The Cybersecurity Readiness Podcast Series

Social engineering continues to be the primary gateway for cyberattacks, responsible for nearly 80% of fraud and ransomware incidents. And notably, 1 in 4 of these social engineering attacks originate via phone calls. Yet many enterprises continue to leave their phone systems exposed. In this episode, Dr. Dave Chatterjee engages Richard Quattrocchi, Vice President of Digital Transformation, Mutare Inc., in a compelling discussion on the often-overlooked threat of voice-based cyberattacks, particularly vishing (voice phishing). Richard shares his professional journey, personal motivation rooted in a family scam incident, and the alarming rise of social engineering via phone calls—especially in the era of AI and deepfakes. The conversation underscores how organizations continue to leave phone systems vulnerable due to siloed ownership and outdated assumptions.Richard presents a layered defense strategy combining people, process, and technology, and introduces Mutare's voice traffic filtering solution. This technology proactively intercepts malicious calls using metadata analysis before they reach users, drastically reducing exposure to fraud. The discussion also dives into real-world cases, including the MGM breach, and offers actionable guidance for enterprises and individuals to better secure voice channels.To access and download the entire podcast summary with discussion highlights -- https://www.dchatte.com/episode-84-stopping-social-engineered-vishing-attacks-before-they-start/Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes are released every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712Latest Publications & Press Releases:“Meet Dr. Dave Chatterjee, the mind behind the CommitmentPreparedness-Discipline method for cybersecurity,” Chicago Tribune, February 24, 2025."Dr. Dave Chatterjee On A Proactive Behavioral Approach To Cyber Readiness," Forbes, February 21, 2025.Ignorance is not bliss: A human-centered whole-of-enterprise

Dr. Dave Chatterjee and David Close discuss the implications of post-quantum cryptography (PQC) on cybersecurity readiness. David, a Chief Solutions Architect at Futurex, explains the evolution of cryptographic methods to counter quantum computing threats. He highlights the importance of NIST's role in standardizing quantum-resistant algorithms like Kyber and Dilithium. David shares practical examples, such as Google and Cloudflare's hybrid TLS implementation and a financial institution's use of PQC for data storage. They emphasize the need for organizations to develop roadmaps, inventory cryptographic assets, and ensure vendor readiness. Dr. Chatterjee stresses the importance of a proactive, holistic approach to cybersecurity governance.To access and download the entire podcast summary with discussion highlights -- https://www.dchatte.com/episode-83-future-proofing-your-data-preparing-for-the-post-quantum-era/Latest Articles and Press Releases on The Cybersecurity Readiness Podcast Series:Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Yahoo!Finance, Dec 16, 2024Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Marketers Media, Dec 12, 2024.Cybersecurity Readiness Podcast by Dr. Dave Chatterjee Reaches 10,000 Downloads Globally, Business Insider/Markets Insider, Dec 10, 2024.Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes are released every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712Latest Publications & Press Releases:“Meet Dr. Dave Chatterjee, the mind behind the CommitmentPreparedness-Discipline method for cybersecurity,” Chicago Tribune, February 24, 2025.“Dr. Dave Chatterjee...

The adoption of Artificial Intelligence (AI) and Generative Artificial Intelligence (Gen-AI) applications and tools are exploding. The global AI infrastructure market is projected to reach over $96 billion by 2027. AI applications are being used to empower every organizational function and industry, from logistics and supply chain to manufacturing, healthcare, finance and banking, marketing and sales, and customer sales. However, such adoption and use of AI tools and platforms has greatly expanded the attack surfaces and the attack vectors. They are presenting many more opportunities for hackers to break into systems and networks and also violate individual privacy and reputation, thereby causing irreparable harm and damage. In this episode, Dr. Dave Chatterjee and Oliver Friedrichs, Founder, and CEO of Pangea, discuss the risks associated with adopting and using AI and Generative AI applications and platforms. They share examples of AI-powered attacks, such as deepfake scams and ransomware attacks, and stress the need for continuous learning and proactive security measures. They also underscore the importance of continuous security assessments, incident response plans, and AI literacy for individuals and organizations.To access and download the entire podcast summary with discussion highlights https://www.dchatte.com/episode-82-securing-ais-blind-spots-the-hidden-risks-in-enterprise-ai-adoption/Latest Articles and Press Release on The Cybersecurity Readiness Podcast Series:Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Yahoo!Finance, Dec 16, 2024Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Marketers Media, Dec 12, 2024.Cybersecurity Readiness Podcast by Dr. Dave Chatterjee Reaches 10,000 Downloads Globally, Business Insider/Markets Insider, Dec 10, 2024.Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes are released every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712Latest Publications & Press Releases:Ignorance is not bliss: A human-centered whole-of-enterprise approach to cybersecurity preparedness

Dr. Dave Chatterjee hosts a discussion on elevating your offensive program with Mark Carney, CEO @ Evolve Security, and Yaron Levi, Chief Information Security Officer (CISO) at Dolby Labs. They emphasize the importance of a proactive, continuous approach to cybersecurity, contrasting it with traditional reactive measures. Key points include the need for a threat-informed, programmatic mindset, continuous threat exposure management (CTEM), and the integration of business objectives. They stress the importance of intelligence, risk assessment, and the role of third-party providers as partners. The conversation highlights the necessity of senior leadership commitment and the challenges of defining and measuring risk in cybersecurity.To access and download the entire podcast summary with discussion highlights -- https://www.dchatte.com/episode-81-elevating-your-offensive-security-program/Latest Articles and Press Release on The Cybersecurity Readiness Podcast Series:Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Yahoo!Finance, Dec 16, 2024Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Marketers Media, Dec 12, 2024.Cybersecurity Readiness Podcast by Dr. Dave Chatterjee Reaches 10,000 Downloads Globally, Business Insider/Markets Insider, Dec 10, 2024.Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes are released every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712Latest Publications & Press Releases:Ignorance is not bliss: A human-centered whole-of-enterprise approach to cybersecurity preparedness"Getting Cybersecurity Right,” California Management Review — Insights, July 8, 2024.

Dr. Dave Chatterjee and Kee Jefferys, Technical Co-Founder of Session, discuss the use of blockchain technology in enhancing the security and privacy of messaging apps, specifically Session. Session, which has over a million monthly active users, uses a decentralized network of nodes incentivized by Session tokens. Unlike traditional messaging apps, Session does not require a phone number for sign-up and employs onion routing and end-to-end encryption to protect user data. Kee emphasizes the importance of considering the threat model and user needs when choosing a messaging app. Session is best suited for high-threat scenarios, while other apps may be more appropriate for regulatory compliance. Session is free, with potential future premium features, and is primarily for individual users.To access and download the entire podcast summary with discussion highlights -- https://www.dchatte.com/episode-80-using-blockchain-technology-to-make-messaging-apps-more-secure-and-private/Latest Articles and Press Release on The Cybersecurity Readiness Podcast Series:Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Yahoo!Finance, Dec 16, 2024Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Marketers Media, Dec 12, 2024.Cybersecurity Readiness Podcast by Dr. Dave Chatterjee Reaches 10,000 Downloads Globally, Business Insider/Markets Insider, Dec 10, 2024.Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes are released every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712Latest Publications & Press Releases:Ignorance is not bliss: A human-centered whole-of-enterprise approach to cybersecurity preparedness"Getting Cybersecurity Right,” California Management Review — Insights, July 8, 2024.

Despite companies' best efforts, stored access credentials inevitably get stolen or misused. Whether it is a disgruntled employee posting the data, an employee that makes an innocent mistake exposing that data, a company needing revenue selling the information, a criminal hacker group stealing the information, or a government-backed group stealing the information, etc. it is simply a matter of when not if that information will be stolen.“The only truly safe way to handle people's secrets is never to store them in the first place – what is not stored cannot be stolen,” says Tina Srivastava, Ph.D., an MIT-trained rocket scientist and privacy expert who has cracked the code on stored credentials She is the co-founder of Badge, a platform that allows users to enroll and authenticate on any device without storing Personally Identifiable Information (PII). In this episode, Tina and I discuss how the new technology works, its implications, and how organizations should ensure they are not storing user credentials.To access and download the entire podcast summary with discussion highlights -- https://www.dchatte.com/episode-79-authenticate-without-storing-credentials-mit-scientist-cracks-the-code/Latest Articles and Press Release on The Cybersecurity Readiness Podcast Series:Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Yahoo!Finance, Dec 16, 2024Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Marketers Media, Dec 12, 2024.Cybersecurity Readiness Podcast by Dr. Dave Chatterjee Reaches 10,000 Downloads Globally, Business Insider/Markets Insider, Dec 10, 2024.Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes are released every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712Latest Publications & Press Releases:Ignorance is not bliss: A human-centered whole-of-enterprise approach to cybersecurity preparedness

In this episode, Shrav Mehta, Founder, and CEO at Secureframe, joins me to discuss major cybersecurity incidents in 2024, highlighting five significant breaches: National Public Data (2.7 billion records), AT&T (50 billion), Ticketmaster (500 million), Change Healthcare (145 million), and Dell (49 million). We emphasize the importance of proactive measures, such as data minimization, continuous training, and zero-trust models. I stressed the need for leadership engagement, robust incident response plans, and a holistic approach to security. Shrav underscores the role of automation and continuous monitoring in enhancing protection. We both agreed on the necessity of evolving security practices to counter emerging threats like deepfakes and AI-enabled attacks.To access and download the entire podcast summary with discussion highlights -- https://www.dchatte.com/episode-78-lessons-from-2024s-biggest-cyber-incidents-and-building-stronger-defenses-for-2025/Latest Articles and Press Release on The Cybersecurity Readiness Podcast Series:Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Yahoo!Finance, Dec 16, 2024Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Marketers Media, Dec 12, 2024.Cybersecurity Readiness Podcast by Dr. Dave Chatterjee Reaches 10,000 Downloads Globally, Business Insider/Markets Insider, Dec 10, 2024.Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes are released every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712Latest Publications & Press Releases:Ignorance is not bliss: A human-centered whole-of-enterprise approach to cybersecurity preparedness"Getting Cybersecurity Right,” California Management Review — Insights, July 8, 2024.

In this episode, Aaron Painter, CEO at Nametag, joins me in discussing the Deepfake fraud phenomenon and how organizations and individuals should protect themselves from such scams. A recent study conducted by finance software provider Medius finds that over 53% of businesses in the U.S. and U.K. have been targets of financial scams powered by “deepfake” technology, with 43% falling victim to such attacks. 85% of the finance professionals polled view such scams as an “existential” threat to their organization's financial security. In the United States, families lose an average of $11,000 in each fake kidnapping scam. According to data from the Federal Trade Commission, Americans lost $2.6 billion last year in imposter scams.Latest Articles and Press Release on The Cybersecurity Readiness Podcast Series:Cybersecurity Readiness Podcast by Dr. Dave Chatterjee Reaches 10,000 Downloads Globally, Business Insider/Markets Insider, Dec 10, 2024.Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Marketers Media, Dec 12, 2024.To access and download the entire podcast summary with discussion highlights --https://www.dchatte.com/episode-77-stopping-deepfake-threats-protecting-organizations-through-identity-verification/Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes are released every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712Latest Publications & Press Releases:Cybersecurity Readiness Podcast by Dr. Dave Chatterjee Reaches 10,000 Downloads Globally, Business Insider/Markets Insider, Dec 10, 2024.Press Release — Dr. Dave Chatterjee Hosts Global Podcast Series on Cyber Readiness, Marketers Media, Dec 12, 2024.Ignorance is not bliss: A human-centered whole-of-enterprise approach to cybersecurity preparedness

IBM recently reported a 71% year-over-year increase in attacks using valid credentials. This continued use of stolen credentials is also evident through ongoing public incidents like the string of attacks targeting Snowflake's customers that resulted in breaches at AT&T and Advanced Auto Parts. Lynsey Wolf, Team Lead and Insider Threat Analyst at DTEX Systems believes that users' psychological and behavioral traits are being overlooked when it comes to defending against credential misuse. In this episode, we discuss how best to mitigate such threats using a proactive approach to insider risk management by focusing on user behavior and indicators rather than just incident response.To access and download the entire podcast summary with discussion highlights -- https://www.dchatte.com/cybersecurity-resources/Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes are released every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712Latest Publications: Ignorance is not bliss: A human-centered whole-of-enterprise approach to cybersecurity preparedness"Getting Cybersecurity Right,” California Management Review — Insights, July 8, 2024. Published in USA Today — “Dave Chatterjee Drops the Cybersecurity Jargon, Encouraging Proactiveness Rather than Reactiveness,” April 8, 2024Preventing Security Breaches Must Start at the TopMission Critical --How the American Cancer Society successfully and securely migrated to the cloud amid the pandemicLatest Webinars & Podcasts with Dr. Chatterjee as the GuestCybersecurity Readiness: Essential Actions For CXOs, August 12, 2024

Accelerating into the cloud without caution often brings complexities that can cause more harm than good. Gartner has noted that cloud configuration errors cause 95% of cybersecurity breaches. With the rapid pace of cloud adoption, less time is spent ensuring systems are built and operated effectively with proper cyber hygiene. In this episode, Dale Hoak, Director of Information Security at RegScale, joins me in discussing cloud compliance-related challenges and best practices. Here are some terrific Dale Hoak one-liners:"Compliance is essentially where fun went to die.""Nobody steals your work. So, we need to use automation to do the work.""Compliance is a key driver of trust in our world."Action Items and Discussion HighlightsInvest in automation to gather and maintain compliance evidence.Implement "compliance as code" to bake compliance into the software development lifecycle.Automate change management processes to speed up compliance reviews.Establish a single pane of glass to prioritize and manage compliance issues.Conduct regular manual reviews to validate automated compliance processes and findings.Ensure prompt action on compliance alerts and issues to avoid consequences.Time Stamps00:02 -- Introduction03:12 -- Dale Hoak's professional highlights05:34 -- Given your experience in the Navy and then with the NYPD and now you're in the corporate world, what are the similarities or differences in how security practices happen?08:46 -- Commitment-Preparedness-Discipline Framework and Creating a High-Performance Information Security Culture11:12 -- Building a culture of compliance13:26 -- Why do organizations tend to be lax with compliance requirements and take the superficial check-the-box approach?16:19 -- Key problems with the ATO (authority-to-operate) compliance process19:15 -- Practical recommendations23:05 -- If we go the automation route, what kinds of checks and balances should be in place where there is periodical and prompt human intervention to ensure you can pick up on errors or glitches?26:17 -- Prompt processing of threat intelligence27:06 -- Narrating an incident of non-securely migrating to the cloud29:33 -- American Cancer Society's migration to the cloud.31:51 -- Closing ThoughtsMemorable Dale Hoak Quotes/Statements"Compliance is essentially where fun went to die, and it became very complex. It was very subjective, and it was the enemy of innovation.""Today, as the cloud expands, particularly with AI, we're seeing that innovation is outpacing compliance.""Regulatory compliance is becoming more challenging, but also more central in a cloud-first world.""We've got to put compliance up there in front, and we've got to bake it in instead of bolt it on.""Folks just tend to recycle and use compliance as the checklist." "Compliance becomes highly interpretive and subjective, depending on your auditor -- if you bring in an experienced auditor versus a less experienced auditor.""To be honest, compliance can be subjective, and compliance does not equal security. Just because you meet the guidelines and pass an audit does not make you secure.""If you give a company an opportunity to save money by slacking on security, they're going to.""Small companies just don't have the funds it takes to build a reliable security platform in a timely manner.""Often regulatory compliance guidelines are outdated. They can't keep up with the speed of innovation out there.""So, how do we make...

