Identity Is the New Perimeter: A Cybersecurity Director's Playbook with Jason Lawrence - Ep 202
Jason Lawrence is the Cybersecurity Director at Yancey Brothers, the oldest Caterpillar dealer in the United States and a company that has been in business since 1914. As the first person to hold this role at the organization, Jason is building the cybersecurity program from the ground up, reporting directly to the CIO. Before joining Yancey Brothers, Jason built a career spanning security operations, identity management, and strategic risk, and he also co-founded Security Reimagined, a firm focused on securing small businesses and communities across Georgia. His approach to cybersecurity is rooted in business outcome thinking, treating cyber defense not as a technology problem but as a revenue protection function.
Here’s a glimpse of what you’ll learn:
- Why Jason separates AI into generative AI and machine learning and why that distinction matters more in cybersecurity than anywhere else
- How the OODA Loop framework from military strategy applies directly to cyber defense and why disrupting the attacker's decision cycle is the real objective
- Why non-human identities now outnumber human identities in enterprise environments and what that means for your security posture
- How agentic AI and RAG systems are introducing a new insider threat vector that most organizations are not yet accounting for
- Why AI-powered penetration testing and continuous threat exposure management are changing how organizations prioritize and remediate vulnerabilities
- Why Jason believes cybersecurity is a business problem first and a technology problem second
- How hardening the tools you use to manage your own infrastructure is the most overlooked security priority right now
- Why human imagination remains the one capability AI cannot replicate and why that matters for both attackers and defenders
In this episode…
Jason opens with a framework that reframes how most people think about AI in security. Rather than treating AI as a single category, he separates generative AI from machine learning and assigns each a distinct role. Generative AI helps analysts make sense of massive data volumes quickly, turning raw signals into actionable observations. Machine learning, the kind Darktrace has been applying for well over a decade, automates detection and response in ways that rule-based systems simply cannot match. The real objective, he argues, is not just prevention but disrupting the attacker's OODA loop before they achieve their goal inside your environment. Getting in is not the win for threat actors. What they do after getting in is what matters, and that is where speed of detection and response becomes everything.
The identity conversation is where Jason brings the most urgent and underappreciated insight of the episode. The perimeter is gone. Identities are the new perimeter. And for every human identity in an enterprise, there are now estimated to be up to 144 non-human identities, including devices, data systems, and increasingly, agentic AI and RAG systems that have been granted privileged access to an organization's most sensitive assets. The Stryker breach is the defining example: a compromised Intune instance handed the attacker complete control of the environment. Jason's prescription is direct. Harden the tools you use to manage your infrastructure, roll out MFA everywhere, adopt passkeys, and build a complete identity inventory that accounts for everything in your environment, not just the humans.
Jason closes with a perspective on cybersecurity's role in the business that every security leader should hear. If a user has to stop and think about whether an email is safe, that is a cybersecurity failure because it is pulling that person away from the work that generates revenue. His job, as he frames it, is to make sure the business can do business with as little friction as possible. The department of no has to become the department of know, finding the secure path forward rather than simply blocking the unsafe one. That philosophy, grounded in humble inquiry and genuine understanding of business processes, is what separates security functions that protect the organization from those that simply slow it down.
Transcript:
Cyber Business Podcast – Jason Lawrence, Cybersecurity Director at Yancey Bros Co
Matthew: Matthew Connor here, host of the Cyber Business Podcast. Today we're joined by Jason Lawrence, Cybersecurity Director at Yancey Bros Co. Jason, welcome to the show.
Jason: Glad to be here.
Matthew: Glad to have you. Before we get too far in, a quick word from our sponsors.
[SPONSOR READ: Hackers are getting smarter. Is your security keeping up? CyberLynx sells industry-leading, AI-powered cybersecurity solutions that detect threats in real time — so you know about an attack before the damage is done, not after. Learn more at CyberLynx.com.]
And now back to our show. Jason, for those who aren't familiar, can you tell us about Yancey Bros Co and your role there as Cybersecurity Director?
Jason: Yancey Brothers is a Caterpillar dealer — Caterpillar being the manufacturer of heavy earth-moving machinery. Yancey Brothers is actually the oldest Caterpillar dealer in existence. We've been in business since 1914, which is over a decade before Caterpillar even became Caterpillar. So we're likely the first dealer Caterpillar ever had. We sell earth-moving equipment, power supplies, and we're also a Bluebird bus dealer. We do maintenance and parts as well. Our power solutions division sells power generators. So the business is selling tractors, selling buses, maintaining equipment, selling parts, and selling power supply.
Matthew: And as Cybersecurity Director — I think this is interesting because for a lot of people, when they think cybersecurity, they picture large financial organizations. But every organization needs cybersecurity. I think Yancey Brothers is a case where people might assume IT handles it as an offshoot. It's great to see it prioritized with a dedicated role. How long has this position existed?
