The Virtual CISO Podcast

The Virtual CISO Podcast is a frank discussion that provides the very best information security advice and insights for Security, IT and Business leaders. If you’re looking for the latest strategies, tips, and trends from seasoned information security practitioners, want no-B.S. answers to your biggest security questions, need a perspective on how your peers are addressing the same issues, or just simply want to stay informed and proactive, welcome to the show.

Our moderator, John Verry, chats with industry thought leaders to ensure you have what you need to be confident in your security and compliance. John will keep you informed, and perhaps even mildly entertained, through topics like ISO 27001, breach avoidance, incident response, dealing with pesky security questionnaires, data privacy, and managing vendor risk.

Think of it as security… with a smile.

Pivot Point Security


    • Jan 17, 2023 LATEST EPISODE
    • every other week NEW EPISODES
    • 46m AVG DURATION
    • 110 EPISODES


    Latest episodes from The Virtual CISO Podcast

    Ep 109: Understanding How Cybercriminals Operate Can Protect Your Business

    Jan 17, 2023 | 45:38 | Transcription Available

    In today's cyber landscape, business leaders and security professionals need every edge they can gain to better protect their organizations and plan their defense against attackers. Why do hackers do what they do? What are they trying to steal from you? Who do they partner with to make money and avoid getting caught? In this episode, host John Verry, CISO and Managing Partner at Pivot Point Security, sits down with Raveed Laeb, Vice President of Product for KELA, who explains cybercrime business models, supply chains, and operational strategies.

    Join us as we discuss:
    • How understanding your financially motivated adversaries can directly benefit your cybersecurity posture, incident response, and executive decision-making
    • “Business models” and “supply chains” that hackers use to monetize your assets (which can be a lot more than just your data)
    • What you need to hear to dispel any lingering notion that your org has nothing hackers want
    • How and why bad actors are increasingly specializing based on skill sets, and where and how they choose their business partners
    • How forward-looking businesses are using cyber threat intelligence (CTI) to reduce cyber risk

    To hear this episode, and many more like it, we would encourage you to follow the Virtual CISO Podcast here. You can find all our full length and short form video episodes on our YouTube here. To stay up to date with the newest podcast releases, follow us on LinkedIn here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Ep 108: Understanding the Legalities Around CUI

    Jan 3, 2023 | 51:04 | Transcription Available

    Orgs in the DIB need to protect CUI in alignment with the NIST 800-171 cybersecurity standard—and soon the Cybersecurity Maturity Model Certification (CMMC) requirements—or face legal and compliance penalties as well as potential lost business. To clarify the biggest questions and reveal the most dangerous unknowns in the convoluted realm of CUI, your host John Verry, Pivot Point Security CISO and Managing Partner, sits down with Stephanie Siegmann, Partner and Chair at Hinckley Allen, to share her knowledge on the subject.

    Join us as we discuss:
    • The difference between CUI Basic and CUI Specified
    • Criminal penalties for “export controlled” CUI violations that will probably shock you
    • Sound advice on handling data subject to ITAR, NOFORN and other regulations
    • How to get your CUI questions answered—and what to do if you're still not sure
    • The US Department of Justice Civil Cyber-Fraud Initiative, the False Claims Act, and why you don't want to fire the whistleblower

    To hear this episode, and many more like it, we would encourage you to subscribe to The Virtual CISO Podcast here. You can find all our full length and short form episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Ep 107: An AWS Security Guru's Recommendation for Securing your AWS Infrastructure

    Dec 20, 2022 | 47:56 | Transcription Available

    Over 90% of security breaches in the public cloud stem from user error, not from the cloud service provider. In this episode, your host John Verry sits down with Temi Adebambo, Head of Security Solutions Architecture at Amazon Web Services (AWS), to explain exactly what's going wrong with public cloud security, how users can eliminate their biggest risks, and much more.

    Join us as we discuss:
    • The 2 mistakes public cloud users make that cause the most security breaches
    • How using “higher-level” services can reduce your security burden
    • Ideas for baking security into your DevOps pipeline
    • The critical importance of “guardrails” for your team and how to implement them
    • The top AWS security tools all users should leverage

    To hear this episode, and many more like it, we would encourage you to subscribe to The Virtual CISO Podcast here. You can find all our full length and short form episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.
    https://www.pivotpointsecurity.com/

    Ep 106: Strategies to Manage Cybersecurity through an Economic Downturn

    Dec 13, 2022 | 23:49 | Transcription Available

    Managing cybersecurity through an economic downturn is no easy task. With increasing concerns about how to stay secure and compliant in a down economy, John Verry tackles this podcast himself, giving you his ten best fundamental practices. This episode features your host John Verry, CISO & Managing Partner at Pivot Point Security, who provides answers and explanations to a variety of questions regarding how to stay compliant and secure, and how to budget, in a down economy.

