Podcasts about the NIST Cybersecurity Framework

  • 105 podcasts
  • 139 episodes
  • 32m average duration
  • 1 new episode per month
  • Latest episode: May 6, 2025

Popularity (chart by year, 2017 to 2024)


Best podcasts about the NIST Cybersecurity Framework

Latest podcast episodes about the NIST Cybersecurity Framework

Cyber Risk Management Podcast
EP 183: NIST CSF: The Missing Manual

May 6, 2025, 50:33


The implementation manual for the NIST Cybersecurity Framework has gone missing. Can it be found? Let's find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Want a deep discount on Kip's new Udemy course "Implement version 2 of NIST Cybersecurity Framework"? This one is valid until May 31, 2025: CRM_PODCAST_FRIEND
https://www.udemy.com/course/implement-version-2-of-nist-cybersecurity-framework/?couponCode=CRM_PODCAST_FRIEND

If you need to quickly get up to speed with the changes in NCSF v2, listen to this episode: https://cr-map.com/podcast/141/

AWS - Il podcast in italiano
Cybersecurity with AWS – How to address the challenges of cyber risk

Mar 10, 2025, 22:27


What is the NIST Cybersecurity Framework, and why is it important to know its guidelines? What is new in the latest version? How can the AWS whitepaper help you navigate the NIST CSF? Today we discuss this with two AWS colleagues, Carmela Gambardella (Senior Solutions Architect) and Francesco Grande (Partner Solutions Architect).

Useful links:
- Aligning to the NIST Cybersecurity Framework in the AWS Cloud

RIMScast
Data Privacy and Protection with CISA Chief Privacy Officer James Burd

Jan 28, 2025, 43:19


Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.

In this episode, Justin interviews CISA Chief Privacy Officer James Burd about data privacy and protection. Topics include how CISA protects agencies and critical infrastructure, how they responded to a recent data attack, and how risk professionals and data privacy professionals can work together to ensure their organization is resistant to data breaches. Listen for actionable ideas to improve the cyber security at your organization.

Key Takeaways:

[:01] About RIMS and RIMScast. [:14] Public registration is open for RISKWORLD 2025! RIMS wants you to Engage Today and Embrace Tomorrow in Chicago from May 4th through May 7th. Register at RIMS.org/RISKWORLD and the link in this episode's show notes. [:32] About this episode. We will discuss data privacy with James Burd, the Chief Privacy Officer of The Cyber Infrastructure Security Agency (CISA) here in the U.S. [:58] RIMS-CRMP Workshops! On February 19th and 20th, a two-day virtual workshop for the RIMS-CRMP will be led by former RIMS President Chris Mandel and presented by the RIMS Greater Bluegrass Chapter, the 2024 RIMS Chapter of the Year. [1:20] The next RIMS-CRMP-FED exam course will be held from February 4th through the 6th, 2025. Links to these courses can be found through the Certification page of RIMS.org and this episode's show notes. [1:36] Virtual Workshops! Chris Hansen will return on February 11th and 12th to lead the two-day course “Claims Management”. Gail Kiyomura of The Art of Risk Consulting will host the “Fundamentals of Insurance” virtual workshop on February 19th and 20th, 2025. [1:59] On February 26th and 27th, Elise Farnham of Illumine Consulting will lead “Applying and Integrating ERM”. “Managing Data for ERM” will be hosted by Pat Saporito. That course starts on March 12th, 2025. [2:22] A link to the full schedule of virtual workshops can be found on the RIMS.org/education and RIMS.org/education/online-learning pages. A link is also in this episode's show notes. [2:34] The RIMS Legislative Summit 2025 is back! It will be held on March 19th and 20th in Washington, D.C. Join RIMS for two days of Congressional meetings, networking, and advocating on behalf of the risk management community. [2:51] This event is open for RIMS members only, so if you're not a member, join now! Visit RIMS.org/advocacy for registration details.

[3:02] Interview! It is Data Privacy Week here in the U.S., through January 31st. This is an annual effort to promote data privacy awareness and education. Its events are sponsored by the National Cybersecurity Alliance. This week's theme is Take Control of Your Data. [3:23] Here to discuss how to take control of your data, and the best practices that risk professionals and business leaders need to know, is Chief Privacy Officer of CISA, James Burd. [3:36] James is the senior agency leader responsible for managing and overseeing CISA's privacy, external civil rights, civil liberties, and transparency programs. [3:46] We're going to talk about some of the big events that made headlines in late December and early January around cybersecurity and data privacy and the frameworks and strategies that risk professionals can implement to take control of their data. [4:02] CISA Chief Privacy Officer James Burd, welcome to RIMScast! [4:18] James has a fantastic team of privacy, transparency, and access professionals who provide transparency to the American public while integrating full privacy rights, liberties, and protections into the management of a safe, secure, and resilient infrastructure. [4:48] As Chief Privacy Officer, James Burd's primary responsibility is to ensure that privacy is at the forefront and integrated into every initiative, program, and policy CISA undertakes, regardless of whether it's by policy, process, or technical solutions. [5:00] This includes ensuring compliance with Federal privacy laws and embedding privacy considerations in the agency's operations and partnerships. [5:08] Protecting critical infrastructure inherently involves safeguarding sensitive and critical information that any organization holds, whether it's CISA or any of the many stakeholders of CISA. Privacy and cybersecurity are inherently interconnected. [5:21] CISA ensures its cybersecurity programs focus on protecting systems, networks, and data from unauthorized access while the privacy portion ensures that personal and sensitive data are handled responsibly, ethically, and securely. [5:39] What are the keys to a strong cybersecurity strategy?

[5:52] The work CISA does in the privacy world is to ensure that the information CISA is holding is secure and safeguarded and also to tell the public how exactly they do that. [6:14] In the early days of CISA, it was a Computer Emergency Readiness Team (CERT). CERTs respond to major cybersecurity incidents at a state, local, national, or international level. A cybersecurity incident in the U.S. is similar to a cybersecurity incident in any nation. [6:50] All nations are facing the same cybersecurity issues. CISA's international work is about information sharing and helping each other understand what threats we all face. [7:19] Integrating privacy into risk management frameworks is a core consideration. A lot of the privacy work CISA does with risk managers is for ERM, identifying privacy risks and impacts and ensuring that mitigation strategies align with goals. [7:42] Risk managers are key partners in implementing strong data governance practices. CISA works with them to establish policies for data handling, access, and usage that align with the security needs and privacy protection of an agency or organization. [7:56] Risk managers have the opportunity to help privacy officers identify a privacy problem or privacy risk all across the organization. That's part of the risk manager's job as a point person. [9:13] CISA wants to do this privacy protection work with organizations before a breach. Many privacy professionals have learned the hard way that if you don't collaborate up front, you have to collaborate later, as a result of your emergency. That's not a great day. [9:29] Risk professionals have different viewpoints to consider. They may see that some privacy risks overlap with some financial risks, depending on the risk owner's point of view. It doesn't make sense to solve the same problem in 10 different ways.

[10:30] The National Institute of Standards and Technology (NIST) is a valuable partner of CISA's. NIST can see what works or doesn't work as a conceptual or technical framework. NIST studies a problem from several angles and gives CISA an effective solution for the framework. [11:23] Daniel Eliot of NIST has been on RIMScast. James has collaborated with Daniel. [11:49] CISA is a collaborative agency. It does not exist without its partners and stakeholders. When NIST facilitates conversations between CISA and other stakeholders, it helps CISA figure out, of all the problems in the world, which critical problem we need to solve right now. [12:17] CISA has Cyber Performance Goals or CPGs, which are a subset of the NIST Cybersecurity Framework. CISA will tell a small business that they should start with the CPG and get it right, and then expand to everything else. [12:38] CPGs are not a substitute for a risk management framework, but they are a starting point. The CPGs would not exist if not for the work NIST had done in talking to small, medium, and large businesses and figuring out all the different issues they face.

[13:08] In December, Chinese cyber attackers infiltrated U.S. agencies. When there is a major incident like that, there is a whole-government response. CISA plays an important role in that response, like a firefighter. Law enforcement plays the role of investigator. [14:16] CISA and its interagency partners are heavily involved in responding to recent Chinese activity associated with both Salt Typhoon and Volt Typhoon. They've been working very closely with the Treasury Department to understand and mitigate the impacts of the recent incident. [14:35] There's no indication that any other Federal agency has been impacted by the incident, but CISA continues to monitor the situation and coordinate with other authorities, like the FBI, to ensure that there's a comprehensive response. [14:50] The security of federal systems and data is of critical importance to national security. CISA is working aggressively to safeguard against any further impacts. The People's Republic of China is a persistent threat, specifically, the GRC and related entities, who perform these activities. [15:12] They're one of the most persistent and strategically sophisticated adversaries we face in cyberspace today. The PRC has decades of experience in conducting rampant cyber espionage against U.S. businesses and critical infrastructure. [15:26] CISA has become increasingly concerned over the last year that the PRC is not just doing espionage but is trying to burrow into the critical infrastructure for a rainy day. These state-sponsored activities are coming from campaigns like Volt Typhoon and Salt Typhoon. [15:45] What happened to Treasury provides a stark example of these types of tactics. These tactics target critical infrastructure such as telecommunications, aviation, water, and energy. [15:56] Their goal, as far as we can tell, is not to cause immediate damage but to gain persistent access to those systems and remain undetected until they want to do something. [16:08] CISA has been very involved, not just responding to these incidents, but deeply studying these incidents to understand what is happening and what we need to do as a government and nation to protect ourselves from these burrowing activities.

[16:27] Plug Time! RIMS Webinars! Resolver will be joining us on February 6th to discuss “4 Themes Shaping the Future of GRC in 2025”. [16:39] HUB International continues its Ready for Tomorrow Series with RIMS. On February 20th, they will host “Ready for the Unexpected? Strategies for Property Valuation, Disaster Recovery and Business Continuity in 2025”. [16:55] More webinars will be announced soon and added to the RIMS.org/webinars page. Go there to register. Registration is complimentary for RIMS members. [17:07] Nominations are also open for the Donald M. Stuart Award, which recognizes excellence in risk management in Canada. Links are in this episode's show notes. [17:20] Let's Return to My Interview with James Burd of the Cyber Infrastructure Security Agency!

[17:42] Whether talking about AI, IoT, or 5G, the issues are hardware problems and software problems. [18:02] The issues of the 1970s are similar to the issues of the 2020s, regarding vulnerabilities, exposure, and unsafe practices when developing software and hardware. [18:20] What we're seeing in the emerging technology space with AI, IoT, and 5G is an increase in the volume and velocity of data. The improvement of technology in this space is based on power and efficiency. Software improvement is based on the reach of interconnectivity. [18:34] Privacy and cybersecurity risks do not just appear. We're seeing existing risks and issues increasing in size and complexity. What we previously thought of as a perceived risk is now a real risk, thanks to advances in computational power and the amount of data available. [18:54] It's always been a risk, but it was less likely to occur until this point where there's more data, more volume, and more complexity. AI systems rely on a vast amount of personal data, raising concerns about data security, algorithmic bias, and a lack of transparency. [19:11] We've heard about these risks with machine learning and big data databases. They require governance frameworks that address how data is collected, stored, and used in systems, or, in this case, AI models. [19:28] Those frameworks should be familiar to anyone working in the data protection space or the risk management space for the last three decades. Insurers getting into the cybersecurity space have been paying stark attention to this.

[19:58] We've found out that IoT devices are probably the easiest and most risky entrance points within networks into homes and critical infrastructure devices. The biggest risks they create are unauthorized access, data breaches, and potential surveillance. [20:19] These are not new risks. They're existing risks that are promulgated because of the new avenue to get in. It used to be that the worst thing that could happen to an IoT device like a router is that it gets compromised and becomes part of a botnet to take down websites. [20:38] Today, that still happens, but that IoT device is looked at as the back door for entering someone's network if it's not properly secured. [20:49] In itself, 5G is awesome. There are fantastic things to do with increased data flow. With increased speed and connectivity come the ability to move more data at a time, and we're facing data being transferred in an insecure manner. People don't know what data they're sharing. [21:15] We're running into the same classic issues, but they're exacerbated by something we view as a major success, access. Access should be celebrated, but we shouldn't open doors because we can open them. We need to be able to make sure those doors are secured.

[21:48] James paraphrases Mark Groman, a privacy expert formerly with the FTC. “Privacy and cybersecurity are sometimes viewed as competing priorities. They are two sides of the same coin. I refuse to live in a world where you compromise security for privacy or vice versa.” [22:11] We live in a world where you can have both. The great thing about advancing technologies is that we can do both. Both cybersecurity and privacy aim to protect sensitive data and systems, just from slightly different angles and for different reasons. [22:31] There has to be a collaborative approach between cybersecurity and privacy. An intermediary like a risk professional can help cybersecurity and privacy teams work together. [22:41] By leveraging things like privacy-preserving technologies and designing privacy into cybersecurity measures, organizations can bridge the gap and achieve harmony between the two essential functions. This strengthens the organization and its overall risk management. [22:58] When a risk is realized in one area, it's common for it to be a harmonious risk with another risk in a different area. In the privacy and cybersecurity space, risks overlap often. Conflicts between cybersecurity and privacy are easily bridged. [23:24] Cybersecurity professionals want to collect more data; privacy professionals want you to minimize the amount of data you collect. [23:34] Cybersecurity relies on extensive data collection to detect, monitor, and respond to threats. Privacy wants to collect only what's necessary and maintain it for a minimum time. [23:46] Security monitoring tools like intrusion detection systems may gather logs or metadata that could include personal data, creating potential privacy risks, especially for an insider threat.

[24:00] Organizations can implement privacy-aware cybersecurity solutions that anonymize or pseudo-anonymize data where possible, allowing cybersecurity professionals to get to the root of the problem they're trying to solve while masking sensitive data. [24:13] If you're investigating an insider threat, you can unmask the data. Do you need that data to do the job that you're tasked to do? If not, why run the risk of inappropriately accessing it? [24:53] Privacy frameworks will always encourage transparency about data usage and sharing, especially by private entities doing consumer business and handling personal information. [25:07] The public needs to know what you are collecting from them, how you are using it, and whether you are sharing it. They need to know if you are handling their data securely. [25:38] James would tell cybersecurity professionals that if they think obscurity is security, they should find another job. Obscurity is typically the worst way to secure things. [25:51] There are ways to describe how data is being held or secured by an organization without compromising the cybersecurity tools or techniques used to monitor or look for vulnerabilities. [26:03] Transparency can be maintained without compromising security and can be used in a way to assure the public that an organization is keeping serious security techniques in mind when handling the public's data. James tells how to share that message with the public. [27:08] When James opens software, he reads the Third Party Agreements. He knows most people don't. Government agencies include a plain language version of the agreement. Some private companies are doing the same to help people understand how their data is being used.

[28:40] Quick Break for RIMS Plugs! The first of hopefully many RIMS Texas Regional Conferences will be held in San Antonio from August 4th through August 6th, 2025. [28:58] This groundbreaking event is set to unite the Texas RIMS Chapters and welcome risk management professionals from around the world! Also known as the Risk Management Roundup in San Antonio, you can join as a speaker! [29:11] The Conference planning committee is interested in submissions that explore technology and cyber risk, workforce protection and advancement, energy and sustainability, extreme weather, construction, restaurant, retail, hospitality, and other trending now sessions. [29:28] The deadline to submit your proposal is Monday, February 24th. The link to the event and the submission process is in this episode's show notes. Go check it out! [29:39] The Spencer Educational Foundation's goal to help build a talent pipeline of risk management and insurance professionals is achieved in part by its collaboration with risk management and insurance educators across the U.S. and Canada. [29:58] Since 2010, Spencer has awarded over $3.3 million in general grants to support over 130 student-centered experiential learning initiatives at universities and RMI non-profits. Spencer's 2026 application process will open on May 1st, 2025, and close on July 30th, 2025. [30:20] General grant awardees are typically notified at the end of October. Learn more about Spencer's general grants through the Programs tab at SpencerEd.org. [30:30] Let's Return to the Conclusion of My Interview with the Chief Privacy Officer of CISA, James Burd!

[31:00] A lot of ERM frameworks exist because they were required by regulation or law. [31:10] Privacy professionals are starting to see the same risks that risk management and compliance professionals have been dealing with for decades. The big tools that privacy professionals use are called Data Privacy Impact Assessments (DPIA). [31:29] DPIAs vary, depending on the regulatory framework or law. DPIAs do two things: they identify what data assets you have, and they examine the risks that are associated with the handling of those data assets and what mitigations must be in place to buy down those risks. [31:48] That assessment can populate half of an ERM framework's register. Getting involved with your privacy program manager as they do these DPIAs may first cause the privacy program manager to resist your risk assessment, but a risk in one space is a risk in another space. [32:21] The DPIA is a valuable source of information for a risk manager. You can see the risks earlier. You can identify with the privacy program manager what some of the major risks might become. That means both realized and unrealized risks, which are equally important. [33:06] A privacy program manager will be preoccupied with a lot of the perceived risks. A risk manager wants to know which risks are more likely and identify them early. [33:40] A likelihood assessment will help the privacy officer identify how many “calories” to spend on this risk. The risk manager and privacy manager have a mutually beneficial relationship. They help each other.

[34:17] CISA provides cybersecurity education, news on vulnerabilities and cyber threats, threat intelligence, and service to critical infrastructure providers once there is an incident of some sort. The CISA website shows cyber threat indicators of what a compromise might look like. [35:40] CISA has found novel patterns on networks that make it hard to tell that your network has been compromised. CISA calls those things “Left of Doom.” On the “Right of Doom,” CISA prioritizes the incidents that it responds to. [36:02] CISA focuses primarily on critical infrastructure. If you have a situation CISA cannot respond to, they will assist you through a local field office to find the people to help you, whether it's law enforcement, local cyber security service providers, or a local Emergency Response Team.

[37:03] Companies are involved in the California wildfires. Could an incident like that distract them so that they might become susceptible to data breaches? James notes that you can't address every problem at the same time. Prioritize, rack, and stack. [37:17] Incidents are going to happen. CISA asks agencies and companies to take the time and spend the resources to knock out all the low-hanging fruit. The great majority of incidents CISA sees are bad actors exploiting very simple, easy-to-fix vulnerabilities. [37:55] It might be companies not using encrypted traffic, or only using a password to secure access to a server. The fix is relatively low cost or low impact. It takes time to figure out how to do the fix, but you'll be grateful that you took the time and spent the money to implement it. [38:24] The cost of a greater fix from the breach of a simple vulnerability will be far greater than the resources you'd spend to address it in the first place. Establishing that floor will help you focus on other “fires” that pop up while assuring you won't get “popped” for a silly reason. [38:49] If somebody's going to get you, make sure they've tried their hardest to get you.

[38:58] It's Data Privacy Day today, as this episode is released! It's the start of Data Privacy Week! The theme is Take Control of Your Data! [39:22] Robust privacy governance tips: Figure out where your data asset inventory is for your organization. Keep track of it and keep track of the risk associated with each data asset. Each data asset may have a different set of risks. [39:47] Every organization should maintain a comprehensive inventory of data assets, detailing what data is collected, where it is stored, who has access to it, and how it's used. [39:56] The risk professional probably isn't the one who takes the inventory, but they should have access to it and they should be evaluating that inventory. [40:06] The risk professional can help the privacy manager by helping them establish clear policies and procedures for handling data, access control, and breach response, based on real risk. A privacy officer sometimes has difficulty identifying a real risk over a perceived risk. [40:23] By focusing on real risks, you avoid the problem where privacy officers spend too much energy coming up with solutions for the most unlikely scenarios, leaving organizations unprepared for what's likely to happen.

[40:42] Special thanks again to James Burd of CISA for joining us here on RIMScast! There are lots of links about Data Privacy Day and Data Privacy Week in this episode's show notes. [40:54] Also see links to RIMS Risk Management magazine coverage of data privacy through the years and links to some RIMScast episodes that touch upon the topic. Be sure to tune into last week's episode with Tod Eberle of the Shadowserver Foundation on cyber risk trends of 2025! [41:18] More RIMS Plugs! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in our show notes. [41:47] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information. [42:05] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. [42:23] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more. [42:39] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. [42:53] Justin Smulison is the Business Content Manager at RIMS. You can email Justin at Content@RIMS.org. [43:00] Thank you all for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!

Mentioned in this Episode:
  • RIMS Risk Management magazine
  • RISKWORLD 2025 — May 4-7. | Register today!
  • RIMS Legislative Summit — March 19‒20, 2025
  • Cyber Infrastructure Security Agency
  • National Cybersecurity Alliance | Data Privacy Week 2025
  • Nominations for the Donald M. Stuart Award
  • Spencer Educational Foundation — General Grants 2026 — Application Dates
  • RIMS-Certified Risk Management Professional (RIMS-CRMP)
  • RISK PAC | RIMS Advocacy
  • RIMS Texas Regional Conference 2025 | Submit an Educational Session by Feb. 24.
  • RIMS Webinars: RIMS.org/Webinars
  • “4 Themes Shaping the Future of GRC in 2025” | Sponsored by Resolver | Feb. 6, 2025
  • “Ready for the Unexpected? Strategies for Property Valuation, Disaster Recovery and Business Continuity in 2025” | Sponsored by Hub International | Feb. 20, 2025

Upcoming RIMS-CRMP Prep Virtual Workshops:
  • “Stay Competitive with the RIMS-CRMP” | Presented by the RIMS Greater Bluegrass Chapter | February 19‒20, 2025 | Instructor: Chris Mandel
  • Full RIMS-CRMP Prep Course Schedule

Upcoming Virtual Workshops:
  • “Claims Management” | February 11‒12, 2025 | Instructor: Chris Hansen
  • “Fundamentals of Insurance” | Feb. 19‒20, 2025 | Instructor: Gail Kiyomura
  • “Applying and Integrating ERM” | Feb. 26‒27, 2025 | Instructor: Elise Farnham
  • “Managing Data for ERM” | March 12, 2025 | Instructor: Pat Saporito
  • See the full calendar of RIMS Virtual Workshops
  • RIMS-CRMP Prep Workshops

Related RIMScast Episodes:
  • “Cyberrisk Trends in 2025 with Shadowserver Alliance Director Tod Eberle”
  • “Kicking off 2025 with RIMS CEO Gary LaBranche”
  • “Year In Risk 2024 with Morgan O'Rourke and Hilary Tuttle”
  • “AI and Regulatory Risk Trends with Caroline Shleifer”
  • “Cybersecurity Awareness and Risk Frameworks with Daniel Eliot of NIST” (2024)
  • “Cybersecurity and Insurance Outlook 2023 with Josephine Wolff”

Sponsored RIMScast Episodes:
  • “Simplifying the Challenges of OSHA Recordkeeping” | Sponsored by Medcor
  • “Risk Management in a Changing World: A Deep Dive into AXA's 2024 Future Risks Report” | Sponsored by AXA XL
  • “How Insurance Builds Resilience Against An Active Assailant Attack” | Sponsored by Merrill Herzog
  • “Third-Party and Cyber Risk Management Tips” | Sponsored by Alliant
  • “RMIS Innovation with Archer” | Sponsored by Archer
  • “Navigating Commercial Property Risks with Captives” | Sponsored by Zurich
  • “Breaking Down Silos: AXA XL's New Approach to Casualty Insurance” | Sponsored by AXA XL
  • “Weathering Today's Property Claims Management Challenges” | Sponsored by AXA XL
  • “Storm Prep 2024: The Growing Impact of Convective Storms and Hail” | Sponsored by Global Risk Consultants, a TÜV SÜD Company
  • “Partnering Against Cyberrisk” | Sponsored by AXA XL
  • “Harnessing the Power of Data and Analytics for Effective Risk Management” | Sponsored by Marsh
  • “Accident Prevention — The Winning Formula For Construction and Insurance” | Sponsored by Otoos
  • “Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties” | Sponsored by AXA XL
  • “Elevating RMIS — The Archer Way” | Sponsored by Archer
  • “Alliant's P&C Outlook For 2024” | Sponsored by Alliant
  • “Why Subrogation is the New Arbitration” | Sponsored by Fleet Response
  • “Cyclone Season: Proactive Preparation for Loss Minimization” | Sponsored by Prudent Insurance Brokers Ltd.
  • “Subrogation and the Competitive Advantage” | Sponsored by Fleet Response

RIMS Publications, Content, and Links:
  • RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community!
  • RIMS Virtual Workshops
  • On-Demand Webinars
  • RIMS-Certified Risk Management Professional (RIMS-CRMP)
  • RISK PAC | RIMS Advocacy
  • RIMS Strategic & Enterprise Risk Center
  • RIMS-CRMP Stories — Featuring RIMS Vice President Manny Padilla!

RIMS Events, Education, and Services:
  • RIMS Risk Maturity Model®

Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.

Want to Learn More? Keep up with the podcast on RIMS.org, and listen on Spotify and Apple Podcasts.

Have a question or suggestion? Email: Content@rims.org.

Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn.

About our guest: James Burd, Chief Privacy Officer, Cyber Infrastructure Security Agency (CISA)

Production and engineering provided by Podfly.
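The show notes at [24:00] and [24:13] describe privacy-aware monitoring: pseudonymize personal data in security logs so analysts can still correlate events, and keep a controlled way to unmask it for an insider-threat investigation. The block below is an added worked example of that pattern and is not code from the RIMScast episode, RIMS, or CISA. It assumes keyed HMAC-SHA256 tokens as the pseudonymization technique, a constructed four-line auth log, a placeholder key (`DEMO_KEY`, which in practice would live in a KMS or HSM and be separated from the log store), and a hypothetical user directory for re-identification. Without the key, tokens cannot be linked back to users; with the key, unmasking is a lookup against candidate identities, never a decryption.

```python
"""Pseudonymize user identifiers in security logs; unmask only with the key.

Added example (not from the episode, RIMS, or CISA). Sample log lines and
the key are constructed for illustration; DEMO_KEY is a placeholder.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed sample: syslog-style auth events carrying e-mail user IDs.
SAMPLE_LOG = """\
2025-01-10T08:00:01Z sshd[1201]: Accepted publickey for alice@example.org from 10.0.0.5
2025-01-10T08:00:07Z sshd[1202]: Failed password for bob@example.org from 203.0.113.9
2025-01-10T08:00:09Z sshd[1203]: Failed password for bob@example.org from 203.0.113.9
2025-01-10T08:01:30Z fileserver: alice@example.org downloaded /hr/salaries.xlsx
"""

# Placeholder key; in production this is fetched from a KMS/HSM by a
# separate role so analysts reading logs never hold it.
DEMO_KEY = b"demo-key-replace-with-kms-secret"

USER_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pseudonymize_user(user: str, key: bytes) -> str:
    """Keyed, case-insensitive token for a user ID.

    HMAC (rather than a plain hash) means an attacker who obtains the logs
    cannot brute-force tokens from a list of known e-mail addresses.
    The same user always maps to the same token, so correlation still works.
    """
    digest = hmac.new(key, user.lower().encode(), hashlib.sha256).hexdigest()
    return "user-" + digest[:16]


def pseudonymize_log(text: str, key: bytes) -> str:
    """Replace every user ID in the log text with its token."""
    return USER_RE.sub(lambda m: pseudonymize_user(m.group(0), key), text)


def count_failed_logins(pseudonymized: str) -> dict[str, int]:
    """Detection logic that runs entirely on pseudonymized data."""
    counts: dict[str, int] = {}
    for line in pseudonymized.splitlines():
        if "Failed password for " in line:
            token = line.split("Failed password for ", 1)[1].split()[0]
            counts[token] = counts.get(token, 0) + 1
    return counts


def unmask(token: str, key: bytes, directory: list[str]) -> str | None:
    """Controlled re-identification for an authorised investigation.

    Requires the key plus a directory of candidate identities (assumed to
    come from the IdP); each call should itself be audit-logged.
    """
    for user in directory:
        if hmac.compare_digest(pseudonymize_user(user, key), token):
            return user
    return None


if __name__ == "__main__":
    masked = pseudonymize_log(SAMPLE_LOG, DEMO_KEY)
    print(masked)
    for tok, n in count_failed_logins(masked).items():
        if n >= 2:
            print(f"{tok}: {n} failed logins")
            print("unmasked:", unmask(tok, DEMO_KEY, ["alice@example.org", "bob@example.org"]))
```

The analyst's workflow (counting failures per token) never touches an e-mail address; only the investigation step, which needs the key and the directory, can put a name to the token. Rotating the key breaks cross-period correlation, so rotation cadence is a design decision, not a free change.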

Tech & Main Presents
NIST Cybersecurity Framework for Nonprofits | Shaun St.Hill

Jan 27, 2025, 10:19


This episode was created in Notebook LM using a NIST-based cybersecurity framework I created that focuses on nonprofits. This document outlines a cybersecurity framework for nonprofits, based on the NIST framework. It prioritizes the protection of various data types (member, donor, employee) and assets, emphasizing cybersecurity training and insurance. The framework addresses five core cybersecurity functions: identify, protect, detect, respond, and recover. Each function is mapped to specific organizational objectives and categorized by risk level (high, medium, low, or not applicable). The ultimate goal is to provide a structured approach to managing cybersecurity risks within nonprofit organizations. For more information, please email me at info@techandmain.com or visit www.techandmain.com.

Easy Prey
5 Key Cybersecurity Elements with Kelly Hood

Easy Prey

Play Episode Listen Later Jan 15, 2025 42:37


How do phishing scams, AI-powered attacks, and strategic governance intersect? Together, they're redefining the future of cybersecurity. Organizations are navigating a mix of challenges and implementing innovative solutions to proactively address today's threats.

Today's guest is Kelly Hood. She is the EVP and cybersecurity engineer at Optic Cyber Solutions. She is a CISSP who specializes in implementing cybersecurity and privacy best practices to manage risks and to achieve compliance. She supports the NIST Cybersecurity Framework and serves as a CMMC registered practitioner, helping organizations strengthen their cybersecurity posture and develop effective risk management strategies.

Show Notes:
[01:06] - Kelly is a cybersecurity engineer at Optic Cyber Solutions. It's her job to help companies protect themselves.
[02:17] - Don't be embarrassed if you fall for a phishing scam.
[03:01] - These attempts are getting more realistic. Kelly shares how she was briefly fooled by a phishing scam that looked like an email from her mother.
[05:25] - The NIST Cybersecurity Framework is a voluntary framework for defining cybersecurity. An update was put out in February of 2024. They also added a new function.
[06:01] - The five functions that organize a cybersecurity program have been identify, protect, detect, respond, and recover. They recently added the govern function.
[06:38] - The govern function is about defining your business objectives and then putting protections in place that make sense for those objectives.
[09:01] - The identify function is focused on knowing what we have.
[09:40] - Protect includes everything from identity management, authentication, and training to data security and platform security.
[10:12] - Detect is looking at what's happening around us. It's continuous monitoring and knowing what happens if something goes wrong.
[11:00] - Respond is knowing what the plan is when something does happen.
[12:01] - Recover is about getting back to normal after something happens.
[16:22] - Data centers want to make sure that they have redundant power supplies.
[17:33] - We discuss some of the things that people might forget when identifying cybersecurity assets. Data and people need to be thought about as well as systems and hardware.
[21:00] - We need to write things down and understand what systems and data connections we have.
[23:10] - We talk about the importance of being aware of the physical space and who is actually supposed to be there.
[24:46] - Data is one of the assets that often gets overlooked for protection. There are many new requirements that require data to be protected.
[27:54] - Monitoring to understand what traffic you should expect and what is and isn't normal activity is also important.
[31:10] - Transparency and communication are paramount for creating trust.
[33:51] - Sometimes recovery doesn't mean 100%. Get up and running and prioritize the systems that matter most.
[36:56] - With governance, you really want to look at what you're trying to do with the business and then translate cybersecurity to fit that objective.
[37:27] - Have guidance documentation in place and have oversight.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.

Links and Resources:
Podcast Web Page
Facebook Page
whatismyipaddress.com
Easy Prey on Instagram
Easy Prey on Twitter
Easy Prey on LinkedIn
Easy Prey on YouTube
Easy Prey on Pinterest
Optic Cyber Solutions
(MaPT) Maturity and Progress Tracker
Optic Cyber Solutions on LinkedIn
Optic Cyber YouTube
NIST Cybersecurity Framework

ITSPmagazine | Technology. Cybersecurity. Society
Rebalancing Cyber Security: Prioritizing Response and Recovery in Governance | An Australian Cyber Conference 2024 in Melbourne Conversation with Asaf Dori and Ashwin Pal | On Location Coverage with Sean Martin and Marco Ciappelli

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Dec 10, 2024 28:36


Guests:
Asaf Dori, Cyber Security Lead, Healthshare NSW
On LinkedIn | https://www.linkedin.com/in/adori/
Ashwin Pal, Partner – Cyber Security and Privacy Services, RSM Australia
On LinkedIn | https://www.linkedin.com/in/ashwin-pal-a1769a5/

Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

At the AISA CyberCon 2024 in Melbourne, Sean Martin sat down with Asaf Dori and Ashwin Pal to explore the often-overlooked areas of the NIST Cybersecurity Framework: response and recovery. Both guests highlighted the critical gaps organizations face in these domains and shared practical insights on addressing them.

Asaf Dori, a cybersecurity professional in healthcare and a researcher at the University of Sydney, underscored the need for governance-driven awareness to improve response and recovery capabilities. His research revealed that while organizations invest heavily in prevention and detection, they frequently neglect robust recovery plans. He emphasized the importance of comprehensive disaster recovery exercises over isolated system-based approaches. By linking governance to practical outcomes, Dori argued that organizations could better align their strategies with business resilience.

Ashwin Pal, a partner at RSM with 26 years of experience in IT security, brought a field perspective, pointing out how recovery strategies often fail to meet business requirements. He discussed the disconnect between IT recovery metrics, such as RPOs and RTOs, and actual business needs. Pal noted that outdated assumptions about recovery timeframes and critical systems frequently result in misaligned priorities. He advocated for direct business engagement to establish recovery strategies that support operational continuity.

A key theme was the role of effective governance in fostering collaboration between IT and business stakeholders. Both speakers agreed that engaging business leaders through tabletop exercises is an essential starting point. Simulating ransomware scenarios, for instance, often exposes gaps in recovery plans, such as inaccessible continuity documents during a crisis. Such exercises, they suggested, empower CISOs to secure executive buy-in for strategic improvements.

The discussion also touched on the competitive advantages of robust cybersecurity practices. Dori noted that in some industries, such as energy, cybersecurity maturity is increasingly viewed as a differentiator in securing contracts. Pal echoed this, citing examples where certifications like ISO have become prerequisites in supply chain partnerships.

By reframing cybersecurity as a business enabler rather than a cost center, organizations can align their response and recovery strategies with broader operational goals. This shift requires CISOs and risk officers to lead conversations that translate technical requirements into business outcomes, emphasizing trust, resilience, and customer retention.

This dialogue provides actionable insights for leaders aiming to close the response and recovery gap and position cybersecurity as a strategic asset.

____________________________

This Episode's Sponsors

Threatlocker: https://itspm.ag/threatlocker-r974

____________________________

Resources

Learn more and catch more stories from Australian Cyber Conference 2024 coverage: https://www.itspmagazine.com/australian-cyber-conference-melbourne-2024-cybersecurity-event-coverage-in-australia

Be sure to share and subscribe!

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-society-podcast

Want to tell your Brand Story Briefing as part of our event coverage? Learn More

Redefining CyberSecurity
Rebalancing Cyber Security: Prioritizing Response and Recovery in Governance | An Australian Cyber Conference 2024 in Melbourne Conversation with Asaf Dori and Ashwin Pal | On Location Coverage with Sean Martin and Marco Ciappelli

Redefining CyberSecurity

Play Episode Listen Later Dec 10, 2024 28:36


Guests:
Asaf Dori, Cyber Security Lead, Healthshare NSW
On LinkedIn | https://www.linkedin.com/in/adori/
Ashwin Pal, Partner – Cyber Security and Privacy Services, RSM Australia
On LinkedIn | https://www.linkedin.com/in/ashwin-pal-a1769a5/

Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

At the AISA CyberCon 2024 in Melbourne, Sean Martin sat down with Asaf Dori and Ashwin Pal to explore the often-overlooked areas of the NIST Cybersecurity Framework: response and recovery. Both guests highlighted the critical gaps organizations face in these domains and shared practical insights on addressing them.

Asaf Dori, a cybersecurity professional in healthcare and a researcher at the University of Sydney, underscored the need for governance-driven awareness to improve response and recovery capabilities. His research revealed that while organizations invest heavily in prevention and detection, they frequently neglect robust recovery plans. He emphasized the importance of comprehensive disaster recovery exercises over isolated system-based approaches. By linking governance to practical outcomes, Dori argued that organizations could better align their strategies with business resilience.

Ashwin Pal, a partner at RSM with 26 years of experience in IT security, brought a field perspective, pointing out how recovery strategies often fail to meet business requirements. He discussed the disconnect between IT recovery metrics, such as RPOs and RTOs, and actual business needs. Pal noted that outdated assumptions about recovery timeframes and critical systems frequently result in misaligned priorities. He advocated for direct business engagement to establish recovery strategies that support operational continuity.

A key theme was the role of effective governance in fostering collaboration between IT and business stakeholders. Both speakers agreed that engaging business leaders through tabletop exercises is an essential starting point. Simulating ransomware scenarios, for instance, often exposes gaps in recovery plans, such as inaccessible continuity documents during a crisis. Such exercises, they suggested, empower CISOs to secure executive buy-in for strategic improvements.

The discussion also touched on the competitive advantages of robust cybersecurity practices. Dori noted that in some industries, such as energy, cybersecurity maturity is increasingly viewed as a differentiator in securing contracts. Pal echoed this, citing examples where certifications like ISO have become prerequisites in supply chain partnerships.

By reframing cybersecurity as a business enabler rather than a cost center, organizations can align their response and recovery strategies with broader operational goals. This shift requires CISOs and risk officers to lead conversations that translate technical requirements into business outcomes, emphasizing trust, resilience, and customer retention.

This dialogue provides actionable insights for leaders aiming to close the response and recovery gap and position cybersecurity as a strategic asset.

____________________________

This Episode's Sponsors

Threatlocker: https://itspm.ag/threatlocker-r974

____________________________

Resources

Learn more and catch more stories from Australian Cyber Conference 2024 coverage: https://www.itspmagazine.com/australian-cyber-conference-melbourne-2024-cybersecurity-event-coverage-in-australia

Be sure to share and subscribe!

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-society-podcast

Want to tell your Brand Story Briefing as part of our event coverage? Learn More

Manufacturing Hub
Ep. 184 - ICS Cybersecurity Explained Challenges, Best Practices, and Future Trends with Jason Waits

Manufacturing Hub

Play Episode Listen Later Nov 28, 2024 63:39


In this in-depth conversation, Jason Waits, Chief Information Security Officer (CISO) at Inductive Automation, provides a comprehensive exploration of Industrial Control System (ICS) cybersecurity. With decades of experience securing critical infrastructure and navigating the complexities of Operational Technology (OT) environments, Jason offers actionable insights into the current state and future of cybersecurity in industrial sectors like manufacturing, energy, and water treatment.

The discussion begins with an overview of what makes ICS cybersecurity distinct from traditional IT security. Jason explains how OT systems prioritize availability and safety, presenting unique challenges compared to the confidentiality-driven focus of IT. The conversation highlights key vulnerabilities in ICS environments, such as legacy systems that lack modern security features, poorly designed protocols without encryption, and the risks posed by IT/OT convergence.

Jason dives into common attack vectors, including social engineering (phishing), lateral movement from IT to OT networks, and physical access breaches. He explores real-world case studies like the Colonial Pipeline ransomware attack, the Oldsmar water treatment plant hack, and the Stuxnet worm, illustrating how these vulnerabilities have been exploited and the lessons they offer for building stronger defenses.

The video also emphasizes the critical role of compliance and standards, such as ISA/IEC 62443, the NIST Cybersecurity Framework, and CIS Controls. Jason underscores the difference between compliance and real security, advocating for a "security first, compliance second" philosophy to ensure that organizations focus on mitigating actual risks rather than merely checking regulatory boxes.

As the conversation unfolds, Jason discusses the role of vendors and OEMs in securing ICS environments, detailing how Inductive Automation uses proactive measures like Pwn2Own competitions, bug bounty programs, and detailed security hardening guides to improve the security of their products. He highlights the importance of collaboration between vendors and customers to address challenges like long equipment lifecycles and the growing adoption of cloud services.

Emerging technologies also take center stage, with Jason exploring how artificial intelligence (AI) is transforming threat detection and response, while also enabling more sophisticated attacks like personalized phishing and adaptive malware. He addresses the implications of IT/OT convergence, emphasizing the need for collaboration between traditionally siloed teams and the importance of building shared security frameworks.

For organizations looking to strengthen their cybersecurity posture, Jason offers practical steps, starting with foundational measures like asset management and configuration baselines. He explains how leveraging free resources, such as CIS Benchmarks, and creating a roadmap for cybersecurity maturity can help organizations of all sizes navigate these challenges, even with limited budgets.

Timestamps
0:00 – Introduction and Overview of ICS Cybersecurity
3:15 – Meet Jason Waits: Background and Journey to CISO
6:45 – What Is ICS Cybersecurity? Key Differences Between IT and OT
10:30 – The Importance of Availability and Safety in OT Systems
13:50 – Challenges of Legacy Systems and Long Equipment Lifecycles
17:20 – Attack Vectors: Social Engineering, Lateral Movement, and Physical Access
20:10 – Case Studies: Colonial Pipeline, Oldsmar Water Treatment Plant, and Stuxnet
25:35 – Compliance vs. Security: Jason's “Security First, Compliance Second” Philosophy
30:00 – The Role of Vendors and OEMs in Cybersecurity
34:45 – Inductive Automation's Approach: Pwn2Own, Bug Bounties, and Security Hardening Guides
40:00 – Emerging Technologies: AI in Threat Detection and the Risks of Sophisticated Phishing
45:10 – The Growing Adoption of Cloud in ICS and Its Implications
50:00 – IT/OT Convergence: Opportunities and Challenges
55:15 – Practical Steps for Organizations: Asset Management and Roadmaps
1:00:10 – Building a Security Culture: Collaboration Between IT and OT Teams
1:05:30 – Future Outlook: Increasing Regulations, Ransomware Risks, and Innovation
1:10:00 – Using Cybersecurity as a Competitive Advantage
1:15:00 – Closing Thoughts: The Need for Continuous Learning and Proactive Action

About Manufacturing Hub:
Manufacturing Hub Network is an educational show hosted by two longtime industrial practitioners, Dave Griffith and Vladimir Romanov. Together they try to answer big questions in the industry while having fun conversations with other interesting people. Come join us weekly!

Connect with Us
Vlad Romanov
Dave Griffith
Manufacturing Hub
SolisPLC
Joltek

IJIS Sounds of Safety Podcast
Navigating Cybersecurity - Securing the Perimeter: Strategies from the NIST CSF Protect Function

IJIS Sounds of Safety Podcast

Play Episode Listen Later Oct 15, 2024 23:55


Today, we will dive into the next episode of the Navigating Cybersecurity Series, explaining the NIST Cybersecurity Framework 2.0 step by step. Listen to experts Larry Zorio and Jeramy Cooper-Leavitt as they explore the third core function of the NIST CSF: Protect. The Protect core function supports an organization's ability to secure its assets by reducing the likelihood and impact of adverse events while increasing its ability to take advantage of opportunities successfully.

The Pure Report
Cyber Resiliency Is A Team Sport - Breaking Down Silos to Create a Culture of Security Awareness

The Pure Report

Play Episode Listen Later Oct 7, 2024 50:12


In an era where cyber threats are becoming increasingly sophisticated and devastating, organizations can no longer afford to treat cybersecurity as the sole responsibility of their security teams. This episode of the Pure Report features industry veterans Jason Walker, Tech Strategy Director of Cyber Resilience, and Jason Langer, Tech Evangelist, to explore why cyber resilience must be approached as a team sport, breaking down the traditional silos between IT operations and security teams. Drawing from their extensive experience in data protection and security, the two Jasons delve into the stark realities of cyber impacts, including the sobering statistic that one in five organizations report employee terminations following outages. They examine the NIST Cybersecurity Framework through a collaborative lens, offering insights into how different teams can work together across the five key areas: Identify, Protect, Detect, Respond, and Recover. Through real-world examples and strategic discussions, listeners will develop a deeper understanding of why alignment between IT leaders and CISOs is crucial for building true cyber resilience. As organizations grapple with evolving threats, this timely discussion during Cybersecurity Awareness Month offers actionable strategies for fostering cross-team collaboration. The episode explores the evolution of cybersecurity conversations over the past five years, provides practical advice for improving security posture through teamwork, and highlights Pure Storage's role in enabling organizations to build robust cyber resilience strategies. Whether you're an IT professional, security specialist, or business leader, this episode provides valuable insights into transforming your organization's approach to cybersecurity from a siloed responsibility to a collaborative effort. For more information on Pure Storage and Cyber Resiliency during CyberSecurity Awareness Month, go to: www.purestorage.com/cyber-resilience.

Root Causes: A PKI and Security Podcast
Root Causes 427: Mapping CLM to NIST CSF 2.0

Root Causes: A PKI and Security Podcast

Play Episode Listen Later Oct 1, 2024 15:46


In this episode we map the contributions of Certificate Lifecycle Management into the new NIST Cybersecurity Framework 2.0.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 170: Assessment, Compliance, and Improvement Strategies for the CISSP Exam (Domain 6.5)

CISSP Cyber Training Podcast - CISSP Training Program

Play Episode Listen Later Aug 26, 2024 40:55 Transcription Available


Ever wondered how to ensure your organization's cybersecurity measures meet international standards? Join us for an action-packed episode as we unpack Domain 6.5 of the CISSP exam, exploring crucial assessments, tests, and audit strategies every cybersecurity professional should master. Learn the importance of choosing a consistent framework like ISO 27001 or the NIST Cybersecurity Framework to steer your audit processes. We'll dive into internal and external audits and the pivotal role they play in aligning security measures with legal and regulatory compliance.

Discover the essentials of security control testing within your organization. We discuss various mechanisms such as vulnerability assessments, penetration testing, and log review analysis, focusing on their significance in pinpointing and mitigating potential security threats. Highlighting tools like Nessus and Qualys, we examine their effectiveness in regular vulnerability scanning, along with the importance of log reviews to detect malicious activities. From black box testing on web applications to understanding how hackers manipulate logs, we cover all the bases to fortify your defenses.

In our cloud security management segment, we tackle the risks associated with orphaned accounts and offer best practices for managing cloud-based accounts. Regular management audits, multi-factor authentication, and semi-annual reviews are just a few of the key strategies we discuss to ensure robust cloud security. We also emphasize the importance of cybersecurity audit planning and reporting, sharing practical examples and tips for creating actionable reports for different stakeholders.

Finally, we underline the value of mentorship and the importance of certifications like CISSP for advancing your career in cybersecurity, highlighting the critical role certified professionals play in safeguarding our global economy from cyber threats.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

The CyberCast
CIS Controls - Version 8.1 Update Overview

The CyberCast

Play Episode Listen Later Aug 9, 2024 52:09


With the release of NIST Cybersecurity Framework 2.0, CIS felt strongly that an update to the Controls was necessary to cross-map to CSF 2.0. Specifically, the strongest driver was the release of the Govern function.

Co-hosts:
Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/
Brian Blakely: https://www.linkedin.com/in/bblakley/
Eric Woodard: https://www.linkedin.com/in/eric-woodard/

Sponsored by Right of Boom cybersecurity conference: https://www.rightofboom.com/

The Secure Developer
Implementing A DevSecOps Program For Large Organizations With David Imhoff

The Secure Developer

Play Episode Listen Later Jul 23, 2024 40:29


Episode Summary

In this episode of The Secure Developer, David Imhoff, Director of DevSecOps and Product Security at Kroger, shares insights on implementing DevSecOps in large organizations. He discusses balancing regulatory compliance with business objectives, fostering a security culture, and the challenges of risk mitigation. David also explores the importance of asset management, security champions, and the potential impact of AI on cybersecurity practices.

Show Notes

In this episode of The Secure Developer, host Danny Allan speaks with David Imhoff, Director of DevSecOps and Product Security at Kroger, about implementing security programs in large organizations. David shares his experience transitioning from blue team operations to engineering and back to security, emphasizing the importance of understanding both security and engineering perspectives to create effective DevSecOps programs.

The conversation delves into the challenges of starting a security program in a large retail organization, with David highlighting the importance of understanding regulatory requirements, such as HIPAA, and aligning security measures with business objectives. He discusses the use of the NIST Cybersecurity Framework for measuring and reporting security posture to the board, and the process of balancing security needs with business risk appetite.

David explains Kroger's approach to building a security culture, including the implementation of a security champions program and the use of Objectives and Key Results (OKRs) to drive security initiatives. He details the company's strategies for centralizing security policies while allowing flexibility in implementation across different engineering teams. The discussion also covers the integration of security tools into the development pipeline, including the use of GitHub Actions for vulnerability scanning and management.

The episode explores various security technologies employed at Kroger, including Software Composition Analysis (SCA), Static Application Security Testing (SAST), API security, and secrets scanning. David shares insights on the challenges of prioritizing security alerts and the ongoing effort to provide a cohesive view of risk across multiple tools. The conversation concludes with a discussion on the potential impact of AI on security practices, including the new challenges it presents in areas such as data poisoning and model management, as well as the potential for AI to improve threat modeling processes.

Links
NIST Cybersecurity Framework

Follow Us
Our Website
Our LinkedIn

Automation Chat
Manufacturing & Industrial Automation News Report, July 9, 2024, from Automation Chat

Automation Chat

Play Episode Listen Later Jul 9, 2024 7:43


In this episode of “Automation Chat," Executive Editor Theresa Houck highlights news in industrial automation and manufacturing. Learn about the NIST Cybersecurity Framework 2.0; a new GenAI prescriptive maintenance work-order software; research about digital services and about global supply-chain conditions; Endress+Hauser's new Pennsylvania facility; Rockwell Automation plans for an India facility; and a BionicBee! As always, get your family-friendly, silly Joke of the Day. Resources from this episode: NIST Cybersecurity Framework 2.0. Learn about the Fiix Asset Risk Predictor Software with GenAI prescriptive maintenance work orders. Learn more about the ARC Advisory Group Digital Services Study. Download The Journal's 2024 "CPG Automation" eHandbook. Watch video of the Festo Corp.'s BionicBee in flight. To subscribe to our 4 print magazines (Feb., May, July and Oct.), e-mail Anna Hicks at ahicks@endeavorbusinessmedia.com. Subscribe to our 4 digital magazines at http://rok.auto/thejournal-subscribe. Please leave us a 5-star rating and a review — we appreciate it. “Automation Chat" is brought to you by The Journal From Rockwell Automation and Our PartnerNetwork magazine. ** Named Best Podcast 2 Consecutive Years! 2022 & 2023 Apex Awards of Publication Excellence.

Compliance Unfiltered With Adam Goslin
Episode 133 - NIST Cybersecurity Framework 2.0 is Live!

Compliance Unfiltered With Adam Goslin

Play Episode Listen Later Jul 8, 2024 19:42


On this episode of Compliance Unfiltered - It's finally here! NIST Cybersecurity Framework 2.0 has finally been released and the CU guys are going to give you the full breakdown. What's new? What's different? What is going to make the biggest difference in the way you approach NIST CSF? All these answers and more on this week's Compliance Unfiltered!

Cyber Risk Management Podcast
EP 160: How to Find Your Top 5 Cyber Risks

Cyber Risk Management Podcast

Play Episode Listen Later Jun 18, 2024 46:22


You can find your top 5 cyber risks using a “top down” approach with the NIST Cybersecurity Framework. Along the way, you can shift your organization towards better practice of reasonable cybersecurity. Know how? Let's find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates. You can see our "zero through ten" scale scorecard here -- https://b.link/scorekey You can watch our interview prep video here -- https://b.link/interview

GovCast
New NIST Cybersecurity Framework Harmonizes Guidelines Across Sectors

GovCast

Play Episode Listen Later May 28, 2024 25:20


NIST's new Cybersecurity Framework published earlier this year gives organizations a new set of harmonized cybersecurity guidelines and best practices. It's the first major update in 10 years and broadens its scope beyond critical infrastructure entities. Cherilyn Pascoe, director of NIST's Cybersecurity Center of Excellence, had a large role in developing the new framework. She said the plan emphasizes the importance of cybersecurity in an evolving technological environment and discusses how others can tailor it to their organizations across missions. Pascoe also highlights a growing focus in broader cybersecurity priorities around post-quantum cryptography and AI, and explains how NIST's Center of Excellence is developing additional guidance for the community.

Federal Drive with Tom Temin
Analysis of latest NIST cybersecurity framework

Federal Drive with Tom Temin

Play Episode Listen Later May 23, 2024 9:56


Lots of people pay attention to the Cybersecurity Framework from the National Institute of Standards and Technology. NIST came out with a major update recently, the first such update since 2018. For an analysis of what's changed, Federal Drive Host Tom Temin spoke with attorney Lance Taubin, senior associate on the Cyber and Data Team at Alston and Bird.

Federal Drive with Tom Temin
Analysis of latest NIST cybersecurity framework

Federal Drive with Tom Temin

Play Episode Listen Later May 23, 2024 10:41


Lots of people pay attention to the Cybersecurity Framework from the National Institute of Standards and Technology. NIST came out with a major update recently, the first such update since 2018. For an analysis of what's changed, Federal Drive Host Tom Temin spoke with attorney Lance Taubin, senior associate on the Cyber and Data Team at Alston and Bird.

Cybercrime Magazine Podcast
Talking Cyber. SaaS Compliance Through NIST Cybersecurity Framework. Sponsored By Adaptive Shield.

Cybercrime Magazine Podcast

Play Episode Listen Later Apr 23, 2024 9:37


Talking Cyber is a Cybercrime Magazine podcast series that covers the latest news and breaking stories on the cybereconomy, hackers, intrusions, privacy, security and much more. In this episode, which is sponsored by Adaptive Shield, host Amanda Glassner is joined by Heather Engel, Managing Partner at Strategic Cyber Partners, to discuss SaaS compliance through the NIST Cybersecurity Framework. To learn more about our sponsor, visit https://adaptive-shield.com.

Fique Seguro
Dominando o NIST Cybersecurity Framework 2.0: O Que Mudou e Como Aplicar na Sua Organização

Fique Seguro

Play Episode Listen Later Mar 22, 2024 48:53


Welcome to today's episode of Blue Team Academy, where we dive deep into the newly released NIST Cybersecurity Framework 2.0 (CSF 2.0) and explore how it can transform cybersecurity in your organization. Whether you are just starting out in cybersecurity or already have experience in the field, this episode is essential for understanding what CSF 2.0 brings and how to implement it effectively. In this episode we cover the fundamentals of CSF 2.0, including the additions and adjustments made since the previous version. We discuss the new "Govern" function, the reinforced importance of supply chain risk management, and strategies for a successful implementation, ensuring that your organization not only meets current standards but is also prepared for future cybersecurity challenges. We also offer valuable insights from cybersecurity experts and share real case studies from organizations that are already implementing CSF 2.0. They share their experiences, the challenges they faced and how they overcame them, offering practical tips you can start applying today. Whether your organization is small or large, CSF 2.0 is a flexible tool designed to help improve security at every level. Watch this episode to discover how you can use CSF 2.0 to strengthen your company's security posture, improve cyber resilience and promote a conscious, proactive security culture. Join us at Blue Team Academy to stay ahead of cyber threats and transform your organization's security with the NIST Cybersecurity Framework 2.0. Don't forget to like, comment with your questions or experiences, and subscribe to our channel for more valuable content on information security. Until then, stay safe and informed! #BlueTeamAcademy #CSF20 #NIST #Cibersegurança #SegurançaDigital #FrameworkDeSegurança

Cybercrime Magazine Podcast
Cyber Tide. Unpacking NIST CSF 2.0 & The Cyber Landscape. Mark Sangster, Chief Of Strategy, Adlumin.

Cybercrime Magazine Podcast

Play Episode Listen Later Mar 21, 2024 16:09


Mark Sangster, cybersecurity author and expert, is the Chief of Strategy at Adlumin. In this episode, he joins host Heather Engel to discuss the latest updates and advancements in cybersecurity frameworks and best practices, focusing on the recently released Version 2.0 of the widely adopted NIST Cybersecurity Framework, or CSF. Cyber Tide is a Cybercrime Magazine podcast series brought to you by Adlumin. Working to revolutionize the way organizations secure sensitive data, Adlumin finds the newest cracks being exploited and shines a light on correcting the issue in real-time, with expert guidance. To learn more about our sponsor, visit https://adlumin.com

IJIS Sounds of Safety Podcast
Navigating Cybersecurity - What is a Framework?

IJIS Sounds of Safety Podcast

Play Episode Listen Later Mar 21, 2024 33:18


For our first episode, we're thrilled to welcome Larry Zorio, Chair of the IJIS Cybersecurity Working Group, and valued Working Group member, Jeramy Cooper-Leavitt, who will lead us through an insightful discussion. Together, they'll explore the intricacies of cybersecurity frameworks and the critical role they play in bolstering an agency's cyber risk management. This episode is the first of multiple that will examine the core functions of the NIST Cybersecurity Framework.

Technology for Business
Securing Government Agencies: Cybersecurity Best Practices

Technology for Business

Play Episode Listen Later Mar 20, 2024 28:04


Join Todd, COO & CISO, and Nate, Director of Cybersecurity & vCISO, as they dive into the world of government cybersecurity. In this podcast, they unlock the secrets to safeguarding sensitive data and infrastructure, sharing their expertise on a range of topics. From understanding the unique requirements of federal, state, and local government cybersecurity to leveraging resources and guidance from CISA, Todd and Nate leave no stone unturned. They discuss the non-negotiable elements and tackle the intricate challenges faced by government agencies, including CJIS, FedRAMP, and software as a service. Stay up to date with the latest on the NIST Cybersecurity Framework 2.0 and discover how it can revolutionize governance and implementation strategies. Plus, they reveal why CISA should be every government agency's best friend, offering invaluable information, tools, and services to fortify your cybersecurity defenses. Tune in to become a cybersecurity champion in the public sector!

Learn more about:
- CISA
- Cybersecurity Alerts & Advisories
- Cyber Hygiene Services
- The NIST Cybersecurity Framework 2.0

Cyber Crime Junkies
A Story of Innovation in Privacy. Merry Marwig.

Cyber Crime Junkies

Play Episode Listen Later Mar 6, 2024 55:33 Transcription Available


This is the story of Merry Marwig and innovative approaches to data privacy, the second episode in our series on privacy with Merry. Merry Marwig, a privacy professional with DataGrail, discusses how to reduce risk when managing data privacy. She emphasizes the value and power of data, as well as the need for transparency and consent. Merry also discusses the role of privacy in business and the challenges of privacy compliance. She concludes by highlighting the intersection of privacy and security and the importance of aligning the two.

Key Takeaways
- Data monetization has become normalized, with companies collecting and selling personal data without consumers being fully aware.
- User awareness about privacy practices and data collection is crucial.
- Moving beyond passwords and implementing stronger authentication methods is essential for better security.
- Personal privacy can be compromised, and hiring authorized agents can help manage privacy requests.
- Automation can help operationalize privacy requests and save time and resources.
- Privacy tools should have least-privilege access to ensure data security.

Chapters
- 2:33 The Implications of Data Brokers
- 4:23 Managing Data Sprawl
- 6:03 The Importance of System Inventory
- 9:47 The Threat of Weaponizing Access Requests
- 11:49 The Historical Context of Privacy
- 12:56 The Cultural Differences in Privacy
- 15:22 The Use and Abuse of Data
- 17:24 The Need for Privacy Education
- 19:52 The Importance of Privacy in Business
- 22:34 The Growing Landscape of Privacy Laws
- 24:46 The Impact of State Privacy Laws
- 26:25 The Challenges of Privacy Compliance
- 28:22 The Need for Automated Privacy Solutions
- 30:20 The Intersection of Privacy and Security
- 31:08 The NIST Cybersecurity Framework for Privacy
- 34:45 The Changing Landscape of Privacy
- 36:09 The Importance of Privacy and Security Alignment
- 40:09 Privacy in Organizations
- 51:32 Operationalizing Privacy
- 53:13 Data Monetization and Privacy

Try KiteWorks, the most secure managed file transfer system, at www.KiteWorks.com, and don't miss our video on the KiteWorks offer. Watch video episodes and subscribe to our YouTube channel. Want to help us out? Leave us a 5-star review on Apple Podcast Reviews. Submit your questions directly and find out more at www.CyberCrimeJunkies.com. Stay up to date on cybersecurity with the VIGILANCE newsletter. Want gear? We love our small business sponsor, BlushingIntrovert.com, which has it all: women's clothing and cool accessories supporting mental health research. https://blushingintrovert.com

Security Management Highlights
March 2024: The Next Evolution of Cyber Guidance, Plus How COVID Changed K-12 Behavioral Assessments

Security Management Highlights

Play Episode Listen Later Mar 5, 2024 24:36


Wondering where to start with cybersecurity management? For the past 10 years, the NIST Cybersecurity Framework has been an essential guiding document. Now NIST has released a revamped version of the CSF. Security Management Senior Editor Megan Gates explains what changes this new edition of the gold standard for cybersecurity best practices brings for security practitioners worldwide. Also in this episode, school psychologist Amy Lowder discusses how students' behavior and related threat assessments have changed in K-12 schools since the start of the COVID-19 pandemic.

Additional Resources
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- More on cybersecurity from Security Management: https://www.asisonline.org/security-management-magazine/Topics/cybersecurity/
- Read more about school security and early intervention here: https://www.asisonline.org/security-management-magazine/articles/2024/03/schools/
- Learn about adapting behavioral threat assessment to students' developmental stages: https://www.asisonline.org/security-management-magazine/articles/2024/03/schools/weighing-development-k12-risk-assessment/
- Learn how Amy Lowder and Cabarrus Schools are changing behavioral threat assessments: https://www.wral.com/story/nc-schools-adding-threat-assessment-teams-amid-concerns-about-student-safety/21253173/
- Read best practices about leveraging school resource officers through NASRO: https://www.nasro.org/clientuploads/NASRO_BestPractices21.pdf

The Gate 15 Podcast Channel
Weekly Security Sprint EP 55. MDM, hostile events, health, and ransomware

The Gate 15 Podcast Channel

Play Episode Listen Later Mar 5, 2024 29:08


On this week's Security Sprint, Dave and Andy discussed the following topics:

Opening
- TribalHub hosts online Tribal Cybersecurity Summit March 7. Gate 15 is grateful to contribute to Tribal-ISAC and to facilitate the Opening Welcome and Keynote: Cybersecurity Organizational Structures and Best Practices Based Upon Tribe Size and Cyber Maturity Level!
- Health-ISAC Workshop: Enhancing Threat Awareness and Preparedness for Active Shooter/Hostile Event Response (ASHER) Attacks in Health Services Facilities
- Healthcare sector "stretched thin" in fight against cyber attacks, warns CSO of Health-ISAC
- PCAST Releases Report on Strategy for Cyber-Physical Resilience

Main Topics

Info Ops (Dave)
- BleepingComputer article on content farms: https://www.bleepingcomputer.com/news/security/content-farm-impersonates-60-plus-major-news-outlets-like-bbc-cnn-cnbc/
- AI Chatbots Provide False Information About November Elections
- 2024 Elections Misinformation Tracking Center
- Pennsylvania creates fact-checking website ahead of 2024 election
- Media Habits and Misinformation Susceptibility of Adults Aged 55 Years and Older: Findings from a RAND American Life Panel Survey
- Germany accuses Moscow of 'disinformation attack' in leaking senior officers' call

- Man Pleads Guilty to Firebombing Planned Parenthood Clinic and Plotting to Attack Electrical Substation
- CDC: Immunization and Respiratory Diseases Bulletin
- Wenstrup Announces Hearing on White House's Role in Pandemic Preparedness and Response

Ransomware Updates
- Proofpoint, 2024 State of the Phish: 69% of Organizations Infected by Ransomware in 2023
- Trend Micro: LockBit Attempts to Stay Afloat With a New Version
- Top 10 Issues General Counsel Need to Know About Ransomware in 2024
- CISA, FBI, and MS-ISAC Release Advisory on Phobos Ransomware
- Fulton County, Georgia, refuses to pay ransom, again
- The Mysterious Case of the Missing Trump Trial Ransomware Leak
- A large US health care tech company was hacked. It's leading to billing delays and security concerns
- Health-care hack spreads pain across hospitals and doctors nationwide

Quick Hits
- CORRECTED: SAVE THE DATE! CISA Hosts CISA Live! Open Source Software Security on Thursday, March 7 at 1:00 PM EST
- The White House Warns Cars Made in China Could Unleash Chaos on US Highways
- Statement from President Biden on Addressing National Security Risks to the U.S. Auto Industry
- FACT SHEET: Biden-Harris Administration Takes Action to Address Risks of Autos from China and Other Countries of Concern
- US to probe if Chinese cars pose national data security risks
- U.S. launches investigation of Chinese vehicles, citing security risks
- Senator asks FTC to investigate automakers' data privacy practices
- CISA and Partners Release Advisory on Threat Actors Exploiting Ivanti Connect Secure and Policy Secure Gateways Vulnerabilities
- FACT SHEET: President Biden Issues Executive Order to Protect Americans' Sensitive Personal Data

AI & Tech
- As House task force work begins, Rep. Bonamici is 'very worried' about AI, 'and we all should be'
- Google working to fix Gemini AI as CEO calls some responses "unacceptable"
- US tech giants refuse to work with Britain's top secret military censorship board
- How AI Will Help the World's Top Hospital CEOs Transform Health Care
- OpenAI claims the Times cheated to get ChatGPT to regurgitate articles
- Tumblr and WordPress to Sell Users' Data to Train AI Tools
- Apple to disclose AI plans later this year, CEO Tim Cook says

- Denmark closes probe into Nord Stream blasts, saying there are not enough grounds for a criminal case
- NIST Cybersecurity Framework 2.0 Officially Released
- PRESS RELEASE: Future Software Should Be Memory Safe
- Joint Statement Endorsing Principles for 6G: Secure, Open, and Resilient by Design
- Scammers Use Couriers to Retrieve Cash and Precious Metals from Victims of Tech Support and Government Impersonation Scams

The CyberWire
Cyberattack causes a code red on US healthcare.

The CyberWire

Play Episode Listen Later Mar 4, 2024 30:01


The US healthcare sector is struggling to recover from a cyberattack. Russia listens in via Webex. The former head of NCSC calls for a ransomware payment ban. An Indian content farm mimics legitimate online news sites. The FTC reminds landlords that algorithmic price fixing is illegal. FCC employees are targeted by a phishing campaign. Experts weigh in on NIST's updated cybersecurity framework. Police shut down the largest German-speaking cybercrime market. Guest Mike Hanley, Chief Security Officer and Senior Vice President of Engineering at GitHub, shares insights with Ann Johnson of Afternoon Cyber Tea. And celebrating the most inspiring women in cyber.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Mike Hanley, Chief Security Officer and Senior Vice President of Engineering at GitHub, shares insights with Ann Johnson of Afternoon Cyber Tea. You can hear their full discussion here, and tune in to Microsoft Security's Afternoon Cyber Tea every other Tuesday on the N2K CyberWire Network.

Selected Reading
- Health-care hack spreads pain across hospitals and doctors nationwide (Washington Post)
- Russia's chief propagandist leaks intercepted German military Webex conversation (The Record)
- Cyber ransoms are too profitable. Let's make paying illegal (The Times UK)
- News farm impersonates 60+ major outlets: BBC, CNN, CNBC, Guardian… (Bleeping Computer)
- Price fixing by algorithm is still price fixing (Federal Trade Commission)
- FCC Employees Targeted in Sophisticated Phishing Attacks (SecurityWeek)
- Industry Reactions to NIST Cybersecurity Framework 2.0: Feedback Friday (SecurityWeek)
- Germany takes down cybercrime market with over 180,000 users (Bleeping Computer)
- Exceptional Women Recognised for Contribution to Cyber Industry at Most Inspiring Women in Cyber Awards 2024 (IT Security Guru)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Privacy Please
S5, E202 - The Next Chapter in Cybersecurity Strategies

Privacy Please

Play Episode Listen Later Feb 29, 2024 21:38 Transcription Available


Could the addition of 'Govern' to the NIST Cybersecurity Framework 2.0 be the game-changer in how we approach cybersecurity governance? We unravel the significant evolution of the framework, which now bolsters enterprise risk management with a holistic approach that is essential for any organization, big or small. We dissect the interplay of the six functions, Identify, Protect, Detect, Respond, Recover, and the new kid on the block, Govern, and how this integration across the entire lifecycle of protection can redefine the conventional cybersecurity steps. No stone is left unturned as we debate the necessity of maintaining distinct cybersecurity and privacy frameworks in the face of increasing overlap, a question that is becoming more pertinent as the digital age advances.

Your Cyber Path: How to Get Your Dream Cybersecurity Job
EP 114 - NIST CSF Versus The Top 18

Your Cyber Path: How to Get Your Dream Cybersecurity Job

Play Episode Listen Later Jan 19, 2024 50:07


About this episode

In this episode, Kip Boyle and Jason Dion discuss the importance of cybersecurity in the current digital landscape and compare two standards: the NIST Cybersecurity Framework and the CIS Top 18. The NIST Framework was created to help organizations become cyber resilient and offers an adaptable, comprehensive approach to cyber risk. The CIS Top 18 (the CIS Critical Security Controls), on the other hand, provides an actionable, practical checklist of controls that is prioritized and sequenced. Both frameworks provide cybersecurity measures suited to different applications; they can be used individually, or they can complement each other in a comprehensive cybersecurity strategy. Be aware that operating all 18 CIS controls can be quite expensive for smaller organizations, which is one reason many people choose the NIST CSF instead. When selecting a framework for your organization, consider factors such as organizational size and specific needs, the threats faced, and the budget available for implementation.

Relevant websites for this episode
- The NIST Cybersecurity Framework (CSF): https://www.nist.gov/cyberframework
- The 18 CIS Critical Security Controls: https://www.cisecurity.org/controls/cis-controls-list

Other relevant episodes
- EP 62 – The NIST Cybersecurity Framework
- EP 79 – Mid-Career Transition Success Story with Steve McMichael
- EP 83 – Automating NIST Risk Management Framework with Rebecca Onuskanich

CYBER LIFE
Cyber Life Podcast Ep.19 - Unveiling the Power of Cybersecurity Risk Management with Shawn Robinson

CYBER LIFE

Play Episode Listen Later Dec 7, 2023 23:16


Ask me a question here: https://topmate.io/ken_underhill

In this episode, I had the privilege of hosting Shawn Robinson, a distinguished Cybersecurity Risk Management Program Manager with over three decades of experience in the telecommunications, network, and security technology fields, with a strong focus on the financial services industry. Shawn is also a US Army veteran, President of the Charlotte Metro ISC2 Chapter, and holds numerous industry certifications, including the Certified Information Systems Security Professional (CISSP) certification.

Join us as Shawn dives into the critical world of cybersecurity risk management and governance. In this episode, Shawn explores:
- How risk management and governance play a pivotal role in establishing a robust security foundation for organizations, enabling them to effectively tackle emerging threats.
- Insights into the upcoming NIST Cybersecurity Framework and recent SEC rules, highlighting the significant changes and implications they bring for businesses. Learn Shawn's advice for how security leaders can navigate these new waters.
- How security leaders can bridge the gap between technical cybersecurity and the strategic decisions essential at the executive level, aligning security with business goals.
...and much more.

Learn how to be successful in job interviews in less than one hour, so you can get higher job offers: https://cyberken23.gumroad.com/l/jbilol/youtube20

If you need cybersecurity training, here are some good resources. Please note that I earn a small affiliate commission if you sign up through these links for the training.
- Learn ethical hacking skills: https://get.haikuinc.io/crk0rg6li6qd
- Get ethical hacking skills, SOC analyst skills, and more through StationX: https://www.stationx.net/cyberlife

Support this podcast at https://redcircle.com/cyber-life/donations

Futurum Tech Podcast
Ripple's CBDC Innovate 2023: AnChain.AI's Impact on Digital Asset Security and Compliance - Futurum Tech Webcast

Futurum Tech Podcast

Play Episode Listen Later Dec 4, 2023 17:23


In this episode of the Futurum Tech Webcast, host Steven Dickens converses with Francesco Piccoli, Senior Director at AnChain.AI, about the company's involvement in Ripple's CBDC Innovate 2023 competition. They discuss AnChain.AI's security and risk management role, offering compliance and anti-money laundering services to various sectors, including crypto companies, financial institutions, and governments. They also dive into how AnChain's AI-driven analytics enhance blockchain data understanding and contribute to AML practices, regulatory efforts, and hacking investigations. The discussion also touches on the challenges of blockchain security and AnChain's efforts to apply traditional cybersecurity best practices to the digital asset space.

Their discussion covers:
- An overview of AnChain.AI, a company that specializes in security and risk management, particularly in compliance and anti-money laundering for digital assets.
- How AnChain.AI uses AI to analyze blockchain data, aiding in risk assessment and understanding smart contracts.
- How AnChain.AI's AI algorithms streamline investigations, quickly tracing digital asset movements in cases of hacks or fraud.
- AnChain.AI's focus on improving cybersecurity in the blockchain industry, applying standards like the NIST Cybersecurity Framework to enhance digital asset security.

Learn more about Ripple on the company's website and AnChain's entry on Devpost.

ConstructorCast
ConstructorCast - Constructing Cyber Resilience

ConstructorCast

Play Episode Listen Later Nov 17, 2023 33:38


Join us as we explore the dynamic intersection of cybersecurity and the commercial construction industry. Our guest, CJ Dietzman at Alliant Insurance Services, talks about the latest trends in cyber threats, risk management strategies, and innovative solutions shaping the future of digital resilience on construction sites. Don't miss this insightful episode for a blueprint for safeguarding your projects against evolving cyber challenges. #ConstructorCast #Cybersecurity #ConstructionTech #AlliantInsurance #TheMoreRewardingWay

Guest: CJ Dietzman, Senior Vice President, Alliant Cyber, Alliant Insurance Services
https://www.linkedin.com/in/cj-dietzman-cissp-cisa

Resources:
- Read Cyber Risk & Security Considerations in the Construction Industry: https://alliant.com/news-resources/article-cyber-risk-security-considerations-in-the-construction-industry/
- Learn more about Alliant Cyber: https://alliant.com/risk-management/risk-solutions/cyber/
- The NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- ISO/IEC 27001: https://www.iso.org/standard/27001
- Contact Alliant Cyber at alliantcyber@alliant.com

She Said Privacy/He Said Security
How Smaller Companies Can Mitigate Cybersecurity Risks and Comply With the New SEC Rules

She Said Privacy/He Said Security

Play Episode Listen Later Nov 9, 2023 43:49


Brian Haugli is the Co-founder and CEO of SideChannel, a cybersecurity company that provides cyber risk assessment and ensures cybersecurity compliance for mid-sized organizations. He is a 20-year industry veteran who has led programs for the Department of Defense, the Pentagon, the Intelligence Community, and Fortune 500 companies. With expertise in NIST guidance, threat intelligence implementations, and strategic organization initiatives, Brian is a sought-after speaker and the host of the #CISOlife podcast and YouTube channel. Brian also co-authored Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework, an analysis of cybersecurity risk planning and management principles.

In this episode… Public and private companies should prepare to meet SEC regulations, with the new cybersecurity rules set to take effect in December. However, with cybersecurity assessment costs starting at six figures, how can small and mid-sized companies maintain compliance? Organizations that lack the resources of larger corporations can reduce costs by securing an information security consultant. These consultancies develop customized compliance programs to identify specific cybersecurity risks and recommend cost-effective strategies. For companies that adopt this type of service, cybersecurity expert Brian Haugli suggests retaining a CISO for at least 80 hours per month. During this time, a CISO should be able to formulate risk management solutions, including acceptance, mitigation, and transfer.

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels interview Brian Haugli, CEO of SideChannel, for an in-depth conversation about cybersecurity. Brian discusses the inspiration behind SideChannel and its mission, how mid-size companies can afford to retain a CISO, and procedures for navigating ransomware demands.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 086: Decoding Data Roles in CISSP and Navigating NIST Guidelines for Cybersecurity Governance (D2.4)

CISSP Cyber Training Podcast - CISSP Training Program

Play Episode Listen Later Nov 6, 2023 34:48 Transcription Available


Ever wondered why there's such a massive gap in cyber skills, particularly in this era of economic slowdowns? As we juggle an increasing number of job roles, budget cuts, and layoffs, now is the time to polish off your cybersecurity skills. We tackle the Biden administration's latest push for knowledge on security gaps, the increasing insider threats, and the surprising dearth of AI skills in the industry.

Navigating the cybersecurity landscape has never been more crucial. We demystify the role of a data owner and the responsibilities it entails: data classification, setting access controls, and managing the data life cycle. The conversation doesn't stop there. We also delve into the roles of data controllers, processors, custodians, and administrators, all crucial players in data protection. We also take a deep dive into the NIST Cybersecurity Framework and its implications for these roles.

It's not all about the professionals. Users also play a pivotal role in data protection, and we shed light on the various responsibilities that come with it. We explore topics from authentication and authorization to awareness and training. We also touch on key regulations and laws that apply to data owners, custodians, and users. Wrapping up this insightful conversation, we discuss the significance of specialized cybersecurity coaching and mentorship programs. Whether you're a seasoned professional or a novice in the cybersecurity world, this episode promises to equip you with valuable insights to help you thrive. Tune in for a riveting exploration of the cybersecurity landscape.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign up to join the team for free.

Reimagining Cyber
SEC Cyber Rules Just Got Real - Ep 69

Reimagining Cyber

Play Episode Listen Later Nov 1, 2023 18:06 Transcription Available


The SEC cyber rules take effect in December, but what have been the developments and impacts since they were announced at the beginning of the year? Up for discussion:

- The row back on having a cybersecurity expert on the board. "You may have one or more board members that have a high-level understanding of cybersecurity but how much true awareness do they have of what the organization's doing? They may be able to understand the context of an incident better, but they may not have true insight."

- The four-business-day disclosure window, which runs from the determination that an incident is material, in which to confirm a breach, understand its impact and coordinate notifications. "It's a very, very tight window to get all that set of detail included. They are looking for details around what the actual scope is of this breach to the other, the actual timing interval. That's a very, very difficult task."

- The Clorox cyberattack and how it relates to the SEC cyber rules. "One of the things I think is really interesting to see is Clorox and the security incident that occurred there and the approach that they've taken as it relates to the SEC cyber ruling there. They're almost a test case at this point. Clorox actually has released three separate 8-K filings."

- Do private companies also need to be wary of the SEC cyber rules? "What the SEC has responsibility for is directly impacting public companies. All private companies though need to have their ears up here because the SEC does have a willingness to stretch their regulatory perimeter over to include private companies."

- The significance of the How Material is That Hack website (https://howmaterialisthathack.org/). "They're trying to show what the actual estimated loss would equate to based on the information that they've seen. They do things in a way, which is kind of interesting. They do like a primary and a secondary cost model."

Follow or subscribe to the show on your preferred podcast platform. Share the show with others in the cybersecurity world. Get in touch via reimaginingcyber@gmail.com

@BEERISAC: CPS/ICS Security Podcast Playlist
EP 141: What's New in NIST CSF v2

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Oct 1, 2023 39:36


Podcast: Cyber Risk Management Podcast. Episode: EP 141: What's New in NIST CSF v2. Pub date: 2023-09-26. What's going to be in version 2 of the NIST Cybersecurity Framework? Let's find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Cyber Risk Management Podcast
EP 141: What's New in NIST CSF v2

Cyber Risk Management Podcast

Play Episode Listen Later Sep 26, 2023 39:36


What's going to be in version 2 of the NIST Cybersecurity Framework? Let's find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

TechTank
Exploring the NIST Cybersecurity Framework 2.0

TechTank

Play Episode Listen Later Sep 11, 2023 38:15


In this episode of the TechTank Podcast, co-host Nicol Turner Lee discusses what is new in the recently released draft of Cybersecurity Framework 2.0. Joining the podcast to discuss those changes is Cherilyn Pascoe, Director of the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology (NIST), who also shares resources and tools that organizations of any size and sector can access.

It's 5:05! Daily cybersecurity and open source briefing
Episode #129: Malicious Word Documents Hiding As PDFs; Is it time to nuke your Venmo account?; Part Three: 10 Tasks Slowing Down Security Professionals; Changes to NIST Cybersecurity Framework; This Day in Tech History

It's 5:05! Daily cybersecurity and open source briefing

Play Episode Listen Later Aug 31, 2023 10:01


Serious Privacy
Privacy Popcorn with Paul and K

Serious Privacy

Play Episode Listen Later Aug 16, 2023 33:34 Transcription Available


In this episode of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal share a healthy serving of privacy popcorn featuring India's new law, Georgia's new law, Meta news, Argentina and Kenya and Worldcoin, China, the NIST Cybersecurity Framework call for comments, and more, including California's adequacy decision from the Dubai International Financial Center. If you have comments or questions, find us on LinkedIn, Twitter @podcastprivacy @euroPaulB @heartofprivacy and email podcast@seriousprivacy.eu. Rate and review us! Proudly sponsored by TrustArc. Learn more about the TRUSTe Data Privacy Framework verification and upcoming webinars. #heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Cybersecurity Insiders
Episode 5 | Understand, Manage, and Reduce Cybersecurity Risk By Understanding N.I.S.T Standards

Cybersecurity Insiders

Play Episode Listen Later Jun 29, 2023 64:50


NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. The Framework is voluntary but highly effective in helping businesses of every size understand how to improve their security posture. In Episode 5, NIST Research Team Supervisor Apostol Vassilev talks at a very high level about NIST standards, how following these standards can help protect your business, and what's new in the criminal world that should keep you up at night. It's sure to be an informative discussion.

Innovation in Compliance with Tom Fox
Supply Chain Cyber Risk Management with Steve Horvath

Innovation in Compliance with Tom Fox

Play Episode Listen Later Jun 27, 2023 25:52


Imagine a world where your organization is constantly at risk of a cyber-attack, yet no solution seems fully secure. In this episode of Innovation In Compliance, host Tom Fox and guest Steve Horvath explore the complex landscape of supply chain cyber risk management. They examine the high-profile breaches of Home Depot and Target, as well as the critical importance of frameworks like the NIST Cybersecurity Framework. Steve delves into the challenges faced by organizations, the need for effective risk management strategies, and the evolving landscape of cybersecurity in the public and private sectors.

Steve Horvath is a seasoned cybersecurity expert who has spent nearly two decades at Telos, a prominent cybersecurity firm focused on protecting government and industry networks. Since joining Telos in 2006, Steve has been instrumental in developing cybersecurity strategies and services for various elements of the U.S. federal government, including the intelligence community and the Department of Defense. Today, he leads the way in driving compliance and risk management initiatives with a focus on innovative solutions like Xacta.

You'll hear Tom and Steve discuss:
●   Telos' platform, Xacta, began as a web-based application focused on facilitating the rigorous compliance activities of federal standards, and has since evolved into a sophisticated platform for managing cybersecurity risks.
●   Cybersecurity risk is unique and highly challenging, and unlike other forms of risk, it doesn't lend itself to transference. Insurance policies won't save an organization from a devastating cyber attack.
●   Many organizations, particularly public ones, need to shift their mentality from accepting some level of risk to striving for robust cybersecurity operations that minimize risk as much as possible.
●   Education at the board level about the threats and implications of cybersecurity is a crucial yet often overlooked factor. The conversation around this is gaining traction, with initiatives such as the SEC's rule about having a board member with a cybersecurity background.
●   The Home Depot and Target hacks brought widespread attention to cybersecurity risks, highlighting the need for organizations to be proactive in managing threats and vulnerabilities.
●   The NIST Cybersecurity Framework provides a practical and easily understood framework for organizations to assess and improve their cybersecurity posture. It enables effective communication between security operators and the board, fostering a common language and understanding.
●   Supply chain cybersecurity is a critical concern, particularly for software and IT hardware sourcing. Having a software bill of materials and understanding the ingredients within the software helps organizations assess their exposure and potential vulnerabilities.
●   Network attack surface refers to understanding an organization's exposed systems and identifying potential points of ingress or exfiltration of data.
●   Mitigating risks, such as phishing attacks, requires robust security education programs for users.
●   Creating an actionable cyber intelligence strategy involves having the right stakeholders and roles within the organization, selecting a suitable framework (such as NIST or ISO standards), and ensuring continuous validation and improvement of cybersecurity measures.

KEY QUOTE: “You really have to do exceptional cybersecurity operations, and the best way to influence cybersecurity operations… is having some teeth behind a set of conditions and compliance requirements that guide you toward making the best decision…" - Steve Horvath

Resources:
Steve Horvath on LinkedIn | Twitter
Telos | Telos Corporation on Twitter

AVANT Technology Insights with Ken Presti
Derek Siler - Protect Applications using NIST Cybersecurity Framework

AVANT Technology Insights with Ken Presti

Play Episode Listen Later Jun 7, 2023 25:05


In this episode, Niko O'Hara, the Head of Engineering at AVANT, and Derek Siler, the Solutions Architect at Flexential, dive into the NIST cybersecurity framework, focusing specifically on how we can use it to protect critical IT workloads. They talk through the details of the framework itself, as well as each individual category. Lastly, they hit on how you can use this as the foundation for a complete cybersecurity strategy. Click the “play” button to get started!

Your Cyber Path: How to Get Your Dream Cybersecurity Job
EP 95: The Cybersecurity Student Perspective with Sam Bodine

Your Cyber Path: How to Get Your Dream Cybersecurity Job

Play Episode Listen Later Apr 28, 2023 44:49


https://www.yourcyberpath.com/95/

In the beginning, our hosts Jason Dion and Kip Boyle talk a little bit about their new company, Akylade, which is going to provide affordable cybersecurity training. They discuss their initial motivations to start the company, what the plan for the company is, and what the road map for Akylade looks like.

Then, we get into the topic of our episode, introducing our guest, Samuel Bodine, a cybersecurity sophomore and the leader of the cyber defense team at Liberty University in Virginia. Sam discusses the different aspects of the competitions they take part in, where organizers simulate a business environment and bring in hackers to test the cyber defense team's ability to protect that environment.

Sam also mentions that one of the biggest benefits he finds in college is networking, and that you can make lots of connections that could really help you down the road. On the other hand, sometimes you just have to start from nothing, as he tells the story of how he walked into Lockheed Martin with a resume asking for an internship and got it a week later. Jason then goes over internships, how they work, and how they can be very useful for both the company and the intern.

In the end, Sam mentions his trifecta for the perfect cybersecurity advancement: certifications, hands-on practice, and real-life job experience. When you combine these three, you can have a great holistic understanding of cybersecurity. To cap it off, Jason highlights that it is crucial to show initiative, and that you need to show how much you want something and how doing so can help you achieve it.

What You'll Learn
●   What is Akylade?
●   What is it like to be on a collegiate cyber defense team?
●   How to build your network?
●   How useful is an internship?
●   What is the trifecta of cybersecurity education?

Other Relevant Episodes
●   Episode 80 - Risk Management Framework with Drew Church
●   Episode 54 - New Cohost Jason Dion
●   Episode 62 - The NIST Cybersecurity Framework

Wiley Connected
AI Risk Management: A Discussion with NIST's Elham Tabassi on the NIST AI Risk Management Framework

Wiley Connected

Play Episode Listen Later Apr 6, 2023 44:00


In this episode of Wiley Connected, we are joined by Elham Tabassi, Chief of Staff in the Information Technology Laboratory at NIST, who leads NIST's efforts to create an Artificial Intelligence Risk Management Framework (the “AI RMF”). We discuss the overall goals of the AI RMF (1:31), the use of a risk-based approach to AI (6:02), different categories of risks in AI (10:24), approaches to fairness, bias, and explainability in AI (15:09), core risk management functions for organizations (with a nod to the NIST Cybersecurity Framework) (25:18), how broadly the AI RMF applies and how to define “AI” (30:39), and how the AI RMF fits into international efforts on AI (35:20). Programming note: This interview was recorded prior to NIST's March 30, 2023 official announcement of the Trustworthy and Responsible AI Resource Center, including the first complete version of the companion AI RMF Playbook.

Data Protection Gumbo
186: Why Compliance is Not Security - CyberSecurity Specialist

Data Protection Gumbo

Play Episode Listen Later Mar 14, 2023 26:14