Ep 35: Securing the Circular Economy and AI Attack Surface with Eastman CISO Adam Keown

Evan Reiser: Hi there and welcome to Enterprise AI Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyberattacks. In each episode, Fortune 500 CISOs share how AI has changed the threat landscape, real-world examples of modern attacks, and the role AI will play in the future of cybersecurity. I'm Evan Reiser, the founder and CEO of Abnormal AI.

Mike Britton: And I'm Mike Britton, the CIO of Abnormal AI. Today on the show, we're bringing you a conversation with Adam Keown, Chief Information Security Officer at Eastman Chemical Company. Eastman is a Fortune 500 global specialty materials manufacturer. Their products go into medical devices, packaging, and many of the plastic and chemical solutions that keep modern manufacturing and safety systems moving.

There are three interesting things that stood out to me in the conversation with Adam. 

First, Adam defines cybersecurity at Eastman around business continuity and intellectual property protection. When you manufacture materials for medical devices, stopping isn’t an option. His team’s mission is clear—keep operations running and protect the innovation that gives Eastman its edge.

Second, the threat landscape is shifting. Attacks are moving from endpoints and networks to cloud identity, social engineering, and SaaS misconfigurations. Adam shared an experience from his days in the FBI where criminals compromised multiple identities along the chain. It’s another proof that identity attacks now carry the biggest blast radius in cloud‑native environments.

And finally, Eastman is re‑engineering how it defends and educates. Adam’s team shifted focus from chasing indicators to detecting behaviors and outcomes. They’re also rolling out in‑the‑moment microlearning—training employees as risks happen—to create a faster, smarter security culture built for real‑world threats.

Evan: Well, Adam, first of all, thank you so much for being here and taking time to join us today. Maybe to start off, do you mind giving our audience a little bit about your background—how you got to where you are today—and maybe a little bit about Eastman for those in the audience who may not know?

Adam Keown: I started my career in IT, like many other folks in cyber, and was working with—not IBM—but HP mainframes in the electric‑utility industry. And during that time, I was also a firefighter—taking care of burning buildings and emergency calls and such, having just a great time in life. And I’ve always had public service in my background.

And that’s when I met the FBI. And when I connected with the Bureau and found out I could use my hazardous‑materials background and my computer‑science background in one job, I fell in love. I’m like, “Yes—let’s go do this.” I’m thankful to say I was an FBI agent for just about 11 years. Loved every minute of that chapter—it was fantastic.

I spent that entire time in incident response. My first few years I chased spies, but outside of that, I spent the rest of the time in cybersecurity and doing a lot of incident response—running through logs. There are a few hundred agents who are dual‑trained in investigations and forensics, and I was one of those. Like I said, I loved every minute of that chapter.

But it was one of those situations where I saw so much harm being done that I wanted to be on the defensive side. I wanted to change that chapter and be in an area where I could help protect and do more before things happened—versus just helping after a situation occurred.

So I spent just over a decade in the Bureau, and then I spent just over a decade in the private‑sector market. A lot in risk management, a lot in understanding and explaining complex technology to folks across the board, and really learning how to talk to people and have conversations so we could have a true connection on the seriousness of the situation and make sure everyone understood what was going on.

And now I’ve been here at Eastman for six years as the CISO, and having a great time at it.

Evan: I think there’s a bigger impact you all have when you’re protecting both your customers and maybe the greater world. Can you help put that in perspective a little bit? What’s really at stake when it comes to cybersecurity at Eastman?

Adam: Yeah. So conversations not only at Eastman but with different businesses—I’ve always felt land best when you have discussions that seal the deal for them. And so when it comes to manufacturing, one of the best ways to have conversations is around business continuity.

We don’t want all these labels to stop being printed. We’ve got safety data sheets that are highly important so everyone can go home safe just the way they came in that morning. We are producing plastics that go into all these medical areas—a face mask or an oxygen‑mask type area. Those types of needs are vital and can’t slow down.

And so we always have to be thinking about what we can do to help stack the deck in our favor the most so the business can continue moving forward. Cybersecurity here at Eastman has two main pillars: one is to make sure the business continues running, and two is to protect our intellectual property that gives us an advantage in the market.

Mike: What do you think sets you all apart from others in the chemical and manufacturing sector?

Adam: One is our focus and our drive on the circular economy. It’s always about how we can make things or create things that not only surprise and benefit folks today, but are also sustainable for the future ahead of us. That kind of focus has made us uniquely even traded in some ESG mutual funds in the past. It’s one of those great avenues that makes you proud to be at this company.

Technology is a huge advantage we have here at Eastman.

Evan: I’m curious—what are some of the unique use cases or maybe novel attacks you see in your industry that others might not fully appreciate?

Adam: Attackers are very sophisticated when coming after large entities. They run into situations—and this was one of my old FBI cases, actually. I’ll tell you about it.