In this episode, Mike Manrod, the Chief Information Security Officer (CISO) of Grand Canyon Education, and Ori Eisen, the Founder and CEO of Trusona, joined me to discuss how best to reduce the risks of social engineering attacks on IT support and help desk personnel. This episode was motivated by the major cyber attack that brought MGM Resorts International's operations to a screeching halt. It was a social engineering attack where the attackers gained super administrator privileges by providing the MGM Help Desk with basic employee information.Action Items and Discussion Highlights"Bypassing the human verification is something super critical we need to address. It's something we can't afford to wait on, and it's low-hanging fruit."Implement a driver's license validation solution to authenticate callers to the IT help desk.Explore expanding the use of identity verification technologies beyond the IT help desk, such as for wire transfers and other high-risk financial transactions.Adopt a layered approach to establishing a robust defense. "You need a good tech stack, user entity behavior analytics, conditional access policies, MFA, and security awareness training." Educate IT support staff on identifying potential social engineering attempts, even when the caller appears to be using advanced techniques like voice cloning.Implement a policy instructing employees to hang up and call back when they receive requests for sensitive information or transactions.Stay vigilant and continue to explore new solutions to combat the evolving threat of social engineering attacks.Time Stamps00:02 -- Introduction02:45 -- Mike Manrod's professional highlights03:38 -- Ori Eisen's professional highlights06:36 -- Why is Mike Manrod so passionate about this discussion topic?08:45 -- Breaching MFA13:25 -- Securing the Organization from Human Vulnerabilities17:57 -- Defense-in-Depth and People-Process-Technology19:44 -- Technology underlying authentication22:40 -- Seamless adoption of authentication technology26:15 -- Evolution of authentication technologies30:02 -- What advice would you have for practitioners like you who are on the fence about investing in such technologies?31:10 -- Closing ThoughtsMemorable Mike Manrod Quotes/Statements"Multifactor authentication (MFA) carried us a long way, but now that it's everywhere, it naturally creates a cyber evolutionary force, driving adversaries to have to solve it.""I think the future is that of a layered approach. No one solution solves the whole problem. You need a good tech stack; You need user entity behavior analytics; You need conditional access policies; You need MFA; You need security awareness training." "You can't simply rely on five verification questions that anybody could guess.""We were really excited about the driver's license validation aspect, you know, let's take a trusted authority like a driver's license bureau. Let's take a trusted identification with multiple attributes that can be verified and then put it on a clock so that if somebody somehow tries to socially engineer those chains, we detect and report on that too.""Bypassing the human verification is something super critical we need to get on top of, and it's something we can't afford to wait on, and it's low-hanging fruit."Memorable Ori...

In this episode, Laurie Salvail, Ph.D., Executive Director of CYBER.ORG, joins me to discuss the importance of cybersecurity education for K-12 students. Primarily funded by the Cybersecurity and Infrastructure Security Agency (CISA), CYBER.ORG is a powerful and free resource available to K-12 students and educators in the United States. CYBER.ORG's Range, a cloud-based virtual environment, empowers K-12 students with real-world cybersecurity skills in a secure platform.Action Items and Discussion HighlightsTo inquire about professional development opportunities and resources for your school, contact CYBER.ORG at info@cyber.org or through the website.Cybersecurity and Infrastructure Security Agency (CISA) is one of the main funders of CYBER.ORG.CYBER.ORG offers no-cost professional development for teachers and caregivers across the US.Currently, over 35,000 teachers have access to CYBER.ORG content and other resources.Resources at Cyber.Org are available to all schools -- public, private, and homeschools.If a child is old enough to receive some type of technology, then they are old enough to learn how to use it.For cybersecurity education and training to be effective, they should be delivered in a fun, interactive, and immersive manner.Encourage industry professionals in your network to volunteer at local schools, speak to students about their cybersecurity-related careers, and help promote awareness about the field.Time Stamps00:02 -- Introduction00:49 -- Guest's Professional Highlights02:41 -- About Cyber.Org06:08 -- Vulnerability of youth to different forms of cyber attacks07:22 -- Gaining access to Cyber.Org resources08:34 -- Gaps in cyber education from K-1213:36 -- How early should kids be exposed to cybersecurity awareness programs?15:21 -- Cybersecurity is everyone's business17:13 -- Should cybersecurity education be part of the K-12 core curriculum as early as possible? 22:35 -- Many schools have their own cybersecurity curriculum and cybersecurity program. So, where do cyber.org resources fit in for these schools?28:26 -- How can listeners, as well as their organizations, help the cause of K-12 cybersecurity education?Memorable Laurie Salvail Quotes/Statements"A big part of who we are, though, is that we do grant writing to make our resources available completely free of charge for any school district teacher; we will never charge the user for anything at all.""We are very thankful to receive funding from the Cybersecurity and Infrastructure Security Agency (CISA). They're one of our main funders right now, allowing us to create these resources for students across the US. "We are able to offer no-cost professional development for our teachers and caregivers across the US.""If you want to teach a student about cybersecurity, come to cyber.org, and we've got free resources for you to dive into and learn how to have those conversations where we're exciting our children.""We have over 35,000 teachers right now that have access to our content.""Cybersecurity is an important topic for all students at all grade levels. There's an age-appropriate way to do it at those levels, and we're here to help, so spreading that message is really important.""Resources at Cyber.Org are available to all schools, public, private, and homeschool families.""Every school is unique, and every school is different, and we hop on a call with each school to say, what will work in your building, what do your students

As machine learning algorithms continue to evolve, Large Language Models (LLMs) like GPT-4 are gaining popularity. While these models hold great promise in revolutionizing various functions and industries—ranging from content generation and customer service to research and development—they also come with their own set of risks and ethical concerns. In this episode, Rohan Sathe, Co-founder & CTO/Head of R&D at Nightfall.ai, and I review the LLM-related risks and how best to mitigate them.Action Items and Discussion HighlightsLarge Language Models (LLMs) are built on specialized machine learning models and architectures called transformer-based architectures, and they are leveraged in Natural Language Processing (NLP) contexts.There's been a lot of ongoing work in using LLMs to automate customer support activities.LLM usage has dramatically shifted to include creative capabilities such as image generation, copywriting, design creation, and code writing.There are three main LLM attack vectors: a) Attacking the LLM Model directly, b) Attacking the infrastructure and integrations, and c)Attacking the application.Prevention and mitigation strategies include a) Strict input validation and sanitization, b) Isolating the LLM environment from other critical systems and resources, c) Restricting the LLM's access to sensitive resources and limiting its capabilities to the minimum required for its intended purpose; d) Regularly audit and review the LLM's environment and access controls; e) Implement real-time monitoring to promptly detect and respond to unusual or unauthorized activities; and f) Establish robust governance around ethical development and use of LLMs.Time Stamps00:02 -- Introduction01:54 -- Guest's Professional Highlights02:50 -- Overview of Large Language Models (LLMs)07:33 -- Common LLM Applications08:53 -- AI-Safe Jobs and Skill Sets11:41 -- LLM Related Risks15:30 -- Protective Measures19:09 -- Retrieval Augmented Generation (RAG)20:57 -- Securing Sensitive Data23:07 -- Selecting Appropriate Data Loss Protection Platforms25:00 -- Human Involvement in Processing Alerts26:56 -- Closing ThoughtsMemorable Rohan Sathe Quotes/Statements"Large Language Models (LLMs) are built on specialized machine learning models and architectures called transformer-based architectures, and they are leveraged in Natural Language Processing (NLP) contexts. It is really just a computer program that has been fed enough examples to be able to recognize and interpret human language or other complex types of data. And this data comes from the internet.""The quality of the LLM responses depends upon the data it's trained on.""LLM is a type of deep learning model, and the goal is to understand how characters, words, and sentences function together and do that probabilistically.""There's been a lot of ongoing work in using LLMs to automate customer support activities.""The LLM usage has dramatically shifted to include creative capabilities such as image generation, copywriting, creating designs, and writing code.""There are three kinds of core LLM attack vectors. One is just to attack the LLM model directly. The second is to attack the surrounding infrastructure and the integrations that the LLM has. The third is to attack the application that may use an LLM under the hood.""I have seen a lot of infrastructure attacks and attacking the integrations around the LLMs. And then, of course, just the standard attack: attacking...

The importance of maintaining uninterrupted services cannot be overemphasized, especially in light of the recent global IT outage fiasco. With the increasing dependence on cloud-based services, uninterrupted connectivity is essential to maintaining business continuity. Since identity providers control access to an organization's application and data, any downtime can shut down mission-critical operations. It was great to have Eric Olden, Co-Founder, Chairman, and Chief Executive Officer of Strata Identity, share his thoughts and perspectives on this critical topic.Action Items and Discussion HighlightsInventory applications and dependencies to understand risk exposure.Conduct risk assessment to quantify risk and start with highest priority applications.Identify single points of failure.Trust but verify. You want to test things repeatedly so that when that inevitable outage happens, you're confident that the incident will not have drastic consequences.Balance investment in identity continuity solutions against the cost of potential downtime.Consider using existing on-premise identity systems like Active Directory as a low-cost redundancy option.Consider implementing identity orchestration and continuity solutions to introduce redundancy after evaluating cost vs risk.Create a culture of resilience that is not surprised when an outage happens but can handle it with grace and confidence.Time Stamps00:02 -- Introduction02:33 -- Guest's Professional Highlights04:32 -- Eric Olden's Perspective on the Global IT Outage Fiasco09:16 -- Practicality of Maintaining Redundancy13:21 -- Identity as Mission-Critical Systems14:03 -- Identifying Single Points of Failure20:00 -- Developing Always-On Identity Continuity Solution21:59 -- Interruption Factors23:12 -- Continuous and Meticulous Risk Assessment25:11 -- Incident highlighting a proactive approach to identity risk management29:42 -- Lessons from the Incident36:35 -- Final ThoughtsMemorable Eric Olden Quotes/Statements"I think a lot of people are realizing that there's more single points of failure in their environments, which creates a significant amount of risk.""Identity system is like the front door of the house; without identity security, you cannot access those applications. So identity has become a mission critical system because it has a primacy in terms of how people access the applications and the data to run today's modern enterprise.""Understand where you have single points of failure because until you do that analysis, you may be assuming that you aren't in a dependent situation because you've got rid of single points of failure in your data infrastructure, but what about the other parts that are not necessarily under your control.""Trust but verify. You want to test things repeatedly so that when that inevitable outage happens, you're confident that things will not take your business down with you.""It's not a question of whether something bad will happen in the future. It was a question of when it will happen and how bad it will hurt.""If you think about the cost of an investment for continuity, you want to ensure that you're not spending more for continuity than it would cost you for downtime.""Create a culture of resilience that is not surprised when an outage happens, but can handle it with grace and confidence."Connect with Host Dr. Dave Chatterjee and Subscribe to...

In this episode, Chris Petersen, Co-Founder and CEO of RADICL, and I discuss the challenges of securing the small and medium-sized businesses (SMBs) that serve the United States defense industrial base (DIB) and critical infrastructure. These SMBs play a significant role in supporting the Advanced Defense Systems that protect our nation from domestic and international threats. So, it is imperative to review what it takes to keep these SMBs safe from cyber-attacks.Action Items and Discussion Highlights• Treat cybersecurity as a strategic opportunity and invest adequate resources to build and sustain this competency.• Establishing fail-safe software development practices.• Software testing and rollout models must be continuously and rigorously tested.• Proactively determine disaster scenarios and stress test organizational resilience in dealing with those situations.• Consider establishing key metrics to measure the effectiveness and maturity of cybersecurity operations.• Demand visibility and transparency into the specific activities a managed service provider is conducting to protect the organization, such as vulnerabilities remediated, security incidents handled, and training completed. Regular reporting should be provided.• Conduct thorough due diligence when selecting a cybersecurity service provider, including validating the qualifications and expertise of the individuals responsible for security, the technologies used, and references from other customers.Time Stamps00:02 -- Introduction02:09 -- Guest's Professional Highlights04:32 -- Chris Petersen's Perspective on the Global IT Outage Fiasco08:01 -- What could Delta have done differently? Could they have proactively predicted such a disaster scenario and prepared for it? 11:45 -- Key Findings from RADICL's 2024 DIB Cybersecurity Maturity Report13:29 -- Chris Petersen's take on the survey findings19:49 -- Recommendations on how SMBs serving the defense industrial base and critical infrastructure can meet and exceed compliance requirements.24:21 -- Cybersecurity as a strategic opportunity28:43 -- Guidance on selecting service providers and managing outsourced relationships34:27 -- Advice for SMB CEOs37:18 -- Closing ThoughtsMemorable Chris Petersen Quotes/Statements"When we build software, our quality practices need to be fail-safe, especially when you have a footprint like CrowdStrike does that can be so impactful if there is an issue.""CrowdStrike needs to look at their testing model and perhaps their rollout model of how they roll out content updates.""Microsoft also shouldn't be so susceptible to a program operating in the kernel that can repeatedly cause a blue screen of death. There should be some resiliency built into the operating system itself.""I think the technology providers need to build more resiliency into their technologies, especially when they're foundational and are platform-level technologies. For security, folks need to make sure we are doing a really thorough job on the quality side.""I'm especially concerned because most of these companies typically don't have sophisticated incident response operations in place." "I'm concerned that these companies have accounts that have been compromised, have endpoints that have been compromised, but the vast majority of them don't have that class of forensic capability to detect and remove the malicious files.""The thing with compliance, though, is it comes down to how well you achieve compliance.""Fundamentally, business operations are...