    Join us as we discuss:
    • How to be strategic in a down economy
    • How to leverage automation
    • How to get more from your vendors
    • Which security investments to maintain and which to eliminate

    To hear this episode, and many more like it, we would encourage you to subscribe to The Virtual CISO Podcast here. You can find all our full length and short form episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Ep 105: Solving the Problems of Cloud Native Apps

    Nov 29, 2022 | 34:54 | Transcription Available

    Building cloud native applications can bring about many operational and security problems. In this episode, we sat down with an expert in this field to talk about building cloud native applications and deploying applications that are secure in the cloud. This episode features Fausto Lendeborg, Co-Founder & CCO at Secberus, who provides answers and explanations to a variety of questions regarding building applications in the cloud, deploying applications securely in the cloud, and much more.

    Join us as we discuss:
    • Building cloud native applications
    • Deploying applications securely
    • Managing a cloud
    • Security, compliance, and governance
    • DevOps

    To hear this episode, and many more like it, we would encourage you to subscribe to The Virtual CISO Podcast here. You can find all our full length and short form episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.
    https://www.pivotpointsecurity.com/

    Is Digital Business Risk Mgt. the Future of ASM?

    Nov 15, 2022 | 46:13 | Transcription Available

    Digital Business Risk Management helps companies track and disrupt the most advanced bad actors. Team Cymru specializes in Digital Business Risk Management and Attack Surface Management, giving clients insight and help relating to cyber threats. This episode features David Monnier, Chief Evangelist and Team Cymru Fellow at Team Cymru, who provides answers and explanations to a variety of questions regarding business risk management, ASM (attack surface management), and much more.

    Join us as we discuss:
    • Attack surface management
    • Digital business risk management
    • Electronic assets
    • Data breaches and exposures
    • Discovering malevolent infrastructure

    To hear this episode, and many more like it, we would encourage you to subscribe to The Virtual CISO Podcast here. You can find all our full length and short form episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Ep 103: The Complexity of Deploying a Secure Application in the Cloud

    Nov 1, 2022 | 50:29 | Transcription Available

    Governance, Risk, and Compliance (GRC) platforms can be tricky to construct. In this episode, we sat down with an expert in this field to talk about building and deploying secure applications in the cloud. This episode features Jeff Schlauder, Information Security Executive at Catalina Worldwide, who provides answers and explanations to a variety of questions regarding deploying applications securely in the cloud, using AWS (Amazon Web Services), and much more.

    Join us as we discuss:
    • Building and deploying secure applications in the cloud
    • The logistics of web applications
    • Building, operating, and maintaining secure cloud applications
    • Containerized vs. non-containerized applications
    • How to keep deployed applications secure

    To hear this episode, and many more like it, we would encourage you to subscribe to The Virtual CISO Podcast here. You can find all our full length and short form episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Ep 102: The Intersection of Privacy and Security

    Oct 25, 2022 | 38:54 | Transcription Available

    You cannot have privacy without security. While they once existed quite distinct from one another, they are now so delicately woven together that they are nearly indistinguishable. Over time, the GDPR has cemented the relationship between physical security and information security, and now it's incorporating data privacy. This compliance triad has become the new normal for businesses everywhere, but what does it mean? Rosemary Martorana, Chief Privacy Officer at Corning, joined me to discuss the blurring line between privacy and security and why compliance may be more approachable than you thought. A critical key to fostering a compliant security culture and enabling compliance is transparency.

    Transparency does a few things for your business and security:
    • Increases trust
    • Decreases DSRs
    • Limits phishing attempts
    • Decreases the likelihood of breaches

    Follow the link below or find The Virtual CISO Podcast on your favorite streaming service to learn more about what compliance, information security, and data protection mean for your business.

    Ep 101: Most Asked CMMC Questions

    Oct 14, 2022 | 47:11

    CMMC (Cybersecurity Maturity Model Certification) can raise many red flags and concerns. As CMMC rulemaking approaches in 2023, we take a break from our normal podcast and answer the most asked CMMC questions to date to help ease the unknown. This episode features George Perezdiaz, FedRisk Practice Lead at Pivot Point Security, who provides answers and explanations to a variety of questions we have received regarding CMMC. George is extremely knowledgeable on CMMC topics and is one of the top industry experts on the subject. During this episode, he helps answer our top 20 most asked questions regarding dates for rulemaking, achieving compliance for the DIB (Defense Industrial Base), the cost to become CMMC certified, and much more, hopefully providing a path for those who need it.

    Join us as we discuss:
    • When CMMC v2 will become effective
    • Who needs to be CMMC certified
    • Whether a small business can affordably achieve CMMC compliance
    • CMMC Level 2 and 3 requirements
    • And much more!

    To hear this episode, and many more like it, we would encourage you to subscribe to The Virtual CISO Podcast here. You can find all our full length and short form episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Ep 100: The Two Audiences For Privacy & How They Drive Data Collection

    Sep 13, 2022 | 36:42 | Transcription Available

    This marks our 100th episode of The Virtual CISO Podcast and an insightful journey of frank discussions with thought leaders who provide the very best information security advice and insights. I am happy to have invited Dimitri Sirota, CEO & Co-Founder of BigID, to walk through BigID's approach to privacy, security, and data governance on this momentous occasion.

