Podcasts about National Cybersecurity Center

US non-profit organization

  • 43 podcasts
  • 69 episodes
  • 37m average duration
  • 1 new episode monthly
  • Latest: Mar 24, 2025

Popularity chart (2017 to 2024)


Best podcasts about National Cybersecurity Center

Latest podcast episodes about National Cybersecurity Center

CISO Tradecraft
#225 - The Full Irish

CISO Tradecraft

Mar 24, 2025 | 28:45 | Transcription available


In this episode of CISO Tradecraft, host G. Mark Hardy introduces 'The Full Irish,' a cybersecurity framework based on the '12 Steps to Cybersecurity' guidance from Ireland's National Cybersecurity Center. The episode covers comprehensive steps from governance and risk management to incident response and resilience, making it a valuable resource for cybersecurity professionals. G. Mark also discusses the implications of multinational companies operating in Ireland, including tax strategies and notable GDPR fines. The episode provides pragmatic guidance and actionable insights to enhance your cybersecurity program.

References: https://www.ncsc.gov.ie/pdfs/Cybersecurity_12_steps.pdf
Transcripts: https://docs.google.com/document/d/1VLeRozClLZAkZsusYsUn4Q9_1v7WCoN0

Chapters
00:00 Introduction to the Full Irish
01:32 Why Ireland?
02:40 Tax Avoidance Schemes
04:25 GDPR Penalties and Data Protection
05:54 Overview of the 12 Steps to Cybersecurity
07:19 Step 1: Governance and Organization
09:24 Step 2: Identify What Matters Most
10:31 Step 3: Understanding the Threats
12:35 Step 4: Defining Risk Appetite
14:10 Step 5: Education and Awareness
16:00 Step 6: Implement Basic Protections
18:00 Step 7: Detect an Attack
19:37 Step 8: Be Prepared to React
21:24 Step 9: Risk-Based Approach to Resilience
22:52 Step 10: Automated Protections
23:58 Step 11: Challenge and Test Regularly
25:29 Step 12: Cyber Risk Management Lifecycle
26:29 Conclusion and Final Thoughts

The Six Five with Patrick Moorhead and Daniel Newman
Boost Mobile, Cisco, Nokia, & More - Six Five Webcast: The 5G Factor

The Six Five with Patrick Moorhead and Daniel Newman

Jan 28, 2025 | 23:36


On this episode of the Six Five Webcast: The 5G Factor, hosts Ron Westfall and Tom Hollingsworth delve into the significant 5G ecosystem developments that have marked the onset of 2025. They highlight Cisco's recent update on its strategic relationship with Boost Mobile, demonstrating how Cisco's Test Automation Framework and SDN controller, the Cisco Crosswork Network Controller, were crucial in testing new services and activating cell sites. This ensured Boost Mobile met its 5G deployment targets, while also evaluating the future prospects for Boost's parent company, Echostar/DISH Wireless, through 2025 and beyond.

Their discussion covers:
  • The impact of Cisco's Test Automation Framework and Cisco Crosswork Network Controller in facilitating Boost Mobile's 5G service deployment and site activation.
  • An analysis of Echostar/DISH Wireless's future in the 5G space following the latest developments with Boost Mobile.
  • Nokia's collaboration with the National Institute of Standards and Technology's National Cybersecurity Center of Excellence to enhance 5G security, highlighting Nokia's commitment to address security and privacy challenges in mobile networks.
  • The U.S. Department of Defense's selection of Federated Wireless, subcontracting JMA Wireless for RAN infrastructure and HPE for core network software, to deploy its first commercial private 5G network. This move spotlights the growing business case for P5G across military installations.

RIMScast
Cybersecurity Awareness and Risk Frameworks with Daniel Eliot of NIST

RIMScast

Aug 13, 2024 | 45:13


Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.

Justin Smulison interviews Daniel Eliot of NIST about NIST, its new publications on cybersecurity, including two Quick Start Guides, the Cybersecurity Framework 2.0, and more, as well as Daniel's history with cybersecurity for small businesses and his career-long passion for helping small businesses protect themselves against cybercrime.

Listen in for the latest information on NIST and cybersecurity guidelines for your organization.

Key Takeaways:
[:01] About RIMS.
[:14] RISKWORLD 2025 will take place in Chicago, Illinois from May 4th through May 7th. The call for submissions is now open through August 27th. A link to the submission form is in this episode's show notes.
[:30] About this episode. We will be joined by Daniel Eliot from the National Institute of Standards and Technology, or NIST.
[:52] First, let's talk about RIMS Virtual Workshops. The full calendar of virtual workshops is at RIMS.org/VirtualWorkshops. August 15th starts the three-part series, Leveraging Data and Analytics for Continuous Risk Management. Other dates for the Fall and Winter are available on the Virtual Workshops full calendar at RIMS.org/VirtualWorkshops.
[1:14] Let's talk about prep courses for the RIMS-CRMP. On September 10th and 11th, the RIMS-CRMP Exam Prep will be held with NAIT. There is another RIMS-CRMP Exam Prep on September 12th and 13th.
[1:29] The next RIMS-CRMP-FED Exam Prep course will be hosted along with George Mason University on December 3rd through 5th, 2024. Links to these courses can be found on the Certification Page of RIMS.org and in this episode's show notes.
[1:44] We've got the DFW RIMS 2024 Fall Conference and Spa Event happening on September 19th in Irving, Texas. Learn more about that event in Episode 299, which features an interview with the Texas State Office of Risk Management.
[2:02] Also on September 19th is the RIMS Chicago Chapter's Chicagoland Risk Forum 2024. Register at ChicagolandRiskForum.org.
[2:12] Registration opened for the RIMS Canada Conference 2024, which will be held from October 6th through the 9th in Vancouver. Visit RIMSCanadaConference.ca to register.
[2:25] Registration is also open for the RIMS Western Regional, which will be held from September 29th through October 1st at the Sun River Resort in Oregon. Register at RIMSWesternRegional.com.
[2:38] We want you to join us in Boston on November 18th and 19th for the RIMS ERM Conference 2024. The agenda is live. The keynote will be announced soon. We want to see you there! A link is in this episode's show notes.
[2:53] The nominations are now open for the RIMS ERM Award of Distinction 2024. Nominations are due August 30th. A link to the nomination form is in this episode's show notes.
[3:07] If you or someone you know manages an ERM program that delivers the goods, we want to hear about it. A link is in this episode's show notes. All RIMS regional conference information can be found on the Events page at RIMS.org.
[3:24] On with the show! In October, we will celebrate National Cybersecurity Awareness Month. You should observe it all year round, of course. My guest today has a lot of great insight into risk frameworks. He is Daniel Eliot, the Lead for Small Business Engagement in the Applied Cybersecurity Division of the National Institute of Standards and Technology (NIST).
[3:48] NIST is part of the U.S. Department of Commerce. Today, we will discuss some of the publicly available risk management frameworks and how they've evolved through the years, and the new frameworks that address AI, as well.
[4:05] You may remember Daniel from his appearance on an episode in April 2020, when he was with the National Cybersecurity Alliance. He is back to provide some new tips for the global risk management community.
[4:18] Daniel Eliot, welcome back to RIMScast!
[4:42] Justin and Daniel comment on some things that have changed since April 2020. Daniel was at the National Cybersecurity Alliance (NCA).
[5:50] Now Daniel is the Lead for Small Business Engagement in the Applied Cybersecurity Division of NIST. He shares his journey from NCA to NIST via the National Cybersecurity Center of Excellence, a NIST facility operated by Mitre.
[6:52] Daniel is happy to be back supporting the small business community.
[7:04] Daniel had worked in a small tech startup for almost seven years. He helped them scale the business and manage the development of their product. Next, Daniel joined the University of Delaware's Small Business Development Center, helping tech businesses start and scale.
[8:16] Daniel applied for an SBA grant to help small businesses with cybersecurity. This was in 2014. The Cybersecurity Framework was published in 2014. Daniel applied the Cybersecurity Framework to small businesses. That started Daniel's career in small business cybersecurity.
[9:32] There's a new NIST Risk Management Framework (RMF) Small Enterprise Quick Start Guide. Daniel's role at NIST is to coordinate across NIST, government, and the private sector, to create opportunities for the small business community to engage with NIST expertise.
[10:19] The RMF Small Enterprise Quick Start Guide is a product of that coordination across NIST, government, and the private sector community. In February, NIST produced the Cybersecurity Framework 2.0 Small Business Quick Start Guide.
[10:44] NIST decided to do a Quick Start Guide for a risk management framework for small to medium enterprises. The Risk Management Framework is a process. It's a holistic and repeatable seven-step process for managing security and privacy risks.
[11:23] The NIST RMF Quick Start Guide provides an overview of the seven steps of the process, the foundational tasks for each step, tips for getting started with each step, a sample planning table, key terminology and definitions, questions to consider, and related resources.
[11:53] It's RIMS plug time! Webinars! All RIMS Webinar registration pages are available at RIMS.org/Webinars. On August 27th, Riskonnect returns to discuss How To Successfully Deploy AI in Risk Management.
[12:12] On September 5th, Merrill Herzog makes their RIMS Webinars debut with the Role of Insurance in Building Resilience Against an Active Assailant Attack. On September 19th, Origami Risk returns to deliver Leveraging Integrated Risk Management For Strategic Advantage.
[12:28] Justin jumped ahead a bit. On September 12th, HUB International returns to deliver the third part of their Ready for Tomorrow series, Pivot and Swerve: Staying Agile During Shifting Market Dynamics.
[12:44] Justin is delighted to be joined by the moderator for that session, the Chief Marketing Officer for Canada at HUB International, Linda Regner Dykeman. Justin welcomes Linda to RIMScast!
[13:13] The webinar will be at 1:00 p.m. Eastern Time on September 12th. Linda says they will be discussing current market trends and challenges. The industry has been able to produce some very strong profits over the last few years.
[13:29] The market needed correction after many years of unprofitability driven by weather events in the property line, where rates seemed to be unsustainable. Casualty also had its issues, particularly with Directors and Officers Liability.
[13:47] As a result of the profitability the industry was able to achieve over the last few years, most carriers have become more competitive in growing their books of business. This competition is not being seen in all lines, segments, or geographies.
[14:04] Some catastrophe-prone zones such as BC and Alberta have not seen the same level of competition across the board. As the market transitions from a hard market to a competitive environment, there is some unusual and inconsistent behavior.
[14:21] Carriers in Canada are being more flexible with their appetite. London is looking to grow significantly over the next couple of years, with goals of hitting $100 billion by 2025. Add to that MGAs who are seeing their market share change as local carriers become more competitive.
[14:39] As we transition out of what was considered to be a hard market, we see a lot of inconsistency in this market.
[14:48] Add to this the supply chain issues, which are not what they once were; the economy is flat, and spending, once normalized for an increase in population, reflects that of a market in a recession.
[15:02] We, as brokers, are finding competitive solutions to protect our clients. We have to pivot and swerve to discover the right opportunities.
[15:13] We had a significant rain event in Toronto, followed by one of the worst wildfires Jasper has ever seen, seemingly a once-in-a-hundred-year event; weather catastrophes are more severe and more frequent.
[15:27] How is this going to change the availability of capacity and pricing? Time will tell, as insurers try to figure out if their pricing models included the right loadings for these events.
[15:49] Being informed by what is happening in the market (the trends, the opportunities, what's available) and partnering with the right broker will help a risk manager make an informed decision, appropriate for their business.
[16:11] The panelists have decades of experience and expertise across North America. They work with clients, markets, and other experts and bring a much broader perspective and experience to this session.
[16:26] Steve Pottle is the risk manager on the panel. He's been omnipresent in RIMS Canada for years. He's a former RIMS VP and is currently the Director for Risk and Safety Services at Thompson Rivers University. Justin says he's one of the best and Linda agrees.
[16:57] Linda will moderate. She'll ask the panelists questions HUB International has received from its clients, based on what they are seeing happening in the environment around them. She would also like the audience to pose some questions. Audience participation is encouraged.
[17:21] Justin thanks Linda Regner Dykeman of HUB International, and will see her again on September 12th, 2024 for the third installment of HUB's Ready for Tomorrow series, Pivot and Swerve: Staying Agile During Shifting Market Dynamics.
[17:37] Let's return to today's interview with Daniel Eliot from NIST.
[17:53] Daniel states that the Risk Management Framework is a repeatable seven-step process for managing security and privacy risks. It starts with preparation, categorizing, and understanding the information that your organization processes, stores, and transmits.
[18:20] Then you select controls, and implement those controls to protect the security and privacy of the systems. Then you assess, authorize, and monitor the controls. Are the selected controls producing the desired results? Are there changes to the organization that require new controls?
[18:45] You follow the seven steps of the framework in order and repeat them in a cycle. Keep going through it. Every organization regularly changes. Technologies change. People change. That's why the framework has to be repeatable and flexible.
[19:05] NIST published this Risk Management Framework Small Enterprise Quick Start Guide as a tool to raise awareness within the Small and Medium Enterprise (SME) Community about what the Risk Management Framework is and how to get started with it.
[19:26] This Quick Start Guide is not intended to guide you on your journey from start to finish for a comprehensive risk management implementation. It is a starting point.
[19:41] The Guide has an overview of the steps of the Risk Management Framework, some foundational tasks for each of the RMF steps, some tips for getting started, some sample planning tables, and graphics to help people understand concepts that might be new to them.
[20:02] NIST spent a lot of time defining key terminology, extracting terms out of the Risk Management Framework, and highlighting them in this Quick Start Guide. There are phrases and terms in the Risk Management Framework that some people new to it might not understand.
[20:24] For example, “authorization boundary.” The Guide highlights and illustrates what these terms mean in the Risk Management Framework and adds questions for organizations to consider and use internally for discussion. The answers may be different for every organization.
[21:12] This Guide is a derivative tool from the existing publication that went out for public comment. The Quick Start Guide did not go out for public comment, but NIST has circulated Quick Start Guides to some small businesses they know to make sure it's hitting the right note.
[21:56] Daniel monitors commentary and looks at how the Guide is received out in the world once it's published. In every Quick Start Guide, there is an opportunity for people to contact NIST if they have questions or if there is an error. NIST is always open to feedback.
[23:03] In small businesses, Daniel finds the owner or operator is the Chief Risk Officer, the Janitor, the CISO, and the Chief Marketing Officer. Anyone can use the Risk Management Framework. It's a process.
[23:25] Federal agencies, contractors to the federal government, and other sources that use or operate a federal information system typically use the suite of NIST Risk Management Standards and Guidelines to develop and implement a risk-based approach.
[23:48] A lot of the audience for this Small Enterprise Quick Start Guide might be small universities, small municipalities, or small federal agencies implementing this Risk Management Framework.
[24:27] We have time for one more break! The Spencer Educational Foundation's goal is to help build a talent pipeline of risk management and insurance professionals. That is achieved, in part, by a collaboration with risk management and insurance educators across the U.S. and Canada.
[24:45] Whether you want to apply for a grant, participate in the Risk Manager on Campus program, or just learn more about Spencer, visit SpencerEd.org.
[24:55] On September 12th, 2024, we look forward to seeing you at the Spencer Funding Their Future Gala at The Cipriani 42nd Street in New York City. Our recent guest from Episode 293, Lilian Vanvieldt-Gray, will be our honoree.
[25:11] Lilian is the Executive Vice President and Chief Diversity, Equity, and Inclusion Officer at Alliant Insurance Services, and she will be honored for her valuable contributions to supporting the future of risk management and insurance.
[25:28] That was a great episode, so after you finish this one, please go back and listen to Episode 293.
[25:34] Let's conclude our interview with Daniel Eliot of NIST.
[26:10] Daniel introduces the U.S. AI Safety Institute, housed within NIST. It's tasked with advancing the science, practice, and adoption of AI safety across the spectrum of risks, including those to national security, public safety, and individual rights.
[26:39] The efforts of the U.S. AI Safety Institute initially focused on the priorities assigned to NIST under President Biden's Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.
[26:51] On July 26th, 2024, they released resources for a variety of aspects of AI technology. Two are new to the public. The first is an initial public draft of a guidance document intended to help software developers mitigate the risks of generative AI and dual-use foundation models.
[27:19] The other is a testing platform intended to help AI system users and developers measure how certain types of attacks can degrade the performance of an AI system. These are two opportunities for the public to provide comments on these publications and tools.
[27:49] There is a link to the call for comments in this episode's show notes.
[28:03] At NIST, foundational publications go out for public comment. NIST wants to hear from U.S. citizens and people all over the world to get their perspectives on NIST's approach to what they're addressing. This is a community effort. Comment periods are important.
[28:37] From Daniel's perspective of small business, he seeks the comments of small businesses on these publications. Authors need to hear from organizations, large and small.
[28:53] These two new publications are open for public comment.
[28:59] Three releases are final publications. One is The AI Risk Management Framework Generative AI Profile, which helps organizations identify unique risks posed by generative AI. It includes actions for generative AI risk management.
[29:34] A second publication is the Secure Software Development Practices for Generative AI and Dual Use Foundation Models. It addresses concerns about Generative AI systems being compromised with malicious training data that would adversely affect system performance.
[30:16] The third publication is A Plan for Global Engagement on AI Standards. It's intended to drive worldwide development and implementation of AI-related consensus standards. Standards require global input from businesses, governments, non-profits, and academia.
[30:57] These three final publications have been informed by public comment periods. They're ready to hit the ground running and people can put them into action.
[31:15] Daniel is part of the Applied Cybersecurity Division of NIST. The U.S. AI Safety Institute is a different part of NIST.
[31:44] Every once in a while, public comments receive spammy messages.
[32:23] Daniel says all cybersecurity and privacy risk management comes back to governance and having policies and procedures in place, knowing your contractual and legal responsibilities. Organizations need policies that guide behavior for the appropriate use of AI in their business.
[32:59] Individuals in companies have pasted confidential company information into publicly available AI systems. That creates a vulnerability. Have a policy around the use of these tools.
[33:31] Criminals have used AI to upgrade phishing scams, reduce grammatical errors, and craft more convincing appeals.
[35:00] NIST is raising awareness of different ways of identifying phishing attacks besides looking for grammatical errors, such as looking at the links and the calls to action and other factors that show it is a phishing scam. AI is contributing to their increasing sophistication.
[35:43] Daniel shares his tip for new risk professionals. Familiarize yourselves with the suite of resources that NIST has available for cybersecurity and privacy risk management. They have a broad variety of risk management frameworks and resources, like the Quick Start Guide.
[36:42] There are online courses, extensive FAQs with answers, and archived talks from SMEs. Take advantage of these resources. Also, let NIST know what other resources might be helpful to you. The core of NIST guidance for any framework is good governance.
[37:21] Understand your mission and requirements. Create and maintain policies for good behavior. Understand your supply chain dependencies and vulnerabilities. Good governance sets your organization up for success when implementing and monitoring risk-mitigating controls.
[37:56] NIST offers consistent, clear, concise, and actionable resources to small businesses. Since 2018, they have maintained a website, NIST Small Business Cybersecurity Corner, with over 70 resources on the site, all tailored to small businesses. The Quick Start Guides are there.
[38:32] The resources include short videos, tip sheets, case studies, and guidance organized by both topic and industry. All the resources are free and produced by federal agencies, such as NIST, FBI, CISA, as well as nonprofit organizations. It's a one-stop shop for this information.
[39:04] The resources are regularly updated and expanded to keep the content fresh and relevant. The resource library has the Cybersecurity Basics Section, with eight basic steps businesses can inexpensively implement to reduce cybersecurity risks.
[39:28] The Cybersecurity Framework Page highlights the CSF and small business resources related to the CSF. There is topical guidance on Multi-Factor Authentication, Ransomware, Phishing, Government Contracting Requirements, and Choosing a Vendor or Service Provider.
[39:53] All the resources are available at NIST.gov/ITL/SmallBusinessCyber. The link is in this episode's show notes. The resources are there for you to use in your organization.
[40:30] Justin says, “It has been such a pleasure to reconnect with you here on RIMScast! I always love it when you post on LinkedIn! I think you're great! You're keeping me informed. Happy National Cybersecurity Awareness Month to you!”
[40:55] With developments in tech and AI, cybersecurity has taken a back seat, but Justin says it will come back pretty hard. Justin feels it will be sooner than four-and-a-half years for Daniel to return to RIMScast.
[41:23] Whatever new technology comes out, cybercriminals are looking at it to see how they can exploit it. There will always be a cybersecurity component to it.
[42:05] Daniel Eliot, thank you so much for rejoining us here on RIMScast!
[42:10] Special thanks again to Daniel Eliot of NIST for rejoining us here on RIMScast. Lots of links are in this episode's show notes to aid small enterprise owners and risk professionals.
[42:25] These resources are publicly available and complimentary, so by all means, use them and leverage them to ensure your organization's cyber resilience. I've got lots of links in this episode's show notes for more cybersecurity coverage from RIMS, as well.
[42:44] It's RIMS plug time! The RIMS App is available to RIMS members exclusively. Go to the App Store and download the RIMS App with all sorts of RIMS resources and coverage. It's different from the RIMS Events App. Everyone loves the RIMS App!
[43:18] You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in our show notes. RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information.
[44:02] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information.
[44:20] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more.
[44:36] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. Justin Smulison is the Business Content Manager at RIMS. You can email Justin at Content@RIMS.org.
[44:58] Thank you for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!

