI has just massively become immersed into our world lately, you know, ramped up and has kind of become a piece of a lot of our day to day and especially within our work lives. What I would say, and I think is kind of generally thought of, is the first step is just knowing what tools are being used. So really creating visibility into what's being used, who's using it and creating a sort of inventory. I spoke to someone recently and they asked, yeah, do you know if you guys are using AI? Is anyone in your company using AI? What are they using? And their response was, I don't think so. I just... Wrong.
There's no part of me that could believe that's true in any way. So obviously, their first step will be visibility. So yeah, looking into it, creating an inventory, and then I think you don't have to go straight toward putting in hard policies, you can kind of take it gradually, but having some sort of
Mikey Pruitt (11:09)
Yeah.
Tiernan O'Malley (11:34)
expectation on the way it is used and making sure that is known within your organization. And that would be the first step. And then, you know, obviously, whenever you're ready, which I would say sooner than later, go ahead and find an AI risk assessment. You can come to Framework Security if you like, but I think that
it's based on ISO 42001. So it's a highly regarded framework. I think it's so important because as AI threats increase, it's really understanding, like with this zero trust, this is a perfect example, what are you putting into this LLM? People might think it's kind of this black hole and everything you're putting in dissipates once it's there,
which is the complete opposite, right? It's getting recorded, it's all getting reused, it's permanent. And so that message really needs to be shared and practiced and embedded within your company.
Mikey Pruitt (12:34)
I have a question basically to get some free advice from you, the expert here. We were having a pretty big discussion this morning at DNS filter about what is considered an AI tool versus just some other tool, because every tool almost now includes some portion of AI. So like, where do you draw the line to categorize AI tooling versus others?
Tiernan O'Malley (12:56)
When you, excuse me, when you're going through and creating this inventory, you want to look at every tool that has an AI component, which like you mentioned is a lot. Our CRM has an AI agent, our sales enablement tool, our, you know, we have Copilot, it's endless, but those all need to be tracked. They're equally relevant. They're equally utilizing your information.
Mikey Pruitt (13:23)
That's not the answer I was hoping for.
Tiernan O'Malley (13:25)
More inventory!
Mikey Pruitt (13:26)
Well, you're absolutely right, though. You can't just ignore things because they're not an AI tool. Because the AI is in there, and you are kind of touching on how the data we put into these systems is then used in some circumstances to be used in training data. But there are mechanisms and there are companies that will promote that they can not train on your data. In fact, even on LinkedIn, if you post on LinkedIn, by default there's a setting that says your post can be used to train the content creation AI for LinkedIn. You can turn that setting off, but it's on by default. But all these other systems, Gemini, ChatGPT, all have a legal framework around it: we will honor your request not to be used. Whether that happens or not, I think it's a different story, but there is a legal agreement in there.
Tiernan O'Malley (14:18)
Sure. Though, and we talk about, you know, vendor risk management. Sure, LinkedIn has that legality set there. Though, if anyone is able to get into their system, they have all your information, they can pull it out. So it's a ripple effect. The supply chain, how everything is connected, it's...
If anyone were to get into any of these systems, that data is still there. It's still live. It doesn't go away. It may not be used by where you initially put it, but it's... be very wary. Yeah.
Mikey Pruitt (14:56)
100%. So we're all kind of building these, what is colloquially called an AI agent. There's workflows, there's agents, there's connectors, all sorts of different AI things, but we are all trying to build systems that can communicate with each other and use the strengths of one versus the other and the data in one versus the other. And I'm curious what type of like AI access to internal systems or data is appropriate.
Tiernan O'Malley (15:24)
I think that would also depend on, again, the ripple effect. It would depend on what you're utilizing that tool for and what the policies are around it. If it's something where you're putting in customer information, I think there should be a higher level of discretion there. If it's something where you are using a tool to crunch numbers for you, sure, that's not as proprietary.
And then that can come along with creating these policies and beginning with the inventory and figuring out what level of protection you need with each of them.
Mikey Pruitt (15:59)
Let's get back to humans for a minute. All right. Well, humans are messy. AI is messy and humans are the worst. You're, you know, you're dealing with C-level clients. How do you translate all this technical stuff, all these risk findings, penetration test reports? How do you translate that into a language that they not only understand, but start to care about?
Tiernan O'Malley (16:02)
No.