    Join us as we discuss:
    • The merits of gathering data beyond the usual locations
    • Why discovery is a foundational piece of BigID's approach
    • How BigID supports efficient data collection

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Unpacking Critical Elements of Supply Chain Risk Management

    Aug 30, 2022 | 46:10 | Transcription Available

    Supply chain risk management can prove to be a slippery slope—why should you take pains to conduct a proper risk assessment, and how do they impact IT and business continuity? From international restrictions to balancing generic and specific risk assessments, any guidance is welcome in the world of supply chain management. I invited Willy Fabritius, Global Head of Strategy & Business Development, Information Security Assurance at SGS, onto the show to provide insights into supply chain risk management, including definitions, best practices, and where to turn for guidance.

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Breaking Down the Latest in Software Security Standards & the Impact on SaaS Businesses

    Aug 16, 2022 | 37:44 | Transcription Available

    What are the merits of the Software Assurance Maturity Model (SAMM), and how does it differ from the Application Security Verification Standard (ASVS)? And why should you care? From design to operations, there are several crucial considerations to hold regarding business functions and use cases. I invited Taylor Smith, Application Penetration Testing Lead at Pivot Point Security, onto the show to provide insights into SAMM, including definitions, the differences between SAMM, ASVS, and BSIMM, and how these models are relevant in today's software development environment.

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    What You Need to Know about APIs and API Security

    Aug 9, 2022 | 43:34 | Transcription Available

    Application development is moving from a web-centric world to an API-centric world. If you're wondering what that looks like, what the security implications are, and what an API is, you're in the right place. There is no shortage of new application security strategies to familiarize ourselves with as cybersecurity adapts to changing times. That's why I invited Rob Dickinson, CTO at Resurface Labs, to explain APIs, continuous API operation observability, and prevalent challenges in the API economy.

    Join us as we discuss:
    • Moving from a web-centric to an API-centric world
    • The value of observing API operation in production environments
    • Tackling security issues in the API economy

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    How to Measure the Value of Information Security

    Aug 2, 2022 | 30:13 | Transcription Available

    Most people recognize the value-preservation role of cybersecurity. But forward-thinking professionals also see the value creation in having a secure information posture. Cybersecurity is the foundation of preserving sensitive data and providing peace of mind, but does it create value for the organization, and if so, how do we measure that value? Tracking the return on investment in cybersecurity can be challenging. Much like auto insurance, you gain the most obvious value when something goes wrong—however, that doesn't mean insurance isn't valuable during smooth sailing. I invited James Fair, Senior VP at Executech, to discuss the value of compliance, measuring ROSI (Return on Security Investment), and budgetary considerations in cybersecurity.

    Join us as we discuss:
    • The value of cybersecurity vs. the costs of a breach
    • Convoluted cybersecurity budgets and industry averages
    • How compliance supports value preservation and value creation

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Understanding NIST's Secure Software Development Framework

    Jul 26, 2022 | 45:54 | Transcription Available

    What exactly is a Software Development Life Cycle, and how does NIST's Secure Software Development Framework impact that cycle and your organization? Of note, the SSDF will definitely impact you if your software is used by the US Government, and will likely impact you even if it isn't. There are a few choice practices that can help make sense of these two critical processes and provide the highest chance for success. I invited Elzar Camper, Director of Cyber Security Solutions & Practices at Pivot Point Security, onto the show to unpack SDLCs and the SSDF and lay out the shifting landscape of government regulations and software development.

    Join us as we discuss:
    • Defining SDLCs and the SSDF
    • Four core best practices in cybersecurity
    • Assessing existing procedures and adapting to the SSDF
    • How you can use the SSDF to your advantage

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    US Gov. Cybersecurity Roadmap: Where It Came From and Where Is It Going?

    Jul 19, 2022 | 58:09 | Transcription Available

    Today, information is worth more than riches. The new currency is data. With this being true, the state of cybersecurity within the upper branches of the government was shockingly under-prepared. In this episode, I speak with Mark Montgomery, the former Executive Director of the Cyberspace Solarium Commission, about the report the commission published in March 2020 and how that document has influenced the US Government's roadmap to improve cybersecurity, prevent cyber attacks, and protect the nation's data.

    Join us as we discuss:
    • Critical steps forward for cybersecurity
    • Six pillars of importance in federal circles
    • Challenges in the cybersecurity workforce

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Confronting the Wild West of Database Security

    Jul 12, 2022 | 47:04 | Transcription Available

    Don't wait for an emergency; secure your database correctly right out of the gate. Think of everything outside of your database as the wild west. What can you do to create the most controlled environment possible for all of your most sensitive data? I invited Robert Buda, President of Buda Consulting, Inc., and an expert in database technology, onto the show to help us learn the value of database security and what you can do today to improve your security measures.