Mentioned in this Episode:
DFW RIMS 2024 Fall Conference and Spa Event | Sept 19‒20
Chicagoland Risk Forum 2024 — Presented by RIMS Chicago Chapter — Sept. 19, 2024
RIMS Western Regional — Sept 29‒Oct 1, Oregon | Registration is open!
RIMS Canada Conference 2024 — Oct. 6‒9 | Registration is open!
Spencer Educational Foundation — Funding Their Future Gala 2024 | Sept. 12, 2024
RIMS ERM Conference 2024 will be in Boston, MA Nov. 18‒19 | Register Now
RIMS ERM Award of Distinction — Nominations Open Through Aug. 30, 2024!
RISKWORLD 2025 will be in Chicago! May 4‒7
Education Content Submissions for RISKWORLD 2025
NIST Risk Management Framework Small Enterprise Quick Start Guide
Cybersecurity Framework 2.0 Small Business Quick Start Guide
NIST Small Business Cybersecurity Corner
U.S. Artificial Intelligence Safety Institute
New Guidance and Tools to mitigate AI Risks
Managing Misuse Risk for Dual-Use Foundation Models
Testing How AI System Models Respond to Attacks
Users can send feedback to: dioptra@nist.gov
RIMS DEI Council
RIMS-Certified Risk Management Professional (RIMS-CRMP)
RIMS Strategic & Enterprise Risk Center
NEW FOR MEMBERS! RIMS Mobile App

RIMS Webinars:
How to Successfully Deploy AI in Risk Management | Sponsored by Riskonnect | Aug. 27, 2024
Role of Insurance in Building Resilience Against an Active Assailant Attack | Sponsored by Merrill Herzog | Sept. 5, 2024
HUB Ready for Tomorrow Series: Pivot and Swerve — Staying Agile During Shifting Market Dynamics | Sept. 12, 2024
Leveraging Integrated Risk Management For Strategic Advantage | Sponsored by Origami Risk | Sept. 19, 2024
RIMS.org/Webinars

Upcoming Virtual Workshops:
Leveraging Data and Analytics for Continuous Risk Management (Part I) 2024 — Aug 15
See the full calendar of RIMS Virtual Workshops
RIMS-CRMP Prep Workshops

Related RIMScast Episodes:
“Daniel Eliot's 2020 RIMScast Debut: Cybersecurity Tips for Small Businesses”
“300th Episode Spectacular with RIMS CEO Gary LaBranche”
“Mid-Year Risk Update with Morgan O'Rourke and Hilary Tuttle”
“Emerging Cyber Trends with Davis Hake”
“Cybersecurity Awareness Month with Pamela Hans of Anderson Kill”

Sponsored RIMScast Episodes:
“Weathering Today's Property Claims Management Challenges” | Sponsored by AXA XL (New!)
“Storm Prep 2024: The Growing Impact of Convective Storms and Hail” | Sponsored by Global Risk Consultants, a TÜV SÜD Company (New!)
“Partnering Against Cyberrisk” | Sponsored by AXA XL (New!)
“Harnessing the Power of Data and Analytics for Effective Risk Management” | Sponsored by Marsh
“Accident Prevention — The Winning Formula For Construction and Insurance” | Sponsored by Otoos
“Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties” | Sponsored by AXA XL
“Elevating RMIS — The Archer Way” | Sponsored by Archer
“Alliant's P&C Outlook For 2024” | Sponsored by Alliant
“Why Subrogation is the New Arbitration” | Sponsored by Fleet Response
“Cyclone Season: Proactive Preparation for Loss Minimization” | Sponsored by Prudent Insurance Brokers Ltd.
“Subrogation and the Competitive Advantage” | Sponsored by Fleet Response
“Cyberrisk Outlook 2023” | Sponsored by Alliant
“Chemical Industry: How To Succeed Amid Emerging Risks and a Challenging Market” | Sponsored by TÜV SÜD
“Insuring the Future of the Environment” | Sponsored by AXA XL
“Insights into the Gig Economy and its Contractors” | Sponsored by Zurich
“The Importance of Disaster Planning Relationships” | Sponsored by ServiceMaster

RIMS Publications, Content, and Links:
RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community!
RIMS Virtual Workshops
On-Demand Webinars
RIMS-Certified Risk Management Professional (RIMS-CRMP)
RIMS-CRMP Stories — New interviews featuring RIMS Risk Management Honor Roll Inductee Mrunal Pandit!

RIMS Events, Education, and Services:
RIMS Risk Maturity Model®
RIMS Events App: Apple | Google Play

Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.

Want to Learn More? Keep up with the podcast on RIMS.org and listen on Spotify and Apple Podcasts.

Have a question or suggestion? Email: Content@rims.org.

Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn.

About our guests:
Daniel Eliot, Lead for Small Business Engagement, Small Business Cybersecurity Corner, Applied Cybersecurity Division, National Institute of Standards and Technology, U.S. Department of Commerce
Linda Regner Dykeman, HUB International, Chief Marketing Officer for Canada

Tweetables (Edited For Social Media Use):
“I'm happy to be back at NIST, supporting the small business community.” — Daniel Eliot
“The industry has been able to produce some very strong profits over the last few years, after many years of unprofitability driven by weather events in the property line.” — Linda Regner Dykeman
“Follow the seven steps of the framework in order and repeat them in a cycle. Keep going through it. Every organization regularly changes. Technologies change. People change. That's why it has to be repeatable and flexible.” — Daniel Eliot
“There are phrases and terms associated with the Risk Management Framework that some people who are new to this might not understand.” — Daniel Eliot
“When talking about small businesses, the owner or operator is the Chief Risk Officer, the Janitor, the CISO, and the Chief Marketing Officer.” — Daniel Eliot
“An AI system is only as good as the information that's put into it.” — Daniel Eliot

Cybercrime Magazine Podcast
2023 CyberMaryland Conference. Uniting Government, Academia, & Industry In Maryland & Beyond.

Cybercrime Magazine Podcast

Play Episode Listen Later Jan 19, 2024 3:10


The CyberMaryland Conference is an annual event presented by the CyberMaryland Advisory Board in conjunction with academia, government and private industry organizations. In this episode, host Heather Engel brings us special coverage from the event, which took place from December 6th to 7th, 2023, in Hyattsville, Maryland. Highlights include commentary from Cherilyn Pascoe, Director of the National Cybersecurity Center of Excellence at NIST; Ray Vazquez, President at Vertex11; Laura Baker, Executive Director at CyberWyoming; and Dr. Blair Taylor, Director of Cybersecurity Center at Towson University. Learn more about the CyberMaryland Conference, and our sponsor, the Federal Business Council, at https://cybermarylandconference.com.

Cybercrime Magazine Podcast
Cyber Trust & Transparency. Forging Strong Security. Mark Weatherford, National Cybersecurity Center

Cybercrime Magazine Podcast

Play Episode Listen Later Jan 12, 2024 20:42


Mark Weatherford, Chief Strategy Officer at the National Cybersecurity Center, is an Advisory Board Member at SecurityScorecard. In this episode, he joins host Steve Morgan to discuss cybersecurity metrics and KPIs, as well as how companies can determine security posture and reduce risk, and more. SecurityScorecard is the leading security rating company, used by more than 2,500 top companies. To learn more about our sponsor, visit https://securityscorecard.com

Journeys of Discovery with Tom Wilmer
Discover Colorado Springs' Space ISAC National Cybersecurity Center's mission

Journeys of Discovery with Tom Wilmer

Play Episode Listen Later Nov 15, 2023 22:37


Executive Director Erin Miller shares insights about the Space ISAC National Cybersecurity Center's partnerships and missions

Colorado = Security Podcast
254 - 11/6 - Douglas Brush, Founder @ Accel Consulting

Colorado = Security Podcast

Play Episode Listen Later Nov 5, 2023 91:53


Douglas Brush, Founder and Court Appointed Neutral of Accel Consulting, is our feature interview this week, interviewed by Frank Victory. News from Xcel Energy, Guild Education, National Cybersecurity Center, Coalfire, Red Canary, Zvelo and a lot more. Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com

This week's news:
Colorado has the four most expensive housing markets in U.S. not on a coast
Ten Reasons Why Denver Is a “Bastion of Geekdom”
Colorado designated as official tech hub for quantum industry
Aurora data center to become one of Xcel Energy's biggest customers, rivaling mines and steel mills
Denver-area tech unicorn Guild just made a big investment in AI education
National Cybersecurity Center Hosts Project Pisces Training And Onboarding - National Cybersecurity Center
Maximizing the value of threat modeling
Guardians of IoT: Strengthening the security of IoT-connected medical devices in the healthcare industry
Validating detection for Gootloader with Atomic Red Team
Cyber Insurance Tightens the Reins to Lower Risk

Job Openings:
Tiktok - Converged Security Technology Security Specialist
Maximus - VP - Business Information Security Officer
Tanium - Senior Cloud Cybersecurity Engineer, CCS
Advanced Energy - Manager, IT Governance, Risk & Compliance
Western Union - Cyber Security Governance Business Manager
US Bank - Risk Framework Professional
Datavant - Head of Information Security Governance
Kroll - Vice President, Policy Writer, Cyber Risk
Modivcare - Sr. IT Governance Analyst
Meta - Security Partner - Infrastructure

Upcoming Events:
Let's Talk Software Security - What's Your Biggest Security Challenge? - 11/8
ISSA Denver - November Chapter Meeting, Asset Management - 11/8
CISO Debate Series: Will more government regulation help drive better security? - 11/9
ISSA Denver - The New SEC Reporting Rule and the End Cybersecurity as We Know It - 11/9
ISSA COS - November Mini Seminar - 11/11
CSA Colorado - Security Insights With James Condon - 11/14
ISSA COS - November Chapter Meeting - 11/14
ISC2 Pikes Peak - November Meeting - 11/15
ISSA Denver - Inaugural Veterans Special Interest Group meeting - 11/16
ISACA Denver - SEC Cybersecurity Disclosure - 11/16
ISSA COS - Mentoring Mixer and Log Wars - 11/30
Colorado Cyber Security - Cyber First Friday - 12/1
View our events page for a full list of upcoming events

* Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com.
* Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

Feds At The Edge by FedInsider
Ep. 121 The Human Side of Zero Trust

Feds At The Edge by FedInsider

Play Episode Listen Later Oct 4, 2023 57:41


In 2021, the federal government provided initiatives for a move to zero trust; after two years it is time to look at the progress agencies have made. Today's discussion includes federal experts who have made remarkable progress in the implementation of Zero Trust. The group also includes an experienced subject matter expert from a large commercial organization, IBM. The conclusion from the short discussion is the value of taking into consideration many of the human aspects of implementing zero trust. This human aspect can be divided into three areas: strategy, design, and leveraging guidance from the federal government. Strategic concerns begin with understanding the nature of a zero-trust implementation. As Wayne Rogers points out, one can't throw a switch and have zero trust just emerge from those bits and bytes. He suggests a test pilot program, getting feedback, and then continuing until it is complete. When it comes to multiple cloud vendors, Wayne brings brilliant insight. Looking back at traditional federal tech implementations, he observes that they used a variety of vendors. His suggestion is to apply the same strategy to cloud-based zero trust. Using multiple clouds yields benefits like resiliency and reducing cyber-attack vulnerability. If one vendor gets attacked, your secondary provider will be available. As far as reducing risk goes, he details an approach where you distribute the technology for Zero Trust among several Cloud Service Providers. For example, one can place SASE on one, ICAM on another, and storage on a third. Although it can be complicated, he shows that it can increase speed drastically. IBM's Akiba Saeedi recommends that a federal manager should look at a transition to zero trust by focusing on use cases. Take one implementation and examine it regarding disruption, privacy, and remote work. She has seen success when working with several vendors on specific use cases.
All guests agreed that a great place for guidance on a zero-trust transition is NIST's Center of Excellence on Zero Trust, called the National Cybersecurity Center of Excellence, or the NCCoE project.

Explain to Shane
Securing Your Digital Life in an Age of Hacks (with Harry Raduege)

Explain to Shane

Play Episode Listen Later Oct 2, 2023 31:47


As we adopt technology at every level of our lives, these technological advancements can also open the door to more cyber risks. The increasing sophistication and frequency of cyberattacks are a threat to government agencies, private companies, and individual users alike. Given the interconnectedness of our digital economy, how can public users and companies take steps to protect themselves from cybercriminals? What steps can we take to guard our data from criminals? And can we identify vulnerabilities before they are exploited and defend our digital assets from attacks? Today's guest has thought deeply about these questions and works to address emerging cyber threats head-on. Today's guest, Lieutenant General Harry Raduege, is the President and CEO of the National Cybersecurity Center, a nonprofit that works to raise cyber awareness and integrate cybersecurity into every aspect of our interconnected lives. The Center helps serve small and medium businesses, partners with K-12 schools and higher education to create educational programs, and brings together people and organizations to learn about protecting systems and devices from cyber attacks and how to solve cyber-related problems. Before his work at the National Cybersecurity Center, Harry served in the Air Force for over 30 years, where he was the Chief Information Officer of the Space Command, Chief Information Officer of NORAD, and Commander of the Joint Task Force-Global Network Operations. Lieutenant General Raduege joins the show with invaluable insights from working in cybersecurity.

CERIAS Security Seminar Podcast
Scott Sage, Erin Miller, How the Cyberspace Domain has Changed the Game for the Space Domain

CERIAS Security Seminar Podcast

Play Episode Listen Later Sep 27, 2023 53:04


This is a hybrid event. Students are encouraged to attend in person: STEW G52 (Suite 050B). As the commercial and international space community grows to reach the projected $1T for the global economy, the vast domain of space becomes increasingly congested and contested. In this seminar the Space Information Sharing and Analysis Center (Space ISAC) and the National Cybersecurity Center (NCC) team up to share their perspectives and insights on the intersection of cyber and space, how the game is changing, and what effect this will have on government, industry and academia. This talk will discuss the technology trends in the industry and threats to space systems, and make recommendations to students and faculty about how to navigate the landscape of space domain cybersecurity over the next five years.

About the speakers: Mr. Scott Sage is the Chief Operating Officer of the National Cybersecurity Center, a national-level nonprofit organization that provides collaborative cybersecurity knowledge and services to the United States. He encourages, engages, and equips others to solve worthwhile hard problems, such as his most recent assignment to develop a new space cybersecurity market for Peraton Inc. He also recently took a complex IR sensor from a blank sheet of paper to launch and operation in under 24 months, and earlier conceived and executed an Insider Threat and Information Warfare Behavior Based Analytics R&D project that generated 2 patents and increased interest from DoD and Intelligence Community customers.

Past accomplishments include:
· Automated Mission Impact Assessment of Network Disruptions - Patent 8347145
· Concept to Low Earth Orbit IR Sensor for Space Development Agency in under 2 years
· Northrop Grumman Sector Cyber and Information Operations Strategy Development
· Industry-leading technology development for scalability in satellite C2 automation
· Increased worldwide frequency access for Low Earth Orbit satellite communications
· House Armed Services Committee praise for highly classified space advocacy plan
· Conceptualized, researched and constructed unique DoD Space Order of Battle Annex
· Highly praised Master of Science thesis addressing satellite radiation effects

Before devoting his work full time to visionary growth development for Peraton, Scott managed counter-hypersonics development for Northrop Grumman, advanced cyber defense systems development for AT&T, and advanced space operations programs for aerospace companies and the US Navy. Scott has published international export material on cybersecurity issues associated with virtualization and cloud computing and developed a nationwide R&D network for Northrop Grumman that allowed critical technologies to be brought online for use on high priority captures worth over $8.6B in future revenue. Scott has also been a Certified Information Systems Security Professional (CISSP) and Homeland Security Expert since going to work after completing 15 years of US Navy service as a Commander. Scott volunteered as the co-chair of the Space ISAC Information Sharing Working Group and co-chair for the DHS CISA Future of Space Working Group and has volunteered at Penrose hospital and the Colorado Springs Rescue Mission, along with being a leader at his church. Formal degrees include an M.S. in Space Systems Electrical Engineering from the Naval Postgraduate School in Monterey, and a B.S. in Nuclear Engineering and a B.A. in Journalism & Mass Communication from Iowa State University, Ames, IA.

Ms. Erin M. Miller is the Executive Director of the Space Information Sharing and Analysis Center (Space ISAC). Space ISAC serves as the primary focal point for the global space industry for "all threats and all hazards." Stood up at the direction of the White House in 2019, Erin led the Space ISAC to open its operational Watch Center, alongside its Cyber Malware and Analysis Vulnerability Laboratory in Colorado Springs, CO, USA. Under Erin's leadership, Space ISAC's headquarters facility is already serving several countries to achieve its mission of security and resilience for the global space industry. Each year Space ISAC puts on the Value of Space Summit (VOSS), co-hosted with The Aerospace Corporation at the University of Colorado Colorado Springs. Erin has over a decade of experience building meaningful tech collaborations and has formed hundreds of formal partnerships between government, industry and academia to solve problems for war fighters and national security. As a serial entrepreneur in the non-profit space, she thrives in launching new programs and new organizations from stand up through building and scaling operations. Erin was the Managing Director of the Center for Technology, Research and Commercialization (C-TRAC) and brought three USAF-funded programs to bear at the Catalyst Campus for Technology & Innovation (www.catalystcampus.org). Her expertise in brokering unique partnerships using non-FAR type agreements led to the standup of the Air Force's first cyber-focused (#securebydesign) design studio, AFCyberWorx at the USAF Academy, and the first space accelerator, Catalyst Accelerator, at Catalyst Campus in Colorado Springs, in partnership with Air Force Research Laboratory and AFWERX. In 2020 Erin was a recipient of the Woman of Influence award. In 2018 Erin was recognized by the Mayor of Colorado Springs with the Mayor's Young Leader (MYL) of the Year Award for Technology. She is also the recipient of the Southern Colorado Women's Chamber of Commerce Award for Young Female Leader in 2018. In her previous roles she developed and managed intellectual property portfolios, technology transfer strategies, export control/ITAR, secure facilities, and rapid prototyping collaborations. Erin serves on the advisory board of CyberSatGov and CyberLEO and is a board member for the Colorado Springs Chamber of Commerce & EDC. She has guest lectured at Georgetown University, the United States Air Force Academy, the University of Colorado at Boulder, and Johns Hopkins University. She is frequently found public speaking at notable events like Defense Security Institute's Summits, CyberSatGov, State of the Space Industrial Base, and other forums focused on security, space resiliency and critical infrastructure.

