Tag: cybersecurity

  • Urgent Alert: Spot Fraudulent Job Offers Impersonating Pendo—and Protect Your Career

    Urgent Alert: Spot Fraudulent Job Offers Impersonating Pendo—and Protect Your Career

    In my role leading product management, I take brand trust and cybersecurity seriously—especially when it affects people’s livelihoods. Over the past few weeks, I’ve seen a troubling uptick in brand impersonation and social engineering targeting candidates. It’s a reminder that protecting our community isn’t just a technical problem; it’s a product management leadership and stakeholder management responsibility.

    We want to warn you about recent instances of fraudulent job offers purporting to be from Pendo and/or its affiliate companies.

    If you receive an unexpected outreach claiming to be from Pendo with a fast-track offer, requests for payment, or a push to move conversations to informal channels, treat it as a red flag. Scammers often spoof logos, clone profiles, and use vague role descriptions to create urgency. Their goal is to extract personal data, money, or access—classic social engineering tactics that undermine data governance and privacy-by-design principles.

    Here’s how I advise candidates to protect themselves while keeping their job search momentum. Validate every opportunity through the company’s official careers page and confirm the recruiter’s identity through corporate channels. Check that email addresses and domains match publicly listed corporate information, and be wary of communication conducted exclusively through messaging apps. Never pay fees, buy equipment up front, or share sensitive data like Social Security numbers or banking information before a formal, verified offer is in place.

    If something feels off, pause and verify. Contact the company via the channels listed on its website, ask for a video meeting with the recruiter using an official corporate account, and request written details on the role and interview process. If it’s fraudulent, report it to the company, the platform where the outreach occurred, and—when appropriate—local authorities. Acting quickly helps with threat detection and response and protects other candidates from harm.

    From a product and security perspective, this is a cross-functional issue that benefits from AI risk management discipline. Strong signals include clear public guidance on recruiting practices, a dedicated reporting mailbox for suspected scams, and hardened email authentication (SPF, DKIM, DMARC). Pair these with privacy-by-design reviews for hiring workflows, recruiter verification checklists, and ongoing education for talent teams. These measures reduce attack surface while reinforcing brand integrity.

    If you believe you’ve shared information with a fraudulent recruiter, take immediate steps: change any reused passwords, enable two-factor authentication, place fraud alerts or freezes with credit bureaus as appropriate, and monitor accounts for suspicious activity. Document all communications; they can help security teams and platforms act faster.

    Recruitment fraud is emotionally taxing and can erode confidence in the process. Don’t let scammers slow your momentum. Stay vigilant, verify before you trust, and share this warning so others can avoid similar traps. If you’re ever unsure about a message that appears to come from Pendo, pause, validate through official channels, and prioritize your safety first.

    Inspired by this post on Pendo – Perspectives.

    Book a consult png image
  • WTF is MCP? The powerful protocol giving enterprise AI agents real-world autonomy

    WTF is MCP? The powerful protocol giving enterprise AI agents real-world autonomy

    I get asked this constantly by boards, CIOs, and product teams: WTF is MCP, and why does it matter for enterprise AI? Here’s my straightforward take from the trenches of rolling out agentic AI across complex, regulated environments—and why it changes how we design, govern, and scale autonomous capabilities.

    “Model Control Protocol gives your AI agents arms and legs to go do stuff with your data.” That framing resonates because it’s both simple and accurate. MCP turns passive “chatbots” into active agents that can safely take action within defined guardrails.

    In practice, MCP is the connective tissue between models and the tools, systems, and workflows we trust. It standardizes how agents request permissions, execute tasks, and report outcomes—so enterprises can move from demos to durable operations. The benefit isn’t just autonomy; it’s autonomy with accountability, aligned to our AI Strategy and data governance obligations.

    When I pilot agentic AI in production, I start with a narrow scope: which systems the agent touches (for example, CRM integration via HubSpot), what actions it can take (read, write, or propose), and what evidence it must log (inputs, outputs, and approvals). That discipline keeps us compliant with privacy-by-design while unlocking real business impact.

    Great MCP use cases emerge where read-write actions compress time-to-value. Think: pulling Amplitude analytics cohorts to personalize outreach, auto-generating Pendo in-app guides based on feature adoption, or triggering customer support workflows with predefined playbooks. Each action is observable, reversible, and measured—because in the enterprise, repeatability beats novelty.

    From a product management leadership perspective, I treat MCP-enabled agents like any other product surface. We define clear outcomes, not outputs: success rate per task, mean time to resolution, quality score, and safety incidents. We validate uplift with A/B testing and a minimum detectable effect (MDE) before scaling. Then we feed results into an Agent Analytics dashboard, just as we would for product-led growth funnels.

