Every week, Sprocket Security CEO Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.

We recently spoke with Vivek Menon, CISO & Head of Data at Digital Turbine. Here are the top takeaways from the interview.

#1: Leverage AI Simulations to Understand Your Adversaries Better

“Staying within the theme of the podcast, I would say that AI is generally now talked about as a possible attack vector, AI-driven attacks, so to speak. But I think of the benefits that come with AI-simulated attacks as well, where you understand the adversaries a whole lot better.

“By going through simulation scenarios that otherwise would have been cost-prohibitive, or where the technical wherewithal would have been pretty limited. But with the simulation that AI provides and AI tools provide around attacks, I think we can cover a whole host of scenarios and be a lot more prepared. I think that's the biggest sort of boon for me.

“I wouldn't focus necessarily on what could go wrong with AI and how AI-driven attacks could manifest for companies. I think the possibilities are endless and that's what I choose to focus on.”

Actionable Takeaway: AI-driven attack simulations unlock previously cost-prohibitive testing scenarios that dramatically improve threat understanding. Instead of fixating on AI as an attack vector, security teams can use these tools to run comprehensive scenarios that were technically or financially impossible before, creating better preparation against real adversaries.

#2: Map Your Complete Attack Surface Before Legacy Systems Bite Back

“To me, the biggest blind spots are around not fully knowing the landscape that you're trying to protect and then not aligning that landscape with business priorities. And so any CISO you would have a conversation with would say that one of the first things they do when they get into their role is to identify that business risk matrix and identify their crown jewels, their high-risk applications, and so on.

“Most times there are legacy applications that you ignore because they don't seem to come up in conversations when you talk to your engineering teams and your DevOps teams and so on. But when you do start doing assessments, that's when you realize that there is a critical legacy application that is interconnected with all of the modern apps that you've built on cloud.

“If that legacy app does not function or is not tested appropriately or has vulnerabilities that you have overlooked for many, many years, it could come back to bite you. And I think that's usually a blind spot that I see in companies that I've worked with. And I get to interact with CISOs as well. They always complain about not knowing the full landscape of what they're trying to protect.”

Actionable Takeaway: Hidden legacy applications often serve as critical interconnection points for modern cloud infrastructure, creating cascading vulnerability risks. CISOs consistently struggle with incomplete landscape visibility because these systems rarely surface in engineering conversations, yet they can undermine entire security programs when overlooked during assessments and testing cycles.

#3: Govern Shadow AI Before Employees Expose Company Data

“Shadow AI is my favorite term. It's probably the term of 2025, and it's also a term that I have been living with for the past few months. So much like shadow IT, which was sort of the buzzword a few years ago, shadow AI is folks — over-enthusiastic, well-intentioned folks — adapting to capabilities that AI can deliver on, but in a very haphazard fashion.

“My friend told me a Zapier agent allows me to produce a report much faster. I'm going to build something on Zapier and just connect and expose all of my company data to it. Do we have guardrails and controls in place to stop sensitive data from getting out? Yes. But at the end of the day, we rely a whole lot on human judgment and what they should be doing and not doing to protect our IP and our customers’ IP and so on.

“And today we have a proliferation of systems or agents or models, however you want to put it, that exist out there that we don't have a full grasp on. And so it's a very real problem. It's a now problem. It is not a hypothetical. And I see a lot of companies on the floor, on the RSA floor focusing on that. And I'm glad about it. I think some of these capabilities will coalesce and we'll come into a tool or a platform that we can truly leverage. But it's a here and now problem that most security leaders are facing.”

Actionable Takeaway: Well-intentioned employees are connecting sensitive company data to external AI tools like Zapier agents without proper oversight, creating immediate exposure risks. This isn't a future threat — shadow AI is happening now across organizations, requiring urgent governance frameworks to prevent IP and customer data from flowing to uncontrolled systems.
