Author of "Why CISOs Fail" is joining us today to tell us about the success of his first book as well as introduce us to his forthcoming book, "Security Hippie. Barak is best known for pioneering the concept of the virtual (or fractional) CISO model nearly two decades ago. Over the twenty years since then he has applied that model and strategy to b…

Ben Carr will lead us in a discussion about the origins of the role of CISO, roles/responsibilities, and what it's like to be a CISO. We'll touch on qualifications, organizational structure, its place in security and compliance, what it's like to be hero or scapegoat. All this and more! Show Notes: https://securityweekly.com/scw98 Visit https://www…

There’s something happening here – and what it is ain’t exactly clear to O.G hackers like John Threat or our own Mr. Jeff Man. We’re going to devote an episode talking about how things used to be back in the day from a hacker/penetration perspective and discuss how things are today. Are things better? Worse? Depends on your attack vector, perhaps? …

In the early days of PCI there was an online column called StorefrontBacktalk which focused on retail and technology issues. The column provided valuable insights from various specialists on the interpretation and application of many of the more challenging security requirements found in PCI DSS which was reflected in its tag line, “Techniques, Too…

CISA recently published guidance for how managed service providers (MSPs) should approach security for their operations based on the premise that cyber threat actors are known to target MSPs to reach their customers. MSPs provide remote management of customer IT and end-user systems and generally have direct access to their customers’ networks and …

Join us on this episode of SCW for a general discussion about how to do this whole security/compliance thing better; how compliance really needs to come first; how it's all risk-based or should be RGC not GRC; legal and privacy issues/focus - and how they help or hinder the cause; other factors like burnout/gatekeeping/etc. that all contribute to o…

With cybersecurity skills already in short supply, the prospect of losing what little workforce there is to pull from to resignations (especially in the context of the ‘Great Resignation’), is a disturbing one. Rick McElroy will speak to the causes of security burnout and the steps organizations need to take to prevent the loss of the precious reso…

Tony and Thomas will discuss the importance, value, and challenge of cross-mapping security frameworks, and the rationale and process used by CIS to create end support mapping, and some real-world examples and some real-life problems. Show Notes: https://securityweekly.com/scw92 Visit https://www.securityweekly.com/scw for all the latest episodes! …

We’re getting closer to the Q1 2022 release of PCI DSS 4.0, which is expected to differ from the current PCI DSS 3.2.1 version in a few key ways. This includes giving organizations more options in how they become compliant, along with customized implementation. In this podcast, Chris Pin, VP of Privacy and Compliance at PKWARE, will discuss what cu…

Tune in for this discussion on social engineering and its merits on being recognized as a legitimate component of cyber security. We'll also dive into the whole notion of motive and intent as it pertains to deliberately misrepresenting yourself, or simply lying to your customer in order to get them to be more secure. Show Notes: https://securitywee…

This week we're talking all things ISO27001 with Wim Remes! We're starting with what it is, the who, what, where, when, why etc. then we'll talk about the bad and the good. Tune in for this special listener requested topic! Show Notes: https://securityweekly.com/scw89 Visit https://www.securityweekly.com/scw for all the latest episodes! Follow us o…

This week, we welcome Casey Ellis, Founder/Chair/CTO at Bugcrowd, to talk about Compliance and “The Crowd”! Crowdsourcing and multi-sourcing focus on risk identification and reduction, and they seem to be effective... but my auditor doesn't understand what it is yet - Will it meet the requirements of security compliance standards? Jeff and Casey wi…

This week, we welcome Johanna Baum, CEO, Founder at Strategic Security Solutions, to talk about Activism v. Hacktivism! "Hacktivism" is a controversial term with several meanings. The word was coined to characterize electronic direct action as working toward social change by combining programming skills with critical thinking. But just as hack can …

This week, we welcome Jim Henderson, Insider Threat Mitigation Training Course Instructor & Consultant at Insider Threat Defense Group, Inc., to discuss Insider Threats Overview - Going Beyond The Norm! Show Notes: https://securityweekly.com/scw86 Visit https://www.securityweekly.com/scw for all the latest episodes! Follow us on Twitter: https://ww…

This week, we welcome Christopher Bulin, Founder & CEO at Proven PCI, to talk about The Truth Behind the Payments! SMB needs to understand the importance of being PCI compliant and that just because the verbiage on a website says the vendor is compliant, doesn't make the merchant compliant. Just because it says it from a service provider standpoint…

This week, we welcome Tim Callahan, SVP, Global CISO at Aflac, to talk about From Compliance to Resiliency: The Evolution of InfoSec! Because only maintaining compliance is not enough to protect your business from the ever-evolving threat landscape, in this session, we will consider the intersection and codependence of compliance with security, mat…

This week, we welcome Naomi Buckwalter, Founder & Executive Director at Cybersecurity Gatebreakers Foundation, to discuss Gatekeeping in Cybersecurity! The “cybersecurity skills gap” is a myth. There is no skills gap. There are tens of thousands of amazing, highly intelligent, passionate people around the world looking to break into cybersecurity, …

