Every week, Sprocket CEO and Founder Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.

He recently spoke with Phillip Wylie, Penetration Tester & Podcast Host of The Phillip Wylie Show. Here are the top takeaways from the interview.

#1: Conduct Continuous Penetration Testing to Close Security Gaps

“I think probably one of the largest ones is frequency of testing, because a lot of companies do one once a year as a checkbox for compliance. And one of the reasons that I believe that it needs to be more frequent is that at one of my consulting gigs, I tested the company, and they had a 90-day retest built into their statement of work. So I did the first test, went back to start testing, doing some initial scans and vulnerability scans and they had remediated the criticals, highs and mediums. And the only thing left from the original test were the lows.

“But, between that time, what had happened is a security researcher figured out an exploit for that low-criticality vulnerability. If I hadn't come back and done a retest, or they hadn't done a rescan with a vulnerability scanner, then it would have been vulnerable for a year. And so just knowing the way that exploitable vulnerabilities are coming out more commonly and more quickly nowadays, there's a lot of risk in the time between pentests; what you do between those times that you pentest is very critical.”

Actionable Takeaway: Annual penetration testing leaves dangerous gaps when low-risk findings become exploitable between assessments. A 90-day retest showed how an environment that had remediated every critical, high, and medium finding became vulnerable again after a researcher published an exploit for a finding originally rated low. Organizations should implement continuous testing or regular vulnerability scanning, and re-evaluate previously accepted low findings against newly available exploits, to keep pace with how quickly exploits now appear.
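One practical way to act on this, as an added example that is not code from Sprocket or from the interview: a small script that diffs a baseline scan export against a retest export and flags findings that gained a public exploit in between, so a low that was accepted at the first test is not silently carried for a year. The JSON field names and the sample findings are constructed for the example; real scanners use their own export formats, so the loader would be adapted to whatever tool is in use.

```python
"""
Diff two vulnerability-scan exports and flag exploitability drift.

Added example, not from the interview or Sprocket. The record shape
(host, plugin_id, title, severity, exploit_available) is a constructed,
scanner-neutral format, not any vendor's real export.
"""
import json
from dataclasses import dataclass

# Rank used to sort findings that need attention, highest severity first.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    title: str
    severity: str
    exploit_available: bool

    @property
    def key(self):
        # A finding is identified by where it is and which check raised it.
        return (self.host, self.plugin_id)


def load_findings(raw_json: str) -> dict:
    """Parse an export into a {(host, plugin_id): Finding} map."""
    return {f.key: f for f in (Finding(**d) for d in json.loads(raw_json))}


def diff_scans(baseline: dict, retest: dict) -> dict:
    """Classify every finding by what changed between the two scans."""
    report = {"remediated": [], "new": [], "now_exploitable": [], "unchanged": []}
    for key, old in baseline.items():
        cur = retest.get(key)
        if cur is None:
            report["remediated"].append(old)
        elif cur.exploit_available and not old.exploit_available:
            # Same finding, but an exploit appeared since the baseline: this is
            # the "low that quietly became dangerous" case from the interview.
            report["now_exploitable"].append(cur)
        else:
            report["unchanged"].append(cur)
    for key, cur in retest.items():
        if key not in baseline:
            report["new"].append(cur)
    return report


def needs_attention(report: dict) -> list:
    """Findings that were not known at baseline or gained an exploit, worst first."""
    items = report["now_exploitable"] + report["new"]
    return sorted(items, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)


def retest_passed(report: dict) -> bool:
    """True only when nothing new or newly exploitable showed up."""
    return not needs_attention(report)


# Constructed sample exports: the first test, and the retest 90 days later.
# Hosts, plugin IDs and titles are made up for the example.
BASELINE_JSON = json.dumps([
    {"host": "10.0.0.5", "plugin_id": "P-1001", "title": "Outdated web server",
     "severity": "critical", "exploit_available": True},
    {"host": "10.0.0.5", "plugin_id": "P-1002", "title": "Weak TLS configuration",
     "severity": "high", "exploit_available": False},
    {"host": "10.0.0.7", "plugin_id": "P-1003", "title": "Missing security headers",
     "severity": "medium", "exploit_available": False},
    {"host": "10.0.0.7", "plugin_id": "P-1004", "title": "Legacy admin component",
     "severity": "low", "exploit_available": False},
])
RETEST_JSON = json.dumps([
    # Criticals, highs and mediums were fixed; the low is still there, and an
    # exploit for it was published in the meantime.
    {"host": "10.0.0.7", "plugin_id": "P-1004", "title": "Legacy admin component",
     "severity": "low", "exploit_available": True},
    {"host": "10.0.0.9", "plugin_id": "P-2001", "title": "Newly exposed service",
     "severity": "medium", "exploit_available": False},
])

if __name__ == "__main__":
    rep = diff_scans(load_findings(BASELINE_JSON), load_findings(RETEST_JSON))
    for label in ("remediated", "unchanged", "new", "now_exploitable"):
        print(f"{label}: {[f.plugin_id for f in rep[label]]}")
    for f in needs_attention(rep):
        print(f"ATTENTION {f.severity.upper():8} {f.host} {f.plugin_id} {f.title}")
    print("retest passed:", retest_passed(rep))
```

The point of tracking `exploit_available` separately from `severity` is that a scanner's severity label rarely changes when an exploit is published; keying the retest decision on the drift, rather than only on the severity, is what catches the case Wylie describes.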

#2: Secure IoT Devices Before They Become Your Biggest Weakness

“Our product is an X-IoT — extended IoT — security product because we do more than secure IoT. We also do OT and medical devices and stuff like that. But one of the interesting things that is related to IT security is how a lot of the things that we as pentesters would see and take advantage of, like default creds, are a big problem in IoT. A lot of times people get these IoT devices and they keep the default credentials. They're not practicing your normal security hygiene like changing default creds, rotating out the passwords periodically. They're not doing stuff like that, your normal type of hygiene tasks.

“The interesting thing is, as mentioned, how it's getting more difficult to get a foothold from an IT perspective during a pentest. Now threat actors are taking a playbook, something that they probably may have been doing for a while but wouldn't really have had to leverage, since these endpoints are so hard to exploit. They're doing things like exploiting security cameras and printers, just like the Akira ransomware, where they weren't able to get a foothold in the environment, so they exploited a security camera. And then from the security camera, they were able to do an SMB share and spread the ransomware internally from that.

“And one of the things, even going back and listening to some other podcasts from other security firms, one of the things I heard several years ago, like on the Black Hills podcast, they were talking about how attacking the endpoint is more difficult. It's like you're having to come from outside, from other devices and things, to gain a foothold. So threat actors are doing the same thing. And people really don't take seriously or consider that IoT devices are a security risk.”

Actionable Takeaway: Threat actors pivot to IoT devices when traditional endpoints become harder to exploit. Default credentials and poor security hygiene in cameras, printers, and connected devices create easy footholds for ransomware attacks. Organizations must treat IoT devices as serious security risks requiring credential management, firmware updates, and network segmentation.

#3: Practice Patient Mentorship to Build Authentic Security Communities

“Some of the best lessons I've gained, and one of the things I'd share, especially with the more senior people out there, is to be accepting and understanding of the younger generations. Because one of the things people need to take into consideration is that each generation is different. They communicate differently. Be patient and helpful.

“One of the biggest tips that I got from someone is just being patient; that's one of the keys. I had someone that kept coming back to me asking me questions, and this is stuff they could have easily Googled. But one of the things that I realized, because one day they came back to me and said thank you for always answering my questions and not just telling me to Google it: if you're helping people, realize that if they don't understand the topic well enough, they're not going to be able to successfully research and Google those terms. The more they understand it, the better they can.

“So be patient with people. Come from a place of trying to help people and you will grow your audience and whatever communities you're trying to grow, because they know you're authentic. You want to help people, and people get on board with that.”

Actionable Takeaway: Junior professionals asking "Googleable" questions often lack foundational knowledge to formulate effective searches. Patient mentorship bridges knowledge gaps that research alone cannot fill. Senior professionals who understand generational communication differences and provide authentic help build stronger communities where people feel safe learning and asking questions.