    Join us as we discuss:
    • Why database security is undervalued
    • Critical risks to be aware of regarding your database
    • Avoiding a false sense of security with the cloud
    • Ensuring your database is as secure as possible

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Bridging the Gap Between Cybersecurity and the Business World

    Jun 28, 2022 | 46:04 | Transcription Available

    Ron Gula, President and Co-Founder of Gula Tech Adventures, has a very specific goal: to defend the country in cyberspace by investing in companies and nonprofits that help close the gap in technology and the workforce. He also knows that in order to successfully achieve this goal, organizations must understand the basics of data protection. Today, Ron joins the show to talk about the mindset shift that can start in the information security disciplines through communication.

    Join us as we also discuss:
    • The importance of asking the right questions of business owners
    • Building a trusted ecosystem within the information security disciplines
    • Creating a measure of security to determine the safety of your company's data
    • The small business IT shops defining corporate America

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Legal and Infosec Strategies to Deal with Exploding Cyber Liability Insurance Premiums

    Jun 21, 2022 | 36:58 | Transcription Available

    There's no denying that cybersecurity risks in the workplace have increased exponentially in recent years. From the pandemic causing employees to work from home to Russia's invasion of Ukraine, organizations are more vulnerable than ever. That's why it's crucial to understand how best to protect yourself and your business. In this episode, Eric Jesse, Partner at Lowenstein Sandler LLP, joins the show to give an attorney's perspective on the importance of cyber liability insurance. Eric talks about protecting your company as a policyholder in today's new landscape.

    Join us as we discuss:
    • Why companies should have their cyber liability insurance policies reviewed by knowledgeable attorneys
    • Strategies for improving your security posture to reduce premiums
    • How best to ensure your cyber liability insurance dovetails with other insurance policies so you are covered across all types of cyber incidents

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Important Clarifications on CMMC v2 from CMMC Day May 9, 2022

    Jun 14, 2022 | 16:49 | Transcription Available

    To invest in CMMC or not to invest in CMMC, that is the question. CMMC (Cybersecurity Maturity Model Certification) is a lofty yet necessary investment for the Defense Industrial Base. With all signs pointing to May 2023 for when we can expect CMMC to be included in contracts, anyone who is considering CMMC should start sooner rather than later, as implementing any comprehensive cybersecurity program could take a company 9 to 12 months. In this episode, our host John Verry recaps his most important takeaways from the recent CMMC Day conference held in Washington DC on May 9, 2022.

    Join us as we discuss:
    • CMMC Level 2 and 3 requirements
    • CMMC's three-year certification process
    • The False Claims Act and the impact CMMC will have on the review process by the Justice Department
    • Differing opinions of CMMC from conference attendees and CMMC experts

    The Past, Present and Future of Cybersecurity From the Viewpoint of a Venture Capitalist

    Jun 7, 2022 | 50:58 | Transcription Available

    Alberto Yepez joins the show to share his perspective as a venture capitalist working to help entrepreneurs build cybersecurity businesses. He started his wildly successful career at Apple and is now the Co-Founder and Managing Director at ForgePoint Capital.

    Join us as we discuss:
    • Information security challenges from the 2000s that we still face today
    • Alberto's experience working at Apple
    • Criteria that make investing in a company worthwhile
    • Three models of private equity

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Understanding Attack Surface Management and How It Applies to Your Cyber Security Strategy

    May 24, 2022 | 36:29 | Transcription Available

    We've spent the last two and a half years with rapidly rising cloud adoption. It was a rocket ship before that, but the COVID-19 pandemic has only accelerated it and caused everybody to scramble. We're still trying to play catch-up and get equivalent security treatments for people working remotely as for the folks working in the office. Every client has concerns about their current exposure, which is why our guest on this episode of The Virtual CISO Podcast is so important. Michelangelo Sidagni is the Chief Technology Officer at NopSec, and he joined this episode to talk to us about:
    • Why his firm is all in on Attack Surface Management, and how it's different from your standard vulnerability management
    • How ASM fits into current vulnerability and configuration management strategies
    • Attack Path Analysis: what it is and what it isn't
    • The NopSec client customer journey

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    The Convergence of Physical & Cyber Security and the Impact to Cyber Security Professionals

    May 17, 2022 | 25:26 | Transcription Available

    As technology advances, there will always be new threats from malicious actors seeking to exploit these advancements — whether in the digital realm or the physical one. With technologies increasingly blurring the lines between the two, today's security professionals must adapt as the sectors of physical security and cybersecurity converge into one. Today's guest, Chris Ciabarra, Co-Founder and CTO of Athena Security, is one of the physical security experts leading the charge on this front, and he joins the show to share his insights into the inevitable security convergence in our future.

