In this episode of The Chasing Entropy Podcast, I talk with Matt O'Leary, who leads M&A and strategic partnerships at 1Password, about what changes when security is tied directly to the product, the brand, and the deal itself.

The core idea is simple. When a company makes an acquisition, it inherits the whole business, not just the part that looked attractive in the pitch. That includes the technology, the team, the process gaps, the legal exposure, and any security weaknesses that were not obvious at first glance. O'Leary makes the case that strong dealmaking starts with risk discipline, because a transaction only creates value if the company can integrate what it buys without importing problems that slow everything down.

He also explains that good corporate development starts with the roadmap, not the deal. An acquisition makes sense when it helps the company move faster than building on its own. That is why corp dev has to stay tightly aligned with product, engineering, and security leadership. In a cybersecurity company, technical diligence carries extra weight. If a target has a serious security or technology issue, that is not a detail to clean up later. It is a reason to walk away.

The conversation also sharpens the distinction between partnerships and acquisitions. O'Leary argues that deep partnerships can create major leverage because they expand reach, increase product value, and connect a platform to the tools customers already use. But they also transfer risk. If two companies are tightly integrated, trust becomes shared. A failure on one side can damage both. In that sense, partnerships may be lighter than acquisitions, but they still demand the same seriousness around diligence, reputation, and customer impact.

One of the strongest parts of the episode is the discussion about integration. O'Leary is clear that post-close integration is the hardest part of M&A. Retaining key people, understanding founder motivation, aligning technical architecture, and planning how products and teams will come together all matter before the announcement, not after. The lesson is practical. Do the hard work up front. Know what has to be true on day zero, and what could break if it is not handled early.

For anyone interested in corporate development, O'Leary’s advice is direct. Curiosity matters more than a fixed career path. The best operators learn across functions, ask better questions, and build enough context to understand how product, security, legal, and finance decisions connect. For founders, his advice is just as clear. Build relationships with corp dev teams before you want an outcome. Trust and credibility take time, and good deals depend on both.

Listen to the full episode, then pull up your current acquisition or partnership checklist and pressure-test it against the issues raised here: roadmap fit, technical and security diligence, founder retention, integration readiness, and customer communication.

In this episode of The Chasing Entropy Podcast by 1Password, I speak with Dustin Heywood, known to many as EvilMog, executive managing hacker and senior technical staff member at IBM. The conversation stays grounded in real security work, from password cracking and Active Directory abuse to AI privilege creep and quantum planning. The through line is simple, most security failures start with access, trust, and bad assumptions about how systems behave under pressure.

Heywood’s background explains why he sees the problem this way. He came up through network engineering, military communications, enterprise infrastructure, and offensive security. That path matters because his view of security is operational, not theoretical. He keeps coming back to one point, businesses are not trying to be secure for its own sake. They are trying to keep operating. Security has to support that goal or it gets bypassed.

A big part of the episode focuses on agentic AI. Heywood argues that AI is exposing access problems that were already there. Service accounts already had too much privilege. Internal systems already trusted broad integrations. AI agents just make those weaknesses easier to trigger at scale. His main concern is the gap between identity and intent. A user might want an agent to buy concert tickets under a clear budget and time window, but today’s systems rarely encode that level of permission. In practice, the agent often gets broad backend access and can do far more than the task requires.

That leads to the episode’s strongest point about machine identity. Most organizations still think clearly about human access and far less clearly about machine access. That model does not hold up when a company has thousands of employees and tens of thousands of machine identities tied to services, devices, integrations, and automation. If those identities are overprivileged, an AI layer on top of them becomes a force multiplier for existing risk.

The discussion then shifts to quantum threats, and Heywood makes the issue concrete. He is less focused on dramatic “decrypt everything later” scenarios and more focused on the systems around the data. If quantum-capable attacks weaken the trust layers behind OpenID Connect, SAML, certificate authorities, VPN certificates, and federation systems, attackers do not need to break every encrypted file directly. They can go after the identity and key infrastructure that grants access. That is the planning problem security leaders need to understand now.

His advice on crypto agility is practical. Start with inventory. Know where cryptography lives in your environment, how certificates are issued and renewed, and what would have to change if a major algorithm or trust model becomes unusable. He also points out that many companies still struggle with certificate management at a basic level. If certificate rotation is manual, the organization is already behind. Automation is not optional here.

On credentials, Heywood takes a hard line that is worth adopting, assume every password entered into a remote system will eventually leak. That changes the goal. The answer is not more password theater. The answer is unique credentials, automated rotation where possible, stronger storage, and lower user friction. If security makes daily work harder, people will work around it. He is blunt about that, and he is right.

This episode is most useful for security leaders who are dealing with AI adoption, identity sprawl, legacy authentication, or PKI debt and need a clearer way to frame risk. Heywood does not treat security as a checklist exercise. He treats it as a systems problem tied directly to business operations, user behavior, and the cost of getting access control wrong.

Cyber conflict makes more sense when you stop treating it like a technical sideshow and start looking at history, doctrine, and political intent. In this episode of Chasing Entropy, Dave Lewis sits down with analyst and author Allie Mellen to discuss the ideas behind her book Code War, and why the cyber strategies of the United States, China, and Russia reflect much older national patterns.

Mellen’s central argument is clear. Cyber attacks are powerful, but not because they replace conventional force. They matter most when they are coordinated with military action, intelligence work, and influence campaigns. That thread runs through the whole conversation, from the Gulf War to Russia’s war in Ukraine. The point is not that cyber stands alone. The point is that cyber becomes far more effective when it is part of a larger campaign with a defined objective.

That framing leads to one of the episode’s strongest ideas, history still shapes how nations operate online. Mellen traces the US approach back to a culture of experimentation and technical tinkering. China’s cyber ecosystem grew out of hacktivism and state-linked talent pipelines. Russia’s path was shaped by post-Soviet collapse, where cybercrime became tied to survival and later overlapped with state interests. Those origins still show up in how these countries organize teams, define targets, and pursue advantage.

The conversation also pushes back on the way cyber conflict is usually portrayed. Pop culture tends to reduce it to a screen full of code and a few elite operators. Mellen argues that this misses the real story. Cybersecurity is technical, but the motivations behind cyber campaigns are understandable. Power, leverage, coordination, survival, influence. Those are not obscure concepts. They are the same forces that shape conflict everywhere else. One of the more memorable examples in the episode is her explanation of how WarGames helped push US policymakers to take computer security seriously in the 1980s. Public narratives matter, even when they get the details wrong.

Another key theme is attribution. Mellen argues that defenders need to understand who is behind an operation, not just what malware was used. Attribution helps explain motivation, likely targets, and what may come next. That matters for governments, but it also matters for enterprises building realistic threat models. If you understand how a group operates and what it wants, you can make better decisions before the next incident lands.

The final stretch of the episode focuses on AI, and the tone is sober. Mellen sees real value in automation, especially where AI can speed up workflows and reduce manual effort. She also sees a harder problem taking shape. AI lowers the cost of deception, makes false flag activity easier, and complicates attribution. Add that to a more fragmented internet and a more unstable geopolitical environment, and the result is a tougher operating environment for defenders.

This episode is a strong listen for anyone trying to understand how cyber power actually works in practice. Listen to the full conversation, pick up Code War, and then review whether your threat model still treats cyber as a stand-alone technical problem. That assumption is getting harder to defend.

Click for Allie's Book