Why $50 Bribes Are Breaching Enterprises
Dune Security CTO Michael Waite joins the Cyber Security Matters podcast to discuss how AI-driven social engineering is evolving, why legacy security awareness training no longer works, and how behavior-based risk quantification can better protect users from emerging threats.


On this episode of the Cyber Security Matters podcast, hosts Harry Baldwin and Matt Rose are joined by Dune Security CTO and Co-Founder Michael Waite to explore the growing threat of AI-driven social engineering. Michael explains how generative AI is enhancing attackers’ ability to execute real-time vishing, deepfake impersonations, and identity-based deception, making it increasingly difficult for employees to recognize these threats. He shares how attackers are combining AI with leaked personal data to bypass traditional security measures and target employees through off-channel and encrypted apps, areas where enterprises have no visibility.
Michael discusses why legacy, once-a-year security awareness training fails to address today’s sophisticated attacks and how Dune Security’s data-driven, behavior-based approach provides a much-needed shift. By quantifying user risk at an individual level, Dune tailors remediation to the behavior and role of each employee, delivering real-time, precise risk reduction. The conversation emphasizes the importance of rethinking how we secure the human element of cybersecurity, using the right tools to address the evolving landscape of threats.
Harry Baldwin:
Welcome to the Cyber Security Matters podcast. Your hosts today are me, Harry Baldwin, and Matt Rose. We are delighted to be joined today by Michael Waite. Michael is the co-founder and CTO of Dune Security, a company focused on protecting enterprises from modern social engineering threats. Michael's career spans building secure platforms, leading large-scale cloud migrations, and scaling security solutions for some of the world's biggest organizations. At Dune Security, Michael has helped grow the business from an idea into a venture-backed company, raising up to $8 million in pre-seed and seed funding while tackling one of the hardest problems in security today. Welcome to the show, Michael.
Michael Waite:
Hey, thank you so much for having me on. I'm looking forward to the conversation, gentlemen.
Matt Rose:
Our keen listeners will also note that this is another person joining us from Dune Security, so we'd encourage you to listen to David's episode, which we recorded a year or so ago. Michael, I'm really looking forward to learning more about you, your perspectives on the industry, your career so far, and all things really. But we always start the podcast with the same first question. Michael, how did you first get into the security industry?
Michael Waite:
You know, it's been an interesting journey. I started my career in enterprise consulting and did that for about 10 years. That’s where I learned all the things about tech. I was able to hone my skills, apply the things I learned from university, and learn about building large, high-performance, scalable systems. I learned how having copious amounts of good data enables robust and accurate decision-making. Then, through happenstance, I met my co-founder David, who has been in the cybersecurity space for years. I've always been interested in the space, and especially now over the last couple of years, there’s been a paradigm shift in cybersecurity. The types of attacks we’re seeing, the level of sophistication, and the number of successful attacks, it's just terrifying. There’s never been a better time to be involved. I was able to take what I learned about building large systems and working with big data sets with Fortune 50 companies and apply that to the problems enterprises are facing today in cybersecurity.
Harry Baldwin:
That’s really interesting. The consulting entry point is unique because we've had many people on who haven't had that specific background. What drew you to consulting in the first place?
Michael Waite:
It’s a good question. When I was graduating from university, I had my degree and was ready to get into technology, but I didn’t know exactly what I wanted to do. Consulting fascinated me because you get to work on many different types of projects with all sorts of companies facing different problems. You get to interface with upper-echelon folks at these large enterprises. I’ve always been passionate about continuous learning, and consulting provides exposure to unique and challenging problems. It’s a great place to start if you’re graduating and want to grow quickly. That experience helped me step into this role as co-founder and CTO and apply the knowledge I gained while scaling Dune Security.
Matt Rose:
That sounds like an amazing starting point. Consulting gives you so much exposure to different problems, and I’m sure it’s impacted the way you lead and have developed Dune Security today. I know Harry has more questions about your career, so I’m going to hand over to him.
Harry Baldwin:
Absolutely, thank you so much, Matt. Michael, from your perspective, are there any key influences or lessons you’ve taken from your consulting journey that shaped where you are today?
Michael Waite:
Yeah, definitely. During my consulting years, I had the pleasure of working with some of the most competent leaders I’ve ever met. They were managing directors on projects, senior leaders within the companies we were serving. I learned a lot about what good leadership is—facing really complex problems, the level of commitment and perseverance these leaders showed. It opened my eyes to what good leadership is and the importance of looking a problem in the eye and having the confidence to figure it out, even if you don’t know the solution right away.
What also stood out was the ability to understand an individual’s capabilities and build great teams. Good leaders are always building teams and know how to help people grow into their best version. As I lead Dune Security, I try to embody that—finding people who may not be perfect but have the potential to grow into the best versions of themselves.
Matt Rose:
That’s really insightful. Moving from consulting to co-founder and CTO, there’s a clear mindset shift. What was the biggest personal change for you in that transition?
Michael Waite:
It’s been an interesting shift. Early on, I was doing a lot of hands-on work—keyboard problem solving and building. But as the team grew, it naturally became more about strategy. I had to shift from individual delivery to strategic thinking, long-term planning, team building, and road mapping. It’s about making the right decisions today while setting up for growth in the future. It’s a transition from hands-on work to more deep strategy and planning.
Harry Baldwin:
You’ve had some great successes so far at Dune. Are there any moments or milestones you’re particularly proud of?
