Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform for GRC professionals, executives, and anyone else who wants to increase their knowledge in the GRC space!
"Compliance is the security referee - frameworks are the playbooks."In this episode, I'm joined by Tim Golden, Founder of Compliance Scorecard, to unpack the misunderstood, and mission-critical world of cyber GRC.Tim shares what he's learned from decades of hands-on work - from implementing NIST frameworks before “GRC” was even a term, to helping teams understand why writing policies is just as important as patching vulnerabilities.Here are some highlights from the episode:What GRC actually means - and why governance is the most misunderstood partWhy people who say "compliance isn't security" are missing the pointHow explaining the "why" of cybersecurity controls aids in acceptanceWhy data retention policies can protect you from major legal headachesAnd yes… a story about how Tim accidentally ransomwared himself
Cybersecurity frameworks can learn a lot from HITRUST.In this episode, Ryan Patrick of HITRUST explains how HITRUST approaches the assurance problem, from centralizing the certification process to frequent updates to the control sets based on threat data.I barely knew anything about HITRUST going in, but it's clear they're tackling the cybersecurity assurance problem in a radically different way.Here's what stood out to me:HITRUST reviews its security controls quarterly based on threat intel and control effectivenessThere are three distinct assessment levels (like CMMC)HITRUST itself issues a certification after the 3rd party assessment and running the assessment results through two stages of QAEvery 3rd assessment gets reviewed. Every. Single. One.The centralized approach of HITRUST allows them to provide feedback to its assessment community after each and every assessment which results in assessments that are more consistent and higher quality.HITRUST certified organizations are contractually required to report incidents which then allows them to evaluate the effectiveness of their controls.I personally think that commercial cybersecurity frameworks should take a look at HITRUST.What were your biggest takeaways? Let me know in the comments.Follow Ryan on LinkedIn: https://www.linkedin.com/in/ryan-patrick-3699117a/HITRUST Website: https://hitrustalliance.net/-----------Thanks to our sponsor Vanta!Get back time to focus on strengthening security and scaling your business.Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e8&utm_campaign=courses#hitrust
"Outread the others" - that's how Ryan Bonner mastered CUI.If you're confused about Controlled Unclassified Information (CUI) - you're not alone. Many defense contractors (not to mention DoD themselves) misunderstand what is CUI, where it comes from, and how to handle it.In this episode, Ryan Bonner, CEO of DEFCERT, gives a masterclass in understanding CUI from the actual laws and regulations - not just hearsay.
HR guy leads his company to CMMC level 2 certification!
CMMC rolls out in a few months and there are STILL companies who are JUST getting started!In this episode I'm joined by Daniel Akridge of Summit 7 to talk about the real challenges facing the Defense Industrial Base - and the FASTEST path to CMMC certification.To CUI Enclave, or not to CUI enclave - that is the question!
“We built a second company from scratch…”Is that what it takes for MSPs to get CMMC'd!?!
Preparing for a CMMC assessment, but don't know what to expect?Get ready to learn from CMMC Lead Assessor Fernando Machado as he explains EXACTLY what happens in each phase of the CMMC assessment process!Fernando is the Managing Principal of Cybersec Investments which is an authorized C3PAO. Fernando has been involved with CMMC starting in 2020 as a member of the Cyber AB's Standards Management Industry Working Group.Cybersec Investments has already issued 12 CMMC certifications since CMMC assessments began in January of 2025 and previously participated in nearly 20 Joint Surveillance Voluntary Assessments (JSVAs).
CMMC and DFARS compliance is hard - especially in the cloud.Got AWS? They've given you tools that make compliance much easier!In this episode, I sit down with Travis Goldbach from Amazon Web Services (AWS) to break down the solutions AWS has created to simplify CMMC and DFARS compliance.
It's been a long and wild ride on this #cmmc ship! ⛵In this episode, I speak with Stacy Bostjanick who is the Director of the CMMC program at DoD CIO!Here are some highlights from the episode:Expectations for the initial phase in of CMMCWho determines CMMC levels for contracts?How will CMMC waivers work?Criteria for CMMC level 2 self-assessments and CMMC level 3Early use of NIST 800-171 r3And so much more!First mentioned in 2019, CMMC 1.0 was released in 2020 under the Trump administration.CMMC 1.0 was reviewed during the Biden administration, they released CMMC 2.0 in late 2021, and then… There was a great silence.If you threw a small rock, you'd hit ten people who thought CMMC was going away.All this time though, the DoD was quietly marching on.They released the proposed CMMC program rule in December 2023 and released the final CMMC program rule in October 2024 - which is now EFFECTIVE.After all of that, CMMC will FINALLY begin to phase into DoD solicitations and contracts by this summer.CMMC has been a LONG time coming, and it was an honor to hear the back story and why certain decisions were made!What were your biggest takeaways? Let me know in the comments!Follow Stacy on LinkedIn: https://www.linkedin.com/in/stacy-bostjanick-a3b67173/DoD CIO CMMC website: https://dodcio.defense.gov/CMMC/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e43&utm_campaign=courses#cmmc #nist #cybersecurity
Your MSP could be a CMMC disaster.
