Cybersecurity Today Weekend with Carey Frey, VP and Chief Security Officer at TELUS

Feb 28, 2026

Carey Frey, Chief Security Officer at TELUS with roots at Canada’s Communications Security Establishment, recounts identity’s messy history and TELUS’s FIDO2 lessons. He explores session token theft, why SSO tokens can be dangerous, and how agentic AI and auto-browse amplify risk. He calls for stronger cryptographic roots, proof-based tokens, re-authentication across domains, and fine-grained delegation guardrails.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

ANECDOTE

From Co-op To TELUS CSO

Carey Frey recounted starting at Canada's Communication Security Establishment as a 19-year-old co-op and moving into telecom security over 30 years.
His career arc led to TELUS CSO where he runs internal security and managed cybersecurity services at scale.

INSIGHT

Why Early Identity Went Wrong

The internet's identity model started with ISP email as root of trust and evolved into brittle email+password credentials.
Cryptographic PKI promised a stronger foundation but never became user-friendly or widely adopted, leaving passwords dominant.

INSIGHT

PKI Lost To Convenience

PKI failed partly because centralized control and usability barriers made X.509 certificates impractical for everyday users.
SSL's decentralized, easier certificate model and passwords won because services prioritized frictionless adoption.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Identity, AI Agents, and the Session Token Time Bomb | Carey Frey (CSO, TELUS) on Cybersecurity Today

In this Cybersecurity Today weekend edition, David Shipley interviews Carey Frey, Chief Security Officer at TELUS, about the evolution of identity security and why it's a growing risk in the age of generative and agentic AI. Frey recounts his career from Canada's Communications Security Establishment to leading TELUS's internal security and managed cybersecurity services, then explains how convenience-driven identity decisions led from PKI's unrealized promise to passwords, bearer/session tokens, and today's widespread session cookie theft. He describes lessons from TELUS's deployment of FIDO2 phishing-resistant tokens, the dangers of long-lived SSO tokens across SaaS ecosystems, and how agentic "auto-browse" could amplify harm via the "lethal trifecta" and ephemeral agents with poor auditability. Frey highlights the Syne/SignNet CISO Identity Handbook and calls for stronger cryptographic roots of trust, proof-based tokens, re-authentication across trust domains, and fine-grained delegation guardrails.

Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at Meter.com/cst

00:00 Sponsor Message 00:24 Weekend Edition Intro 00:32 Meet Carey Frey 02:07 Carey's Cyber Origin Story 03:47 Telus Security Two Hats 06:22 Identity's Broken Legacy 08:43 Why PKI Didn't Win 11:25 Passkeys Missed Moment 14:10 SSO Tokens Surprise 19:50 Session Theft Reality 23:18 Agentic AI Stakes 24:17 Building Identity Playbook 25:24 Identity Maturity Model 25:49 Fixing OAuth and SAML 27:00 Industry Call to Action 27:37 Where to Find the Handbook 28:06 Not a Vendor Pitch 30:13 Agentic AI Identity Gaps 31:30 Auto Browse Threat Scenario 33:12 Lethal Trifecta Explained 34:31 Ephemeral Agents and Forensics 37:08 Supply Chain Agent Malware 38:20 Crypto Roots of Trust 39:35 Proof Tokens and Reauth 40:17 Delegation Guardrails 42:34 Regulation or Market Forces 44:25 Practical Risk Decisions 46:20 Wrap Up and Next Resources 48:00 Sponsor and Closing Credits