Jason: I've been with Yancey for about four months, so I'm fairly new to an organization that's 112 years old. And as the title Cybersecurity Director, I'm the first person to hold this role. I report to our CIO, but for all practical purposes, I'm the head of cybersecurity — in other organizations this would have been called the CISO. Most businesses today run on technology and on data, and data is at the core of everything we do. Data needs to be secure. And when it comes to cybersecurity, everyone is a target. If you have anything of value, someone will target you.
My boss recognized the need for a dedicated role focused specifically on building and maturing our cybersecurity program — and that's what I'm doing. One of the core cultural tenets at Yancey Brothers is safety, and I equate safety and cybersecurity as fundamentally linked. When the company talks about safety, they mean it in the OSHA sense — the physical safety of people working with heavy machinery and warehousing equipment. But as IoT has come in, cyber and physical safety overlap, and that overlap needs to be addressed. So one of my goals is to create a genuine culture of cybersecurity and extend it to everyone who touches a computing device here.
Matthew: This is the most exciting time in history when it comes to cybersecurity — particularly because of AI. The arms race dynamic is clear: as one side leverages AI, the other has to as well. You see companies like Darktrace doing it the right way — purpose-built machine learning, not just bolting an LLM onto a legacy email gateway and calling it AI. That latter approach introduces all kinds of new problems like prompt injection. So what's your take on where AI stands in cybersecurity right now, in March of 2026?
Jason: I'd like to separate AI into a few distinct categories. What's dominated the news is predominantly generative AI — chatbots and large language models. That's a genuinely good use case for security operations: helping analysts distill enormous volumes of data into actionable observations quickly. That's where generative AI shines. Then you have machine learning, which is what Darktrace uses. That's the other side of AI, and it doesn't get as much press — but I think it's actually more important in the cybersecurity context than generative AI. Machine learning helps us automate and reduce the impact of attacks, including attacks that are themselves being generated by AI tools.
When I separate those two categories: one, we want to arm our people with better information faster so they can respond effectively. Security is never perfect. A sufficiently motivated attacker will eventually find a way past your defenses — that's the nature of this game. The question is how quickly you identify them in the environment and how quickly you respond. If we can ensure the attacker doesn't achieve their objective, we win — even if they did get in. Their goal isn't to get in; their goal is to get something inside your environment. Prevention is great, but detection and response are equally critical.
There's a concept I've borrowed from the Air Force — Major John Boyd in the 1960s developed something called the OODA Loop: Observe, Orient, Decide, Act. Cyber defense has the exact same loop — we call it the kill chain or the MITRE ATT&CK framework. Attackers have their own OODA loop. If we can disrupt theirs before they disrupt ours, we achieve our objective. It's adversarial combat in cyberspace.
And at the center of all of this is data. Everything we do in security revolves around data. Generative AI needs data to build its models. Attackers want data — for ransomware encryption, for intellectual property theft, for whatever advantage they're seeking. So we need to focus our defenses at the data level, not just the network layer, but at the endpoint and wherever the data actually lives.
Matthew: That's a great framework. And with recent events — like the significant uptick in attacks since the conflict with Iran escalated, the Stryker breach being a notable example — what's your practical advice for organizations right now?
Jason: Situational awareness first. Be aware of what's happening in your environment and in the broader threat landscape. What the Stryker incident illustrated — and this is something I've been concerned about for years — is the vulnerability of the management tools themselves. We use various tools to manage endpoints, servers, and networking devices. If those management tools are compromised, the attacker has complete control of your environment. That's what happened to Stryker — their Intune instance was compromised. This isn't a new attack vector; it's the most recent in a series. Landesk experienced similar attacks, and there have been others.
These endpoint management tools — RMMs, remote monitoring and management platforms — are what I've called for years "self-inflicted rootkits." They run with root-level access in your protected space. If someone takes control of them, they're root on every device you manage. So my first piece of sage advice: harden the tools you use to manage your infrastructure.
Second: roll out MFA everywhere possible. And go further — I'm a strong believer in passkeys as a real solution for identity security. Which leads me to the most important theme right now: identities.
Attackers no longer need to breach a firewall. That model is outdated. Our perimeter is now identity. And we've traditionally thought of identities as human users — but identities have morphed far beyond that. Everything in your environment has an identity: data, devices, applications, services. There's a statistic I came across recently — for every human identity in an enterprise, there are up to 144 non-human identities. These NHIs typically have privileged access, and they're often overlooked.
Now tie that to the AI conversation: we are rolling out agentic AI and RAGs — Retrieval Augmented Generation systems. These agents have access to your crown jewels, your key data, your key systems. And those agents have identities that need to be protected. One of my biggest concerns is what happens if your agentic AI becomes your insider threat — because that's exactly what attackers are working to leverage. They're trying to turn these powerful new capabilities against us. So the question I'd ask every organization: do you have a complete identity inventory? Not just device inventory — identity inventory. Do you understand and track all the identities that are active in your environment?