Should you NEVER pay after a ransomware attack?In this episode I speak with Frank Riccardi about cybersecurity in healthcare and the event that triggered much more cyber accountability for the C-suite.Here are some of the highlights:Why healthcare workers are prone to social engineering attacksReasons you SHOULD and should NOT pay after ransomware attacksManaging shadow IT after acquisitions/mergersWhy every member of the C-suite must understand cyberThe importance of a culture of reportingFrank is a former C-level executive with 25 years of experience developing compliance and privacy programs for large healthcare systems comprised of hospitals, physician practice groups, urgent care centers, and other healthcare organizations.I really enjoyed Frank's description of shadow IT! I always thought of an employee who is using an unauthorized application, but I never thought of it from the standpoint of an acquisition/merger.What stood out most to you? Whatever your thoughts are, feel free to let me know in the comments!Follow Frank on LinkedIn: https://www.linkedin.com/in/frank-riccardi-261831b1/Frank's Book (Mobilizing the C-Suite: Waging War Against Cyberattacks): https://www.amazon.com/Mobilizing-C-Suite-Waging-Against-Cyberattacks/dp/1637424248/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e41&utm_campaign=courses#cybersecurity #healthcare #hospital #informationtechnology
SOC 2 isn't the only SOC out there!
Do you use Android at work, but don't really understand it?In this episode Hahna Kane Latonick teaches an Android cybersecurity masterclass for cyber GRC teams:Here are a few highlights from this episode:How the Android project is managedHow Android devices are compromisedThe many steps to update Android devicesMost important steps to secure Android devicesIs Apple more secure than Android?Hahna is the Director of Security Research at Dark Wolf Solutions. Some of her focuses include Android reverse engineering and exploit development. She has been featured on national media outlets including Fox Business News, ABC News, and many others!Too often companies integrate mobile devices at work without truly understanding how they work and the risks involved.Hahna explained these concepts so well! And of course, we had some back and forth on what is more secure, Android or Apple.I really enjoyed this episode and learned more about Android myself! What were your takeaways?Follow Hahna on LinkedIn: https://www.linkedin.com/in/hahnakane/Dark Wolf Solutions Website: https://darkwolfsolutions.com/Android Security Research Playbook: https://asrp.darkwolf.io/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e38&utm_campaign=courses#android #cybersecurity #informationsecurity
Introducing the Penn State Whistleblower.In this episode, the whistleblower explains how he tried to stop Penn State from misrepresenting their NIST 800-171 compliance to the DoD and what he has faced since he blew the whistle!Whistleblower attorney Julie Bracker also shares what the media got wrong in this case and the latest on the Georgia Tech FCA case!Here are a few highlights from this episode:- Hear directly from the whistleblower in this False Claims Act case- What the media got wrong- Recommendations to universities- Advice for other whistleblowersMatthew Decker was the Chief Information Officer at the Applied Research Laboratory at Penn State from 2015 until 2023 and the interim Vice Provost and CIO responsible for all of Penn State from January 2016 until September 2016. Matthew currently serves as the Chief Data and Information Officer at NASA's Jet Propulsion Laboratory since 2023.It was fascinating to learn that the university assumed compliance with their own AD95 security policy meant they were automatically compliant (at least to some measure) with NIST 800-171. This is a great reminder that the details always matter!Special thanks to Matt for sharing his story with us, and to Julie Bracker for coordinating this interview!Follow Julie on LinkedIn: https://www.linkedin.com/in/juliekeetonbracker/Bracker & Marcus LLC Website: https://www.fcacounsel.com/Connect with Matt on LinkedIn: https://www.linkedin.com/in/matt-decker-cio/Whistleblower's Handbook: https://www.amazon.com/New-Whistleblowers-Handbook-Step-Step/dp/1493028812/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e37&utm_campaign=courses#whistleblower #cmmc #cybersecurity
Confused about Microsoft 365 and DFARS/CMMC compliance?In this episode, I speak with Richard Wakeman, Chief Architect for cybersecurity of Aerospace & Defense @ Microsoft!We discuss the history of the government clouds, the need behind GCC and GCC High, and much more!Here are some highlights:The origins of the Microsoft cloudsWhich clouds support DFARS 7012 complianceWhen will GCC High be FedRAMP authorized?CUI enclave considerationsRichard is a wealth of knowledge, and I have personally benefited from his compliance blog articles since at least 2020!If you are currently operating in the Microsoft cloud or are trying to decide which Microsoft cloud to buy, you won't want to miss this!Were you aware that GCC High isn't FedRAMP authorized yet? What about Microsoft 365 commercial not being compliant with DFARS 7012?Whatever your thoughts are, let me know!Follow Richard on LinkedIn: https://www.linkedin.com/in/wakeman/Microsoft Cloud compliance article: https://techcommunity.microsoft.com/t5/public-sector-blog/understanding-compliance-between-commercial-government-dod-amp/ba-p/4225436Microsoft 365 Roadmap: https://www.microsoft.com/en-us/microsoft-365/roadmap-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e36&utm_campaign=courses
Is your MSP a cybersecurity liability?In this episode, I speak with Brian Hubbard, President of Evolved Cyber Solutions and the MSP Cybersecurity Exchange!We discuss the state of MSP cybersecurity and how MSPCyberX is elevating the security posture of MSPs everywhere!Here are some highlights:- Why MSPs are so critical to our nation's security- The inevitable regulations that will target MSPs- MSPs involvement during CMMC assessments- How MSPCyberX can helpGRC Academy partnered with MSPCyberX early on to provide CMMC training to its members at a discount! It was great to hear about MSPCyberX's origin story!If your MSP is not a member of MSPCyberX, it is in your best interest that they join!Follow Brian on LinkedIn: https://www.linkedin.com/in/brian-scott-hubbard/Follow MSPCyberX on LinkedIn: https://www.linkedin.com/company/mspcyberx/MSPCyberX Website: https://www.mspcyberx.com/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Register for Vanta's webinar on Questionnaire Automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e34&utm_campaign=courses