In this episode, John Funge, Managing Director at DataTribe, and I discuss the Global IT Outage caused by a flawed update to CrowdStrike's cloud-based security software. We also review DataTribe's recently published report on cybersecurity trends and predictions for 2024. In closing, John shares some tips and recommendations for those seeking cybersecurity funding. Action Items and Discussion HighlightsOrganizations need to incentivize and spend more time and effort hardening the QA cycles.Continue to focus on building secure software through tools/processes that embrace best practices.Assess the concentration of risks and take proactive mitigation steps.Take malware at scale, reverse engineer it, and look inside the malware to use that as training for AI models that can detect and mitigate entire classes of malware.Create a set of tooling that can monitor what happens in CICD (Continuous Integration & Continuous Delivery) pipelines, create the necessary evidence to help enforce process and risk management compliance, and make the software development process much more transparent.Cybersecurity trends include quantum computing, security for serverless architecture, operational technology (OT) security, autonomous defenses, passwordless authentication, AppSec 2.0, and AI SOC Analyst.Time Stamps00:02 -- Introduction01:44 -- Guest's Professional Highlights06:33 -- Global IT Outage Fiasco -- Lessons08:11 -- Hardening QA Cycles10:41 -- Software Malfunction in an AI-Driven World -- Corrective Action15:50 -- Reviewing Cyber Trends -- Quantum Computing, AI-Enabled Autonomous Defenses, AI SOC Analyst, AppSec Scans, etc.25:30 -- Cybersecurity Governance Process Improvements and Innovations31:18 -- What does DataTribe, a cyber foundry, look for when evaluating potential investment opportunities?34:35 -- Cyber Predictions36:44 -- Closing ThoughtsMemorable John Funge Quotes/Statements"Software is just really brittle and creaky. Over time, there's been a combination of incentives toward speed of delivery and time to market rather than spending more effort hardening QA cycles.""Within the security industry, there's this sort of patch advice: Just keep your systems patched, etc. There isn't much discussion in that conversation about how we can engineer the software so it's more secure with fewer bugs.""It's unclear whether we are increasing the hardness of many software tools and systems at the same time that their responsibility is increasing.""At the end of the day, AI is really a tool for consolidating training data and creating a decision mechanism based on that.""Security is just so rich with data. So, if you follow the data, you really do start to see interesting opportunities to potentially create predictive models that allow you to increase your security performance and efficacy.""There is this opportunity to create a set of tooling that can monitor what goes on in CICD (Continuous Integration and Continuous Deployment) pipelines and create all the necessary evidence that can help enforce process and give confidence to auditors risk management compliance, and essentially take what's going on inside the software development process, and making it much, much more transparent.""AI models and the data science teams that work on them represent a bit of a black box, and it can be challenging to...

The recent breach of the Change Healthcare platform serves as a strong reminder that the healthcare sector remains extremely vulnerable to different types of attacks. In late February, a ransomware gang known as Black Cat claimed responsibility for hacking Change Healthcare, a subsidiary of UnitedHealth Group. The intruders disrupted operations and stole up to four terabytes of data, including personal information, payment details, insurance records, and other sensitive information. It is also reported that a ransom payment of $22 million was made. What is even more concerning is that Change Healthcare is being extorted again by another ransomware group. Incidents such as this jeopardize the survival of countless healthcare providers nationwide due to delays in patient care and delays in making reimbursements. This hack generated massive economic and legal shockwaves across the US healthcare industry, from major industry players to small-town, rural physician practices. In this episode, Amer Deeba, CEO and Co-founder at Normalyze joins me to review the state of cyber security and maturity of the healthcare industry and talk about proactive defense strategies to fortify sensitive healthcare data.Action ItemsQuantify the value of sensitive data assets and identify the highest risk areas.Implement continuous monitoring and controls where sensitive data resides.Connect data security priorities to organizational mission and goals to gain leadership buy-in.Innovate solutions focused on data visibility, classification, access controls, and continuous auditing.Time Stamps00:02 -- Introduction03:18 -- Guest's Professional Highlights04:19 -- State of Cybersecurity Maturity in the Healthcare Industry9:01 -- Consequences of healthcare data leak10:54 -- Challenges of securing healthcare data12:03 -- Practical strategies for securing healthcare data18:07 -- A proactive approach to securing healthcare data21:55 -- Best practices29:21 -- Making the business case32:46 -- Closing ThoughtsMemorable Amer Deeba Quotes/Statements"We're expecting that by 2026, about 175 zettabytes of data will be available across multiple types of cloud environments.""It all starts by understanding where are your most important and critical assets, where are your crown jewels, and whether you are able to understand at any point in time where this information is, who has access to that information, how can they access that information? Do you have the right controls and mechanisms in place in order to secure it, to understand the value of it for your organization and make sure that it's fortified from such attacks.""With data exploding and moving everywhere, between environments and between cloud and SaaS applications and on-prem, this is the new frontier for attackers.""You're not boiling the ocean; you are prioritizing based on where your most sensitive information is, and you are making sure there are no attack paths to this data."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website:

The fast-evolving quantum computing phenomenon represents a paradigm shift in how computers process data. Due to its ability to process vast amounts of data and solve complex problems at an unprecedented speed, quantum computing holds great promise for new material discovery through the simulation of physical systems, portfolio optimization in finance, and more. It also poses a significant threat to cybersecurity, requiring a change in how we encrypt our data. Even though quantum computers don't technically have the power to break most of the current forms of encryption yet, we need to stay ahead of the threat and come up with quantum-proof solutions now. If we wait until those powerful quantum computers start breaking our encryption, it will be too late. I had the pleasure of discussing the quantum computing phenomenon and its cybersecurity implications with Duncan Jones, Head of Cybersecurity, at Quantinuum. We discussed the potential threats and opportunities of quantum computing for cybersecurity, as well as its potential to revolutionize various industries. We recognized the need for new algorithms resistant to quantum computing, staying ahead of technological innovations, investing in cybersecurity measures, and prioritizing the migration of sensitive data to quantum-resistant algorithms. Action ItemsAssess organizational risk exposure from quantum computing threats like "store now decrypt later" attacks.Prioritize migration of sensitive long-term data to quantum-safe encryption.Speak to vendors about their roadmaps for quantum-safe migration.Explore available quantum random number generators and other quantum cybersecurity technologies through pilot programs and starter kits.Choose credible service providers who are partnering with reputed organizations and prove their claims.Raise awareness of quantum computing implications among leadership and get buy-in for piloting relevant quantum cybersecurity technologies.Time Stamps00:02 -- Introduction01:59 -- Guest's Professional Highlights06:19 -- Overview of Quantum Computing08:19 -- Commercially Leveraging Quantum Computing 10:51 -- Evolution of Quantum Computing and Cyber Attacks12:55 -- Recommendations on Leveraging Quantum Computing Benefits and Securing Data from Quantum Computing Enabled Cyber Attacks17:49 -- Roadmap for Proactive Safeguards23:34 -- Can quantum computing enabled encryption ensure that even if a human is a victim of a phishing attack, it will be hard to get into systems? Is that a fair aspiration? 26:38 -- What recommendations would you make for organizations who are trying to explore and adopt quantum computing?29:19 -- Cybersecurity Challenges and Hurdles32:52 -- Challenges of Quantum-Safe Migration34:09 -- Cryptographic debt37:32 -- Final ThoughtsMemorable Duncan Jones Quotes/Statements"I think of my career as a series of very fortunate accidents, rather than some very carefully planned out thing.""Quantum computing as a different form of computation, as opposed to necessarily always a better form of computation.""Leading companies are now starting to engage with quantum computing because they know they have to build the skill sets, they have to develop the intellectual property that will begin to deliver value in the not too distant future.""Quantum computers are becoming more and more powerful every year.""We'll actually see Quantum as a as a big benefit for cybersecurity, but we've got some headaches to get through...

In this podcast, I enjoyed talking with Chirag Shah, Model N's Global Information Security Officer and Data Privacy Officer, about creating a security-minded culture. Infusing a security culture within organizations starts with leadership buy-in and support. Chirag highlighted the need for interactive and engaging training programs tailored to specific departments, involving real-world examples and practical scenarios. He stressed the significance of fostering a security mindset among employees through daily reminders and reinforcement and leveraging free or low-cost resources to implement effective security awareness programs. Chirag also emphasized the need for a strategic approach to security and a security-minded culture where employees are empowered and responsible for maintaining a strong security posture.Action ItemsDevelop an interactive that delivers bite-sized security awareness content, quizzes, and scores performance.Organize escape room and security hackathon events as hands-on learning initiatives.Contextualize training for specific employee roles and responsibilities.Incorporate security into employees' goals and recognize adherence to policies.Lead by example and make security part of a company's vision and operationsTime Stamps00:02 -- Introduction02:38 -- Guest's Professional Highlights04:14 -- Why do you emphasize the importance of infusing a culture of security? 06:35 -- How do you create a security-minded culture?09:42 -- How do organizations create engaging and effective cybersecurity awareness training to develop security-minded cultures and cyber hygiene habits among employees?15:49 -- Personalizing security19:49 -- Dealing with common challenges and hurdles associated with creating security-minded cultures. 27:53 -- How do you get top management buy-in?29:05 -- Creating a culture of accountability36:35 -- Treating cybersecurity as a strategic enabler37:57 -- Final ThoughtsMemorable Chirag Shah Quotes/Statements"Security belongs to everyone, not just the security team. It's about embedding security awareness and responsibilities into the vision, mission, and day-to-day operations of all departments and employees.""Security should become part of the daily goals for the execution of the business.""Focus on security awareness training that is engaging, fun, and rewarding for employees, and move beyond annual compliance training to create a continuous security learning culture.""When anyone asks, how big is your security team, I say about 1300 some people, right, because that's what my company is. All of them are our security team, and they are the security champions, and they helped me manage and drive the security program to the next level.""What you want to do is implement a phased approach to security awareness training, starting with basic concepts and gradually increasing the complexity of those concepts.""90% of the employees in US companies use laptops to conduct personal transactions, whether they're paying the credit card bill or they're booking travel tickets, they're all doing it online, and using a company laptop.""Appoint security champions within different departments to assist in training and awareness.""The message has to be very simple and to the point, so employees can understand and have an open dialogue.""Implement pre-and post-training assessments and measure changes in employee knowledge.""Leaders and managers should lead by...

Student-led cybersecurity clinics are increasingly playing an essential role in strengthening the digital defenses of nonprofits, hospitals, municipalities, small businesses, and other under-resourced organizations in our communities while also developing a talent pipeline for cyber-civil defense. Sarah Powazek, Program Director - Public Interest Cybersecurity at the University of California, Berkeley Center for Long Term Cybersecurity (CLTC), sheds light on this important development. One of the highlights of the discussion was the recognition that the cybersecurity field is such a melting pot of different skill sets. In Sarah's words, "it's actually one of the biggest advantages we have; threats are changing every day. If we don't have folks from different backgrounds and different life experiences, we're really not going to be prepared; we're not going to be able to adapt."Time Stamps00:02 -- Introduction01:46 -- Guest's Professional Highlights04:35 -- Center for Long-Term Cybersecurity (CLTC) Initiatives06:13 -- Training students07:20 -- How do the cybersecurity clinics benefit students?09:11 -- Resources for Non-Profits and Under-Privileged Organizations11:01 -- Types of Clients for Student-Run Cybersecurity Clinics11:42 -- Guidance to universities who want to create student-led cybersecurity clinics14:29 -- Consortium of Cybersecurity Clinics17:20 -- Not-technical roles in cybersecurity18:46 -- Cybersecurity field is a melting pot of different skill sets21:12 -- Different Cybersecurity Roles23:32 -- Final ThoughtsMemorable Sarah Powazek Quotes/Statements"Cybersecurity clinics are modeled after medical and law school clinics.""We're running programs where students will learn how to provide a cybersecurity maturity assessment. We accept students from all different majors, at least at UC Berkeley, it's very interdisciplinary. They spend the first part of the course learning all about cybersecurity and about the basics, basic cyber hygiene, multi-factor authentication, regular patching schedules, incident response plans, etc.""There isn't a real clear academic pathway into cybersecurity.""One of the big student-run clinics is the University of Nevada, Las Vegas. They operate as a student club; the students train each other, create programming, and engage with the clients, and they operate year-round. They've got a really interesting model for clinics where they're working with clients, but the students are really the ones taking on that responsibility. And the faculty advises them.""We have a toolkit on the Consortium's website that actually has step-by-step instructions on how to design a clinic. How do you pick out the curriculum? ""There's a couple of things that we really encourage folks to have, if they want to start up a clinic program, the first is a faculty champion.""So we've really switched the focus and formed the consortium a number of years ago around centralizing resources, making it easier for folks around the country to start up programs, making the programs even better and more effective at both training students and providing real value to clients. And we have a goal of having a clinic in every state by 2030.""I think that there are many people worldwide who care about the mission and protecting their communities but haven't gotten some of those skills yet. And anyone can learn. Anyone can learn cybersecurity. I truly believe that, I think people from all backgrounds provide something really valuable to the field.""Cybersecurity is really a trade. It's something that anyone can learn." "I'm starting to meet a lot of...

Developing and maintaining resilient and secure data centers is a huge part of cybersecurity readiness. Spiros Liolis, Chief Technologist and Managing Consultant, EYP Mission Critical Facilities, Part of Ramboll, joins me to discuss the challenges and best practices of creating and maintaining state-of-the-art data centers. Topics covered include a) elements and attributes of resilient data centers, b) creating and maintaining a resilient and adaptive data center, and c) the different types of risks – geological, meteorological, and human – that must be considered when building and maintaining the data centers.Time Stamps00:02 -- Introduction00:49 -- Setting the Stage and Context for the Discussion01:54 -- Guest's Professional Highlights02:56 -- Overview of Data Center Resiliency05:41 -- Criticality of Data Centers 07:53 -- Key Elements of a Resilient Data Center12:06 -- Build Your Own or Co-locate15:00 -- Assessing the Effectiveness of a Data Center19:32 -- Significance of Simulated Exercises/Tabletop Exercises21:46 -- Importance of On-Site Visits23:56 -- Technical, Commercial and Operational Due Diligence26:17 -- Adaptive Design28:32 -- Data Center Facility Locations30:15 -- Best Practices & Final ThoughtsMemorable Spiros Liolis Quotes/Statements"Everything we do today, as professionals and as consumers, relies heavily on data centers.""There's a cloud of course, but nothing up there, 35,000 feet above the ground, is hosting servers. The cloud is practically data centers on Earth, right.""What do we mean by secure and resilient data centers? will refer to the ability of essential data center infrastructure to withstand and recover from disruptions and ensure their continued operations.""When we talk about potential threats, we need to think of them in terms of geological, meteorological, accidental, or even intentional risks. These are primarily the risk types we talk about when it comes to data center resiliency.""The moment you power up a data center, you practically cannot shut it down.""So the resiliency of a data center must consider how to build enough redundancy by design and by implementation into these data centers.""So our methodology is to look at the different risk factors that may have an impact on the facility itself, whether it is your own, or whether it is being hosted; you need to evaluate, and measure the impact of different risks and these are geological risks, meteorological risks and human risks, whether accidental or unintentional.""Nothing beats an on-site visit to check a data center's resiliency.""So the hybrid design is really all about building the necessary critical infrastructure that capitalizes on multiple sources of energy.""Education awareness is absolutely paramount. And that is probably one of our faults as well, data centers today are considered to be the naughty neighbors. I mean, they say, Oh, they're energy consuming, they take our water, they take our power; we as an industry need to educate our communities, we need to tell them what is it that we do. And of course, we need to make sure that we build them in a sustainable way, we'll use renewables, we will become community friendly. All of that must happen."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms:...