    Join us as we discuss:
    • Why the lines between physical security and cybersecurity are increasingly blurred
    • The technologies Athena Security is advancing in the physical security domain
    • How Athena accidentally made a COVID-19 detector

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    What CMMC 2 Guidance Means for Managed Service Providers (MSPs)

    May 10, 2022 | 49:00 | Transcription Available

    As the implementation of CMMC by the DIB picks up pace, the frequently shifting requirements can be daunting — especially when the guidance is already so complex. And that's doubly true for managed service providers (MSPs), who have to contend with some of the most confusing CUI requirements. In today's episode, making his 3rd guest appearance, I'm joined by Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security, who is here to clear up the confusion and share his insights into how the rollout of CMMC into the DIB impacts MSPs.

    Join us as we discuss the current state of CUI for MSPs in the DIB, including:
    • The controls MSPs have responsibility for in a client's environment
    • The controls clients have responsibility for in their own environment
    • The controls MSPs have to implement in their own environment to meet DFARS flow-down requirements

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    8 Ingredients for Baking Inclusivity into Your Culture

    May 3, 2022 | 48:40 | Transcription Available

    Inclusivity and diversity aren't just about who you hire — they're about the culture you create. Sure, you can get talent from all walks of life, but if you haven't built an inclusive culture… well, good luck getting them to stick around. Today, I'm speaking with Deidre Diamond, Founder and CEO at CyberSN, who shares her 8-step framework for creating an inclusive culture in your organization.

    Join us as we discuss each step and its importance, including:
    • The need for emotionally intelligent managers
    • The power of positivity
    • The art of win-win communication

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Becoming More Efficient w/ a Cloud-Native Approach

    Apr 19, 2022 | 38:49 | Transcription Available

    What if you could be proactive in your approach to cloud data security, rather than reactive once an attack has already happened? This is exactly the solution our guest is providing at Panther Labs. We speak with Jack Naglieri, Founder & CEO, about the cloud-native approach and exactly why SIEMs are getting left behind.

    Join us as we discuss:
    • Developing Panther and taking a different, cloud-native approach
    • Understanding Snowflake and data lakes
    • Creating a proactive security response rather than a reactive one
    • Interesting findings from the State of SIEM

    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Use the CSA Cloud Controls to Maximize Your Security & Reduce Your Risk of Breach

    Apr 5, 2022 · 47:24 · Transcription available

    Even before the pandemic, the majority of businesses were already moving to the cloud. Now, it seems you can't do business without it, which means cloud security and compliance are more important than ever. That's why I'm speaking to one of the authorities on cloud security, John DiMaria, Assurance Investigatory Fellow at Cloud Security Alliance, in today's episode — to demystify cloud security. Join us as we discuss:
    - How CSA's STAR program can help you strengthen your cloud security
    - The biggest vulnerabilities organizations face when operating in the cloud
    - How landing on CSA's CCM registry can give your organization more visibility
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Ongoing Challenges in CMMC

    Mar 29, 2022 · 61:50 · Transcription available

    CMMC has come a long way in recent years… But organizations still face plenty of challenges navigating the guidance. What are the biggest hurdles and how can we reduce the confusion? To answer these questions, I'm joined by Kyle Lai, Founder and CISO of KLC Consulting, and Caleb Leidy, the CUI Protection and CMMC Consultant at Pivot Point Security. Join us as we discuss:
    - Why CMMC scoping continues to confuse organizations
    - How to accurately mark CUI
    - Contracts passing the buck and the costs associated with compliance
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Is Open Source the Future of Endpoint Security?

    Mar 22, 2022 · 39:21 · Transcription available

    Open source is a transparency issue. Being able to see what code is running on your computer — as well as what's being monitored — gives you practically SaaS-level visibility across data, apps, and usage. In this episode, former open source developer Mike McNeil, CEO at Fleet Device Management, an open source company, talks with me about why open source is so imperative. Join us as we discuss:
    - The business impact of open source
    - Why open source grants such necessary visibility
    - How the open source community removes friction
    - Vulnerability management and automation
    - What's next for Mike and Fleet
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Links: Mike McNeil, CEO at Fleet Device Management. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    The AWS Approach to Provable Security

    Mar 15, 2022 · 46:39 · Transcription available

    Traditionally, companies have relied on the promises of vendors when it comes to reaffirming their security stance. LimaCharlie, however, takes a far more radical approach: provable security. How are they doing it? In this episode, Maxime Lamothe-Brassard, LimaCharlie's founder, explains the “AWS approach” the company employs for cybersecurity and how being born in the cloud provides infinite scalability and enables them to deploy a wide range of security capabilities. Join us as we discuss:
    - Moving past promise-based security positions to knowable security
    - The extra level of control and breadth of security you receive with LimaCharlie
    - How infinite scalability enables support of both security and compliance
    - Doubling down on low-code approaches and integrations
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    What Does the New ISO 27002 Update Mean for You?