FREE CMMC gap assessments!! FREE penetration tests!! FREE SOC & incident response!!This is a hidden CMMC treasure that no one's talking about!In this episode, I speak with Darren Mott about the FREE cybersecurity services offered to the DIB by the National Cybersecurity Operations Center!Here are some of the FREE services they offer:CMMC gap assessmentsPenetration testingSOC & Incident responseForensic analysisThreat intelligenceI had no idea the National CSOC existed! This is an AMAZING opportunity that small defense contractors should take advantage of quickly before they reach capacity!On another note, I actually listened to Darren's podcast when it first came out. I never thought I'd actually host a podcast let alone speak with him!Follow Darren on LinkedIn: https://www.linkedin.com/in/darrenmott/The CyBUr Guy Podcast: https://podcasts.apple.com/us/podcast/the-cybur-guy-podcast/id1526491250National CSOC Website: https://nationalcsoc.com/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Register for Vanta's webinar on Questionnaire Automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e34&utm_campaign=courses
Want a high paying job in GRC? Want to build a powerful GRC team?In this episode, I spoke with Kenneth Moras, Security GRC Lead at Plaid.Kenneth has worked in critical GRC roles in big tech companies like Adobe and Meta! He was heavily involved in the cyber response to international regulators after severe breaches.Here are some highlights:What you need to do and know to get a job in GRCHow to master GRC3 critical skillsets you need in your cyber GRC teamHow regulatory incident response differs from traditional cyber incident responseKenneth is a true GRC master! His advice for folks wanting to get into GRC is the best I've heard! His tips on building successful GRC teams were excellent as well!What were your biggest takeaway? Do you agree that GRC teams need technical knowledge? Looking forward to your thoughts!Follow Kenneth on LinkedIn: https://www.linkedin.com/in/kennethmoras/Plaid Website: https://plaid.com/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Register for Vanta's webinar on Questionnaire Automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e33&utm_campaign=courses
Throw away your plastic driver's license - digital IDs have entered the chat!In this episode, I spoke with Dr. Paul Ashley, the CTO of Anonyome Labs.Paul explains how widespread online surveillance is, the evolution of digital identity from centralized to decentralized models, how digital wallets work, and what big tech doesn't want you to know!Here are a few highlights from this episode:Big tech's surveillance economyEvolution of digital identityDecentralized IdentityGlobal adoption of digital ID wallets - including in the USA!I had no idea this was happening. More than 20 states in the USA are adopting digital driver's licenses!It's fascinating to think of how digital IDs could be used personally and at work!It's also scary to think of how some governments could abuse this technology.Whatever you think, I'm looking forward to hearing your thoughts!Follow Paul on LinkedIn: https://www.linkedin.com/in/drpaulashley/Anonyome Labs Website: https://anonyome.com/My Sudo App: https://mysudo.com/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Register for Vanta's webinar on Questionnaire Automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e32&utm_campaign=courses
Introducing the Georgia Tech Whistleblowers.In this episode, the whistleblowers explain how they tried to stop Georgia Tech from allegedly LYING to the government about their NIST 800-171 compliance and what they have faced since they blew the whistle!Whistleblower attorney Julie Bracker also shares what could come next and how much Georgia Tech may have to pay out!Here are a few highlights from this episode:Hear directly from the whistleblowers in this False Claims Act caseDetails on the "Fictitious" NIST 800-171 SPRS ScoreHow much money Georgia Tech might have to payRecommendations to universitiesAdvice for other whistleblowersBoth of the whistleblowers have a long history with Georgia Tech and truly care for the institution.Christopher Craig has worked at Georgia Tech for more than 20 years. He was the Associate Director of Cybersecurity where he managed all central cyber security personnel and built the GRC team until Georgia Tech demoted him to an Enterprise Security Architect.Kyle Koza worked at Georgia Tech for more than 15 years until he left his role as a Principal Information Security Engineer in 2022. He got his bachelor's and master's degrees from Georgia Tech and also co-wrote and still teaches a security incident response master's degree course at the university.I thought Christopher's recommendation (24:37) for universities to centralize their labs was excellent!How can a university expect to maintain its NIST / CMMC compliance if multiple labs are built and managed by different teams who may not even be familiar with the NIST 800-171 security controls?I also loved hearing Chris tell us about the support he has received from the cyber community (38:00)! Who in cyber doesn't want to do the right thing? I would like to think those with bad intent are an extremely small percentage.Special thanks to Christopher and Kyle for sharing their stories with us, and to Julie Bracker for coordinating this interview!Follow Julie on LinkedIn: https://www.linkedin.com/in/juliekeetonbracker/Bracker & Marcus LLC Website: https://www.fcacounsel.com/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Register for Vanta's upcoming webinar on Questionnaire Automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e31&utm_campaign=courses
