Jeff Apolis
Cybersecurity and AI strategist
Atlanta, Georgia, United States
Actions
Jeff Apolis is a cybersecurity and AI strategist with more than 25 years of experience helping organizations innovate quickly while maintaining security, trust, and operational resilience. He works at the convergence of cybersecurity, information technology, and artificial intelligence, guiding organizations through decisions where technology, risk, and business outcomes intersect.
Jeff is known for reframing cybersecurity from a cost center into a strategic enabler of business velocity and helps to turn complex issues like software supply chain exposure, AI adoption risk, and secure SDLC implementation into clear and prioritized paths to value. Jeff brings a practical, outcomes focused approach that favors measurable progress over the pursuit of perfection.
His work focuses on solving the systemic root causes of cyber risk, especially the incentive imbalance that continues to favor attackers over defenders. Jeff advocates for security designed to enable the business, controls people don’t have to work around, processes that scale, and software that is secure from the start.
A frequent voice on secure software development, AI governance, and the economics of cyber defense, Jeff focuses on what actually works: reducing attacker opportunity, improving decision quality with guardrails, and creating systems that fail safely rather than catastrophically. His philosophy is simple: security succeeds when it becomes invisible, intuitive, and built into how people already work.
Jeff holds an MS in Information Technology (Information Security & Assurance) from Carnegie Mellon, as well as CISSP, CCISO, CRISC, GSTRT, CCSK, and AWS Solutions Architect certifications.
Area of Expertise
Topics
Your Biggest Risk Isn’t Your Code, It’s Your Dependencies
Modern software is no longer built from code your team writes alone. It is assembled from open-source packages, containers, SDKs, SaaS integrations, generated code, and third-party services layered across the stack. In many applications, the majority of the code running in production was never authored, reviewed, or maintained by your developers. That means much of your attack surface lives outside your repo.
This session explores why dependency risk has become one of the biggest engineering and security challenges in cloud-native development. Using incidents such as Codecov, Log4Shell, SolarWinds, and the XZ Utils backdoor, we examine how a single compromised component can move silently through CI/CD pipelines, artifact registries, containers, and production environments.
Rather than focusing only on CVE counts, this talk shows developers how supply chain risk actually enters systems: transitive dependencies, over-permissioned packages, abandoned libraries, tampered build pipelines, unsigned artifacts, and blind trust in upstream maintainers. We will break down why traditional vulnerability scanning alone often creates noise without reducing real exposure.
Attendees will learn practical engineering controls that work: Software Bills of Materials (SBOMs), dependency minimization, version pinning, signature verification, provenance attestation, reproducible builds, least-functionality package selection, runtime inventory, and policy gates in CI/CD pipelines. We will also discuss how AI-generated code can introduce risky packages faster if dependency hygiene is weak.
Developers will leave with actionable patterns to reduce blast radius, improve visibility, and build software supply chains that are faster, safer, and easier to trust.
Shipping Fast Without Shipping Vulnerabilities: Secure Coding for Cloud + AI Teams
Modern engineering teams deploy faster than ever, yet common vulnerabilities continue to reach production through rushed design decisions, insecure defaults, weak testing coverage, dependency sprawl, and unsafe coding patterns. In cloud-native systems, these issues scale quickly across APIs, containers, serverless functions, CI/CD pipelines, and distributed services. AI coding assistants can accelerate delivery, but they can also reproduce insecure patterns at machine speed if guardrails are absent.
This session provides a developer-focused framework for building security into the software delivery lifecycle without slowing releases. We will break secure development into Five Pillars: Requirements, Architecture, Coding Standards, Automated Testing, and Continuous Monitoring. Each pillar maps to practical engineering controls teams can implement immediately.
Topics include threat modeling during design, secure authentication and authorization patterns, secrets management, dependency and SBOM hygiene, static and dynamic analysis, IaC scanning, API security testing, runtime telemetry, and secure code review practices for human- and AI-generated code. We will also examine how to integrate these controls into workflows and CI/CD pipelines so security checks become part of normal delivery rather than last-minute blockers.
Using data from NIST and CISA, we will explore the Time-to-Fix Multiplier and show why defects found in design or pull requests are dramatically cheaper than those discovered after deployment. Real examples will demonstrate how early feedback loops reduce rework, incidents, and production outages.
