Podcasts about security controls

  • 72 PODCASTS
  • 161 EPISODES
  • 30m AVG DURATION
  • 1 MONTHLY NEW EPISODE
  • Oct 16, 2025 LATEST

Latest podcast episodes about security controls

Cloud Wars Live with Bob Evans
Inside the AutomatePro and ServiceNow Partnership Driving AI-Powered Automation | Cloud Wars Live

Oct 16, 2025 · 14:26

Kieron Allen speaks with Chris Pope, Chief Product Officer at AutomatePro, in an in-depth discussion that is part of a broader series of podcasts, articles, and reports on ServiceNow's evolving ecosystem. They explore how intelligent automation and agentic AI are reshaping DevOps and quality assurance. The conversation also highlights how AutomatePro's built-on approach enhances developer productivity, reduces risk, and ensures security, all within the ServiceNow environment.

AutomatePro's AI Edge

The Big Themes

  • AutomatePro's Core Mission: AutomatePro focuses on solving one of the most time-consuming parts of software delivery: testing and documentation. Pope explains that their goal isn't to replace humans but to augment their efforts through intelligent automation. By embedding deeply within the ServiceNow platform, AutomatePro allows developers and platform owners to automate repetitive tasks early in the development cycle, ensuring higher-quality releases and faster deployment.
  • Human-AI Collaboration Wins: The myth of AI replacing people is outdated. Pope reframes the conversation: it's not about replacement, it's about enablement. The real winners will be those who know how to use AI effectively. Today's Copilots are context-aware, learning from human behavior and adapting to different personas — whether it's a developer, analyst, or HR owner. Prompt engineering is emerging as a vital skill, and the better the prompt, the better the AI-driven output.
  • DevOps Innovation Without Compromise: AutomatePro and ServiceNow are reshaping DevOps by making speed and quality compatible. Historically, faster releases meant riskier ones. With AutomatePro's intelligent testing automation, that tradeoff no longer exists. Frequent, smaller releases — the “fixed forward” model — are now safer thanks to early automation, embedded security, and contextual AI. Pope argues that platform owners and developers are the new heroes in enterprise IT, and equipping them with Copilots, intelligent workflows, and instant feedback loops unlocks untapped value.

The Big Quote: "You're not going to be replaced by AI per se, you're going to be replaced by someone that knows how to use AI effectively."

More from ServiceNow and AutomatePro: Follow AutomatePro on LinkedIn or learn more about ServiceNow and intelligent automation. Visit Cloud Wars for more.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 283: Practice CISSP Questions - Security Controls for Developers (Domain 8.3)

Sep 25, 2025 · 18:19 · Transcription available

Dive into the critical world of software development security with Sean Gerber as he tackles Domain 8.3 in this knowledge-packed CISSP Question Thursday episode. We examine fifteen challenging questions that address the security controls essential for protecting code throughout the development lifecycle.

Discover why static application security testing integrated directly into your CI/CD pipeline stands as the gold standard for catching vulnerabilities early, and why developer arguments about "unlikely" buffer overflow exploits should never persuade you to leave vulnerabilities unaddressed. The podcast breaks down the crucial difference between partial mitigations and proper vulnerability elimination, providing you with the decision-making framework you'll need both for the CISSP exam and real-world security leadership.

The episode doesn't shy away from controversial topics, including the persistent myth of "security through obscurity" and why it fails as a protection strategy. You'll learn why security code reviews by senior developers remain irreplaceable for identifying business logic vulnerabilities, while generic security checklists prove ineffective against sophisticated threats. For those working with cloud platforms, open-source libraries, or outsourced development, Sean offers targeted guidance on the controls that matter most in each scenario.

Beyond the technical content, Sean shares his passion for helping adoptive families through the nonprofit initiative supported by purchases at CISSPCyberTraining.com. Every training package purchased contributes to providing grants and low-interest loans to families looking to adopt children who need loving homes.

Ready to strengthen your understanding of software security while preparing for your CISSP certification? This episode delivers actionable insights, exam-ready knowledge, and the confidence to tackle Domain 8.3 questions with expertise. Listen now and take another step toward mastering the crucial intersection of development and security that today's organizations desperately need.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

CISSP Cyber Training Podcast - CISSP Training Program
CCT 277: Practice CISSP Questions - Data Security Controls (Domain 2.6)

Sep 4, 2025 · 36:27 · Transcription available

Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv

Dive into the multifaceted world of data security controls with Sean Gerber as he unpacks CISSP Domain 2.6. The episode opens with a fascinating glimpse into the creative ingenuity of technology users—a student who managed to hack a TI-84 calculator to access ChatGPT during exams. This real-world example perfectly illustrates why robust data security controls are more crucial than ever in our interconnected world.

Sean meticulously breaks down the three fundamental data states—data at rest, data in transit, and data in use—providing clear explanations of the unique protection mechanisms each requires. You'll discover why data is rarely truly "at rest" unless completely powered off and disconnected, and why this understanding is vital for comprehensive protection strategies. The discussion extends to emerging technologies like homomorphic encryption, which promises to keep data encrypted throughout all states, though it's still evolving.

The heart of effective data protection lies in classification and labeling, and Sean offers practical advice on implementing these systems. Starting small with clearly defined data sets, standardizing nomenclature, and utilizing visual cues like color-coding are just a few of the actionable strategies shared. You'll gain insights into Digital Rights Management (DRM), Data Loss Prevention (DLP), and Cloud Access Security Brokers (CASBs)—three critical components of a comprehensive data security framework.

Perhaps most valuable is Sean's emphasis on understanding organizational risk tolerance. As he eloquently puts it, "If you don't know the risk for your company, find out somebody who does." This perspective shift from pure protection to risk-aligned security can transform how security professionals approach their role and communicate with leadership.

Whether you're studying for the CISSP exam or looking to enhance your organization's data protection strategy, this episode delivers practical wisdom drawn from real-world experience. Visit CISSP Cyber Training for additional resources, and remember—understanding data security isn't just about passing an exam; it's about becoming a more effective guardian of your organization's most valuable assets.

Microsoft Mechanics Podcast
Microsoft Purview: New data security controls for the browser & network

Apr 9, 2025 · 9:57 · Transcription available

Protect your organization's data with Microsoft Purview. Gain complete visibility into potential data leaks, from AI applications to unmanaged cloud services, and take immediate action to prevent unwanted data sharing. Microsoft Purview unifies data security controls across Microsoft 365 apps, the Edge browser, Windows and macOS endpoints, and even network communications over HTTPS —all in one place. Take control of your data security with automated risk insights, real-time policy enforcement, and seamless management across apps and devices. Strengthen compliance, block unauthorized transfers, and streamline policy creation to stay ahead of evolving threats. Roberto Yglesias, Microsoft Purview Principal GPM, goes beyond Data Loss Prevention (DLP) and shows how to ensure your data stays protected no matter where it goes.