Zero Trust is NOT complicated!Don't believe me? Let me introduce you to its creator!In this episode, Jacob speaks with John Kindervag, the creator of Zero Trust.John is the Chief Evangelist at Illumio where he accelerates awareness and adoption of Zero Trust Segmentation.In the episode he shares the origin story of Zero Trust starting with his time at Forrester Research. He explains the fundamental principles of Zero Trust, debunks common misconceptions, and how you can implement Zero Trust using a 5-step model.Here are a few highlights from this episode:The broken trust model that has allowed the largest data breachesDefining Zero Trust and misconceptions about itHow to implement zero trust in 5 steps"Things Run Amok" poem - if Dr. Seuss wrote about the Internet of ThingsJohn's elevator pitch for Zero Trust is a masterclass in itself.If you want to convince business leaders to invest in cybersecurity, you have to focus on how that investment will benefit the business. John does exactly that here and we should all take note.Illumio is a Zero Trust Segmentation company that prevents breaches and ransomware from spreading across hybrid environments. Their platform visualizes traffic flows, automatically sets granular segmentation policies, and isolates critical assets and compromised systems. Founded in 2013, Illumio protects organizations of all sizes, from Fortune 100 to small businesses.Follow John on LinkedIn: https://www.linkedin.com/in/john-kindervag-40572b1/Illumio Website: https://www.illumio.com/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Register for Vanta's upcoming webinar on Questionnaire Automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e30&utm_campaign=courses
Introducing the Cisco Whistleblower.In this episode, Jacob speaks with lawyer Hamsa Mahendranathan about the FIRST cybersecurity False Claims Act (FCA) lawsuit that reached a settlement!This goes all the way back to 2008 believe it or not… The lawsuit was FINALLY settled in 2019!As we all know, the DoJ has intervened in the Georgia Tech NIST 800-171 FCA whistleblower complaint.Wonder what the whistleblowers may be dealing with? Maybe you want to blow the whistle yourself and don't know what to expect?Here are a few highlights from this episode:How Hamsa's client unwittingly became a whistleblowerThe fallout he experienced for doing the right thingMitigations for career consequences of blowing the whistleThe complexity of working with federal, state, and local False Claim Act lawsAnd so much more!If you are interested in the False Claims Act and cyber compliance, you won't want to miss this one! This episode is truly one for the history books!Read the whistleblower complaint: https://cdn.grcacademy.io/web/20240824091900/us-ex-rel-glenn-vs-cisco-fca-complaint.pdfFollow Hamsa on LinkedIn: https://www.linkedin.com/in/hamsa-mahendranathan/Whistleblower Partners Website: https://www.whistleblower.law/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Register for Vanta's upcoming webinar on Questionnaire Automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e29&utm_campaign=courses
Think your users are resistant to CMMC? You ain't seen nothin' yet!In this episode, Jacob speaks with Daniel Stark of Meerkat Cyber about the unique CMMC compliance challenges in a manufacturing environment.Here are some highlights:Daniel's experience running IT in a family-owned manufacturing shopHow Controlled Unclassified Information (CUI) flows on the shop floorPhysical and environmental security constraints unique to manufacturingHow ISO 9001 / AS9100 can help get the buy in for CMMCAdvice for manufacturing IT staff dealing with CMMC complianceTips on hiring the right CMMC consultant and assessorI really enjoyed learning more about how machine shops operate and the unique challenges they have when it comes to CMMC compliance!It's awesome that there are folks in the CMMC ecosystem that are familiar with manufacturers!Manufacturing is an extremely different type of environment and in my opinion "normal" office IT assessment experience won't cut it. Hire wisely, folks!Follow Daniel on LinkedIn: https://www.linkedin.com/in/daniel-stark-a85694222/Meerkcat Cyber Website: https://meerkatcyber.com/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Register for Vanta's upcoming webinar on Questionnaire Automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e28&utm_campaign=courses
So… How do I get a CMMC'd early?In this episode, Jacob speaks with Steven Molter of IntelliGRC about his experiences helping IntelliGRC clients complete NIST 800-171 Joint Surveillance Voluntary Assessments (JSVAs).Here are some highlights:The JSVA process & how to request oneThe different teams within DIBCACThe challenge of subjectivity during assessmentsAdvice for companies preparing for JSVAsHow a company convinced DIBCAC to "upgrade" from a traditional DIBCAC high assessment to a JSVAAccording to the proposed CMMC program rule, JSVAs are eligible to convert to CMMC level 2 certifications once the CMMC program goes live assuming certain conditions are met:Perfect assessment scoreNo open assessment POA&MsSteve shared some great lessons for those preparing for JSVAs and CMMC assessments. If you're prepping for either, you won't want to miss this episode!Also, just in case you didn't know, IntelliGRC customers receive my DIB-focused CMMC Overview Training! No other GRC platform that I'm aware of today provides comprehensive foundational CMMC training to their customers!If you are looking for a GRC platform to manage your CMMC compliance program, check out IntelliGRC!Follow Steve on LinkedIn: https://www.linkedin.com/in/steven-molter-apologeticz/Follow IntelliGRC on LinkedIn: https://www.linkedin.com/company/intelligrc/IntelliGRC Website: https://www.intelligrc.com/IntelliGRC YouTube Channel: https://www.youtube.com/@intelligrc-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e27&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode, Jacob speaks with Brian Kowalski, Senior Vice President of Federal at Hypori.In the episode they discuss Hypori's origin story and its innovations in the mobile security space.Here are some highlights from the episode:Hypori's origin story and its roots starting as an NSA Commercial Solutions for Classified Program (CSfC) productHow it is different from traditional Mobile Device Management (MDM)How it works, its certifications, and its deployment optionsHow Hypori can help achieve CMMC complianceWe don't think about it much, but mobile devices really are a huge risk - just think of how much information is on your phone!If you work in cybersecurity, you should know about