From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

IT Brew

Software Development

Caroline Nihill

itbrew.com

What do a kitchen and an IT group have in common? More than one would think, actually.

Myke Lyons, now the cybersecurity and information security officer (CISO) for Cribl, a software company that specializes in data solutions and tools for security and IT teams, started his career in culinary school before realizing he had a passion for cybersecurity and IT.

Lyons said that he loves watching individuals early in their cyber careers “go through these epiphany moments when you could just look in their face and see that they just unlocked a box that they’ve been trying to get unlocked for a while.”

What gets him excited, he adds, is “the human side of seeing people just flourish and grow and do things they didn’t think were possible.”

Lyons sat down with IT Brew to share how he went from serving up deliciousness in culinary school to protecting servers as a CISO.

The conversation has been edited for length and clarity.

Why were you interested in being a chef, and what that was like?

I went to culinary school with the full intent to become a chef. It was very early, and the things like food TV were not that long out, maybe only a couple of years, and I had a great experience cooking. I’ve been cooking since I was 14, 15 in restaurants, [but] I ended up getting a summer job. The summer job was at a large advertising agency, and they had just won the Xerox printer advertising business and the printers they had everywhere were HP printers…Immediately, overnight, these HP printers became the worst printers in the whole wide world, because they weren’t Xerox. I got to move computers around, these giant printers around, in the back of a cart.

There was a woman who was helping me at the time…She taught me some of the very early basics of what a printer driver was, what a three-and-a-half-inch floppy disk was.

My wife…taught me how to copy and paste, so I was not a tech person.

How did you get interested in technology and what was transferable from being in culinary school, if anything at all?

One of the things that I discovered was that so much of the culinary field, oriented around recipes and processes, this has to happen and then that has to happen, started to just map back into the way that technology was deployed.

Very quickly, after moving these printers, within a matter of days people…would ask me for an additional level of help because I was an IT person at that point. Even though I didn’t really know anything about it, I was still part of the IT team. I remember being asked, “Hey, well, since you’re here, can you look at my email?” Something to that effect. I didn’t want to say “no,” because in my interpretation, everyone—because I came out of a service industry—was an executive. It didn’t matter what role they were.

The thing I found pretty interesting when I was looking around on the search engines at the time, which was not Google, I would end up in these forums. It turns out that they were hacker forums and there were people talking about all different stuff…learning how to make a key generator so you could enter a key into a software package that you may or may not have paid for. And they would talk about the algorithms there. Then there was the idea of ports and IT addresses.

[I was] sort of obsessively going after all this information and learning all this information…In the back of my mind, I realized a couple things. If I could just say, do I have my preparedness: [Do] I have the software that I need, I have the hardware I need, I have the program…that I need; these would be what you would equate to as 

 in the culinary world, which is effectively all your ingredients prepared and ready to go and you could then do whatever the activity was.

So, now you’ve made this journey into being a CISO, what keeps you up at night?

I think I have fairly typical CISO traits. Stuff that keeps me up at night are that attackers are way more persistent than ever. Where we are now, where these are exceptionally large, complicated businesses with CEOs and CFOs and they run tons of different activities like every other business in the world would run, and it’s just unreal. Why I say that’s so concerning is because [bad actors are] dedicated to effectively watching me slip-up or having some weakness.

There’s also a significant amount of stigma attached to the mistake, to getting compromised, and I think what keeps me up at night is that we haven’t been able to detach the stigma from the event.

I feel that people are being attacked in more complicated ways than they could ever imagine. I’m sure you’ve received a million text messages that say things like, “Hey, how are you?” or “Hey, I’m gonna miss dinner tonight,” or some text from a number you’ve never seen. I get 10 a day, so what keeps me up at night is someone clicking on one of those things.

[I] also would say that AI adoption is keeping me up at night. Not me adopting it, not my company adopting it—I couldn’t be more excited and I think that’s going to improve our businesses massively. But the fact that when we adopt AI, as a company, we have to be very thoughtful. These attackers, they’ve been adopting AI way before us, and they are full-on using it day in and day out.

A cutout of a man, Myke Lyons, CISO at Cribl, breaking the frame of an abstract shape with diamond shaped icons on each side.