The New CISO
100th Episode: Six Mentorship Questions with Two Top Leaders

The New CISO

Play Episode Listen Later Sep 21, 2023 46:28


In this episode of The New CISO, Steve is joined by returning guests Michael Meis, Associate CISO at The University of Kansas Health System, and Mark Weatherford, the Chief Strategy Officer at The National Cybersecurity Center. For the 100th episode, Mark and Michael are back to share their thoughts on decision-making, mentorship, learning, and leadership, amongst other topics essential to the security industry. Tune into today's episode to learn more about the career opportunities Mark and Michael didn't take, how to measure your journey, and the importance of an effective team. Listen to Steve, Michael, and Mark discuss managing stress while diving head-first into challenging situations and how to maximize the growth of junior team members:

Welcome Back (1:32)
Jumping in, Steve presses returning guests Mark and Michael on the most interesting career opportunities they didn't take. While in the Navy, Mark received a call transferring him to Virginia for a promotion. Although he did not want to go, this transfer was great for him. For Michael, when he was in the Army, he turned down a promotion multiple times. He decided early on in his career that the military would not be his long-term career.

Sound Career Advice (13:04)
Determining when you feel fulfilled professionally allows you to make better career choices. Although our goals evolve, it's important to reevaluate our priorities at different life stages. From a leadership perspective, it's valuable to not think of yourself as the most intelligent person in the room but instead surround yourself with people who can fill in the gaps in your skillset. Leaders need their junior-level colleagues to succeed, and giving these employees real responsibilities allows them to transition into more significant roles.

Best Mentorship Books (21:30)
Mark and Michael share the books they would recommend to new and future leaders. These books are worthwhile resources that help prepare CISOs to take on higher-level work when it is presented.

New To The Job (28:02)
Mark and Michael explore what new CISOs should assess when new to running their teams. It's essential to determine if you have good people who have lacked effective mentorship or if your organization lacks talent. Ultimately, you must ensure you have the right employees to succeed, and you need to see whether people add value in a crisis.

Owning A Crisis (35:40)
Steve presses Mark and Michael on their leadership perspective in a crisis. Mark reflects on an experience involving the government, where one of his employees took ownership of their security breach. Mark is still in touch with this colleague today and credits him with helping to resolve a high-level issue. Michael reflects on a junior analyst who quickly worked his way up because he had a can-do attitude. The best career advice is to take work off of others' plates, because the people you help will never forget.

Staying Grounded (40:46)
To close, Steve asks Mark and Michael a more individualized question: what helps them stay grounded during stressful times in the field? Mark admits he's not great at taking a step back from work. He is passionate about the business and understands a 9-5 clock would not work for most security professionals. He can manage his stress, but he knows he lacks life balance. To relax, he keeps honey bees. Michael encourages everyone to eliminate the preconceived notion that this path is like other jobs. Security professionals are all-in on their work and must decide what balance means to them. Michael meditates to center himself and regulate the physical manifestations of stress.

Links mentioned:

TechTank
Exploring the NIST Cybersecurity Framework 2.0

TechTank

Play Episode Listen Later Sep 11, 2023 38:15


In this episode of the TechTank Podcast, co-host Nicol Turner Lee discusses what is new in the recently updated Cybersecurity Framework 2.0. Joining the podcast to discuss those changes is Cherilyn Pascoe, Director of the National Cybersecurity Center of Excellence, National Institute of Standards and Technology (NIST), who also shares resources and tools that organizations of any size and sector can access. Hosted on Acast. See acast.com/privacy for more information.

Colorado = Security Podcast
251 - 9/4 - Brandon Stewart, CEO @ Nereus Systems

Colorado = Security Podcast

Play Episode Listen Later Sep 3, 2023 78:40


Brandon Stewart, CEO at Nereus Systems, is our feature interview this week, interviewed by Frank Victory. News from Teriyaki Madness, DISH, Echostar, Ball Corp, Blazy Susan, Ping Identity, Coalfire, and a lot more. Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com

This week's news:
Join the Colorado = Security Slack channel
Denver-based fast-casual chain rolls out new tech to be 'faster than a drive thru'
Here's what execs say will come from a Dish Network, EchoStar merger
Behind the deal: Here's why Ball Corp.'s CEO says it sold off its aerospace business
134 Colorado companies rank among the fastest-growing in America, according to Inc.
As VC funding slows in Colorado and the West, it's rising elsewhere
Colorado receives $1M grant to allay cyberattacks and threats
Pikes Peak Small Business Development Center, National Cybersecurity Center, and University of Colorado Colorado Springs Unite to Drive Impactful Cybersecurity Initiatives with $927,236 Grant - National Cybersecurity Center
Thoma Bravo Merges ForgeRock with Ping Identity
How Fortune 500s are building brand value by communicating security posture
Twelve Planning Tips to Avoid Complications with the SEC's Cybersecurity Disclosure Rules: Part II

Job Openings:
Ibotta - Director, Compliance
RingCentral - Director, Security Programs
Western Union - Senior Manager, Information Security
Holland & Hart - Information Security Manager
Astroscale - Security Manager/FSO
Charles Schwab - Information Technology Asset Manager Risk Governance
Flexential - IT Security and Compliance Analyst
Quantinuum - Senior Cybersecurity Engineer
Krayden - Cybersecurity Analyst
Modivcare - IT Governance Analyst

Upcoming Events: This Week and Next:
ISSA Denver - September Chapter Meetings (DTC and Downtown) - 9/13
ISACA Denver - September Chapter Meeting: Getting Started in Blue Teaming & Advanced Concepts and Testing Strategies for Auditing SAP - 9/14
CSA Colorado - September Chapter Meeting: The API Security Landscape and what we are seeing in the field - 9/19
SecureWorld Denver - 9/19
Let's Talk Software Security - Operating Models for Modern Software Security - 9/21
ISC2 Pikes Peak - September Meeting - 9/27
ISA Automation and Leadership Conference - 10/4-6
ISACA Denver - ISACA Community Day 2023: Denver Parks: Preparing Wash Park for Fall/Winter - 10/7
View our events page for a full list of upcoming events

* Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here.
* Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

T-Minus Space Daily
JUICE jiggle frees the RIME.

T-Minus Space Daily

Play Episode Listen Later May 15, 2023 29:26


ESA's JUICE ice-penetrating Radar for Icy Moons Exploration (RIME) antenna has finally escaped its mounting bracket. NASA's Jet Propulsion Laboratory's Lunar Flashlight mission can't orbit the moon as planned due to a propulsion system issue. USSPACECOM welcomes the National CyberSecurity Center to their Academic Engagement Enterprise, and more. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our weekly intelligence roundup, Signals and Space, and you'll never miss a beat. And be sure to follow T-Minus on Twitter and LinkedIn.

T-Minus Guest
Our guest for today's episode is Michelle Hanlon, Co-founder of For All Moonkind and Co-Director at the University of Mississippi School of Law. Michelle discusses her nonprofit “For All Moonkind” and the ethics of space exploration. You can follow Michelle on LinkedIn and learn more about For All Moonkind at their website.

Selected Reading
Juice's RIME antenna breaks free - ESA
NASA ends Lunar Flashlight mission because of thruster problems - SpaceNews
NATIONAL CYBERSECURITY CENTER WELCOMED TO USSPACECOM ACADEMIC ENGAGEMENT ENTERPRISE (AEE) - Cyber Center
NASA's TBIRD Mission Demonstrates Breaks its Own Record With 200 Gbps Optical Downlink - Via Satellite
Space Development Agency issues draft solicitation for 100 satellites - SpaceNews
Planet Expand Agreement with AXA Climate for Drought Insurance Program - Via Satellite
SpaceX hires former NASA human spaceflight official Kathy Leuders to help with Starship - CNBC
Stratolaunch Successfully Completes Separation Test of Talon-A Vehicle - Stratolaunch PR
Readout of President Joe Biden's Meeting with President Pedro Sanchez of Spain - The White House
ChatGPT on Mars: How AI can help scientists study the Red Planet - Space.com

Audience Survey
We want to hear from you! Please complete our 4 question survey. It'll help us get better and deliver you the most mission-critical space intel every day.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at space@n2k.com to request more info. Want to join us for an interview? Please send your pitch to space-editor@n2k.com and include your name, affiliation, and topic proposal. T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Ripple Effect
Why Cybersecurity is Everyone's Responsibility

Ripple Effect

Play Episode Listen Later Jan 19, 2023 33:58


If you're not concerned about cybersecurity at your organization, you're putting your job at risk. A single successful cyberattack can negatively impact an organization's revenue, reputation, and data for years. So what can you do to help protect your organization from data breaches, cyberattacks, and hacking incidents? Forrest Senti, Vice President of Programs and Operations at the National Cybersecurity Center, has some great tips to share. In this episode, he explains how organizations can improve their cybersecurity by using creative training methods, building better data policies, and adequately vetting the security of new tools.

Rely on automation: Shift manual and paper-based processes to digital systems to minimize errors and risk.
Create thorough processes: Ensure all employees know how to properly handle data by instilling clear procedures.
Invest in security training: Find creative ways to engage employees in security training that keep it interesting and top of mind.

Become an insider today: https://www.formstack.com/practically-genius-insider

Quantum Tech Pod
Quantum Tech Pod Episode 41: Jack Hidary, SandboxAQ CEO

Quantum Tech Pod

Play Episode Listen Later Jan 4, 2023 56:10


Chris Bishop's latest Quantum Tech Pod with Jack Hidary CEO of SandboxAQ is live! Jack is a serial entrepreneur and co-founder of several tech companies, including EarthWeb/Dice, which he led from its founding through IPO. In July, SandboxAQ was selected for NIST's National Cybersecurity Center of Excellence Migration to Post-Quantum Cryptography Project. With a focus on encryption management for large enterprises and governments in the face of Store-now-decrypt-later attacks, SandboxAQ developed AQ Analyzer - a piece of enterprise software that crawls around on prem or in the cloud to uncover encryption vulnerabilities. The company is also working on quantum-driven solutions in biopharma, materials science, and battery chemistry. Take a listen to this great conversation! #quantumcomputing #quantumencryption #SNDL #Alphabet Inside Quantum Technology #IQT #sandboxaq

@BEERISAC: CPS/ICS Security Podcast Playlist
Looking to the future of the OT space.

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Nov 20, 2022 35:29


Podcast: Control Loop: The OT Cybersecurity Podcast (LS 28 · TOP 10%)
Episode: Looking to the future of the OT space.
Pub date: 2022-11-16

The US Department of Energy seeks to improve visibility into ICS environments. NIST has issued a proposal for upgrading cybersecurity at water plants in the US. A patch has been issued for a critical vulnerability that affects flow computers from ABB. Guest Ashif Samnani of Cenovus Energy shares insights from his nearly two decade career in the OT world. In the Learning Lab, hear the third in a series with Mike Hoffman, a Principal Industrial Consultant at Dragos, teaching infosec professionals how to think about OT security. This segment discusses looking at crown jewel analysis and understanding what really matters within your environment.

Control Loop News Brief.
US Department of Energy seeks to improve visibility into ICS environments. “DOE Pivots Security Strategy as 'Smart' Tech Use Soars,” (GovCIO)
NIST proposal for upgrading cybersecurity at water plants. “NIST proposes project to improve cybersecurity at water utilities,” (FedScoop) “[Project Description] Securing Water and Wastewater Utilities: Cybersecurity for the Water and Wastewater Systems Sector,” (NIST) “Securing Water and Wastewater Utilities,” (National Cybersecurity Center of Excellence)
Critical vulnerability affects flow computers. ABB Oil and Gas Flow Computer Hack Can Prevent Utilities From Billing Customers (SecurityWeek)
CISA releases twenty ICS Security Advisories. CISA Releases Twenty Industrial Control Systems Advisories (CISA)

Control Loop Interview.
Guest Ashif Samnani, Industrial Control System Cyber Security Leader at Cenovus Energy, shares some insights from his nearly two decade career across the OT world.

Control Loop Learning Lab.
Our Learning Lab segment is the third in a series of three with Mike Hoffman, Principal Industrial Consultant at Dragos, teaching infosec professionals how to think about OT security. This segment discusses looking at crown jewel analysis and understanding what really matters within your environment.

The podcast and artwork embedded on this page are from CyberWire Inc., which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Control Loop: The OT Cybersecurity Podcast
Looking to the future of the OT space.

Control Loop: The OT Cybersecurity Podcast

Play Episode Listen Later Nov 16, 2022 35:29


The US Department of Energy seeks to improve visibility into ICS environments. NIST has issued a proposal for upgrading cybersecurity at water plants in the US. A patch has been issued for a critical vulnerability that affects flow computers from ABB. Guest Ashif Samnani of Cenovus Energy shares insights from his nearly two decade career in the OT world. In the Learning Lab, hear the third in a series with Mike Hoffman, a Principal Industrial Consultant at Dragos, teaching infosec professionals how to think about OT security. This segment discusses looking at crown jewel analysis and understanding what really matters within your environment.

Control Loop News Brief.
US Department of Energy seeks to improve visibility into ICS environments. “DOE Pivots Security Strategy as 'Smart' Tech Use Soars,” (GovCIO)
NIST proposal for upgrading cybersecurity at water plants. “NIST proposes project to improve cybersecurity at water utilities,” (FedScoop) “[Project Description] Securing Water and Wastewater Utilities: Cybersecurity for the Water and Wastewater Systems Sector,” (NIST) “Securing Water and Wastewater Utilities,” (National Cybersecurity Center of Excellence)
Critical vulnerability affects flow computers. ABB Oil and Gas Flow Computer Hack Can Prevent Utilities From Billing Customers (SecurityWeek)
CISA releases twenty ICS Security Advisories. CISA Releases Twenty Industrial Control Systems Advisories (CISA)

Control Loop Interview.
Guest Ashif Samnani, Industrial Control System Cyber Security Leader at Cenovus Energy, shares some insights from his nearly two decade career across the OT world.

Control Loop Learning Lab.
Our Learning Lab segment is the third in a series of three with Mike Hoffman, Principal Industrial Consultant at Dragos, teaching infosec professionals how to think about OT security. This segment discusses looking at crown jewel analysis and understanding what really matters within your environment.

IoT For All Podcast
IoT Security Landscape in 2022 | WISeKey's Steve Clark | Internet of Things Podcast

Oct 27, 2022 (22:20)


Steve begins by introducing himself and his company before giving a high-level overview of the evolution of IoT security he's witnessed in his 15 years of working in the field. He then moves into a discussion about what companies should consider and the advice he would provide for adopters. Steve also touches on challenges in the industry and what identity as a basis for security is.

For 15 years, Steve has been influencing the design of secure semiconductors for secure applications at WISeKey, Lynx Corporation, and Atmel/Microchip. He is an innovator with expertise in IoT Architecture, Blockchain, PKI, Anti-Counterfeit, and Privacy. As a Security Technologist at WISeKey, Steve has written patents and been involved in shaping the semiconductor features to conform to the changing security landscape. In the IoT industry, he has been involved with setting security standards as a member of the Security Working Groups, including Wi-SUN FAN, Open Connectivity Foundation (OCF), and Industrial Internet Consortium (IIC). Most recently, he worked with NIST's National Cybersecurity Center of Excellence on the Trusted IoT Network Layer Onboarding project.

WISeKey (NASDAQ: WKEY; SIX Swiss Exchange: WIHN) is a leading global cybersecurity company currently deploying large-scale digital identity ecosystems for people and objects using Blockchain, AI, and IoT, respecting the Human as the Fulcrum of the Internet. WISeKey microprocessors secure the pervasive computing shaping today's Internet of Everything. WISeKey IoT has an installed base of over 1.6 billion microchips in virtually all IoT sectors (connected cars, smart cities, drones, agricultural sensors, anti-counterfeiting, smart lighting, servers, computers, mobile phones, crypto tokens, etc.). Their technology is trusted by OISTE/WISeKey's Swiss-based cryptographic Root of Trust (“RoT”). It provides secure authentication and identification for the Internet of Things and Blockchain in both physical and virtual environments. The WISeKey RoT serves as a common trust anchor to ensure the integrity of online transactions among objects and between objects and people.

ITSPmagazine | Technology. Cybersecurity. Society
Cyberattacks On Complex Supply Chains Are Difficult, But Not Impossible, To Resolve | A Crucial Conversation With Mark Weatherford

Oct 21, 2022 (41:48)


Global supply chains have grown much more complex than simply figuring out how to get products and services from Point A to Point B. Companies also depend on second-tier, third-tier, and even nth-tier vendors they don't know and have no relationship with for the services and components they require to operate.

Cyberattacks on software across these complex supply chain ecosystems have resulted in disruptions, defects, and diversions that are difficult to identify and resolve: one weak link in the chain can bring the entire ecosystem to a halt.

In this episode, Mark Weatherford, CSO at AlertEnterprise and Chief Strategy Officer at the National Cybersecurity Center, examines the importance of understanding vendor cybersecurity postures, not only of primary suppliers but of their suppliers as well. Weatherford also discusses how enterprise software components can come from vendors all over the world and how global events can impact supply chains. Weatherford then presents why the jobs of CISOs are so difficult in defending supply chains, along with a few tips for organizations to protect their operations.

Community Member Contributor: Mark Weatherford, CSO at AlertEnterprise [@AlertEnterprise] and Chief Strategy Officer at the National Cybersecurity Center [@NATLCyberCenter]
On Twitter | https://twitter.com/marktw
On LinkedIn | https://www.linkedin.com/in/maweatherford/

Host: Sean Martin
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

For more podcasts from Crucial Conversations with The Blue Lava Community, visit: https://www.itspmagazine.com/crucial-conversations-podcast
To access the full collection of Blue Lava Community resources, visit: https://itspm.ag/blclog22
To learn more about Blue Lava, visit: https://itspm.ag/blue-lava-w2qs

Are you interested in sponsoring an ITSPmagazine Channel?

Redefining CyberSecurity
Cyberattacks On Complex Supply Chains Are Difficult, But Not Impossible, To Resolve | A Crucial Conversation With Mark Weatherford

Oct 21, 2022 (41:48)


Global supply chains have grown much more complex than simply figuring out how to get products and services from Point A to Point B. Companies also depend on second-tier, third-tier, and even nth-tier vendors they don't know and have no relationship with for the services and components they require to operate.