Yeah. And I think this has always been a challenge. Beginning in sales, selling cybersecurity is like selling insurance, and people, you know, in the past have generally not had the budget. So insurance has been around for a while. Typically there's a budget allocated. People know they have to do it. But with cybersecurity, it became kind of this
how do I sell that you won't get breached this year? Or you will probably, but we will have a higher level of protection for you. Especially with these, budgets have been increasing definitely, but back in the day, there really was no allocation. And it did seem like, we're not gonna put money toward this. And the same challenge holds today, currently in my current role, when a client comes to you and says, we're up for renewal, we want to work with you, but we need to bring something to our stakeholders that shows that there is ROI. And again, it's like, how do you quantify, you didn't lose any, you spent some money, but you didn't lose all of your data. It's such a challenge. But I think
what helps is when you talk about real world ways that it'll affect you. So you could use use cases from former clients, or you could paint a story where it's, this is what this is. This is what may happen. This is the likelihood of this happening. This is what you can do to prevent that. This is how much it will cost, and then go from there. So if you're pulling it toward
the things that stakeholders typically care about, money, finances, reputation, things like that, you can kind of paint a picture and talk through and work in that way.
Mikey Pruitt (18:11)
Yeah, there's like a level of complacency where, you know, let's use Framework here too, or DNSFilter, as an example, like our big number for you this quarter is zero, like zero data breaches. And the receiving customer is like, why am I paying you for that? And that's crazy. But that is the best case scenario. That's what they don't...
That's what you're saying to kind of drill into them. Best case scenario is that zero things happened.
Tiernan O'Malley (18:40)
Yep. We want no activity.
Mikey Pruitt (18:44)
That's... exactly. That's a good thing. So let's talk about security awareness training, social engineering training, how to spot a phishing email. They're kind of undervalued. And I don't want to say they're not effective. But I think there's a misconception that they're not necessary or not
utilized fully, maybe, is a good way to say it. But what are some of the things in security that are kind of overrated? What do you think?
Tiernan O'Malley (19:16)
Yeah, and speaking on training, I think the statements you made can be true depending on how the training is done. I was recently speaking with a group of my peers and we were talking about training and they were, here my ears are like burning, they were talking about the different types of cybersecurity training that they had in their organizations and how
they would click through it, how it's a pain. And one person was saying, yeah, but with mine, you can't, you have to watch the full video. They don't allow you to skip it and just do a rapid click through. So you have to watch the full video and then go to the next one. So what they were doing is they were, and you couldn't open a new tab in the same, say Chrome, you couldn't just open a new tab.
Mikey Pruitt (20:05)
Focus.
Tiernan O'Malley (20:06)
Yeah, so they had Firefox, Safari and Chrome all open going through. And here I am like, this is terrible. So what we do at Framework Security and what I think is kind of the best way to do it is making it very interactive. We will either do it in person or can do it virtually, but there's a person speaking with you and gearing the material toward the organization or toward the role of whatever group you're presenting to and working with. And even sometimes we'll gamify it. So it's very interactive. Another point I think that is so important is not just having it be this kind of one-time, clock it in, and then you don't see it again. I think it should be frequent. I think
this is something that you can somewhat measure. And so you can see improvements if you're doing training, social engineering, things like that. And there needs to be a level of remediation if people are not responding; the material is meant to be educational. And this is part of the zero trust thing. It's enabling your workforce with the information to know what's going on, to think before doing, human behavior, and just really be aware of what the ramifications are if something happens. And having an escalation plan in place. I think that's so important because if someone clicks but feels too embarrassed to say something, you know, that's the end of your company. Could be, potentially. Yeah, and another piece of that, I think leadership buy-in is huge. I think people mimic the enthusiasm, sometimes, that their leadership has. And so if your leadership is saying, ugh, we have to do this, let's get it done. And maybe saying the same thing about compliance too, another audit.
If your leadership is kind of there with you, wanting to help you to be better and to improve and really implement what you're learning into your day-to-day tasks.
Mikey Pruitt (22:21)
Yeah, so it sounds like you're really trying to instill the security mindset or culture into people that are taking the training, not just trying to get the checkbox, very similar to compliance, which is, I assume, what triggered that in your mind too. So getting people into a place where they care about security and understand the risks. Like, I think we all understand the risks, but I don't think we feel it personally, or the quote, the burned hand is the best teacher. I think it comes from The Lord of the Rings, actually. But you know, until you get some type of breach happening in your life or in your company, you can't really feel it. So I guess you have to make it as real as possible without actually burning someone.
Tiernan O'Malley (23:06)
Yeah, yeah, that might go against another works.
Mikey Pruitt (23:10)
I think it's a HR policy violation.