 Meet chef-turned-CISO Myke Lyons

Lyons sat down with IT Brew to share how he went from culinary school to a CISO role.

Brianna Monsanto

The foundations that support public open-source infrastructure say the times are a-changin’—and organizations need to pick up the slack.

 published to the Open Source Security Foundation’s website on Sept. 23, several stewards of public open-source infrastructure were candid about the massive financial constraints they’re facing due to increased expectations and demands from organizations who rely heavily on their public package registries (like Maven Central, PyPI, and OpenVSX) for software development.

While the stewards claim to serve billions of downloads per month, they said their services are only funded by a small number of commercial vendors and nonprofits. The majority of “large-scale users” consuming their services do so in an unsustainable manner, they added.

“Most of these systems operate under a dangerously fragile premise: They are often maintained, operated, and funded in ways that rely on goodwill rather than mechanisms that align responsibility with usage,” the stewards wrote.

The letter was signed by a total of eight organizations, including the OpenJS Foundation, Python Software Foundation, and Sonatype.

In their letter, these stewards called attention to the “enormous strain” that continuous integration systems and large-scale scanners place on open-source infrastructure. They said GenAI and agentic AI are also to blame as the emerging technology continues to drive an “explosion of machine-driven, often wasteful automated usage.”

Mike Milinkovich, executive director of the Eclipse Foundation, told IT Brew that the stewards are unable to increase funding at the pace of these increased demands, adding that the business model powering their community is “broken.” He said demand for OpenVSX, for example, has seen a fourfold increase in demand (i.e., number of downloads) in the past year, with no increase in funding during that time.

“We don’t have a business model that links demand to revenue,” Milinkovich said. “And basically this letter is telling the world we have got to get there.”

Increased demand is not all that stewards are juggling. Milinkovich said some also grapple with the increased expectation of making sure repositories are protected from 

“There’s this steady little incremental, drip, drip, drip of, ‘You need to do more. You need to do more. You need to do more,’” Milinkovich said. “And I think we’re here to say that the camel’s back is broken and we collectively need help.”

In their letter, the eight organizations provided a short list of things organizations and individuals can do to alleviate the current operational burden. This includes staying educated on the funding models and needs of the different foundations, supporting foundations financially through memberships and sponsorships, and more conscious usage.

The stewards asserted individual players in the open source ecosystem will “adopt the approaches that make the most sense in its own context.” However, they suggested several moves in the letter that could help address the current problem within their industry, such as establishing partnerships with commercial and institutional entities and enforcing tiered access models that provide larger consumers with “scaled performance.”

“These are not radical ideas,” the stewards wrote. “They are practical, commonsense measures already used in other shared systems, such as internet bandwidth and cloud computing.”

Stewards of public open-source infrastructure say it’s time to change how it is funded

Most of these systems operate under a dangerously fragile premise: They are often maintained, operated, and funded in ways that rely on goodwill,” write stewards of public open-source infrastructure.

Stewards of public open-source infrastructure say a better funding model is needed

Life is full of trade-offs. A late-night Uber may get you home faster, but for a higher price than walking. A pair of cute heels may win you compliments, but can hurt your feet…and AI coding may speed up development, but can open your software to large security risks.

 from agentic application security platform Apiiro suggests AI coding assistants might speed up developers’ workflow at a hefty security-related cost.

Apiiro researchers examined code from thousands of code repositories produced by developers from Fortune 50 companies. They concluded that AI-assisted developers produced 3-4 times more commits than regular coders, but had fewer push requests, a crucial part of the coding process that enables other team members to review code.

“If the pull request is very large [and] it contains a lot of code, it’s really hard to do a proper review because it overloads the security review that you need to do,” Apiiro Product Manager Itay Nussbaum told IT Brew.

Apiiro researchers also claim that while AI-written code had significantly fewer syntax errors and logic bugs, it often opened the door to much larger issues. 

 paths increased 322% in AI-assisted coding compared to standard-written code. Meanwhile, architectural design flaws jumped 153%.

“In other words, AI is fixing the typos but creating the timebombs,” the report wrote. “That makes reviews and automated scans less effective, and raises the stakes for context-aware analysis at design and code time.”

