Chris opens with a description of Rehab Medical that reframes what IT means in a mission-driven organization. The company provides mobility equipment to people who cannot move without it, including chairs that respond to eye direction alone. Chris is not on the front lines fitting those chairs, but he supports the people who are, and he carries that awareness into every security decision he makes. It shapes how he talks about risk, how he frames the budget conversation, and why he does not have much patience for security theater. When something actually matters to the people depending on it, the gap between a real defense and a false sense of security is not theoretical.
The two demonstrations Chris walks through in this episode are the kind of practitioner storytelling that earns credibility with any audience. The first happened in a meeting where his infrastructure team was explaining why email spoofing from their own domain was impossible. As they talked, Chris quietly sent one of them an email from himself, with the subject line "Yes I can." The point was not to embarrass anyone. It was to make the threat feel real before asking the team to defend against it. The second happened after a leadership meeting about integrating AI into the company's software platform. Chris went back to his desk, built a deepfake of the company president in roughly 10 minutes, loaded it onto a flash drive, and walked it upstairs. What he forgot was that the same flash drive held a USB drop test he had been running to see if anyone in the building would plug in a found device and open the files on it. The president plugged it in, saw a file labeled 2025 payroll report, and nearly clicked it. The deepfake and the payload test landed simultaneously, and the result was more security autonomy than any formal presentation would have produced.
The AI section of this episode is where Chris gets most direct about what he sees working and what he sees being oversold. He makes the machine learning versus LLM distinction clearly and without jargon, using Darktrace as the example of what genuine behavioral AI looks like in practice. He is equally candid about the Copilot demonstration he ran for leadership, where he used his own domain admin account to pull up three dozen documents that were not his, and used that moment to cut the requested license count in half without fully disclosing that he had elevated permissions. The lesson he draws is not about deception. It is about what it takes to make a permissions conversation land with someone who does not live in the infrastructure. His approach to teaching prompt specificity follows the same logic: skip the theory, make a mess with cookie dunking or dirty dishes instructions, and let the confusion do the teaching. The people who figure out why the instructions failed become the ones who write good prompts.
Resources mentioned in this episode
This episode is brought to you by CyberLynx.com
CyberL-Y-N-X.com.
CyberLynx is a complete technology solution provider to ensure your business has the most reliable and professional IT service.
The bottom line is we help protect you from cyber attacks, malware attacks, and the dreaded Dark Web.
Our professional support includes managed IT services, IT help desk services, cybersecurity services, data backup and recovery, and VoIP services. Our reputable and experienced team, quick response time, and hassle-free process ensures that clients are 100% satisfied.
To learn more, visit cyberlynx.com, email us at help@cyberlynx.com, or give us a call at 202-996-6600.
AI Is Draining the Grid: Behind-the-Meter Power Solutions with Tony Uttley - Ep 215
Why Silence After a Breach Helps the Hackers with Scott Dickinson - Ep 214
Breaking Things on Purpose: An Honest Take on AI Readiness and Leadership with Shawn Hamm - Ep 213
Director of IT
Rehab Medical
Matthew Connor: Matthew Connor here, host of the Cyber Business Podcast. Today we're joined by Chris Pacifico, Director of IT at Rehab Medical. Chris, welcome to the show.
Chris Pacifico: Thank you. I appreciate you having me.
Matthew Connor: I appreciate you being on. Before we get too far in, a quick word from our sponsors. Hackers are getting smarter — is your security keeping up? Cyberlynx sells industry-leading, AI-powered cybersecurity solutions that detect threats in real time, so you know about an attack before the damage is done, not after. Learn more at cyberlynx.com. And now back to our show.
Chris, for those who aren't familiar, can you tell us about Rehab Medical and your role there as Director of IT?
Chris Pacifico: Sure. Rehab Medical is what's called a DME provider — Durable Medical Equipment. In essence, it's all about mobility. We give people who don't have the ability to move independently the ability to move. That covers everything from basic wheelchairs and scooters to complex powered chairs — ones with joysticks, and some where the person controls the direction just by looking. The chair goes wherever their eyes go. It was kind of a surreal experience when I first started there. You don't think much about it until you actually see what these people go through day to day. I'm not on the front lines getting people into their chairs, but I get to help the people who do. That's rewarding in its own right.