► QUICK LINKS:
00:00 - Data Loss Prevention in Microsoft Purview
01:33 - Assess DLP Policies with DSPM
03:10 - DLP across apps and endpoints
04:13 - Unmanaged cloud apps in Edge browser
04:39 - Block file transfers across endpoints
05:27 - Network capabilities
06:41 - Updates for policy creation
08:58 - New options
09:36 - Wrap up

► Link References
Get started at https://aka.ms/PurviewDLPUpdates

► Unfamiliar with Microsoft Mechanics?
As Microsoft's official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.
• Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries
• Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog
• Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast

► Keep getting this insider knowledge, join us on social:
• Follow us on Twitter: https://twitter.com/MSFTMechanics
• Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/
• Enjoy us on Instagram: https://www.instagram.com/msftmechanics/
• Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics

CISSP Cyber Training Podcast - CISSP Training Program
CCT 211: Practice CISSP Questions - Data Security Controls and Compliance Requirements (Domain 2.3)

Jan 16, 2025 · 18:21 · Transcription available

Unlock the secrets to acing your CISSP exam with insights that blend real-world cybersecurity wisdom and innovative study strategies. Ever wondered how a data breach, like the one at SuperDraft, can teach you crucial lessons about protecting your information? We'll explore how securing your data and freezing your credit are essential steps in the fight against password reuse risks. Join Sean Gerber as we unpack the vital role of asset owners in defining access control policies and delve into the challenges of managing virtual assets in cloud environments, where virtual machine sprawl poses significant threats. Plus, get excited about potential new tools and a gamified platform that could revolutionize your CISSP study experience.

Prepare to navigate the complex realm of data security and asset management as we spotlight the critical need for security and compliance in handling both tangible and intangible assets. Discover the hidden risks of inadequate encryption and learn why regular audits of hardware and software inventories are non-negotiable. We'll emphasize the importance of tagging cloud resources for cost management and explore the secure disposal of sensitive data. With discussions on data classification schemes, configuration management systems, and the dangers of shadow IT, you'll gain the insights needed to maintain consistent configurations and ensure license compliance, all while reducing security vulnerabilities. Tune in to arm yourself with the knowledge that will propel your cybersecurity career forward.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every month for the next 12 months—completely free! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

CISSP Cyber Training Podcast - CISSP Training Program
CCT 210: Data Security Controls and Compliance Requirements for the CISSP (Domain 2.3)

Jan 13, 2025 · 41:02 · Transcription available

Unlock the secrets of data security and asset management with Shon Gerber as your guide. Ever wondered how to navigate the intricate world of CISSP cyber training and protect your organization from data breaches? This episode promises to equip you with essential strategies to conduct security assessments, especially when third-party vendors like Gravy Analytics come into play. Learn why educating your employees on location tracking dangers is crucial and how mobile device control systems can fortify your data privacy defenses.

Dive deep into the roles of information and asset owners within organizations, and discover how effective data classification and collaboration can safeguard your most sensitive information. Shon discusses the critical nature of aligning responsibilities and understanding data ownership for compliance with regulations such as GDPR and HIPAA. With a clear plan and defined roles, your organization will be better prepared for audits and risk management. Understand the distinction between data creation and usage responsibility, and transform your approach to asset lifecycle management.

As we touch upon the challenges of managing virtual sprawl and cloud environments, Shon shares insights into tackling unchecked growth and escalating costs. Explore the nuances of cloud-based asset management across platforms like AWS, Azure, and Google Cloud. Learn the importance of resource visibility, cost management, and how to handle data residency and sovereignty issues. Finally, grasp the complexities of cloud environments, from encryption to rogue device identification, and forge a robust plan to mitigate vulnerabilities and compliance violations.

ITSPmagazine | Technology. Cybersecurity. Society
Simplifying Cybersecurity for IT Service Providers: A New Era of Cyber Protection for Small and Medium Businesses | A Guardz Brand Story with Sarah Lampert and William Barr

Dec 20, 2024 · 44:54

In this Brand Story episode, Sean Martin and Marco Ciappelli explore how Guardz is transforming cybersecurity for Managed Service Providers (MSPs) and small to medium-sized businesses (SMBs). The discussion features insights from Sarah Lampert, Customer Success Manager, and William Barr, Account Executive at Guardz, who shed light on the company's innovative approach to simplifying and optimizing cybersecurity solutions.

Bridging the Gap for SMBs

Small to medium-sized businesses often lack dedicated IT or security teams, leaving them vulnerable to cyber threats. William Barr emphasizes how Guardz fills this gap by providing MSPs with tools tailored for SMBs. These tools simplify security management, offering MSPs a unified platform that addresses complex needs without requiring a patchwork of expensive, disparate solutions.

Ease of Use and Flexibility

Guardz stands out by offering a user-friendly, AI-powered platform that integrates seamlessly into MSPs' existing workflows. Sarah Lampert highlights the platform's simplicity, enabling even small MSPs to onboard quickly and manage cybersecurity effectively. The product's flexibility allows MSPs to scale their offerings, catering to clients with varying security needs while keeping costs manageable.

Key features include:

  • Unified detection and response capabilities.
  • Customizable security controls for different client environments.
  • User-based pricing models that eliminate device-based cost complexities.

Support Beyond Technology

Guardz doesn't stop at providing a robust platform—it empowers MSPs through comprehensive support. Sarah Lampert explains how the Customer Success team aids MSPs with onboarding, marketing materials, and strategic advice, ensuring they position Guardz as a core component of their service stack. The company also facilitates continued learning through webinars, hands-on trials, and direct communication channels.

Innovative AI Integration

AI plays a pivotal role in Guardz's ability to streamline cybersecurity. By analyzing patterns and predicting risks, the platform helps MSPs preempt threats and respond efficiently. William Barr underscores AI's potential to reduce manual effort while enhancing security accuracy, making advanced protection accessible to smaller organizations.

Cyber Insurance: A Competitive Edge

Guardz takes its commitment a step further by integrating cyber insurance into its offerings. Qualified clients can access affordable coverage directly through Guardz, ensuring SMBs meet evolving security and compliance standards. This feature not only protects businesses but also equips MSPs with a unique selling point.

The Future of Guardz

As Guardz continues to evolve, its focus remains on simplifying cybersecurity for MSPs while providing scalable, cost-effective solutions for SMBs. The team's proactive approach, coupled with constant feedback integration, ensures the platform stays relevant in a dynamic cybersecurity landscape.

MSPs looking to streamline their operations and enhance client security are encouraged to explore how Guardz can help achieve these goals. For more information, connect with the Guardz team or visit their platform for a trial.

Learn more about Guardz: https://itspm.ag/guardzrgig

Note: This story contains promotional content. Learn more.

Guests:

Sarah Lampert, Customer Success Manager, Guardz [@GuardzCyber]
On LinkedIn | https://www.linkedin.com/in/sarlampert/

William Barr, Account Executive, Guardz [@GuardzCyber]
On LinkedIn | https://www.linkedin.com/in/william-barr-a447541ab/

Resources

Learn more and catch more stories from Guardz: https://www.itspmagazine.com/directory/guardz
For a free 14 day trial of Guardz's platform please visit https://itspm.ag/guardzgvu3 .
Learn more about ITSPmagazine Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs
Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/
Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up
Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story

InfosecTrain
How to Layer Security Controls: The Key to Ultimate Protection!