As of June, Apiiro said AI code produced 10,000 new security findings per month, a ten-fold uptick since December 2024.

Apiiro’s research echoes several concerns around AI-assisted coding as it continues to make waves across the industry. IT Brew has previously reported on the 

Quentin Rhoads-Herrera, VP of security services at Stratascale, told IT Brew that he leverages AI-assisted coding in his personal life and has seen firsthand the risks that come with it.

“I’ve seen pretty much everything I’ve coded as a hobby has vulnerabilities in it because it’s just giving me working code to my exact request, not looking at what the best practices are,” Rhoads-Herrera said.

Nussbaum said AI-assisted developers should make sure they have protective mechanisms in place, such as automating the security review process, to protect themselves from vulnerabilities.

Rhoads-Herrera also advised AI-assisted teams to continue to keep the human in the loop: “The human review of all the code is still very critical.”

Opened ai hand with falling red binary code and scattered red arrows.

AI is fixing coding typos, but creating ‘timebombs’: report

As of June, AI code produced 10,000 new security findings per month, according to research from Apiiro. 

Pat Casey, the chief technology officer and EVP of development operations at ServiceNow, wasn’t always a technologist.

He first went to college to be an engineer, but switched his major to biology after becoming disillusioned with engineering and realizing, “I could spend my whole career in the US, and you built like one bridge. It just wasn’t a lot of infrastructure, in my perception, being built.”

Casey later pursued a PhD program for neurophysiology while working at Aldus PageMaker, a desktop publishing company. Aldus, which was later bought by Adobe, put Casey to work in IT. He would install mail onto a computer, reset someone’s password, or help another to figure out why their C drive wasn’t working.

“I remember I woke up one morning, sometime [in] my second year as a graduate student, and I was just in this horrible mood,” Casey said. “Then I realized I had my days wrong, it’s actually one of the days I was going into the office…My mood lifted. I’m suddenly looking forward to the day.”

Shortly after this epiphany, Casey dropped out of the neurophysiology program and took a full-time position at Aldus.

Casey found himself working for Adobe in Seattle. He said that others had told him the dreariness of the Pacific Northwest was going to get to him, but he figured that was just to keep Californians from moving there.

By the second winter, the weather was starting to get to him.

“The weather was so depressing for me, I don’t know a better way to put it,” Casey said. “It got so bad that I would actually get in my car and I would drive out to the top of the Snoqualmie Pass just to get in the sun, like stop at the side of the road.”

A friend of Casey’s got in touch with him because their software company Peregrine Systems in San Diego was hiring in its engineering department. Casey said the weather in San Diego was appealing, and that “I’d love to be in engineering instead of IT.”

Fred Luddy, who was serving as Peregrine’s chief technology officer, interviewed Casey for the position. Luddy would later begin ServiceNow, where Casey now works.

Luddy was inspired to begin ServiceNow after working for Modernfold Doors, where he worked on the order entry system. Luddy worked to automate the process for putting orders in their system and presented it to an employee whose job it was to manually type in delivery addresses.

“For [Luddy], that was a trivial piece of work, for her, that had meaningfully changed her life for the better,” Casey said.

After working at Peregrine for a few years, Casey decided to start his own company writing maintenance management software.

Casey sold the company he started to the Peregrine customer base because he knew them and because it was a reseller group. The company would sell his product, and both he and Peregrine would profit.

“Hopefully, everybody won, including the customers,” Casey said.

He said that for the first six months of working on his own, it was “glorious.” As a “super strong introvert,” he was productive, but also felt himself going into a “small hole of introversion.”

“I realized that, independent of the economics of it, I needed to be in a working environment to have people around me, which was really important—at least it was for me,” Casey said.

“I think I have a really strong need to have other people in my life…For me, being at work, it’s one of the ways I get to meet people.”

Casey joined ServiceNow in 2004, motivated by what Luddy was doing at the company and that Casey would get to work with people again, “as opposed to working with myself from the couch.”

Casey also said he didn’t join the company “because my goal in life is to be part of a really successful, multi-billion dollar software company.” He said that it was important for him to work in an environment with a positive culture, and that “the work we were doing helped a human being.”