Matthew Connor: That really is fascinating work. We're seeing some remarkable advances in connecting the mind to devices — I know you mentioned eye-tracking, but is there work happening on the neural interface side too?
Chris Pacifico: There are a lot of advances happening and they move quickly. What I see most directly is on the technician side — the ability to help a patient get a replacement part or a software fix without requiring a technician to be physically present. As far as neural integration, I haven't seen anything like that deployed yet, but I can't imagine it's that far out. And just the progression from having to push a chair, to using a joystick, to using eye-tracking — and some of the newer chairs that are essentially mobile beds for people who are completely immobile — those advances alone are remarkable. There are always whispers of "can we hook into the nervous system" type capabilities, but I haven't seen that in practice yet.
Matthew Connor: We're definitely seeing some cool things with AI helping interpret neural patterns. Exciting to think about where that leads for quality of life. But AI is my favorite topic these days, so let me ask — where are you actually using AI? On the security side, the operations side? And what's your experience been? A lot of people have fumbled with it and found it more cool toy than useful tool. Others have gone deep and found real value. Where do you stand?
Chris Pacifico: Everything you just said — I've lived all of it. Rehab Medical does a company-wide conference every year in Indianapolis, and this year they gave me a speaking slot. I got to do a talk on AI: the quick 30,000-foot view of the do's and don'ts. Given that I'm security-centric, when I started hearing people were using AI in the business, I had something of a minor heart attack. It was like — oh no, we are not ready for this. So we started putting guardrails in place, and the conference was a great opportunity to have an honest conversation with everyone about the good, the bad, and the ugly.
There was a wonderful woman there who said, "AI is just like Google." I asked her what she meant. She said, "I can go to Google, type in 'give me a hot dog recipe,' and get thousands of results." I said, "Sure — but watch this." I went to Copilot and said, "Give me a hot dog recipe using these three specific ingredients I have in my pantry." And it did exactly that. She went, "Oh." Simple example, but it shifted her thinking. The point I kept coming back to is: it's not what you say, it's how you say it. My mom told me that my whole childhood and apparently I wasn't listening — but it turned out she was right.
Matthew Connor: Ha. And from a security implementation standpoint — are you a Gartner Magic Quadrant person when it comes to filtering through the noise of all the new AI security products?
Chris Pacifico: Magic Quadrant is great for narrowing choices quickly — I do use it. The challenge is that the products that perform best on the quadrant typically come with substantial price tags. And honestly, in my current role, IT is a cost center. I spend money, I don't make money. So there are times when I want Darktrace but I'm shopping at Walmart when I'd prefer Macy's. I've been to Microsoft Ignite, talked to the Darktrace guys multiple times — I love what they do. When I was at my previous employer, I brought Darktrace in and it was incredible. It just stops the bad guys cold. But it's a tough pitch at Rehab when the numbers don't line up the way I need them to.
That's actually where the Magic Quadrant still helps — it lets me find the right step-down. Not the shiny AI startup that claims to do everything but delivers nothing, but something that still represents real capability at a more realistic price point. The quadrant helps you find that floor.
Matthew Connor: Totally agree. And I think it's a useful filter specifically because you can't evaluate everything. The other thing I've been excited about on the AI security side is the machine learning piece that I think has been undervalued until recently. Things like Darktrace — that's machine learning understanding how Chris writes email, when Chris sends email, what his network traffic looks like — and flagging when something deviates. That's different from just bolting an LLM onto a security gateway, which actually creates new problems like prompt injection. The machine learning approach is the right tool for the right job in a lot of security contexts.
Chris Pacifico: A hundred percent. And you touched on something I care a lot about — the tabletop exercise side. I haven't done one with the C-suite yet, because they require a more careful approach. But I have done them with my team. When I started at Rehab, I had a young team — two guys on infrastructure, three on the help desk, and a manager in the middle. They were good and wanted to learn, but there was a lot of "that's not really a thing" or "that can't actually happen." Classic.