    Governance is where MCP earns trust. I enforce least privilege, time-boxed credentials, environment isolation, and tamper-evident audit logs. Every tool call is tied to a business purpose, owner, and SLA. We integrate with existing threat detection and response processes so cybersecurity teams see the same telemetry they’re used to—no shadow AI, no surprises.

    There’s also an adoption playbook that works: start with a contained domain, ship a sandboxed agent, require human-in-the-loop approvals, then progressively relax controls as accuracy and alignment improve. Document the boundaries in plain language, and instrument everything from day one. This is how we de-risk AI risk management while accelerating impact.

    The most exciting shift is cultural: teams move from asking “Can the model do this?” to “What outcomes should the agent own—and what guardrails make that safe?” That mindset unlocks empowered product teams, clearer ownership, and faster iteration. MCP is simply the operational backbone that lets those choices stick.

    If you’re evaluating where to start, pick one workflow with high frequency, clear rules, and measurable outcomes. Wire it to MCP with tight scopes, ship it to a friendly cohort, and learn aggressively. Autonomy isn’t the end goal—reliable, governed value is. MCP just makes that scalable.

    Inspired by this post on Pendo – Best Practices.

    Book a consult png image

  • 3 Powerful Ways AI Is Reshaping Cybersecurity—from Ruthless Attacks to Rapid Defense

    Every week, I watch the cybersecurity landscape bend under the pressure of AI. The pace isn’t linear—it’s compounding. What worked for IT teams last quarter often needs a rethink today, and the difference between merely coping and truly competing lies in how quickly we adapt our strategy, tooling, and operating rhythms.

    Learn the ways in which AI is transforming both cybersecurity offense and defense for IT teams.

    From my vantage point leading product strategy, I see three shifts that matter most right now: AI is supercharging attackers, accelerating defenders, and reshaping governance. Together, they redefine how we prioritize investments, measure risk, and align product and security roadmaps.

    First, AI has leveled up the offense. Large language models can industrialize social engineering—hyper-personalized spear-phishing at scale, deepfake voice notes that spoof executives, and highly convincing support chats that trick users into bypassing controls. Code-generation tools lower the barrier to crafting polymorphic malware and automating reconnaissance. The net effect is ruthless efficiency: more credible lures, faster campaigns, and broader reach with fewer human operators. I now assume adversaries have an AI co-pilot—and plan defenses accordingly.

    Second, AI is accelerating the defense. Modern detection and response stacks are moving beyond rules to behavioral analytics—correlating identity signals, endpoint telemetry, and network events to spot subtle anomalies that signature-based tools miss. Copilot-style assistants are augmenting SecOps by summarizing incidents, explaining probable root cause, and proposing next steps. The aim isn’t blind automation; it’s decision acceleration—shrinking mean time to detect and respond while reducing analyst toil. On the build side, AI-assisted code scanning and dependency analysis help teams shift security left, catching vulnerabilities earlier and turning secure defaults into muscle memory.

    Third, governance is being rewritten in real time. As AI models ingest sensitive data and generate code and content, data governance and privacy-by-design move from compliance checklists to active risk management. We’re formalizing AI risk management alongside traditional AppSec: model inventories, usage policies, red-teaming prompts, and guardrails against prompt injection and data leakage. Identity remains the control plane—zero trust principles, least privilege, and continuous verification become nonnegotiable. I’ve found that aligning security, product, and IT leadership on a single policy-as-code backbone prevents drift and keeps audits predictable.

    Practically, I guide teams to start with a crown-jewel inventory: What data and systems would materially impact customers, revenue, or brand if compromised? Map data flows, instrument comprehensive telemetry, and prioritize detection coverage where it matters most. Choose AI to augment before you automate—prove the loop with humans in the middle, then graduate to higher autonomy levels with clear rollback paths and audit logs.

    Culturally, this is a product problem as much as a security one. We bring empowered product teams and SecOps into the same room, set measurable objectives (signal-to-noise ratio, mean time to contain, escaped defect rate), and iterate with the same cadence we use for product features. When security outcomes are treated as customer outcomes, adoption soars and friction recedes.

    The takeaway: AI has tilted the field, but not inevitably against defenders. With a clear AI strategy, disciplined data governance, and pragmatic automation, IT leaders can turn reactive security into a proactive advantage—meeting attackers’ speed with speed, and outlasting them with better judgment.

    Inspired by this post on Pendo – Perspectives.

    Book a consult png image