Michele Richards, the SVP of impact engineering at ServiceNow and the 

(a group of technical or technical-adjacent employees who aim to help customer experience) project management officer, said that after being at the company for 10 years, Casey has taken on larger, public roles over time.

“Now he’s on stage…and he’s really accepted, as his role has grown, that people do want to see him,” Richards said. “If he’s in the UTG Connect and you’re in a social event, he will really work the room.”

“He has really grown from being a real introvert, hands on keyboard [and] head down, to being this impressive leader.”

How a "super strong introvert" rose to lead a major tech company

 ServiceNow’s co-founder, chief technology officer, and EVP of dev ops talks changing careers, changing careers and more

How a ‘super strong introvert’ rose to lead a major tech company

The White House released long-awaited AI guidance in July, and it’s a mixed bag. While the Trump administration’s “anti-woke” executive order takes aim at perceived diversity, equity, and inclusion (DEI) initiatives in the development of large language models, IT pros who spoke with IT Brew were pleasantly surprised to find a focus on open source in its separate AI action plan.

According to the EO signed by President Trump, DEI in regard to AI is considered the “suppression or distortion” of factual information about race or sex. It continues: “DEI displaces the commitment to truth in favor of preferred outcomes and, as recent history illustrates, poses an existential threat to reliable AI.” The Associated Press 

 the order as an attempt at censorship, and noted that it “still faces a study period before it gets into official procurement rules.”

Asad Ramzanali, the current director of AI and tech policy at the Vanderbilt Policy Accelerator and former official at the White House Office of Science and Technology Policy under President Biden, told IT Brew that he imagines the implementation of the “anti-woke” order may look like a government-established test for systems.

“I worry that in the hope of creating neutrality, you just mandated an ideological purity test,” Ramzanali said. “I’m allowed to have a political view, you’re allowed to have a political view, your company can have a political view. That’s really tricky to push companies ostensibly through procurement to meet some kind of neutrality.”

While experts maintain that the anti-woke EO that follows the action plan’s release is concerning, they also agree that the administration’s positioning toward open-source models is a benefit to the private sector.

Seemingly more substantive guidance on AI is outlined in the administration’s action plan, titled “Winning the Race,” which points to the government’s ability to “accelerate the maturation of a healthy financial market for compute” through collaborating with industry and using other vehicles in the federal space, like the National AI Research Resource Pilot and the National Institute of Standards and Technology, for open-source models.

The administration recommends ensuring access to “large-scale computing power for startups and academics by improving the financial market for compute. Currently, a company seeking to use large-scale compute often must sign long-term contracts with hyperscalers—far beyond the budgetary reach of most academics and many startups.”

The action plan further states that the US has “solved this problem before” through spot markets (when assets are purchased or sold immediately without a long-term commitment) and forward markets (where contracts are made to purchase or sell assets at a determined price in the future). This is in concert with the industry and government approach the administration believes can hasten the maturation of a healthy market for compute.

the action plan focuses on infrastructure and diplomacy—pointing directly toward encouraging both open-source and open-weight models.

 webpage points to releasing open-source software as a benefit from the standpoint of having more perspectives. It states that open-source work has “benevolent results” but it is not “an act of charity.” It goes on to say that having an open-source approach can yield higher returns than the initial investment.

, however, pointed to open-source software as having limited support and functionality, compatibility issues, and more. It looks to open-source security risks, as well, if the software is maintained incorrectly—specifically, vulnerabilities can allow attackers to access sensitive information or take control of a system.

Policy and industry experts, like Travis Hall, the director for state engagement at the nonprofit and nonpartisan Center for Democracy and Technology and Dhruv Patel, CEO of Syncurrent—a company that provides digital services to match local governments to grants—point to the action plan’s stance on open source as a positive for the market.

Hall highlighted the open-source and open-weight systems of the action plan as a potential positive.

“I think that this is a big deal, particularly for industry and IT professionals, because there have been debates…on whether or not open systems should be allowed, whether they can be exported, whether there should be expert controls on model weights or open-source systems,” Hall said. “It means that the tendency towards large model, proprietary systems being the only thing that is available is not going to be the case.”