So we were in a meeting talking about email spoofing, and one of my infrastructure guys was confidently explaining why you can't send someone an email from their own address — we've got all these controls in place, cross-tenant protections, and so on. And as he's talking, I'm quietly typing away. Right in the middle of his explanation, he gets an email — to him, from him — with the subject line: "Yes I can." He goes, "Did you just do that?" I said yeah. He goes, "How?" I said, "That's not the point. The point is that it can be done."
Those are the tabletop exercises I've been running — not formal board meetings, but real-time demonstrations that make it visceral. Because once you get buy-in from the people on the front lines, it becomes a much stronger case when I sit down with the C-suite and say here's why I need the budget.
I'll give you another example. We were in a meeting discussing integrating AI into our software platform, and I had all my security "what if" questions running. Afterward, I took about ten minutes and created a deepfake of the president of the company — threw it on a flash drive and went up to his office. I said, "Kevin, I want you to look at something." He plugs it in. And — full disclosure — I forgot that was the same drive I'd used to test whether anyone in the building would pick up a random USB and open files on it. So when he opens it, there's a file labeled "2025 Payroll Report." He goes, "What's that?" I said, "Oh God, don't click that." He's like, "Why?" I explained. He said, "You did that? You're an ***." I said, "Yeah, but I'm your ***, and that's what matters."
Then he opened the deepfake and asked how long it took me to make it. I said ten minutes, roughly, and it was pretty rudimentary. Imagine if I'd put real effort into it. The look on his face — that landed harder than any vendor presentation ever could. Showing someone a deepfake of themselves, made by someone on their own team in ten minutes, changes the conversation.
Matthew Connor: That is a brilliant approach. And it builds the internal credibility you need. On the question of Copilot — that's what you're primarily deploying internally?
Chris Pacifico: Yes. We're a Microsoft shop so it integrates cleanly. And I'll tell you about a quick win I had there. When they initially asked for Copilot licenses, leadership handed me a list of eight or nine people they wanted to have access. I said, "Have you thought about the flip side?" They hadn't. So I showed them — using my own account, which admittedly had admin-level access — I said, "Watch this." I asked Copilot to find my career training Excel spreadsheet and it returned about three dozen documents. Many of them weren't mine. I said, "No guardrails means access to far more than you intended." I maybe didn't fully disclose that I had elevated permissions, but it proved the point. We went from eight or nine requested licenses down to four, and I've only handed out three so far.
Younger me would have come in swinging the hammer and gotten nowhere. Now I use the gentler approach — a soft stick, not a sledgehammer. Hopefully my leadership is hearing this and appreciating the difference.
Matthew Connor: Ha, I think they'll appreciate it. And the education piece is so critical. A lot of people think it doesn't matter what you do, because they're not holding secrets. I worked with a company once making packaging material, and a guy literally said, "I don't understand why we need to lock things down so hard — we're not making airplane parts for the Air Force." Two days later, they got ransomed. Turned out somebody wanted packaging material — or more accurately, they wanted their computers. It's not always about the data.
Chris Pacifico: Exactly. And that's the message a lot of non-IT people don't get — sometimes it's about your computing power, not your data. Sometimes it's purely about disruption: how much does it cost your business to be down for a day? A week? That's the tabletop exercise question. How long can we afford to be down, and what does each day cost us? And once you pay the ransom, if you haven't plugged the hole, they're coming back. This is well documented. So it's not doom and gloom — it's preparedness. Eyes open, not head in the sand.
And with the bad guys now using AI to automate attacks — faster, cheaper, more prolific — the arms race is very real. You need to up your game accordingly. Not everybody is ready for frontline combat. Some organizations are, and they should have the tools to match. Others need to at least understand they're bringing a knife to a gunfight, even if for now their best strategy is a fast recovery plan rather than perfect prevention. Know your situation. That's the key.
Matthew Connor: A hundred percent. And the tabletop exercise is such a low-cost, high-value tool for getting the entire leadership team to really understand this. You schedule a 30-minute scenario, everyone's in the room, and suddenly the CFO, the CEO, legal, operations — everyone is asking "what do we actually do?" and realizing there's no clean answer yet. That's the moment. You've got their attention and their buy-in.
Chris Pacifico: And it costs nothing. Thirty minutes and a whiteboard. The effort-to-value ratio is unbeatable. I can't think of another type of meeting that delivers that kind of outcome for the whole organization.