Matthew: That is so on point. The Stryker breach, MGM — time and again it comes down to an identity being compromised. Once an attacker has the right credentials, they have the keys to the kingdom. And that's where tools like Darktrace Identity become so compelling — using AI to monitor those identities and flag anomalies immediately. If something doesn't compute, shut it down and escalate. The action happens in seconds rather than hours. That's the right use of AI in security.
Jason: Exactly. And I agree completely. AI will augment humans — it will help us do things faster, more precisely, more repeatably. But I don't see AI replacing human imagination in the security space, and I think human imagination is actually one of the primary reasons attackers are successful. They use creativity to approach problems in ways we don't anticipate.
I've thought a lot about the "thinking outside the box" concept, and I actually reject it. If you're thinking outside the box, you've already identified the box. You're still beholden to it — how do you know you're outside if you've defined its boundaries? Attackers look at our box, take it apart, and beat us with the pieces. What they do is ask: how would an IT person think about this? Now let's do the opposite. That's where they succeed.
AI is outstanding at predictive analytics — drawing patterns from past performance. But there's an old saying from the modeling world that I think about a lot: "All models are wrong. Some are useful." AI is always hallucinating, in the literal sense — it doesn't have human experience or context. It has calculations, parameters — billions or trillions of them — but mathematical parameters nonetheless. It will be wrong in ways that a human with lived context would not be wrong. That's not a reason not to use it. It's a reason to use it mindfully, in the right scope, for the things it genuinely excels at — and to keep humans in the loop for everything else.
Matthew: And that's the point — not AI versus humans, but AI amplifying humans. I saw a recent example with McKinsey using a fully AI-powered red team to run penetration testing. Where human red teamers couldn't find a breach, the AI identified and exploited a vulnerability in a matter of hours. That's a great use case — using an offensive capability defensively to harden your environment. Not letting it run your entire security program, but using it to supercharge what your people can do.
Jason: And that leads right into something I'm actively evaluating. There are some powerful AI-driven pen testing tools that not only identify weaknesses but go a step further — they attempt to exploit them based on existing knowledge of attack techniques. That gives you a higher confidence level that a finding is real and serious. The tools also outline which attacker groups would target a given vulnerability and what techniques they'd use, so you understand the actual threat context. And you can run these tests continuously — not just once a year or semi-annually. That's a huge advantage, because typically after you patch everything, you can't afford to immediately run another engagement. Continuous, automated testing solves that.
I also recently met with the founder of a company doing AI-driven vulnerability evaluation, prioritization, and automated remediation. They look at your entire environment — all your tools, all the versions — cross-reference against the National Vulnerability Database, check exploitability, and then prioritize what you need to fix. If the fix is a configuration change, they can automate it. And this maps directly to what Gartner calls CTEM — Continuous Threat Exposure Management. That's a genuinely powerful use case for AI in security.
The other critical piece is understanding the business impact of addressing a vulnerability. Some fixes will break other processes. That's why I think of cybersecurity not as a technology problem but as a business problem. What is the business process we're protecting? What technologies support it? What's the impact if it's disrupted? The role of Cybersecurity Director — and CISO in other organizations — is ultimately revenue protection. I want to ensure the business can keep generating revenue. That's partly selfish: I enjoy my paycheck. But it's also just the right framing. Our job is to enable the business to do business with as little friction as possible.
And it connects directly to your email point. If a user has to stop and think: "Is this email safe? Should I click this link?" — that is a cybersecurity failure. The user should be doing their job, not performing security assessments. Every moment they're distracted by evaluating an email is a moment they're not contributing to the business. Historically, security has been the department of no. I prefer to think of it as the department of know — and when I have to say no to something, I've failed. My job is to tell the business how they can do what they want to do — securely. Here are the risks of this path, here's a less risky alternative, here's how we get you where you want to go. That requires really understanding the business, not just the technology. I call it humble inquiry — I don't know everything about every business process, and I need to understand the objective before I can design the right protection around it.
Matthew: That is a perfect place to wrap up. Jason, this has been an absolute pleasure. Before we go, where can everyone find out more about you and about Yancey Bros Co?
Jason: For Yancey Brothers, you can visit yanceybrothers.com — or yanceybros.com. Everything you need to know about our company is there, including, yes, the ability to purchase a Caterpillar earth mover online — though I'd recommend coming to a store. We operate exclusively in the state of Georgia as a Caterpillar dealer, and we have 34 to 36 locations throughout the state.
As for me — LinkedIn is my go-to. Fair warning: if you search Jason Lawrence cybersecurity, you'll find at least three or four of us. We're not all the same person. My LinkedIn handle is ethical_infosec, so find me there. You can also find me at blog.security-reimagine.com, where I write about security, or at security-reimagine.com, which is the personal website for the small firm my wife and I started called Security Reimagined. Our mission is securing our communities, one mom-and-pop shop at a time — because at the end of the day, what I care about is securing what matters: my family, my community, and society as a whole.
Matthew: Fantastic. That's great work you're doing there. Until next time — thank you, Jason.
Jason: Thank you, Matt.