Dec 1, 2024 · 7:48

In this episode, we dive deep into the concept of Layering Security Controls, one of the most effective strategies to enhance your cybersecurity defense. Whether you're an IT professional or a cybersecurity enthusiast, understanding how to layer security controls can greatly improve your organization's protection against cyber threats.

InfosecTrain
What are Security Controls? Understanding the Basics of Cyber Defense!

Nov 22, 2024 · 9:51

In this episode, we dive deep into Security Controls, exploring what they are, why they're critical for cyber defense, and how they help safeguard sensitive information. Whether you're new to cybersecurity or looking to strengthen your understanding, this comprehensive guide covers all the essential security control types: preventive, detective, and corrective controls.

Fraudology Podcast
How Weak Security Controls can Cost you Millions with Cisco's Rajesh Melappalayam

Nov 5, 2024 · 61:44

Fraudology is presented by Sardine.

In this episode of Fraudology, host Karisse Hendrick is joined by Rajesh Melappalayam, former senior manager of digital fraud and compliance at Cisco, to delve into the intricate world of online fraud targeting Cisco's systems. They explore how fraudsters obtained Cisco serial numbers via social engineering and bot attacks, leading to significant financial losses through fraudulent RMAs (Return Merchandise Authorizations). Rajesh shares insights into the broader impacts of these frauds, including insider threats, the misuse of service contracts, and sophisticated operations involving fake user IDs. The conversation illuminates Cisco's challenges in fraud detection and the innovative strategies Rajesh implemented to bolster fraud prevention efforts.

Fraudology is hosted by Karisse Hendrick, a fraud fighter with decades of experience advising hundreds of the biggest ecommerce companies in the world on fraud, chargebacks, and other forms of abuse impacting a company's bottom line. Connect with her on LinkedIn. She brings her experience, expertise, and extensive network of experts to this podcast semi-weekly, on Tuesdays and Thursdays.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 179: Practice CISSP Questions - Data Security Controls, Labeling, and Cloud Access Security (CISSP Domain 2.6)

Sep 26, 2024 · 20:02 · Transcription available

Ever wondered about the real difference between a data leak and a data breach? Join me, Sean Gerber, on the latest episode of the CISSP Cyber Training Podcast as we unpack the nuances between these two critical cybersecurity concepts. Learn how data leaks often result from human mistakes like weak passwords, while data breaches involve deliberate cyber attacks. We'll walk through different types of sensitive data—including PII, financial information, PHI, and intellectual property—and emphasize the need for precise language to help cybersecurity leaders communicate more effectively and avoid unnecessary panic. Plus, get a sneak peek into a CISSP exam question focusing on the stringent security controls required for data in use.

Choosing the right Data Loss Prevention (DLP) solution doesn't have to be a headache. In this episode, we tackle cost-effectiveness and real-world challenges that come with selecting DLP solutions. Hear about the compatibility hurdles of Digital Rights Management (DRM) solutions, including the struggles between Adobe and Microsoft's products. Discover how DLP and DRM technologies sometimes clash, and learn what to look for to ensure seamless integration. Don't miss these invaluable insights designed to sharpen your cybersecurity acumen and prep you for the CISSP exam.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join today!

CISSP Cyber Training Podcast - CISSP Training Program
CCT 178: Data Security Controls, Labeling, and Cloud Access Security (CISSP Domain 2.6)

Sep 23, 2024 · 37:10 · Transcription available

Ever wondered how a TI-84 calculator can be transformed into a powerful tool for ChatGPT? Join me, Sean Gerber, on this thrilling episode of the CISSP Cyber Training Podcast as we uncover this fascinating tale and explore the evolving landscape of data security. We'll dissect the crucial elements of Domain 2.6 of the CISSP exam, from protecting data-at-rest to data-in-motion, and delve into the significance of Digital Rights Management (DRM) and Data Loss Prevention (DLP). This episode promises to enlighten you on the challenges and solutions of safeguarding data in today's tech-driven world.

Next, we'll explore the meticulous process of establishing a robust labeling schema for data within an organization. Learn how to effectively implement physical and digital labels—such as unclassified, secret, top secret, and confidential—using color coding for easy identification. We'll stress the importance of consistent terminology, well-documented procedures, and controlled access to data classification changes. Discover how to tailor security controls to fit various organizational needs and the pivotal role of IT security leaders in guiding departments to enhance their security measures.

Finally, we address the critical task of aligning IT security controls with an organization's risk tolerance and operational needs. Understand how focusing on critical assets can optimize data protection without spreading resources too thin. We'll highlight the importance of adhering to security frameworks like NIST, GDPR, or PCI DSS, and the role DRM and DLP play in preventing unauthorized data exfiltration. Plus, we'll introduce Cloud Access Security Brokers (CASBs) and discuss their crucial function in enforcing security policies between organizational networks and cloud service providers. This episode is packed with invaluable insights to prepare you for the CISSP exam and elevate your cybersecurity knowledge.

ITSPmagazine | Technology. Cybersecurity. Society
Traceability in Cyber Security: Lessons Learned from the Medical Sector | A Conversation with Kostas Papapanagiotou | Redefining CyberSecurity with Sean Martin

Aug 1, 2024 · 29:28

Guest: Dr. Kostas Papapanagiotou, Advisory Services Director, Census S.A.
On LinkedIn | https://www.linkedin.com/in/kpapapan/

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Episode Notes

Cybersecurity practices for medical devices are crucial, touching on compliance, patient safety, and the rigorous demands of various sectors such as automotive and financial services. In an insightful conversation between Sean Martin, host of the Redefining CyberSecurity Podcast, and Kostas Papapanagiotou, leader of the advisory service division at Census, several key takeaways emerge. Kostas, who has over 20 years of experience in cybersecurity and application security, underscores the complexity of medical devices.

No longer confined to standalone units, modern medical devices may encompass hardware components, software, connectivity to hospital networks or cloud services, and more. Thus, they require a comprehensive security approach.

Kostas notes that the FDA views these devices holistically, requiring all components to be evaluated for security risks. One of the most significant points highlighted is the concept of shared responsibility. According to Kostas, it is essential for medical device manufacturers to consider how their products integrate with existing hospital networks and what security measures are necessary to protect patient information. This extends to issuing guidelines and documentation for secure network integration, an effort that underscores the necessity of thorough and clear documentation in maintaining cybersecurity standards.

Furthermore, Kostas points out that regulations like the FDA's post-market plan necessitate that manufacturers prepare for the entire lifecycle of a device, including potential vulnerabilities that may arise years after deployment. He shares real-world examples, such as the challenge of outdated Android versions in medical devices, which can no longer receive security updates and thus present vulnerabilities. In addition to compliance, the podcast discusses the shift left security paradigm, which emphasizes integrating security measures early in the software development lifecycle to prevent costly and challenging fixes later.