Cyberattacks on software across these complex supply chain ecosystems have resulted in disruptions, defects, and diversions that are difficult to identify and resolve: one weak link in the chain can bring the entire ecosystem to a halt.

In this episode, Mark Weatherford, CSO at AlertEnterprise and Chief Strategy Officer at the National Cybersecurity Center, examines the importance of understanding vendor cybersecurity postures, not only of primary suppliers but of their suppliers as well. Weatherford also discusses how enterprise software components can come from vendors all over the world and how global events can impact supply chains. Weatherford then presents why the jobs of CISOs are so difficult in defending supply chains, along with a few tips for organizations to protect their operations.

Community Member Contributor: Mark Weatherford, CSO at AlertEnterprise [@AlertEnterprise] and Chief Strategy Officer at the National Cybersecurity Center [@NATLCyberCenter]
On Twitter | https://twitter.com/marktw
On LinkedIn | https://www.linkedin.com/in/maweatherford/

Host: Sean Martin
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

For more podcasts from Crucial Conversations with The Blue Lava Community, visit: https://www.itspmagazine.com/crucial-conversations-podcast
To access the full collection of Blue Lava Community resources, visit: https://itspm.ag/blclog22
To learn more about Blue Lava, visit: https://itspm.ag/blue-lava-w2qs

Are you interested in sponsoring an ITSPmagazine Channel?

Federal Drive with Tom Temin
Telehealth is on the rise and so are telehealth cyber attacks

Oct 17, 2022 (21:55)


Telehealth -- on the rise at Veterans Affairs and in the private sector -- has one thing in common with every other digital service: It's a cybersecurity risk. Now the National Cybersecurity Center of Excellence, part of the National Institute of Standards and Technology, is planning a healthcare project to establish best practices for security and privacy in telehealth situations. To find out more about the project, Federal Drive host Tom Temin spoke with Ron Pulivarti, senior cyber engineer.

IEEE SA VOICE
Securing the Telehealth Experience is Critical for Patient-Centered Care

Aug 11, 2022 (26:03)


Security and protection of personal data are core tenets in driving trust in the use of remote devices and technologies for monitoring or delivering virtual care. As healthcare intersects more with consumer wellness trends, the vulnerabilities and threats to security and privacy are amplified even further. Nakia Grayson and Ronald Pulivarti from the National Cybersecurity Center of Excellence (NCCoE) at NIST share the latest trends and efforts on how the industry is educating and offering practical guides to safeguarding the telehealth experience.

Up and to the Right
Spotlight: Cybersecurity Discussion with Vance Brown, CEO of Thrivers Leadership Institute

May 17, 2022 (38:32)


Today's guest in our “Spotlight” series is Vance Brown, CEO of the Thrivers Leadership Institute and former 4-year CEO of the National Cybersecurity Center. In addition, Vance has founded and led multiple non-profits, authored a book telling his story and learnings as an entrepreneur, and has been the CEO of three other software companies in his extremely illustrious career. Who should we talk to next? Email: info@signaturewmg.com. Learn more at signaturewmg.com

CERIAS Security Seminar Podcast
Bill Newhouse, "Challenges at the NIST National Cybersecurity Center of Excellence"

Mar 23, 2022


What kind of projects does one get to lead at an applied cybersecurity center within the National Institute of Standards and Technology (NIST)? This talk will offer insight on the cybersecurity challenges being addressed by projects led by the speaker since he began working at the National Cybersecurity Center of Excellence in 2016. The talk will touch upon the establishment of a collaborative team made up of industry, academic, and government members for each project, and discuss how each project leverages a cybersecurity standard or best practice in the functional reference designs built for each project. Throughout each phase of each project, we seek to collaborate, share (document in NIST Special Publication 1800 series practice guides), and advocate for the adoption of our work. This talk will offer some insight into the evolving series of NIST Special Publications known as practice guides (or 1800 series documents) and how these publications connect with the foundational NIST Special Publications in the 800 series that are often used to set Federal government standards in computer security, information security, and cybersecurity while often being voluntarily adopted as guidance and standards by industry. This talk aims to leave enough time to address questions and explore whether the audience has new challenges that should become an NCCoE project in the future. At some point during the lecture, the following terms or phrases will be used: cybersecurity framework (functions, categories, subcategories), privacy framework, risk management framework, security and privacy controls, mitigating cybersecurity and privacy risk.

@BEERISAC: CPS/ICS Security Podcast Playlist
29: How to Be a Good CISO Even in the Face of Challenges with Mark Weatherford

Mar 16, 2022 (54:14)


Podcast: Control System Cyber Security Association International: (CS)²AI
Episode: 29: How to Be a Good CISO Even in the Face of Challenges with Mark Weatherford
Pub date: 2022-03-08

Derek Harp is happy to have Mark Weatherford, the CSO at AlertEnterprise, and the Chief Strategy Officer at the National Cybersecurity Center, joining him today for another episode in the series of security leader interviews!

Mark grew up on a farm in an agricultural community in Northern California and left the farming life to embark on a career in the Navy and travel the world as a technologist, helping companies in cyberspace. Throughout his career, he always planned to get back into ranching. Apart from being a well-known security leader, Mark is a military veteran, technologist, beekeeper, hunter, pilot, and a soon-to-be rancher and gardener. He is also a husband and father.

Mark has had various executive-level cybersecurity roles, including Global Information Security Strategist at Booking Holdings, Chief Cybersecurity Strategist at vArmour, a Principal at The Chertoff Group, Chief Security Officer at the North American Electric Reliability Corporation, and Chief Information Security Officer for the state of Colorado. He was appointed in 2008 by Governor Arnold Schwarzenegger to serve as California's first Chief Information Security Officer. In 2011, he was appointed by the Obama Administration as the Deputy Under Secretary for Cybersecurity at the U.S. Department of Homeland Security.

Mark is a well-rounded individual who does a variety of interesting things. In this episode of the (CS)²AI Podcast, he shares his backstory and describes his career journey. He talks about the challenge CISOs face today, explains why relationships are vital, and discusses what it takes to be a good CISO today. He also offers some valuable nuggets of career advice for listeners. You will not want to miss this episode if you are in a first-time CISO role or considering making a career in cybersecurity. Stay tuned for more!

Show highlights:
Growing up, Mark was always playing around with electricity, wiring up motors and lights, and often overloading circuits and blowing breakers. (3:20)
Mark became a cryptologic technician in the Navy and focused on signals intelligence. (4:50)
In 1994, Mark wrote his grad school thesis on information security. That changed his life and set the stage for his future. (7:59)
Mark created the Navy's first operational red team. (10:14)
Mark explains why a CISO cannot be an expert today. (12:20)
Mark got hired as the first CISO for the state of Colorado. It was a great learning experience! (15:06)
Why is becoming a CISO all about developing relationships? (19:47)
Mentoring others is one of the most satisfying things Mark has ever done. (25:28)
Mark had a lot of influence in his role at DHS. (32:01)
Some advice for people thinking of taking on CISO roles. (35:34)
What do you need to focus on and learn if you are aiming for a senior CISO position? (38:24)
What do people in advisory board roles do? (46:08)

Links:
(CS)²AI
Mark Weatherford on LinkedIn
AlertEnterprise
National Cybersecurity Center

Control System Cyber Security Association International: (CS)²AI
29: How to Be a Good CISO Even in the Face of Challenges with Mark Weatherford

Mar 8, 2022 (55:35)


Derek Harp is happy to have Mark Weatherford, the CSO at AlertEnterprise, and the Chief Strategy Officer at the National Cybersecurity Center, joining him today for another episode in the series of security leader interviews!

Mark grew up on a farm in an agricultural community in Northern California and left the farming life to embark on a career in the Navy and travel the world as a technologist, helping companies in cyberspace. Throughout his career, he always planned to get back into ranching. Apart from being a well-known security leader, Mark is a military veteran, technologist, beekeeper, hunter, pilot, and a soon-to-be rancher and gardener. He is also a husband and father.

Mark has had various executive-level cybersecurity roles, including Global Information Security Strategist at Booking Holdings, Chief Cybersecurity Strategist at vArmour, a Principal at The Chertoff Group, Chief Security Officer at the North American Electric Reliability Corporation, and Chief Information Security Officer for the state of Colorado. He was appointed in 2008 by Governor Arnold Schwarzenegger to serve as California's first Chief Information Security Officer. In 2011, he was appointed by the Obama Administration as the Deputy Under Secretary for Cybersecurity at the U.S. Department of Homeland Security.

Mark is a well-rounded individual who does a variety of interesting things. In this episode of the (CS)²AI Podcast, he shares his backstory and describes his career journey. He talks about the challenge CISOs face today, explains why relationships are vital, and discusses what it takes to be a good CISO today. He also offers some valuable nuggets of career advice for listeners. You will not want to miss this episode if you are in a first-time CISO role or considering making a career in cybersecurity. Stay tuned for more!

Show highlights:
Growing up, Mark was always playing around with electricity, wiring up motors and lights, and often overloading circuits and blowing breakers. (3:20)
Mark became a cryptologic technician in the Navy and focused on signals intelligence. (4:50)
In 1994, Mark wrote his grad school thesis on information security. That changed his life and set the stage for his future. (7:59)
Mark created the Navy's first operational red team. (10:14)
Mark explains why a CISO cannot be an expert today. (12:20)
Mark got hired as the first CISO for the state of Colorado. It was a great learning experience! (15:06)
Why is becoming a CISO all about developing relationships? (19:47)
Mentoring others is one of the most satisfying things Mark has ever done. (25:28)
Mark had a lot of influence in his role at DHS. (32:01)
Some advice for people thinking of taking on CISO roles. (35:34)
What do you need to focus on and learn if you are aiming for a senior CISO position? (38:24)
What do people in advisory board roles do? (46:08)

Links:
https://www.cs2ai.org/ ((CS)²AI)
https://www.linkedin.com/in/maweatherford/ (Mark Weatherford on LinkedIn)
https://alertenterprise.com/ (AlertEnterprise)
https://cyber-center.org/ (National Cybersecurity Center)

Mentioned in this episode:
Our Sponsors: We'd like to thank our sponsors for their faithful support of this podcast. Without their support we would not be able to bring you this valuable content. We'd appreciate it if you would support these companies because they support us! Network Perception, Waterfall Security, Tripwire, KPMG Cyber.
Join CS2AI: Join the largest organization for cybersecurity professionals. Membership has its benefits! We keep you up to date on the latest cybersecurity news and education. https://cs2ai.captivate.fm/cs2ai (Preroll Membership)

The Daily Scoop Podcast
The Daily Scoop Podcast: October 20, 2021

Oct 19, 2021 (33:28)


On today's episode of The Daily Scoop Podcast, General Dynamics has filed a bid protest over a Department of Homeland Security (DHS) cloud contract award. Nick Sinai, Senior Advisor and Venture Partner at Insight Partners and former U.S. Deputy Chief Technology Officer, explains how the U.S. Digital Corps is working to increase diversity and inclusion in the federal IT workforce. Natalia Martin, Acting Director, National Cybersecurity Center of Excellence, joins CyberScoop Editor-in-Chief Jeff Stone during CyberWeek to discuss priorities at NIST's Information Technology Laboratory. Matthew Travis, CEO, CMMC Accreditation Body, joins FedScoop reporter Jackson Barnett during CyberWeek to break down what the defense industrial base should know about Cybersecurity Maturity Model Certification (CMMC). Peter Romness, Cybersecurity Programs Lead, U.S. Public Sector, Cisco Systems, shares insight on the recent cybersecurity push from the federal government and how agencies can leverage zero trust and dual-factor authentication. This interview was underwritten by Cisco Systems. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.

The Broadband Bunch
“We focus on narrowing the battlefield of cybersecurity.” Kyle Glaesar, Underline

Sep 28, 2021 (13:51)


In this episode, Pete chats cybersecurity with Kyle Glaesar of Underline. How do we work security into the conversation? As networks grow, their exposure gets greater. It's vital that organizations get ahead of the curve as data and network systems become more exposed and vulnerable. Click now to listen. Also, be sure to follow the Broadband Bunch on your favorite podcast platform so you never miss an episode! To learn more about cyber security visit: National Cybersecurity Center

The "SmallsCast" Podcast
The Smalls talks to Exponential Impact!

Aug 9, 2021 (44:18)


Listen in as your hosts Just Nate and DK (along with an in-house listener, PhD Chris) talk with Prakhar Gautam, Program Coordinator. Prakhar works for Exponential Impact out of Colorado Springs, CO. Exponential Impact's mission is simple: give early-stage entrepreneurs focused on emerging technologies the best start humanly possible. We develop founders and startups by equipping them with resources and expertise, then strengthen their connections to create rich environments of innovation and collaboration. STUNNING ENVIRONMENT. MODERN FACILITIES. The business climate is booming in Colorado Springs, with gains in virtually every industry. We have a rich history in technology and innovation, and industries like cybersecurity and defense are growing exponentially. Colorado Springs is only one hour from Denver and minutes from the mountains. XI is situated next to the National Cybersecurity Center and the University of Colorado Springs. Our state-of-the-art facilities offer a graduated workspace for your teams to meet and grow your ventures. Listen in as Prakhar talks us through what his program does and teaches us all about pre-seed money, seed money and Series money.
Pre-Seed Money = $50k
Seed Money ~ $150k
Series A Round ~ $4-$5M
Look them up at: https://www.exponentialimpact.com/ or you can go here: https://www.exponentialimpact.com/springsstartup/

Colorado = Security Podcast
219 - 8/2 - Chris Stolley, CRO at SecurityAdvisor

Aug 1, 2021 (58:31)


Our feature interview this week is with Chris Stolley, Chief Revenue Officer at SecurityAdvisor, interviewed by Janelle Hsia. News from Swimply, SolarAPP+, Endeavour Capital, Palantir, National Cybersecurity Center, CyberGRX, Coalfire, Red Canary and a lot more! Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com

This week's news:
Join the Colorado = Security Slack channel
A growing number of the Denver metro's backyard pools are available to rent
Coors and Chipotle, sure, but did you know these other national brands started in Colorado?
Can tech born in a Colorado lab solve rooftop solar's biggest headache?
Why this private equity firm is hyperfocused on the West, including Denver
Denver's Palantir launches new initiative to support early-stage startups
New Adult Education Class Starting in September
EY winner CyberGRX scales cybersecurity for business
Thinking about data privacy strategically: four key questions
Debbi Blyth leaves CISO position
Red Canary Adds Chief Trust Officer to Enhance Customer Security

Job Openings:
Red Canary - Director, Product Security
Red Canary - Program Manager, Trust
Red Canary - Product Security Engineer
Coalfire - Director Strategy, Privacy and Risk Advisory - Healthcare
Western Governors University - Application Security Engineer
Trimble - Cyber Security Risk Analyst
Western Union - Cloud Cyber Security Senior Engineer
Premier Members Credit Union - AVP Information Security
IHS Markit - Compliance Manager
Crocs - Sr. Manager, IT Security
Guild Education - Senior Security Engineer

Upcoming Events: This Week and Next:
ISSA Denver - August Chapter Meeting - 8/11
SecureSet - Hacking the Cybersecurity Job Market | In-Person - 8/11
Measuring your Software Security Program - 8/13
View our events page for a full list of upcoming events

* Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here.
* Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

Mingis on Tech
What the Colonial Pipeline ransomware attack suggests about critical infrastructure security

May 12, 2021 (22:09)


The largest fuel pipeline in the United States, Colonial Pipeline, halted operations because of a ransomware attack. The attack was carried out by the cybercriminal group DarkSide. Much of the pipeline remains offline, although the pipeline operator aims to restore service by the end of the week. Mark Weatherford is the CISO at AlertEnterprise, Chief Strategy Officer at the National Cybersecurity Center and the former Deputy Under Secretary for Cybersecurity at the U.S. Department of Homeland Security. He joins Juliet to discuss what the Colonial Pipeline attack suggests about the state of critical infrastructure security, national security concerns and what steps critical infrastructure companies should take to secure their enterprise.

Federal Drive with Tom Temin
NIST partners with an industry that's become fresh prey for cyber hackers

Apr 19, 2021 (10:34)


Feds will eventually travel again on business. And when they do, their personal data will end up in property management systems, the systems hotels use to manage and book space. It turns out these systems are vulnerable to hackers seeing personal information. Now the National Institute of Standards and Technology has released results of focused work with the industry to help the situation. Joining the Federal Drive with more, National Cybersecurity Center of Excellence engineer Bill Newhouse.

the CYBER5
Mastercard's Cybersecurity Strategy to Secure the Digital Ecosystem

Apr 9, 2021 (27:17)


In episode 43 of The Cyber5, we are joined by Steve Brown, Director of Cyber & Intelligence Solutions for Europe at Mastercard. Steve discusses the key aspects of cyber defense learned while working international cyber crime investigations with the United Kingdom's National Crime Agency. He will discuss the proven approach of prevent, protect, prepare, and pursue. We will also discuss the role Mastercard is taking in fighting cyber criminals, key aspects of adversary attribution, and how the public and private sector can forge better partnerships to combat cyber crime.

5 Topics Covered in this Episode:

1) Four P Approach: Prevent, Protect, Prepare, and Pursue (01:59 - 06:08)
Cyber criminals are not siloed. They coordinate on what is working and adjust quickly to take advantage of new vulnerabilities. To combat their adaptive approach, enterprises must have an equally collaborative model.
Prevent: Mastercard is working with charities, non-profits, research centers, and universities to encourage individuals with technical backgrounds to pursue a career outside of cyber crime.
Protect: Providing customers of Mastercard with the right knowledge and intelligence to proactively protect themselves.
Prepare: Complementing playbooks with red teaming and resilience for Mastercard and its customers to ensure business continuity when an attack occurs.
Pursue: It's not just about arrests; it's about Mastercard providing intelligence on infrastructure takedowns, victim engagement, and witness testimony.

2) Mastercard's Cyber Security Strategy: Pioneering the Security of the Digital Eco-System (06:08 - 09:57)
Mastercard's cybersecurity strategy is about securing the entire digital eco-system, both within and external to the perimeter. They want to be actively involved in the cybersecurity community and prioritize technologies that better define authentication across payment systems, identify anomalies that are congruent to compromised data and fraud, and improve standards and best practices. In November 2020, they launched Mastercard Cyber Secure, a unique AI-based technology that better addresses account data compromise events through identification and notification. In practice, victims are generally notified after initial intrusion. After the alert, cyber criminals use the compromised data to facilitate other crimes, including fraud, human trafficking, and espionage. Using risk assessment technology, Mastercard identifies, assesses, and prioritizes those vulnerabilities to Mastercard acquirers around the world. This is particularly critical for the small business community.

3) Mastercard's Role in Third Party Risk Management (09:57 - 11:43)
A critical part of securing the external perimeter is understanding third party suppliers. Mastercard's acquisition of RiskRecon is a testament to their dedication and diligence around third party vulnerabilities.

4) Know Your Adversary: Attribution is an Aspect of Resilience (11:43 - 20:45)
Attribution must be a critical part of enterprise cybersecurity strategy. Proper attribution can be a major source of resilience when responding to a cyber attack. Understanding infrastructure, personalities, actor groups, and TTPs informs proper controls and response strategy. Data collected by enterprises is critical to fighting cyber crime, and enterprises must facilitate ways to legally process and share data and experiences. Enterprises must rely on gaining information and attribution on cyber crime and espionage efforts without the assistance of government organizations. Illustrating the ability to scale security operations and recover from a cyber attack is of critical concern to boards, investors, and shareholders.

