A conversation with Rod Schultz, CEO at Bolster, and Anthony Lauderdale, Founder and CEO at Magna Reign
The lines between cybersecurity and fraud are blurring. What was once a clear distinction between nation-state actors and opportunistic scammers has collapsed into a complex threat landscape where a teenager with basic tools can breach major corporations. In a recent fireside chat, two security leaders explored how this shift is forcing organizations to rethink their approach to both cyber and fraud.
The Collapse of Threat Boundaries
Anthony Lauderdale, who began his career at the FBI before moving to companies like Motorola, United Airlines, and Zoom, described how the threat landscape has fundamentally transformed over the past decade.
Pre-2016, the cybersecurity world operated in distinct layers. Nation-state actors wielded sophisticated zero-day exploits. Criminal syndicates like those behind the Target breach focused on profit through point-of-sale malware. Activists launched DDoS attacks in response to political disagreements. And at the bottom, script kiddies ran basic scams that were easy to spot.
Then everything changed. When groups like the Shadow Brokers leaked nation-state toolsets to the world, the barriers collapsed. WannaCry weaponized the leaked EternalBlue exploit to disrupt roughly 300,000 systems globally. NotPetya caused an estimated $10 billion in losses across companies like FedEx and Merck. Advanced persistent threat groups began planting false flags to masquerade as criminal gangs.
Most striking was the rise of groups like Lapsus$, where teenagers using basic social engineering successfully breached Nvidia, Microsoft, Okta, and Uber. As Lauderdale noted, “It’s really hard to differentiate between a nation state and a kid in the basement.”
The introduction of AI has eliminated the remaining technical barriers. Large language models now write convincing phishing emails and generate malware, making sophisticated attacks accessible to anyone. The telltale signs of fraud have largely disappeared.
Rod Schultz, CEO at Bolster, compared the shift to moving from “a light rain to a storm.” These attacks can now be duplicated and distributed instantly, erupting at unpredictable times and scales. “They don’t have to come from the god of thunder anymore or a nation state,” he explained. “It comes from a kid or a set of kids who are kind of bored looking to make some money.”
Why Fraud Remains the “Little Brother” of Cyber
Despite the growing threat, fraud continues to be treated as secondary to traditional cybersecurity. Schultz attributes this to organizational structure. While the CISO role has risen in prominence over 25 years (now appearing on boards and carrying significant liability), fraud lacks a clear owner in most organizations.
Schultz recalled a VP at Zoom saying, “I need one person to own this because I need a single throat to choke.” When fraud is a committee problem, everyone can point fingers. Without a single point of accountability, it becomes difficult to address the rising frequency and impact of AI-generated fraud.
Lauderdale echoed this challenge from his government experience. In the FBI, he could assemble a consistent team to work a fraud case. In the private sector, budget constraints and fragmented KPIs slow response times dramatically. “If it takes six to nine months to get a budget, it’s too late at that point,” he said.
The Compliance Trap
One of the most provocative points in the discussion centered on where security programs invest their resources. Lauderdale argued that most organizations are overinvested in governance, risk, and compliance initiatives while underinvested in real-time detection and response.
The problem isn’t malicious; it’s philosophical. GRC frameworks provide language that boards understand. When sales teams can quantify that achieving SOC 2 certification will unlock $20 million in deals, the ROI is clear. But how do you quantify the value of preventing a breach that hasn’t happened yet?
This leads to a dangerous assumption: that compliance equals security. “Name a company that wasn’t compliant when they were breached,” Lauderdale challenged. “You can’t name one because they all have SOC 2, ISO, whatever the case may be.”
Compliance is measurable. It involves checklists, policies, and audits that teams can complete and check off. Detection and response capabilities are harder to justify until an incident occurs, and by then it’s too late.
Schultz framed this as the difference between static and dynamic security. Static programs like SOC 2 are easy to measure and budget for. Dynamic threats (protecting against evolving attack surfaces and brand impersonation) are harder to quantify and show ROI on, despite being critically underinvested.
When Remote Work Created New Vulnerabilities
The shift to remote work exposed gaps in organizational security that many companies hadn’t anticipated. Lauderdale shared a striking example from his consulting work: an employee who was never on camera, rarely spoke in meetings, but produced good work.
Investigation revealed that the employee had flown to another country immediately after being hired and left the company laptop there for someone else to do the actual work. The employee collected a $250,000 salary while paying the stand-in $50,000. The result was a massive insider threat: an unvetted third party held the device, credentials, and access of a trusted employee.
This case illustrates a broader challenge. Pre-pandemic security relied on physical visibility and social reinforcement. Now, with drop-shipped laptops and virtual onboarding, how do organizations verify that the person they hired is the person doing the work?
The answer, according to both experts, is continuous monitoring rather than point-in-time authentication. Security can no longer be a one-time verification at hiring. Organizations need systematic processes to validate identity and behavior throughout employment.
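One concrete form of the continuous monitoring described above is to correlate device check-ins with what HR believes about each employee, rather than verifying identity once at hiring. The script below is an added example, not code from the fireside chat or from either company; it assumes an HR record of each employee's declared work country and a check-in feed (for instance from an MDM agent or VPN gateway) that already resolves a source country. The employee names, device identifiers, and log lines are constructed for illustration. It flags two patterns: a device whose recent check-ins all come from outside the declared country (the laptop-left-abroad case) and two check-ins by the same user from different countries too close together to be physical travel.

```python
"""Continuous identity checks over constructed endpoint check-in logs.

Added example, not from the original article. Assumes an HR feed of declared
work countries and a device check-in feed with a resolved country per event.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR data (hypothetical employees): user -> declared work country.
DECLARED_COUNTRY = {
    "alice": "US",
    "bob": "US",
}

# Constructed check-in log, one event per line:
#   <ISO-8601 timestamp> user=<id> device=<id> country=<ISO country code>
CHECKIN_LOG = """\
2024-03-01T09:02:00Z user=alice device=LT-0142 country=US
2024-03-01T09:15:00Z user=bob device=LT-0177 country=US
2024-03-02T08:58:00Z user=alice device=LT-0142 country=US
2024-03-02T03:40:00Z user=bob device=LT-0177 country=BR
2024-03-03T03:52:00Z user=bob device=LT-0177 country=BR
2024-03-04T04:10:00Z user=bob device=LT-0177 country=BR
2024-03-04T09:05:00Z user=alice device=LT-0142 country=US
2024-03-04T10:05:00Z user=alice device=LT-0142 country=DE
"""


def parse_checkins(text):
    """Parse the key=value log format into dicts, sorted by user then time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": fields["user"],
            "device": fields["device"],
            "country": fields["country"],
        })
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def find_relocated_devices(events, declared, min_consecutive=3):
    """Flag (user, device) pairs whose trailing run of check-ins, at least
    min_consecutive long, all come from outside the user's declared country.
    Returns (user, device, last_country, run_length) tuples."""
    by_device = defaultdict(list)
    for e in events:
        by_device[(e["user"], e["device"])].append(e)
    findings = []
    for (user, device), evs in by_device.items():
        home = declared.get(user)
        run = 0
        for e in reversed(evs):          # count back until a home-country check-in
            if e["country"] == home:
                break
            run += 1
        if run >= min_consecutive:
            findings.append((user, device, evs[-1]["country"], run))
    return findings


def find_impossible_travel(events, max_hours=6):
    """Flag consecutive check-ins by one user from different countries that are
    closer together than max_hours. Country-level is a coarse proxy; a real
    deployment would use coordinates and a speed threshold."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["ts"] - prev["ts"]
            if prev["country"] != cur["country"] and gap < timedelta(hours=max_hours):
                findings.append((user, prev["country"], cur["country"], gap))
    return findings


if __name__ == "__main__":
    evs = parse_checkins(CHECKIN_LOG)
    for f in find_relocated_devices(evs, DECLARED_COUNTRY):
        print("relocated device:", f)
    for f in find_impossible_travel(evs):
        print("impossible travel:", f)
```

On the constructed data, bob's laptop is flagged after three straight check-ins from BR against a declared US location, while alice's US-to-DE pair an hour apart is flagged as impossible travel. Both rules are deliberately simple; the point is that they run on every check-in, so a device that quietly changes hands after onboarding surfaces within days rather than never.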
Practical Advice for Security Leaders
When asked how to frame risk in terms of attacker readiness versus compliance, Lauderdale recommended using frameworks like MITRE ATT&CK to identify gaps, then connecting them to actual incidents or tabletop exercises.
“Never let an incident go to waste,” he advised. Public breaches at companies like Okta, Microsoft, or Nvidia provide lessons learned that can be surfaced to leadership. If low-level social engineering compromised another organization, that’s the perfect opportunity to request better security awareness training or additional controls.
For organizations struggling with impersonation threats amid overwhelming noise, Lauderdale emphasized understanding your specific vertical and talking to frontline teams. A banking company with a 1-800 number will face different impersonation risks than other industries. Spending time with threat intelligence teams and call centers reveals which threats actually matter most.
The Mindset Shift: Upstream Fraud Leads to Downstream Cyber Crime
Schultz identified an important evolution in how savvy CISOs are thinking about fraud. They’re recognizing that upstream fraud (fake websites, brand impersonation, phishing infrastructure) leads directly to downstream cyber-enabled crime.
Five years ago, these challenges were owned by brand and legal teams. Now they’re migrating into threat intelligence and security operations centers because the impact is undeniable. Fraud is finally becoming a first-class topic in cybersecurity discussions.
Unpopular Opinions on the Future
Both leaders closed with contrarian takes on where the industry is headed.
Schultz argued that the RSA Conference has become nearly impenetrable for decision-makers trying to understand real value propositions amid marketing smoke and mirrors. As fraud amplifies cybersecurity challenges, the industry needs to communicate true value more clearly and measurably.
Lauderdale pushed back on the AI hype cycle. “You can’t LLM your way out of the trust problem,” he said. While AI can summarize logs and mimic tone, it can’t build culture, enforce identity integrity, or replace judgment forged through experience.
AI models rely on well-labeled data, structured environments, and clear baselines, none of which exist in most security programs where data is messy and contexts are complex. Rather than autonomous AI-powered security operations centers, the realistic future is a hybrid model where AI augments human decision-making but doesn’t replace it.
“We’ll still need people to validate these findings,” Lauderdale concluded. “The tools will evolve, but human intuition, critical thinking, and pattern recognition remain indispensable.”
The Bottom Line
The convergence of cyber and fraud represents both a challenge and an opportunity for security leaders. As AI democratizes sophisticated attacks and remote work expands attack surfaces, organizations can no longer afford to treat fraud as someone else’s problem.
Success requires clear ownership, continuous rather than point-in-time security, balanced investment beyond compliance checkboxes, and recognition that the human element (both as threat vector and defender) remains central to security.
The storm isn’t coming. It’s already here. The question is whether security programs will evolve fast enough to meet it.
This article is based on a fireside chat hosted by Bolster featuring Rod Schultz, CEO at Bolster, and Anthony Lauderdale, Founder and CEO at Magna Reign.