this unique option to provide secure mobile access!Follow Brian on LinkedIn: https://www.linkedin.com/in/brian-kovalski-057b8a7/Hypori Website: https://www.hypori.com/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e26&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode, Jacob speaks with Mr. Mark Nicholls!Mark is the CEO of Information Professionals Group and has over 30 years of experience!In the episode they discuss the business case for information security, and how cybersecurity professionals can effectively communicate with the C-suite and other business leaders!Here are some highlights from the episode:The Importance of information security in businessThe Importance of securing dataHow cyber professionals should engage with business leadersRoleplaying exercise - bad/good examples of a cyber pro trying to convince a CEOHow active listening can help you make a differenceFollow Mark on LinkedIn: https://www.linkedin.com/in/markdnicholls/Information Professionals Group Website: https://www.informpros.com.au/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e25&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode, Jacob speaks with Penetration Tester & Social Engineer Chris Silvers!Chris Silvers is the founder of CG Silvers Consulting! Chris has a vast amount of experience ranging from CMMC assessments to penetration testing. He even won the prestigious DEF CON black badge during the DEF CON 24 Social Engineering Capture the Flag (SECTF)!In this episode they focus on how organizations can defend against social engineering attacks!Here are some highlights from the episode:Winning the DEF CON SECTF black badgeSocial engineering tactics and toolsCEO impersonation / fraud attacksHow can GRC help defend against social engineering?Why businesses shouldn't start with a penetration testFollow Chris on LinkedIn: https://www.linkedin.com/in/cgsilvers/Chris's Website: https://www.cgsilvers.com/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e24&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode, Jacob speaks with ISO 27001 expert Aron Lange!Aron is the founder of the GRC Lab, and a Udemy instructor with more than 11,000 students! He is an experienced auditor for management systems based on ISO 27001, ISO 9001, ISO 27018 and ISO 22301.In this episode they discuss the essentials of ISO 27001 including the history of the standard and the changes in the latest revision, but also the significance of the organizations involved and the danger of ISO “certification paper mills.”Here are some highlights from the episode:The history of ISO 27001Changes in ISO 27001:2022Who are the IAF, accreditation bodies, and certification bodies?The importance of hiring an IAF affiliated certification bodyISO scopingMaintaining an ISO certificationBest practices for internal auditsFollow Aron on LinkedIn: https://www.linkedin.com/in/aronlange/Aron's Udemy courses: https://www.udemy.com/user/aron-lange/Aron's Website: https://www.aronlange.com/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e23&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode, Jacob speaks with cybersecurity researcher Patrick Garrity!Patrick Garrity is a seasoned security researcher at VulnCheck where he focuses on vulnerabilities, vulnerability exploitation and threat actors.In this episode they discuss the importance of integrating threat intelligence into vulnerability management using the Exploit Prediction Scoring System (EPSS), CISA Known Exploited Vulnerabilities Catalog, and the changes in CVSS 4.0!Here are some highlights from the episode:How Exploit Prediction Scoring System (EPSS) can predict exploitationHow vulnerability scanners integrate EPSSCISA's Known Exploited Vulnerabilities (KEV) CatalogThe national security implications of vulnerability managementFollow Patrick on LinkedIn: https://www.linkedin.com/in/patrickmgarrity/VulnCheck Website: https://vulncheck.com/Thanks to our sponsor Keeper Security!Need a FedRAMP authorized Password Manager? See how Keeper can help you comply with CMMC: https://www.keepersecurity.com/cmmc/?utm_source=grcacademy&utm_medium=display&utm_campaign=cmmc_videoStart a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e22&utm_campaign=courses
In this episode, Jacob speaks with attorney Julie Bracker!Julie is the whistleblower attorney for both the Penn State University and Georgia Tech University FCA complaints. These complaints essentially allege the defendants misrepresented their compliance with NIST 800-171!They discuss the False Claims Act and the DOJ's Civil Cyber Fraud Initiative, and what federal contractors can do to avoid being the subject of a whistleblower complaint!Here are some highlights from the episode:What is the False Claims Act?What is the DoJ's Civil Cyber Fraud Initiative?What are the risks and rewards for whistleblowers?Who are the targets of the initiative?Can companies blindly rely on their MSP and be safe?How to quantify damages of cyber noncompliance fraudDoJ Civil Cyber Fraud settled lawsuits so farGeorgia Tech and Penn State FCA casesFollow Julie on LinkedIn: https://www.linkedin.com/in/juliekeetonbracker/Bracker & Marcus LLP Website: https://www.fcacounsel.com/Penn State FCA Complaint: https://cdn.grcacademy.io/web/20240325204912/penn-state-university-false-claims-act-complaint.pdfGeorgia Tech FCA Complaint: https://cdn.grcacademy.io/web/20240325204909/georgia-tech-university-false-claims-act-complaint.pdf2023 DoJ Report of FCA settlements (more than $2.68 billion): https://www.justice.gov/opa/pr/false-claims-act-settlements-and-judgments-exceed-268-billion-fiscal-year-2023-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e21&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode, Jacob speaks with a panel of information security experts from universities about CMMC and their experience preparing for it!They discuss security and compliance challenges at universities, the Penn State NIST 800-171 False Claims Act lawsuit, and much more!Here are some highlights from the episode:How universities are different from other types of organizationsDifferent compliance requirements for universitiesWho is involved in the execution of a government contract?The drivers of cybersecurity compliance at universitiesThoughts on the Penn State False Claims Act lawsuitHow to drive positive cybersecurity change at a