5) Private Sector's Increasing Role in Preventing Cyber Crime (20:45 - 26:00)
The private sector must increase collaboration with the public sector. While this is happening at the tactical, strategic, and inter and intra-governmental levels, it is still not happening at the speed and scale necessary to be effective. The National Cybersecurity Center in the UK and the National Cyber Forensics and Training Alliance (NCFTA) are two organizations that bring together cybersecurity practices and investigative techniques.

Colorado = Security Podcast
205 - 4/5 - Melissa Cooper and John Rosendahl @ Sovrn

Apr 4, 2021 (61:24)


Melissa Cooper, Director, Privacy and Compliance at Sovrn Holdings, Inc. and John Rosendahl, Engineer at Sovrn Holdings, Inc. are our feature guests this week and are interviewed by Janelle Hsia. News from Whataburger, Frontier Airlines, The National Cybersecurity Center, Stack Hawk, Red Canary, Optiv, zvelo, Webroot, and a lot more! Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com

This week's news:
Join the Colorado = Security Slack channel
Whataburger Plans New Location on the Moon...and in Colorado
Frontier Airlines finally lands on the stock market with $570 million IPO
The 50 Best Places to Travel in 2021
A champion is crowned in the 2021 Tech Madness competition
Election officials herald Colorado's process as "gold standard" in voting
NATIONAL CYBERSECURITY CENTER LAUNCHES NATIONWIDE CYBERSECURITY INITIATIVE
Take action with the 2021 Threat Detection Report
Optiv Security Introduces Enterprise Lab Focused on IoT in IT
zvelo Launches Cybersecurity Professional Services for Malware Analysis, External Threat Hunting and Brand Vulnerability Assessment
Why MSPs Need to Shift from Cybersecurity to Cyber Resilience

Job Openings:
The Broadmoor - Information Systems Network Administrator
Red Canary - Senior Incident Handler
OTS - OTS DevSecOps Engineer
Checkpoint - Chief Information Security Officer (CISO), West
Randori - HOC Attacker
Oracle - Senior Assurance Engineer
Spectrum - Security Engineer I
Brownstein Hyatt Farber Schreck - Information Security Analyst
Colorado Judicial Branch - Network Security Engineer
Conga - Lead Information Security Analyst
TrackVia - Security Automation Engineer

Upcoming Events: This Week and Next:
ISSA COS April Chapter Meeting - 4/6
ISSA CO Mini Seminar - 4/10
CTA - COLORADO PRIVACY ACT WEBINAR - 4/13
ISSA Denver - April Chapter Meeting - 4/14
ASIS - WIS : COFFEE CHAT WITH KATIE JUMP - 4/15
View our events page for a full list of upcoming events

* Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here.
* Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

RSA Conference
Reduce the Cybersecurity Risks for Property Management Systems through Secure Payment Practices

RSA Conference

Play Episode Listen Later Mar 22, 2021 42:02


Hotel chain data breaches have resulted in huge financial loss and reputational harm. Unlike other consumer-facing businesses, such as retail stores, hotels must hold onto payment card data for extended periods, passing this valuable data among many participants in the payment security ecosystem as customers make reservations and complete travel. In this podcast, our guests will identify and discuss how organizations can reduce the risks associated with handling payment card information for hotels and, in turn, begin to strengthen the cybersecurity of the property management system (PMS). For more information, visit NIST’s project on Securing Property Management Systems: https://www.nccoe.nist.gov/projects/use-cases/securing-property-management-systems

Speakers:
• John T. Bell, Founder and Principal Consultant, Ajontech LLC
• Arshad Noor, CTO, StrongKey
• Bill Newhouse, Cybersecurity Engineer, National Cybersecurity Center of Excellence (NCCoE)
• Kacy Zurkus, Content Strategist, RSA Conference

CarahCast: Podcasts on Technology in the Public Sector

On behalf of F5 and Carahsoft, we would like to welcome you to today's podcast, focused around zero trust, where Scott Rose, computer scientist at NIST and a co-author on NIST's 800-207, Zero Trust Architecture publication; Gerald Caron, Director of Enterprise Network Management for the Department of State; Brandon Iske, Chief Engineer at DISA; and Jason Wilburn, zero trust engineer at F5, will discuss the pros and cons of different zero trust designs, how other federal initiatives tie into zero trust, and understanding what zero trust principles do for cybersecurity posture.

Ryan Johnson: Thank you. Once again thanks, everyone, for joining. My name is Ryan Johnson. I'm a solutions engineering manager with F5 Government Solutions. Today, we have a group of exciting guests, mostly from the federal space, to discuss zero trust in theory and talk about the implementation of zero trust. First off, I have Scott Rose with NIST. Scott, would you like to talk a little bit about yourself?
Scott Rose: Sure, thanks. I'm Scott Rose. I am currently at the Information Technology Lab at NIST. I am the coauthor of the NIST special publication 800-207, Zero Trust Architecture, and also, attached as a subject matter expert for the upcoming NCCOE, or National Cybersecurity Center of Excellence Project on Zero Trust Architecture.
Ryan Johnson: Thank you, Scott. If anyone hasn't had a chance to read that 800-207, definitely take a look. It's well worth your time. Next off, we have Gerald Caron who's with HHS. Gerald, would you like to tell us a little about yourself?
Gerald Caron: Well, I'm on detail to HHS, but technically I am the representative of the Department of State, then SES. I'm the director for Enterprise Network Management at the Department of State. Basically, the infrastructure person, do the network, active directory, a lot of the security implementation aspects of things. I am participating and starting to co-chair the CIO's innovation council working group on zero trust.
I am Forrester certified and zero trust strategist as well.
Ryan Johnson: Very good. Thank you, Gerald. Next up, we have Jason Wilburn with F5 Networks. He's an identity and access guru or [inaudible 00:02:20], if you will. Jason, would you like to tell us a little bit about yourself?
Jason Wilburn: Sure. Thanks, Ryan. So, I'm a system engineer, covering the system integrator space for F5 Federal. But as Ryan mentioned, I am also the co-lead for [inaudible 00:02:35], which is anything related to access and authorization controls or access policy manager product.
Ryan Johnson: Thank you, Jason. Next up, we have Brandon Iske with DISA. Brandon, would you like to tell us a little bit about yourself?
Brandon Iske: Yes, thank you, Ryan. So, I'm Brandon Iske. I'm the Chief Engineer for our Security Enablers Portfolio. So, that includes ICAM or Identity and Credential Access Management, Zero Trust reference architecture development, Public Key Infrastructure, PKI, and then Software Defined Enterprise. So, I'm part of the Defense Information Systems Agency. Again, it's a [inaudible 00:03:12] support agency to the Department of Defense. Thank you.
Ryan Johnson: Well, thank you, Brandon. There are two topics we're going to talk about. The first is behind the theory Zero Trust, understanding federal zero trust straight from the source. The second topic is the reality, the implementation of zero trust. So, jumping into the first topic, the theory. This question to you, Scott Rose. You're one of the authors of NIST 800-207 Zero Trust Architecture. Can you tell us briefly what problem zero trust is trying to solve, and what are the main goals?
Scott Rose: Well, yeah, zero trust is the new paradigm of how you want to look at enterprise security.
Basically it's taking a lot of the trends that we saw emerging over the last 10 years or so and pulling them together and layering them together to solve what we see is like company attacks that the common script from attacks that you see are going out there. It's where the initial breach happens. The attacker then moves laterally through the network, and then performs the actual attack ransomware, data exfil, whatever. Then they're not discovered until the next audit, some six, eight months later.
Zero trust tries to minimize that kind of attack scenario where you segment away, you micro segment away resources, you do endpoint security, you do strong authentication both inside the infrastructure, on-prem as well as outside coming in to limit that lateral movement and make sure that every connection from a client to an enterprise and resource is both authenticated and authorized. The ideas that you want to try, don't rely on your perimeter defenses anymore, but you're doing it every step of the way. So, there's a little mini perimeter around like now, every resource and every user. So, you always have, at least, more knowledge, not total knowledge, of what's going on in your enterprise.
Ryan Johnson: Thank you Scott. This next question is for you, Gerald. What is the biggest misconception about zero trust?
Gerald Caron: First of all, the level setting on the definition that I find is most difficult and people really understanding. No offense to any of the vendors here, but depending on who you talk to, they spend the definition their own way. So getting that common understanding of what zero trust is, is really important. Some people think its identity, but it's a little more than that. As Scott was saying, it's about protecting what's important and shifting that paradigm in that culture that we do. We're very compliance-focused culture.
FISMA makes us that way, put our scorecards, things like that.
But I think zero trust gets us to a more effective cybersecurity posture. Commonly, we've done that peanut butter spread approach, where we try to protect everything equally, with Frederick the Great says, "If you try to protect everything equally, you protect nothing." That quote up, basically, but great IT innovator that he was. But really that peanut butter spread approach is not sustainable. You can't cover everything you can't 100 be and 100% patched when you have 109,000 workstations across the world. It's pretty unlikely.
So what's important, as Scott was talking about? What's important? Definitely, if you need to understand what zero trust is. You're grappling with that definition. Yes, definitely. Don't suggest, but do read 800-207. I believe, and Scott would agree with me that, that's going to morph as new technologies and capabilities and concepts come about, that that is going to morph and mature as we go along on this journey as well.
Ryan Johnson: Yeah, I would agree with you on that. This next question's to Brandon. Looking ahead, what are the next or the biggest stumbling blocks for creating a zero trust environment?
Brandon Iske: Thank you for that question. So from my perspective, I think within DISA and DoD again, we're a very large environment. So I think from our vantage point, just trying to set the standards is really what where we're at. So again, we very much leverage the 800-207 as a framework for DoD and what we develop for the zero trust reference architecture. So, we've recently approved that. So that's available internal to the DoD right now. So that's our way to get the common framework, and language, and taxonomy established across the department.
Other trends, we see, again a lot of the pillars of zero trust really do rely on existing capabilities and cybersecurity efforts that we have.
From my vantage point, I think there are a few gaps in those technologies, at least, for what the department has adopted from an enterprise perspective. So, I'll talk on some of those. Again, it's making sure we're doing the existing capabilities, whether it's ICAM, whether it's endpoint, whether it's network segmentation. All those things really have to start coming together. Again, it's eliminating those stove pipes and enabling more API access to these capabilities, tighter integration, and really trying to drive towards conditional access beyond just what we do with PKI, CAC, or PIV today.
The one gap I see the department has been looking at pretty heavily across the board is as how do we access our IL5 cloud environments from commercial internet. Really with COVID and mass telework, that's been a big challenge for us is to enable secure, collaboration, and access to applications and data, but still from most of us being off the network. So, for [inaudible 00:09:07] that's a big challenge because, in those cases, a lot of our designs assume all the users are on inside the perimeter. So, this concept really changes that or turns the problem on its head. So again, that's secure access.
We're also looking at some of the SASE-type capabilities or secure access edge capabilities. But even in that space, the DoD is large. We're not going to be able to just use one vendor across the board. So, trying to drive interoperability of those capabilities, looking at what's best of breed, but also how can we... I don't want to have 10 agents on my computer just to be able to get to different applications across the department. So those are some of the big challenges I think we still see ahead of us beyond just the obvious cultural challenges of getting everyone to understand the concept, build their maturity model towards that, and then adopt these concepts and integrations.
Ryan Johnson: Yeah. I would definitely agree with you. This is not a single vendor solution by any means.
This will be a grouping of different vendors to maybe some homegrown stuff to address these type of issues. Thank you, Brandon. Next question is to Jason Wilburn. Zero trust makes identity the new perimeter. Why does zero trust take this approach?
Jason Wilburn: So, one of the things that I always laugh when I hear that it's the new perimeter because I've heard that it's the new perimeter for 10 years. I think I even have it coined from F5 from eight years ago, they said identity is the new perimeter. So I guess my wife's car that's 10 years old is still new to her. So, the fact is, is identity, really, is a linchpin in a zero trust infrastructure because without identity, you can't really secure anything because we have to know who that person is or what is making that request. That becomes really important in a couple of things.
One is the account creation. Are we creating accounts? Where do those accounts live, and how many entities of that identity actually just wrote an organization because the identity of John Smith can exist in multiple places? Really, what we're trying to do is to reduce the number of identities down to really holistically one single identity for, say, John Smith. But also, the next piece and that is really getting down to how they authenticate or how they assert themselves inside of the environment.
That really gets down to things like multifactor neighbor, or if we can really get to the holy grail of going full password, which in the federal space we do a lot of passwordless-based authentication, doing things like smart cards, CAC, PIV, things like that.
That's really what we're trying to do is truly validate that that user is who they really are because to truly achieve zero trust, a lot of things revolve around one knowing who that user is and then once that user starts doing things within the network, really, should he be able to do those things in this network based off the permission levels and their user behavior and the device they're coming from, and where they're going to, but it all really revolves around the first step, and that user... they're truly identifying who that user is.
Ryan Johnson: Yeah. That ties into what everyone else has said, as well Jason. Appreciate that. The-
Gerald Caron: Ryan, can I add something to that question?
Ryan Johnson: Absolutely.
Gerald Caron: That identity of the new perimeter thing really scares me because then people get super focused on identity and say [inaudible 00:12:57] zero trust. That's just a, for lack of a better term, a pillar. Everything Jason said is absolutely important. But if Jason's account got compromised, for instance, what's the first two questions probably the cyber guy is going to ask that's looking at the problem? What did he have access to, and is there [inaudible 00:13:16]?
So it actually becomes about the data more than anything. So, it's about protecting that data at the end of the day. So I think it's really important. I think one of the things that, really, an identity itself is we do it very linear today, where it's one-time authentication, it's one-time access and then. Okay. Have a nice day. It's got to be a constant dynamic checking and rechecking of many other factors, as well as authentication and access. It's going to be continuous.
Jason Wilburn: Yeah. You're completely right, Gerald.
Identity really is just one more data point to determine access to something, right?
Gerald Caron: Yeah, I totally agree. I just like to clarify that that's just one piece of it. [crosstalk 00:14:01].
Ryan Johnson: Not the entire enchilada, if you will.
Gerald Caron: Correct because I see a lot of people talk about it that way.
Jason Wilburn: No, no.
Ryan Johnson: Yeah, I would agree with you on that because a lot of places aren't doing that currently, and they think this is the solution, but it's just, like you said, part of the solution.
Jason Wilburn: Right. The enforcement point, like to take back to Scott's document, with the 207, the enforcement point's right, they will know about the identity, but the enforcement point takes in a lot more consideration beyond just the user's identity. There's all that telemetry data that we're getting in. What's the machines coming from? What they're trying to access? There's lots more information than just the user identity to determine access control.
Gerald Caron: Right. It's not always a human, right.
Jason Wilburn: That's right.
Gerald Caron: There's data flowing all the time and then there's data at rest. So, you got to protect that. There's not always the human involved.
Jason Wilburn: Completely right. So let's go down the road of what do we do with the service account that's coming from and making an API call from one PC to another PC in the same data center. How do you validate that and secure that beyond really when I think...
a lot of times when we talk about zero trust, a lot of times we talk about remote users or just users in general, talking to resources and what we've been trying to get away from [inaudible 00:15:24] the user doesn't really matter where they live, whether they live in corporate environment or whether they live at home, or they're in Starbucks, where the user live resides doesn't really matter because at a network level, that's just an IP address.
We care about, one, how did they authenticate; and two, what device are they trying to access from, not just... is he on the corporate... The corporate land might give us more information and more telemetry by just being on the WiFi at Starbucks, but it's more than identity definitely.
Ryan Johnson: One thing that really hits home for me is the proliferation of modern applications, and API's talking everything. You got APIs on the cloud or even within the same agency or interagency or app, however, and Gerald's point about these non-human interactions verifying those, especially, when it's so spread out with different APIs. To me that really hits home. The next question is to Scott. There are multiple architectures listed in the 800-207. Why would an organization choose one architecture over another?
Scott Rose: Basically, as they need to look at whatever they're trying to push a zero trust architecture on, what workflow, what mission they're doing, all that will help decide which model will fit best for them. You got to take into account, both what they may already have owned or what technology needs they have, what can they just... what they can use anyway, just configure in a different way.
Let's say they already went with vendor A and they have an installed base, but there are certain features that they're not using now, but as they move towards a zero trust architecture, they just turn those on because some things work better than others, some solutions require like agents installed, may not be able to put agents on things, especially if you're looking at [inaudible 00:17:28] an IoT kind of deployment. You can't push a lot of agents on the small form devices, but you have to go with a different model there.
But when it comes to the approaches that we described, like the enhanced identity governance, microsegmentation, software-defined perimeters, I think of the most mature as zero trust enterprises and architectures out there will have elements of all three. Those three approaches, we're just calling those like what is the load bearing technology that you're using in your architecture, whereas the models are more of what kind of products are you using, that dictates the model. Whereas like what technology are you putting the emphasis on, whether you're the identity management governance part, the micro segmentation parts, or using a software-defined networking or software-defined perimeter model. All those depend on what you're doing in that initial analysis, both what is the mission or workflow that you're working on to try and make more secure, and then you develop the other set of policies and controls around those, and then those guide you as to which model that you may be going towards.
Ryan Johnson: Thank you, Scott. Appreciate that. Next question is to Gerald. Looking into the future, what's next in zero trust? What technologies are going to impact zero trust security or require security in a different way than we see right now?
Gerald Caron: Technology moves so fast nowadays, you can't keep up. As I'm speaking right now something new, something new just come out that I don't know about. But Brandon, I think, mentioned SASE and edge computing.
I think that's something that people are very much looking at services through the cloud. One of the things I advocate for that I'm looking at is I hate being tethered to an on-premise network. We're in a new normal. Everybody's working mobile now. I have to Boomerang back just to go back out to the cloud on the internet. So, how can I be untethered but to have all the security that I need in telemetry to make the right decisions is something that I'm looking at. So, it's something that I advocate for as well.
So, technology is moving so fast. I think some are a little more mature than others in this space. But I see it's going to be very much competitive because we're all looking this way now. I think, as I said before, we're all trying to become more effective at our cybersecurity, not just check marks and coming compliant. We really need to protect the data and then the things that we need to protect. I equate I get to protect the crown jewels versus the bologna sandwich. You can have my bologna sandwich. But I'm going to put my concentration on those crown jewels.
So understanding what's important to you and understanding what the heck is your risk posture. A lot of people struggle with accepting and understanding what their risk is. There is a lot of non-technical aspects to zero trust that people need to understand, the methodologies, what is your risk tolerance and the processes, and what is the data, and where is your data, and what is that categorization of that data. Those are all non-technical things. There's a lot of work in those areas that people do struggle with that I find. So, there's a lot. But I see every day talking with a lot of vendors, there's a lot of maturity in the space, and I just look forward to seeing some of the capabilities because there's a lot of concepts in 800-207, like I talked about ongoing authentication and ongoing access.
Right now, it's very linear still.
That's something that would be maturing that people are looking at doing so. I think there's a lot. I look forward to it because a lot of people are putting their emphasis here, especially, with what we just experienced with SolarWinds. There's a lot of focus in this area now, even more so if there wasn't before.
Brandon Iske: Ryan, if I can add in there, I think, Gerald is spot on. I think, as we can build towards more dynamic access, conditional access, and then having applications be aware of that context to govern what I can and can't do what's on that application. I think that's where... As all this comes together, those are the type of outcomes that we start to get at, whether if I'm from a personal device and maybe a low-assurance model, maybe I can't download attachments or something, but I can view those or view some content. So, those additional granular controls, I think, start to come out there, become achievable once we have some of these capabilities, conditional access and aggregation of telemetry together as well.
Jason Wilburn: If I can jump in, too, Ryan. I think that just being able to absorb the additional telemetry data, whether it be some sort of behavioral analytics coming out of a risk engine, just coming out of various security tools, I thought had mentioned this before, the breaking down of the silos between the team. I think that's one of the biggest things about zero trust. Holistically, from a security model perspective, what we're saying is that, hey, it all needs to work together as a single point of control that is closest to the resource, that Gerald mentioned. There can be some context around it that no longer is it just the firewall blocking IPs and things like that, and DLP looking at data exfil, and antivirus looking at what's happening on the server from a virus perspective or malware happening on the client.
It all needs to work together, and it all needs to come back because that becomes part of the behavior or of the workflow that's happening between the client and the resources for accessing so that we can truly understand, is this a permitted flow? Yeah, this is a permitted user coming from a permitted device to a resource that it should have allowed to.
But based off not just what happened at the very beginning of the session, but what's happening throughout the life of the session, what's changed throughout the life of the session, that becomes critically important to really secure everything day one because back to Gerald's data exfil comment. Cool. You've got access to the data right now. Should you be able to download some document or upload some document five minutes into the session based off what something has changed? Maybe not.
Ryan Johnson: Yeah, I agree that's what we're trying to get to. All right. That concludes the first topic of the theory. Now, we're going to jump into the second topic, the reality, adopting zero trust. The first question is once again to Scott Rose. What components are available to federal entities to assist in forming zero trust architecture?
Scott Rose: Well, most of these are not real solid technologies, but it's more of frameworks and things that may help. There are existing government programs already out there. Both like a DHS, they have their CDM program. There's FICAM, things like that. These are already in place to actually build these, kind of like what Gerald called the pillars of zero trust. They've already been in place for a while. We looked at how zero trust extends those, how those reliant on those programs.
I mean, as well as we have for NIST, there's the risk management framework. That isn't the end all be all, but you can think of that as a tool to help one level down.
Once you've developed that architecture, the RMF can maybe help develop that set of controls and checks in place to actually ensure that what you're doing, you're implementing correctly to your stated goals. These things are in place that are basically technology neutral, that whatever vendors you're using, you can always apply these frameworks and tools to help along the way.
In a way, that NIST, the Special Publication 800-207, that's also... think of that as a framework, [inaudible 00:25:53] just both on the architects, but also the way that the architects can then talk to the procurement people. They can, hopefully, understand what exactly you want. So when the procurement and the architects talk to the vendors, they're all speaking that same set of terms, not just [inaudible 00:26:09] randomly zero trust or something like that. There's actually a set of rules and uses for these technologies that they can both use as a common set of terms.
Ryan Johnson: All right, next question... Thanks again for that, Scott. Next question is for Gerald. What are the things that an enterprise needs to understand before migrating to ZTA or zero trust architecture?
Gerald Caron: That's a really good question. Think of the difficulty that some folks are going to have. I mentioned the data, understanding the data, where it is, where it's going and what classification it is. The where it's going. Where is it normally go? What is the flow? What is normal look like? How do you baseline normal? That's going to be really difficult because understanding what normal looks like will depend on when something happens now, what actions do I have to take? So understanding where that data flow is, where that data resides, what it is, who owns it because you're going to have to work with data owners. It's going to take a village. It's not just the network guys, not just the IT guys.
It's going to take a village to do with zero trust in my estimate at an agency.
But, as Scott was saying, be on the same page with terminology and things like that. But I think that's the difficult part. I think that answers one of the questions is how do you know what abnormal is? Well, you got to know what normal looks like to know what abnormal looks like. So I think that's really important. So, I like the inside out method, that start with the data, and then all right, what's facilitating access to that data. Device app. What do you do with those things, and then work back to the identity, given the right access to the right people at the right time.
We talked about this from the end user standpoint a lot. I want to go back to this. The administrators as well are very powerful. So you have to address the administrators. I think that gets lost a lot of times when people start talking about... They talk about users accessing data. Well, your administrators need to be addressed as well in a zero trust. So that's something that's difficult.
The one other thing I would say that's difficult, Ryan, is that we all, as different agencies, we all share data, we all classify it differently. If I want to share with Brandon a certain amount of data, I do sensitive but unclassified, but he may classify it in a different way. Where do we meet when we want to share data with those different classifications, so that we can properly do that? Then when I give Brandon my data, it's my data. He's going to be a good steward for it. If he doesn't have the right things in place, now, I've put my data out there. So, how can we all get on that same page? Interagency sharing is I think going to be a challenge as well.
Ryan Johnson: Absolutely. It makes complete sense. That's a big, big challenge. Next question is for Brandon. Is it necessary to have a ZTA if the enterprise does not utilize cloud resources?
Brandon Iske: Thank you for that question. I would say absolutely.
Again, the threat is the same whether you're in the cloud or not. So, whether you have disconnected resources, or closed networks, or connected networks. You still have very similar threats to some extent. So I think it absolutely applies. Again whether you look across the pillars, whether it's identity or endpoint, we still have to do those same things and even what we're doing in DoD to enhance our identity ICAM processes. Again, it's all about authentication and account lifecycle management. Those are the big pieces that... We still have a long journey to get to from an enterprise perspective to get those under control in a better fashion than what we do today.
We have CAC or PIV programs that are very strong, but again, those are a strong authenticator. It's the entire lifecycle of the additional pieces of identity that come into play. Again, all those same concepts apply regardless of where the data or applications exist. Other efforts that we've done in this arena as well, too, I would say is our cloud-based internet isolation. So again, this is a way that we move the end user browsing to a cloud environment for our actual benefit. So, in this case, basically, my browsing session is going to be terminated in a cloud environment. From a data protection and exploit perspective, those drive by downloads basically would happen in that cloud environment, not on my endpoint. So, it actually comes to help us also in this mass telework environment as well, too.
So, I can split my traffic going straight to the cloud for browsing and not backhaul that all the way back to the VPN to come on to the internal network.
So, that's given us a few really big benefits, again, in a very hybrid model where in some cases, we're using cloud; in other cases, we still have a huge set of legacy that's still going to be on-prem for the foreseeable future until they modernize or whatever schedule they have to modernize.
Jason Wilburn: Brandon, if I could ask a question about the browser isolation component. Is this going to be in when a user is accessing internal resources inside of the agencies, or is this going to be also a service that's internet-facing? So, when a user's sitting on-prem or anywhere, and he's now going to the internet once they go to Google, is all internet traffic really going to be browser isolated? Is that the envisioning?
Brandon Iske: So, it is what we're doing. So, the basically .com or any commercial internet browsing [inaudible 00:31:55] capability [inaudible 00:31:57] .mil is going to bypass that. So, whether I'm on a VPN or the .mil resources already internet facing, those are the [inaudible 00:32:08]. So I mean, basically, you're not routing either way. So, it does allow us to basically not be backhauling that traffic back onto the DODIN or [inaudible 00:32:16] for DoD terminology, for our internal network.
Ryan Johnson: Thank you, Brandon. Next question is to Scott Rose. Looking to the future, what is next in zero trust? What technologies are going to impact it or acquired in a different way than what we see right now? I love the question.
Scott Rose: Yeah. I don't know for sure because everybody makes predictions and are constantly surprised about how they don't pan out. But at least in the near term, I see a lot of people focusing both on IoT like we are as well. How do you get those and manage those in an automatic fashion? So, you don't actually have to have human administrators going out and touching all those devices or doing something to those devices. They're getting to the point where you can just quickly get them onboard them onto a network.
You know exactly what they're doing because they say what they're doing in [inaudible 00:33:19]. Manufacturer vouches for them. You onboard them, you go through the entire lifecycle, and you offboard them if you need to, all in a more streamlined, automated fashion. That's going to be coming on as people look for IoT solutions.