Hall believes this aspect of the plan is a “pro-competitive move that will help IT professionals in particular” through having a broader set of choices than what is currently available—like those provided by Linux, WordPress, and Android. He also said that IT pros can benefit from having the ability to use open-source systems and “innovate on their own.”

“Everybody knows that open-source software is available, it is a thing,” Hall said. “It hasn’t made commercial proprietary software go away, but it does help to diversify the ecosystem and also help support a more competitive ecosystem.”

Patel told IT Brew that those who adopt open-source models will be impacted, but said he doesn’t know if it’s “for the better or for the worse.”

“Right now, I lean more good than bad, particularly because of the emphasis on supporting open source and supporting open models, as opposed to not,” Patel said.

He continued: “For tech businesses, for tech startups, it’s incredibly important that we have robust open-source models. But even more so for nutritional IT tech-enabled businesses, businesses that don’t directly have a fingerprint in tech but they’re tech-enabled.”

Trump administration’s AI plan takes aim at ‘anti-woke’ large language models

The action plan, released at the end of July, also contains language in support of ensuring access to open models for startups and academics.

Billy Hurley

Software engineer Joshua McKenty had worked on enough open-source projects by 2010 to know that the Global Earthquake Model (GEM) was not on a path to being open source.

With stints at NASA, Netscape, and a consultancy leveraging open-source tech, McKenty had experience designing publicly collaborative code, using a shared, continuous-release philosophy known as 

He and the earthquake scientists knew their teams could use a little Agility.

Helen Crowley, former researcher and GEM’s secretary general, said scientists at the time only 

“For us, it meant maybe you would make your software available somewhere at the end, once it was ready for other people to look at. But I think what Josh really explained to us is that it had to be 

McKenty shared how he helped to turn GEM—and develop its software engine OpenQuake— into an open-source, community-driven initiative, literally bringing together two teams that hadn’t always shared the same spaces: developers and scientists. The process involved a lot of Agile, which in theory meant iterative development and in practice meant offsites in the mountains and paired programming at desks.

“I focused a lot more on cultural transformation, rather than just, ‘Let’s produce software and feel proud of ourselves,’” he told us.

In 2010, McKenty was asked to review the then-in-progress Global Earthquake Model, which at the time was on year two of a five-year grant.

The GEM team wanted to create an open-source model to estimate earthquake-related impact and calculate human or economic losses for a collection of assets—the kind of tool that could help everyone from city planners to insurance providers.

“You need to have a first release now, not at the end of five years, so that you build a community around the software,” he remembers. That meant changing development practices.

McKenty took a six-month contract as interim secretary for IT—moving to Italy and occasionally commuting to the GEM office in Switzerland.

The definition of software, McKenty says, is it will be wrong—often because of a communication problem between the person with the problem and the engineer building the solution.

And that lack of cooperation exists at a wide range of organizations, not just the ones making earthquake models.

A global survey of 3,500 developers, published in July by Atlassian, found 55% of knowledge workers had difficulty tracking down information despite knowing a lot of people at their job,” and 56% said their companies “plan and track in different ways, which makes it hard to collaborate.”

Principles in the Agile manifesto, created in 2001, include tenets like delivering working software frequently, collaborating with business and developers, and reflecting regularly.

McKenty saw an occasional lack of agility (there’s that word again) in the methods of scientists, who often need their software to work just once in a lab, McKenty said. An 

, however, had to work constantly for a world of contributors.

In those six months, McKenty shook up the team, focusing on collaboration. It was not uncommon for a scientist and programmer to pair up on a task like simulating the shaking of the Earth. With this setup, no one had to wait for an email about which of a library’s many algorithms best resembled earthquake movement.

“You understand the science and I understand the software, and let’s make that work minute by minute, instead of month by month, or requirement by requirement,” he told us.

With McKenty at the helm, GEM’s team of coders and scientists produced a new feature or version every two weeks—what Agility proponents often call “sprints.”

Crowley remembers an offsite code sprint in Switzerland—“a weekend featuring lots of couches and pizza and just a good atmosphere.”

During McKenty’s tenure, the team had 20 or 30 releases, McKenty said, that culminated in OpenQuake 1.0’s release in 2013.

