About
Articles by Brian
Activity
9K followers
-
Brian Fricke posted thisI’m happy to share that after 4 1/2 Years at City National Bank of Florida; I’m starting a new position as Chief Information Security Officer at AutoNation! I am incredibly grateful to my team and all the partners who have supported me these past years in the Financial Services sector. I know James Kim, Roel Raymore, CISSP, and Pedro Dominguez will continue to do great things at CNB! I am happy that Edward Contreras will be taking over as Chair of the Midsized Bank Coalition of America (CISO Group), and look forward to the new journey in the Retail Industry! #onward
-
Brian Fricke shared thisJoin the networking, knowledge share, and show and tell that is #BSides SOFL!Brian Fricke shared this🚨 Speaker Announcement 🚨 Dennis Chow joins us with a highly practical session: A dual-sided deep dive into evasion techniques that bypass modern detection logic — plus working defensive detection code. Real techniques, field-tested at UKG and validated by Microsoft’s Red Team, with tools you can use immediately. 🔗 https://lnkd.in/eEEbMRZk 👀 More speakers coming soon — we’re still making selections. #CyberSecurity #RedTeam #BlueTeam #SIEM #InfoSec
-
Brian Fricke shared thisExcellent callout. The controls an organization puts into place must be a layered architectural approach like with traditional security stacks. There is never just 1 control plane.Brian Fricke shared thisHeretic exposes one of the biggest illusions in AI security. Heretic is a useful wake-up call for the AI industry. The repo automates removal of LLM safety alignment using directional ablation, packages it as a simple CLI workflow, and reports that the process can be done without expensive post-training. It also claims strong refusal suppression with relatively low capability damage, plus broad community adoption. My takeaway: We need to stop confusing alignment with security. If a model's built-in refusals can be systematically removed, then those refusals were never the control you should have trusted most. For enterprise AI, the real controls need to be outside the model: - strong identity and access boundaries - least privilege for tools and data - runtime policy enforcement - monitoring and fast containment Heretic is not the problem. It is the proof point. The model is not your security perimeter. https://lnkd.in/e6XEpEjU
-
Brian Fricke reposted thisBrian Fricke reposted thisCrazy vulnerability - introducing Clinejection! An attacker hid a prompt in a GitHub issue title. An AI triage bot read it, interpreted it as an instruction, and handed over the npm token. https://lnkd.in/dRYhh6t8
-
Brian Fricke shared thisGood takwaways!Brian Fricke shared this3 takeaways from the Global Cyber Innovation Summit that are still simmering for me: ✅ SPEED HAS COLLAPSED. The median time to exploit a vulnerability fell from 285 minutes to 17. Fastest recorded breakout? 27 seconds. Attackers are running at machine speed, but we defenders are still operating at meeting speed. Most security programs weren't built for 17-minute problems. ✅ WE'RE PATCHING THE WRONG THINGS. 99% of vulnerability alerts are never exploited. Just 0.15% drive 30-50% of financial losses. Here's the dirty secret: most of what we're patching doesn't matter. If everything is urgent, nothing is strategic. ✅ SPACE IS NOW A CYBER DOMAIN. Low-Earth orbit satellites may grow from ~20,000 to 300,000 in the next few years. About $800 in equipment can intercept unencrypted satellite communications. Our dependence on satellites is growing faster than the security around them. Most boards aren't thinking about it yet. Which of these are we underestimating right now? Grateful to Bob Ackerman, Phil Venables, and Christina Riboldi for curating such an intimate room with leaders from Anthropic, Google, McKinsey, PWC, Cisco, Okta, Verizon, WWT, and multiple federal agencies.