Kostas advocates for proactive threat modeling as a tool to foresee potential risks and implement security controls right from the design phase. This approach aligns with the FDA's emphasis on mitigating patient harm as the ultimate priority.

The conversation also touches on how these rigorous requirements from the medical device sector can inform cybersecurity practices in other critical areas like automotive manufacturing. Kostas remarks that the automotive industry is yet to reach the maturity seen in medical device regulations, often grappling with interoperability and supply chain complexities.

This podcast episode offers vital insights and actionable advice for cybersecurity professionals and organizations involved with critical, life-impacting technologies. Engaging discussions such as these underline the importance of regulatory compliance, thorough documentation, and proactive security measures in safeguarding both technology and human lives.

Sponsors

Imperva: https://itspm.ag/imperva277117988
LevelBlue: https://itspm.ag/attcybersecurity-3jdk3

Redefining CyberSecurity
Traceability in Cyber Security: Lessons Learned from the Medical Sector | A Conversation with Kostas Papapanagiotou | Redefining CyberSecurity with Sean Martin

Redefining CyberSecurity

Play Episode Listen Later Aug 1, 2024 29:28


Guest: Dr. Kostas Papapanagiotou, Advisory Services Director, Census S.A.
On LinkedIn | https://www.linkedin.com/in/kpapapan/

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Episode Notes

Cybersecurity practices for medical devices are crucial, touching on compliance, patient safety, and the rigorous demands of various sectors such as automotive and financial services. In an insightful conversation between Sean Martin, host of the Redefining CyberSecurity Podcast, and Kostas Papapanagiotou, leader of the advisory service division at Census, several key takeaways emerge. Kostas, who has over 20 years of experience in cybersecurity and application security, underscores the complexity of medical devices.

No longer confined to standalone units, modern medical devices may encompass hardware components, software, connectivity to hospital networks or cloud services, and more. Thus, they require a comprehensive security approach.

Kostas notes that the FDA views these devices holistically, requiring all components to be evaluated for security risks. One of the most significant points highlighted is the concept of shared responsibility. According to Kostas, it is essential for medical device manufacturers to consider how their products integrate with existing hospital networks and what security measures are necessary to protect patient information. This extends to issuing guidelines and documentation for secure network integration, an effort that underscores the necessity of thorough and clear documentation in maintaining cybersecurity standards.

Furthermore, Kostas points out that regulations like the FDA's post-market plan necessitate that manufacturers prepare for the entire lifecycle of a device, including potential vulnerabilities that may arise years after deployment. He shares real-world examples, such as the challenge of outdated Android versions in medical devices, which can no longer receive security updates and thus present vulnerabilities. In addition to compliance, the podcast discusses the shift left security paradigm, which emphasizes integrating security measures early in the software development lifecycle to prevent costly and challenging fixes later.

Kostas advocates for proactive threat modeling as a tool to foresee potential risks and implement security controls right from the design phase. This approach aligns with the FDA's emphasis on mitigating patient harm as the ultimate priority.

The conversation also touches on how these rigorous requirements from the medical device sector can inform cybersecurity practices in other critical areas like automotive manufacturing. Kostas remarks that the automotive industry is yet to reach the maturity seen in medical device regulations, often grappling with interoperability and supply chain complexities.

This podcast episode offers vital insights and actionable advice for cybersecurity professionals and organizations involved with critical, life-impacting technologies. Engaging discussions such as these underline the importance of regulatory compliance, thorough documentation, and proactive security measures in safeguarding both technology and human lives.

Sponsors
Imperva: https://itspm.ag/imperva277117988
LevelBlue: https://itspm.ag/attcybersecurity-3jdk3

Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

Data Breach Today Podcast
Purple Teaming: Evaluate the Efficacy of Security Controls

Jul 1, 2024


Info Risk Today Podcast
Purple Teaming: Evaluate the Efficacy of Security Controls

Jul 1, 2024


Risky Business
Risky Biz Soap Box: Why AI shouldn't really change your security controls

Jun 28, 2024 | 35:29


This is a sponsored Soap Box edition of the Risky Business podcast. Abhishek Agrawal is the CEO and co-founder of Material Security, an email security company that locks down cloud email archives. Attackers have been raiding mailspools since hacking has existed, and with those mailspools now in the cloud with services like o365 and Google Workspace, guess where the attackers are going? Material built a product that helps you lock up your email data, to archive and redact sensitive information. The idea is to really just limit what an attacker can do with email data if they pop an account. Abhishek joined me to talk about a few things, like how non phishing resistant MFA is basically dead, how email content is very useful to security programs, and about how the gen AI won't really change much on the defensive control side.

Breaking Into Cybersecurity
Understanding Security Controls for Cyber Insurance with Experts Joe and Abe

Jun 17, 2024 | 29:51


Join us for a special podcast episode where we delve into the critical security controls for cyber insurance. Featuring expert guests Joe from C3 Insurance and Abe Gibson, this discussion helps businesses understand the essential controls needed for obtaining cyber insurance and how to leverage managed security service providers. Learn about the importance of MFA, backups, EDR/MDR, and email security, and discover how you can get the best insurance rates. This insightful conversation is a must-watch for anyone looking to protect their organization from cyber threats.

00:00 Introduction to Cyber Insurance Podcast
00:16 Meet the Experts: Joe and Abe
01:35 Joe's Insight: Real-Life Cyber Insurance Case
04:04 Abe's Perspective: Understanding Cyber Insurance
04:53 Key Security Controls for Cyber Insurance
08:40 Trends and Challenges in Cyber Insurance
15:20 The Role of MSPs in Cyber Insurance
19:31 Exclusive Programs for MSPs
24:42 Final Thoughts and Contact Information

This podcast runs on listener support and funding. Consider supporting this podcast: https://breaking-into-cybersecurity.captivate.fm/support

Check out our books:
Develop Your Cybersecurity Career Path: How to Break into Cybersecurity at Any Level https://amzn.to/3443AUI
Hack the Cybersecurity Interview: A complete interview preparation guide for jumpstarting your cybersecurity career https://www.amazon.com/dp/1801816638/

About the hosts:

Renee Small is the CEO of Cyber Human Capital, one of the leading human resources business partners in the field of cybersecurity, and author of the Amazon #1 best-selling book, Magnetic Hiring: Your Company's Secret Weapon to Attracting Top Cyber Security Talent. She is committed to helping leaders close the cybersecurity talent gap by hiring from within and helping more people get into the lucrative cybersecurity profession. https://www.linkedin.com/in/reneebrownsmall/
Download a free copy of her book at [magnetichiring.com/book](http://magnetichiring.com/book)

