Sprocket CEO and Founder Casey Cammilleri interviews experts leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.

In this episode, he spoke with Seth Arnoff, cybersecurity engineer at the MacArthur Foundation, at Black Hat 2025 to unpack the reality of building a resilient, proactive security program without breaking culture or burning out your team.

This isn’t a conversation about shiny tools or security theater. It’s about what works.

From Day-to-Day Security to Strategic Impact

Seth starts by breaking down the reality of his role: the balance between the fundamentals (patching, vulnerability management, log review) and longer-term initiatives that actually move the needle. At a relatively small organization doing globally impactful work, every security decision has to be intentional.

One standout example? The MacArthur Foundation’s move toward passwordless authentication using Windows Hello. Seth explains how security initiatives like this succeed or fail based on communication, transparency, and trust.

Why Continuous Penetration Testing Won

The conversation quickly moves into proactive security and why MacArthur shifted from traditional point-in-time penetration tests to a continuous penetration testing model.

Seth shares:

  • Why annual or one-off tests weren’t enough
  • How continuous testing provides a real view of security posture over time
  • The operational benefits for smaller teams that don’t have bandwidth for constant vendor coordination
  • Why verified remediation matters more than static reports

For organizations following frameworks like NIST CSF, this episode offers a grounded explanation of how continuous testing supports maturity, not just compliance.

AI, Third-Party Risk, and Guardrails That Actually Work

With AI dominating the Black Hat show floor, Seth and Casey dig into what most organizations are struggling with right now: how to allow AI usage without losing control of data.

Rather than relying on “don’t do this” policies, Seth explains how his team:

  • Accepts that employees will use AI tools
  • Builds frameworks, guidelines, and internal controls around them
  • Involves legal early to address data ownership and training risks
  • Monitors usage trends to inform training without becoming invasive

They also dive into third-party risk management, including how MacArthur evaluates every vendor (yes, every one), how SOC 2 reports fit into the process, and why repeatability and consistency are the hardest—and most important—parts of vendor security.

Reporting Security the Right Way

One of the most practical segments of the episode focuses on security reporting to leadership and the board.

Seth explains why massive “scary” numbers don’t actually help decision-makers—and what does:

  • Clear, measurable objectives
  • Tracking progress and drift over time
  • Metrics that tie back to real risk reduction (like phishing reporting rates, not just email volume)

It’s a refreshingly honest take on what security leaders should and shouldn’t put in front of executives.

The Threat We’re Not Talking About Enough

When asked about emerging threats, Seth doesn’t say AI. He says quantum computing.

The discussion highlights why quantum isn’t just an encryption problem—it’s a geopolitical and economic race that could reshape everything from logistics to national security. It’s a moment that sticks with you long after the episode ends.

Who This Episode Is For

  • A security leader at a small or mid-sized organization
  • Balancing proactive security with limited resources
  • Trying to introduce AI safely
  • Building vendor risk or reporting programs from the ground up

This episode will feel uncomfortably familiar in the best way.


Listen to the full episode of Ahead of the Breach now and hear how real security teams are navigating today’s threat landscape without losing sight of people, culture, and impact.