-
Brian Fricke shared thisKey takeaway from Anthropic ’s “Stop Building #AIAgents. Build Skills Instead.” talk: real leverage comes from moving up the stack—from raw capability to governed, reusable value. 👏 Shout-out to @BarryZhang (framing why agents are the wrong abstraction) and @MaheshMurag (showing how “skills” become the durable application layer). The three layers, moving up the stack: #Models (Processors) Foundation models that transform inputs to outputs. Threats: model hallucination, data poisoning, training data leakage. Controls: model evaluation, input/output filtering, provenance tracking, usage constraints. #Agents (Operating Systems) Orchestration logic that chains tools, memory, and models to act autonomously. Threats: runaway execution paths, tool misuse, privilege escalation, cost explosions. Controls: policy-based guardrails, deterministic workflows, budget/time caps, kill switches. #Skills (Applications) Composable, task-bounded capabilities with clear intent and interfaces. Threats: over-privileged skills, logic abuse, unintended business actions. Controls: least-privilege design, explicit contracts, auditability, outcome validation. Bottom line: Agents are an implementation detail. Skills are the control surface. If you care about safety, cost, and enterprise adoption—optimize for the top of the stack.
-
Brian Fricke shared thisExcellent insights into the market from Chenxi Wang, Ph.D. on #AIBrian Fricke shared thisAs an investor, I am getting many Agentic startup pitches every day. On the enterprise side: • Agentic platforms for marketing • Agentic platforms for HR • Agentic platforms for Security • Agentic platforms for IT • Agentic platforms for Finance On the consumer side: • Agents for content creation • Agents as a chief of staff • Agents for personal productivity • Agents for activity planning But do we really need a different agentic platform for every function? Under the hood, many of these platforms look strikingly similar: ✅ Connect to data sources or services ✅ Build a context layer ✅ Spin up agents for specific tasks ✅ Orchestrate everything via prompts ✅ Same architecture. Different labels. And many are pitching their own "Agentic OS" that comprise these infra layers. Surely, we don't need a different Agentic OS for different applications Why wouldn't we have one core agentic platform, with domain-specific know-how, policies, workflows, and context injected as needed? Much like the old days, one OS and many applications on top? So instead of: “An agentic platform for marketing” “An agentic platform for finance” We get: - A general agentic operating layer -- the OS - and modular expertise packs for each function Curious how others see it: Of course the question is who is at a position to produce and dominate such a horizontal agentic OS? Microsoft? Amazon Web Services (AWS)? Salesforce? ServiceNow? Glean? This debate is just getting started... David B. Cross, David Brumley, Warren Small, Monica Jain, Haiyan Song, Siqi Chen, Aysha Khan, Yousuf Khan, Amit Lubovsky, Piyush Sharrma, Tyler Shields, Shaun Khalfan, Matthew Rosenquist, Chris Hughes
-
Brian Fricke reposted thisI enjoyed hosting a panel on Accelerated AI Governance at SINET Scottsdale recently. The panel featured Sonia E. Arista, Brian Fricke, CISSP, CISM and Rick Orloff, CISSP, CAPI , who brought invaluable insights and ample humour to the discussion. Key topics included: 1. The expanding role of CISOs: Organizations are increasingly looking to CISOs for guidance on navigating AI risks. Some are open to the growing remit (‘Chief Digital Risk Officer’), while others are focusing on bootstrapping and scaling to appropriate organizational structures. Clarity in roles and responsibilities is essential in all scenarios. (Credit: Phil Venables for this future looking prompt) 2. Board Engagement and Reporting: Many companies are implementing AI-specific cyber reporting. Education for boards is crucial, especially regarding clarity on roles and responsibilities, particularly when CISOs take on expanded roles. 3. Risk Tolerance: It is timely to revisit discussions on risk tolerance as organizations strive to balance speed, innovation, and responsible development. 4. Data Strategy: Now is the perfect moment to enhance enterprise data strategies, which can also improve data security, focusing on identifying authoritative data sets, data catalogs, semantic models, and metadata management. 5. IP/Data Protection: This remains a top priority for risk and cyber executives. Our conversation explored everything from dedicated contractual terms to evaluating architectural patterns that safeguard IP and data during training and inference. A special thanks to Robert Rodriguez and Heather Rodriguez for fostering such an incredible community. I am always impressed by the strength of the relationships and the openness of dialogue.
-
Brian Fricke shared thisNot all #AI #Agents are the same and your #technologygovernance and #riskmanagement approach should scale accordingly. How have you defined it?