Christophe Foulon focuses on helping to secure people and processes with a solid understanding of the technology involved. He has over ten years of experience as an experienced Information Security Manager and Cybersecurity Strategist with a passion for customer service, process improvement, and information security. He has significant experience in optimizing the use of technology while balancing the implications to people, processes, and information security by using a consultative approach. https://www.linkedin.com/in/christophefoulon/
Find out more about CPF-Coaching at https://www.cpf-coaching.com

- Website: https://www.cyberhubpodcast.com/breakingintocybersecurity
- Podcast: https://feeds.captivate.fm/breaking-into-cybersecurity/
- YouTube: https://www.youtube.com/c/BreakingIntoCybersecurity
- Linkedin: https://www.linkedin.com/company/breaking-into-cybersecurity/
- Twitter: https://twitter.com/BreakintoCyber
- Twitch: https://www.twitch.tv/breakingintocybersecurity

Mentioned in this episode:
Thank you to CPF Coaching for Sponsoring

ITSPmagazine | Technology. Cybersecurity. Society
Celebrating 15 Years of Leadership in Cloud Security: Preview of CSA AI Summit at RSA 2024 with Jim Reavis and Illena Armstrong | An RSA Conference 2024 Conversation | On Location Coverage with Sean Martin and Marco Ciappelli

May 16, 2024 | 23:54


Guests:
Jim Reavis, CEO at Cloud Security Alliance [@cloudsa]
On LinkedIn | https://www.linkedin.com/in/jimreavis/
Illena Armstrong, President at Cloud Security Alliance [@cloudsa]
On LinkedIn | https://www.linkedin.com/in/illenaarmstrong/

Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

Episode Notes

Join Sean Martin as he hosts an in-depth discussion with Illena Armstrong, President of Cloud Security Alliance, and Jim Reavis, CEO and Founder. Illena shares her excitement for celebrating the 15th anniversary of the organization while highlighting the industry's shift towards cloud adoption and AI technology. She emphasizes the importance of maintaining security controls, especially in the context of regulatory compliance and cloud provider obligations. The conversation also touches on the rising trend of zero trust security frameworks and the global perspective on AI integration in cybersecurity practices.

Jim Reavis adds valuable insights into the intersection of AI and cloud security, highlighting the need for a holistic approach that combines human intelligence with AI capabilities. He emphasizes the role of security as a catalyst for innovation and business transformation, citing examples of innovative approaches taken by European banks. The discussion also covers the significance of shared responsibility in cybersecurity and the collaborative efforts required to address evolving threats.

The CSA AI Summit promises an engaging lineup of speakers, including industry leaders from Google, Microsoft, and Zscaler, who will shed light on key topics such as incident response, secure development, and business transformation. The full-day event, which kicks off the week at RSA Conference, aims to bring together a diverse audience, ranging from C-suite executives to developers and compliance professionals, fostering meaningful discussions and knowledge sharing. Attendees can expect thought-provoking sessions that explore the intersection of AI and cybersecurity, providing valuable insights for enhancing security practices in the digital age.

Be sure to follow our Coverage Journey and subscribe to our podcasts!

Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
On YouTube:

Redefining CyberSecurity
Celebrating 15 Years of Leadership in Cloud Security: Preview of CSA AI Summit at RSA 2024 with Jim Reavis and Illena Armstrong | An RSA Conference 2024 Conversation | On Location Coverage with Sean Martin and Marco Ciappelli

May 16, 2024 | 23:54



ITSPmagazine | Technology. Cybersecurity. Society
Aligning Safety with Business Strategy to Enable Operational Reliability | 7 Minutes on ITSPmagazine with Rock Lambros | A Short Brand Innovation Story By Rock Cyber

May 1, 2024 | 7:00


Sometimes organizations know they need to do something to improve their cybersecurity posture … or, in some cases, something more, something different. They know there is a disconnect between cybersecurity and the business — they just don't know how to get started or transition to get the best results, given their unique environments and operating processes. What's truly innovative about RockCyber's cybersecurity assessments is how they intertwine cybersecurity strategies directly with business alignment and outcomes. This is not just about securing IT assets; it's about shaping cybersecurity as a strategic advantage that supports overall business goals. The service is tailored for organizations that need a cybersecurity approach that is not only robust but also aligned with their business objectives, enhancing both security and business performance.

This approach solves the key problem of the disconnect between cybersecurity practices and business objectives, which many companies struggle with. The RockCyber vCISO and cybersecurity assessment services are particularly valuable for organizations where security must be a driver of cyber resiliency and growth, not just a protective measure.

Let's talk about how this changes the future for our customers. Traditionally, cybersecurity has often been a siloed IT function, reactive and disconnected from core business functions. RockCyber's assessments transform this by integrating cybersecurity with business strategy, making it a cornerstone of business planning and execution.

Imagine a before scenario where a company's cybersecurity efforts are technically adequate but not aligned with the strategic business initiatives, leading to inefficiencies and missed opportunities. After a RockCyber assessment, this company strengthens its security and aligns its cybersecurity strategy with business objectives, ensuring that every security investment directly supports business growth and resilience.

With the assessment in place, RockCyber clients typically lean in on the virtual CISO services where the RockCyber team can take the knowledge we have in the field — both figuratively and literally — to establish a strategy that will begin the process of maturity and lead the organization down a path of cyber sustainability.

For example, with one recent oil and gas client, the cybersecurity program RockCyber created not only reduces cyber risk and improves the ability of the organization to handle and manage a potential cyber incident, but it aligns directly with the organization's key objectives:

- Maintain operating reliability
- Drive positive impact on revenue and profit
- Ensure digital and physical safety

To achieve this, the team at RockCyber kept the big business picture in mind while focusing on breaking down the problem into smaller projects that can be accomplished successfully, building on the past to continue to improve the future.

The RockCyber cybersecurity assessment and vCISO services provide the following benefits:

- Establish a business-aligned strategic vision while bringing the skills, experience, and technology needed to execute tactically.
- Helping the organization to identify key challenges in security operations, staffing, training, execution, and communication and to help them overcome these challenges with confidence, giving them peace of mind to know we are there by their side every step of the way.

Rock invites you all to connect with him via LinkedIn where you can find some of his musings on this topic and so many more. If you have questions about getting started and/or transforming your program in a meaningful way, you can reach out to Rock and the team directly at info@rockcyber.com.

Learn more about RockCyber: https://itspm.ag/rockcyber-3gq7

Note: This story contains promotional content. Learn more.