universityCUI enclaves at universitiesAreas of CMMC that need clarificationHere are the panelists:Jay Gallman - Duke University (https://www.linkedin.com/in/jay-gallman/)Kolin Hodgson - Notre Dame (https://www.linkedin.com/in/kolin-hodgson-cisa-cissp-4bbb9a/)Melissa Kimble - University of Maine (https://www.linkedin.com/in/melissa-kimble/)Wendy Epley - University of Arizona (https://www.linkedin.com/in/wendyepley/)Thanks to our sponsor Keeper Security!Need a secure file sharing solution? Register for a webinar showing how Defense Contractors can share sensitive information using Keeper: https://grcacademy.io/ref/keeper/webinar-cmmc-file-sharing-april-2024/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e20&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode, Jacob talks to Dr. Raghuram Srinivas from MetricStream!They discuss the beginnings of AI, how it has evolved over time, and the risks and opportunities it presents to companies around the world!Raghuram is the Senior Vice President of Product Management at MetricStream. He is an AI expert and has worked in AI-focused roles at JPM Chase, KPMG, as well as the Watson Group at IBM.Here are some highlights from the episode:The history of AIHow do large language models (LLMs) work?AI for GRC & GRC for AIUsing AI in cyber operationsThe future of cyber riskFollow Ragu on LinkedIn: https://www.linkedin.com/in/raghuramsrinivas/MetricStream website: https://www.metricstream.com/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online cyber GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e19&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode, Jacob talks to Patrick Perry from Zscaler. They discuss Zscaler's experiences navigating the FedRAMP and DoD Impact Level processes as well as Zero Trust!Pat is a cybersecurity expert with over 20 years of experience. He currently works at Zscaler as Field CTO and is responsible for the alignment of Zscaler capabilities to the DoD and IC mission sets in order to provide dynamic, mission-focused, innovative approaches to enable transformation and zero trust to warfighter organizations.Zscaler U.S. Government Solutions enables the U.S government and their strategic partners to securely transform their networks and applications for a mobile and cloud-first world. Zscaler's FedRAMP Moderate/High/DoD IL5-authorized solutions ensure fast, secure connections between users and applications, regardless of device, location, or network.Here are some highlights from the episode:Zscaler's Approach to FedRAMP, DoD Impact Levels, and CMMCShared Responsibility Between Cloud Service Providers and UsersWhat Zero Trust is and how it relates to CMMCZero Trust PillarsThoughts on Federal Approach to Zero TrustFollow Patrick on LinkedIn: https://www.linkedin.com/in/perrypn2019/Zscaler website: https://www.zscaler.com/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e18&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob speaks with Derrich Phillips from Aspire Cyber about best practices and tips when filling out cybersecurity questionnaires.Derrich Phillips is a cybersecurity expert with over 20 years of experience in the field. He started his career in the Army's security operations center, defending networks against cyber attacks. As the founder of Aspire Cyber, he focuses on helping small companies prove their cybersecurity readiness to handle information for enterprise customers.Here are some highlights from the episode:How Derrich get into cybersecurityThe what and why of security questionnairesHow to save time and money while filling out a security questionnairesWhen to push back on overly burdensome requirementsCheck out this video where Derrich and I discuss how ChatGPT can be used in information security compliance: https://youtu.be/IAAJPJLBeaYFollow Derrich on LinkedIn: https://www.linkedin.com/in/derrichphillips/Aspire Cyber website: https://www.aspirecyber.com/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e17&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob speaks with Shauna Weatherly from FedSubK.com.Shauna recently retired from the federal government after serving more than 35 years in the federal acquisition / contracting space! During her career she served as chief of contracting, contracting officer representative, and as an advisor to the Civilian Agency Acquisition Council (CAAC).She even has direct experience in the federal rulemaking process, and contributed to FAR case 2017-016, also known as the FAR CUI rule, which will contractually require the implementation of NIST SP 800-171 on federal contracts.Join us as we pull back the curtain on the federal rulemaking process and more!Here are some highlights from the episode:Shauna's backgroundSteps and roles involved in the federal rulemaking processWhat is a FAR case?What is OIRA's role?The relationship between the FAR and DFARSHow to provide effective public comments on regulationsImpacts of FAR case 2017-16 - CUI ruleImpacts of FAR case 2021-17 - Cyber Threat and Incident Reporting and Information Sharing regulationImpacts of FAR case 2021-019 - Standardizing Cybersecurity Requirements for Unclassified Information SystemsFollow Shauna on LinkedIn: https://www.linkedin.com/in/shauna-weatherly/FedSubK website: https://www.fedsubk.com/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e16&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob speaks with Michael Greenman from Deltek.Michael has worked in government and cloud-based technology for over 20 years, and currently works at Deltek in the Product Strategy group and is the evangelist for cybersecurity compliance and cloud services!Michael shares Deltek's perspective on security and compliance as a cloud service provider.Here are some highlights from the episode:How Michael got into cybersecurityDeltek's government cloudsDFARS 252.204-7012's C - G incident reporting requirementsHow cloud providers can demonstrate FedRAMP moderate equivalencyWhat is a shared responsibility matrixThe need for a defense focused CSP / ESP / MSP marketplaceFollow Michael on LinkedIn: https://www.linkedin.com/in/michael-greenman-94952a3/Deltek website: https://www.deltek.com/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e15&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob speaks with Dr. Thomas Graham who is a CMMC assessor.Thomas