This week, we welcome Matthew Erickson, Vice President of Solutions at SpiderOak Mission Systems, to discuss Protecting Comm. & Collaboration in Contested Environments! Protecting digital communication and collaboration is critical to both our military and private sector industries in driving mission success. Our ability to secure the local and rem…

Priya Chaudhry joins us today as co-host and we are eager to catch up with her and get her legal perspective on recent litigations and proposed legislation that impacts our world of security and compliance. Hear ye, Hear ye! The court is now in session. Show Notes: https://securityweekly.com/scw81 Visit https://www.securityweekly.com/scw for all th…

This week, we welcome Joseph Kirkpatrick, President at KirkpatrickPrice, to talk about Your Security Is ALWAYS in Scope! Our client was using a hosted service to perform remote monitoring and management and resisted its inclusion in the audit scope. The vendor's external scans revealed critical vulnerabilities. Prior to a highly-publicized breach, …

We'll start with a brief discussion of what HIPAA and is not (e.g., it's doesn't prevent your employer from ask you about your health). Then discuss recent developments like ongoing how ransomware attacks are targeting healthcare and, when successful, are reportable breaches; and the recent final rule on interoperability and information blocking th…

This week, we welcome Steve Lenderman, Director, Strategic Fraud Prevention at ADP, to discuss CARES Act Fraud, Paying People & Fraudsters! We will review how synthetics are being utilized to perpetrate pandemic related frauds in the Payroll Protection Program and Unemployment Insurance. An overview of the government programs will take place with t…

Join Dr. Casey Marks for a two-part discussion of the merits of cybersecurity certification and learn whether and how it provides training or proves experience or both, the pros and cons, how to start or approach getting certified, and more! Visit https://www.securityweekly.com/scw for all the latest episodes! Follow us on Twitter: https://www.twit…

Join this segment with Danny Akacki to learn about educating both practitioners and executives on security topics of the day and helping to build community initiatives like trust groups and community groups like local DEF CON chapters. Show Notes: https://securityweekly.com/scw76 Visit https://www.securityweekly.com/scw for all the latest episodes!…

This week, we welcome Doug Landoll, CEO at Lantego, to talk about CMMC Program and the DIB Preparation! Doing business with the Federal government has always had its share of requirements and regulations, especially when it comes to storing, processing, or transmitting any sensitive data. In fact, organizations doing business with the Federal gover…

This week, we welcome Allan Friedman, Director of Cybersecurity Initiatives at NTIA, to discuss SBOM! What is SBOM? Who needs to think about this? Is this required today, and what might the future of compliance look like? What is in the recent EO? Show Notes: https://securityweekly.com/scw74 Segment Resources: https://ntia.gov/SBOM Visit https://ww…

A flurry of legislative and legal activity is re-shaping the way privacy and cybersecurity professionals conduct business. As a result, in addition to actually carrying out their protection responsibilities, professionals charged with protecting private and confidential data must be also be constantly aware of these evolving regulatory and legal ob…

Just last month, Virginia became the second state in the U.S. to pass a privacy law – the Consumer Data Protection Act (CDPA). While this doesn’t take effect until 2023, it’s important for businesses to understand what it means for them and start preparing for data security compliance now. Chris Pin, VP of Security and Privacy at PKWARE, will be di…

Richard Struse, Director of The Center for Threat-Informed Defense from MITRE Engenuity joins the SCW crew for a two part interview! -What is threat-informed defense and how does it relate to other aspects of cybersecurity? -The importance of ATT&CK as a lens through which you can view your security posture. -Center for Threat-Informed Defense R&D …

This week, we welcome Chris Hughes, Principal Cybersecurity Engineer at Rise8, to talk about Compliance Innovations in the Cloud. Cloud has and continues to disrupt many traditional business processes, activities and IT paradigms. Compliance will also be revolutionized by cloud computing. In this session we will dive into many of the headaches and …

Today we are going to take a look at security awareness training programs in organizations. We are joined to day by Kelley Bray and Stephanie Pratt who will help facilitate the discussion. We'll start with the history and evolution of security awareness programs; what has worked, or more precisely what hasn't worked. We'll also touch on how most se…

Errol will talk about his experiences with information sharing and building the world's first Information Sharing & Analysis Center in 1999. Errol brings unique perspective to the table as he was the service provider behind the Financial Services ISAC, then a subscriber and ISAC member for 13 years in the banking and finance sector. Show Notes: htt…

The SCW hosts discuss Rafal Los' recent blog post "Vulnerability Management is Still a Mess" ( https://blogwh1t3rabbit.medium.com/vulnerability-management-is-still-a-mess-27519ffcecc0 ). In the first segment, we will learn all about Rafal's cybersecurity background and why vulnerability management has not evolved in line with the technology. In the…

This week, Jeff, Liam Downward, Scott, & Josh talk PCI with Dan DeCloss and Shawn Scott from PlexTrac! Show Notes: https://securityweekly.com/scw66 Visit https://securityweekly.com/plextrac to learn more! Visit https://www.securityweekly.com/scw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Fac…