This was a bank that does international transfers all day long. What happened was the attackers compromised the person who creates the transfer—they set it up. Then they also compromised the account of the person who validates it and lets it go through. So the attackers had both accounts. Full access to both.

We were trying to figure out how this money got moved. We’re like, “Okay, well, obviously the attackers had to have both accounts.” And the reason they got caught—and the money didn’t transfer—is because the second person who owned that account was on her honeymoon. She had told the transferring company, “Hey, I’m going to be on my honeymoon all next week.”

And when they saw this large‑volume transfer come through, someone at that company said, “I just talked to her—how is she doing this from her hotel room on her honeymoon?” And sure enough, they stopped the transaction—saved over $1.5 million from going out.

The capability of the FBI to bring back money today is much better than it was a decade ago—even five years ago. But especially over a decade ago when I was still in the Bureau—once the money got transferred, it was gone.

So, yeah—$1.5 million saved because someone happened to mention they were going to be on their honeymoon. And when attackers have advanced capabilities—where they’ve compromised multiple areas—they know how the process chain works. That’s when the sophistication kicks in.

Especially when it comes to cloud identity. That is basically the new attack surface we’re all up against. And the privilege is the blast radius of how far that compromise can go. That’s what we’re up against all the time now. That’s why CISOs are spending more money on identity and access management than ever.

As an industry, we’ve spent 10–20 years focusing on endpoint detection and forensics—getting the monitoring and logs. We can do that in our sleep. Now we need to pivot because of the movement of data into all these cloud areas. We have to focus on identity and bring that area up to par.

Mike: What’s something you’re proud of that your team has innovated—something homegrown because the vendor space wasn’t meeting a need?

Adam: Where I’ve really enjoyed the cybersecurity team here at Eastman is their willingness to think outside the box when approaching specific techniques.

We had a billion‑dollar divestiture a few years ago, and there were all these questions about separating data. We talked to lots of vendors and had some outside consultants. But we ended up pulling people into a room and whiteboarding.

I grabbed some key team members—we jumped into a room and started drawing on the board. “What are our end goals? When we’re done with this, what’s going to make us happy from a cybersecurity standpoint?”

And the team stood up and said, “Okay, we see these goals—but what if we go after it through option A? And what if option A doesn’t work? Can we hammer it with a different data‑sifting tool? What about certifications?”

It was awesome to have all that brainpower and ingenuity throwing ideas all over the whiteboard. When people say, “Let’s brainstorm”—it was one of those moments.

I’m happy to say the principles we laid out—about ensuring we identify all employees and data being divested—guided the entire effort. Every time the team got challenged, they responded with those principles. It empowered them: “We’re doing right by the company.”

Evan: Looking for a contrarian take—what do you think will be true about AI’s future impact in cybersecurity that your peers might be underestimating?

Adam: Identity and access management—we’ve got to invest more in that area. It’s about seeing where identities are being used across the board. SaaS, on‑prem, hybrid. We have to close blind spots.

One of the things I’ve put in my team’s performance reviews—not only here but in past roles—is we need more visibility. Always more visibility. Adding more layers of visibility and context is key to figuring out what happened or preventing things from happening.

I’d encourage folks—if you haven’t spent time adding visibility, do it. Those old Linux systems in the corner with dust on them? Get visibility there. Remote offices with poor visibility? Invest.

Attackers getting past weak areas can cause larger issues in the mothership. They can use that access to cause bigger harm.

We’re also seeing some of the biggest breaches in third‑party SaaS services. I won’t name the CRM tool in the news recently—but they said they wouldn’t pay the hackers because “they didn’t really hack us.”

We need to spend a ton of time on security‑posture management for SaaS environments. I so recently on a call with a vendor, “Can you tell me, what configuration capabilities should we have in place to prevent an attack or to prevent us from having a SaaS issue that other customers have had?” And they had nothing to say. They said, “No—we do all the security.”

I said, “Okay, I get the fact that you're looking at network traffic and no one's getting inside our bubble. But I'm talking about our bubble. What configuration changes should we make in our environment? Do you have benchmarks—CIS benchmarks, anything? Even if we’re not following all of them, what can my team aim toward?” And they literally had nothing to provide.

My team and I ended that call and had a quick hot wash afterward. We said, “What’s going on? I can’t believe a vendor this large, with millions of dollars behind them, can’t give us a back-of-the-napkin configuration checklist.” These SaaS providers have got to think in this area.

It still shocks me how many times—in the last 6 to 12 months—I’ve asked vendors about best practices for configuring our environment, because my team is responsible for configuring our environment, not the SaaS provider. And they just don’t have these benchmarks.

Evan: What about on the offensive side? Criminals seem to adopt these technologies faster than defenders. What should we be thinking about there?

