Cybersecurity Where You Are (video)

Author: Center for Internet Security

Description

Welcome to the video version of “Cybersecurity Where You Are,” the podcast of the Center for Internet Security® (CIS®). Cybersecurity affects us all — whether we’re online at home, managing a company, supporting clients, or running a state or local government. Join us on Wednesdays as Sean Atkinson, CISO at CIS, and Tony Sager, SVP & Chief Evangelist at CIS, discuss trends and threats, explore security best practices, and interview experts in the industry. Together, we’ll clarify these issues, creating confidence in the connected world. Subscribe to the audio version of our podcast here: https://fast.wistia.net/embed/channel/wbyhaw35xf?wchannelid=wbyhaw35xf.

151 Episodes
In episode 151 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager conclude their mid-year review of 12 Center for Internet Security® (CIS®) experts' cybersecurity predictions for 2025. Here are some highlights from our episode:

- 01:12. The importance of consolidating security operations and using what already exists
- 03:18. The promise of generative artificial intelligence (GenAI) in relieving grunt work
- 08:26. The great responsibility and burden of integrating GenAI into business operations
- 10:53. How control and inspection generate trust in systems
- 17:57. Post-quantum cryptography, IoT in edge computing, and GenAI's sociopolitical risks
- 30:21. The need for a more holistic understanding of compliance
- 33:34. Why zero trust doesn't mean "no trust"
- 36:56. The need for AI as an element of critical security control
- 41:33. The dynamic challenge of protecting all assets with varying levels of security

Resources:
- 12 CIS Experts' Cybersecurity Predictions for 2025
- Episode 145: 2025 Cybersecurity Predictions H2 Review — Pt 1
- Episode 135: Five Lightning Chats at RSAC Conference 2025
- Establishing Essential Cyber Hygiene
- Episode 95: AI Augmentation and Its Impact on Cyber Defense
- Guide to Asset Classes: CIS Critical Security Controls v8.1
- An Examination of How Cyber Threat Actors Can Leverage Generative AI Platforms
- An Introduction to Artificial Intelligence
- Episode 120: How Contextual Awareness Drives AI Governance
- Episode 118: Preparing for Post-Quantum Cryptography
- Episode 63: Building Capability and Integration with SBOMs
- Episode 99: How Cyber-Informed Engineering Builds Resilience
- Mapping and Compliance with the CIS Controls
- Mapping and Compliance with the CIS Benchmarks
- CIS Community Defense Model 2.0

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 150 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Chad Rogers, Sr. Manager, Digital Media Services, at the Center for Internet Security® (CIS®); Rudy Uhde, Video Editor at CIS; and David Bisson, Sr. Content Strategist at CIS. Together, they use a roundtable chat to celebrate 150 episodes of Cybersecurity Where You Are. Here are some highlights from our episode:

- 01:33. How the cybersecurity landscape and podcast have changed since Episode 100
- 05:40. The "labor of love" that goes into editing and preparing an episode for publication
- 12:13. Memorable guests and moments that changed the team's thinking about cybersecurity
- 25:45. How the larger podcast team drives continuous improvement and innovation
- 30:13. Parting thoughts for the audience

Resources:
- Episode 100: Celebrating 100 Episodes and Looking Ahead
- Episode 149: Human Error, AI Missteps, and Other VM Risks
- Episode 9: Mitigating Risk: Information Security Governance
- Episode 96: Making Continuous Compliance Actionable for SMBs
- Episode 121: The Economics of Cybersecurity Decision-Making
- Episode 114: 3 Board Chairs Reflect on 25 Years of Community
- Episode 136: How WiCyS Advances Women in Cybersecurity
- Episode 120: How Contextual Awareness Drives AI Governance
- Episode 116: AI-Enhanced Ransomware and Defending Against It
- Episode 146: What Security Looks Like for a Security Company
- Episode 110: How Security Culture and Corporate Culture Mesh

