Cybersecurity Where You Are

In episode 110 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Lee Noriega, Executive Director of the Cybersecurity Services Organization and Acting General Manager of Sales and Business Services at the Center for Internet Security® (CIS®); and Jerry Gitchel, founder of Leverage Unlimited and listener to Cybersecurity Where You Are. Together, they examine a question sent in by Jerry: if a corporate culture is lacking, can a security culture exist?Here are some highlights from our episode:01:33. What security culture is and how it differs from corporate culture05:30. What elements factor into a strategy to drive corporate culture09:30. The importance of a feedback loop for culture15:43. How to cultivate "institutional ownership" in an organization's workforce19:03. What goes into fostering security consciousness in support of security champions25:14. The challenges of engaging corporate culture to think about security culture29:13. Examples and takeaways for listenersResourcesWhy Employee Cybersecurity Awareness Training Is ImportantEpisode 107: Continuous Improvement via Secure by DesignSeth Godin | Why People Like Us Do ThisThe Cuckoo's Egg: Tracking a Spy Through the Maze of Computer EspionageIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 109 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Randy Rose, VP of Security Operations & Intelligence at the Center for Internet Security® (CIS®); and Theodore "TJ" Sayers, Director of Intelligence & Incident Response at CIS. Together, they examine the scariest malware of 2024 and share some recommendations for how organizations can keep up with the changing cyber threat landscape.Here are some highlights from our episode:01:32. What makes certain malware strains "scarier" than others05:37. What trends shaped the cyber threat landscape in 202414:25. The most terrifying cyber threat actor sphere in 202419:41. How malware tactics and techniques from 2024 will continue to evolve25:04. How individuals and organizations can proactively defend themselves29:52. National strategies that are shaping malware defense and incident responseResourcesTop 10 Malware Q3 2024Election Security Spotlight – What Is Misinformation?Salt Typhoon Hacks of Telecommunications Companies and Federal Response ImplicationsEpisode 107: Continuous Improvement via Secure by DesignIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 108 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Ed Skoudis, CEO of Counter Hack Challenges and President of SANS Technology Institute. Together, they discuss the evolution of gaming and competition in cybersecurity and how these activities help to make the industry stronger.Here are some highlights from our episode:02:04. What goes into creating a game environment that attracts all kinds of skill levels04:43. A multi-disciplinary approach to creating a game environment16:14. How gaming and competition help to spot people with talent and potential23:32. The challenges of keeping pace with new technology32:03. The biggest challenges of putting a game environment together36:47. How to keep track of characters, situations, and story elements of a gameResourcesSANS Cyber RangesSANS Holiday Hack ChallengeEpisode 59: Probing the Modern Role of the PentestEpisode 95: AI Augmentation and Its Impact on Cyber DefenseLockBit 3.0 RaaS Gang Incorporates BlackMatter CapabilitiesIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 107 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Steve Lipner, Executive Director of SAFECode. Together, they discuss how software development organizations can use principles of "secure by design" to get on a track of continuous improvement.Here are some highlights from our episode:01:38. Steve's background and thoughts on the emergence of secure by design14:04. Three guiding principles of secure software development16:13. The impact of security awareness from a developer's perspective22:22. How threat modeling helps to address security as a system problem25:37. The effect of modern software development methodologies like Agile and DevSecOps30:29. What CISA's activity around secure by design means for the industryResourcesSAFECodeSecure Software Development Framework (SSDF)Embedded IoT Security: Helping Vendors in the Design ProcessEpisode 95: AI Augmentation and Its Impact on Cyber DefenseIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 106 of Cybersecurity Where You Are, Sean Atkinson is joined by Chris Smith, Social Media Specialist at the Center for Internet Security® (CIS®).Together, they use a donation scam about a natural disaster to advise how you can stay safe against this type of cyber threat.Here are some highlights from our episode:00:49. Why it's important to talk about donation scams and why they're so prevalent05:13. Recounting a real-world example of a donation scam10:43. Common tactics leveraged by online scammers13:27. Guidance for defending against a donation scam16:48. The rise of checks and balances to defend against crowdfunding scams20:59. How research can help you to verify before you donate29:11. What to do if you have fallen for a scamResourcesEpisode 27: Cyber ScamsOctober: Cybersecurity Awareness MonthIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 105 of Cybersecurity Where You Are, Sean Atkinson discusses the importance of context in maturing how you