Application Programming Interfaces (APIs) play a vital role in modern software development, enabling the integration of services and facilitating the exchange of information. The ubiquity of APIs is a testament to their success in supporting many functions. However, their prominence has also made APIs a target for cyberattacks. Jeremy Snyder, Founder & CEO of Firetail.io, joins me in discussing how to secure APIs effectively. Our discussion revolves around the following questions:What do we need APIs for? Why do we need API security? What are the consequences of lax API security?What are the risks of APIs today? How can we remedy current API security issues?Time Stamps00:02 -- Introduction00:49 -- Setting the Stage and Context for the Discussion02:26 -- Guest's Professional Highlights04:37 -- Overview of APIs09:12 -- Common API Security Risks and Vulnerabilities12:29 -- Design with security in mind13:23 -- Securing APIs13:36 -- Integrating Security into the Development Process13:52 -- Different Ways of Security Testing APIs17:08 -- Vulnerability Monitoring and Promptly Acting on Alerts19:22 -- Role of Humans in Acting on Vulnerability Alerts21:33 -- Staying on the Right Side of the Law23:37 -- Significance of Maintaining Logs25:36 -- Selecting Robust APIs27:59 -- Key Takeaways28:57 -- API Governance30:25 -- Zero Trust Approach32:10 -- Use of APIs in Leveraging Large Language Models (AI)33:41 -- API Governance and Taking Ownership36:12 -- Final ThoughtsMemorable Jeremy Snyder Quotes/Statements"Application Programming Interface (API) -- It's basically the way two pieces of software talk to each other, that can be to send data from system A to system B, or that can be for system A to request system B to process something for it.""We've got sensitive data crossing the wires over an API, but we've also got critical business functions like processing credit card transactions over an API.""API's are pretty much happening behind the scenes, they enable a huge volume of interactions and transactions every day.""So we've been cataloging the API data breaches for the last couple of years, these breaches go back about a decade or started about a decade ago, or let me say started to be recognized about a decade ago. And as we've catalogued them, we've kind of categorized them as well, to try to understand in each of these breach scenarios, what was the primary error or breach vector? How was the API breached? And if there's a secondary cause, or things like that, we look at that as well. Two of the main things that we see are are really authentication and authorization." "Authorization turns out to be the number one root cause of data breaches around API's. And this has been true for many years now.""Proactive security is always much cheaper than reactive security.""From the proactive standpoint, the number one thing that any provider of an API can do is actually just check the API's before they go live.""You should actually pen test your API's before they go live.""Very often, we find that API's get shipped into production environments without going through either the static code analysis, or the pre launch testing." "The average time that a vulnerability existed in a production environment before being patched and updated, was around 180 days.""The best practice that we recommend to customers about reacting to the logs or the alerts or the suspicious conditions that you're seeing in your logs

Attackers have started increasingly targeting victims' backups to prevent organizations from restoring their data. Veeam's "2023 Ransomware Trends Report" found more than 93% of ransomware attacks specifically targeted backup data. My discussion with Gabe Gambill, VP of Product and Technical Operations at Quorum, revolves around the following questions: • What vulnerabilities of data backups do ransomware hackers exploit?• What are the common mistakes and barriers when recovering against a ransomware attack?• How to successfully recover from a ransomware attack?Time Stamps00:02 -- Introduction00:49 -- Setting the Stage and Context for the Discussion01:41 -- Guest's Professional Highlights02:16 -- Revisiting Ransomware Attacks03:24 -- Phishing, the Primary Delivery Method for Ransomware04:33 -- Ransomware Attack Statistics05:34 -- Payment of Ransom06:51 -- Protecting and Defending from Ransomware Attacks08:07 -- Franchising Ransomware08:51 -- Last Line of Defense against a Ransomware Attack10:23 -- Data Backups and Prioritization11:33 -- Data Recovery Best Practices13:31 -- Holistic Approach to Tabletop Exercises14:40 -- Significance of Practicing the Data Recovery Process14:48 -- Common Mistakes and Barriers when Recovering from a Ransomware Attack18:47 -- Being Appropriately Prepared For Disaster Recovery20:38 -- Vulnerability Management21:37 -- Reasons for Not Being Proactive24:48 -- CISO Empowerment25:54 -- Cross-Functional Involvement and Ownership26:56 -- CISO as a Scapegoat28:43 -- Multi-factor Authentication29:47 -- Best Practices to Recover from Ransomware Attacks31:26 -- Final ThoughtsMemorable Gabriel Gambill Quotes/Statements"The next logical step was ransomware, where they're taking your data, and they're literally encrypting it right from under your nose and holding you accountable, so that they can get money out of you to give you back your own data.""More people are paying and not talking about it, which is the worst thing you can do in that situation.""80% of people that are hit with ransomware are hit again. So if I'm the ransomware person, who am I going to attack? I'm going to attack Caesars Palace (hotel in Las Vegas) again, I know they're going to pay. So there's the trade off there between the right thing to do and the hard thing to do.""The last line of defense are your backups. So it's like an onion, you're gonna have multiple layers of defense, you're gonna have security layers on your perimeter, you're gonna have antivirus, you're gonna have endpoint protection, you're gonna have things such as network scans. There's all kinds of things you can do to provide layers of protection into your environment." "The ransomware attack is not through vulnerabilities as much as through phishing. And because of that, people are the weakest link in your security plan, inevitably, it's going to happen to everybody.""The most common thing that I've found is when they recover from ransomware, they don't contact their insurance first. And the bad part about that, whether you're going to pay whether you're not going to pay, if you didn't contact your insurance first, chances are, they're not going to pay you back.""The other big mistake I see is people rushing the recovery to get back online versus getting back online safely.""On the technical side, the mistakes that I often see people make is they want everything to be integrated and simple. And there is a level for that in your production environment that is...

While tabletop exercises (TTX) are considered a proven tool for finding gaps in an organization's security posture, they can be painstakingly challenging to plan and implement effectively. In a time where information security teams are understaffed and overworked, are TTX still worth the time and resources? Or are there other ways of ensuring incident response readiness? Navroop Mitter, the CEO of ArmorText, a mobile security and privacy startup, sheds light on the various aspects of tabletop exercises and their effectiveness as a preparedness tool.Time Stamps00:02 -- Introduction00:49 -- Setting the Stage and Compelling Stats02:48 -- Guest's Professional Highlights05:12 -- Overview of Tabletop Exercises07:15 -- Comparing Tabletop Exercises to Simulation11:12 -- Benefits of Running a Tabletop Exercise12:36 -- Table Top Exercise Resources15:18 -- Legal Representation in Tabletop Exercises 17:07 -- Doing Tabletop Exercises Right23:20 -- Mistakes To Be Avoided29:14 -- Building Resilient Communication Capabilities34:28 -- Final ThoughtsMemorable Navroop Mitter Quotes/Statements"A tabletop is a tool for organizations seeking to enhance their cyber resilience and readiness. It helps you develop muscle memory and identify gaps in your existing plans or other opportunities for enhancement.""Unfortunately, too often, tabletops are seen as something the cyber folks do alone in their dungeons. But they're just as essential for C-suite senior leadership and the board.""When we're helping organizations think through tabletops, or the simulations they're going to run, whether it's a very quick, lightweight discussion around the table, or a much more nuanced, immersive simulation, we're asking them to assemble stakeholders like senior leadership board members, IT and security teams, public relations, communications teams, legal counsel, human resources and finance together. This is not about the technologist. It's not just about security. This is about operational resilience. And that means the entire organization.""When you test your IR plan, even without having a formal team in place, just testing the IR plan alone was nearly as effective; you still had 48 days saved just by having rehearsed and tested your plan, just by having run the playbook before, and understanding what it was to be in that scenario, or something similar to it.""I think the need of the hour is increased executive and senior leadership involvement.""Done right, tabletops are actually there to help you prepare for managing regulatory litigation and reputational concerns that often follow these events."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes are released every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

As artificial intelligence (AI) technologies continue to evolve and be leveraged, organizations need to make a concerted effort to safeguard their AI models and related data from different types of cyber-attacks and threats. Chris Sestito (Tito), Co-Founder and CEO of Hidden Layer, shares his thoughts and insights on the vulnerabilities of AI technologies and how best to secure AI applications.Time Stamps00:02 -- Introduction01:48 -- Guest's Professional Highlights03:55 -- AI is both a cure and a disease04:49 -- Vulnerabilities of AI07:01 -- Hallucination Abuse10:27 -- Recommendations to secure AI applications13:03 -- Identifying Reputable AI security experts15:33 -- Getting Rid of AI Ethics Teams19:18 -- Top Management Involvement and CommitmentMemorable Chris Sestito Quotes/Statements"Artificial intelligence systems are becoming single points of failure in some cases.""AI happens to be the fastest deployed and adopted technology we've ever seen. And that sort of imbalance of how vulnerable it is and how fast it's getting out into the world, into our hardware and software, is really concerning." "When I talk about artificial intelligence being vulnerable, it's vulnerable in a bunch of ways; it's vulnerable at a code level, it's vulnerable at inference time, or essentially, at real time when it's making decisions, It's vulnerable at the input and output stages with the users and customers and the public interacting with your models, it's vulnerable over networks, it's vulnerable at a generative level, such as writing vulnerable code.""Hallucination abuse would be the threat actor trying to manage and manipulate the scope of those hallucinations to basically curate desired outcomes.""We should be holding artificial intelligence to the same standards that we hold other technologies.""The last thing we want to do is slow down innovation, right? We want to be responsible here, but we don't want to stop advancing, especially when other entities that we can be competing against, whether that's in a corporate scenario, or a geopolitical one, we don't want to handcuff ourselves.""If we're providing inputs and outputs to our models to our customers, they're just as available to threat actors. And we need to see how they're interacting with them.""If you're bringing a pre trained model, and and you're going to further train it to your use case, scan it, use the solution to understand if there is code where it doesn't belong." "If we're providing inputs and outputs to our models to our customers, they're just as available to threat actors. And we need to see how they're interacting with them.""Red teaming models is a wonderful exercise but we also need to look at things that are a little bit more foundational to security before we get all the way to AI red teaming.""The threats associated with artificial intelligence are the exact same threats that are associated with other technologies. And it's always people. It's always bad people who want to take advantage of the scenario and there's an enormous opportunity to do that right now."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn:

The latest disaster recovery statistics reveal that modern businesses still face costly interruptions due to a variety of threats, ranging from ransomware attacks to sudden hardware failures. The monetary costs of disasters and outages can be significant. According to results from Uptime Institute's "Annual Outage Analysis 2023" survey, 25% of respondents reported that their latest outage incurred more than $1 million in direct and indirect costs. In addition, 45% reported that the cost of their most recent outage ranged between $100,000 and $1 million. Another research report reveals that just over half of organizations have disaster recover plans and around 7% of organizations never test their disaster recovery plans. It was a real pleasure having Sagi Brody, Co-Founder and CTO at Opti9 on the podcast to shed light on the various aspects of disaster recovery and how to do it well.Time Stamps00:02 -- Introduction00:54 -- Disaster Recovery Statistics and Guest Introduction03:08 -- Guest's Professional Highlights04:40 -- Overview of Disaster Recovery09:12 -- How do you ensure that the disaster recovery infrastructure does not become the next security incident?11:51 -- Disaster Recovery Best Practices15:23 -- Around 7% of organizations never test their disaster recovery plan. Why is that the case? Why wouldn't organizations want to ensure that whatever they have documented whatever they have planned actually works?19:49 -- How effective are tabletop exercises in the context of rehearsing for disaster recovery? Should organizations be doing more than tabletop exercises?22:09 -- Disaster Recovery and Outsourcing25:09 -- Final ThoughtsMemorable Sagi Brody Quotes/Statements"When you think of backups, I like to think of the word RECOVER. When you think of disaster recovery, I like to think of the word RESUME, you're not restoring data, you're resuming your business operations after a disruption.""I think one of the biggest mistakes that people make is they sort of build their entire production infrastructure, or their application, get it all up and running, make it perfect. And then later on, they want to focus on disaster recovery.""Imposing disaster recovery strategy on an already built, let's say, application is much more difficult than having resilience be part of your thought process as you go along building your production environment.""We need Runbooks (or Playbooks) for what we do during a disaster. Not only that, but we need Runbooks for different types of disasters. If we need to fail over one application versus our entire environment, we need a separate Runbook for testing.""Today, a lot of people have their applications highly integrated with third party SaaS platforms. So let's be sure that when we test our disaster recovery infrastructure, we're testing the applications, we're not poisoning our production data sitting somewhere else inadvertently.""You have to be super careful when making decisions on what platforms, what vendors, what software you're using to build your applications and your infrastructure. When you make those decisions, you have to weigh them against your resilience framework and your security framework."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee

In a very thought provoking discussion, Artificial Intelligence (AI) expert, Tony Hoang, Ph.D., traced the evolution of Gen AI, highlighted the many benefits, and also shared his concerns about the irresponsible and abusive use of this technology. What got my attention were the following realities:Innovators often prioritize speed over responsible AI development, leading to potential negative consequences.How easy it is to create a software-generated duplicate of someone's voice or video avatar without their consent, using online content such as images and videos.There are no current safeguards to prevent someone from exploiting AI-generated images of someone else, making it a challenge for parents to advise their children on how to protect themselves.Time Stamps00:02 -- Introduction00:49 -- Dr. Tony Hoang's Professional Highlights02:47 -- AI's evolution, data science, machine learning, and generative AI10:05 -- Generative AI and cybersecurity14:07 -- AI and cybersecurity threats in the enterprise18:45 -- AI-generated explicit content and its impact on teenagers22:48 --AI-generated content and its potential impact on society30:05 -- AI-generated fake reviews and their impact on businesses34:55 -- The potential dangers and benefits of generative AIMemorable Tony Hoang Quotes/Statements"Right now, there is a big emphasis on the on the client-side of obviously, privacy and security, on the development side, there isn't primarily because of the fact that everyone wants to rush to the top.""So, what they're doing is they are taking all of the responsible AI committees, all of the privacy committees, and they basically just laid everyone off in the past six months. And that's kind of frightening to see, because what that means is when you fire your responsible AI committee, what that signals is they want to go fast, because these committees actually slow them down in order to accomplish their goal.""The stuff that really worries me the most about Gen AI isn't phishing attacks, or any of that stuff; my biggest fear right now is the replication of human images, or video or voices.""One of the ways that you could use Gen AI to take down a competitor, you would go on their website onto the product review, hit it with AI generated responses and just flood it with negative one star or two star reviews. So that's a way to destroy a company's reputation using Gen AI, and we're actually seeing that right now.""There's no way for anybody to detect AI generated content right now in an automated fashion."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

