The Biggest Cybersecurity Challenges Facing Regulated and Mid-Market Sectors - with Cody Barrow of EclecticIQ

Welcome, everyone, to the AI in Business podcast. I'm Matthew DeMello, Editorial Director here at Emerge AI Research. Today's guest is Cody Barrow, CEO at Eclectic IQ. Eclectic IQ is a global cybersecurity leader specializing in threat intelligence technology. Trusted by governments in critical sectors worldwide, Eclectic IQ's intelligence center platform empowers security teams with decision-making against advanced threats in cybersecurity and beyond. Cody joins us on today's show to discuss how advanced threat intelligence is transforming cybersecurity operations through AI-driven analytics and automation. Our conversation also explores practical improvements in threat detection workflows, enhanced incident response times, and measurable ROI driven by reducing security breaches and operational overhead. Today's episode is sponsored by Eclectic IQ, but first, are you driving AI transformation at your organization? Or maybe you're guiding critical decisions on AI investments, strategy, or deployment. If so, the AI in Business podcast wants to hear from you. Each year, Emerge AI research features hundreds of executive thought leaders, everyone from the CIO of Goldman Sachs to the head of AI at Raytheon and AI pioneers like Yoshua Bengio. With nearly a million annual listeners, AI in Business is the go-to destination for enterprise leaders navigating real-world AI adoption. You don't need to be an engineer or a technical expert to be on the show. If you're involved in AI implementation, decision-making, or strategy within your company, this is your opportunity to share your insights with a global audience of your peers. If you believe you can help other leaders move the needle on AI ROI, visit Emerge.com and fill out our Thought Leader submission form. That's Emerge.com and click on Be an Expert. You can also click the link in the description of today's show on your preferred podcast platform. That's Emerge.com slash expert one. Again, that's Emerge.com slash expert one. Without further ado, here's our conversation with Cody. Cody, welcome to the program. It's a pleasure having you. Thanks a lot. Happy to be here. Absolutely. I've been having cybersecurity conversations since I got into podcasts 15 years ago. This is such an interesting space. Just over the last year, though, that we've been focusing on this subject vis-a-vis what's going on in AI, we've seen the conversation in cybersecurity move rapidly from generative AI into agentic AI, where attackers are now able to scale and automate their operations in new ways. For large enterprises, particularly those in the regulated space, they're already struggling with alert fatigue, skills shortages, supply chain exposure, depending on the industry. And this shift raises urgent new challenges. But just from your advantage point, looking at the space, especially from the cybersecurity side, what do you see as the biggest challenges enterprises and critical national infrastructure face today, especially given the rise of new agentic capabilities? Well, I think that setting aside agentic, there's always a challenge with arguing for yourself, right? Helping executive decision makers, often even the CEO, board of directors, CFO, CIO, understand why you need intelligence and security operations because it looks like an expense, right? It's not generating revenue. So we usually say that cybersecurity is revenue protection. It's protecting your revenue, right? So that's one of the biggest challenges. Specifically with agentic AI, what you're seeing is, and it's actually happening a little bit slower than you'd think, but we're seeing the automation of lower-skilled attacks. So it's now easier if you've ever seen an email where something is obviously fake or obviously malicious or trying to fix you or hack you. Have a lot of spelling errors. It's clearly not legit, right? Well that now becoming easier to formulate so that it looks more legit It looks real And we seeing that really carry over into a lot of areas And I think the scariest one is in deepfaked live videos So I often tell my wife and my family members, make sure you have a sort of code word between yourself and your family to authenticate you are who you say you are, because it's now easier for bad guys. Yeah, Yeah, exactly. So it's now easier for the bad guys to make a WhatsApp call, a FaceTime call, and it'll look just like you. And they'll be saying, I'm in an emergency situation. I need this now. Can you just transfer the funds? And you just say, wait a minute, what's the code word? Right. Really fascinating that, especially at the individual level, we're going to start to need to make these changes and everybody's turning into secret agents with code words. That being said, the rules tend to change at each of these different levels that we're going to talk about today between critical national infrastructure, highly regulated industries and mid-market sectors like manufacturing and retail. Maybe best to start from the bottom and work our way up here. Tell us about how those challenges look, especially from the perspective of manufacturing and retail and we'll move to highly regulated industries. Yeah, I think that so starting with the sort of mid market, and so that's things like manufacturing and retail, I think we're seeing that one of the biggest