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 149 of Cybersecurity Where You Are, Sean Atkinson is joined by Chris McCullar, Director of Sales, Cloud Security, at the Center for Internet Security® (CIS®); and Mishal Makshood, Sr. Cloud Security Account Executive at CIS. Together, they discuss how to navigate human error, artificial intelligence (AI) missteps, and other landmarks in a new frontier of virtual machine (VM) risks. Here are some highlights from our episode:

- 00:50. Introductions with Chris and Mishal
- 02:20. The ongoing need to address the risk of human error when configuring VMs
- 04:55. The value of building trusted security into a VM image by design
- 07:28. A reality check of what the shared responsibility model means to an organization
- 13:06. How the integration of AI into DevOps accelerates both automation and mistakes
- 15:21. The importance of a secure foundation in the cloud on which you can build with AI
- 18:19. Automated enforcement and AI's role in complementing human judgment
- 21:03. Two examples of how CIS resources can drive governance and policy integration
- 28:05. Cybersecurity as a community-driven team sport
- 30:33. Lifecycle management as a way of addressing organizations' security needs

Resources:
- Keep the Cloud Secure with CIS after Migrating to the Cloud
- Automated Compliance: The Byproduct of Holistic Hardening
- Meet the Shared Responsibility Model with New CIS Resources
- Episode 135: Five Lightning Chats at RSAC Conference 2025
- 2025 Data Breach Investigations Report

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 148 of Cybersecurity Where You Are, Sean Atkinson is joined by Rob Reese, Cyber Incident Response Team Manager at the Center for Internet Security® (CIS®); Dustin Cox, Cyber Incident Response Team Analyst at CIS; and Cliff Moten, Manager, Cybersecurity Solutions Engineering at CIS. Together, they discuss how organizations can use Managed Detection and Response (MDR) tools to help defend against zero-day attacks. Here are some highlights from our episode:

- 01:06. Demystifying zero-day vulnerabilities with a definition
- 02:36. Why zero-day attacks are some of the most serious threats facing organizations today
- 04:19. Examples of zero-day exploits and how these threats affect Incident Response (IR)
- 10:06. The importance of understanding your environment and patch management
- 13:58. How MDR assists with behavioral analysis, assembling holistic inventories, and IR
- 20:02. The role of asset inventories in determining scope and containing a zero-day incident
- 24:08. Why it's important to have humans managing and monitoring an MDR solution
- 27:11. MDR as a means of centralizing evidence of a zero-day attack
- 30:05. Parting thoughts for those concerned with their endpoint security posture

Resources:
- CIS Managed Detection and Response™ (CIS MDR)
- Multi-State Information Sharing and Analysis Center®
- CIS Critical Security Control 1: Inventory and Control of Enterprise Assets
- CIS Critical Security Control 2: Inventory and Control of Software Assets
- The CIS Security Operations Center (SOC): The Key to Growing Your SLTT's Cyber Maturity
- Real-Time Indicator Feeds
- Incident Response Policy Template for CIS Control 17

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 147 of Cybersecurity Where You Are, Sean Atkinson is joined by John Cohen, Executive Director of the Program for Countering Hybrid Threats at the Center for Internet Security® (CIS®); and Kaitlin Drape, Hybrid Threat Intelligence Analyst at CIS. Together, they discuss how to actualize threat intel for the purpose of building effective defense programs and operational response plans. Here are some highlights from our episode:

- 01:27. Which two questions you want to answer when providing intelligence on a threat
- 05:19. How to avoid underutilizing or misunderstanding the utility of threat intel
- 13:18. A real-life story from John of when intelligence made a difference in a security incident
- 17:05. The foundation and building blocks of maturing your threat intelligence program
- 22:14. The value of working with non-intelligence groups to formulate effective response plans
- 24:22. CIS's ongoing work to help organizations proactively ingest and use threat intel
- 28:24. How cross-collaboration across an organization brings threat intel into a lifecycle
- 31:01. Kaitlin's work as an exemplar of how to make threat intelligence operational
- 36:20. The ongoing evolution of hybrid threat intel to inform meaningful operational responses