The other one is we're seeing more people looking at machine learning when it comes to developing user profiles as feedback to what we call the policy engine or the trust algorithm moving on. Building up again, what does this user normally do, in order to see when something abnormal happens? You always [inaudible 00:33:57] this. You have a person, say, working in HR, and they connect to this database with all the user information. They do roughly, say, three to five gigs of traffic going back and forth from this database a day. Suddenly, you see that jump up to 800 gigs. That should cause a red flag going up because that's abnormal. But then again, maybe it's because there's the annual performance review, where they're downloading everything and going through everything.

Maybe that happens every year at a certain time. Then again, you're building up that profile saying, "Okay, we know that does happen at a certain timeframe. So what happens outside of that timeframe, then maybe something strange is going on." Those kind of trends we're seeing, just trying to improve the dynamic nature of zero trust. That's kind of the things that are just on the horizon and starting to appear.

Ryan Johnson: Thank you, Scott. Next question is for Gerald. What mistakes or what are the biggest misunderstandings with zero trust in the industry or within federal entities right now?

Gerald Caron: Definition. Understanding the totality of zero trust, understanding it as a full architecture, full framework. People talk about it in bits and pieces.
Unfortunately, some vendors will talk about zero trust, but you've got to understand the whole landscape of it because they may come in and do the authentication and access management piece, but not do the data segmentation piece, or the app hardening piece, or network mapping for understanding where your data's flowing and things. So, understanding that it's not just a one-product thing. It is truly going to be an integration. It's going to take a whole effort, a whole village to do it.

So, really understanding and getting level set, and understanding the use cases and understanding what your risk tolerance is, is very important. What are you willing to take risk for? What's important to you? Putting your emphasis on what's important. The cafeteria schedule, okay. But your medical records, I'm going to put a little more emphasis on that probably than the cafeteria schedule. So, and understanding where does that reside? How do I protect that and things? So, really understanding what it is you're trying to accomplish, and then we all have our little special snowflakes in all of our different agencies. So, what is our little spin on things? So understanding what your use cases are, I think, is really important.

Ryan Johnson: Thank you, Gerald. Next question is for Jason. Let's go to another identity question, Jason. If identity is the new perimeter, what should federal agency entities consider when looking at making identity their enforcement point? How is this achieved?

Jason Wilburn: So, it's not going to be the enforcement point. It's just going to be another piece of information, a data point that can be used by an enforcement point. To Gerald's point, it needs to be looked at holistically. Identity just needs to be one part of it. I think the biggest thing is understanding really where all your identities are within an organization. Are they all in Active Directory? Are they all in a SaaS-based [inaudible 00:37:22]? Does each application have its own directory structure?
So, while you think that John Smith's account only exists in, say, Active Directory, it might exist in multiple locations. So then you need a good strategy to onboard identity, decommission identity, and then also validate identity. That means back into needing some sort of MFA or a good authentication method.

Ryan Johnson: Next question is to Scott. What are the concerns a federal entity needs to understand before migrating to ZTA?

Scott Rose: Well, the concerns I think they need to worry about are, basically, they need to know what they do, they need to know their mission, they need to know the risks inherent to how they're doing their mission, and then they need to know what they have, who, both.... These are accounts on the network, the devices, the workflows; they need to have that knowledge at first. They need to be able to detect and monitor things previously before they can actually start moving down this road to zero trust because you can't really build a policy and a set of checks around things that you don't actually know. So, those are the main concerns.

Other concerns are how it will impact the users. We need to educate them to make sure everybody else is onboard because if the other kind of operating units in an organization or a federal agency or something, if they're not onboard, there's going to be a problem because the way things are... because they may result in the changes of the workflow of [inaudible 00:39:02] times. They're accessing things. What permissions they have or don't have? There's always that learning curve when you're trying to actually refine these policies. If that becomes aggravating, they're going to start trying to find ways around it. That's the last thing you want because then you have the shadow IT springing up behind it and things that you've sorted, all this strange traffic that you're not seeing on the network, but people claim that it's very important for them to do their job. Those sorts of things.
So you need to actually realize that going down the road of zero trust is a unified front. Everybody needs to take those steps together.

Ryan Johnson: Yeah. Thank you, Scott. Probably the last question here, this is directed to Gerald once again. How does zero trust relate to TIC 3.0 and CDM?

Gerald Caron: So, I think the great thing about CDM, for those that have been participating in it, it's such a good foundational thing that I think you can build on for zero trust. I think Brandon said it well earlier: you're probably already doing some things, and taking a good inventory of some of those efforts that you already have going on, and how it fits into the zero trust architecture that... So, there may be some tweaks. TIC, I think, definitely is part of... a contributor to the solution, especially some of these efforts that allow for the telemetry and the services to do that untethering that I was talking about, and get all that data and make decisions based off that.

Definitely. I think the way CDM is taking in and doing the asset discovery, a lot of the understanding of the mapping, eventually in the subsequent phases later on to do the network access control, so you can quarantine or trigger an action on a device. There's a lot of good things that I think they provide, some good building blocks that will get you a part of your zero trust solution. Not the totality. Of course, we've already talked about that, but I think there's some good foundational pieces that they've put in place that contribute to the overall zero trust architecture.

Scott Rose: Yeah. To follow up on that, if you go through the part of the NIST 800-207, we have a coauthor from DHS, and he's the head of the TIC program. We made sure that, at least, the text that we had in those sections where we talk about CDM and TIC, we had a lot of input and overview from DHS there. So, he made sure that the wording and the tone both match and don't contradict.
So yeah, we made sure that we were expressing the fact that these programs are interlaced.

Thanks for listening. If you would like more information on how Carahsoft or F5 can assist your federal agency, please visit www.carahsoft.com or email us at f5-sales@carahsoft.com. Thanks again for listening, and have a great day.

Security Nation
The CyberPeace Institute's Adrien Ogee Talks Launching a Nonprofit Amid COVID-19 and the Importance of Healthcare Security

Mar 10, 2021 (25:14)


In this week's episode of Security Nation, we interview Adrien Ogee, COO of the CyberPeace Institute. He discusses what it was like to launch and staff a brand-new nonprofit during the COVID-19 pandemic, and how his team worked to get the cybersecurity industry to trust them and get involved. Adrien also talks about the CyberPeace Institute's recently released "Playing With Lives: Cyberattacks on Healthcare Are Cyberattacks on People" report.

Stick around for our Rapid Rundown, where Tod discusses the National Cybersecurity Center's recently released Cyber Action Plan, a short questionnaire that generates actionable recommendations for shoring up your security. He also talks through PortSwigger's recently published list of the top 10 web hacking techniques of 2020.

Colorado = Security Podcast
195 - 1/25 - Manish Kapoor, Founder and CEO at TruKno

Jan 24, 2021 (72:01)


Manish Kapoor, Founder and CEO at TruKno is our feature guest this week. News from Carvana, TechStars, National Cybersecurity Center, IronCore Labs, Red Canary, LogRhythm and a lot more! Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com

This week’s news:
- Join the Colorado = Security Slack channel
- Rezoning request for 8-story 'vehicle vending machine' headed to Denver City Council
- Colorado’s new effort to prevent unemployment fraud left two-thirds of suspect accounts failing to verify IDs
- Colorado puts money toward pursuing Space Command headquarters, IT consulting company
- Techstars Boulder reveals the 11 startups in its latest class
- New Techstars CEO shares what’s next for the Boulder startup giant
- National Cybersecurity Center, in Partnership with Tusk Philanthropies, Announces Launch of Future of Voting: Election Resiliency – 2021 Pilot Project
- Opinion: Huge cyberattack shows it’s time to fix our failing cybersecurity infrastructure
- Enabling the modern security operations center
- LogRhythm CEO Mark Logan Discusses MistNet Acquisition

Job Openings:
- Ping Identity - Security Sr Program Manager
- Ping Identity - Business Analyst, Information Security
- Ping Identity - Product Security Engineer
- Absolute Software - Chief Information Security Officer
- tolmar - Senior Manager/Director IT Information Security
- Checkr - Senior Technology Compliance Program Manager
- Fireeye - Principal Incident Response Consultant
- Red Canary - Product Security Engineer, Web
- CVS Health - Software Security Analyst
- Ntirety - Security Operations Analyst (SOC)

Upcoming Events: This Week and Next:
- ASIS - YP NETWORKING HAPPY HOUR WITH TAYLOR PASANELLO - 1/26
- ISC2 Pikes Peak - January Meeting - 1/27
- Denver ISSA - Your presence matters! How to show up as your best on video - 1/27
- ISC2 Denver - Chapter Annual Meeting - 1/28
View our events page for a full list of upcoming events

* Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here.
* Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

Seamless Podcast with Darin Andersen
Mark Weatherford, National Cybersecurity Center

Jan 19, 2021 (37:43)


Darin is joined by cybersecurity pioneer and expert Mark Weatherford. Mark has been involved in cybersecurity for over 2 decades and has served in government and the private sector. Mark served as the Chief Information Security Officer (CISO) for the states of Colorado and California. He also was Deputy Under Secretary for Cybersecurity, US Dept of Homeland Security. Mark worked as Principal at the Chertoff Group, Booking Holdings and vArmour and has served as an advisor and/or board member for Coalfire, Blue Lava, Interos, Tenable and many others.

Colorado = Security Podcast
189 - 12/7 - John Nellen, CEO at Todyl

Dec 6, 2020 (55:42)


John Nellen, Founder and CEO at Todyl is our feature guest this week. News from Sphero, Related Development, National Cybersecurity Center, Ping Identity, Red Canary, LogRhythm and a lot more! Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com

This week’s news:
- Join the Colorado = Security Slack channel
- Colorado Inno's 2020 Startup Gift Guide
- Denver foundations join state in fund to keep rural movie theaters open
- Colorado Proud: Lone Tree girl named first-ever Time’s Kid of the Year
- Sphero spinoff debuts initial robot for first responders
- National apartment developer chooses Denver for regional HQ
- Retired Air Force general named CEO of cybersecurity center
- Ping Identity MQ Leader
- Red canary yellow cockatoo
- The State of Data Privacy. Do You Have Rights to Your Data?
- Podcast: Doug Brush On Careers In Digital Forensics - Forensic Focus

Job Openings:
- Ping Identity - Manager, GRC (Privacy Programs)
- Ping Identity - Manager of GRC
- Ping Identity - Product Security Engineer
- Otter Products - Information Security Analyst
- Colorado Judicial Branch - Manager of Information Security
- InteliSecure - Vulnerability Management Program Lead
- ULA - Cybersecurity Analyst 3
- Smarsh - Sr. Information Security Analyst
- Aegon - Senior Information System Security Analyst
- Opentext (Webroot) - Advanced Threat Researcher

Upcoming Events: This Week and Next:
- Colorado = Security Poker Night - 12/8
- NoCo ISSA - December Chapter Meeting - 12/10
- ISC2 Pikes Peak - December Chapter Meeting - 12/16
- ISSA C.Springs - December Meeting - Chapter Appreciation - 12/17
- ISSA / ISACA - Annual joint holiday meeting - 12/17
View our events page for a full list of upcoming events

* Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here.
* Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

@BEERISAC: CPS/ICS Security Podcast Playlist
Securing Manufacturing Industrial Control Systems: NIST NCCoE Resources At Your Fingertips

Aug 26, 2020 (39:13)


Podcast: ITSPmagazine | Technology. Cybersecurity. Society.
Episode: Securing Manufacturing Industrial Control Systems: NIST NCCoE Resources At Your Fingertips
Pub date: 2020-08-26

Redefining Security | On ITSPmagazine: Conversations At the Intersection of Technology, Cybersecurity, and Society. Have you ever thought that we are selling cybersecurity insincerely, buying it indiscriminately, and deploying it ineffectively? For cybersecurity to be genuinely effective, we must make it consumable and usable. We must also bring transparency and honesty to the conversations surrounding the methods, services, and technologies upon which businesses rely. If we are going to protect what matters and bring value to our companies, our communities, and our society, in a secure and safe way, we must begin by operationalizing security. Join us as we explore how visionary leaders are Redefining Security.