challenges is that there is a broad surface of weak links, right? So especially for something like retail, website retail, where you're, you know, for shopping, we've seen a lot of this this year, there are a lot of supply chain weak links. So if an attacker brings down the payment systems, then we've already seen that you can lose a lot of revenue if you're spending weeks bringing that fully back online. And that sector or that realm is much less likely to have serious regulatory mandates to make sure that they're secure across all of their weekly. And there are usually a lot of different tentacles that kind of program into the big brain. So that's something you see in that area. You also see that it's easier to fall victim to opportunistic attackers. As you move up that chain into highly regulated industries, I would say like finance, telecom, things like that, you'll find that especially in finance, a lot of these industries are some of the most mature on cybersecurity. So, for example, years ago, Bank of America's CEO mentioned that they spent a billion dollars a year on information security. And the CEO at that time said he considered it money well spent, right? Revenue protection. So what that means is that if you have such a mature cybersecurity program and such a mature cyber threat intelligence program, then your problem is that you are overwhelmed by too many alerts. too many things that look like they could be signals, but aren't. And you are overwhelmed by skill shortages, or I should say, finding the right skill set for the right job. And you are overwhelmed by trying to understand where you should focus your intelligence and your security operations, because you're not an intelligence agency. Maybe some of these highly regulated organizations like Bank of America, like Citibank, like these very large financials have a lot of funding. But at the end of the day, they don't have this super mature framework that you see at the national level. So they need to figure out how to prioritize their threats and then act on them effectively. And that's really challenging. Right. And just out of curiosity, what does that national infrastructure look like? And how does that impact the really different challenges that we see, especially where for, as you're saying, the regulated folks drowning in alerts, manufacturing and retail, struggling to cover the bases. A lot of them aren't theirs or in the supply chain where it's really hard to kind of get that cooperation and coordinate. There on the defense side, you have a little bit more clarity on your priorities because you understand that you need to have hardcore service availability. If you are a government, then you generally have policies set by some sort of policymaking body. Obviously in the US that the executive branch So usually the presidency and their staff And so you sort of have clarity of mission You know where your priorities are which you also do in the regulated industries to some extent but you have to craft them versus at the national level, those are always being crafted by national policy. And if you're in that sort of critical infrastructure level where maybe you're not government, but your energy sector or you are otherwise critical for the function of society, then you are often being targeted by state-backed or geopolitically motivated threat actors. So they might be looking for leverage. They might be looking for disruption. They might just be looking to get into the infrastructure so that someday if there is a conflict, they can shut you down. So they're patient, they're well-funded, and they're looking for stealth, which is very hard considering often critical infrastructure and the private sector is not well-funded for security. Absolutely. And just starting from there, I know we're kind of going back and forth from the bottom to the top, but I think it helps, especially for the regulated industries. That's a little bit more what the proverbial bad guys sort of look like. What solutions are proving most effective for regulated industries under this constant scrutiny? I know we've had a lot of conversations on the show just about the potential for AI to really bring down that kind of alert drowning as you're terming it. I think that it's so things like AI, it's really only a partial solution. So it's helpful, but it's not magic, right? You often see AI framed as a sort of magical solution. I think that's changing a bit, actually, at Lightspeed, really, but it's not magical. So AI can help a bit with producing some extra context. It can help a little bit with sorting through and triaging alerts. It can help with summarizing reports. It can help with a lot of things like that. But honestly, what's really the most helpful or most effective is a little bit less sexy. And it's really culture and organizational alignment. So you're most effective if you're a cyber intelligence team or a security team that has active communication with your executive level priorities. So, for example, if you're a financial institution and you're working in security operations, you should be asking the executives if they have enough time and they should to just answer what keeps you up at night. And usually they're not going to say, oh, it's so-and-so hacker or it's something technical. They're going to say, oh, well, over in West Virginia, we have this line which is vulnerable to somebody issuing fraudulent