A 2023 State of Vulnerability Management Report finds that only half of the surveyed organizations (51%) have, at best, a moderate level of visibility into vulnerabilities. Several other vulnerability management metrics, such as maturity levels, frequency of vulnerability scans, and patch deployment speed, reveal an alarming and troublesome trend. In this episode, Ashley Leonard, CEO at Syxsense, joins me in reviewing the research report findings and discussing vulnerability management challenges and best practices.Time Stamps00:02 -- Introduction02:20 -- Ashley Leonard's Professional Highlights04:00 -- Scope of Vulnerability Management06:34 -- Human Vulnerability Factor08:57 -- AI-enabled Phishing Attacks09:32 -- Vulnerability Management Objectives15:50 -- Continuous Vulnerability Scanning and Remediation18:24 -- Practicality of Continuous Vulnerability Scanning22:37 -- Securing All Attack Surfaces, Especially IoT Devices and Cloud Assets25:57 -- Vulnerability Management Maturity Levels31:33 -- Apparent Disconnect Between Scanning and Visibility 36:15 -- Promptly Acting On Vulnerability Report Findings41:49 -- Selecting Appropriate Vulnerability Management Tools and Solutions43:55 -- Vulnerability Management Best Practices46:30 -- Final ThoughtsMemorable Ashley Leonard Quotes/Statements"We try and train most of our users not to log in an unknown USB device. But there have been cases where threat actors will take the USB devices and drop them in the parking lot of companies they're trying to breach. People will often pick up these USB sticks, wonder what's on it, walk into the office, and plug it in. It's shocking.""I would share that patching should not be a monthly process. Many companies do this kind of, "Oh, it's Patch Tuesday, so we're gonna go and deploy our patch Tuesday patches to our organization." It's not even a weekly process, this should be a continuous process.""New vulnerabilities are being published constantly, we have a whole threat research team that is constantly publishing new content. And if you're not scanning on a continuous basis, then your organization's exposed. So you really need to find technologies and partners that can do this kind of continuous vulnerability management for you.""In the past, after a vulnerability was publicly announced, it typically took three to seven days before you started to see attackers actually weaponizing these vulnerabilities and attacking, which meant you kind of had a week or so to get your act together, deploy the patches and make sure your organization was safe. It's now down to 24 hours. And that's a problem. That's a huge problem for most organizations, because, unless you are doing continuous vulnerability scanning and remediation, you're not going to be able to respond quickly enough, and your organization is going to be exposed. So you really need technology to step in here. And you need automation that you can use to deploy these patches to your most vulnerable assets as quickly as possible.""Patches don't get tested normally as much as a full release of a product; that's also a risk.""Automation can really help you respond quickly but also thoughtfully in the way that you go about remediating these patches.""Think carefully about the data, categorize how important it is, and think about where it's stored. And that's a really good starting place." "Threat actors are now using AI to analyze the exfiltrated data from the organization. And then using that data from the AI, for example, finding customer lists, and then contacting those customers, and getting those customers

While cloud computing has become a great digitization enabler to enterprises, multiple clouds—especially when intersecting with on-premises systems and one another—can produce some challenges. Many organizations can end up with an "identity gridlock" of competing identity systems and protocols since each cloud platform cannot exchange access policy data with other cloud providers. It was an absolute pleasure having Gerry Gebel, Head of Standards at Strata Identity, join me to discuss the significance of standardizing identity management.Time Stamps00:02 -- Introduction02:09 -- Gerry Gebel's Professional Highlights04:15 -- Role of Standards in Identity and Access Management08:14 -- Avoiding Identity Gridlocks11:38 -- Competing Interests in Developing Standards14:49 -- Role of Standards in Achieving Fine-Grained Access Controls18:25 -- Rationale Behind Having Numerous Standards21:02 -- Senior Leadership Involvement in Standards Setting Process25:39 -- Streamlining and Standardizing Security28:07 -- Final ThoughtsMemorable Gerry Gebel Quotes/Statements"Standards allow for interoperability between domains that different organizations run, and this can provide the user with a lot of convenience.""Each of these cloud and computing platforms has its own way of defining and configuring access to resources. That's where the gridlock comes in because they're not interchangeable; they are not interoperable.""Realize that you're not standardizing the whole offering; you're standardizing different pieces that have maybe become a commodity.""It really comes down to having customers involved in the process, because they're the ones who ultimately, will, or will not purchase products. If there's a lock-in, or there's a lack of interoperability, the customer may choose to stay away from that product or solution.""You can be an active participant (in the standards-setting process) and look out for your own interests, rather than delegating that to someone else who may not represent the same point of view.""What is the purpose of creating these standards? And we've sort of alluded to that a couple of times here. I think that's where the enterprise perspective is very important. Because, as a programmer, as a developer, we can easily get lost in the weeds of the technology, you know, how do I write this Go routine? Or how do I write this API? And I think the enterprise perspective keeps the focus on what's the real business purpose for doing this. Does it enhance security? Does it give us vendor independence? Does it reduce risk in some way? Or does it enable new business? So I think it's important to have that [customer] voice in the conversation.""I would say from the enterprise administrative perspective, there's more capability to properly govern the deployment, the configurations, if you have standards involved, because it gives you more visibility of exactly what is connected to what and who has access to what. It gives you better visibility or reporting capability to show, "Oh, well, I'm compliant with these HIPAA rules, or I'm compliant with, you know, some of their financial rules." So, that's where the standards can be of great benefit in overall governance."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn:

With the global cost of cybercrime expected to reach $10.5 trillion by 2025, cybersecurity has become a board-level imperative. According to the Diligent Institute survey 'What Directors Think,' board members ranked cybersecurity as the most challenging issue to oversee. Even though boards say cybersecurity is a priority, they have a long way to go to help their organizations become resilient to cyberattacks. Kayne McGladrey, Field CISO at Hyperproof and a senior IEEE member, sheds light on this important aspect of cybersecurity governance. The driving question being: How informed is the Board of Directors to provide effective oversight of cybersecurity governance?Time Stamps00:02 -- Introduction03:06 -- Kayne McGladrey's professional highlights04:01 -- 2023 Global CISO Survey Findings -- Do the Board of Directors have the necessary expertise to provide cybersecurity governance oversight?07:24 -- CISO and Board of Directors Relationship 14:22 -- Effectively Empowering the CISO20:07 -- Reasons for Board of Directors' Lack of Involvement 26:35 -- Board Members Cybersecurity Education and Training 45:27 -- Final ThoughtsMemorable Kayne McGladrey Quotes/Statements"Interestingly enough, fewer than half of the board members regularly interact with their CISOs. This is an indicator of a communication gap, and potential alignment issues between board members and CISOs, which is really hindering progress in cybersecurity.""I know a lot of businesses still see cybersecurity as a cost center. They don't see it as a strategic advantage.""I can think of a CISO who I was just chatting with at Blackhat this year, who turned down a job they matched on salary expectations. But, they matched on job expectations, and they matched culturally. They will be reporting as the CISO to the Director of IT, not to the CIO, not to the CEO, but they're going to report to some down-level director, and they wouldn't be offered directors and officers insurance either. So effectively, they'd only be a CISO in title and C-level executive in title only, but not in practice. They recognize they were being hired in as a scapegoat. I think that's a persistent problem that we've seen associated with how companies are recruiting CISOs.""I think CISOs should ideally report to the CEO or another C-level executive like the chief operating officer or chief financial officer. And that really allows for a direct line of communications to the top-level management and that emphasizes and underscores the importance of cybersecurity and strategic decisions.""Cyber risk is a business risk. Cyber is just an influence.""Boards think in terms of business risks. CISOs, unfortunately, don't often communicate in terms of business risks. CISOs often communicate a technical risk, like a risk of ransomware, or the risks associated with generative AI; those aren't risks; that's driving the communications gap. Literally how we talk as CISOs is part of what causes a lack of oversight on the part of the board because the board doesn't understand what it is that they should actually care about. And so, they disengage.""Don't go to the board and say I have a problem, because they're not there to solve your problem. They want to know what you're doing about the problem. Also, they want to know if it's going to materially affect the business, I think if you go there with a problem, a solution and a proposal, you're probably going to have a much better time."

According to a 2023 IBM report, companies take 197 days to identify a breach and 69 days to contain one on average. The delay between infection, detection, and containment can cost businesses millions of dollars. Only 45% of the companies polled had an incident response plan in place. In this episode, Markus Lassfolk, VP of Incident Response, Truesec, and Morten von Seelen, Vice President of the Truesec Group, who have extensive hands-on experience in dealing with major cyber attack incidents, shed light on this very important subject matter. Time Stamps00:02 -- Introduction02:47 -- Markus Lassfolk professional highlights04:28 -- Morten von Seelen professional highlights06:17 -- What does incident response mean? Why is it important?09:10 -- Extent of organizational preparedness15:32 -- How should organizations prepare to help incident responders do their job better?20:49 -- What are the different roles associated with major incident response engagements? How do you build a team to handle these engagements and how you retain the talent?25:18 -- What are some of the most common mistakes that you see customers making?30:27 -- How effective are tabletop exercises?36:00 -- How important are security drills?37:21 -- How should organizations go about looking to identify real expertise in incident response?39:25 -- What kind of help can small companies get who don't have the budget? What would be your advice to them?42:58 -- When I was reviewing some industry reports, one survey finds that while only 45% of the companies polled had an incident response plan in place, 79% of the companies have insurance. So they're almost implying that many companies could be of the view that let's not worry about the incident response plan. If we have good insurance, we are covered. Can you dispel that myth?46:35 -- What's exciting, what's interesting, what are some challenges, what kind of mindset and skills one needs to have to pursue a career in incidence response? 51:23 -- Final thoughtsMemorable Markus Lassfolk Quotes/Statements"If organizations gets hit by ransomware, they are usually down for three weeks, 21 days, on average.""From a preparedness standpoint, it helps if the customer has secure and safe backups that we can use." "In most of the cases, customers are either totally unprepared, or they're not prepared in the right way.""During an engagement, having the log files will help us get answers of what's been going on in the breached environment. When we don't have the log files, it's so much harder, then we have to start looking at other things which takes more time, which sometimes does not provide the answers, and then we have to start guessing.""The best thing that the leadership team can do is to give the incident responders and the IT department the support and room to do their job and and not expect to have status meetings every 30 minutes or every two hour because that does not give us time to work and actually produce stuff." "We advise our customers to make sure that they identify the key personnel on their site and try to reduce the single point of failures in personnel as we call it, because in every incidents, when we come in and start working, we start to see a pattern; there is one person who has the answers to everything and who everyone points to. And that person is the single point of failure.""They (customers) start restarting or...

While large language models such as ChatGPT can be used to write malicious code, AI tools are increasingly used to proactively detect and thwart cyber-attacks. There is growing recognition of AI's potential to fight cybercrime. Ian L. Paterson, CEO, Plurilock, sheds light on how AI has impacted the cybersecurity industry, especially how Generative AI is changing the industry. Describing the role of the AI as a co-pilot, he says, "The way I think about leveraging AI is typically having a human do the first 10%, and the last 10%, an AI is really good at doing the 80% in the middle. So it's not a replacement for the human, but it's an enabler for that human and allows them to do more with less."Time Stamps00:02 -- Introduction02:26 -- Ian L. Paterson's professional highlights04:56 -- What is generative AI and how does it work?10:34 -- How can we protect ourselves from phishing attacks?16:12 -- Leveraging AI for behavioral biometrics21:21 -- What is generative AI? How are these tools being used to thwart cyber attacks?24:45 -- How do we speed up detection and remediation?28:20 -- Cybersecurity is a team sport and it is a team game32:29 -- Guidance and recommendations36:19 -- Final thoughtsMemorable Ian Paterson Quotes/Statements"What we see today is that large language models can appear as if they are themselves intelligent.""One of the chief dangers of this new (AI) type of technology is that you can now author convincing text at scale.""What we are seeing today is both an increase in the volume of attacks and an increase in the severity and the convincingness of some of these attacks. I call them multimodal attacks because you're using not only the modality of text but you can also use the modality of video or audio. I think we're going to have to deal with these types of attacks, with these problems, for many years to come.""You're not going to have a ransomware attack on Monday at 10 am when everybody's refreshed from the weekend; it's going to be Friday afternoon, it's going to be on Christmas Day, it's going to be when you don't want to deal with those types of situations.""You can certainly use large language models to accelerate or help cut down on some of the minutiae when writing code.""Large language models are being used as co-pilot in Security Operations Center, to do log analysis, to speed up monitoring, identification, and notification of potential threats.""We've always had this need in cybersecurity to increase productivity because there are not enough people to do the work needed to stay safe. So, AI will help, it will be a productivity boon.""The way I think about leveraging AI is you typically have a human do the first 10% and the last 10%, an AI is really good at doing the 80% in the middle. It's not a replacement for the human, but it's an enabler for that human and allows them to do more with less, and hopefully, highlight the area they need to focus on.""The reality is that cybersecurity is a team sport, and you need a host of products and solutions working in harmony to adequately address the threats out there and reduce the attack surface.""In summation, AI is good, we're certainly going to see cybersecurity-related innovations, but it's not going to replace the people it takes to deploy and leverage those solutions.""It's really about having that defense-in-depth strategy. I think that makes a difference between somebody with pretty good security and somebody with great security."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to...

Cloud migration and remote work requirements are forcing organizations to modernize their applications and identity systems. Making the transition is both time-consuming and expensive using traditional software development practices. By decoupling applications from identity, orchestration can alleviate the burden while allowing companies to seamlessly mix and match different cloud providers as well as MFA and passwordless technologies. In this episode, Eric Olden, Co-founder and CEO at Strata Identity sheds light on identity orchestration strategies and best practices. Time Stamps00:02 -- Introduction02:16 -- Eric Olden's professional highlights05:11 -- State of maturity of identity management, and where does identity orchestration fit in.08:13 -- When should an organization consider an identity orchestration strategy?11:33 -- Identity orchestration, a plug-and-play approach15:17 -- Use of the "adapter" metaphor to understand identity orchestration16:50 -- Identity Orchestration and Single Sign-On -- What is the nature of the relationship?18:47 -- Eliminating security vulnerabilities with application modernization and identity orchestration 22:06 -- Wide-scale implementation of passwordless authentication 25:47 -- Challenges and success factors in formulating and implementing identity orchestration strategies30:24 -- Guidance in selecting service providers and vendors 34:31 -- Making a business case for identity orchestration38:59 -- Final thoughtsMemorable Eric Olden Quotes/Statements"I see identity providers themselves, the IDPs, are today's hardware in that customers need them, they have to run something, but they don't want to be locked into any one thing. So, we've created an abstraction layer that allows you to decouple the applications from the identity provider. So you can mix and match and do different things.""Identity orchestration makes sense when you have more than one identity provider.""If you find yourself trying to modernize applications and move from legacy to modern, that's another really important use case for orchestration.""The abstraction layer allows you to avoid rewriting any of the applications because, from the application standpoint, the orchestration layer presents a facade that looks exactly like the application is expecting it before orchestration came in.""We're able to bring modern security to legacy applications and do that without ever changing them.""All of these five A's -- authentication, access, authorization, attributes, and audit, need to find their way into this new distributed environment.""Today, with orchestration, you no longer need an application-specific connector because all of the patterns in the protocols that the applications need are already part of the abstraction layer in the orchestration.""I told my developers, look, if you ever find yourself typing the word password in your code, stop, you're doing it wrong. So you need to back that up and figure out why someone was trying to bring a password in the first place and give them an alternative. So that is a bit of a heavy lift at the beginning, where you need to change people's mindsets.""The world today is about self-service, and you want to have things bought and not sold."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr....