    Mar 1, 2022 · 53:30 · Transcription available

    After years of waiting, the updated ISO 27002 is finally here. What does that mean for your business? Luckily, the transition should be pretty seamless… But if you're worried, have no fear, because in today's episode I'm joined by Danny Manimbo and Ryan Mackie, Company Principals at Schellman, who helped design the new standard. Join us as we discuss:
    - What's new with ISO 27002
    - What has stayed the same
    - The reasoning behind the update to the standard
    - The grace period for getting certified
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    CMMC 2.0 & Continuous Compliance w/ Andrea Willis

    Feb 15, 2022 · 59:13 · Transcription available

    If you look around at what's happening in the world of cybersecurity, you'll notice one thing: security never stops… Which means neither should compliance. That's why I invited Andrea Willis, Senior Product Manager at Exostar and an expert in continuous compliance, onto the show to help you figure out how to stay compliant. Join us as we discuss:
    - The importance of continuous compliance
    - How CMMC 2.0 and continuous compliance interact
    - How cybersecurity is like the immune system of your organization
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    8 Information Security Predictions for 2022

    Feb 4, 2022 · 19:48 · Transcription available


    We've had another bumpy year in 2021. So, what's coming down the pike in 2022? And what impact will the ongoing information security challenges of today have on the world of tomorrow? In this episode, I answer those questions and more. Plus, I will assume the role of Nostradamus and make 8 information security predictions for 2022. To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Government Security Guidance: How We Got Here

    Jan 28, 2022 · 23:13 · Transcription available

    NIST, ISO, CMMC… If you're beholden to government security guidance — and let's face it, if you're a company operating in the US, you very likely are — the list can be overwhelming at first. So, it helps to look back on where we've been and how we got where we are today. In this solo episode, our host John Verry does exactly that — and hopefully shines a light on what the guidance means and why you should care. To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    How Hardware Hackers Exploit IoT Vulnerabilities w/ Joe Grand

    Dec 16, 2021 · 60:11 · Transcription available

    You've probably heard the hype: IoT is the next frontier in the information revolution that promises to make all our lives easier… And that's doubly true for hackers. In this episode, I'm joined by Joe Grand, also known as Kingpin, a computer engineer, hardware hacker, product designer, teacher, advisor, daddy, honorary doctor, TV host, member of legendary hacker group L0pht Heavy Industries, proprietor of Grand Idea Studio (www.grandideastudio.com), and partner in offspec.io, a cryptocurrency wallet recovery service. He has been creating, exploring, and manipulating electronic systems since the 1980s and is here to take a look at the vulnerabilities hackers exploit in IoT (and how you can defend against them). Join us as we discuss:
    - Why, despite what many believe, hardware is no less vulnerable than software
    - The common vulnerabilities in IoT devices and what you can do about them
    - How security standards factor into IoT security
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Bridging the Gap Between Security & Development Teams w/ Harshil Parikh

    Dec 9, 2021 · 49:14 · Transcription available

    There is an age-old conflict between security and development teams. Development teams are focused on time-to-market and packing features into the product. Security teams are often seen as speed bumps on the way to achieving those goals. How can we bridge the gap between the two? According to Harshil Parikh, CEO at Tromzo, new methodologies are presenting an incredible opportunity for security teams to get involved in the development process in a much more effective way. Plus, there's some exciting new software that is solving this challenge in interesting ways. In this episode, we discuss:
    - Opportunities presented by agile development methodologies and DevSecOps
    - The root of the conflict between security and development
    - How to close the gaps between the two teams
    - How Tromzo is solving the challenge through software
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Why Cloud Is More Secure Than Your Average On-Prem Solution w/ Mark Richman

    Dec 2, 2021 · 41:15 · Transcription available

    What's more secure? A cloud-based or on-prem document management system? It's a question that gets asked a lot in our industry. So, I invited Mark Richman, Principal Product Manager at iManage, on to the show for a wide-ranging discussion on the topic. In this episode, we discuss:
    - Why a SaaS-based document management system is more secure than on-prem
    - Implementing compensating controls to mitigate potential damages
    - iManage's customer-managed encryption keys and threat manager
    - What a cloud provider should be doing from a security perspective
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    How Configuration Management Makes Security Simple w/ Brian Hajost

    Nov 23, 2021 · 39:20 · Transcription available

    Configuration management is the best-kept secret in security. Not only will it save time and money, it also helps you marry compliance and security — something we all need to get used to. The question is: Why isn't everyone using it? Today's guest, Brian Hajost, Founder and COO at SteelCloud, joins me on the show to give some compelling reasons why you should. In this episode, we discuss:
    - What configuration management is
    - How it saves you time and effort
    - How it saves you money
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    CMMC 2.0 is Here! Find Out What It Really Means for DIB and Non-DIB USG