is the Vice President and CISO at Redspin, and Redspin is the first CMMC Third Party Assessor Organization (C3PAO)!This episode has a lot of great information for the defense industrial base!Here are some highlights from the episode:Redspins' experience becoming the first C3PAONotable changes in NIST 800-171 r3CMMC challenges and misconceptionsTips for selecting the right CMMC consultant and assessorOther countries interested in CMMCEach phase of the CMMC assessment processWhat CMMC practices can be POA&M'd according to current guidanceAnd more!Follow Thomas on LinkedIn: https://www.linkedin.com/in/tgrahamphd/Redspin website: https://www.redspin.com-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e14&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob Hill talks with Jacob Horne from Summit 7!Jacob Horne is Summit 7's Chief Security Evangelist, and has a unique genetic superpower that allows him to delve into NIST publications & government regulations without experiencing even a hint of boredom!In the episode Jacob Horne explains the history leading up to the CMMC program, when CMMC may be required, and the significance of the FAR CUI rule!Here are some key topics we discussed:How he started in cybersecurityThe history leading up to CMMCWhat is rulemakingThe two CMMC rules we are waiting onWhen CMMC may appear in contractsThe FAR CUI rule and its importanceWhy DHS and VA regulations were silent on NIST 800-171When will the FAR CUI rule drop?Follow Jacob on LinkedIn: https://www.linkedin.com/in/jacob-evan-horne/Summit 7 website: https://www.summit7.us/Jacob Horne's Deep dive on CMMC rulemaking timeline: https://www.youtube.com/watch?v=qyLDQxo-YPgFederal Rulemaking book: https://www.amazon.com/Rulemaking-Government-Agencies-Write-Policy/dp/1483352811/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e13&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob talks with Dr. Ron Ross from NIST! This is the final of a three-part series with Dr. Ross.In the episode Dr. Ross shares his thoughts on topics like ChatGPT, zero trust, his top 5 security controls, advice to folks new to cybersecurity, and much more!Here are some key topics we discussed:Top challenges in federal cybersecurity complianceHow to enable positive cybersecurity cultureThe missing strategic view in cybersecurityZero TrustLLMs like ChatGPTThe importance of managing complexityDr. Ross's top 5 critical security controlsCareer advice to folks new to cybersecurityDr. Ross is the author of multiple publications including Risk Management Framework (RMF), NIST 800-53, NIST 800-171, and many more!Dr. Ross leads the FISMA Implementation Project which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure.He also leads the Joint Task Force, an interagency group that includes the DoD, U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for developing a unified information security framework for the federal government and its contractors.Follow Ron on LinkedIn: https://www.linkedin.com/in/ronrossecure/NIST CSRC Website: https://csrc.nist.gov/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e12&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob talks with Dr. Ron Ross from NIST! This is the 2nd of a three-part series with Dr. Ross.In the episode Dr. Ross shares a status update on NIST 800-171 revision 3. At the time of this recording, NIST has released the 1st initial draft, and the 1st public comment period has closed.Here are some key topics we discussed:Notable changes in NIST 800-171 r3Thoughts on public commentsStrategy on the ODPsEncryption (FIPS 140) control ODPIndependent Assessment controlSecurity Protection AssetsImplementation examplesDr. Ross is the author of multiple publications including Risk Management Framework (RMF), NIST 800-53, NIST 800-171, and many more!Dr. Ross leads the FISMA Implementation Project which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure.He also leads the Joint Task Force, an interagency group that includes the DoD, U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for developing a unified information security framework for the federal government and its contractors.Follow Ron on LinkedIn: https://www.linkedin.com/in/ronrossecure/NIST CSRC Website: https://csrc.nist.gov/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e11&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob talks with Dr. Ron Ross from NIST! This is the 1st of a three-part series with Dr. Ross.In the episode Dr. Ross shares the fascinating history of NISTs involvement in cyber security!Here are some key topics we discussed:How he started at NIST and the projects he has worked onNIST's and the Joint Task Force's MissionHow he convinced the DoD to transition from DIACAP to RMFThe history of continuous monitoring programThe origins of NIST 800-171Why NIST did not adopt ISO 27001The goal of NIST 800-160Dr. Ross is the author of multiple publications including Risk Management Framework (RMF), NIST 800-53, NIST 800-171, and many more!Dr. Ross leads the FISMA Implementation Project which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure.He also leads the Joint Task Force, an interagency group that includes the DoD, U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for developing a unified information security framework for the federal government and its contractors.Follow Ron on LinkedIn: https://www.linkedin.com/in/ronrossecure/NIST CSRC Website: https://csrc.nist.gov/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e10&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob talks with operational technology (OT) cybersecurity expert Joseph Loomis!Joseph is the President of Secrabus Inc where he performs cybersecurity assessments on Oil & Gas companies to help elevate their security posture and protect their critical assets.Joseph shares his experiences after more than 15 years in the Oil & Gas industrial control system (ICS) and OT cybersecurity space.Here are some key topics we discussed:How he started in cybersecurityThe just in time deliverability aspect of Oil & GasIT and OT convergenceDefense in depth architectureGRC Standards that apply to the Oil & Gas industryPurdue Model for ICS SecurityHis risk assessment methodologyInteresting storiesAnd more!Follow Joseph on LinkedIn: https://www.linkedin.com/in/josephloomis/Secrabus Inc's