Resources:
- ThreatWA™
- How Threat Modeling, Actor Attribution Grow Cyber Defenses
- Countering Multidimensional Threats: Lessons Learned from the 2024 Election
- Episode 119: Multidimensional Threat Defense at Large Events
- Sinaloa cartel used phone data and surveillance cameras to find FBI informants, DOJ says

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 146 of Cybersecurity Where You Are, Tony Sager is joined by Angelo Marcotullio, Chief Information Officer at the Center for Internet Security® (CIS®); and Stephanie Gass, Sr. Director of Information Security at CIS. Together, they look back on periods of transition at CIS to discuss what security looks like for a security company. Here are some highlights from our episode:

- 00:58. Introductions with Angelo and Stephanie
- 02:07. A pro and a con of IT consulting work
- 04:12. The importance of soft skills in bringing the Multi-State Information Sharing and Analysis Center® into CIS
- 06:12. Looking at security from a corporate perspective with the CIS Critical Security Controls
- 07:08. How IT and IT security are essential to corporate strategy
- 07:45. The use of governance to support merging three business units into an integrated security company
- 12:04. The value of security champions in adapting to regulatory and business changes
- 15:15. What IT and Security teams can accomplish when they work as partners
- 17:18. The use of data to inform Board decisions and conversations around risk
- 20:38. How getting a seat at the table helps with understanding a Board's risk appetite and communicating that out to teams
- 25:01. How infrastructure built for growth, not the smallest business case, produced a smooth transition to work from home in March 2020
- 29:30. Advice for folks starting out in security
- 31:28. The importance of collaboration and culture in implementing security as an organization

Resources:
- Episode 144: Carrying on the MS-ISAC's Character and Culture
- The CIS Security Operations Center (SOC): The Key to Growing Your SLTT's Cyber Maturity
- Guide to Implementation Groups (IG): CIS Critical Security Controls v8.1
- CIS Controls v8.1 Mapping to ISO/IEC 27001:2022
- CIS Controls v8.1 Mapping to SOC2
- CIS Controls v8.1 Mapping to NIST SP 800-171 Rev 3
- Reasonable Cybersecurity
- Episode 110: How Security Culture and Corporate Culture Mesh

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 145 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager begin their mid-year review of 12 Center for Internet Security® (CIS®) experts' cybersecurity predictions for 2025. Here are some highlights from our episode:

- 01:14. Verizon's Data Breach Investigations Report as a source of enlightenment and humility
- 02:28. The use of generative artificial intelligence (GenAI) to finely tune phishing emails
- 06:31. Cyber threat actors' Darwinian efficiency in adopting new technology
- 07:50. Policies, oversight, and compliance in slowing defenders' adoption of technology
- 10:30. The two-sided, dynamic challenge of managing supply chain risk
- 18:23. Cybersecurity as a strategic business investment in protecting revenue
- 20:40. The value of partnerships in determining rational social expectations for cybersecurity
- 26:45. Rapid recap of several of our 2025 cybersecurity predictions
- 28:43. Designing technology with human awareness to create a culture of responsibility
- 32:29. The need to rethink what "connected" means in our complex world

Resources:
- 12 CIS Experts' Cybersecurity Predictions for 2025
- Episode 117: 2025 Cybersecurity Predictions from CIS Experts
- 2025 Data Breach Investigations Report
- 2024 DBIR Findings & How the CIS Critical Security Controls Can Help to Mitigate Risk to Your Organization
- Episode 119: Multidimensional Threat Defense at Large Events
- How to Construct a Sustainable GRC Program in 8 Steps
- Society of Information Risk Analysts
- Reasonable Cybersecurity
- Episode 135: Five Lightning Chats at RSAC Conference 2025

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 144 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Carlos Kizzee, Senior Vice President of Multi-State Information Sharing and Analysis Center® (MS-ISAC®) at the Center for Internet Security® (CIS®). Together, they discuss how the MS-ISAC's new funding model helps to carry on the character and culture of this collaborative cyber defense community. Here are some highlights from our episode:

- 01:11. The unique mission, history, and value of building community at the MS-ISAC
- 05:36. A new fee-based model to preserve services and support amid federal funding changes
- 07:08. Service continuity as a commitment to U.S. State, Local, Tribal, and Territorial entities
- 09:45. Initial feedback and considerations heard at the 2025 ISAC Annual Meeting
- 11:40. The new membership funding model and how it preserves SLTT collaboration
- 15:25. A cost-effective approach to securing the "cyber-underserved"
- 19:31. The range of U.S. SLTT government organizations who can enroll as members now
- 21:59. The illusion of "free" in helping U.S. SLTTs to strengthen their cyber defenses
- 22:55. Why U.S. SLTTs need to enroll in paid MS-ISAC membership before October 1, 2025
- 28:03. Scale as the key to making MS-ISAC activities as cost-effective as possible
- 30:05. The essential need for U.S. SLTT government organizations to invest in the MS-ISAC

Resources:
- Multi-State Information Sharing and Analysis Center®
- Episode 142: SLTTs and Their Nuanced Cybersecurity Needs
- Episode 137: National Cybersecurity Through SLTT Resilience
- ISAC Annual Meeting
- MS-ISAC Membership Resources
- Become an MS-ISAC Member
- Episode 30: Solving Cybersecurity at Scale with Nonprofits

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 143 of Cybersecurity Where You Are, Sean Atkinson is joined by John Cohen, Executive Director of the Program for Countering Hybrid Threats at the Center for Internet Security® (CIS®). Together, they discuss Iran's evolving multidimensional threat activity following U.S. airstrikes on Iranian nuclear facilities in June 2025. Here are some highlights from our episode:

- 00:49. Lessons from the past on how Iran might respond to the U.S. airstrikes in June 2025
- 04:56. The use of informed practice and continuous awareness to better prepare defenders
- 06:41. Recap of Iranian multidimensional threat activity observed between 2024 and 2025
- 11:53. The impact of contextual intelligence and education in driving threat awareness
- 19:17. Why understanding of impact is critical to addressing a business risk
- 23:09. Three things you need to do to be an effective threat briefer
- 25:07. The use of tabletop exercises (TTXs) to promote incident response
- 26:56. The 2024 General Election as a case study of what threat preparedness can do

Resources:
- ThreatWA™
- US hits 3 Iranian nuclear sites, Trump says, plunging America into conflict
- Are national security threats a concern after U.S. military strike on Iranian nuclear sites?
- New report: Hacker for El Chapo helped boss hunt and kill FBI informants
- MS-ISAC Guide to DDoS Attacks
- With July 4 just days away, US law enforcement on high alert for Iran retaliation
- Iran-linked hackers threaten to release Trump aides' emails
- Iranian-aligned hackers claim responsibility for Truth Social cyberattack
- Iranian-Aligned Hackers Claim Responsibility for Attack on Trump’s Truth Social Platform
- States and Congress wrestle with cybersecurity after Iran attacks small town water utilities
- NYPD deploying additional resources across city following US strikes on Iran
- CIS Critical Security Controls v8.1 Industrial Control Systems (ICS) Guide
- Enhancing Safety in the Connected World — A National Framework for Action
- Episode 138: The Use of GenAI to Refine Your TTX Development
- Countering Multidimensional Threats: Lessons Learned from the 2024 Election

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 142 of Cybersecurity Where You Are, Sean Atkinson is joined by Anthony Essmaker, former Product Marketing Manager at the Center for Internet Security® (CIS®); and Randy Rose, VP of Security Operations & Intelligence at CIS. Together, they discuss the nuanced, empathetic approach that's required to help U.S. State, Local, Tribal, and Territorial (SLTT) government organizations to address their cybersecurity needs. Here are some highlights from our episode:

- 01:10. What the acronym "SLTT" means to CIS's operational mission
- 05:39. Using a flexible approach to support the different cybersecurity needs of the 50 states
- 09:43. How different resources and experiences contextualize "best practices" at the local level
- 11:49. Trivia question: Which two U.S. states don't have counties?
- 13:20. The complexity of cybersecurity challenges and resources for U.S. tribal entities
- 20:11. A 20-year history of working with U.S. SLTTs to meet them where they are
- 21:30. Relationships as the bedrock for a community model of SLTT cyber defense
- 26:29. Geographical isolation and other factors affecting U.S. territories' cybersecurity needs
- 32:42. A closing fun fact about the first U.S. fire district