mortgages or fraudulent credit cards or fraudulent transfer. And then it's your job as a security professional to then figure out, okay, how would, from a technical standpoint, an attacker compromise that? And that has the most impact if that is compromised. So it's really that alignment in the organization that's most effective. Absolutely. We hear it again and again on the show that this is really a tool and the benefit that it's going to bring you is the discipline of knowing where your data is going and having a very clear idea of the business goals. Those are essential to really make these tools work. Just for the mid-market organizations, I know we were talking about manufacturing and retail before. This is a much larger problem. It really, like as we were saying before, really depends on cooperation and having a keen sense of who you're partnering with. But what are the right steps that maybe mid-market leaders can take right now to strengthen defenses without overextending those precious resources? High impact basics, right? So things like enforced multi-factor authentication across all remote accounts and anybody who has administrative access, ideally everybody. And also to our earlier comments, supply chain partnerships, right? Because if one of your supply chain partners doesn't have the high impact basics implemented, then they can shut you down anyway. Like I said, it may be your payment provider. It may be something in procurement. It could be any number of things that could shut you down for days or weeks. Use things like single sign on to centralize access control and identity control Ensure all of your all of your endpoints are up to date on the latest patches things like that And if you're unable to scale, outsource. So find a man detection and response or 24-7 security operations services provider, because not everybody in that sort of mid-market has the ability to resource a full internal team. Absolutely. Any other factors just going into this conversation has changed so much in the last few years? We've, you know, we used to call it build versus buy. It's not so much like an either or anymore. It's more of a ratio. But any other telltale signs, you know, especially in the mid market space that you're going to want to partner to have that extra expertise to tackle this problem? Well, to be honest, I think the main telltale sign is 2025, right? To be honest, I mean, I think that at this stage, and I don't believe in selling what we call FUD, fear, uncertainty, and doubt. I don't believe in selling fear. But I do believe in reality, right? And I think that if you are finding yourself doing business today, then you should probably think about outsourcing some of your security. So think about what happens if what aspect of my operations is unavailable for three or four days is or if something is leaked or ransomed, is that going to be existential for my business? Well, that means you definitely need to partner with somebody, right? Do you not have a clear recovery plan? Are you not sure what you would do if this happened to you? Do you have a lot of supply chain partners? All of these are red flags that you need to find a mature partner. Yeah, absolutely. And at that point, especially for the mid-market folks, you can really track those alert, those signals that you're going to need assistance with far more ease than we see in the regulated space. but you've done such a great job so far, at least talking about that kind of alert drowning as we were talking about it before. Cody, very, very fascinating stuff. I know this is going to move in a lot of different directions, especially as we see cybersecurity mature. We're just at the tip of the iceberg, so to speak, especially for the potentials of agentic technology and what that means down the line for fraud spaces, for cybersecurity, for really our identities as human beings. And I know you were touching a little bit on that a little bit ago with speaking on deepfakes. Thank you so much for being here. It's a pleasure having you. Thank you so much. I really enjoyed it. Wrapping up today's episode, I think there were a number of critical takeaways for enterprise cybersecurity leaders from our conversation today with Cody Barrow, CEO at Eclectic IQ. Here are three we'd like to summarize before closing things out today. First, integrating AI-driven threat intelligence tools enhances early detection of sophisticated cyber threats, enabling proactive defenses. Second, automating incident response workflows reduces operational strain on security teams while accelerating resolution times. Finally, leveraging advanced analytics to contextualize threat data delivers measurable ROI by minimizing breach impact and improving overall security posture. Interested in putting your AI product in front of household names in the Fortune 500? Connect directly with enterprise leaders at market-leading companies. Emerge can position your brand where enterprise decision makers turn for insight, research, and guidance. Visit Emerge.com slash sponsor for more information. Again, that's Emerge.com slash S-P-O-N-S-O-R. I'm your host, at least for today, Matthew DeMello, Editorial Director here at Emerge AI Research. On behalf of Daniel Fagella, our CEO and Head of Research, as well as the rest of the team here at Emerge, thanks so much for joining us today, and we'll catch you next time on the AI in Business podcast. Thank you.