    Nov 12, 2021 · 41:42 · Transcription available

    The US Department of Defense (DoD) has just announced CMMC 2.0, a new strategic direction for its cybersecurity program based on public comment and internal assessment. So what does it all mean? Many sources say that CMMC 2.0 is about "less requirements" — but it's really much more about changing how the DoD will hold defense contractors accountable to the NIST SP 800-171 requirements that have been in place all along. We're speaking to two of our best security consultants from right here within our ranks at Pivot Point Security: George Perezdiaz, CMMC/NIST Security Consultant, and Caleb Leidy, CMMC Consultant/Provisional Assessor. In this episode, we discuss:
    - What's new and what's not with CMMC Level 1 (for securing FCI) and what is now called CMMC Level 2 (for securing CUI)
    - The overall realignment of the US government's cybersecurity audit program with NIST 800-171
    - "Bifurcation" and who will and won't need a third-party audit if you handle CUI
    - How CMMC 2.0's new accountability process fits with the recent cybersecurity executive order, the Civil Cyber-Fraud Initiative, the False Claims Act, and upcoming rule changes to 32 CFR and 48 CFR
    - Why "letters of affirmation" are a boon to SMB security and IT leaders compared to the threat of a third-party audit
    Mentioned during the podcast: eCFR (Electronic Code of Federal Regulations)
    To hear this episode and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    How Simply Cyber Helps People Pivot to a Cybersecurity Career w/ Gerald Auger

    Nov 10, 2021 · 44:34 · Transcription available

    A lot of people want to break into cybersecurity. And why not? Where else can you have a blast, work with really smart people, earn a great living, have awesome job security, and do something truly impactful for the company you work for? However, it can be a particularly difficult industry to break into, especially if you don't have the financial resources to pursue the education necessary to get hired. Gerald Auger, Chief Content Creator at Simply Cyber, noticed this gap between the haves and the have-nots, and he's been working hard to create a pool of resources that are accessible to anyone, anywhere, for free. In this episode, we discuss:
    - Giving people access to a free cybersecurity education
    - The catch-22 of listing entry-level jobs that require 2-3 years of experience
    - Which cybersecurity roles serve as the best entry points into the industry
    - Where Simply Cyber will go over the next few years
    Mentioned during the podcast:
    - Cybersecurity Career Master Plan
    - Simply Cyber YouTube Channel
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Can You Benefit from Attack Surface Management? w/ Steve Ginty

    Oct 29, 2021 · 51:36 · Transcription available

    In a world where new vulnerabilities appear seemingly every minute, threat intelligence is more important than ever. And one of the most intriguing approaches to threat intelligence is attack surface management. To explain the ins and outs of attack surface management, I invited Steve Ginty, Director, Threat Intelligence at RiskIQ, onto the show. He shares the work RiskIQ is doing in the field and how it could benefit your organization. In this episode, we discuss:
    - What attack surface management is and how RiskIQ can help
    - How RiskIQ can let you respond faster when new vulnerabilities arise
    - The importance of gaining visibility into not just your own attack surfaces, but those of your vendors
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Why Continuous Compliance Matters More than Ever w/ Mosi Platt

    Oct 21, 2021 · 64:53 · Transcription available

    As public trust in technology erodes — for the first time — it's clear that we need to reevaluate our approaches to security and compliance. The way we've been doing it is no longer working… But continuous compliance might. Today's guest, Mosi Platt, Senior Security Governance, Risk, Compliance & Assurance Partner at Netflix, joins the show to explain why. In this episode, we discuss:
    - The benefits of continuous compliance and what you need to know to implement it
    - The role continuous compliance can play in regaining trust
    - How continuous compliance factors into auditing
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    How HIPAA-Compliant Email is Revolutionizing Healthcare w/ Hoala Greevy

    Oct 6, 2021 · 40:04 · Transcription available

    When it comes to healthcare InfoSec, it's the Wild West. Most healthcare organizations just don't have the necessary IT budgets to make it a priority. But it should be a priority. The truth is a large number of hospitals have been targeted by ransomware in the last few years. Today's guest, Hoala Greevy, Founder and CEO at Paubox, shares how his company is arming healthcare organizations with HIPAA-compliant email and APIs in their ongoing battle against cyber threats. In this episode, we discuss:
    - The current state of information security in healthcare
    - How Paubox provides HIPAA-compliant email and APIs
    - Where security and privacy in healthcare are headed
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Private Practices: How to Prioritize Privacy in Your Organization w/ Jason Powell

    Sep 27, 2021 · 57:21 · Transcription available

    In the U.S., it's easy to look at overseas privacy legislation like GDPR and conclude it's a reaction to worrying data practices from today's tech giants. In reality, European privacy legislation can trace its roots back to the nightmarish authoritarian regimes of postwar Europe — and the necessity of securing a future free from repeating these governmental abuses. That's just one of the many privacy insights my latest guest, Jason Powell, GRC and Privacy Consultant at Pivot Point Security, opened my eyes to. He joins the show to share more than just the history of privacy — he brings a ton of useful ways you can begin preparing for the future of privacy, too. In this episode, we discuss:
    - Why GDPR is the granddaddy of privacy legislation
    - What you need to know to handle privacy — whether it's for compliance or just good business practice
    - Why, despite some overlap, privacy and security are really their own domains and should be (ideally) treated as such
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Why Information Security Is Key to Business Strategy w/ Chris Dorr