Resources:
- Episode 123: An Operational Playbook for Security Impact
- The CIS Security Operations Center (SOC): The Key to Growing Your SLTT's Cyber Maturity
- 2024 MS-ISAC Tribal Sector Cybersecurity Report
- Multi-State Information Sharing and Analysis Center®
- Nationwide Cybersecurity Review (NCSR)

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 141 of Cybersecurity Where You Are, Tony Sager is joined by Phyllis Lee, VP of SBP Content Development at the Center for Internet Security® (CIS®); and Julie Haney, Computer Scientist & Human-Centered Cybersecurity Researcher at the National Institute of Standards and Technology (NIST). Together, they use a human-centered understanding of security to discuss password policies, including their benefits, drawbacks, and efficacy. Here are some highlights from our episode:

- 01:03. Introductions to Phyllis and Julie
- 03:34. How "human-centered cybersecurity" goes beyond just usability
- 05:35. The use of NIST and other authoritative sources to dispel confusion in cybersecurity
- 09:09. How password policies positively and negatively impact human behavior
- 15:06. Three anecdotes that showcase the importance of context when enacting security policy
- 21:49. The process of using NIST SP 800-63 to recommend password security best practices
- 27:11. Our changing understanding of "the human element"
- 29:23. The need to do cybersecurity awareness training "right" and measure its effectiveness
- 31:30. Recognition of the absence of natural systems thinking in cybersecurity
- 33:14. Psychological safety, feedback, and trust as foundations of security culture
- 39:03. Human touchpoints as a starting point to help usability and security work together

Resources:
- CIS Password Policy Guide
- NIST SP 800-63 Digital Identity Guidelines
- Episode 98: Transparency as a Tool to Combat Insider Threats
- Episode 110: How Security Culture and Corporate Culture Mesh
- Why Employee Cybersecurity Awareness Training Is Important

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 140 of Cybersecurity Where You Are, Sean Atkinson is joined by John Cohen, Executive Director of the Program for Countering Hybrid Threats at the Center for Internet Security® (CIS®). Together, they discuss travel safety tips informed by today's evolving multidimensional threat environment. Here are some highlights from our episode:

- 01:30. The most overlooked security risks we need to take seriously whenever we travel
- 03:42. How threat actors can exploit our tendency to overshare online
- 07:25. Top security practices you can use to safely plan your next trip
- 12:28. The value of playing out your travels' worst-case scenario before you leave
- 16:02. The benefits and drawbacks of using electronic navigation systems while traveling
- 18:00. Videos as a means of attuning to the "flow" of a different place and/or culture
- 24:10. Which types of people make attractive targets for foreign intelligence services
- 25:05. Honeypot operations in the physical and digital worlds
- 27:24. Opportunities to protect the technology on which we rely

Resources:
- ThreatWA™
- Travel.State.Gov
- A Short Guide for Spotting Phishing Attempts
- 8 Security Essentials for Managing Your Online Presence
- Election Security Spotlight – Social Engineering

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 139 of Cybersecurity Where You Are, Tony Sager is joined by Amelia Gifford, Sr. Manager, Administration, at the Center for Internet Security® (CIS®); and George Bailey, Director of Purdue cyberTAP. Together, they discuss how the 2025 grant from the Alan Paller Laureate Program will support Purdue cyberTAP's mission of community building for the cyber-underserved. Here are some highlights from our episode:

- 01:02. Honoring a legacy of making cybersecurity practical and accessible
- 03:34. The business of giving products away to benefit the cybersecurity community
- 05:00. The use of the CIS Critical Security Controls (CIS Controls) to help rural electricity cooperatives in Indiana
- 11:00. Methodology, tooling, and repeatability as part of a lifecycle of realizing a good idea
- 11:56. Cross-Mapping as a means to help people live with so many security frameworks
- 12:59. Accountability and re-assessment as methods for measuring program success
- 14:59. The power of community in prioritizing the CIS Controls
- 16:38. Community building as a way to navigate the cybersecurity business together
- 17:42. A controlled Controls experiment to generate data, learn lessons, and create feedback
- 19:03. Progress reporting as a way to foster connections
- 24:39. Feedback on the Alan Paller Laureate Program application process
- 26:30. Focus on cybersecurity community impact as a consideration for future applicants
- 30:31. Parting thoughts about the grant program and an invitation to reach out to George

Resources:
- Center for Internet Security Awards Nearly $250,000 to Purdue University’s Technical Assistance Program
- Episode 114: 3 Board Chairs Reflect on 25 Years of Community
- Episode 97: How Far We've Come preceding CIS's 25th Birthday
- CIS Critical Security Controls v8.1 Industrial Control Systems (ICS) Guide
- SEC366: CIS Implementation Group 1™
- How to Plan a Cybersecurity Roadmap in 4 Steps
- CIS SecureSuite® Membership
- Mapping and Compliance with the CIS Controls
- Reasonable Cybersecurity Guide

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 138 of Cybersecurity Where You Are, Sean Atkinson is joined by Timothy Davis, Lead Cyber Threat Intelligence (CTI) Analyst at the Center for Internet Security® (CIS®). Together, they discuss how organizations can use Generative Artificial Intelligence (GenAI) to refine how they develop Tabletop Exercises (TTXs). Here are some highlights from our episode:

- 01:49. Why TTXs function as a "blue sky" opportunity for crisis management and preparedness
- 04:33. A quick recap of how GenAI stands apart from traditional AI
- 06:19. The direct relationship between input and output when measuring GenAI content quality
- 07:36. TTXs as a use case for GenAI to help the "cyber-underserved"
- 10:14. How GenAI can quickly customize TTXs for different organizations and threat models
- 13:56. The use of GenAI to improve TTX facilitation, regularity, and cost
- 17:22. GenAI as an inspiration to act on the findings of a simulation
- 18:26. Risks and ethical concerns to keep in mind for GenAI-enhanced TTX development
- 24:46. Where humans can still play a part in augmented exercises
- 30:08. Closing thoughts about the future of GenAI

Resources:
- Leveraging Generative Artificial Intelligence for Tabletop Exercise Development
- Episode 134: How GenAI Lowers Bar for Cyber Threat Actors
- Episode 89: How Threat Actors Are Using GenAI as an Enabler
- DeepSeek: A New Player in the Global AI Race
- Multi-State Information Sharing and Analysis Center®

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 137 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Terry Loftus, Assistant Superintendent (Chief Information Officer) of Integrated Technology Services at the San Diego County Office of Education (SDCOE); and Netta Squires, President of Government Affairs, Cybersecurity, & Resilience at Open District Solutions (ODS). Together, they discuss how the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) functions as a space for U.S. State, Local, Tribal, and Territorial (SLTT) entities to collectively strengthen their cyber resilience in support of U.S. national cybersecurity. Here are some highlights from our episode:

- 01:15. A study to understand the cybersecurity perspectives of the MS-ISAC community
- 03:24. The need for sustained cyber defense accelerators to drive U.S. SLTT resilience
- 07:31. How surveys and focus groups uncovered U.S. SLTT cybersecurity funding, staffing, and governance challenges
- 13:06. The superpower of cyber threat intelligence driven, tailored, and provided via community
- 17:41. Trust as a foundation for building relationships among MS-ISAC members and partners
- 21:26. How the MS-ISAC moved community cyber defense from conversational to operational
- 22:22. The role of trust in making membership affordable and solutions at scale possible
- 25:00. Opportunities for relationship building, training, and access to services in the MS-ISAC
- 30:00. Examples of MS-ISAC success stories and the need to share them
- 33:40. The MS-ISAC as a space to craft a strategic path for national cybersecurity
- 36:29. Closing thoughts on how members value and can get involved in the MS-ISAC