Website: https://secrabus.com/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e9&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob talks with GRC professional Jonathan Fisher.Jonathan shifted into the GRC field after 20 years in the military supporting aircraft maintenance, and explains how others can do the same!Here are some key topics we discussed:What GRC isHow he transitioned into GRC and cybersecurityHow nontechnical folks can transition into cybersecurity by starting in a GRC roleHow most folks already have transferrable experienceWhat GRC frameworks to focus onHow to use LinkedIn to boost your careerFollow Jonathan on LinkedIn: https://www.linkedin.com/in/jonfisher11/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e8&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob speaks with privacy attorney Donata Stroink-Skillrud. Donata is the chair of the American Bar Association's ePrivacy committee, and has an excellent understanding of privacy laws in the US and the EU.She shares the impact of US and EU privacy laws on businesses, how they can plan to comply, and much more!Here are some key topics we discussed:The importance of privacy lawsDifferences between EU and US approaches to privacyThe impact of GDPR and why many consider it to be the gold standard in privacy lawsCurrent and emerging state-level privacy laws in the USImplications of privacy laws for small businessesThe importance of only collecting the information you needThe status of the US's federal privacy law and how it compares to the GDPRHow GRC compliance frameworks like NIST's Privacy Framework and ISO 27001 can help complyDonata's website: https://termageddon.comFollow Donata on LinkedIn: https://www.linkedin.com/in/donata-stroink-skillrud/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e7&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob speaks with Koren Wise who is a highly experienced CMMC consultant, assessor, and instructor. Koren offers insights from her experience helping companies prepare for CMMC, and gives advice on hiring the right CMMC consultant and assessor for your business - and much more!.Here are some of the topics we discussed:How she got to where she is todayCommon misconceptions businesses have about CMMCWho should take the CMMC Certified Professional (CCP) courseReal world problems and solutionsWhat is a CUI enclave?Addressing CUI data sprawl in a businessJoint Surveillance AssessmentsManaging CMMC compliance like a projectHiring the right CMMC consultantHiring the right CMMC assessorFollow Koren on LinkedIn: https://www.linkedin.com/in/koren-wise/Koren's website: https://www.wtinetworks.com-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e6&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob speaks with Rick Rosenberry about Cyber Insurance in the context of DoD and government contracting.Rick is an insurance broker and a CMMC Registered Practitioner, and he explains that not all cyber insurance policies are equal and the importance of working with an insurance broker that understands cybersecurity and your regulatory environment.Here are a few of the topics we discussed:Overview of cyber insurance fundamentalsKey roles in the cyber insurance processHow underwriters assess a business's cyber riskCritical security controls underwriters want in placeBenefits of compliance frameworks like NIST 800-171 and ISO 27001False Claims Act cyber insurance claim scenariosGetting the right coverage to support DFARS 252-204-7012 incident reportingFollow Rick on LinkedIn: https://www.linkedin.com/in/rick-rosenberry/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e5&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob speaks with Laura Rodgers about her work helping to prepare North Carolina businesses for the DoD's Cybersecurity Maturity Model Certification (CMMC).Laura has established an excellent training program that guides North Carolina businesses in the creation of cybersecurity programs. The effort is in collaboration with the North Carolina Military Business Center, North Carolina State University, and other strategic partners.Here are a few of the topics we discussed:Unique challenges faced by small businessesConcerns the government is not properly marking or is overmarking documents as CUIImportance of collaboration between technical and compliance teamsChallenges that incident response presents to small businesses.Follow Laura on LinkedIn: https://www.linkedin.com/in/lauradrodgers/Cyber NC website: https://www.cybernc.us/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e4&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob speaks with Jon Watkins about power grid security. Jon is a cybersecurity expert and the founder of the Rural Electric Cyber Advancement Program (RECAP)!RECAP enables peer cybersecurity assessments among electric utility cooperatives. Jon has conducted multiple RECAP assessments for co-ops throughout the US.Jon tells us about how he started in cybersecurity, the history of electric cooperatives, how power grid cybersecurity is different, how OT and SCADA are used to enhance the reliability of the grid, notable power grid cyber incidents, and RECAP.Follow Jon on LinkedIn: https://www.linkedin.com/in/jonrwatkins/-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e3&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
In this episode Jacob speaks with master Certified Ethical Hacker instructor Eric Reed about his background, how he started teaching, and several scenarios explaining how hackers compromise business networks.Eric's website: https://ericreedlive.com/Follow Eric on LinkedIn: https://www.linkedin.com/in/ericreedlive/Eric Reed is a master cybersecurity instructor with more than 30 years of IT experience! He has been teaching since 2005 and is a master at his craft.Eric specializes in instructor led cybersecurity training for the following certifications:Certified Ethical Hacker (CEH)Computer Hacking Forensic Investigator (CHFI)Certified Security Analyst CertificationCertified Network DefenderCompTIA's Security+Certified Information Systems Security Professional (CISSP)-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e2&utm_campaign=coursesNeed a FedRAMP authorized Password Manager?Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/
© 2020-2025 Ivy Podcast Discovery LLC