Matthew Connor: Let's talk about the Microsoft Copilot study for a second — did you see this? When Microsoft deployed it internally, after 90 days they expected about 85% of employees to be heavy users. What they found was the opposite: only about 15% were still using it heavily. When they dug into why, the power users were the ones treating it like a new employee — explaining context, giving clear instructions, training it, giving feedback. The 85% who stopped were expecting it to just know things and get frustrated when it didn't. The skill that made the difference wasn't technical. It was managerial. Leadership and communication skills applied to a digital team member.
Chris Pacifico: That maps exactly to what I see. When I'm teaching people how to use it, I use different analogies depending on the audience. For people who've been around a while, I say: think about how you'd explain to your kids how to do the dishes. If you just say "empty the dishwasher," you might get the clean dishes put away, but The Dirty ones stay in the sink. You have to be specific. Same thing with a prompt.
For others, I use the peanut butter and jelly example — there's a famous YouTube video of a dad following his kids' instructions literally. And I actually had a technical writing course in college where we had to write instructions for how to light a candle. You'd be amazed how many assumptions you make. So I tell people: explain to me how to dunk a cookie in milk. "Take a cookie, dunk it in the milk." Great — so I pick up the whole package and dunk it. That's what you said. That's the AI. And the more specific you get, the better the output. Once people start engaging with it that way — building up those personal prompt contexts — they start seeing real returns.
And yes, that creates new security questions, which is always the double-edged sword. But it trends toward the love side more often than not.
Matthew Connor: Completely agree. And I do think the future gets really interesting when we look at where this all leads. The jobs question is one people are anxious about, but I think history shows us technology consistently creates more than it displaces. And some of what gets displaced honestly shouldn't be done by humans — repetitive tasks we're not particularly good at or well-suited to.
Chris Pacifico: Yeah. I'll give you the fast food example. My wife and I stopped at McDonald's after a long day. Ordered two meals. Got home — cheeseburger instead of a Quarter Pounder, small fry instead of medium. At this point they've removed so much complexity they use pictures instead of words, and somehow the picture of a Big Mac still gets misread. You know what? That's actually a great use case for AI or automation. Not because the person was lazy or bad — it's that the job doesn't naturally engage human strengths. We're not great at pure repetition without variation. When those roles get automated, it frees people for work that actually uses human judgment, creativity, and connection.
The telephone operator analogy is a good one. If some powerful lobby had managed to keep that job protected, it would've been bad for the telephone operators and bad for everyone else. You let technology do what it's good at, and you let humans do what they're good at. That's not a threat — it's a better allocation.
Matthew Connor: And longer term, I genuinely think we're heading toward something like what ancient Rome had — not in the slavery sense, obviously, but in the sense that technology does the labor and what becomes valued is how you spend your free time. In Rome, when most people didn't have to work, the social currency became how educated you were, how well-read, how cultured. Not how many coins you had. I think we'll see something similar. Physical fitness, intellectual curiosity, creativity — those will become the markers of someone worth knowing, because everyone will have access to the material basics.
Chris Pacifico: I think you're right, and I think more of that future is actually self-created than people realize. Some of the loudest "AI is taking my job" voices are in roles that, candidly, AI genuinely does better — and that's okay. Technology has always done that. Rock to spear to bow to gun. It's always been about better tools enabling humans to do more meaningful things. I don't think the Terminator is coming. I think we're headed somewhere much more like Star Trek — abundance, exploration, and humans focusing on the problems worth solving. World peace being one of them, though we'll probably need AI's help on that one.
Matthew Connor: Ha, probably. Chris, this has been so much fun. I loved having you on. Before we go, can you tell everyone where they can find out more about you and Rehab Medical?
Chris Pacifico: For Rehab Medical, head to rehabmedical.com — everything you'd want to know about DME is there. For me personally, I'm on LinkedIn — Chris Pacifico, all one word. If you want to chat about anything we covered today, feel free to send me a message. I'm always open to talking.
Matthew Connor: Fantastic. Thanks for coming on, Chris. Until next time.
Chris Pacifico: Absolutely. Thank you.