118 episodes • Length: 45 min • Monthly
Welcome to “Cybersecurity Where You Are,” the podcast of the Center for Internet Security® (CIS®). Cybersecurity affects us all — whether we’re online at home, managing a company, supporting clients, or running a state or local government. Join us on Wednesdays as Sean Atkinson, CISO at CIS, and Tony Sager, SVP & Chief Evangelist at CIS, discuss trends and threats, explore security best practices, and interview experts in the industry. Together, we’ll clarify these issues, creating confidence in the connected world.
The podcast Cybersecurity Where You Are is created by Center for Internet Security. The podcast and the artwork on this page are embedded on this page using the public podcast feed (RSS).
In episode 118 of Cybersecurity Where You Are, Sean Atkinson is joined by Andy Smith, Security Architect for BP and Instructor at the SANS Institute. Together, they review the state of post-quantum cryptography as well as share recommendations for how organizations and individuals can prepare to move into the post-quantum era.
Here are some highlights from our episode:
Resources
If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing [email protected].
In episode 117 of Cybersecurity Where You Are, Sean Atkinson reflects on the 2025 cybersecurity predictions of 12 experts at the Center for Internet Security® (CIS®), as shared on the CIS website.
In episode 116 of Cybersecurity Where You Are, Sean Atkinson discusses the threat of AI-enhanced ransomware along with the use of generative artificial intelligence (GenAI) to defend against it.
In episode 115 of Cybersecurity Where You Are, Sean Atkinson is joined by Carolyn Comer, Chief Human Resources Officer at the Center for Internet Security® (CIS®); Heidi Gonzalez, Sr. Employee Experience Specialist at CIS; and Jennifer Myers, Sr. Director of Learning and Development at CIS. With an in-person holiday open house and office party as their backdrop, they celebrate the continuous feedback that sustains and grows the employee culture at CIS.
In episode 114 of Cybersecurity Where You Are, Tony Sager is joined by three past and current Board Chairs of the Center for Internet Security® (CIS®): Frank Reeder, CIS Director Emeritus and Founding Chair as well as Director of the National Cybersecurity Scholarship Foundation; John Gilligan, President and Chief Executive Officer of CIS; and Bobbie Stempfley, CIS Board Chair and Business Security Officer of the Infrastructure Solutions Group at Dell Technologies. Together, they reflect on 25 years of CIS building community in the cybersecurity space.
In episode 113 of Cybersecurity Where You Are, Tony Sager is joined by Phyllis Lee, VP of SBP Content Development at the Center for Internet Security® (CIS®); Adam Bobrow, Co-Founder and President of Veribo Analytics; and Sridevi Joshi, Co-Founder and CEO of Veribo Analytics. Together, they discuss how the Business Impact Analysis tool created by CIS and Veribo Analytics empowers individuals and organizations to use cyber risk prioritization as a basis for their ransomware defense strategy.
In episode 112 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Rob T. Lee, Chief of Research and Head of Faculty at SANS Institute. Together, they discuss how SANS Institute applies an operational or "do" model of leadership to gather expertise, build shared purpose, and foster action on evolving cybersecurity trends.
In episode 111 of Cybersecurity Where You Are, Tony Sager is joined by Rick Howard, N2K Chief Security Officer and the Chief Analyst and Senior Fellow at The Cyberwire. Together, they discuss a first principle of cybersecurity proposed by Rick in his book, Cybersecurity First Principles: A Reboot of Strategy and Tactics.
In episode 110 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Lee Noriega, Executive Director of the Cybersecurity Services Organization and Acting General Manager of Sales and Business Services at the Center for Internet Security® (CIS®); and Jerry Gitchel, founder of Leverage Unlimited and listener to Cybersecurity Where You Are. Together, they examine a question sent in by Jerry: if a corporate culture is lacking, can a security culture exist?
In episode 109 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Randy Rose, VP of Security Operations & Intelligence at the Center for Internet Security® (CIS®); and Theodore "TJ" Sayers, Director of Intelligence & Incident Response at CIS. Together, they examine the scariest malware of 2024 and share some recommendations for how organizations can keep up with the changing cyber threat landscape.
In episode 108 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Ed Skoudis, CEO of Counter Hack Challenges and President of SANS Technology Institute. Together, they discuss the evolution of gaming and competition in cybersecurity and how these activities help to make the industry stronger.
In episode 107 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Steve Lipner, Executive Director of SAFECode. Together, they discuss how software development organizations can use principles of "secure by design" to get on a track of continuous improvement.
In episode 106 of Cybersecurity Where You Are, Sean Atkinson is joined by Chris Smith, Social Media Specialist at the Center for Internet Security® (CIS®).
Together, they use a donation scam about a natural disaster to advise how you can stay safe against this type of cyber threat.
In episode 105 of Cybersecurity Where You Are, Sean Atkinson discusses the importance of context in maturing how you use cyber risk quantification to build cases for risk treatment strategies.
In episode 104 of Cybersecurity Where You Are, Sean Atkinson is joined by Kennidi Ortega, Information Security Analyst at the Center for Internet Security® (CIS®).
Together, they explore the experience of a first-year analyst and how they might make the most of getting started in a cybersecurity career.
In episode 103 of Cybersecurity Where You Are, Sean Atkinson examines education and experience as pathways for new professionals to enter the cybersecurity industry.
In episode 102 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by the following guests:
Together, they discuss the "sporty" rigor underlying the process and value of achieving CIS Controls Accreditation.
In episode 101 of Cybersecurity Where You Are, Sean Atkinson is joined by Justin Kohler, Vice President of Products at SpecterOps, and Jonathan Parfait, Technical Account Manager at SpecterOps.
Together, they discuss how the visualization of attack paths in Active Directory helps organizations to better contextualize risks to their enterprise security.
In episode 100 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by David Bisson, Sr. Content Marketing Strategist at the Center for Internet Security® (CIS®).
Together, they celebrate the first 100 episodes of Cybersecurity Where You Are and discuss where the podcast might go in the future.
In episode 99 of Cybersecurity Where You Are, Sean Atkinson is joined by Marcus Sachs, SVP and Chief Engineer at the Center for Internet Security® (CIS®).
Together, they discuss how cyber-informed engineering builds resilience to the potential failure of a digital system into new and existing engineering products.
In episode 98 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Roger Grimes, Data-Driven Defense Evangelist at KnowBe4.
Together, they embrace transparency as a vehicle for the cybersecurity industry to better defend against insider threats.
In episode 97 of Cybersecurity Where You Are, Tony Sager is joined by the following guests:
Together, they look back at how much CIS has accomplished as an organization in the leadup to its 25th birthday.