use cyber risk quantification to build cases for risk treatment strategies.Here are some highlights from our episode:01:56. The inspiration for an episode on cyber risk quantification02:38. How to situate risk quantification in your business processes08:56. Traps to avoid when quantifying cyber risks12:12. How the quantification process relates to controls implementation16:50. Why the right people and data can help you build something sustainable23:19. Three lenses for examining cyber risk26:50. Different means for communicating risk to stakeholdersResourcesQuantitative Risk Analysis: Its Importance and ImplicationsFAIR: A Framework for Revolutionizing Your Risk AnalysisCIS Critical Security Controls®CIS Risk Assessment Method6 Truths of Cyber Risk QuantificationSociety of Information Risk AnalystsIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 104 of Cybersecurity Where You Are, Sean Atkinson is joined by Kennidi Ortega, Information Security Analyst at the Center for Internet Security® (CIS®).Together, they explore the experience of a first-year analyst and how they might make the most of getting started in a cybersecurity career.Here are some highlights from our episode:01:07. How Kennidi got started in cybersecurity and what led her to the field03:44. What the beginning of Sean's cybersecurity career looked like04:23. The biggest challenges a first-year analyst may face07:56. Helpful resources for getting started in the cybersecurity industry11:58. Which technical skills Kennidi sharpened the quickest in her role16:05. The most important business skills for planning a future in cybersecurity20:13. How an agile mindset in cybersecurity supports career growth23:00. Recommendations on career mapping for first-year analysts28:13. The value of mentorships in cybersecurityResourcesEpisode 103: Education vs. Experience in CybersecurityEpisode 54: How to Get Started in CybersecurityEpisode 15: Cybersecurity Success Takes Soft SkillsEpisode 45: The Importance of MentorshipTryHackMeSANS Cyber Security SummitsPancakesConTrace LabsBackdoors & BreachesRaices CyberCyberWarriorCyber.orgWomen in CyberSecurityIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 103 of Cybersecurity Where You Are, Sean Atkinson examines education and experience as pathways for new professionals to enter the cybersecurity industry.Here are some highlights from our episode:01:42. What's motivating Sean to talk about this topic03:32. The value of cybersecurity degrees05:17. The pros and cons of degree programs in cybersecurity07:47. How a cybersecurity certification compares to a degree10:57. Considerations for pursuing a certification in cybersecurity14:00. Using certifications to learn new technology paradigms16:54. Why a breadth of practical experience is important22:49. Pathways for gaining experience in cybersecurityResourcesEpisode 75: How GenAI Continues to Reshape CybersecurityEpisode 59: Probing the Modern Role of the PentestOutliers: The Story of SuccessHack The BoxTryHackMeDavid BombalIppSecPortSwiggerJohn HammondIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 102 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by the following guests:Charity Otwell, Director of the CIS Critical Security Controls® (CIS Controls®) at the Center for Internet Security® (CIS®)Lawrence Cruciana, President of Corporate Information Technologies (CorpInfoTech)Together, they discuss the "sporty" rigor underlying the process and value of achieving CIS Controls Accreditation.Here are some highlights from our episode:01:36. What is meant by CIS Controls Accreditation, as certified by CREST03:32. What motivated CorpInfoTech to pursue accreditation07:47. The importance of CIS Controls Accreditation to the cybersecurity ecosystem20:07. The business value of accreditation for recipientsResourcesCIS Controls AccreditationCorpInfoTech Receives First CIS Controls AccreditationCorpInfoTechTop Hurdles for MSSPs and One Shining SolutionCIS Community Defense Model 2.0Episode 44: A Zero Trust Framework Knows No EndIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 101 of Cybersecurity Where You Are, Sean Atkinson is joined by Justin Kohler, Vice President of Products at SpecterOps, and Jonathan Parfait, Technical Account Manager at SpecterOps.Together, they discuss how the visualization of attack paths in Active Directory helps organizations to better contextualize risks to their enterprise security.Here are some highlights from our episode:01:54. What Bloodhound is and how it assists organizations in assessing risks in their Active Directory environments05:08. Why have organizations look at their Active Directory environments11:15. Common vulnerabilities and misconfigurations identified by Bloodhound21:21. How organizations can best use Bloodhound as part of their cyber defensive strategy29:18. How Bloodhound is adapting to keep up with evolving Active Directory environmentsResourcesBloodhound Community EditionEpisode 62: Inside the 'Spidey Sense' of a PentesterWhat You Need to Know About Hybrid Cloud EnvironmentsVulnerability Management Policy Template for CIS Control 7CIS Benchmarks ListIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 100 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by David Bisson, Sr. Content Marketing Strategist at the Center for Internet Security® (CIS®).Together, they celebrate the first 100 episodes of