Episode 108 -- The Invisible Foundation: Why DNS Security Is the Governance Gap No One Is Watching

In Episode 108 of the Cybersecurity Readiness Podcast Series, Dr. Dave Chatterjee is joined by Scott Harrell, President and Chief Executive Officer of Infoblox and former leader of Cisco's $20 billion enterprise networking business — to examine one of the most consequential security blind spots in modern enterprise governance: the foundational network infrastructure layer that every other security investment depends on, and that almost no organization actively governs.
The episode opens with the October 2025 Amazon Web Services outage, in which a single automated misconfiguration in a core routing service triggered a global cascade that took down AI services, financial platforms, and consumer applications worldwide, producing an estimated $581 million in losses. The cause was not a sophisticated cyber attack. It was a governance decision that had never been made — nobody was actively watching the foundational layer. That event becomes the opening frame for a conversation about DNS, DHCP, and IP address management: the three-part infrastructure, collectively known as DDI, that assigns every device an address, maps every application name to a network location, and routes every piece of digital traffic to its destination. When it works, it is invisible. When it fails — or when an attacker exploits it — everything built on top of it stops.
Harrell's central argument is structural: 92% of all malware relies on DNS for its initial call-out to attacker-controlled infrastructure. The first thing any malware does when it lands on a network is resolve a malicious domain — and if that DNS request is blocked, the entire incident cascade never occurs. The payload is never downloaded. Lateral movement never begins. Privilege escalation never follows. The problem is that most enterprise security stacks are built to detect and respond to malware after it has activated — not to intercept the first domain resolution that enables everything that follows. This is the difference between reactive and preemptive security, and it is a governance choice that shows up in budget allocations: currently, only 5% of enterprise security spending goes to preemptive activities, with 95% consumed by detection and response. Gartner projects that organizations will need to reach a 50/50 split by 2030.
The conversation addresses how to make the governance case for foundational infrastructure investment, what differentiated DNS security looks like, how agentic AI is about to make network complexity exponentially harder to manage, and what three metrics every senior leader should be demanding from their security teams. Analyzed through Dr. Chatterjee's Commitment–Preparedness–Discipline (CPD) Framework, the episode reframes network infrastructure security from an IT operational matter into a board-level governance imperative. The episode's core message is neither technical nor vendor-specific: the organizations that will withstand the next breach are not those with the most sophisticated detection tools — they are those that have decided to govern the layer on which everything else depends.
To access and download the entire podcast summary with discussion highlights - https://www.dchatte.com/episode-108-the-invisible-foundation-why-dns-security-is-the-governance-gap-no-one-is-watching/
Connect with Host Dr. Dave Chatterjee
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Books Published
Cybersecurity Readiness: A Holistic and High-Performance Approach
Articles & Cases Published
Chatterjee, D. (2026). The Cryptographic Reckoning: Why Quantum Readiness Begins with Agility, Not Algorithms, The INFORMS Analytics Magazine, June 26, 2026
Chatterjee, D. (2026). The New Digital Fragility: How AI-Enhanced Cyber Threats Are Reshaping Operational Resilience, The INFORMS Analytics Magazine, March 4, 2026
Chatterjee, D. (2026). Root: Automating the Remediation Gap, Ivey Publishing, Jan 7, 2026.
Chatterjee, D. and Leslie, A. (2024). “Ignorance is not bliss: A human-centered whole-of-enterprise approach to cybersecurity preparedness,” Business Horizons, Accepted on Oct 29, 2024.
Chatterjee, D. (2023). “Mission critical – How American Cancer Society successfully and securely migrated to the cloud amid the pandemic,” I by IMD, March 13, 2023.
Chatterjee, D. (2022). “Preventing security breaches must start at the top,” I by IMD, September 28, 2022, Institute for Management Development, Lausanne, Switzerland
Benz, M. and Chatterjee, D. (2020). “Calculated Risk? A Cybersecurity Evaluation Tool for SMEs,” Business Horizons, available online from May 4, 2020
Chatterjee, D. (2019). “Should Executives Go To Jail Over Cyber Attacks,” Journal of Organizational Computing and Electronic Commerce, Vol 29, Issue 1, pp. 1-3.
Abraham, C., Chatterjee, D., and Sims, R. (2019). “Muddling through cybersecurity: Insights from the U.S. healthcare industry,” Business Horizons, July 2019.