In episode 96 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by Tarah Wheeler, CEO of Red Queen Dynamics.
Together, they discuss ongoing efforts to translate continuous compliance into something actionable for small- to medium-sized businesses (SMBs).
In episode 95 of Cybersecurity Where You Are, Sean Atkinson is joined by Randy Rose, VP of Security Operations & Intelligence at the Center for Internet Security® (CIS®).
Together, they discuss AI augmentation in terms of how cyber defenders are using generative artificial intelligence to enhance their capabilities.
In episode 94 of Cybersecurity Where You Are, Tony Sager is joined by the following guests from the Center for Internet Security® (CIS®):
Together, they discuss how the ISAC Annual Meeting supports the 24x7x365 community defense efforts of the MS-ISAC and Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®).
In episode 93 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined once again by John Cohen, Executive Director of Countering Hybrid Threats at the Center for Internet Security® (CIS®).
Together, they discuss a whole-of-society approach to help make the U.S. public resilient against multidimensional threats in our connected world.
In episode 92 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by John Cohen, Executive Director of Countering Hybrid Threats at the Center for Internet Security® (CIS®).
Together, they discuss "Enhancing Safety in the Connected World — A National Framework for Action," a multi-year project to help law enforcement and security professionals better contextualize and respond to evolving cyber threats.
In episode 91 of Cybersecurity Where You Are, Sean Atkinson is joined by Charity Otwell, Director of the CIS Critical Security Controls® (CIS Controls®) at the Center for Internet Security® (CIS®).
Together, they discuss what you need to know about the release of CIS Controls v8.1.
In episode 90 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by the following guests:
Together, they discuss how you can use CIS resources to ensure control continuity when migrating to the cloud.
In episode 89 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by the following guests:
Together, they discuss how cyber threat actors (CTAs) are using generative artificial intelligence (GenAI) as an enabler of their attacks.
In episode 88 of Cybersecurity Where You Are, co-host Sean Atkinson discusses the evolving role of a chief information security officer (CISO).
In episode 87 of Cybersecurity Where You Are, co-host Tony Sager is joined by the following guests:
Together, they celebrate 11 years of CIS and Verizon working together to contextualize the threat activity security teams are seeing and to help teams use the Controls as an improvement framework.
In episode 86 of Cybersecurity Where You Are, co-host Sean Atkinson is live once again from Booth 4319 at RSA Conference (RSAC) 2024.
00:57. Sean chats with Mat Everman, Information Security Operations Manager, about his talk, "Shades of Purple: Getting Started and Making Purple Teaming Possible." They discuss some of the questions Mat received following his talk and how they can put purple teaming into practice at the Center for Internet Security® (CIS®).
Sean asks passersby what they're looking to get out of RSAC 2024 and what stood out to them at the conference.
Finally, Sean talks to fellow team members about CIS's objective for RSAC 2024.
In episode 85 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are live from Booth 4319 at RSA Conference (RSAC) 2024. Together, they discuss how events like RSAC 2024 reenergize collective action in the cybersecurity industry. They begin by noting how resources such as the CIS Community Defense Model (CDM) bring more data and transparency to security recommendations for the cybersecurity industry. They then look back on some of Tony's presentations at prior years of RSAC before looking at the interest surrounding supply chain security, zero trust, and artificial intelligence (AI). To address these developments, organizations must create a foundation for defense and scale rapid improvements, needs which Tony and Sean see as opportunities for collective action in the industry.
In episode 84 of Cybersecurity Where You Are, co-host Tony Sager is joined by Brian de Vallance, Senior Advisor at Cambridge Global Advisors; and Phyllis Lee, VP of Security Best Practices (SBP) Content Development at the Center for Internet Security® (CIS®). Together, they discuss the notion of reasonable cybersecurity. They begin by providing some background about reasonableness in cybersecurity and identifying the problem we need to solve — namely, the lack of a definition of reasonableness around which organizations can build their cybersecurity program. They then discuss how a definition for reasonable cybersecurity needs to include security best practices that are doable. They conclude by exploring how CIS's work around this topic may influence its content development going forward.
In episode 83 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by nearly 20 employees at the Center for Internet Security® (CIS®). Together, they discuss the value of meeting in person to CIS workplace culture. With the company's 2024 Annual Full Staff Meeting in Orlando, FL, as their backdrop, they explore how personal relationships create a foundation for building effective teams, more agile workflows, and a sustainable sense of engagement and motivation at CIS. Along the way, they reflect on how much the company has changed since before the pandemic.
In episode 82 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by John Gilligan, President and CEO at the Center for Internet Security® (CIS®); and Gina Chapman, Chief Operating Officer at CIS. Together, they discuss the importance of in-person team building events. They use the pandemic as a frame to understand how events such as the 2024 Annual Full Staff Meeting preserve and cultivate CIS's workplace culture. They also look to other ongoing initiatives at the company, such as CIS Cares and the IDEA Alliance, as efforts to sustain employee engagement both in person and virtually.
In episode 81 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Daniel McIntyre, Identity and Access Management (IAM) Manager at the Center for Internet Security® (CIS®). Together, they acknowledge Identity Management Day 2024 with a discussion of IAM. They begin by looking at how IAM as a concept has changed over the years. They then explore current challenges in the modern environment and strategies for IAM to keep up with emerging threats. After emphasizing the importance of training in an effective IAM program, they conclude their conversation by sharing best practices for getting started in IAM and cybersecurity more broadly.
In episode 80 of Cybersecurity Where You Are, co-host Tony Sager is once again joined by Philip Reitinger, President and CEO of Global Cyber Alliance. Together, they continue their discussion around Common Good Cyber. Tony and Philip begin by recapping the events of the Common Good Cyber Workshop on February 26–27, 2024. From there, they explore the perspective of IT companies and governments in supporting common good solutions for the cybersecurity industry. They conclude their conversation by looking to the future of Common Good Cyber and explaining how you can get involved.
In episode 79 of Cybersecurity Where You Are, co-host Tony Sager is joined by Philip Reitinger, President and CEO of Global Cyber Alliance. Together, they discuss the Common Good Cyber cybersecurity initiative. Tony and Philip begin by sharing the paths that brought them to the nonprofit sector. From there, Philip recounts the events and needs that led to the formation of Common Good Cyber. They end the first part of their conversation by exploring the nature of "common good" in relation to internet technology. Both agree that common good efforts must include more than just money to produce meaningful change in the cybersecurity industry.
In episode 78 of Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Lisa Young, Senior Metrics Engineer at Netflix. Lisa is a long-time practitioner in the cybersecurity risk, risk quantification, and metrics field. She has a rich career and experience of putting resources toward practices that will protect, sustain, and make organizations resilient over time. In her current role, Lisa helps Netflix measure what works, what doesn't work, and how to optimize practices and controls that help enhance the coverage and efficacy of things that need to be done. Together, the three discuss the hurdles of harmonizing teams to determine acceptable risk in the cybersecurity ecosystem.