This Episode: Securing Manufacturing Industrial Control Systems: NIST NCCoE Inter-Agency Resources, Labs, and Practice Guides At Your Fingertips

Host: Sean Martin

Guests:
- Michael Powell, National Cybersecurity Center of Excellence, National Institute of Standards and Technology
- Titilayo Ogunyale, National Cybersecurity Center of Excellence (NCCoE), The MITRE Corporation
- CheeYee Tang, Electronics Engineer at National Institute of Standards and Technology

When it comes to tackling a problem, the hardest part is getting started: taking that first step. But, before even getting there, a recognition that the problem exists and is important enough to address must capture some level of appreciation. This holds true for cybersecurity - this holds true in IT and OT environments alike - this holds true in manufacturing settings just the same as it does for other industries. Fortunately, there are some really good people doing some really good things - driven by the public sector and government-enabled grants. One such group is the National Cybersecurity Center of Excellence (NCCoE).

From their site: "NCCoE, a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges."

One of the project areas is focused on industrial control systems in the manufacturing space. There are a number of projects and publications available from the inter-agency group. In today's conversation, we take a broad look at the NCCoE's work in the manufacturing sector across government, academia, and industry, taking a deeper dive into the NIST Interagency Report (NISTIR) 8219: Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection.

What do you need to recognize the cybersecurity problem and challenges your manufacturing firm faces? Have a listen. What do you need to take that first step to identify the risks your manufacturing environment is exposed to, and what are the signs (anomalies) that something is not going to plan? Have a listen. Not in the manufacturing sector but want to hear how other industries tackle these problems? Have a listen. Have no idea what this is all about? Have a listen.

Learn more about this column's sponsors:
- Nintex: itspm.ag/itspntweb

Listen to more Episodes of Redefining Security here: www.itspmagazine.com/redefining-security

Interested in sponsoring an ITSPmagazine talk show? www.itspmagazine.com/talk-show-sponsorships

The podcast and artwork embedded on this page are from ITSPmagazine | Technology. Cybersecurity. Society., which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

ITSPmagazine | Technology. Cybersecurity. Society
Securing Manufacturing Industrial Control Systems: NIST NCCoE Resources At Your Fingertips

Aug 26, 2020 (39:13)


Redefining Security | On ITSPmagazine: Conversations At the Intersection of Technology, Cybersecurity, and Society. Have you ever thought that we are selling cybersecurity insincerely, buying it indiscriminately, and deploying it ineffectively? For cybersecurity to be genuinely effective, we must make it consumable and usable. We must also bring transparency and honesty to the conversations surrounding the methods, services, and technologies upon which businesses rely. If we are going to protect what matters and bring value to our companies, our communities, and our society, in a secure and safe way, we must begin by operationalizing security. Join us as we explore how visionary leaders are Redefining Security.

This Episode: Securing Manufacturing Industrial Control Systems: NIST NCCoE Inter-Agency Resources, Labs, and Practice Guides At Your Fingertips

Host: Sean Martin

Guests:
- Michael Powell, National Cybersecurity Center of Excellence, National Institute of Standards and Technology
- Titilayo Ogunyale, National Cybersecurity Center of Excellence (NCCoE), The MITRE Corporation
- CheeYee Tang, Electronics Engineer at National Institute of Standards and Technology

When it comes to tackling a problem, the hardest part is getting started: taking that first step. But, before even getting there, a recognition that the problem exists and is important enough to address must capture some level of appreciation. This holds true for cybersecurity - this holds true in IT and OT environments alike - this holds true in manufacturing settings just the same as it does for other industries. Fortunately, there are some really good people doing some really good things - driven by the public sector and government-enabled grants. One such group is the National Cybersecurity Center of Excellence (NCCoE).

From their site: "NCCoE, a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges."

One of the project areas is focused on industrial control systems in the manufacturing space. There are a number of projects and publications available from the inter-agency group. In today's conversation, we take a broad look at the NCCoE's work in the manufacturing sector across government, academia, and industry, taking a deeper dive into the NIST Interagency Report (NISTIR) 8219: Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection.

What do you need to recognize the cybersecurity problem and challenges your manufacturing firm faces? Have a listen. What do you need to take that first step to identify the risks your manufacturing environment is exposed to, and what are the signs (anomalies) that something is not going to plan? Have a listen. Not in the manufacturing sector but want to hear how other industries tackle these problems? Have a listen. Have no idea what this is all about? Have a listen.

Learn more about this column's sponsors:
- Nintex: itspm.ag/itspntweb

Listen to more Episodes of Redefining Security here: www.itspmagazine.com/redefining-security

Interested in sponsoring an ITSPmagazine talk show? www.itspmagazine.com/talk-show-sponsorships

Space Policy Pod
Episode 8: Erin Miller

Aug 11, 2020 (21:39)


This podcast discussion features Erin Miller, VP of Operations for Space ISAC, National Cybersecurity Center. Erin has over a decade of experience building meaningful tech collaborations and has formed hundreds of formal partnerships between government, industry and academia to solve problems for warfighters and national security. Currently Erin is building a Public-Private Partnership (P3), called Space ISAC. This is the third non-profit launch Erin has led, and she has been passionate about P3 for her entire career. Erin was the Managing Director of the Center for Technology, Research and Commercialization (C-TRAC) and brought three USAF-funded programs to bear at the Catalyst Campus for Technology & Innovation (www.catalystcampus.org) from 2016-2018. Her expertise in brokering unique partnerships using non-FAR type agreements led to the standup of the Air Force’s first cyber-focused design studio, AFCyberWorx at the United States Air Force Academy, and the first space accelerator, Catalyst Accelerator, at Catalyst Campus in Colorado Springs - in partnership with Air Force Research Laboratory and AFWERX. Erin serves on the board of cyber teaching certifications at Handshake Leadership.

New Cyber Frontier
NCF-NCC03 Electronic Voting: How NCC is convening leaders through Secure the Vote

Jul 28, 2020 (37:10)


In 2020, national and local elections are top-of-mind for Americans. With headlines being dominated by election integrity, misinformation and disinformation, and safety during the pandemic, National Cybersecurity Center's (NCC) Secure the Vote program is convening leaders to explore an alternative method of participating in our democracy: electronic voting. In this episode, we interview NCC Director and Business Government Initiatives, Forrest Senti, and Project Manager, Mattie Gullixson, as they dive into electronic voting and the challenges and opportunities ahead.

Visit our sponsors: Cyber Resilience Institute, BlockFrame Inc., SecureSet Academy, Murray Security Services

New Cyber Frontier
NCF-CO15 Women in Cybersecurity: Scope and Role of ISAC

May 29, 2020 (32:43)


On today’s show, host Abe Thompson chats with Erin Miller, Vice President of Operations for Space ISAC at National Cybersecurity Center. They discuss the development of Space Force, ISACs and ISAOs, and allowing information sharing. Listen and join in on the conversation!

Visit our sponsors: Cyber Resilience Institute, BlockFrame Inc., SecureSet Academy, Murray Security Services

KRDO Newsradio 105.5 FM • 1240 AM • 92.5 FM
2020 Secure the Vote Webinar Series - KRDO's Afternoon News with Ted Robertson - Forrest Senti - May 18, 2020

May 18, 2020 (4:48)


The next in the National Cybersecurity Center's webinar series on securing the 2020 vote is May 19, at 2:00 p.m. Register at: www.cyber-center.org/events

KRDO Newsradio 105.5 FM • 1240 AM • 92.5 FM
Securing the Vote in 2020 - KRDO's Afternoon News with Ted Robertson - Mattie Gullixson - May 11, 2020

May 12, 2020 (4:29)


You're invited to join the National Cybersecurity Center as they explore several security issues to help better understand what risks exist and what can be done to protect election integrity. Register now at https://cyber-center.org/events/

Colorado = Security Podcast
164 - 5/11 - Scott Gerlach, Co-Founder & CSO at StackHawk

May 10, 2020 (63:55)


Scott Gerlach, Co-Founder & CSO at StackHawk is our feature guest this week. News from: Conga, Techstars, JumpCloud, Xactly, Quizlet, Phase Change, Cognizant, R9B, Ping Identity, Red Canary, National Cybersecurity Center, LogRhythm, Optiv and a lot more! Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com

This week’s news:
- Join the Colorado = Security Slack channel
- Broomfield-based Conga acquired for reported $715M
- Techstars launches workforce development accelerator amid coronavirus
- These 3 tech companies see opportunities in Denver despite Covid-19
- Golden's Phase Change aims to make developers more efficient
- Cognizant expects to lose between $50m and $70m following ransomware attack | ZDNet
- R9B Signs Agreement with Global Energy Technology Company Baker Hughes to Expand Cybersecurity Service Offering
- Ping Identity Reports First Quarter 2020 Results, Provides Outlook for Second Quarter
- Red Canary launches new MDR offering powered by Microsoft Defender ATP
- National Cybersecurity Center’s Secure the Vote Launches 2020 Webinar Series: Give Us the Options
- LogRhythm Selects Optiv as an Authorized Training Partner

Job Openings:
- Ping Identity - GRC Analyst
- Ping Identity - Product Security Engineer
- Empower Retirement - Sr Security Engineer
- CenturyLink - Information Security Engineer I - Federal SOC
- Newmont Mining - Senior Manager, Cyber Security Delivery
- DaVita - Senior IT Auditor, Assurance
- Booz Allen - Red Team, Senior
- Twitter - Senior Infrastructure Security Engineer
- New Relic - Senior Cloud Security Engineer
- Wells Fargo - Adversarial Cyber Operations Specialist ISE6

Upcoming Events: This Week and Next:
- ASIS - (Virtual) DETECTING ELEVATED SKIN TEMPERATURE (EST) WITH FLIR, CONVERGINT, AND ASIS - 5/13
- C.Springs ISSA - May Online Series - Session 2 - 5/14
- NoCo ISSA - May Chapter Meeting - 5/14
- Women In Security - A panel discussion on the impacts of Covid-19 to our lives, business and Information Cyber Security and Compliance - 5/21
- C.Springs ISSA - May Online Series - Session 3 - 5/21
- DC303 - May Meeting - 5/22
Other Notable Upcoming Events: ???
View our events page for a full list of upcoming events

* Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here.
* Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

Colorado = Security Podcast
163 - 5/4 - Erik Huffman, Entrepreneur, Researcher & Cyberpsychologist

May 3, 2020 (66:16)


Erik Huffman, Entrepreneur, Researcher & Cyberpsychologist is our feature guest this week. News from: Strava, VF Corp, Arrow Electronics, DaVita, Zayo, Anschutz Corp, Liberty Global, Ball Corp, Vail Resorts, Boston Market, National Cybersecurity Center, Manetu, ThreatX, DarkOwl, Swimlane and a lot more! Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com

This week’s news:
- Join the Colorado = Security Slack channel
- Sträva Coffee Gifting Five, $1,000.00 "Golden Tickets" to Customers
- Good Works: VF Corp. brands donate convention refunds, Colorado brewing industry launches unique relief campaign
- Exclusive: 13 prominent CEOs form new group to improve the well-being of Denver
- Boston Market sold to emerging East Coast restaurant operator
- These Industries Are Hiring Now in Colorado
- $3M grant a ‘huge win’ for cybersecurity in Colorado Springs – from Colorado Springs Business Journal
- Consumer Data Privacy Startup in Colorado Raises $3.5M
- Veteran Tech Executive Gene Fay Named CEO at ThreatX | Business Wire
- DarkOwl Selects BlueVoyant to Deliver Comprehensive Managed Detection and Response Security Service
- Responding to Insider Threats with SOAR | Swimlane

Job Openings:
- Ping Identity - GRC Analyst
- Ping Identity - Product Security Engineer
- Staples - Senior Application Security Architect
- ULA - Information Security Architect 6
- Synoptek - Director/CISO
- Charter/Spectrum - Vulnerability Engineer I - Vulnerability and Remediation
- Zoll Data Systems - Information Security Engineer
- State of Colorado - Senior Security Engineer
- Arrow - Corporate IT Auditor I
- PwC - Cloud Security DevOps Engineer

Upcoming Events: This Week and Next:
- Global Cyber Alliance - DMARC Bootcamp! - 5/4
- Hang out a Shingle: Starting Your Cybersecurity Company (Douglas Brush and Daniel Ayala) - 5/5
- Hacker Business Models: They are out innovating the Rest of Us (by Steve Winterfeld) - 5/7
- NoCo ISSA - May Chapter Meeting - 5/14
Other Notable Upcoming Events: ???
View our events page for a full list of upcoming events

* Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here.
* Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

Federal Drive with Tom Temin
Making sure no one's crashing your virtual meeting

Mar 27, 2020 10:06


With seemingly everyone teleworking, the only way people can meet is through some awkward application or another. Teleconferencing can also mean fresh cybersecurity challenges. To help, the National Institute of Standards and Technology has rushed out some guidelines. To tell us what to watch out for, the director of the National Cybersecurity Center of Excellence, Jeff Greene, joined the Federal Drive with Tom Temin.

New Cyber Frontier
NCF-CO14 The Importance of STEM Education for Marginalized Groups

Mar 3, 2020 33:14


On today’s show, host Abe Thompson has a discussion with Thomas Russell of the National Cybersecurity Center and Alexia Thompson, a pre-med student and Mr. Russell’s intern. They discuss the importance of cyber and STEM education at a young age, in particular with women and people of color. Listen and join in on the conversation! Visit our sponsors: Cyber Resilience Institute Internet Broadcasting Network BlockFrame Inc. SecureSet Academy Murray Security Services

AI with AI
Some Superintelligent Assembly Required

Nov 29, 2019 33:04


In news, the Defense Innovation Board releases AI Principles: Recommendations on the Ethical Use of AI by the Department of Defense. The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence releases a draft for public comment on adversarial machine learning, which includes an in-depth taxonomy on the possibilities. Google adds BERT to its search algorithm, with its capability for bidirectional representations, in an attempt to “let go of some of your keyword-ese.” In research, Stanford University and Google demonstrate a method for explaining how image classifiers make their decisions, with Automatic Concept-based Explanations (ACE) that extract visual concepts such as colors and textures, or objects and parts. And GoogleAI, Stanford, and Columbia researchers teach a robot arm the concept of assembling objects, with Form2Fit, which is also capable of generalizing its learning to new objects and tasks. Danielle Tarraf pens the latest response to the National Security Commission on AI’s call for ideas, with Our Future Lies in Making AI Robust and Verifiable. Jure Leskovec, Anand Rajaraman, and Jeff Ullman make their second edition of Mining of Massive Datasets available. The Defense Innovation Board posts a video of its public meeting from 31 October at Georgetown University. Maciej Ceglowski’s “Superintelligence: the idea that eats smart people” takes a look at the arguments against superintelligence as a risk to humanity. Click here to visit our website and explore the links mentioned in the episode.

Constellations, a New Space and Satellite Innovation Podcast
63 - The Space ISAC, Cybersecurity and Innovation

Nov 13, 2019 17:37


Erin Miller, Director of Business Development at The National Cybersecurity Center in Colorado Springs, explains what the Space Information Sharing and Analysis Center (ISAC) is and why we need it. As Erin explains, a 1998 presidential directive requires the development of ISACs to protect our critical infrastructures from threats and vulnerabilities. There are about 25 different ISACs to support major industry sectors such as financial services, information technology, natural gas and others. As space transcends virtually all these sectors, it was only natural that there be a Space ISAC. In this episode of Constellations, Erin will also discuss new developments and strategies to combat increasing cybersecurity and other threats to our space assets.

Power Lunch Live
Rhett Power and Vance Brown on Power Lunch Live

Oct 7, 2019 30:03


Vance is the CEO of the National Cybersecurity Center and Chairman/Co-founder at Cherwell Software. Vance also is a mentor to entrepreneurial CEOs, utilizing the Thrivers.com holistic framework. Vance joins Rhett to discuss his new book, Thrivers. #leadership #coaching #mentorship #Thrivers #linkedinlive #newbook #powerlunchlive www.powerlunch.live

Colorado = Security Podcast
85 - 9/24 - Vance Brown and Hannah Parsons, National Cybersecurity Center

Sep 23, 2018 45:19


In this episode: Vance Brown and Hannah Parsons of the National Cybersecurity Center are our feature interview this week. News from: Great American Beer Fest, Techstars, Western Union, Arrow Electronics, Adobe, Marketo, Optiv, root9B, Intelisecure, Virtual Armor, Red Canary, Ping Identity, Zvelo, CenturyLink and a lot more! Want a beer? You’re in the right place People are drinking an awful lot of beer in Denver this week. I-70 is a good place for driving without drivers. What? Techstars, Western Union and Arrow are all looking to innovate. Marketo gets paid. Colorado has 4 top MSSPs. Stories from Red Canary, Ping Identity and Zvelo. And CenturyLink gets a new CSO. Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com Local security news: Join the Colorado = Security Slack channel Colorado brewers win 30 medals at Great American Beer Festival Inrix ranks Colorado's Interstate 70 among top U.S. routes for driverless truck deployment Techstars and Western Union team up for new innovation accelerator Arrow Electronics to build 'Colorado Open Lab' in headquarters to advance smart city technology Adobe to buy Marketo for $4.75 billion in largest acquisition to date Top 100 MSSPs Red Canary blog: Detecting MSXSL Abuse in the Wild The Burden of State Data Privacy Laws: A Q&A with Robb Reck from Ping Identity Zvelo blog: What is Malicious Cryptocurrency Mining? | History and Prevention CenturyLink hires former Apple executive as new security chief Job Openings: Ping Identity - Cloud Security Architect Ping Identity - Product Security Engineer Ping - NOC/SOC Manager (SRE Manager, Cloud Operations) Journey - Cryptographic Software Engineer Journey - Security Architect Splunk - Security Markets Specialist Zillow - IT Compliance Analyst Western Union - Senior Manager, Information Security Incident Response FireEye - Principal Penetration Tester- Red Team RiverPoint - IT Security Manager Transamerica - Manager, IT and Info Security Risk Management Upcoming Events: This Week and Next: C-Suite Awards Celebration 2018 - 9/25 GDPR Meetup - Encryption for GDPR Compliance, Fact and Fiction - 9/25 NCC - Cyber for Executives - 9/26 SecureSet - Capture the Flag - 9/28 Secureset - Expert Series: Chris Martinez - 10/4 Lockton Mountain West Cyber Day - 10/4 Colorado Springs Cybersecurity - First Friday - Cybersecurity Social & Mixer - 10/5 Other Notable Upcoming Events SecureWorld Denver - 10/31-11/1 CTA - Apex Awards - 11/7 View our events page for a full list of upcoming events * Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here. * Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

Federal Drive with Tom Temin
PIV cards could help federal cybersecurity on mobile devices

Sep 7, 2018 9:03


It sounds like Greek — derived PIV credentials. But a better approach to managing information on personal identity verification cards can help an ongoing federal challenge, namely how to improve cybersecurity for people using mobile devices. Now the National Cybersecurity Center of Excellence has released fresh guidance on so-called derived credentials. Hildegard Ferraiolo, a computer scientist with the Security Components and Mechanisms Group at the National Institute of Standards and Technology, joined Federal Drive with Tom Temin to explain what it is and how it works.