Guest: Rock Lambros, CEO and founder of RockCyber [@RockCyberLLC]
On LinkedIn | https://www.linkedin.com/in/rocklambros/
On Twitter | https://twitter.com/rocklambros

Resources
Learn more and catch more stories from RockCyber: https://www.itspmagazine.com/directory/rockcyber
Learn more about 7 Minutes on ITSPmagazine Short Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs
Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/
Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Redefining CyberSecurity
Aligning Safety with Business Strategy to Enable Operational Reliability | 7 Minutes on ITSPmagazine with Rock Lambros | A Short Brand Innovation Story By Rock Cyber

May 1, 2024 | 7:00



CISSP Cyber Training Podcast - CISSP Training Program
CCT 123: Practice CISSP Questions – Data Security Controls and Compliance Requirements (D2.6)

Mar 14, 2024 | 20:30 | Transcription Available


Confront the cyber siege that has the healthcare industry on high alert; this episode sees me, Sean Gerber, dissecting the harrowing United Healthcare ransomware crisis that's rocked our nation. We're not just crunching numbers here—$22 million in ransom to Black Cat hackers signifies more than a hefty payout, it's a stark reminder of our critical infrastructure's fragility in the face of cyber threats. The recent episodes have armed us with knowledge, and now, it's time to put that to the test with CISSP Question Thursday, giving you the tactical edge to conquer the CISSP exam and fortify your cybersecurity defenses.

As we navigate the Cybersecurity Concepts and Questions segment, prepare for a thorough breakdown of the digital security toolkit—from honeypots that dupe attackers to the emerging realm of Post-Quantum Cryptography. We'll unravel the essentials of digital signatures with RSA, scrutinize the steadfastness of SIEM systems, and demystify access control models that stand guard over our data. By the end of our journey, you'll not only be versed in preventing cross-site scripting catastrophes but also equipped with a CISSP Blueprint for Success, your very own strategic study companion stocked with invaluable resources to guide you through the certification labyrinth. Join me, and together let's transform these insights into an unbreachable cybersecurity stronghold.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free.

Reimagining Cyber
Leading IT Audit: 2024 To-Do List - Ep 80

Jan 17, 2024 | 19:22


Welcome to another episode of "Reimagining Cyber." In this session, Rob and Stan dive into the critical role of IT auditors, a perspective rarely explored on the show. Their guest, Veronica Rose, brings extensive experience in shaping risk-based information security audit programs. She emphasizes the evolving nature of the IT audit environment and urges IT auditors to prioritize upskilling as technology and controls advance.

Veronica highlights the significance of professional communities, recommending affiliation with bodies like NACD and ISACA. Engaging in these communities not only provides access to valuable resources but also fosters global connections with like-minded professionals.

The discussion shifts to well-being, a crucial aspect often overlooked in the demanding field of IT audit. Veronica stresses the importance of mental health, exercise, and unplugging to maintain a clear mindset.

The conversation wraps up by addressing the career paths of IT auditors. Veronica encourages a mindset shift for those considering a transition, emphasizing the value of certifications and continuous upskilling.

Tune in to gain insights into the evolving world of IT audit, professional development, and holistic well-being.

Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

The Rundown with Kansas Legislative Division of Post Audit
Information Systems: Reviewing Specific IT Security Controls Across State Agencies and School Districts (Part 2) [January 2024]

Jan 17, 2024 | 29:33


It's 5:05! Daily cybersecurity and open source briefing
Episode #300: Edwin Kwan: SMTP Smuggling ByPasses Email Security Controls; Hillary Coover: Researchers Seek to Unmask Hackers Through Code Analysis and AI; Marcel Brown: This Day in Tech History; Katy Craig: CISO Accountability: Framework for Compliance;

Dec 22, 2023 | 16:48


ITSPmagazine | Technology. Cybersecurity. Society
Staying Ahead of the Curve: Leapfrogging Through Growth in Cybersecurity | A Cymulate Brand Story with Ben Fitzpatrick

Dec 14, 2023 | 31:36


In this Brand Story episode, hosts Marco Ciappelli and Sean Martin engage in a thought-provoking conversation with Ben Fitzpatrick from Cymulate. The discussion explores the innovative approaches to cybersecurity that can help regions advance beyond their current situation.

Fitzpatrick shares his insights on the lifecycle of security and technology, emphasizing the critical role of continuous monitoring and understanding the attack path for staying ahead of potential threats. He elaborates on Cymulate's use of cutting-edge tools and methods like automation, AI, and TTP to simulate high-level intrusion attacks without causing damage, providing a non-disruptive method for businesses to validate their security controls.

An important aspect of the conversation revolves around risk prioritization. Fitzpatrick expresses the necessity for businesses, particularly CISOs, to conduct regular—even continuous—testing of all components of their infrastructure and applications. This approach allows for a comprehensive understanding of potential risks and the ability to prioritize their mitigation.

Fitzpatrick also digs into the concept of response. He asserts that many companies are only at the cusp of realizing its significance in their cybersecurity strategy. He underscores the need to stay ahead of the curve, tackling the most important threats and adversaries, and minimizing the risk window.

The episode concludes with Fitzpatrick discussing Cymulate's role in helping businesses understand their most critical threats and adversaries, and how they can best respond to them. He emphasizes that Cymulate is not just about ticking boxes; it's about understanding the business, managing risks, and staying ahead of the curve. This episode promises to offer listeners a unique perspective on proactive, intelligent cybersecurity strategies and their role in business resilience.

Note: This story contains promotional content. Learn more: https://www.itspmagazine.com/their-story

Guest: Ben Fitzpatrick, VP of Sales, Asia Pacific (APAC)
On LinkedIn | https://www.linkedin.com/in/befitzpatrick/

Resources
Cymulate Expands Sales Leadership Team to Drive Growth in EMEA & APAC Global Markets: https://cymulate.com/news/cymulate-expands-sales-leadership-team-to-drive-growth-in-emea-apac-global-markets/
Security Analytics for Continuous Threat Exposure Management: Making Better IT Decisions Through the Lens of an Attacker | A Brand Story from Infosecurity Europe 2023, London, England | A Cymulate Story with Nir Loya: https://redefining-cybersecurity.simplecast.com/episodes/security-analytics-for-continuous-threat-exposure-management-making-better-it-decisions-through-the-lens-of-an-attacker-a-company-briefing-from-infosecurity-europe-2023-london-england-a-cymulate-company-briefing-story-with-nir-loya

Catch more stories from Cymulate: https://itspm.ag/cymulate-ltd--s2k4

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast

Redefining CyberSecurity
Staying Ahead of the Curve: Leapfrogging Through Growth in Cybersecurity | A Cymulate Brand Story with Ben Fitzpatrick

Dec 14, 2023 | 31:36



Tech Transforms
The Future of Government Technology: FedRAMP, AI and Compliance in Focus with Ross Nodurft

Tech Transforms

Play Episode Listen Later Dec 6, 2023 41:57 Transcription Available


As technology rapidly innovates, it is essential we talk about technology policy. What better way to get in the know than to have an expert break it down for us? Meet Ross Nodurft, the Executive Director of the Alliance for Digital Innovation. Ross dives in, explaining the evolution of FedRAMP controls and the recent, giant, AI Executive Order (EO) from the White House. Listen in to find out what this EO means for the government, the industry and the workforce as the U.S. attempts to implement policy ahead of AI innovation.