In episode 77 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by Roger Grimes, Data-Driven Defense Evangelist at KnowBe4. Together, they discuss how to use data to inform your decision-making in cybersecurity. They begin by discussing the cybersecurity industry's lack of maturity in its use of data. From there, they explore the risks of not using data to make cybersecurity decisions. In Tony's words, the cybersecurity industry doesn't have to accept "perfection is the enemy of the good" as its paradigm. When we understand the data with which we can work, we can frame the information in a way to strengthen the cybersecurity posture of our respective organizations.
In episode 76 of Cybersecurity Where You Are, co-host Tony Sager is joined by Julie Morris, CEO and Co-Founder of Persona Media. Together, they discuss the role of thought leadership in cybersecurity. They begin by discussing misconceptions surrounding the notion of thought leadership. Next, they explore what thought leadership looks like in the context of an industry like cybersecurity and a company like the Center for Internet Security® (CIS®). Their conversation concludes with some advice on how individuals, especially senior leaders, can get started with thought leadership.
In episode 75 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager discuss how generative artificial intelligence (GenAI) continues to reshape cybersecurity. They begin by using Episodes 48, 49, and 56 to consider the ongoing impact of GenAI on confidence, trust, and consistency as elements of a mature cybersecurity program. After reflecting on how confidence has shaped the work of the Center for Internet Security® (CIS®) more generally, Sean and Tony conclude by revisiting the verification challenge of GenAI.
In episode 74 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Brian de Vallance, Senior Advisor at Cambridge Global Advisors; and Carlos Kizzee, Senior Vice President (SVP) for Multi-State Information Sharing and Analysis Center® (MS-ISAC®) Strategy & Plans at the Center for Internet Security® (CIS®). In recognition of Data Privacy Week on January 21-27, 2024, they discuss the nexus of cybersecurity and privacy legislation in the United States. They begin by reviewing how the privacy laws passed by U.S. states over the past several years all include a cybersecurity element – namely, the effort to implement "reasonable" cybersecurity around protecting consumers' data. They then look to the future and consider how the laws will lead to regulations and, in turn, enforcement actions that will help raise our understanding of consumer privacy rights and how they can be defended.
In episode 73 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager use our 2023 cybersecurity predictions to understand how the industry changed last year. They discuss progress and challenges around Artificial Intelligence (AI), zero trust, and other key trends they and others brought up in our blog post, "Our Experts' Top Cybersecurity Predictions for 2023." They also promise a similar year in review (YIR) for our 2024 cybersecurity predictions, for which 17 experts at the Center for Internet Security® (CIS®) contributed their thoughts.
In episode 72 of Cybersecurity Where You Are, co-host Tony Sager is joined by Phyllis Lee, VP of Security Best Practices (SBP) Content Development at the Center for Internet Security® (CIS®). Together, they discuss "Cybersecurity: Practice What, and While, We Teach," a keynote panel where they discussed cybersecurity in education during Tech Tactics in Education: Data and IT Security in the New Now. Throughout this episode, they pull in recorded snippets from their panel. They use those recordings to reflect on IT operational challenges and the need to balance different interests in education organizations, including K-12 schools and higher education institutions. They also highlight commonalities that present not only opportunities for collaboration in the education sector but also instances where CIS can help advance cybersecurity in education through the content it produces.
In episode 71 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by Carlos Kizzee, SVP for the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) Strategy & Plans at the Center for Internet Security® (CIS®); Dr. Bhargav Vyas, Assistant Superintendent for Compliance and Information Systems as well as Data Protection Officer at Monroe-Woodbury Central School District; and Terry Loftus, Assistant Superintendent & Chief Information Officer of Integrated Technology Services for the San Diego County Office of Education.
Together, they discuss how our publication, "K-12 Report: A Cybersecurity Assessment of the 2021-2022 School Year," facilitates better decision-making around K-12 cybersecurity. They begin by considering some common cybersecurity challenges for K-12 organizations, most notably a lack of funding and skilled personnel. From there, they reflect on how entities in this sector have grown their cybersecurity maturity despite those obstacles over the past few years. Their conversation ends with guidance for getting started with a K-12 cybersecurity program.
In episode 70 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Mathew Schwartz, Executive Editor for DataBreachToday & Europe at the Information Security Media Group (ISMG). Together, they discuss the media's role in shaping public understanding and perception of infosec. They begin by considering the idea of media channels helping to educate the public about cybersecurity matters, including data breaches and digital threats. From there, they go on to talk about how the language that the media uses to report on cybersecurity affects its ability to build trust with the public. Their conversation ends by reviewing tips for how members of the public can find trustworthy media channels in the infosec space.
In episode 69 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Tyler Scarlotta, Manager of Member Programs at the Center for Internet Security (CIS). Together, they discuss how the Nationwide Cybersecurity Review (NCSR) helps U.S. State, Local, Tribal, and Territorial (SLTT) government organizations evaluate their cyber maturity. They begin by reviewing what the NCSR assessment program entails and identifying trends from previous years. They then explore the lessons learned by SLTTs through participating in the NCSR, the steps to getting involved with the program, as well as the resources from CIS and the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS- and EI-ISACs) that a participant can use to strengthen their cyber maturity.
In episode 68 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by James Yeager, VP of Public Sector and Healthcare at CrowdStrike. Together, they discuss designing cyber defense as a partnership effort. They begin by reflecting on the ongoing work of CIS and CrowdStrike to advance cyber defense together. After touching on some of the biggest trends they've seen in the threat landscape, they note how giving advice to customers around cyber defense requires partnership activity. They observe that cybersecurity companies like CIS and CrowdStrike must continue to work together, and they highlight the importance of working with customers directly to identify new angles, new challenges, and new ways of providing help.
In episode 67 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Stephanie Gass, Director of Governance, Risk, and Compliance at the Center for Internet Security (CIS). Together, they discuss how to seize the moment once you've completed a cybersecurity audit. They explore the types of questions that you need to think about and the challenges you might encounter when acting upon a cybersecurity audit's findings. Additionally, they walk through a few examples of how you might consider responding to certain audit findings within your organization. Throughout the entire episode, they cite the importance of using business context to determine your priorities and a way of achieving them.