Michael Waite:
One thing I’m really proud of is the creation of our CISO advisory council. Early on, we wanted to make sure we were solving one of the toughest problems in cybersecurity: the human element. It’s easier to patch servers than to address the human side. So we built a council of top CISOs who’ve helped us shape our product, understand their pain points, and give us guidance. They’ve been instrumental in our success. We’ve been able to build something that truly solves the problem, thanks to their feedback.
Matt Rose:
The CISO advisory council sounds like a unique and effective model. What else would you say are the key themes of your success?
Michael Waite:
Our talent acquisition strategy has been critical. Back in consulting, the success of projects often came down to the team. So from day one at Dune, we focused on building the best team possible. It's not just about having people with the right skills but also aligning them with the mission. We look for people who are passionate about cybersecurity, especially the human element. Many solutions in the market just tick the box with awareness training, but they don't really address the root of the problem. Our team is committed to solving that with a more targeted approach to individual risk quantification and interventions.
Matt Rose:
I think it’s really interesting how much thought you’ve put into talent acquisition and aligning your team with the mission. Switching gears a bit, what do you think about the so-called skills shortage in the security industry?
Michael Waite:
That’s an interesting question. I don’t think the issue is necessarily a skills shortage, but rather a focus on soft skills. When hiring, I look for people who are naturally curious, excited by challenges, and motivated to learn. You don’t need to have every skill, but you need the desire to learn and the confidence to figure things out. Soft skills like curiosity and perseverance are more important than having a perfect skill set. Skills can be taught, but the mindset is harder to change.
Matt Rose:
I love that perspective, especially in a startup environment where things are chaotic. Let’s talk about the state of security at large enterprises. What’s your take on the health of enterprise security today?
Michael Waite:
It's a wide spectrum. Large enterprises, especially those with over 10,000 employees, have a lot of work to do, especially around the human element. Historically, enterprises have relied on standardized security awareness training, but it doesn’t move the needle. The threat landscape has changed dramatically in recent years. Today, attackers are shifting off traditional corporate devices and email and are using off-channel attacks, like personal WhatsApp messages. Enterprises don’t have visibility into these personal interactions, and that’s a big risk.
At Dune, we focus on a data-driven approach, quantifying individual risk and applying targeted interventions. Our platform has shown measurable improvements for our customers, with significant reductions in risk after about 12 months.
Harry Baldwin:
You’ve mentioned the shift to off-channel attacks and personal messaging. What are attackers actually seeking through these tactics? Is it always financial gain, or are there other motivations?
Michael Waite:
It’s a broad spectrum. Attackers might seek financial gain, but they’re also after data, access, or disruption. Sometimes they bribe employees in lower-cost regions, where even a $50 bribe can go a long way. We’ve seen successful attacks with bribes as small as that. Another common tactic is using open-source intelligence to gather data about individuals and then attempt to reset their credentials. A recent example of this was the MGM breach, where attackers used a targeted approach to reset credentials and cause massive disruptions.
Matt Rose:
Do you think small businesses are more at risk now, given that enterprises are increasing their security?
Michael Waite:
I think everyone is at risk. While enterprises are often targeted for their resources, the ease of launching attacks today means that startups, SMBs, and mid-market companies are equally vulnerable. The barriers to entry for cyberattacks are coming down, and with AI making attacks more sophisticated, no one is safe.
Harry Baldwin:
Let’s shift to AI. We often hear about its use by attackers, but how is AI being used defensively in cybersecurity?
Michael Waite:
It’s becoming AI against AI. The sophistication of attacks is increasing, so we need AI to protect ourselves. At Dune, AI is core to everything we do. We use it to assess business impact, look at risk at an individual level, and drive users’ journeys on the platform. AI helps us process vast amounts of data and apply targeted interventions without getting in the way of business operations. It's about quantifying risk, securing individuals, and using AI to enhance existing security infrastructure.
Harry Baldwin:
If you could change one thing about how companies approach security, what would it be?
Michael Waite:
I would shift the mindset from “tick the box” compliance to taking security seriously. Too many enterprises treat security as a minimum requirement, but the consequences of a breach are huge. Security needs to be a core part of the business, and everyone, not just the CISO, should take ownership of it.
Matt Rose:
Finally, what advice would you give to someone entering the cybersecurity industry?
Michael Waite:
Build a network. Meet people in the industry, learn what keeps them up at night, and get plugged into the community. Every CISO and security leader has their own set of challenges. Be creative, solve problems, and stay connected. Cybersecurity is evolving quickly, so embrace the changes, and don’t be afraid to learn and adapt.
Harry Baldwin:
Michael, thank you so much for joining us. It’s been an absolute pleasure.
Michael Waite:
Thank you, gentlemen. I really enjoyed the conversation.
Key Takeaways
- AI is amplifying social engineering attacks. Michael explains how generative AI allows attackers to carry out real-time, hyper-targeted phishing, vishing, and deepfake impersonations across email, voice, and encrypted apps, making detection more difficult.
- Traditional security awareness programs don't move the needle. Legacy programs focus on ticking compliance boxes rather than reducing risk, leaving employees vulnerable to sophisticated, omni-channel attacks.
- Most enterprise risk is concentrated in a small group. Michael points out that a small subset of users accounts for the majority of risk, highlighting the need for targeted remediation rather than blanket training.
- Quantifying individual risk is critical. Dune’s approach to measuring user risk based on behavior and role enables organizations to apply precise remediation where it matters most.
- A coordinated, multi-layered defense is essential. Michael stresses that even with strong infrastructure, user risk remains the biggest variable, requiring aligned efforts across people, process, and technology to protect high-risk users.