Recent cybersecurity workforce study reports reveal that a) there's still a global shortage of 3.4 million workers in this field, and b) only 25% of the global cybersecurity workforce are women. In this episode, I had an engaging discussion with panelists Ashley Podhradsky, Vice President of Research and Economic Development at Dakota State University, and Kriti Arora, Security Global black belt, Threat Intelligence and External Attack Surface Management, Microsoft, North America, on attracting more talent, especially motivating and inspiring women to become cybersecurity professionals. One of the key messages that came out of the discussion was not to allow a certain stereotype or image to influence career decisions. A woman's innate traits and abilities, such as multitasking, problem-solving, organizational skills, curiosity, and the zeal to go above and beyond, will serve her very well as a cybersecurity professional.Here are links to some useful cybersecurity training and awareness resources:https://www.girlsecurity.orghttps://www.sans.orgwww.CybHER.orgWww.WiCyS.orghttps://www.isc2.orgTime Stamps00:02 -- Introduction03:33 -- Ashley Podhradsky's professional highlights04:59 -- Kriti Arora's professional highlights08:22 -- Dakota State University's cybersecurity initiatives11:30 -- Kriti Arora's exposure to cybersecurity education and her reflections on the learning experience14:17 -- Holistic approach and human element in cybersecurity17:21 -- Core cybersecurity offerings at educational institutions19:23 -- Cybersecurity awareness and training throughout the organization21:43 -- Gender discrimination in cybersecurity25:23 -- Cybersecurity stereotypes30:05 -- Cybersecurity skillsets33:19 -- Why women are likely to be very successful in cybersecurity37:38 -- Industry-academic partnership42:55 -- How would you promote cybersecurity to your female friends?45:08 -- Resources for cybersecurity education and training53:22 -- Final thoughtsMemorable Ashley Podhradsky Quotes/Statements"When I was in school, I was usually the only woman and I wanted to do what I could to help bring more women into this field. It's incredibly exciting and a wonderful environment to be in.""As I have a seat at the (senior leadership) table, I scooch over and make a seat for someone else; I find great job satisfaction and take immense pride in helping promote, support, and advance women in this field and be their champion.""Showcasing collegiate women to middle school girls in the near-peer mentoring model has been very positive for girls to understand that they can also be a part of this cybersecurity field and experience.""I've heard "No" a lot. But the only thing that tells me is that I'm talking to the wrong people. And I need to try something different and talk with someone else. And then I can get to that, "Yes.""If we're only focusing on the people who are in the right age group, right now, we're never going to solve the (woman in the cybersecurity workforce) problem, we have to...

Research finds that there was a 44% increase in insider threat incidents across all types of organizations, and 56% of the reported incidents were due to negligence. Equally alarming is that the average annual cost to remediate a negligence incident was $6.6 million. Dr. Eric Lang, Ph.D., Director, Personnel and Security Research Center (PERSEREC), United States Department of Defense, draws upon his research to share some of the (science-based) commandments for understanding and countering insider threats. Emphasizing the criticality of human factors, Dr. Lang contends that "without individuals' sincere commitments, the most extensive insider threat policies will fail."Time Stamps02:27 -- So Eric, let's first talk about yourself and your professional journey.04:36 -- What motivated you to write the article Seven [ Science-Based] Commandments for Understanding and Countering Insider Threats?07:51 -- The first commandment states that "Human factors are paramount. Thou shalt not worship technology above personal and social dynamics solutions." Tell us more about it.15:16 -- Moving along to your second commandment, you say, "Employees are an organization's greatest strength, especially for identifying insider threats. Thou shalt improve supervisory and co-worker reporting." Many employees are reluctant to report potential threats they encounter. I would assume organizations recognize the challenges and have appropriate structures and mechanisms in place to encourage more honest reporting. Your thoughts?20:45 -- Many psychological factors could come in the way of somebody alerting the organization about a possible insider threat. Thoughts?26:36 -- I will be very surprised if great organizations, when they make decisions to improve cybersecurity, governance, cybersecurity readiness, those decisions are not influenced by experts in human psychology, the clinical psychologist, or whoever the right person is. Thoughts?31:07 -- A reactive approach to cybersecurity governance doesn't cut it. Thoughts?38:37 -- So let me ask you, what do you think are any of the top three things that most employees care about for their job?43:33 -- Before we conclude, if you'd like to share a few final thoughts.Memorable Eric Lang Quotes/Statements"73% of the successful exfiltration incidents were conducted without using technology.""Technology is necessary but not sufficient, humans will find a way around it. And in this case, 73% succeeded in the exfiltration.""What was a common successful method for foreign adversaries to get sensitive US industrial information? The answer is they asked for it. It was a form of social engineering in very many cases.""Technology [often] misperforms not because of malicious intent, but because it was ill-developed.""So why do employees in an organization with a See Something Say Something policy, often hesitate to report? There are a number of social psychological factors such as 'don't be a snitch' cultural norm. They don't want a coworker to lose their job. They might have a fear of retaliation."Social psychologists often note an effect called "diffusion of responsibility" when people don't report a potential exfiltration incident."If you are aware of something of potential concern, and there are many other people also in the environment, you might think that many people have the same awareness I do, I'm sure someone else will report it. This is called "diffusion of responsibility" in social psychological research.""Policy is important, but the execution of it, and bringing employees into correct awareness and engagement is the most important...

Significant fines in excess of $2 billion have been levied on organizations in the financial services sector for failing to capture, retain and supervise communications. This crackdown on non-compliant communications is the clearest indicator yet that regulators have lost patience with firms that still haven't addressed supervision and record-keeping risks that were exacerbated by the pandemic. In this episode, Garth Landers, Director of Global Product Marketing at Theta Lake, discusses how businesses can mitigate risks from unmonitored communication channels.Time Stamps02:20 -- Please share some highlights of your professional journey with the listeners.05:10 -- Different types of modern communication tools.12:05 -- The 2022 Modern Communications Compliance and Security report(produced by Theta Lake) finds that unmonitored communication channels remain the biggest risk. What are these risks?21:19-- What are some best practices in securing the different communication channels?28:47 -- Do you think an organization would be well served if they had written guidelines of the do's and don'ts when using certain channels and making that document readily available to all organizational members?34:09 -- It's about helping individuals do the right things so that the communication is secure, as compared to gotcha, you made a mistake, and you should have done better. Thoughts?36:51 -- I emphasize the importance of creating and sustaining a high-performance information security culture. Only when you create that culture, that work ethic, securing communication channels is sustainable in the long run.40:43 -- We are talking about a proactive approach driven by a change in the mind shift where the leaders are looking at this apparent challenge (securing communication channels) as a strategic opportunity.45:11 -- Can you address the archival and retrieval challenges? 52:00 -- If there were three or four takeaways that listeners should walk away with from today's discussion, what should they be?Memorable Garth Landers Quotes/Statements"Two-thirds of an organization believe that inside their organization, employees are using unmonitored communication channels.""Unmonitored communication channels pop up because, in many cases, organizations decide not to empower their employees, they give them a Zoom, or a Cisco WebEx or a Microsoft Teams, or a RingCentral, or a Slack, etc., but they don't fully enable them. They don't turn on chat, or they don't allow file sharing, polls, or whiteboards. This forces employees to adopt and use unmonitored communication channels.""From a process standpoint, don't take a top-down approach to implement modern collaboration platforms.""Research shows that, on average, at least four different unified/modern communication tools are being used by organizations.""Most end users are not engineered towards malfeasance and bad behavior, it's carelessness. And the greatest insider threat is that sort of carelessness, and lack of awareness.""Policy works best when it's not some sort of abstract reality that you pull out when a bad thing happens." "Technology is out there to get to that balance point of maximum productivity, productive IT but productive and efficient and compliant work as well." Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Dr. Chatterjee's Professional Profile and...

Traditional authentication methods are outdated and need many layers of code, which can take time and resources away from developer teams. If developments like FIDO2, WebAuthn, and passkeys are to be the cornerstones of a passwordless future, then every application (not just Apple, Google, and Microsoft) needs an easy way to adopt these methods and weave them into current user authentication flows. Slavik Markovich, Co-founder and CEO, Descope, discusses current and future authentication trends and the importance of building a low-code/no-code passwordless authentication solution for app developers.Time Stamps02:52 -- Slavic, share with us some background information, some highlights of your professional journey.04:19 -- What are the pain points when it comes to authentication?09:55 -- So Slavik, where are we headed in terms of the next stage or the next phase of evolution when it comes to more sophisticated authentication systems?16:01 -- What is that low code, no code, passwordless authentication solution that would make it feasible for developers to focus on developing solutions and functionalities?25:00 -- There are products in the market, open source or proprietary, that can help take away that additional pain or challenge of developing the authentication part of the solution. The developers can then focus on what they are good at, developing the product functionalities. Is that a fair, high-level representation of what you said?26:17 -- So where are we with biometric authentication? Have we made more progress?33:53 -- Are we further along in getting to that ideal goal where just compromising an account doesn't mean the end of the world or doesn't mean a major problem?36:55 -- Please share some final thoughts.Memorable Slavik Markovich Quotes/Statements"If you have a token that you use to authenticate, that's pretty secure, it's very hard to phish it, and it's very hard to steal it.""A lot of effort is being made in creating authentication around who you are versus what you know. So using biometrics-based authentication is a big step in that direction." "Use of passkeys, which allow a secure and somewhat frictionless way of authenticating, without having to remember anything." [Note: "With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords"] (https://developers.google.com/identity/passkeys#)"Like everything in security, the devil is in the details.""There is an inherent tension between the security teams and the developers. You kind of try to solve it by bringing security into the development teams.""Security shouldn't become a bolt-on process but should be part of the architecture, design, review, and implementation.""Security doesn't sell your product. Eventually, features will sell your product.""Most developers are not security experts. So, if they implement authentication, there might be big holes that they cannot catch. Then, you end up with account compromises and stolen data from the application.""The biggest obstacle to biometric authentication is actually education.""The best password is no password."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Dr. Chatterjee's Professional Profile and Media Kit:

It is well known that a proactive intelligence-driven approach to cyber governance is the way to go. But it is easier said than done. Embracing and sustaining such an approach requires high commitment, preparedness, and discipline. Kriti Arora, Security Global Black Belt, Threat Intelligence and Enterprise Attack Surface Management, Microsoft, shares her experiences guiding clients to adopt an intelligence-driven proactive approach to thwarting attacks. She also shares her passion for the field and the satisfaction of training and serving as a cyberwarrior.Time Stamps00:48 -- Before we get into the details of a proactive resilient approach to cybersecurity, how about sharing your professional journey? What got you into this field?03:58 -- You described yourself as a first-generation cyberwarrior during our planning meeting. I found that quite intriguing. Please expand.06:54 -- Can you shed some light on the different types of opportunities that a cybersecurity career can present to the first generation (of cyber warriors) or people trying to pivot from their existing careers into cybersecurity?11:14 -- Kriti, share with us briefly about your role at Microsoft? At a generic level, could you share what you do at Microsoft with the listeners?15:16 -- What is a proactive, resilient approach?18:08 -- Why do organizations vary in their level of proactiveness? What are some reasons?21:10 -- What are the five or six things one should do to get started on the path of proactiveness?27:43 -- Maintaining a log of security intelligence received, and actions taken might be very useful, especially when an organization is trying to defend itself in a court of law. What are your thoughts?34:24 -- Every organizational member has a role to play in securing the organization. Do you agree?36:28 -- Asset prioritization and data retention strategies are key aspects of proactive cybersecurity governance. What are your thoughts?40:59 -- What measures or metrics are useful in assessing proactive resilience?45:02 -- Please share some final thoughts and key messages for our listeners.Memorable Kriti Arora Quotes/Statements"So, at one moment, you're fighting crimes, doing these investigations like a detective, and researching a problem to find a solution. At another time, you could be troubleshooting a typical problem and providing customer support services.""The adaptive quality of the field is what makes it thrilling. That's what excites us, the cyber warriors, who are trying to experiment, learn new things, and save the world with different techniques and tactics.""I consider a proactive approach to be intelligence-driven and holistic. It represents a mind shift on how cyber threats are thwarted.""In this proactive approach, we focus on indicators of attackers; we try to keep a watch on the entire network and its processes. It's a holistic approach. I would not call it a technique; I would call it a mind shift because you need that mind shift to understand proactiveness. It's like being alert, thinking about the worst-case scenario, trying to prevent it or be prepared to recover from it quickly.""It's very important to focus on the attack surfaces, whether internal or external. A full or 360 view of your attack surface is very important." "Successful implementation and sustenance of a proactive resilient approach depend on a high level of cybersecurity awareness and knowledge.""Organizations must strive to be both secure and productive." Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe...

“While developed markets may today bear the brunt of cyber breaches, emerging markets are no less vulnerable. Their risks arise from weak processes and governance, the complexity of global supply chains, the need to remain low cost to attract investment, and the rapid adoption of technology without adequate cyber defenses.” Andre Keartland, Solutions Architect at Netsurit, Johannesburg, South Africa, speaks to these realities and offers guidance on managing cyber risks and implementing robust security solutions.Time Stamps00:49 -- We have a lot to talk about. But let's first talk about your professional journey.04:05 -- It would be beneficial if you shared with listeners what we mean by emerging markets. You could talk about that first before talking about the trends.07:20 -- Bottom line, it is my hunch that the cybersecurity phenomenon doesn't discriminate, every country, whether they are part of the emerging block or the developed block, the experiences are kind of similar. What do you think? What are your reactions?09:54 -- Research finds that risks to emerging markets arise from four areas: 1) the complexity of supply chains; 2) the need to remain low cost to attract investments; 3) the rapid spread of technology without adequate availability or awareness of training; and 4) weak regulations. Would you agree with these?15:46 -- Andre, you're based in South Africa. Let's say some of the listeners might be interested in working or starting a venture there. As they evaluate the business scene, the pros and cons, how should they look at cyber security as a risk factor? What would be your message to them?20:57 -- The initial bonding and acquaintance phase is challenging when establishing reliable outsourcing relationships. Andre, any thoughts on that?25:09 -- What can organizations in the developed world learn from organizations managing cybersecurity in emerging markets? 32:05 -- In developing markets, organizations are more alert, more hungry, and more motivated in putting in place the best possible cyber governance practices. So, the sharing of knowledge, the sharing of experiences can be hugely beneficial. Your thoughts?43:20 -- I always like to give my guests the final word. So now is your time for some final thoughts.Memorable Andre Keartland Quotes/Statements"There might be a perception that developed markets aren't as much of a target, which makes them more of a target because it makes it appealing for the attackers.""There's even a trend of attackers doing proof of concept of the threats inside an emerging market before they go mainstream and try to attack Fortune 500 companies in North America.""Threats have no boundaries; once they get going, they affect everybody.""A low cost model often drives economies in the developing markets. That leads to a mentality and an approach where the organizations will then say, well, let's try and cut our costs as much as possible; let's invest in the core of our products, product development, building, the factory. Supporting functions, like cybersecurity, like governance, become de-prioritized.""What I recommend in general, when going into any emerging market, and as somebody who's now done business in many, many different countries, you need to take a view of the legislative framework. You need to understand whether the local legal system enforces things like copyright, intellectual property, and privacy laws; sometimes, those are not high priorities in emerging markets.""The best way to get your skills is to build your skills, get the people in the door, put in place training programs, put in place...