In episode 66 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by Mike Garcia, Senior Cybersecurity Advisor at the Center for Internet Security (CIS), and Jared Dearing, Sr. Director of Elections Best Practices at CIS. Together, they discuss the Rapid Architecture-Based Election Technology Verification (RABET-V) program. They begin by noting how the lack of a standardized verification process for non-voting election systems warranted the creation of a holistic testing approach for these technologies. From there, they explain how RABET-V differs from traditional testing methodologies by verifying non-voting election systems using a three-pronged approach. They conclude by sharing their ongoing work to improve RABET-V.
In episode 65 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Christopher Painter, Board Member of the Center for Internet Security (CIS) and President of the Global Forum on Cyber Expertise Foundation. Together, they discuss cybersecurity risk management. They begin by discussing how cyber risk analysis fits into a business risk management program in general. From there, they explore quantitative risk analysis (QRA), including its benefits for understanding cyber risk and the challenges of getting started. Their conversation then gets into how the CIS Board of Directors, specifically the Risk Committee, is using different methods of QRA to achieve CIS's business goals and objectives.
In episode 64 of Cybersecurity Where You Are, co-host Sean Atkinson initiates a series around establishing an underlying policy for your organization's cybersecurity program. He begins by discussing how a policy provides an overview of the business rules, or standards, that will feature in the program. With each standard, he clarifies that you can take a procedural approach to upholding supporting elements. He then narrows his focus to managing data and information, including different types of data management considerations for your organization. Along the way, he points out how you can use resources from the Center for Internet Security (CIS) to drive continuous improvement in this space.
In episode 63 of Cybersecurity Where You Are, co-host Sean Atkinson discusses software bills of materials (SBOMs). He uses CISA and other resources to contextualize key considerations of an SBOM, including how you can use one to understand your organization's underlying risks. From there, Sean explores how to build capability in the SBOM space. He urges a judicious approach that follows practice and builds on resiliency.
In episode 62 of Cybersecurity Where You Are, co-host Sean Atkinson sits down with Chris Elgee, Senior Security Analyst at Counter Hack; and Erik Pursley, Technical Engineer at Counter Hack. Together, they discuss the "spidey sense" that goes into being a penetration tester. They reflect on key skills and certifications that help to make a successful pentester, review some of the methodologies that go into pentesting, and consider how specialization might be inevitable in an evolving technology landscape. They conclude by offering advice to organizations that are looking to engage in a pentest.
In episode 61 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by Stephanie Gass, Director of Governance, Risk, and Compliance. Together, they discuss the components of an effective cybersecurity risk governance program. They explore how to represent technical security questions to others, how to overcome challenges associated with changing the way a company makes decisions related to risk, and how culture plays into these types of shifts. They also reflect on how quantification, supply chain security, and other issues factor into a modern-day approach to governance.
In episode 60 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Kathleen Moriarty, CTO at the Center for Internet Security (CIS); Ben Carter, Internet of Things (IoT) specialist at CIS; and Kaitlin Drape, Research and Innovation Process Lead at CIS. Together, they discuss a white paper they recently released that guides IoT vendors on how to build security into their products by default and by design. Kathleen, Ben, and Kaitlin begin by reflecting on why they created such a document in the first place. After explaining some of what went into drafting the white paper, they look to the future and note how IoT frameworks such as theirs help to shift IoT security left, toward purchasing decisions.
In episode 59 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by Ed Skoudis, founder of the SANS Penetration Testing Curriculum and Counter Hack. Together, they discuss the value of penetration testing – all while CIS as an organization is undergoing a pentest! They begin by considering the historical perspective of pentests. (In Tony's words, "the foundational perspective for testing back then was to create drama.") They then reflect on how penetration tests excel when they prioritize education using a process of feedback. During the course of the conversation, Sean and Ed draw upon their years of collaboration to explain what this process can look like. They conclude by providing advice on how less mature organizations can get value from a penetration test.
In episode 58 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by more than a dozen Center for Internet Security (CIS) employees during the company's 2023 Full Staff Meeting at the Sagamore Resort. Together, they discuss the collaborative nature of CIS's award-winning workplace culture. Using the Full Staff Meeting as a lens, each employee reflects on the importance of an annual in-person meeting for all employees. Their responses highlight how colleagues, teams, and business units alike focus on building relationships. Doing so empowers CIS to engage with partners, members, and the cybersecurity community writ large as a cohesive whole.
In episode 57 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by the following guests: William Pelgrin, Founder and Former Chair of the MS-ISAC; Thomas Duffy, Former Senior VP Of Operations and Services at the MS-ISAC; and Karen Sorady, VP of MS-ISAC Stakeholder Engagement Division. Together, they celebrate the 20th anniversary of the Multi-State Information Sharing and Analysis Center (MS-ISAC). They look back on the past two decades and reminisce on pivotal moments in the MS-ISAC's history, including when it became a division of the Center for Internet Security (CIS). After discussing how much it's grown in that time, they turn their eyes to the future and explore the MS-ISAC's plans to continue to serve its membership.
In episode 56 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Dr. Paulo Shakarian, Associate Professor at the School of Computing, Informatics, and Decision Systems Engineering (CIDSE) at Arizona State University. Together, they discuss the cybersecurity implications of large language models (LLMs) like ChatGPT-3. They first look back on how deep learning has enabled machine learning (ML) and artificial intelligence (AI) to reach new levels of accuracy. Next, they discuss how ChatGPT-3 and other new AI models, which are designed to mimic human language, may have inaccuracies. This possibility opens up new vulnerabilities, such as the ability to scale information operations, along with new challenges from a cybersecurity perspective. They conclude by sharing their thoughts about the future of the AI and LLM space.
In episode 55 of Cybersecurity Where You Are, co-host Sean Atkinson speaks with experts in attendance at RSA Conference 2023. He asks nearly a dozen different attendees to share their impressions of the event. They explain how someone can get the most out of being at RSA and what made this year's conference stand out compared to previous years. (Spoiler alert: "AI" as a buzzword was everywhere.) They also discuss just some of the different topics you can learn about at RSA, such as the opportunity for partnerships between red teams and blue teams as well as the cybersecurity impact of AI on the music industry.
In episode 54 of Cybersecurity Where You Are, co-host Sean Atkinson addresses how to get started in cybersecurity. He begins by looking at the different types of hard skills and soft skills that form the foundation of any cybersecurity career. Next, he draws upon his expertise to offer advice around certifications, learning a programming language, using a training provider, and building a portfolio. He also shares key insights into how you can make cybersecurity a rewarding career choice for years to come.
In episode 53 of Cybersecurity Where You Are, co-host Tony Sager is joined by Ron Gula, President and Co-Founder of Gula Tech Foundation. Together, they acknowledge Autism and Neurodiversity Awareness Month by discussing the need to create more opportunities in cybersecurity for neurodiverse individuals. They point out that there's no one way for all employers and supervisors to support employees with different abilities. It's up to the employers and supervisors to decide where those efforts fit into their culture and what each victory looks like.