    Sep 16, 2021 · 54:33 · Transcription available

    Chess legend Bobby Fischer once said that winning tactics flow from a superior position. Bobby Fischer would have made a great CISO. That's because information security strategy is all about steering your business to a winning position that makes tactics easy. And it's why your infosec and business strategies are entirely dependent on one another. My guest today, Chris Dorr, Virtual Chief Information Security Officer (vCISO) at Pivot Point Security, is an expert at marrying security and business strategy. He joins the show to share his expertise and help you become one, too. In this episode, we discuss:
    - Why business strategy and infosec strategy are inextricable
    - How frameworks can be used to shape effective infosec strategy
    - The 3 reasons why infosec strategy is more important than ever
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Head in the Clouds: Multi-Cloud Security & Governance w/ John Grange

    Sep 10, 2021 · 55:58 · Transcription available

    How well do you know what's happening in your cloud? With so many people in an organization able to access it, managing and tracking every change can be a Herculean task. So, it's no surprise that so many organizations need help tracking drift across their cloud networks. And the best person they could turn to is today's guest, John Grange, Co-Founder and CTO at OpsCompass, a company making software that offers centralized visibility for security, cost management, and compliance from a single dashboard. In this episode, we discuss:
    - Why you need centralized visibility to track drift in the cloud
    - How security, compliance and cost management drift are tracked by OpsCompass
    - The kinds of users leveraging OpsCompass
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Can We Predict Security Threats w/ Machine Learning? w/ Johnna Verry

    Sep 2, 2021 · 40:00 · Transcription available

    Every CISO's dream is moving from a reactive security posture to a purely proactive one. In an era of big data and technological advancements in machine learning, is this dream finally a reality? To find out, we charged today's guest, Johnna Verry, Intern at Pivot Point Security, with putting machine learning to the test to see if it can really be the breakthrough we need in predictive security. She joins me to share the results. In this episode, we discuss:
    - The challenge of — and tools necessary for — scraping and cleaning data for use in machine learning
    - The types of machine learning algorithms and how they work
    - The results of Johnna's research and what they mean for the future
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    What People Get Wrong About ISO 27001 Compliance

    Aug 26, 2021 · 21:54 · Transcription available

    Just because ISO 27001 suggests a control doesn't mean you have to have it – in fact, you could be hurting yourself if you do, by wasting money and having more trouble in an audit than you would otherwise. Your controls depend on your risk — not ISO suggestions. That's just one of the many misunderstandings people have about the ISO 27001 standard. In this solo episode, host John Verry, CISO & Managing Partner at Pivot Point Security, goes in depth on the most common misperceptions around ISO 27001 compliance. Some notable examples:
    - Why your controls need to be in accordance with your risk
    - Why you don't need to go crazy documenting absolutely everything
    - Why you shouldn't overcommit on controls
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    Bridging the Gap Between Traditional Compliance & DevOps w/ Raj Krishnamurthy

    Aug 18, 2021 · 36:19 · Transcription available

    Traditional compliance approaches have served us well for years… But they just don't cut it anymore. We need an approach to compliance that moves at the speed of DevOps. Our guest today, Raj Krishnamurthy, is Founder, CEO and Engineer at ContiNube, where he is helping to bridge the gap between traditional compliance techniques and the agile, fast-paced world of DevOps. In this episode, we discuss:
    - Why traditional compliance tools are too outdated to manage today's rapidly shifting risks
    - The 5 pillars of bridging compliance and DevOps
    - How Raj and ContiNube are helping to tackle the problem
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

    A Guide for Validating Your Security Process w/ John Verry

    Aug 11, 2021 · 35:42 · Transcription available

    In this special episode, we're sharing a guest appearance John made on The Perfect Storm. During that episode, he shared how Pivot Point Security helps companies achieve security and compliance throughout different regulatory frameworks and a three-part process for validating your security processes. Topics covered:
    - What services Pivot Point Security offers
    - Helping clients understand the importance of cybersecurity
    - A 3-part framework to validate security
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here.

    Governing Cybersecurity: A Process for Becoming Provably Secure & Compliant w/ John Verry

    Aug 4, 2021 · 30:51 · Transcription available

    Today's special episode was inspired by a conversation we had with a then potential, now current client of ours at Pivot Point Security. In discussing our Virtual CISO offering, we described our tried-and-true process for helping a client become provably secure and compliant. He loved it and wanted us to train him and his team on it. We've since had a similar conversation with a couple of boards. What we've realized through these conversations is this process delivers a lot of value. So in this episode, we are going to share it with you. Topics covered:
    - Defining a clear vision
    - Transforming a vision into an actionable plan
    - Validating your compliance
    To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here.