In this episode, Pamela Senegal, President, Piedmont Community College, shares several best practices, including having an information technology presence in each of the college-wide committees. I had the pleasure of meeting Pamela at a cybersecurity symposium organized by the World View Program at the University of North Carolina-Chapel Hill. Charle LaMonica, the Director of UNC's World View Program, also shared her thoughts and perspectives during this very engaging discussion. Driven by the belief that students and instructors must actively engage in cybersecurity governance discussions, she and her team organized a conference to create such knowledge-sharing opportunities. Time Stamps00:49 -- To set the stage and get things rolling, Charle please provide listeners with an overview of the symposium.03:56 -- I'd like to welcome Pamela Senegal, the President of Piedmont Community College; Pamela, share with the listeners some highlights of your professional career.06:07 -- Pam, how do you relate to these cybersecurity challenges plaguing community colleges?11:52 -- How do you manage providing oversight to cybersecurity governance?16:04 -- Charle, I'd like you to reflect on the cybersecurity symposium. What did you expect the conference to be? And what did it turn out?20:44 -- What are your thoughts on the out-of-the-box methods (such as the cybersecurity carnival hosted by the University of Notre Dame) of making cybersecurity awareness and training a fun experience? 25:43 -- Sometimes, you learn best when you fail. What do you think, Pam?30:47 -- It is very important to go beyond your current domain and learn what others are doing in their respective fields. What are your thoughts, Charlie and Pamela?34:34 -- What are your thoughts about having a proactive and hands-on top management team?39:13 -- I'd like to give both of you an opportunity to share some final words with the listeners,Memorable Pamela Senegal Quotes/Statements"Every president, every CIO, at every community college, we all have a card; we printed them in several different formats -- poster size versions, business card versions. When you believe you are experiencing a cyber attack, you call that number 24 hours a day, seven days a week, 365 days a year, and it will activate an entire team of resources to help your institution recover.""Our systems are set such that you cannot install unauthorized software that has not gone through a proper vetting process. And so things are a little less convenient. But it's a trade-off. And I think it's an important trade-off we've made, where the benefits outweigh the negatives.""We're at a point now as an organization where I don't know how we would survive, quite frankly, without that CIO role being one of my direct reports."Memorable Charle LaMonica Quotes/Statements"Good educators constantly want to learn.""One of the interesting takeaways (from the cybersecurity symposium) was when an instructor walked up to me at the end of the day and said, "I really thought this was going to be IT. But I learned how important it is for students to know as much about cybersecurity as I learned today.""If we don't start listening to what students want and also hear about the world they're creating for themselves, we're all missing out."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease...

In this episode, Brian Penders, Chief Information Security Officer, at the University of North Carolina Chapel Hill Medical School, shares his exciting but challenging journey from working as an engineering lab technician in the US nuclear submarine to being a law enforcement officer with the Vermont State Police and then gravitating to his current role of Chief Information Security Officer at a major academic institution. He sheds light on the principles driving the high-reliability organizational culture in the US Nuclear Navy Propulsion Program and how those experiences influenced and shaped his growth as a cybersecurity leader.Time Stamps02:24 — Take us behind the scenes and share some highlights. What were the drivers? What were the motivators? What can listeners take away from your experience?09:02 -- Let me first focus on that high-reliability, organizational culture that was established in the US nuclear Navy, and you have lived in that culture. Share a bit about what it is like and what could be some takeaways that are relatable or applicable in the world of cybersecurity governance?16:08 — Are there any unique challenges that a medical school faces compared to the other units? And if so, how do you go about dealing with them?19:34 — Research finds that in general, organizations don't do a very good job of rehearsing their incident response plan, sometimes they don't even have a good plan in place. Brian, as a practitioner, what's feasible and what's ideal?21:36 — Is it fair to assume that institutions are rehearsing how to recover from a ransomware attack?22:20 -- Is this rehearsal of proactively or reactively, responding to ransomware attacks, taking place at only certain levels, and not at all organizational levels?23:48 -- So moving on to cybersecurity governance, best practices, there are several out there, would you like to highlight a few that you are really big on?27:03 -- What's the reality around passwordless authentication?28:58 -- I'd like to give you the opportunity to share some final thoughts with the listeners.Memorable Brian Penders Quotes/Statements"The Navy taught me how to learn, and that was more valuable to me at the time than anything I learned about nuclear engineering.""Incident response is really a great way to learn the environment and build partnerships across an organization.""The Navy taught me how to learn. The way admiral Rickover thought through individuals gaining technical knowledge was really amazing. It was based on if you could not draw and explain something to a group of experts sufficiently, then you are not going to move forward.""If I had 30 seconds with a group, I would tell them to keep their software updated.""We need to get out of the business of the shared secret. Passwordless authentication is the new and up-and-coming defense to credential theft.""We have found that folks from liberal arts and humanities can be extremely valuable to supplement and sometimes lead our cybersecurity teams. I'm generalizing, but they're good problem-solvers. They're able to see the big picture, and they're excellent communicators, all amazing skills."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn:

Clinical psychologist Beatrice Cadet, Scientist Integrator at Netherland's Organization for Applied Scientific Research (TNO), draws upon multiple concepts such as 'learned helplessness' to explain why people still fall for phishing attacks despite the training. Beatrice emphasizes the need to factor in human behavioral traits and motivational triggers when developing social engineering solutions and training. Time Stamps00:49 -- Please share some highlights of your professional journey.03:51 -- From a psychologist's lens, what do the social engineering trends look like? What can we expect in the future?08:13 -- You talked about the need for socio-technical solutions to counter social engineering, and there are a lot of solutions out there. What are some of these solutions?10:17 -- Unfortunately, we are in an environment where we have to be mindful, we have to be careful, and we have to prioritize. Your thoughts?13:20 -- Do you think we'll ever get to that stage where humans don't have to worry about making mistakes; because we have great technologies that will cover us? 16:48 -- We are naturally not inclined to be proactive. Your thoughts?18:56 -- You said, "I want to debunk the emotional aspects of social engineering. We need to be more pragmatic about it. We all fall for it at some point. But how to best avoid it and recover." Expand a little bit about the emotional aspects of social engineering.24:35 -- From a psychologist's standpoint, what are your thoughts on the Zero Trust approach to cybersecurity governance?27:37 -- It is so important that human psychology is taken into consideration by involving subject matter experts, such as yourself when training programs are developed. Would you like to add to that?34:41 -- The more I think about it, it makes sense to have a Zero Trust approach. Your thoughts?37:17 -- I'd like to give you the opportunity to share some final words.Memorable Beatrice Cadet Quotes/Statements"I think deep fakes are here to stay. They are likely to be used (by criminals) more and more.""Social engineering can be approached in two ways -- using psychology, i.e., human manipulation to conduct technical cyber-attacks, and using technologies and technical tricks to manipulate people.""Social engineering is nothing new, and we're still falling for the same old trick.""Technology is being increasingly used to manipulate people even more effectively.""When I think of social solutions, I refer to the awareness that comes with training. ""With so much social engineering going on, we cannot expect everyone to always be at their best and ready to check everything.""If you don't have awareness and mindset, you can do every possible training you want, it won't have the desired effect.""People really need to understand why cybersecurity training is important; if you don't get their buy-in, the training will be ineffective.""It has been shown in cybersecurity research that the reason why sometimes things don't work, or people still fall for phishing, is because they know that no matter what they do, or they think that no matter what they do, they will get scammed anyway.""Beyond being well aware of social engineering campaigns and cybercrime in general, it's also very important to be self-aware, and to know your limits, to know that sometimes you might be overstressed and overwhelmed. And you're not going to be able to make the same type of decision as if you're perfectly healthy and mentally well-balanced.""The only generalization we can make is that there are no generalizations that can be made."

In this episode, Patricia Muoio, Ph.D., Partner at SineWave Ventures and Former Chief of Trusted Systems Research Group, National Security Agency, sheds light on the cybersecurity technology landscape and emphasizes the need to develop technologies that are attack agnostic. Some of the questions driving the discussion include: a) what progress has been made in the development and use of cybersecurity technologies? b) What does it mean to be attack agnostic? c) how near or far are we from taking the burden off people trying to protect themselves from different cyber attacks? and d) the ideal government and industry partnership model to develop innovative solutions. Time Stamps02:34 -- How about sharing with listeners some professional highlights? 04:12 -- I'm really intrigued to learn about your career trajectory, considering that you got your doctorate in philosophy, so was it on the liberal side of things? 05:35 -- What's your assessment of the cybersecurity technology landscape? 08:12 -- During our planning meeting, you said, "we need to be able to develop technologies that are attack agnostic." Please expand on that. 12:50 -- While you're saying that it doesn't matter how the hackers get into your system, wouldn't I want to know how they are conducting the attack to be able to prevent it from happening in the future? 14:54 -- If I'm a developer listening in on this conversation, what should be some focus areas for new technology development? And if I'm a consumer of these technologies, how should I approach cybersecurity governance? 27:23 -- Will there ever come a day when I could be as carefree as possible, and click on anything I want, knowing that there is technology that will not allow the perpetrators to exploit that and do damage? Will we ever get to that world?31:57 -- What is your assessment of the government-industry partnership?38:19 -- Please share some final thoughts and key messages for the listeners. Memorable Pat Muoio Quotes/Statements"I think that many problems like endpoint protection, network segmentation, authentication, encryption are essentially solved. There are technologies that do these kinds of things and do them well.""I think where a lot of the work needs to be done is making these technologies work together and work appropriately for the system in which they are used.""We need to be able to develop technologies that should be attack agnostic.""What it means to be attack agnostic -- you stop attackers from getting in, you stop them from moving around, you stop them from getting out, exfiltrating your data, or encrypting your data, executing their payload in any important way. And the details of how they choose to do them, the shape of the malware they choose to execute simply doesn't matter. What matters is that these actions can be identified in the system and stopped in a more general way.""Users ought to know when less is more.""I think people need to be careful to understand when risks that sound very very different in their effect, are actually the same in their cause, and that their solution space needs to address the causes and not the effects.""As these technologies develop, as people become more comfortable with the notion of self- protecting self-healing systems, we will be able to take some of the burden of the users.""Understand solutions that are based on your system, and not concentrated on what the attack looks like; but what is my system and more importantly, my business workflows, what do they look like, and build solutions that protect them, and not solutions that are based on...

Threat modeling is an intrinsic part of information security governance and needs to be done well. However, research finds that many organizations don't do it well, some are pretty haphazard or chaotic in their approach. In this episode, Marcos Lira, Lead Solutions Engineer at Halo Security, sheds light on how to do threat modeling the right way. The key questions driving the discussion were: a) what is the scope and purpose of threat modeling? b) what have people and organizations been getting wrong about threat modeling? c) what is the right way of doing threat modeling? and d) what is the future of threat modeling? Time Stamps01:45 -- Please share with listeners some highlights of your professional journey.03:52 -- Marcus, please provide listeners with an overview of Threat Modeling. What is it? What is its purpose?08:13 -- Threat Modeling is such an intrinsic part of information security governance, and it is so important that it's done well. However, my research finds that many organizations don't do it well. Some are pretty haphazard or chaotic about it. Some want to focus on a few applications and are hasty about it. Your thoughts?14:06 -- There's a lot of guidance out there. But that can be overwhelming and create confusion regarding the right way to do threat modeling. Can you provide some clarity?22:19 -- As a practitioner, what are your thoughts about the future of threat modeling?24:23 -- Please share your final thoughts and help us wrap up the episode for today.Memorable Marcos Lira Quotes/Statements"You can't make informed decisions about business without threat modeling.""What most organizations get wrong is that they believe threat modeling will slow the business down.""What most people get wrong about threat modeling is that it is time-consuming, cumbersome, and confusing because there are so many methodologies out there.""Threat modeling is a proactive approach. It's going to help the organization decrease costs over time.""The threat modeling manifesto said it best -- the right way of doing threat modeling is by answering four questions: a)what are we currently working on? b) What can go wrong? c) What are we going to do about it? d) And if we did a good enough job?"Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

The Cybersecurity and Infrastructure Security Agency (CISA) recently (Oct 31, 2022) released fact sheets urging all organizations to implement phishing-resistant multi-factor authentication (MFA). In this episode, George Gerchow, Chief Security Officer and Senior Vice President of IT, Sumo Logic, and I have an in-depth discussion on this very important security subject matter. The scope of coverage ranges from providing an overview of MFA and its benefits to discussing the challenges and hurdles of implementing phishing-resistant MFA, recommended implementation approaches, and the future of MFA.Time Stamps01:53 -- Please share with listeners some highlights of your professional journey.02:51 -- Please provide listeners with an overview of what multifactor authentication is.03:52 -- A recently published article on Dark Reading reports that a massive phishing campaign targeting GitHub users convinced at least one developer at Dropbox to enter in their credentials and the two-factor authentication code, leading to the theft of at least 130 software code repositories. Essentially, the perpetrators exploited the multi-factor authentication fatigue. George, your reactions.06:51 -- You said that many organizations don't even have multifactor authentication. That begs the question, why is that the case? Is there a technology aspect to it, a technological complexity of having multifactor authentication integrated into existing legacy systems? Is there a cost aspect to it, is it very expensive? What does your experience tell you?08:30 -- From personal experience, I haven't felt the fatigue. Even if I had to review several times or take that extra step to authenticate, I would because I am paranoid about ensuring that access is very secure. So I have brought about a change in my own mindset. I'm just curious to know if organizations are striving to bring about a change in the multifactor authentication mindset. What are your thoughts?12:23 -- As humans, it is our natural tendency to assume, Oh, it's not going to happen to me. And if it does, we'll deal with it then. And I know that organizations also often have that mindset, some organizations know they will get bailed out. George, what are your thoughts?22:21 -- Would you like to expand on how organizations go about implementing phishing-resistant MFA? What solutions are available out there?25:09 -- George, I read about this FIDO authentication, the FIDO Alliance, where they have developed this protocol to enable phishing-resistant authentication. Can you expand on that? 26:50 -- During our planning meeting, you made a couple of very poignant statements, one of which is, "leaders should create a culture where employees feel they can slow down for the sake of security." Help tie this to our discussion on multifactor authentication.30:44 -- Going back to this multi-factor authentication fatigue, is there really a fatigue? Or is it being hyped up? What's the real story?35:33 -- George, I'd like to give you the opportunity to share some final words, some key messages for the listeners.Memorable George Gerchow Quotes/Statements"Absolute laziness is really what it comes down to in the beginning; I don't want to disrupt my organization by having them go through this extra step.""Development organizations that are heavy with startups, the developers do not want to take that extra step. Sometimes executives are also unwilling to follow through with that extra authentication step -- Do I really have to do this? I know it's a policy, but can't I get around this? And the answer should be flat-out No, under any...