Attending RSA Conference 2023? Make sure you visit the main conference hall at 12:00 P.M. PT on Wednesday, April 26. At that time and place, Gula Tech Foundation will announce the four winners of its Spring 2023 grant campaign, "Expanding Opportunities in Cyber for the Neurodivergent." As part of the ceremony, you'll have a chance to speak with the winners about engaging neurodiverse individuals in your organization.
In episode 52 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager discuss RSA Conference 2023. Together, they point out that the annual conference is more than just a trade show. They use that lens to identify some tips and tricks that attendees can use to get the most out of their time there. Additionally, they discuss what themes and activities you can expect to see at RSA Conference 2023. Their conversation ends with a teaser of Sean's talk at the event.
In episode 51 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager discuss the strategic importance of using a roadmap to navigate your cybersecurity journey. Together, they point out that this journey is like many others. You need to know how to get packing, plan your route, hit the road, and take a snapshot of how far you've come and where you're going next. Sean and Tony identify some important considerations to keep in mind for each leg of your trip, and they note that the Center for Internet Security shares your journey and supports you along it.
One of the ways it does this is through CIS SecureSuite. Members gain access to benefits, tools, and resources that help them, their clients, and their customers navigate the different stages of their respective cybersecurity journeys. Now through April 30, you can save up to 20% on a new CIS SecureSuite Membership using promo code CYBER2023.
In episode 50 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by Randy Rose, Sr. Director of Security Operations & Intel for the MS-ISAC, and Kathleen Moriarty, Chief Technology Officer at CIS. Together, they celebrate Cybersecurity Where You Are reaching Episode 50. To mark this milestone, they look back on some of their favorite moments in the podcast's history. They also share how those moments tie back not only to the maturation of the podcast but also to CIS's ethos as a "platform for activism." (Thanks, Tony.)
Thank you to all our listeners for helping us reach Episode 50. We couldn't have done it without you. More laughter and learning to come!
In episode 49 of Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson discuss artificial intelligence (AI) and cybersecurity. The two review the relationship between them, specifically how AI and cybersecurity meet, how they enhance each other, and the ways AI could be a detriment.
In episode 48 of Cybersecurity Where You Are, co-host Sean Atkinson introduces three trends within the cybersecurity industry that we'll discuss in upcoming episodes. He first touches on how new developments in artificial intelligence, particularly ChatGPT, might affect cybersecurity processes like incident response. Next, Sean reflects on what widespread layoffs in big tech mean for cybersecurity, especially when set against an ongoing cybersecurity skills gap. Finally, he provides an overview of the legislation and preparations for securing a post-quantum world.
In episode 47 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Sawyer Miller, Senior Manager of Cyber Risk at risk3sixty LLC. Together, they discuss security and compliance. Their discussion explores various ways that security and compliance can align even though they are different business considerations. (Spoiler alert: risk and balance are key.) Sean and Sawyer also touch on how evolving technologies and threats are changing our understanding of security and compliance. They conclude with some recommendations on how your business and security leaders can begin to navigate these developments.
In episode 46 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager discuss their cybersecurity predictions for 2023 along with those from a few other CIS experts. "Integration" is the word of the day for their conversation. Sean and Tony feel that this concept will shape how we measure the progress of cybersecurity in a number of areas, from vendor risk management in the open-source landscape to promoting meaningful discussions about security.
In episode 45 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by Valecia Stocchetti, a Sr. Cybersecurity Engineer on the CIS Critical Security Controls team here at CIS. Valecia and Sean discuss how their mentorship took shape and how it worked as a partnership from the very beginning. Together with Tony, they go over mentorship vs. career counseling and note that a vetting process can help you spot the difference. They conclude by exploring why it's important to pay it forward whether you're a mentor or mentee.
In episode 44 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Scott Hall, Security Architect at the Center for Internet Security (CIS). Together, they identify resources and buy-in as some of the key elements for implementing a zero trust framework. So begins a journey that evolves with your organization's changing business processes and functions. To be successful, it's important to accept that you'll always be tweaking things to fit your needs. It's also invaluable to take a business-centered approach. This includes maintaining an inventory of what you have so that your zero trust journey can drive, not inhibit, business growth.
In episode 43 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by Amanda Flynn, Manager of Admin Services and Board Relations at the Center for Internet Security (CIS), and Elijah Cedeno, Sr. Account Management Specialist at CIS. Together, they discuss the work of CIS CARES, a CIS program that gives back to the community every year through campaigns focused on community, animals, resource conservation, and education. Their conversation looks back at the evolution of CIS CARES over the past 11 years, explores the program's focus for Q4 2022, and teases what's to come next year and beyond.
In episode 42 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Mat Everman, Information Security Operations Manager at the Center for Internet Security (CIS). Together, they discuss the topic of advocating for the underserved. Both agree that there's no silver bullet that a person or business can use to minimize all cyber risk. In the absence of a cure-all solution, however, there are opportunities for improving the security maturity of the underserved more broadly. This process begins with a discussion of where the underserved are. It then focuses on security measures that they can use to establish a baseline and create a foundation for an ever-evolving security journey.
In episode 41 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Valecia Stocchetti, Sr. Cybersecurity Engineer of the CIS Critical Security Controls (CIS Controls); Megan Stifel, Chief Strategy Officer for the Institute for Security and Technology; and Davis Hake, Co-Founder and Vice President of Policy at Resilience Insurance. Together, they discuss their collaboration as members of the Ransomware Task Force to create the "Blueprint for Ransomware Defense." After situating this effort within the evolving ransomware landscape, they explain how organizations can best use the Blueprint as an internal and external resource to minimize their ransomware risk. They also offer insight into how the Blueprint stands apart from other anti-ransomware guides that are currently available.
In episode 40 of Cybersecurity Where You Are, co-host Tony Sager is joined by Murray Kenyon, Vice Cybersecurity Partnerships Executive at U.S. Bank. Together, they discuss the human dimension of cybersecurity, that is, bringing people with different talents together to understand common problems and help both organizations and individuals make informed choices. This is the philosophy behind Cybersecurity Awareness Month, an initiative which Kenyon helps organize as a Board member of the National Cybersecurity Alliance. The purpose of this year's theme, "See Yourself in Cyber," is not to make users into cybersecurity experts, as Sager and Kenyon point out. It's to create resources and lines of communication for sharing basic steps that everyone can take to better protect themselves online.
In episode 39 of Cybersecurity Where You Are, CIS's Chief Information Security Officer Sean Atkinson discusses the importance of scaling in relation to cybersecurity. A business needs to be able to manage growth without risking security, while also managing security without hindering growth. Atkinson offers guidance on how to go about this and highlights the benefits organizations will see when scaling their cybersecurity strategy.