Key Topics
04:25 Increasing security controls for cloud migration
07:51 Discussion about customer feedback and cloud migration.
12:17 Encouraging commercial solutions into federal government securely.
15:39 Artificial intelligence shaping policy for future technology.
16:54 AI EO covers critical infrastructure, AI, data, immigration.
22:34 Guidance on AI impact assessment and testing.
27:02 AI tools adoption must not be delayed.
30:03 Ensure AI technologies have fail-safe mechanisms.
32:08 Concern over rapid pace of technological advances.
34:29 AI and technology advancing, policy aims control.
39:37 Fascinating book on technology and chip history.

The Future of Government Technology: Shifting to FedRAMP High and Accelerating Cloud Adoption

Shift from FedRAMP Moderate to High for Sensitive Workloads

When FedRAMP was established over a decade ago, the focus was on managing the accreditation of emerging cloud infrastructure providers to support the initial migration of workloads. The baseline standard was FedRAMP Moderate, which addressed a "good amount" of security controls for less risky systems. However, Ross explains that increasing volumes of more sensitive workloads have moved to the cloud over time - including mission-critical systems and personal data. Consequently, agencies want to step up from moderate to the more stringent requirements of FedRAMP High to protect higher-risk systems. This includes only allowing High-cloud services to interact with other High-cloud applications.

The Evolution of Cloud Computing: "So right now, we're at the point where people are existing in thin clients that have access to targeted applications, but the back end compute power is kept somewhere else. It's just a completely different world that we're in architecturally." — Ross Nodurft

The Future of Government Technology: Streamlining FedRAMP for the SaaS-Powered Enterprise

According to Ross, the COVID-19 pandemic massively accelerated enterprise cloud adoption and consumption of SaaS applications. With the abrupt shift to remote work, organizations rapidly deployed commercial solutions to meet new demands. In the federal government, this hastened the transition from earlier focus on cloud platforms to widespread use of SaaS. Ross argues that FedRAMP has not evolved at pace to address the volume and type of SaaS solutions now prevalent across agencies. There is a need to streamline authorization pathways attuned to this expanding ecosystem of applications relying on standardized baseline security controls.

High-level Security Controls for Sensitive Data in the Cloud

Addressing Data Related to Students and Constituents

Ross states that as agencies move more sensitive workloads to the cloud, they are stepping up security controls from FedRAMP Moderate to FedRAMP High. Sensitive data includes things like personal HR data or data that could impact markets, as with some of the work USDA does. Willie gives the example of the Department of Education or Federal Student Aid, which may have sensitive data on students that could warrant higher security controls when moved to the cloud.

Ross confirms that is absolutely the case - the trend is for agencies to increase security as they shift more...

Hashtag Realtalk with Aaron Bregg
Episode 95 - A Closer Look at the CIS Security Controls

Hashtag Realtalk with Aaron Bregg

Play Episode Listen Later Oct 31, 2023 42:37


In this episode I talk with Lloyd 'Lucky' Guyot and Alex O'Meera about The Center for Internet Security's Critical Security Controls. Lloyd is a Security Advisor for Optiv and President of the Grand Rapids ISSA Chapter. Alex is a Security Analyst for Stack Overflow and Secretary of the Grand Rapids ISSA Chapter.

Talking Points:
How can the CIS 18 help an SMB build your security program?
How can the CIS 18 help mature a security program?
Which controls should a company start with?
And many more!

Episode Sponsor:
Grand Rapids ISSA Chapter (with special thanks to Optiv). The GR-ISSA is the local chapter of the Information Systems Security Association.

Episode Charity:
The charity for the month of November is the Corewell Health Foundation. More specifically, the money will be going to assist children with various mental health challenges.

ITSPmagazine | Technology. Cybersecurity. Society
RSA Conference ESAF Report 2023: How Top CISOs Are Transforming Third-Party Risk Management | A Conversation with Laura Robinson | Redefining CyberSecurity Podcast with Sean Martin

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Oct 24, 2023 36:04


Guest: Laura Robinson, ESAF Program Director at RSA Conference [@RSAConference]
On LinkedIn | https://www.linkedin.com/in/laurarobinsoninsight/
At RSA | https://www.rsaconference.com/experts/laura-robinson
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________
This Episode's Sponsors
Imperva | https://itspm.ag/imperva277117988
Pentera | https://itspm.ag/penteri67a
____________________________
Episode Notes

In this episode of Redefining CyberSecurity Podcast, host Sean Martin engages in a conversation with Laura Robinson, the ESAF Program Director at RSA Conference, about the changing landscape of third-party risk management. They explore the need for organizations to shift their approach in assessing third-party risk and the limitations of relying solely on questionnaires. Laura emphasizes the importance of more detailed assessments and manageable requirements for suppliers.

The conversation touches on the significance of fostering a culture of security and collaboration between organizations and their third-party partners. They discuss the challenges faced by small businesses in meeting complex regulatory requirements and the difficulties in finding the right cybersecurity services and talent. The episode showcases case studies that highlight successful third-party risk management programs and their positive impact, including significant reductions in incidents and quantifiable risk reduction.

The discussion also delves into the potential benefits of standardization in the industry, such as shared assessments, resources, and frameworks such as NIST CSF and HITRUST. Sean and Laura underscore the importance of collaboration, community, and a change in mindset to effectively address third-party risk in the evolving cybersecurity landscape. Throughout the conversation, practical insights and success stories are shared, providing listeners with a deeper understanding of the progress being made in third-party risk management while acknowledging that there is still work to be done.

The episode offers a thoughtful exploration of the topic, focusing on the need for collaboration, cultural shifts, and the development of more effective assessment approaches in order to mitigate third-party risk effectively.
____________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

ITSPmagazine | Technology. Cybersecurity. Society
Book | Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program | A Conversation with Author Ryan Leirvik | Redefining CyberSecurity with Sean Martin

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Jul 19, 2023 48:36


Guest: Ryan Leirvik, CEO of Neuvik [@Neuvik]
On LinkedIn | https://www.linkedin.com/in/leirvik/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________
This Episode's Sponsors
Imperva | https://itspm.ag/imperva277117988
Pentera | https://itspm.ag/penteri67a
____________________________
Episode Notes

In this episode of Redefining Cybersecurity podcast, host Sean Martin discusses the fundamentals of risk management in cybersecurity with Ryan Leirvik, author of "Understand, Manage and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program." The conversation centers around the importance of understanding risk management in cybersecurity, categorizing assets, and identifying what's important to the business versus what's important to the individual. They also discuss the need to use frameworks like NIST-CSF to define and categorize risks and the importance of responding quickly to active threats and having a plan in place for recovery. Sean and Ryan provide practical advice for creating a sustainable cyber program that prioritizes risk management and explain how to set the stage for conversations about cybersecurity with stakeholders. Overall, the episode provides valuable insights into risk management in cybersecurity and how to prioritize and protect critical assets.

ABOUT THE BOOK

When it comes to managing cybersecurity in an organization, most organizations tussle with basic foundational components. This practitioner's guide lays down those foundational components, with real client examples and pitfalls to avoid.