A recent Global SMB Ransomware survey finds that nearly half of small and medium-sized businesses (SMBs) have experienced a ransomware attack, yet the majority aren't sure they are a target, and most are not confident they can fend off such an attack. Since 60% of SMBs are known to go out of business within six months of being hacked, it is a very troubling state of affairs. In this episode, Grayson Milbourne, Security Intelligence Director at OpenText Security Solutions, joins me in discussing the security challenges faced by SMBs and sharing success factors and best practices.Time Stamps02:21 -- Before we get into the details of SMB information security challenges and best practices, let's talk about you a bit. Share with listeners some highlights of your professional journey. 04:19 -- From a cybersecurity risk resiliency and defense standpoint, small and medium-sized businesses (SMBs) are often the most vulnerable and least mature. As one CIO of a midsize bank put it, "many cybercriminals are specifically targeting midsize companies that are in the cybercrime sweet spot. They are big enough to have significant bank accounts, but they often don't use the latest cybersecurity defenses. Also, middle market firms are often the gateway to bigger targets for cyber thieves." Your thoughts and reactions?10:53 -- In a study that my colleague, Mike Benz and I published, we noted that 95% of the surveyed SME IT leaders believe they have an above-average security posture. And so the concern is when you think you are prepared, but actually, you are not, that is a bigger problem. Don't you agree?17:38 -- Grayson, I'd like to go back to the ransomware report, the survey report that your organization published. It's concerning that nearly half of SMBs have experienced a ransomware attack. And yet the majority still don't think or aren't sure they are a target. Why don't you expand on this? 23:57 -- Grayson, what are the top three things that you would recommend SMBs do to protect themselves from, say, ransomware attacks, what would be those top three things?30:43 -- My research finds that time, and again, a lot of planning happens, and a lot of documentation is maintained. But when it comes to execution, that's where organizations fail time and again. Your thoughts?36:05 -- I'd like to give you the floor to wrap things up for us.Memorable Grayson Milbourne Quotes/Statements"What we see in the SMB spaces is that if they encounter ransomware, they don't report it. And they want to sweep it under the rug, move on and pretend it didn't happen. And unfortunately, that has other consequences that come along with it.""One of the biggest things that causes a headache during a ransomware incident is that it's a timed attack. They don't give you a lot of time to pay the ransom before they increase the demand because they know you're going to start scrambling, you're going to start thinking, Okay, what backups do I have in place? If you rehearsed the plan, at least you have a battle card to go to, you have some steps, and you're not scrambling because this is the worst time to be scrambling.""I think one thing that insurance probably doesn't look at is your readiness plan.""It comes down to reacting properly in that critical amount of time when you face one of these types of attacks.""Average downtime can be several weeks. It is right to look at cyber risk as any other risk to your business's continuity.""As your business grows, I think there's tremendous benefit in having an internal security-focused resource.""Ransomware reporting is vastly underreported. People don't want to have that black eye, they don't want to;...

In this episode, Kal Sambhangi, Senior Vice President, Cybersecurity Strategy and Architecture at Truist, shares his vision of the future of cyber governance. According to him, the leadership mindset needs to change whereby they are optimistic and opportunistic about cybersecurity and view developing cybersecurity capabilities as a source of competitive advantage. Kal also emphasized the importance of attracting professionals from other fields. He said, “I think cyber security as a community should start embracing people with other skills. I think there is a lot of opportunity here, for people skilled in software development, program management, product management, and data analytics.”Time Stamps01:28 -- How about providing listeners with some highlights of your professional journey?03:04 -- You said, "the security industry needs to pivot away from getting things done rather than talking about things. This is a problem that does not have a purely technological solution." Can you please expand on this statement? 08:38 -- Based on your experience Kal, having worked in different organizations, currently you're a senior leader in a very large institution, do you feel that steps are being taken to create and sustain a high-performance information security culture? Also, what are your thoughts and perspectives on the ideal CISO reporting structure?16:38 -- I have seen different views of the leadership across different industries and they are not all aligned in terms of seeing cybersecurity as part of their strategic core. What are your thoughts? 34:10 -- I'd like to give you the opportunity of sharing some final words before we call it for for today.Memorable Kal Sambhangi Quotes/Statements"The security industry needs to pivot away from talking about things and why they go wrong into getting things done and fixing things. This is not a problem that has or can have a purely technological solution.""I think the goal of securing a business is a bigger strategic decision rather than a set of technical tasks.""Cybersecurity should not be an afterthought. It should be part of the business model itself, or part of the digital strategy itself.""Cyber leadership should help embed security throughout the company's products, channels, and operations. And to do so, one has to be able to influence fellow senior leaders. It has to be a collaborative effort. If you have to influence fellow senior leaders, then you got to be talking the same language." "It's about how securely we are engaging with our customers, how securely we are running our business. So information security needs to be embedded in the culture.""Cybersecurity could be a competitive advantage.""I think the key is the ability to abstract the technical concepts into messages that would grip senior leaders, both logically and emotionally." "I think cybersecurity needs to move towards the paradigm of product management in terms of delivering cyber capabilities within the organization."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website:

Comprehensive asset discovery is foundational to robust and proactive cybersecurity governance. The Cybersecurity and Infrastructure Security Agency recently issued a directive (BOD 23-01) requiring federal enterprises (civilian executive branch) to perform automated asset discovery every 7 days. Among other things, the directive also requires federal enterprises to initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days. Huxley Barbee, Security Evangelist at runZero and former Cybersecurity Practice Lead at Cisco, discusses the various methods of comprehensive asset discovery and provides guidance in selecting an appropriate asset discovery tool.Time Stamps01:33 -- Please share with the listeners some highlights of your professional journey.03:13 -- Share some stories and anecdotes of the consequences of poorly managed asset inventory.09:37 -- Why didn't organizations engage in comprehensive asset discovery? What were the hurdles, if any? Now that there is a CISA directive, what's the guarantee that organizations will be in a position to follow through with the orders?13:12 -- Let's discuss some solutions, recommendations, and approaches to better managing asset discovery.22:00 -- It seems that the unauthenticated scan is the best approach. Can you please clarify?26:16 -- It is equally important for organizations to report on the actions taken in response to the discoveries. Is there a CISA directive to that effect? Can you shed some light on that, please?33:32 -- Please summarize some of the key takeaways from our chat this morning35:42 -- How about providing listeners with some selection criteria when they're evaluating different products in the market, asset discovery products? What should they be aware of? What are the kinds of questions they should be asking? So it helps them make good selections.Memorable Huxley Barbee Quotes/Statements"The unfortunate reality is that asset inventory is still an unsolved problem for so many organizations. They might have some tooling for dealing with asset discovery, but usually, they end up with spreadsheets.""There is greater recognition, especially from government agencies, of the need for asset discovery.""Asset Inventory isn't just a list of devices that you have on your network. It's also what is on those devices, what services are on those devices, what ports are those devices listening to, and who owns those devices.""There are many hurdles associated with asset inventory management. The one that looms the largest is unmanaged devices, unmanaged assets, that is the achilles heel of any asset inventory program.""Why would the adversary go for a well-managed up to date patched machine when they can just go ahead and attack something that's out of date and unpatched, with numerous exploits that they might be able to download from the Internet.""Unmanaged devices are why customers end up using spreadsheets where the existing tooling just isn't performing as they want. And so they have to end up using spreadsheets instead.""With unauthenticated scanning, you have the best of many worlds, right, you have the ability to go out and find all the assets on the network, even if they're unmanaged. But you don't have the problems of credential spraying. And depending on how the unauthenticated scanner is implemented, you can even talk to OT devices without the fear of crashing, some sort of mission-critical function."Effectively, BOD 2301 is suggesting the use of unauthenticated scans for the asset discovery portion of this particular directive.""A customer...

In a highly engrossing and in-depth discussion, https://www.linkedin.com/in/iamtejpatel/ (Tej Patel, Vice President, and CIO at Stevens Institute of Technology) sheds light on the various information security challenges that plague academic institutions and how best to deal with them. He talks about establishing a highly collaborative and security-centric culture, structuring an ideal CIO-CISO relationship, effective execution strategies, and more. Time Stamps 01:57 Why don't you give listeners an overview of your professional background? 02:57 Let's begin by discussing the information security challenges that academic institutions face. 05:17 So the challenge lies in enabling the university pursue its mission as safely and securely as possible. Is that a fair understanding of the fundamental challenge? 09:09 How do you keep up with all the activities that are going on across campus or at satellite locations if you'll have satellite locations? What's the mechanism in place whereby you would be forewarned, people will feel the need to say, hey, we need to talk to the security office, because this has some serious security implications, and we want to make sure that we are doing it the right way. 13:44 How feasible is it to offer customized guidance to the various operating units at an academic institution? 16:23 What is your vision of an ideal CIO-CISO relationship? 21:40 If you could share an example of how you and your team brought about a change in the security culture at your institution 25:03 What steps do you all take to secure the student population as best as possible? 30:25 People are busy, they have to deal with so many things. So that becomes another chore where you are expected to diligently look through every email and see whether any particular email deserves to be reported. Where are you on this? What's your perspective? 35:25 How should organizations prepare for cyber attacks? And what does it take to execute plans effectively in a sustained manner? 39:49 I'd like to give you the final word. Memorable Tej Patel Quotes/Statements "Cybersecurity is a moving target in higher education." "Cybersecurity is a shared responsibility to provide a protected cyber infrastructure on campus." "Building trust and relationship are so critical; that allows my team and me to have a conversation with our researchers to fully understand what exactly they are trying to achieve." "There are a lot of things that we have changed in our practices to ensure that we instill the culture of cybersecurity in our business from day one." "It's not so much about reporting structures, it's more about how a CISO and CIO can partner together to deliver the message that cybersecurity or security is a strategic value service for any institution or organization." Nowadays, the role of the CISO and the CIO is more geared toward reducing business risk. It's all about risk management. "Organization must spend sufficient time, effort and resources to build a security-centric culture." "It's not so much about reporting structures. It's more about how a CISO and CIO can partner together to deliver the message that cybersecurity or security is a strategic value service for any institution or organization." "The role of CISO and CIO, in my view is more towards reducing the business risk nowadays." "They expect the cybersecurity economy to grow to $10 trillion by 2025." "You have to go back to the basics, do the basics right. Make sure you're transparent, make sure you find good people on your team who are stewards of good security hygiene and do your best efforts daily." "The majority of the breaches happen not through any highly sophisticated cyber attacks. They happen because basic controls are lacking, fundamental training hasn't been provided, unsatisfactory patch management, and more." "We also pay very close attention to finding that balance between user experiences and maintaining the security."...

As more organizations embrace cloud-based services, securely migrating to the cloud is becoming an important capability. https://www.linkedin.com/in/keithaweller/ (Keith Weller), former Vice President, Enterprise Technology Services, American Cancer Society (ACS), spearheaded a highly successful migration initiative where they transitioned a 5000-square-foot donation processing on-premise data center to the cloud. Keith and his team completed the implementation on time (in eight weeks), under budget, and helped the organization realize savings of $18 million in real estate and $2 million in technology costs (projected over three years). In this podcast, Keith shares some highlights of this cloud migration best practice. Time Stamps 00:49 -- Keith, share some highlights of your professional journey. 03:27 -- Provide the listeners with a context for what led the American Cancer Society to consider moving to the cloud. 07:56 -- Based on a discussion that we were having to plan this podcast, you mentioned that you will have to get it done in about three months. Is that correct? 11:03 -- Is there anything else that you would like to share, by way of highlights, when you all were planning the migration and then implementing it? 15:52 -- Talking about the security aspect of the migration, you mentioned following the NIST cybersecurity framework, and complying with the PCI DSS requirements. During our planning meeting, you shared some of the accomplishments under the categories of identify, protect, detect, respond, and recover. Would you like to provide listeners with certain specifics, like what they should be mindful of when they have to undertake such an initiative? 18:04 -- You mentioned the migration vendor. I'm sure listeners might be curious to know how to identify such a vendor. And what factors go into the selection process? And how valuable did you find their service? 20:59 -- For this particular migration initiative, you all decided to go with Microsoft Azure. I assume that is because American Cancer Society was heavily invested in the Microsoft platform, and it made logical sense to stay with the same ecosystem to reduce application dependency-related challenges. Is that what your advice will be for organizations looking to identify a suitable cloud service provider? How should they go about the cloud vendor selection process? 23:15 -- Keith, what is your thought on the challenges that I gleaned from the State of the Cloud report? Do you agree with them? 28:25 -- I think that maybe the SLAs should be written up in a manner and a fashion whereby there should be more joint responsibility and joint accountability. The service provider and client should work as a team to ensure the data is safe, and secure, and there's a constant review to ensure the security level and posture are being maintained. What are your thoughts? 31:57 -- Anything in particular that you want to touch upon in the context of the phased migration effort? 37:47 -- So Keith, I'd like to give you the opportunity to say a few final words before we close our discussion for today. Memorable Keith Weller Quotes/Statements "Being in the cloud actually makes it a lot easier to govern your security, have better visibility of your assets, and make quicker security improvements." "If you're trying to do very challenging, time-constrained work, having everyone engaged and bought into the process is very important. And having a clear vision and goals is also important." "It would be nice if the three big cloud providers were more engaged as a team, securing data and helping make sure that they partner with their customers to ensure that's done right." "And it's not just infrastructure people, it's not just security people, but it's also important for Development and QA to understand those core principles of security." "Every dollar that's spent on operational costs is a dollar taken away from cancer research or services."...

Insider threats are often considered the biggest risk for organizations because they can cause the most destruction. Survey reports, and studies, have found that organizations have spent millions of dollars to recover from insider threat attacks. Proactively detecting and thwarting such threats is a critical aspect of robust information security governance. https://www.linkedin.com/in/doron-hendler-63135/ (Doron Hendler, CEO, and Co-Founder at RevealSecurit)y, sheds light on a context-based detection model that analyzes activity sequences performed when using an application. According to Doron, this User Journey Analytics method is a ubiquitous detection model that can be applied to any SaaS and custom-built application. Since no rules are required, it eliminates the need to fully understand the application business logic. Time Stamps 01:23 First, let's talk about your professional journey before we get into the details of insider threats, detection challenges, and solutions. 03:27 Doron, would you like to add to the reasons why we are having this discussion? 07:29 So, Doron, going back to monitoring using technology, share with the listeners what was the traditional method, what were some of the weaknesses of the traditional method, and what you and your company are offering by way of your platform. 12:23 So given this move to these more advanced, more sophisticated solutions, for folks who are listening in on this conversation, CISOs of companies who have the authority to make purchasing decisions, how do they go about evaluating the different products out there? What should they be looking for in terms of what would work best for their context for their environment? Any advice? Any suggestions? 14:34 What could be possible shortcomings of the user journey analytics approach? 17:26 If a company was going to adopt this (User Journey Analytics) technology platform, what kind of changes does it require? From a change management standpoint, what should an organization be prepared for? 19:13 When the user journey is different from the normal user journey, let's say abnormal user journeys are detected, how does the alert system work? Who is alerted? And is there a way of capturing or documenting whether organizations respond to those alerts? 21:57 How do you convince a potential buyer or potential customer to adopt this new technology solution? What does it take to convince them? What have you experienced when you have engaged with prospective customers? What are their concerns when they're evaluating such platforms? 24:53 I'd like to give you the opportunity to wrap it up for us with some final thoughts and advice. Memorable Doron Hendler Quotes/Statements "The highest risk in today's organizations, in our digital transformation, is our identities." "If you cannot trust anyone, you have to monitor, you have to track, and you have to learn how to do this quickly, accurately, and automatically." "Today's solution around detections, which are based on rules, basically provide very, very limited, ineffective detection, in the application layer." "Accuracy comes with context, if you understand the context, you will have much better accuracy." "This technology will offer a solution which is frictionless, that doesn't require major (organizational) changes or any changes." Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ (https://www.linkedin.com/in/dchatte/ ) Website: https://dchatte.com/ (https://dchatte.com/) Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338...