In episode 38 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Theodore "TJ" Sayers, Manager of the Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC), and Aaron Zaleski, Sr. Cyber Incident Response Team Analyst at the MS-ISAC. Together, they discuss how the cyber threat landscape is changing. Some cyber threat actors (CTAs) are now writing their payloads in different programming languages, for instance, while others are employing new types of delivery vectors. Their conversation wraps up by identifying steps that organizations can take to defend themselves against these and other developments going forward.
In episode 37 of Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Carlos Kizzee, SVP of CIS Stakeholder Engagement Operations at the Multi-State Information Sharing and Analysis Center (MS-ISAC). Together, they discuss how the 15th Annual ISAC Meeting – held recently in Baltimore – gives an opportunity for representatives of U.S. State, Local, Tribal, and Territorial (SLTT) government organizations to network, share best practices, and learn from one another's experiences. Tony then takes us to the ISAC Meeting, connects with a couple of attendees on the floor, and explores what the event means to them.
In episode 36 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Marci Andino, Sr. Director of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), and Trevor Timmons, EI-ISAC Executive Committee Chair and Chief Information Officer at Colorado Department of State. Together, they discuss Cyber STRONG, a campaign launched by the EI-ISAC that encourages election officials to take decisive and deliberate steps towards improving their cybersecurity posture. Cyber STRONG provides officials with actionable guidance that they can use to further protect the security and integrity of their elections.
In episode 35 of Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Bobbie Stempfley, Board Chair at the Center for Internet Security (CIS). Together, they remember the late Alan Paller, a CIS co-founder and former Board member. Each of them recalls when they first met Alan, and they exchange stories of how his passion for bringing people together and solving big challenges helped change their lives, drive CIS's mission, and reshape the cybersecurity industry.
In episode 34 of Cybersecurity Where You Are, co-host Sean Atkinson and Chris Elgee, a senior security analyst and Core NetWars Tournament design lead for Counter Hack, look back at how Hollywood has portrayed hacking over the years. They cover long-standing crowd favorites like Hackers, Sneakers, and Mr. Robot along with some lesser-known gems. The overarching trend? Viewers are getting more computer-literate, so the way in which Hollywood portrays hacking is evolving in a way that not only satisfies audiences but also raises their awareness of cybersecurity.
In episode 33 of Cybersecurity Where You Are, co-host Sean Atkinson and Ben Carter, IoT Specialist for CIS’s Chief Technology Officer, discuss the need to secure IoT devices at the vendor level. This is impossible without taking a high-level view and ensuring that all protocols used by IoT devices and vendors are taken into account. Only by ensuring security by design can organizations in healthcare, manufacturing, government, and other sectors accomplish security at scale for IoT management – all while preserving interoperability between their connected devices.
In episode 32 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager discuss RSA 2022 — which is always a highlight of our conference calendar. Tony gives a preview of three sessions in which he'll present on cybersecurity nonprofits, incentivizing the adoption of cybersecurity best practices, and securing the supply chain. He also provides tips and best practices that can help RSA newbies, individual teams, and general attendees make the most of the conference.
In episode 31 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Karen Sorady, VP for Multi-State Information Sharing and Analysis Center (MS-ISAC) Member Engagement at the Center for Internet Security (CIS). Their discussion focuses on industrial control system (ICS) security, some of the threats they're susceptible to, and what goes into making a good operational technology (OT) security program. Looking back over the past 20 years, the security community has learned some valuable lessons on the information technology (IT) side of things. But we won't be able to apply those lessons to OT and ICS without communication and collaboration. This isn't just about fostering conversations between OT and IT teams. It's also a call to action for organizations to work with public-private partnerships and communities like the MS-ISAC so that they don't have to go it alone.
In episode 30 of Cybersecurity Where You Are, co-host Tony Sager is joined by Philip Reitinger, President and CEO of the Global Cyber Alliance. Their discussion focuses on the role that nonprofits play in solving cybersecurity problems at scale. In today's mutually dependent technology landscape, nonprofits' resources and expertise remove the need for enterprises to solve cybersecurity issues on their own. This is especially true given initiatives like Nonprofit Cyber, a "collective effort of equals" for which Philip and Tony are Executive Committee Co-chairs.
In episode 29 of Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Chris Cronin, ISO 27001 Auditor and Partner at HALOCK, a leading information security consultancy. Their discussion focuses on "reasonableness" as it relates to cybersecurity risk management. This topic isn't just about proving to regulators, litigators, and others that security controls were in place prior to an incident. It also considers how to implement safeguards without overburdening users and executives.
In episode 28 of Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Brian Ray, Director of the Center for Cybersecurity and Privacy Protection, and Leon and Gloria Professor of Law at the Cleveland-Marshall College of Law at Cleveland State University. Together, the three discuss the convergence of cybersecurity and public policy with an emphasis on the concept of 'reasonable' security measures affording a data breach safe harbor for businesses.
In this episode of Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Stacey Wright, former CIS employee and current Vice President of Cyber Resiliency Services at the Cybercrime Support Network. The discussion focuses on the common cyber scams malicious actors have been using for decades and offers advice for dealing with them.
In episode 26 of Cybersecurity Where You Are, co-host Tony Sager is joined by Brian Hajost, Chief Operating Officer at SteelCloud. They discuss some of the common issues around secure configuration management, the struggles that organizations face, and ways to overcome those challenges.
In this episode of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Lou Smith, a Senior Information Security Intrusion Analyst at the Center for Internet Security. Smith has a background in Digital Forensics and previously worked for New York State's Cyber Command Center. The two discuss building digital forensics and incident response capabilities in-house. Tune in to learn about the skills you need and the tactics you can use to successfully implement an incident response plan at your organization.
In episode 24 of Cybersecurity Where You Are, co-host Tony Sager poses the question that many people interested in the industry ask: How do I start a career in cybersecurity?
To offer some insight, co-host Sean Atkinson joins cybersecurity professionals Linnie Meehan and Thomas Sager. Together, the three share their personal experiences, offer advice to those interested in a cybersecurity career, and remind listeners that persistence is key.
In Episode 23 of Cybersecurity Where You Are, hosts Tony Sager and Sean Atkinson are joined by our Vice President of Operations and Security Services, Josh Moulin. Together, the three share their thoughts on some of the topics that were discussed in our recent blog post, 2022 Cybersecurity Predictions to Watch Out For.
In early January, the cybersecurity world was introduced to a new foe when researchers discovered a vulnerability in the code of a software library called Log4j. In the latest episode of Cybersecurity Where You Are, CIS CISO, Sean Atkinson, and CIS Chief Evangelist, Tony Sager, were joined by two colleagues who walked them through the steps CIS took to address the Log4j vulnerability.