Attendees will leave with actionable patterns, reference architectures, and pipeline guardrails to help teams ship cloud and AI-enabled applications faster, safer, and with greater confidence.
History Repeats - Why Leaders Must Rethink Security Controls
Security controls often fail not because they are absent or technically flawed, but because they collide with human behavior under real operational pressure. History offers a clear warning; during the 1916 Battle of Jutland, the British battlecruiser HMS Invincible was destroyed when safety controls designed to prevent catastrophic explosions were deliberately bypassed to increase the rate of fire. Those decisions were not reckless; they were made by disciplined professionals under leadership pressure to move faster and win. The result was catastrophic.
This talk uses Invincible as a case study in human‑centered control failure and applies its lessons directly to modern cybersecurity. The problem is familiar: when security controls introduce friction that slows mission success, motivated and well‑intentioned people find ways around them. Domain administrator overuse, shared service accounts, skipped reviews, and insecure workarounds are not anomalies—they are predictable outcomes of misaligned incentives and poorly designed controls.
The approach of this session is comparative and behavioral rather than technical. By examining historical post‑incident analysis alongside contemporary enterprise security practices, it demonstrates consistent patterns in how speed, incentives, and leadership priorities shape behavior. The key finding is that strengthening security does not come from more controls, but from controls designed to align with real workflows, cognitive load, and operational urgency.
This session argues that human behavior is not the weakest link—but the design constraint we most often ignore. For defenders and leaders alike, the significance is clear: security controls must be engineered for how people actually work, or they will fail precisely when they matter most.
The Secure Code Dilemma - Why We Fail and How We Can Break the Cycle
Secure software development is widely documented, yet systemic vulnerabilities persist because security is often treated as an "unfunded mandate" secondary to delivery speed. The data reveals a critical skills gap: 53% of professionals lack formal secure coding education, and 75% of junior developers are pushing production code without basic security familiarity.
This session provides a strategic framework for realigning business incentives through Five Pillars of secure development—Requirements, Architecture, Coding Standards, Automated Testing, and Continuous Monitoring. By focusing on the practices that determine SDLC success, we move from the normalization of insecure code to a culture of trustworthy delivery.
Drawing on empirical research from NIST and CISA, we present the "Time-to-Fix Multiplier," demonstrating that addressing vulnerabilities during the design phase is 30–60 times more cost-effective than post-deployment remediation. We will unpack how the cost-escalation model serves as a decisive tool for security leaders to quantify ROI and justify proactive defense budgets.
Attendees will leave with a practical, non-commercial toolkit to transform security from a "drag on innovation" into a driver of security and resilience. By leveraging global frameworks like the NIST SSDF and the EU Cyber Resilience Act, practitioners can bridge the skills gap and build scalable, battle-tested programs that reduce risk and cut costs while maintaining release velocity
Operationalizing AI - A CISO's Guide to Strategic Adoption and Risk Management
Generative AI and machine‑learning systems are rapidly being embedded into core business processes, yet most enterprise AI initiatives fail to deliver sustained value. The problem is not model capability, but governance: organizations deploy opaque, high‑impact systems without clear policy guardrails, risk accountability, or an understanding of how AI decisions reshape human workflows. This gap creates systemic security, legal, and operational risks that cannot be addressed through technical controls alone.
This talk presents a structured, policy‑centric framework for operationalizing AI in business processes. Drawing on enterprise case experience and aligned with emerging standards such as the NIST AI Risk Management Framework, ISO/IEC 42001, and the OWASP Top 10 for LLM Applications, the framework evaluates AI proposals across four dimensions: business value, technical feasibility, risk management, and implementation sustainability. The approach explicitly integrates human decision‑making, organizational incentives, and governance responsibilities, highlighting where misplaced trust, automation bias, and unmanaged organizational change introduce new attack surfaces or failure modes.
Key findings show that AI risk concentrates at organizational boundaries rather than in models themselves: unclear accountability, insufficient change management, and misaligned incentives consistently undermine security and value. The framework reveals measurable indicators that distinguish high‑risk, low‑return deployments from sustainable, defensible AI adoption.
The significance of this work lies in reframing AI security as a policy and coordination challenge at scale. Rather than treating AI as a tooling problem, this talk provides security leaders and policymakers with practical criteria to govern AI deployments that affect people, institutions, and critical decisions—before failures become systemic.
Atlanta Cloud+AI Conference 2026 Sessionize Event
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top