Adam: One reason criminals adopt tech fast is because they don’t care if it breaks. For the rest of us, we have to keep systems running. Criminals just spray it out there: “Let’s see what happens. If it doesn’t work, we’ll hit the next victim.”

Especially around AI, we’re seeing attackers scale and personalize convincing models to attack people. We’re also seeing a trend where, when attackers get ahold of email inboxes, they pull down all the invoices and data they can—so they can turn around and attack those customers. Smaller customers don’t have the budgets or personnel to defend against these threats.

The second area I’m seeing: multimodal attacks. Phone call from a “CEO.” Email that follows. Then they slam your inbox so email won’t work. Then they call pretending to be IT support. Or a fraudulent job applicant onsite. It’s coming from so many different angles that cyber teams have to build protections in ways we haven’t before.

For years we’ve said phishing is the number-one way attackers get in—and that’s still true, but the phishing percentage is coming down a bit. All these other social-engineering vectors are jumping in: text, phone, deepfakes, multimodal AI.

Evan: How should defenders be using technologies to defend against those things?

Adam: Detection speed is huge. Especially in global companies where attacks hit while teams are asleep or have limited access. Using AI to give directional guidance is a huge win.

Today, we don't chase indicators as much—we chase behaviors and outcomes. Everyone has said “It’s not if, it’s when” forever, but honestly, we’ve gone beyond that. Every company has compromises. Not material breaches, but compromises—Alice in Accounting gets her email popped, Bob in Sales gets his inbox popped. That’s normal.

The program itself must look for cultural behaviors and expected outcomes so when something does happen, it’s contained. A single office. A single PC. How quickly can we shut it down? What observability do we have so we can isolate a segment of the network fast?

Mike: How have you rethought your awareness and education program? I imagine your employee base is everything from plant workers to office workers.

Adam: First, we’ve had direct educational sessions with specific employees—some are targeted more than others. Smaller groups help those messages land.

I’ve reviewed two different vendors in the last six months who said, “We’ve got an AI educational module you can send to all employees.” Then I ask for a copy—and the content is quoting AI capabilities from six months ago. That’s ancient history in AI terms.

Things like “AI can’t write secure code.” Well, it can now. “AI can’t mimic regional dialects.” It can now. So the AI education materials feel like the old “Look for misspellings in emails” era—they’re outdated.

We’re creating targeted material tailored to our employees and building internal communications and educational content for our general population.

Mike: Do you see a role where AI could help personalize training on an employee-by-employee basis?

Adam: Yes. Some of the best training I’ve seen is in-the-moment training. For example, Alice tries to send a confidential document outside the company. The system blocks it, and an educational message pops up: “You can’t send this to a Gmail account—here’s why.”

Those in-the-moment prompts are the most effective. We live in a world of 60–90 second TikTok videos—quick, digestible information is key.

One of the best compliments I’ve gotten was from a VP who said, “Your newsletters are so concise it would take longer to go find the email later than to read it right now.” That’s the type of content we want.

Evan: All right, quick lightning round. Looking for one-tweet takes on questions that are very hard to answer in one tweet.

Mike: What advice would you give someone stepping into their first CISO job—something they might underestimate or overestimate about the role?

Adam: Understand that you're not only responsible for the people you work with, but for creating relationships outside of cyber—communications, HR, business units. All of those are essential to getting your job done. You must build those relationships.

Evan: What’s your advice to your peers on how to stay up to date with the latest in cybersecurity?

Adam: Never stop learning. Podcasts are phenomenal—I run through 30 podcasts a week because I’m an avid runner. That keeps me on top of news, trends, and the broader economy.

I also tinker on weekends—I’ve got several Raspberry Pis in my house, I run my own media server. A few months ago, I spent three weekends learning Docker. I deployed my own infrastructure at home. Just keep learning and surround yourself with experts.

Mike: More personal question—what’s a book you’ve read that’s had a big impact on you and why?

Adam: How to Know a Person by David Brooks. It made me realize how to better connect with people—how to ask real follow-up questions, how to genuinely engage. I’ve applied it to hundreds of conversations since reading it.

Evan: When you think about the future of cybersecurity and AI, what do you believe will be true that most people consider science fiction today?

Adam: I think AI will move into a position where it fixes the majority of vulnerabilities. Baseline activities—asset inventory, patching, detection of misconfigurations—that’s where AI will push us into a much more positive direction so we can operate with good data.

Evan: Adam, really appreciate you joining us today—looking forward to talking again soon.

Adam: Thanks.

Mike: That was Adam Keown, Chief Information Security Officer at Eastman Chemical Company. I'm Mike Britton, the CIO of Abnormal AI.

Evan: And I'm Evan Reiser, the founder and CEO of Abnormal AI. Thanks for listening to Enterprise AI Defenders. Please be sure to subscribe so you never miss an episode. Learn more about how AI is transforming cybersecurity at enterprisesoftware.blog.

This show is produced by Josh Meer. See you next time!