In this edition of Cybersecurity Where You Are, CIS CISO, Sean Atkinson, and CIS Senior VP and Chief Evangelist, Tony Sager are joined by two members of the CIS podcast production team, Jason Forget, VP of Communications, and Chad Rogers, Digital Media Program Manager. Together they discuss this past year in cybersecurity, creating this podcast, and their favorite episodes.
Resources:
In this edition of Cybersecurity Where You Are, CIS Senior VP and Chief Evangelist, Tony Sager welcomes Kathy Boockvar, Vice President of Election Operations and Support and Marci Andino, Director of the Elections Infrastructure Information Sharing and Analysis Center, or EI-ISAC. Together, they discuss the state of election security for state and local governments.
Resources:
In this edition of Cybersecurity Where You Are, CIS Senior VP and Chief Evangelist, Tony Sager welcomes Thordis Stella Thorsteins, Senior Data Scientist at Panaseer. Panaseer provides a controls monitoring platform and has played a valuable role in the development of the CIS Critical Security Controls, as well as the implementation of the CIS Controls Assessment Specification. Together, Tony and Thordis discuss the role that data collection and automation play in cybersecurity.
Resources:
In this edition of Cybersecurity Where You Are, CIS Chief Information Security Officer (CISO), Sean Atkinson welcomes Randy Rose, CIS Sr. Director of Cyber Threat Intelligence. In the spirit of Halloween, they list the top five (and some honorable mentions) malware of all time – so far!
Resources
Discussed in this podcast:
In this edition of Cybersecurity Where You Are, CIS Chief Information Security Officer (CISO), Sean Atkinson welcomes Philippe Langlois of the Verizon Business Group and co-author of the Verizon Data Breach Investigations Report (DBIR). In celebration of Cybersecurity Awareness Month, the duo discuss the DBIR and version 2.0 of the CIS Critical Security Controls (CIS Controls) Community Defense Model (CDM). Both reports pull data from a community of experts and many different resources to provide a more holistic picture of cybersecurity.
Resources:
In this edition of Cybersecurity Where You Are, CIS Senior VP and Chief Evangelist, Tony Sager welcomes back Kathleen Moriarty, Chief Technology Officer for CIS. Together they discuss the role service providers play in the future of cybersecurity.
Episode Highlights:
Resources:
In this edition of Cybersecurity Where You Are, CIS Chief Information Security Officer (CISO), Sean Atkinson, and CIS Senior VP and Chief Evangelist, Tony Sager discuss soft skills and how they pertain to the cybersecurity industry. Whether it is an employee wanting to expand their career or an employer seeking a new hire, soft skills are just as important as technical knowledge.
Resources:
In this edition of Cybersecurity Where You Are, CIS Chief Information Security Officer (CISO), Sean Atkinson counts down the top five ways families can be cyber smart. CIS Content Marketing Manager, Danielle Koonce, stops by to talk about what she does as a parent to keep her child safe from cyber-attackers.
Resources:
In this edition of Cybersecurity Where You Are, CIS Chief Information Security Officer (CISO), Sean Atkinson, and CIS Senior VP and Chief Evangelist, Tony Sager share part of themselves in this intimate episode. Taking a guest-free moment, the hosts turn the 'Atkinson 9' questions on themselves. Listen to them discuss their favorite CIS Critical Security Controls, the biggest waste of time in cybersecurity, and how they want to be remembered in the industry.
This week’s Cybersecurity Where You Are podcast highlights:
Episode Resources
It can appear that cybersecurity practices are being built on the creative wizardry of technical experts rather than referential universal policy that everyone can abide by. In this edition of Cybersecurity Where You Are, host Tony Sager, Senior Vice President and Chief Evangelist for CIS, welcomes guest Brian de Vallance, Alliance Outreach Coordinator for CIS. Together, they discuss the role government and technology experts play in the building of universal cybersecurity best practices and policy.
This week’s Cybersecurity Where You Are podcast highlights:
Episode Resources
In this edition of Cybersecurity Where You Are, host and CIS Chief Information Security Officer (CISO), Sean Atkinson welcomes guest Kathleen Moriarty, Chief Technology Officer (CTO) at CIS. Together, the duo discuss attestation in terms of hardware and software, and the process of performing a posture assessment.
This week’s Cybersecurity Where You Are podcast highlights:
Episode Resources
In this edition of Cybersecurity Where You Are, host and CIS Chief Information Security Officer (CISO), Sean Atkinson welcomes guests John Riggi and Ed Mattison. Riggi is the Senior Advisor for Cybersecurity for the American Hospital Association (AHA) and Mattison is the Executive Vice President of Operations and Security Services at CIS. Together they discuss how hospitals and other medical facilities can protect themselves against cyber-attacks.
Resources:
Highlights:
Good compliance = good security
Security is the practice of implementing effective technical controls to protect an organization’s digital assets. Compliance, on the other hand, is the application of that practice to meet regulatory or contractual requirements. Unfortunately, more often than not, organizations focus on compliance once a year when it’s time to certify that their “security is good.” Being compliant and secure should be a continuous process.
Resources:
Highlights:
First Impressions Matter
The CIS Controls team and volunteers pretty much rewrote every word of v8 in an effort to modernize and consolidate the document. CIS Controls v8 is a lot more focused and less redundant than previous versions. Find out what people are saying about this new version!
Feedback: Request, Manage, Gather, & Use for the Greater Good
Organizations big and small rely on the CIS Controls to defend against the most prevalent cyber-attacks against systems and networks. And, they count on the Controls team to do the best job they can for the greater good of the cybersecurity community.
Resources:
In this edition of Cybersecurity Where You Are, host and CIS Senior Vice President and Chief Evangelist, Tony Sager welcomes guests Randy Marchany and Phyllis Lee. Marchany is the Chief Information Security Officer (CISO) at Virginia Tech, and Lee serves as Senior Director of the CIS Controls. The connection between the two guests is the CIS Controls – a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks.
Highlights:
Remember to subscribe to get the latest cybersecurity news and updates to Start Secure and Stay Secure.
Resources:
In this edition of Cybersecurity Where You Are, host and CISO at the Center for Internet Security (CIS), Sean Atkinson welcomes guests Geoff Hale and Lew Robinson. Hale leads the Election Security Initiative at the Cybersecurity and Infrastructure Security Agency (CISA), while Robinson serves as CIS Vice President of Election Operations. Both agencies and both men, respectively, played a big role in the success of the 2020 General Election, which has been deemed the most secure election in American history.