Tiernan O'Malley (23:13)
Yeah, and that can be a part of it, but with that interactive approach, you can create scenarios and see how it would play out. And yeah, absolutely agree with you.
Mikey Pruitt (23:22)
So your job is to kind of scale this client services portion of Framework Security. So how do you make that bigger and better without diluting the quality or the consistency?
Tiernan O'Malley (23:35)
Yeah, I think one, bringing on people who want to be there, people who care, that makes a huge difference. I also think being as structured and organized as possible, so getting your processes in place, making sure people are following them, and then automation can help,
but not to replace, to assist. So anything administrative. So say with the Minerva platform, that's fantastic. That will be an enabler for scaling because it is taking care of administrative tasks and it's also organizing our data so that we can, you know, you want to stay organized.
Mikey Pruitt (24:17)
Like, you're in this director role. What type of practices or habits help you stay effective with everything changing so fast around us? How do you share and stay up to date and
Tiernan O'Malley (24:31)
Well, I think you have to constantly be learning. I mean, we wake up every day and something new has happened and it's a totally different world each day because everything else around us is constantly evolving. So I think learning, I think speaking with other individuals, other people have great innovative ideas, being a part of that community. And yeah, just constantly upskilling, constantly observing things that are happening. I mean, breaches are happening all the time. But if you look at what's actually happening with them, like the Jaguar one, lack of segmentation between OT and IT, we just saw with Gucci getting in and getting high profile people's information, you really don't need much, you don't need credit cards, you just need the identity. So as we're observing these, we can learn from all of these and make sure that we are not allowing ourselves to replicate that situation. We're trying to get closer to not allowing, right? There's no absolutes ever, yeah.
Mikey Pruitt (25:29)
There is a famous Australian hacker by the name of Chris Rock, not to be confused with the comedian. However, American Airlines is very confused. And I was talking to him recently and he basically said he could use all of Chris Rock the comedian's points for all his flights. And he's a hacker type. So it wasn't that hard for him to social engineer somebody to think he was the Chris Rock instead of a Chris Rock.
Tiernan O'Malley (25:56)
It's that easy. It is that easy. It is. They need some awareness training.
Mikey Pruitt (26:01)
Exactly, exactly. So looking ahead to the future of Framework Security and for you and your role, what kind of new service lines or industries do you think are most likely to develop in our cybersecurity ecosystem?
Tiernan O'Malley (26:16)
Yeah. I think we've just touched the tip of the iceberg with AI. So I think we're going to see a lot of regulations and more compliance leading into that. It's going to be huge. We're seeing automated phishing simulations. We're seeing the vishing, all sorts of false media, Sora 2, the reality in that is just blowing my mind. It's scary. So AI, I think, is going to become a huge central focus for all industries, all areas of business. And then another part that I am personally kind of excited for, I mentioned I'm not,
you know, I don't have an engineering background. I don't have a network background. I think the area of cybersecurity that I like is closer to the core of the business and how it affects it. So I think the overlap in risk and financial or revenue is going to kind of close in. So I'm hoping with these risk assessments, you know, we're going to see risk modeling and financial modeling done
in immersion. And I think that will allow, we spoke about how it can be challenging to translate the ROI of cybersecurity, or especially preventative cybersecurity. I think that will really allow it to be a bit more quantified versus where it's mostly qualified right now. So.
Mikey Pruitt (27:50)
That's really interesting. So you're saying the modeling for financial, like revenue, like 2026, we're expecting this amount of... And then also in 2026, we're expecting these compliance rules or regulations, and you're thinking those will be developed together and kind of feed off of each other?
Tiernan O'Malley (28:09)
I think when you're going through and doing risk assessments, it'll be looking at the impact that these risks have on your finances. So it'll be a direct correlation. I'm very excited to kind of move in that direction.
Mikey Pruitt (28:21)
And I'm gonna have to go do some research with GPT or something to learn more, because that is very interesting. Well, Tiernan, thanks for joining me today. Where can people find you on the internet?
Tiernan O'Malley (28:34)
Yeah, absolutely. I would say LinkedIn is the best. There is another Tiernan O'Malley. Oh, there are more Tiernan O'Malleys out there. But yeah, Framework Security. I'm in Southern California. Or feel free to send me an email. I can share that now or whatever is easiest.
Mikey Pruitt (28:52)
Yeah, go for it. What's your email? Sure. You want all the people to test for you?
Awesome. Well, Tiernan, thank you for joining me today, and look for Tiernan O'Malley on LinkedIn.
Tiernan O'Malley (29:03)
Thank you so much, Mike. It was so great to be here and yeah, looking forward to learning more.