Experience & Education
-
AutoNation
View Brian’s full experience
See their title, tenure and more.
or
Licenses & Certifications
-
Human Capital and Talent Strategies
University of Miami Herbert Business School
-
-
-
-
ISO/IEC 20000: 2011
APMG-International
IssuedCredential ID ISO/US009091 -
-
Security +
CompTIA
Issued -
ITIL v3 Foundation - IT Infrastructure Library
EXIN
IssuedCredential ID 100341 -
-
GSLC - GIAC Security Leadership Certification
Global Information Assurance Certification
Issued ExpiresCredential ID 6388
Volunteer Experience
-
Chair of CISO Resource Group
Mid-Size Bank Coalition of America
- Present 2 years 9 months
Science and Technology
Curate annual programming, survey and best practice engagement for ~150 Member Bank CISOs.
http://midsizebanks.com/ -
Committee Member
Mid-Size Bank Coalition of America
- 2 years 1 month
Science and Technology
http://midsizebanks.com/
-
Advisory Committee on Cybersecurity for Executive Education
USF School of Public Affairs
- 5 years 1 month
Education
The Cybersecurity for Executives Certificate Program at USF Muma College of Business is a unique immersive learning experience. Participants work collaboratively in small teams to solve messy real-world problems with seasoned experts helping guide them along the way. Integrating technology into the learning experience, working professionals see how the best firms in the industry are employing digital safety technologies in new ways to drive innovative and valuable customer experiences.
-
Senior Information Assurance Analyst
Cyber Security Forum Initiative
- 2 years
Science and Technology
Subject Matter Expert in the Information Assurance (IA) group supporting the Chief Information Assurance Officer (CIAO). Assists in the development of information assurance strategies, policy and guidelines. Provides consultation in the development of processes to solve Information Assurance and Informaiton Security issues. Represents CSFI at various DoD and Federal meetings and symposiums. This is a volunteer position for a non-profit organization.
CSFI MISSION: “To provide Cyber…Subject Matter Expert in the Information Assurance (IA) group supporting the Chief Information Assurance Officer (CIAO). Assists in the development of information assurance strategies, policy and guidelines. Provides consultation in the development of processes to solve Information Assurance and Informaiton Security issues. Represents CSFI at various DoD and Federal meetings and symposiums. This is a volunteer position for a non-profit organization.
CSFI MISSION: “To provide Cyber Warfare awareness, guidance, and security solutions through collaboration, education, volunteer work, and training to assist the US Government, US Military, Commercial Interests, and International Partners.” -
Member Board Of Directors
OutServe
- 3 years 5 months
Civil Rights and Social Action
Determine and promote SLDN’s strategies, mission, vision and goals.
Support the Executive Director and assess his/her performance.
Ensure effective organizational planning.
Approve an annual budget and provide fiscal oversight.
Enhance SLDN’s public image.
Ensure legal and ethical integrity and maintain accountability.
Recruit and orient new Board members and assess the Board’s own performance. -
Boardmember
National Technology Security Coalition
- Present 2 years 1 month
Science and Technology
Participate in advocacy efforts, learn about the latest cybersecurity policy trends at events and roundtables, and gain access to some of the nation’s leading subject matter experts who serve on the NTSC Advisory Council and NTSC Policy Council.
Publications
-
A CISO’s Guide to a Robust Employment Agreement, Employment Risks, and Technology Risk Governance
SINET
A guide to keeping the interests of Technology Risk Executives aligned with the Board of Directors and Executive Officers before, during, and after a Data Security Incident. Discussing Liability, Insurance, Board Access, Risk Reporting, Legal Expense coverage, Separation & Severance, Risk Governance protections and much more!