Colorado = Security Podcast
74 - 7/9 - Karen Worstell, Founder of W Risk Group

Jul 8, 2018 76:29


In this episode: Karen Worstell, former CISO for Microsoft, Russell Investments, AT&T, and now Managing Principal and Founder at W Risk Group, is our feature interview this week. News from: Bird, Lime, Sphero, Amazon, National Cybersecurity Center, Google, Ping Identity, SecureSet, Intelisecure and a lot more! I hope I look this good when I turn 242 years old Happy birthday America! I hope you like fireworks. Denver makes a scooter program. Tariffs might hit Colorado. Will HQ2 come to Denver? We are the Silicon Valley for Blockchain. Google has news. Ping makes a big acquisition. So does SecureSet. It's not too late to vote for the CISO of the year! Visit Karen's website at: karenworstell.com Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com Local security news: Join the Colorado = Security Slack channel Denver unveils pilot program for electric scooters Denver leads U.S. in small-business job growth in June 2018, No. 3 for wage growth per Paychex report Why this Denver tech firm is concerned about tariffs and trade wars Denver ranks No. 4 for Amazon HQ2 in GeekWire reader survey Colorado will be 'Silicon Valley for blockchain technology,' National Cybersecurity Center CEO says Google announces $2.8M in grants, office space to Boulder tech education Ping Identity acquires stealthy API security startup Elastic Beam SecureSet Acquires HackEd to Bring Immersive Cybersecurity Education to Washington D.C. Metro Region Intelisecure - The Economics of Data and Information CISO of the year voting Job Openings: Ping Identity - Site Reliability Engineer - Security Operations Ping Identity - Director of IT Kaiser Permanente - Executive Director, Cyber Risk Defense Center & Deputy CISO PDC Energy - Director, Information Security Jacobs Entertainment - Corporate IT Security Manager GB Protect - Senior Information Security Analyst Department of Homeland Security - IT Specialist (INFOSEC) Centura Health - Security Analyst Comcast - Security Engineer, Incident Response Gaming Labs - Security Specialist CU Boulder - Incident Response Analyst Upcoming Events: This Week and Next: ISSA Denver July Meetings - 7/10-11 CTA - CTA 101 - 7/11 SecureSet - Capture the Flag - 7/13 CSA - July Meeting - 7/17 ISSA COS - July Meetings - 7/17-18 DenSec - Meetup - 7/18 SecureSet - Career Convos: Alison Lawrence Daley - 7/19 ISC2 – Data Protection: Industry Practices to Identify and Protect Sensitive Information - 7/19 ISSA COS - Mini Seminar - 7/21 Other Notable Upcoming Events Colorado Springs - Cyber Security Training & Technology Forum (CSTTF) - 8/22 View our events page for a full list of upcoming events * Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here. * Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

Colorado = Security Podcast
71 - 6/11 - Mike Morris, CTO of root9B

Jun 10, 2018 62:11


In this episode: Mike Morris, CTO of root9B, is our feature interview this week. News from: SALT Lending, Regis University, National Cybersecurity Center, LogRhythm, Thoma Bravo, Intelisecure, RockCyber, Zayo and a lot more! Demystifying root9B This week we learn a lot about root9B, as Alex sits down with their CTO Mike Morris. But first we get all kinds of news. Summary: Colorado is an awesome place to live and work. Also, people like to victim blame in breaches. Lots of other news too. Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com Local security news: Join the Colorado = Security Slack channel WalletHub: Colorado ranks No. 
5 on list of best overall state economies Denver a top moving spot for Californians, says Trulia SALT Lending nonprofit partners with Regis University to offer blockchain class Cybersecurity startups gathering in Colorado Springs as part of program to help them grow Aaron Lafferty's Data Breach Survey Results With Thoma Bravo, LogRhythm Innovation Accelerates | LogRhythm Intelisecure - Theft of Intellectual Property Costs More than you Think Summary - Colorado Governor Signs New Cyber Security Bill Into Law RockCyber cybersecurity company launching in June - Digital Colorado Gail Coury Received ISACA's Prestigious Chair Award Job Openings: Ping Identity - Senior Security Analyst Ping Identity - Site Reliability Engineer - Security Operations eFolder - Security and Compliance Analyst Cherry Creek HS - Security Specialist - High School University of Colorado - Security Analyst Firstbank Holding Company - Information Security Project Analyst S&P Global - Director, Security Architecture Carbon Black - Senior Threat Researcher Fireeye - Industrial Response Security Consultant Optiv - Vice President & General Manager of Emerging Services OverwatchID - Sr C/C++ Software Eng and Java Software Eng Upcoming Events: This Week and Next: ISSA Denver June Meetings - 6/12-13 SecureSet - Hacking 101: Powershell - 6/14 ISC2 Secure Summit Denver - 6/15 ISSA COS - June Meetings - 6/19-20 CSA - June Chapter Meeting - 6/19 ISSA Denver - June Happy Hour - 6/20 AI for GDPR Compliance: In Conversation with Darktrace - 6/21 ISSA COS - Mini Seminar - 6/23 Other Notable Upcoming Events Colorado Springs - Cyber Security Training & Technology Forum (CSTTF) - 8/22 View our events page for a full list of upcoming events * Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here. * Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

Colorado = Security Podcast
60 - 3/26 - Casey Smith on the Atomic Red Team Framework

Mar 25, 2018 47:32


In this episode: Casey Smith, Director of Applied Research at RedCanary is our guest this week. News from: NCC, Coalfire, CyberGRX, Red Canary, Webroot, InteliSecure... and a lot more! Let's blockchain this bad boy Yeah, we knew Denver was a great place for start-ups, but now we've got proof. Colorado is starting to look for ways to use Blockchain, and that might actually be a good thing. Ransomware is a real business. Colorado has some good security news (Niwot cyber girls kicking butt) and bad news (audit finds issues in substance abuse treatment program's security). Coalfire has a new CEO. CyberGRX makes the sandbox at RSA. And blogs from Red Canary, Webroot and InteliSecure. Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com Local security news: Join the Colorado = Security Slack channel Denver a top 10 U.S. city for entrepreneurs, startups Blockchain tech to protect state data? 
National Cybersecurity Center weighs in Pay us bitcoin or never see your files again: Inside the highly profitable underworld of ransomware Colorado audit of substance abuse treatment program reveals gap in state’s data security practices Niwot High girls’ cybersecurity teams excel at national challenge Coalfire names COO to be its new CEO CyberGRX Selected as Finalist for 2018 RSA Conference Innovation Sandbox Contest Red Canary blog: How an IT Service Provider and Red Canary Stopped a Malware Outbreak Webroot Blog: Spectre, Meltdown, & the CLIMB Exploit InteliSecure blog: Properly Framing the Cost of a Data Breach with Executives and Boards Job Openings: Ping Identity - Senior Security Analyst Ping Identity - Infrastructure Security Specialist Ping Identity - GRC Analyst Red Robin - Director, Risk, Compliance and Security City and County of Denver - Information Security Manager Gates Corp - Senior Security Engineer Guild Education - Security Engineer Secureworks - Senior Security Program Manager PwC - Cloud Security Manager FireEye - Associate Security Consultant Upcoming Events: This Week and Next: SecureSet - Career Conversations: Karen Worstell - 3/27 GDPR MeetUp - GDPR & The Legal Basis for Processing: Is consent really required? - 3/27 ISSA COS - 5th Annual Cyber Focus Day - 3/29 SecureSet - Hacking 101 Workshop: Intro To Threat Analysis - 4/3 Critical Infrastructure Hackathon - 4/6-8 ISSA COS - Security+ Exam Preparation Seminar - 4/7 Other Notable Upcoming Events Women in Security Denver - 4/24 Rocky Mountain Information Security Conference - 5/8-10 BSides Denver - 5/11-12 View our events page for a full list of upcoming events * Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here. * Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

Federal Drive with Tom Temin
Dissecting Commerce, DHS plan to mitigate botnet threat

Jan 12, 2018 9:50


Automated cybersecurity attacks using botnets have been a persistent problem for years. Back in May, a Trump administration executive order assigned the Commerce and Homeland Security Departments the new task to come up with a strategy for mitigating the botnet threat. Now the two departments have issued their draft strategy. Tim Polk, internet standards lead at the National Cybersecurity Center of Excellence, a subsection of the National Institute of Standards and Technology, joined Federal Drive with Tom Temin to explain what the agencies found.

Colorado = Security Podcast
45 - 12/11 - JD Sherry, Colorado Security Entrepreneur

Dec 10, 2017 60:26


In this episode: JD Sherry, Colorado security entrepreneur and CRO at Remediant is our feature guest this week. News from: CHI, SendGrid, Fast Enterprises, Madwire, National Cybersecurity Center, CableLabs, SecureSet, Webroot, LogRhythm, Red Canary, and a lot more! Full notes: https://www.colorado-security.com/news/2017/12/4/45-1211-jd-sherry-colorado-security-entrepreneur We're better than the Broncos Things might not be great for Denver's football game, but it's a great time to do security here. This week's news includes Catholic Health Initiatives merging with Dignity Health, three local companies named to Glassdoor's best employers list, news from National Cybersecurity Center, CableLabs, SecureSet, Webroot, LogRhythm, Red Canary, and a lot more! Please come join us on the new Colorado = Security Slack channel to meet old and new friends. Did you catch our trivia question? Be the first to reply to info@colorado-security.com with the right answer and get any $25 item from the Colorado = Security store. Feature interview: JD Sherry is our feature interview this week, and it's a good one. JD is located right here in the Denver area, and has had a number of executive positions in the security industry, from tech guy to CEO, and from massive companies (Intel) to start ups (Remediant). JD shares with us what he's learned and what he sees coming up next for the security community. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. 
If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com Local security news: Join the Colorado = Security Slack channel CHI to merge with Dignity Health Three Colorado companies on Glassdoor’s best places to work list New Cybersecurity Center in Colorado Aims to Bring Good Practices to the Masses ENISA's new recommendations for IoT security Founder Spotlight: Bret Fund and His Advice to Cybersecurity Students Webroot's 15th consecutive quarter of double digit business growth LogRhythm named Leader in 2017 Gartner MQ for SIEM Atomic Red Team Tests: Catching the Dragon by the Tail - Red Canary Job Openings: Charles Schwab - Managing Director - Threat Management & Intelligence Trustwave - Supervisor - Security Operations (SOC) MBL Technologies - Information System Security Officer Deloitte - Information Security, Risk and Governance Analyst Dell - InfoSec Analyst - Security Operations CoBiz Financial - Information Security Risk Analyst University of Colorado - Assistant Professor of Information Systems TD Ameritrade - Associate Counsel, Privacy Xactly - Senior Director of IT Upcoming Events: This Week and Next: CTA - CTA 101 - 12/13 ISSA / ISACA Joint Meeting @ Comedy Works - 12/14 CTA - Legislative Outlook - 12/14 Colorado = Security lunch meet-up! (check us out on Slack for details) CitySec - Meetup North - 12/21 Other Notable Upcoming Events: Optiv - 2017 Solution and Program Insight Focus Group: Application Security (AppSec) - 1/18 SnowFROC - 3/8 Rocky Mountain Information Security Conference - 5/8-10 View our events page for a full list of upcoming events * Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here. * Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

Our Town
Jenifer Furda | National Cybersecurity Center

Jun 24, 2017 11:59


Jen digs into the dark side of the internet and how you can keep yourself and your family or business safe from a security breach. Also upcoming trainings and the importance of having the National Cybersecurity Center right here in Colorado Springs! https://www.nationalcybersecuritycenter.org/

Colorado = Security Podcast
18 - 6/5/17 -NCC's CEO (Ed Rios) & COO (Jenifer Furda)

Jun 4, 2017 56:49


In this episode: Robb interviews Ed Rios & Jenifer Furda of the National Cybersecurity Center. News from LogRhythm, Optiv, Coalfire, Janus, and a robot security guard company in Lakewood. Full show notes: https://www.colorado-security.com/news/2017/6/2/18-65-show-notes RIP Denver video rental scene Can you believe we're already in June? Us either. Summer is upon us... kids are out of school and robotic security guards are coming to get you. Join us this week as we plumb the depths of security in the Colorado community and find a few nuggets worth discussing. My favorite is Coalfire's anatomy of paying a ransom. But don't miss the news of the death of Denver's last video rental store. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. We're continually working to improve the show, and appreciate the feedback we get from our listeners. If you discover any audio issues, or have suggestions for our format, let us know. This week's episode is available on Soundcloud, iTunes and the Google Play store. Reach out with any questions or comments to info@colorado-security.com Feature interview: Robb sat down with Ed Rios (CEO) & Jenifer Furda (COO) of the National Cybersecurity Center. This is a new organization located in Colorado Springs, focused on providing value around incident response, intelligence, and training. Ed and Jenifer shared a ton about current state, where the NCC is heading, and what you can do to help. Local security news: Denver boasts lowest jobless rate of any major metro area Denver's last video rental store closing at the end of the month Vertafore moving HQ to Denver Lakewood based robot security guard company raising funds Deloitte Canada (MSSP) picks LogRhythm's Threat Lifecycle Management Platform LogRhythm contest to use NetMon Freemium to solve a problem on your network... win money! 
Optiv enhanced intelligence capabilities within their Evantix platform Ransomware: the anatomy of paying a ransom to decrypt hostage files Denver's Janus Capital Group surrenders independence Denver's own Joe McComb named Global CISO of new organization - Janus Henderson Group Job Openings: Gates - Director information security & risk Miller Coors - Sr Director, IT Security TIAA - Sr Director, IT Audit Ball Aerospace - Senior Security Manager, Tactical Solutions EMS Software - Director of Cloud Ops & Security Spectrum - SR Dir, Network Security Ops Spectrum - SR Mgr, Vulnerability Compliance Upcoming Events: This Week's Events: SecureSet - What is NetSec? - 6/5 CTA - SheTech - 6/8 Women in Technology Conference - 6/9 ISSA C.Springs - Security + Training (2 of 2) - 6/10 Notable Upcoming Events: ISSA Healthcare Special Interest Group - (6/22) ISSA Denver Women in Security Meeting - (6/27) Evanta CXO Summit - (6/29) 7th Annual Cyber Security Training & Technology Forum - (8/30-31) View our events page for a full list of upcoming events If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com * Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here. * Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0

Our Town
Our Town - The National Cybersecurity Center

May 27, 2017 11:32


The National Cybersecurity Center is a nonprofit organization located in Colorado Springs, Colorado providing collaborative cybersecurity knowledge and services to the nation. Inspired by the vision of Colorado Governor John Hickenlooper, the National Cybersecurity Center was founded in 2016 as a 501(c)(3) nonprofit organization in Colorado Springs, Colorado. The NCC will develop the workforce, collaborate with the private sector, military and federal agencies, and support and educate the public sector to better protect our cities, states, and national assets. https://www.nationalcybersecuritycenter.org/

Colorado Matters
Experts Call For More Cybersecurity, Dyslexia Simulation, Boulder Punk Rockers

Aug 26, 2016 48:23


Governor John Hickenlooper is back from California, where he visited companies like Google and Dell to learn the latest cybersecurity strategies. He also sought support for the new National Cybersecurity Center in Colorado Springs. The center aims to be a national hub to protect companies and governments from attacks. Also, our education reporter learns what it's like for someone with dyslexia to read what look like scrambled words. Then, a preview of a forthcoming album from three Boulder punk rockers.

The Cyberlaw Podcast
Interview with Rod Beckstrom

Dec 15, 2015 47:00


In our ninety-third episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Michael Vatis, Jason Weinstein, and Alan Cohn discuss: proposals requiring social media sites to do more about online terrorist activity; first EU-wide cybersecurity rules for critical infrastructure and how they will affect US companies; Wyndham Hotels agrees to 20 years of privacy and security monitoring by the FTC; and encryption: Rep. McCaul to introduce a bill that creates an encryption commission; White House meets with privacy advocates about encryption; FBI Chief says Texas gunman used encryption to text overseas terrorist. In our second half we have an interview with Rod Beckstrom, where we discuss his expansive career, which started at DHS’s National Cybersecurity Center; he then headed ICANN, and before and after those gigs he was a Silicon Valley investor and officer in security startups as early as the 1990s and as recently as this year. The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

re:ID Podcast
Episode 151: Protecting privacy when reusing credentials

Nov 3, 2015 6:45


NIST, the National Cybersecurity Center of Excellence and the NSTIC National Program Office are working together on a new project focused on protecting privacy and security when reusing credentials online. The trio is accepting comments on the project, which will examine how commercially available privacy-enhancing technologies may be integrated into identity broker solutions.

Dave & Gunnar Show
Episode 44: #44: Glad to be here

Mar 4, 2014 72:32


This week, Dave and Gunnar talk about affordances, partnerships, and a bunch of reasons Red Hat is a great place to work. Subscribe via RSS or iTunes. Sophisticated multi-touch interfaces in vehicles have consequences. Gunnar gets angry about DRM all over again and gets a ChromeCast while Dave is still thrilled with his Roku 3 Google buys SlickLogin, a startup out to kill the password with sound If you can’t wait for the book or movie, check out the D&G Origin Story Fork your own agency open source policy “Run me on OpenShift” Dave bait: Dear Car Makers: Please Hire People Like This Affordance So we don’t get hate mail from Langdon White: Check out DevNation April 13-17 in San Francisco! Get the lowest rate for the Red Hat Summit by going through your Red Hat account team kpatch! Learn more here Dave on a panel about How to Acquire and Implement Secure Cloud Solutions at the Symantec Government Symposium The National Cybersecurity Center of Excellence welcomes Red Hat as a National Cybersecurity Excellence Partner Alcatel-Lucent and Dell are using Red Hat Enterprise Linux OpenStack Platform for (Software Defined) Networking Red Hat Storage 2.1 released! Test drive this and more on AWS! Red Hat Urges Supreme Court to Address Impediments to Innovation The Best Cloud Computing Companies And CEOs To Work For In 2014 A lifehacker we like: Dave and Gunnar review Jim Whitehurst’s productivity tricks Speaking of CEOs: How to Write Emails Like a CEO Email signature rules of engagement: the now-defunct protocol.by See the archived protocol builder related: remember geekcode? Is that a wallabag in place of Pocket or …? Cutting Room Floor Using Civ IV in schools: ENDORSED Tom Lee: “it’s especially vital now as the current generation of granary workers prepares to retire” HT Uzoma Nwosu: Exploring regional listening preferences The to-be-created OpenShift app of the week: Infinifriends sitcom script generator Bitcoins vs. 
Beanie Babies Plague Doctors are terrifying Guinea pig alternative: The sugar glider We Give Thanks AT&T U-verse for a great customer support experience. Jim Whitehurst for being a CEO we admire. Tom Lee for reminding us of the granary workers. Uzoma Nwosu for letting Dave know that Florida Georgia Line exists and is really popular in Ohio. Chris Williams found a bug in our mp3 encoding. Thanks, Chris! Problem fixed.