Cybersecurity Where You Are and discuss where the podcast might go in the future.Here are some highlights from our episode:01:14. How the podcast's approach and content have changed since the first episode04:19. What surprised the team about the "machinery" of putting on a cybersecurity podcast07:53. A look back at some of our favorite guests and types of podcast episodes27:20. How the podcast can continue to support the cybersecurity industry going forwardResourcesEpisode 1: Welcome to the BasicsEpisode 7: CIS Controls v8…It’s Not About the ListEpisode 9: Mitigating Risk: Information Security GovernanceEpisode 24: How Do I Start a Career in Cybersecurity?Episode 59: Probing the Modern Role of the PentestEpisode 96: Making Continuous Compliance Actionable for SMBsEpisode 97: How Far We've Come preceding CIS's 25th BirthdayIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 99 of Cybersecurity Where You Are, Sean Atkinson is joined by Marcus Sachs, SVP and Chief Engineer at the Center for Internet Security® (CIS®).Together, they discuss how cyber-informed engineering builds resilience to the potential failure of a digital system into new and existing engineering products.Here are some highlights from our episode:03:51. What cyber-informed engineering is and how this paradigm has emerged11:39. What CIS is doing to emphasize cyber-informed engineering among U.S. State, Local, Tribal, and Territorial (SLTT) government organizations16:25. Why resilience requires everyone to be "cyber-informed"20:50. The need for boards of directors and C-Suite leaders to understand cybersecurity risk25:30. What preparations help to lay the foundation for cyber-informed engineeringResourcesCyber-Informed EngineeringNational Cyber-Informed Engineering StrategyCyber-Informed Engineering Implementation GuideEpisode 75: How GenAI Continues to Reshape CybersecuritySmart Cities Need Smarter SecurityIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 98 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Roger Grimes, Data-Driven Defense Evangelist at KnowBe4.Together, they embrace transparency as a vehicle for the cybersecurity industry to better defend against insider threats.Here are some highlights from our episode:01:28. How KnowBe4 detected an insider threat from North Korea09:09. How the Center for Internet Security® (CIS®) responded to news of this incident21:02. The role of technical controls in detecting these types of threats23:56. Common signs you can use to detect fake employees in your hiring process29:22. How cybersecurity companies can use this incident to improve their defensesResourcesHow a North Korean Fake IT Worker Tried to Infiltrate UsNorth Korean Fake IT Worker FAQEpisode 77: Data's Value to Decision-Making in CybersecurityDefense-in-Depth: A Necessary Approach to Cloud SecurityeBook: A CISO’s Guide to Bolstering Cybersecurity PostureIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 97 of Cybersecurity Where You Are, Tony Sager is joined by the following guests:Dr. Ramon Barquin, Board Member at the Center for Internet Security® (CIS®) and President and Chief Executive Officer at Barquin InternationalFranklin Reeder, Director Emeritus and Founding Chair of CIS as well as Director of the National Cybersecurity Scholarship FoundationClint Kreitner, Founding President/CEO and Former Board Member at CISTogether, they look back at how much CIS has accomplished as an organization in the leadup to its 25th birthday.Here are some highlights from our episode:06:04. What brought everyone to CIS's founding meeting at the Cosmos Club16:08. The first steps to operationalizing the takeaways of the Cosmos Club meeting25:40. How CIS's business model came to be34:24. The events that brought the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) into CIS42:42. Tracing the past forward to where we are nowResources20 Years of Creating Confidence in the Connected WorldEpisode 35: Remembering the Late Alan PallerReasonable Cybersecurity GuideEpisode 79: Advancing Common Good in Cybersecurity – Part 1MS-ISAC: 20 Years as Your Trusted Cyber Defense CommunityDr. Ramon BarquinFranklin ReederIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 96 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by Tarah Wheeler, CEO of Red Queen Dynamics.Together, they discuss ongoing efforts to translate continuous compliance into something actionable for small- to medium-sized businesses (SMBs).Here are some highlights from our episode:03:11. The philosophy behind a business model focused on continuous compliance for SMBs17:44. How the Fog of More complicates security and compliance for the "cyber-underserved"30:56. How the industry can navigate the multiple-framework issue and streamline complianceResourcesFollow Tarah on LinkedInEpisode 95: AI Augmentation and Its Impact on Cyber DefenseImplementation Guide for Small- and Medium-Sized Enterprises CIS Controls IG1Build a Robust Continuous Audit Program in 10 StepsHow Prioritized Security Controls Break Through the Fog of MoreIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 95 of Cybersecurity Where You Are, Sean Atkinson is joined by Randy Rose, VP of Security Operations & Intelligence at the Center for Internet Security® (CIS®).Together, they discuss AI augmentation in terms of how cyber defenders are using generative artificial intelligence to enhance their capabilities.Here