Other authors -
-
Embracing the Jack of All Trades
Government CIO Magazine
See publicationThere is something to be said about mastering a particular skill, and people are often dubious of the “Jack of All Trades, Master of None” types. The federal government identifies its IT workforce staff as “IT Specialists” but there also is a place for IT generalists and it all comes down to an individual’s comfort zone and ability to find balance. CIOs, IT Directors and managers are comfortable operating in the unknown space that IS management. An individual rising high in their career finds…
There is something to be said about mastering a particular skill, and people are often dubious of the “Jack of All Trades, Master of None” types. The federal government identifies its IT workforce staff as “IT Specialists” but there also is a place for IT generalists and it all comes down to an individual’s comfort zone and ability to find balance. CIOs, IT Directors and managers are comfortable operating in the unknown space that IS management. An individual rising high in their career finds their decisions based more on increasingly ambiguous and uncertain information. They must pull from their portfolio of experience to make the best possible choices, often with blind spots. This is where having a well-rounded jack-of-all-trades IT generalist, having worked across the various disciplines, makes for a strong IT leader.
-
International Cyber Readiness Assessment Framework (ICRAF)
American Consortium on European Union Studies (ACES)
2012-13 American Consortium on European Union Studies (ACES) Grant recipient.
http://transatlanticrelations.org/content/aces-working-papers
An International Cybersecurity Readiness Assessment Framework©, (ICRAF©) was proposed as a standard measurement mechanism, a standardized “ruler”, providing a baseline assessment of a Nation’s readiness to operate in the connected world in which we live.
Other authors -
Projects
-
The Future of Secure Banking: An Alternative Method of Securing Transactions
This project included a paper and presentation that were prepared for Garanti Bank in Istanbul, Turkey. The presentation to Garanti Bank was given during our international residency in Istanbul and included:
• Overview of Banking Industry
- The movement to on-line transactions
- Innovation
• Garanti’s methods for cyber protection
- Comparison to other banks
• Transaction Security Breaches Impact on Business
- Common Business impacts of cyber security…This project included a paper and presentation that were prepared for Garanti Bank in Istanbul, Turkey. The presentation to Garanti Bank was given during our international residency in Istanbul and included:
• Overview of Banking Industry
- The movement to on-line transactions
- Innovation
• Garanti’s methods for cyber protection
- Comparison to other banks
• Transaction Security Breaches Impact on Business
- Common Business impacts of cyber security failures
• Threats to a Banking Sector Moving Online
- Threats to Online Transactions
- Mobile Transaction Threats
- Threats to the Turkish Banking Sector
• Data Protection Policies and Laws
- Turkey
- European Union
- International
- United States
- PCI Compliance
- Basel
• Conclusion and Recommendations
Other creators -
-
International Cybersecurity Readiness Assessment Framework
An International Cybersecurity Readiness Assessment Framework©, (ICRAF©) is proposed as a standard measurement mechanism, a standardized “ruler”, providing a baseline assessment of a Nation’s readiness to operate in the connected world in which we live.
Other creators -
-
Release Management Process Development Project
-
Defined, documented and implemented the Release Management Process to facilitate changes to our IT services taking a holistic (people, process, technology) view. Development included all aspects of a change including planning, designing, building, testing, training, communications and deployment activities of releases to both our fleet and shoreside envornments.
Other creators -
-
Remedy ITSM 7.5 Upgrade
-
Challenging project with lots of insight gained from the dynamic and vast configuration options of this system. Remedy ITSM is an amazingly complex and robust tool that requires far more planning and coordination than one might think. Very rewarding project.
Other creators -
Honors & Awards
-
2023 TOP GLOBAL CISO WINNER
Cyberdefense Magazine
https://cyberdefenseawards.com/top-global-cisos-winners-for-2023/
-
2023 CISOs Top 100 CISOs (C100) Winners
Security Current
https://securitycurrent.com/congratulations-to-the-2023-cisos-top-100-cisos-c100-winners/
-
2021 Top 100 CISO
Security Current
https://securitycurrent.com/congratulations-to-all-c100-awards-winners/
-
CSO50 Award Winner 2018
CSO Magazine
CSO50 Awards recognize 50 organizations (and the people within them) for their security project or initiative that demonstrates outstanding business value and thought leadership.
Organizations
-
GWU Veterans
Member
- Present
Recommendations received
2 people have recommended Brian
Join now to viewOther similar profiles
Explore more posts
Explore top content on LinkedIn
Find curated posts and insights for relevant topics all in one place.
View top content