A plethora of cybersecurity management resources are available―many with sound advice, management approaches, and technical solutions―but few with one common theme that pulls together management and technology, with a focus on executive oversight. Author Ryan Leirvik helps solve these common problems by providing a clear, easy-to-understand, and easy-to-deploy "playbook" for a cyber risk management approach applicable to your entire organization.

This second edition provides tools and methods in a straight-forward, practical manner to guide the management of a cybersecurity program. Expanded sections include the critical integration of cyber risk management into enterprise risk management, the important connection between a Software Bill of Materials and Third-party Risk Programs, and additional "how to" tools and material for mapping frameworks to controls.

Who This Book Is For

CISOs, CROs, CIOs, directors of risk management, and anyone struggling to pull together frameworks or basic metrics to quantify uncertainty and address risk
____________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

The Rundown with Kansas Legislative Division of Post Audit
Information Systems: Reviewing Specific IT Security Controls Across State Agencies and School Districts [July 2023]

The Rundown with Kansas Legislative Division of Post Audit

Play Episode Listen Later Jul 6, 2023 21:22


This audit determined whether selected state agencies and school districts adequately complied with certain IT security standards and best practices. State agencies must follow state IT security standards to protect sensitive information against data loss and theft. Local entities are not required to follow the state's policies. 9 of 15 entities we audited did not substantively comply with IT standards and best practices in at least 2 of 3 subject areas we evaluated. Specifically, 8 of 15 entities did not substantively comply with selected security awareness training controls. 10 of 15 entities did not substantively comply with selected account security controls. Lastly, 8 of 15 did not substantively comply with selected incident response controls. The findings demonstrate a poor "tone at the top" at many entities--meaning lack of top management oversight and supervision.

ITSPmagazine | Technology. Cybersecurity. Society
It's Difficult to Secure the Invisible: Reinventing Asset Management for Modern Challenges in IT, IoT, and OT | A RunZero Story with Huxley Barbee

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Apr 21, 2023 40:56


In this Their Story podcast on ITSPmagazine, Huxley Barbee delves into the world of InfoSec and asset management, discussing the importance of having a full asset inventory and how his company, RunZero, addresses this challenge with a cyber asset management solution.

Founders HG Moore and Chris Kirsch identified the need for better tooling as security teams' scopes expanded beyond managing traditional IT devices to securing IoT and OT devices across various environments. RunZero helps organizations understand gaps in security controls coverage, identify potentially vulnerable devices in the face of zero-day threats, and more.

Huxley Barbee explains that a full asset inventory, including asset details like location within the network, device function, and business context, can assist in determining which vulnerabilities or misconfigurations need immediate attention. Huxley highlights the delicate process of gathering information on devices and the importance of incremental fingerprinting, particularly in OT environments and those with often-unmanaged IoT devices.

The trio also cover the business side, discussing the typical clients for RunZero and the mindset shift required to realize that existing asset discovery tools may not be sufficient. They discuss the collaboration between IT, OT, and security teams, emphasizing that having a full cyber asset inventory beyond the traditional IT asset inventory can help reduce remediation time and improve overall business decision-making.

Tune in to this episode to learn more about RunZero's modern approach to asset management, the crucial role of visibility in addressing security challenges, and how a robust asset inventory by RunZero can help business leaders and security practitioners make better decisions.

Note: This story contains promotional content. Learn more: https://www.itspmagazine.com/their-infosec-story

Guest: Huxley Barbee, Security Evangelist at RunZero [@runZeroInc] and lead organizer for BSides NYC [@bsidesnyc]
On LinkedIn | https://www.linkedin.com/in/jhbarbee/
On Twitter | https://twitter.com/huxley_barbee
On Mastodon | https://infosec.exchange/@huxley

Resources
Learn more about RunZero and their offering: https://itspm.ag/runzervvyh
Catch the video and podcast version of this conversation: https://itspmagazine.com/their-stories/its-difficult-to-secure-the-invisible-reinventing-asset-management-for-modern-challenges-in-it-iot-and-ot-a-runzero-story-with-huxley-barbee
BSides NYC Podcast: https://itsprad.io/event-coverage-1388
Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story

Cyber Sip
“Top 5 Security Controls You Need Now,” With Dean Mechlowitz

Cyber Sip

Play Episode Listen Later Apr 4, 2023 27:38


Episode 33 of Barclay Damon Live: Cyber Sip™, with host Kevin Szczepanski, looks at five security controls you need to know about. Kevin talks with guest Dean Mechlowitz of TEKRiSQ about the importance and challenges of establishing security controls within your company, regardless of size or sector. TEKRiSQ is in the business of examining cyber wellness, and as co-founder, Dean has a good handle on the issue. Especially for smaller companies, but also for companies of other sizes, he and Kevin review what can be done to avoid cyber criminals' crosshairs—and to become insurable. Hot topics include data privacy, passwords, multifactor authentication (Kevin's favorite!), and everyone's worry, employee vulnerability. Listen in for more.

The Rundown with Kansas Legislative Division of Post Audit
3 Year Summary of Security Controls in Selected State and Local Entities (2020-2022) [December 2022]

The Rundown with Kansas Legislative Division of Post Audit

Play Episode Listen Later Dec 12, 2022 8:40


We completed 21 audits on 16 agencies and 4 school districts between CY 2020 and 2022 (1 entity was audited twice during this time period). This summary report shows 10 of the 21 entities did not substantially comply with applicable IT security standards and best practices. Entities struggled with properly scanning and patching their computers. Entities also had compliance problems because they did not create, maintain, or test incident response plans or continuity of operations plans. Other significant issues included poor security awareness training or failed social engineering tests. Almost half the entities had significant management, contract, or policy-related weaknesses. Additional security weaknesses included inadequate account security controls, poor encryption, back up, or destruction processes of sensitive data. We also noted several entities had inadequate network boundary protection or had poor access or environmental controls for their data centers. Lastly, we identified significant security issues within agencies' specific IT systems. The findings in this report are similar to those in previous summary IT reports. The main reasons for compliance problems across the 20 entities included insufficient top management attention and inadequate resources.

The CyberWire
CISA Alert AA22-137A – Weak security controls and practices routinely exploited for initial access. [CISA Alerts]

The CyberWire

Play Episode Listen Later May 17, 2022 2:49


This joint cybersecurity advisory was coauthored by the cybersecurity authorities of the US, Canada, New Zealand, the Netherlands, and the UK. Cyber actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim's system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices, and includes best practices to mitigate these risks.

AA22-137A Alert, Technical Details, and Mitigations
White House Executive Order on Improving the Nation's Cybersecurity
NCSC-NL Factsheet: Prepare for Zero Trust
NCSC-NL Guide to Cyber Security Measures
N-able Blog: Intrusion Detection System (IDS): Signature vs. Anomaly-Based
NCSC-NL Guide to Cyber Security Measures
National Institute of Standards and Technology SP 800-123 – Keeping Servers Secured
NCSC-UK Guidance – Phishing Attacks: Defending Your Organisation
Open Web Application Security Project (OWASP) Proactive Controls: Enforce Access Controls

All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.