Resources:
- Strengthening Critical Infrastructure: SLTT Progress & Priorities
- Malicious Domain Blocking and Reporting (MDBR)
- Episode 126: A Day in the Life of a CTI Analyst
- Why Whole-of-State Cybersecurity Is the Way Forward
- MS-ISAC: Defending America’s Critical Infrastructure

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 136 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined live by Lynn Dohm, Executive Director of Women in CyberSecurity (WiCyS). Together, they discuss how WiCyS works to advance women in cybersecurity. Here are some highlights from our episode:

- 01:03. A mission of recruiting, retaining, and advancing women in cybersecurity
- 05:38. How community-focused conferences and scholarships promote community growth
- 06:25. The need to celebrate the work of and encourage support among cyber defenders
- 08:52. Four strategic pillars as a foundation for navigating COVID, societal change, and more
- 13:50. The importance of laying out cybersecurity career paths outside of individual companies
- 15:15. How a foundation of inclusion enables diversity to expand
- 19:45. The use of strategic partners to anticipate changing cybersecurity and hiring needs
- 22:38. Inside the successes of the mentorships and other WiCyS programs
- 28:22. The impact of Alan Paller on opening doors for WiCyS
- 32:35. How volunteerism supports retention in cybersecurity through inclusion and satisfaction

Resources:
- Episode 77: Data's Value to Decision-Making in Cybersecurity
- Episode 120: How Contextual Awareness Drives AI Governance
- Alan Paller Laureate Program
- Episode 30: Solving Cybersecurity at Scale with Nonprofits

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 135 of Cybersecurity Where You Are, Sean Atkinson is joined live at RSAC Conference 2025 by five attendees, including two Center for Internet Security® (CIS®) employees. He conducts a lightning chat with each attendee to get their thoughts about the conference, how it reflects the changing cybersecurity industry, and the role CIS plays in this ongoing evolution. Here are some highlights from our episode:

- 00:40. Stephanie Gass, Sr. Director of Information Security at CIS
  - How to start creating a policy and make it effective through implementation processes
  - A transition to an approach integrating mappings for CIS security best practices
  - The use of GenAI and security champions to make this transition
- 04:08. Brad Bock, Director of Product Management at Chainguard
  - Building and compiling security from the ground up in open-source container images
  - Trusting pre-packaged software in an increasingly complex world
  - Support of customer compliance with attestation, SBOMs, and vulnerability remediation
- 07:43. Stephane Auger, Vice President Technologies and CISO at Équipe Microfix
  - Customer awareness and other top challenges for MSPs and MSSPs
  - The use of case studies and referrals to communicate the importance of cybersecurity
  - A growing emphasis on cyber risk insurance as media attention around breaches grows
- 11:36. Brent Holt, Director of Cybersecurity Technology at Edge Solutions LLC
  - How the CIS Critical Security Controls facilitates a consultative approach to customers
  - The importance of knowing where each company is in their use of GenAI
  - Mapping elements of a portfolio to CIS security best practices
- 17:23. Mishal Makshood, Sr. Cloud Security Account Executive at CIS
  - The use of learning and research to investigate GenAI's utility for CIS
  - An aspiration to scale efficiency and drive improvements with GenAI training
  - A reminder to augment human thought, not replace it, with GenAI

Resources:
- Episode 63: Building Capability and Integration with SBOMs
- Mapping and Compliance
- Cybersecurity for MSPs, MSSPs, & Consultants
- Episode 130: The Story and Future of CIS Thought Leadership

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 134 of Cybersecurity Where You Are, Sean Atkinson is joined by Randy Rose, VP of Security Operations & Intelligence at the Center for Internet Security® (CIS®); and Timothy Davis, Lead Cyber Threat Intelligence (CTI) Analyst at CIS. Together, they discuss how generative artificial intelligence (GenAI) lowers the barrier of entry for cyber threat actors (CTAs). Here are some highlights from our episode:

- 01:37. CTAs' use of GenAI to improve their existing campaigns
- 03:38. The need for CTI teams to look beyond language in analyzing GenAI-enabled threats
- 07:22. The evolving impact of GenAI on phishing campaigns, malware development, deepfakes, and malicious Artificial Intelligence as a Service (AIaaS) offerings
- 12:28. How GenAI increases the speed at which CTAs can scale their efforts
- 17:29. Technical barriers and other limitations that shape CTAs' use of GenAI
- 22:46. A historical perspective of AI-enabled cybersecurity and how GenAI can support cybersecurity awareness training
- 26:50. The cybersecurity benefits of AI and machine learning (ML) capabilities for clustering data
- 29:05. What the future might hold for GenAI from an offensive and defensive perspective

Resources:
- The Evolving Role of Generative Artificial Intelligence in the Cyber Threat Landscape
- Episode 89: How Threat Actors Are Using GenAI as an Enabler
- Episode 95: AI Augmentation and Its Impact on Cyber Defense
- 12 CIS Experts' Cybersecurity Predictions for 2025
- CIS Critical Security Controls®
- Multi-State Information Sharing and Analysis Center®

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 133 of Cybersecurity Where You Are, Sean Atkinson is joined by Lauren McFayden, Threat Intelligence Analyst at the Center for Internet Security® (CIS®). Together, they discuss the Distributed Denial of Service (DDoS) hacktivism of DieNet and how the group continues to evolve its Tactics, Techniques, and Procedures (TTPs).
Here are some highlights from our episode:
01:22. An overview of DieNet and its emergence on Telegram
01:55. DDoS attacks and the potential for service disruptions
02:55. DieNet's pro-Palestinian ideology and opposition to the 47th U.S. Presidential Administration
05:00. U.S. and foreign targets claimed by the group
06:30. DieNet's history of claiming attacks against U.S. critical national infrastructure (CNI)
10:33. Two pieces of evidence used to partially assess the credibility of a claimed attack
15:16. How DieNet v2 suggests an escalation of attack strategies
20:43. How the DDoS hacktivist group may continue to evolve its TTPs in subsequent versions
23:48. The use of the CIS Critical Security Controls (CIS Controls) to reduce an attack surface
25:56. How ThreatWA stands out in keeping you informed about emerging threats
Resources
Hacktivist Group DieNet Claims DDoS Attacks against U.S. CNI
MS-ISAC Guide to DDoS Attacks
ThreatWA
CIS Critical Security Control 1: Inventory and Control of Enterprise Assets
CIS Critical Security Control 2: Inventory and Control of Software Assets
CIS Critical Security Control 3: Data Protection
Episode 44: A Zero Trust Framework Knows No End
If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 132 of Cybersecurity Where You Are, Sean Atkinson is joined by Valecia Stocchetti, Sr. Cybersecurity Engineer of the CIS Critical Security Controls (CIS Controls) at the Center for Internet Security® (CIS®). Together, they discuss what the first day, step, and dollar of implementing a controls framework look like for organizations stepping into their cybersecurity journey.
Here are some highlights from our episode:
01:54. Building and improving a cybersecurity program through the power of consensus
04:55. The use of an assessment to determine where you are and where you're going
09:15. How cross-mapping to multiple frameworks simplifies regulatory compliance efforts
12:00. The use of governance to secure leadership buy-in for your cybersecurity program
13:33. Continuous auditing and monitoring as tools for adapting to change
15:10. How Controls prioritization flows through the Implementation Groups (IGs)
19:39. Leadership as the backbone for getting any business program off the ground
22:59. Calculating the cost of cyber defense as a preventative action
24:55. Tradeoffs with security tools to keep in mind so that you can budget efficiently
30:00. Qualifications when using security offerings of MSPs and CSPs
Resources
CIS Community Defense Model 2.0
How Risk Quantification Tests Your Reasonable Cyber Defense
CIS Controls Self Assessment Tool (CIS CSAT)
Guide to Implementation Groups (IG): CIS Critical Security Controls v8.1
How to Plan a Cybersecurity Roadmap in 4 Steps
The Cost of Cyber Defense: CIS Controls IG1
If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.