The GEM Foundation’s OpenQuake has been used in recent years to determine risk profiles for public schools in Peru, roads in Solomon Islands, and buildings in San Francisco. In December 2018, GEM “

 with a total of 30 national and regional seismic hazard models.”

“I am more proud of OpenQuake than anything else I’ve ever worked on, because I spent six months and I got the community in this sort of shape, and I let it go,” he said.

McKenty is currently CEO at fraud prevention company Polyguard.

Agile, as a practice, is hanging in there, even as the idea of paired programming these days might involve a vibe coder and their LLM.

 from this year polled global pros with knowledge of their company’s Agile practices and found that 61% of respondents have been using Agile practices for over five years, and 24% have deployed them within the last three years.

The ability to work in agile, cross-functional teams is increasingly important to IT pros, according to McKenty, who sees the source of good, working software as a collaboration between human teams talking to each other, sharing spaces, and trying to close up a gap that’s always open.

“I think that’s the definition of every software project; usually the product owners or the customer have an understanding of what they want, but not how to make it happen, and the software team has an understanding of how to make it happen, but not actually what they want. And so building good software is about being able to communicate across that divide.”

How to build an earthquake model: Bring scientists and software engineers together (literally)

 Joshua McKenty shares his Agile approach with Global Earthquake Model (GEM).

The link between music and math has been long known; musical notes are the representation of vibrations and frequencies, which math quantifies. The art of music—the way it makes us feel—is how our brains recognize and translate patterns and then translates them into feeling and emotion.

Adam Ribaudo, an artist and IT professional, said that he’s always felt an intuitive link between math and music, specifically when it comes to intuition and harmonies.

“There needs to be some sort of intuition and some mental map of how notes relate to each other,” Ribaudo said. “That mental map can then be transferred more easily to mathematical or some technical concepts where you’re searching in your brain for those harmonic registries.”

Technology, says composer, musician, and technologist Chester Jankowski, is about turning abstractions into patterns. So it’s not all too surprising, then, that musicians frequently make great technologists, coders, and IT professionals, according to 

. Each organization points to how musical artists think and problem solve logically and mathematically.

Jankowski and Ribaudo, along with other musicians who work in IT, say that the overlaps between logic and creativity assist them in both composing code and music. In order to improvise in music, for example, you have to know the foundation of music—how notes and keys work, etc. The same holds true in IT: In order to fix a system, you have to know the infrastructure.

When Wolfgang Wedemeyer, a ServiceNow senior staff software engineer and musician, is in the midst of working or composing, he doesn’t always see the connection between his expertise in music and software until later. Once he’s reflected on an experience, he can begin to connect the two.

“I get into a very similar flow state when I’m working creatively on music and when I’m also working on solving some of the harder software problems,” Wedemeyer said. “When it comes to theory and rules and patterns and all that sort of stuff, I find there’s similarities between doing parallel programming and working on harmonies, where you have to keep multiple things that are happening simultaneously in your head and make them work together in a logical way.”

Jankowski pointed back to the intuition for problem-solving, and said that musicians are often skilled at seeing the “bigger picture.”

“If something’s broken…you could either just go through a checklist and check everything in order, or sometimes you just have this flash of insight,” Jankowski said. “You’re able to go there and retrace your steps.”

Director of software engineering management at ServiceNow,Yaron Guez, told IT Brew that the translation of skills is more subtle. He believes that programming languages and music theory are the same in that both require certain rules to be followed.

“I haven’t had a moment where, because I know this circle of fifths or the way music modes work…that’s going to help me specifically on this programming challenge,” Guez said. “It’s just the same type of problem-solving, or rather, the same type of understanding another language.”

Guez said that in encountering different technologists who are also musicians, he finds that those individuals are often the ones where “this isn’t just math to them.”

“Not to say that math doesn’t have creative elements to it—of course, when it comes to proofs and whatnot—but still, they’re not just following a set of instructions and relying on their knowledge and expertise to do it,” Guez said. “They’re using creative problem-solving to figure it out.”

A close-up of a person's hands playing electric guitar chords with AI data patterns overlaid.