are some highlights from our episode:01:16. How artificial intelligence has changed the landscape for cybersecurity defenders03:49. How AI is starting to augment threat detection10:12. What security researchers are exploring around AI and cyber defense20:54. Key challenges and limitations for AI-based cyber defense30:54. Future trends and innovations for cybersecurity defenders' use of AIResourcesEpisode 56: Cybersecurity Risks and Rewards of LLMsEpisode 59: Probing the Modern Role of the PentestSEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionalsfr0gger / Awesome-GPT-AgentsThe LLM Misinformation Problem I Was Not ExpectingSeparating FUD from Practical for Post-Quantum CryptographyIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 94 of Cybersecurity Where You Are, Tony Sager is joined by the following guests from the Center for Internet Security® (CIS®):Carlos Kizzee, SVP of Multi-State Information Sharing and Analysis Center® (MS-ISAC®) Strategy & PlansKaren Sorady, VP of MS-ISAC Strategy & PlansGreta Noble, Director of Community EngagementTogether, they discuss how the ISAC Annual Meeting supports the 24x7x365 community defense efforts of the MS-ISAC and Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®).Here are some highlights from our episode:02:30. Background information on ISACs in general and the role of the MS-ISAC04:17. Why it's an annual meeting and not a conference06:40. What made the 2024 ISAC Annual Meeting the largest of its kind so far08:43. How the human dimension drives our yearly meeting15:44. The role of the MS- and EI-ISACs in CIS's broader strategy19:42. How our yearly meeting improves what CIS does29:57. What's next for the ISAC Annual MeetingResourcesMS-ISAC: 20 Years as Your Trusted Cyber Defense CommunityEpisode 76: The Role of Thought Leadership in CybersecurityReasonable Cybersecurity GuideCybersecurity at Scale: Piercing the Fog of MoreIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 93 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined once again by John Cohen, Executive Director of Countering Hybrid Threats at the Center for Internet Security® (CIS®).Together, they discuss a whole-of-society approach to help make the U.S. public resilient against multidimensional threats in our connected world.Here are some highlights from our episode:01:52. What the U.S. public needs to consider in order to strengthen its resilience06:04. How a national framework addresses the need for organizations to build resilience and intercommunication in the face of increasingly sophisticated threats11:41. Identifying who key partners are in a complex, hybrid world16:49. How people are responding to the national framework and where they are seeing value21:50. Clarifying hopes for the national framework going forwardResourcesJohn D. CohenEnhancing Safety in the Connected World — A National Framework for ActionEpisode 92: A Framework to Counter Evolving Cyber ThreatsWhy Whole-of-State Cybersecurity Is the Way ForwardPublic Water and Wastewater Sector Face Mounting Cyber ThreatThe National Cybersecurity StrategyIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 92 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by John Cohen, Executive Director of Countering Hybrid Threats at the Center for Internet Security® (CIS®). Together, they discuss "Enhancing Safety in the Connected World — A National Framework for Action," a multi-year project to help law enforcement and security professionals better contextualize and respond to evolving cyber threats.Here are some highlights from our episode:02:01. Why the current threat environment necessitates a framework that accounts for "cyber physical," "cyber safety," and other considerations08:48. How entities at the federal level and local law enforcement approach evolving cyber threats differently16:34. The different types of threats that characterize the evolving cyber threat environment22:05. How the Federalist Papers inform the Framework's "whole-of-society" approachResourcesJohn D. CohenEnhancing Safety in the Connected WorldEpisode 75: How GenAI Continues to Reshape CybersecurityWhy Whole-of-State Cybersecurity Is the Way ForwardEstablishing Essential Cyber HygieneIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

In episode 91 of Cybersecurity Where You Are, Sean Atkinson is joined by Charity Otwell, Director of the CIS Critical Security Controls® (CIS Controls®) at the Center for Internet Security® (CIS®).Together, they discuss what you need to know about the release of CIS Controls v8.1.Here are some highlights from our episode:01:17. What you can expect to see in version 8.1 of the Controls06:19. How CIS Controls v8.1 helps you to integrate other governance structures09:23. How version 8.0 and version 8.1 of the Controls differ14:19. What goes into creating a new version of the Controls21:06. Which resources you can use to guide your implementation plan26:39. A sneak peek into the development of version 9.0ResourcesFollow Charity on LinkedInCIS Critical Security Controls v8.1CIS Critical Security Controls v8.1 Change LogHow to Construct a Sustainable GRC Program in 8 StepsCIS Controls v8.1 Mapping to NIST CSF 2.0CIS Critical Security Controls NavigatorEpisode 87: Marking 11 Years as a Verizon DBIR ContributorCybersecurity at Scale: Piercing the Fog of MoreIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.