We're excited to have Priya Chaudry with us today, so we are going to focus our discussion on news and events with legal implications (or the legal implications of news and events)! For starters, the U.S. Cyber Command recently held a virtual edition of its 2021 Legal Conference. The annual conference explores current law and policy issues related …

This week, we welcome Jim Gilsinn, Principal Industrial Consultant at Dragos, to discuss ICS/OT Regulation! Industrial Control Systems (ICS) and Operational Technology (OT) have risks and consequences in the real world, such as the health and safety of people, but how those industries handle the potential cybersecurity risks varies greatly dependin…

This week, we welcome Albert "Nickel" Lietzau, V and Mike Volk from PSA Insurance & Financial Services! Nickel Lietzau and Mike Volk have heard that we are not huge fans of cyber insurance on SCW, and they have graciously agreed to subject themselves to our scrutiny. In the first segment we'll touch on common myths and misconceptions about Cyber In…

This week, we welcome John Threat, Hacker at Mediathreat, followed by Chris Cochran and Ronald Eddings from Hacker Valley Media! Jeff, Flee, & Scott talk to John Threat about his background and what led him to becoming a hacker. The world of hacking and the threat actors that do that sort of thing. What are the implications on comp sec in 2021 for …

This week, our co-host, Priya Chaudry will enlighten us on several other topics of interest to our community. There might be a mention of Solarwinds, Southwest Airlines, HIQ Labs, and more! We welcome our resident legal expert and co-host Priya Chaudry to catch us up on the status of the Supreme Court case concerning the Computer Fraud and Abuse Ac…

This week, we welcome Wendy Nather, Head of Advisory CISOs at Duo Security at Cisco, to discuss The Security Poverty Line! Securing an organization means more than just spending money. For those that fall below the "security poverty line," many other dynamics come into play that make it harder for them to accomplish even the basics. How do we help …

This week, we welcome Anthony Palmeri, Enterprise Account Executive at Ekran System, to talk Insider Threats! Mitigating insider threats is a key cybersecurity priority for any organization that works with sensitive data. And to do that, you need an insider threat program. Such a program not only is required by numerous cybersecurity regulations, s…

This week, we welcome Jim McKee, Founder & CEO at Red Sky Alliance for an interview!We're going to dissect what we know about the Sunburst/SolarWinds hack to this point - SCW style! We'll touch on the things that keep coming up in the news - attribution, conspiracy theories, implications, consequences, and so forth. In the second segment, we will s…

This week, we start the new year off with a roundtable discussion amongst the hosts looking back on the highs and lows of 2020! We don't want to have the typical "predictions" episode, but do want to chat about what we might expect in the coming year; what is changing? what is coming back? and when? (if at all)? Looking back: -Solarwinds (not in de…

The penetration testing mythology as it applies to information security is all screwed up. If nothing else, we're going to attempt to define a penetration test, focus on the goals, and what should be in a report. You better believe there is going to be an overarching "PCI" context to this discussion. We'll continue our discussion of penetration tes…

This week, we welcome Padraic O'Reilly, Chief Product Officer & Co-Founder at CyberSaint, to talk about The Cyber Risk/Compliance Transformation Solution! We want to take the time in the segment to formally introduce you to one of our new co-hosts, Mr. Fredrick "Flee" Lee. Flee is currently the Chief Security Officer for a company called Gusto and …

This week, we're going to take on a different aspect of the cybersecurity skills gaps in this episode. Namely, the lack of diversity in our industry when it comes to African Americans and what can we all do about it. To facilitate the discussion today we are joined by AJ Yawn, who is a founding board member of the National Association of Black Comp…

This week, we welcome Zulfikar Ramzan, Ph.D., Chief Digital Officer at RSA Security, to talk about how Zero Trust Intersects XDR in Today’s Digital Era! In the second segment, the SCW crew and Dr. Ramzan talk about Cyber Credit Score Industry! Someone made an offhand comment about the Cyber Credit Score Industry on one of our shows a couple weeks a…

This week, we have the pleasure of welcoming the newest member of the CRA/Security Weekly family, Adrian Sanabria! What is his role at Security Weekly, and what is the plan for rolling things out over the next 12-18 months? We'll continue the discussion with Adrian Sanabria and explore if and how the plans for CRA/Security Weekly will impact the Se…

This week, we welcome back Liam Downward, CEO at CYRISMA, to talk about Data, Data, Data! You've scanned your data to uncover risks and vulnerabilities and assigned accountability through mitigation plans to meet compliance mandates. Now you must classify, rank, prioritize and score your data to track efforts and stay organized. Show Notes: https:/…

This week, we welcome Frank Macreery, Co-Founder and CTO at Aptible, to talk about Cloud Computing Compliance: Intelligent vs. Basic Automations, this this special two part interview! Show Notes: https://wiki.securityweekly.com/scw50 Visit https://securityweekly.com/aptible to learn more about them! Visit https://www.securityweekly.com/scw for all …