Highlights:
Part 2 of a 2-part series
Resources:
In this week’s Cybersecurity Where You Are podcast, hosts Tony Sager and Sean Atkinson continue their conversation on cyber defense as a risk-based process. They discuss the actions and resources that help build and implement “defensive machinery” that support an organization’s current cyber defense plan and help it mature.
Highlights:
Episode Resources:
Part 1 of a 2-part series
Technology is ever-changing AND ever-evolving, creating an uncertainty amongst cybersecurity professionals – the defenders – in their pursuit of an effective cyber defense strategy. The uncertainty of the defender can justifiably be attributed to the uncertainty of the attacker. In this week’s Cybersecurity Where You Are podcast, hosts Tony Sager and Sean Atkinson introduce cyber defense as a risk-based process to reduce the overall probability and impact that a cyber-attack will have on an organization.
Cyber defense never ends
Cyber defense refers to the ability to prevent cyber-attacks from infecting a computer system or device; it involves anticipating adversarial cyber actions and countering intrusions. There’s no “one-size-fits-all” when it comes to cyber defense protocol or strategy. However, a good cyber defense strategy should aim to protect, prevent, detect, respond to, and recover from external and internal attacks. As technology expands, the complexity of cyber-attacks also evolves, forcing cyber defense initiatives, and the defenders behind them, to do whatever they can to keep up.
OODA loop process
The OODA (Observe, Orient, Decide, Act) loop is a repetitive four-step decision-making process that focuses on gathering information, putting that information into context, making the most appropriate decision while also understanding that changes can be made as more data becomes available, and then taking action. The OODA loop is especially applicable to cybersecurity and cyber defense, where agility and repetition (by the defender) can potentially overcome that of the attacker.
Fog of More
While cyber defense is an abstract model, cybersecurity defenders have to actually do concrete things. It initially comes down to having a plan in place and asking the right questions: What data do we have? Where is it? What do we do with it?
Asking the right questions (for clarity) eliminates the Fog of More (coined by Tony Sager, of all people) – the overload of defensive support (i.e., more options, more tools, more knowledge, more advice, and more requirements, but not always more security).
An effective cyber defense program requires defenders to gather information and data, put that data into context, make decisions, take action, and then REPEAT, REPEAT, REPEAT.
Resources:
Can a risk assessment questionnaire be the catalyst for true change to the entire vendor cybersecurity ecosystem? Cybersecurity Where You Are podcast host Sean Atkinson welcomes guest Ryan Spelman, former CIS employee, and now Managing Director at Duff & Phelps on their CYBERCLARITY360 team. Together, Sean and Ryan discuss tactics companies can use to better understand their cyber-risk posture and how stronger relationships between companies and their third parties impact the industry as a whole.
Better use of the third-party risk assessment questionnaire
The go-to “third-party risk assessment questionnaire” being used as a one-and-done exercise is an all too common practice. While completing these questionnaires meets certain regulatory requirements, truly managing risk is about acting on the data collected - not just collecting it.
There is a misconception that the questionnaire is for general information collection and that the same questions can apply to all vendors. Some questions, such as those about overseas relations or services, may be applicable to all vendors. But to more accurately assess a third party’s risk it is important to customize the questions to match the vendor's use case and scope.
This episode shares how an organization can start drafting these inquiries.
Once the questionnaire is crafted, completed, and returned, a plan should also be in place for how to address the issues that arise from the submitted answers.
Beyond the questionnaire – communication is key
The issue of third-party management rests in the hands of both the company and the vendor. Clear, accurate, and truthful communication between both parties makes both entities ultimately stronger.
Building a stronger security ecosystem
This is an “area where the common good can happen,” says Ryan. If a company can make the third party’s security posture better, then everyone else who uses this third party is made better. It ultimately makes a measurable difference in the entire vendor ecosystem.
The Atkinson 9
In the vein of another famous interviewer, Sean asked Ryan his “Atkinson 9,” a quick Q&A about security. Listen now to find out what our guest said!
Resources
2020 was considered “the year like no other”. The industry saw a mass convergence of social issues with cyber issues due to the pandemic, the elections, and the SolarWinds supply chain issue. Cybersecurity resilience was tested and it was crucial that the industry adapt quickly.
With the onset of the COVID-19 pandemic in March of 2020 many organizations went fully remote, including CIS. CIS had to be agile and the cybersecurity industry had to adapt to new challenges with a growing remote workforce.
The Trends
Risk management strategies such as ways to identify gaps, how to best implement the CIS Controls, data management, and privacy requirements were the foundations for crisis management.
Ransomware is here to stay as a top cyber threat. It moved from the lone hacker to a capitalist business structure where the software just needs to be purchased and used as opposed to needing to build it yourself.
Zero Trust: Sean uses the analogy of “the castle and the moat”. Today the drawbridge is always open and things are going in and out without the ability to monitor it all. Zero Trust is setting the new tone for security practices.
What the Future (May) Hold
Small businesses need support: The weight of responsibility on small businesses to accommodate the assessment evaluations for risk management is a huge burden.
A Diminishing Cyber Workforce: There is a growing concern about the shortage of cybersecurity professionals.
The Role of Government: With the change in government, like we have in 2021, there is a change in the way government thinks about priorities.
Co-hosts Sean Atkinson and Tony Sager welcome you to the CIS podcast Cybersecurity Where You Are.
This episode gives you an overview of what the Center for Internet Security is, how the co-hosts grew with the industry, and the importance of basic cyber hygiene.
The Center for Internet Security is a community-driven nonprofit, responsible for the CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards to proactively safeguard against emerging threats.
CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the rapidly changing cybersecurity needs of U.S. elections offices.
Meet co-host Tony Sager - Tony has over 43 years of experience in the industry, most of which was with the National Security Agency (NSA). With a background as a mathematician, he worked at the NSA in the Communications Security Interim Program focusing on the security of U.S. systems. He worked mostly on cryptography and confidentiality in the interest of the country’s defense. He then moved to Computer Science when computers began to move from large systems in buildings to at-home workstations (do you remember the Apple2+?). Tony witnessed the transition of cybersecurity from mathematics to information and communications and found himself in great company helping to develop CIS over the past 20 years.
Meet co-host Sean Atkinson – Sean lived in England for about 20 years before moving back to the U.S. His background was not actually in computer science; he earned an MBA with a concentration in Technology Management. He credits the book “Business Data Networks and Telecommunications” by Raymond Panko for getting him into Network and Technology Specialization. He then worked as an IT Auditor and in 2004 found himself working on Section 404 projects. He then worked in State Government, moving his way up to Security Manager and implementing PeopleSoft when adding security to the software lifecycle was in its infancy. He then moved to the Department of Defense and now works with CIS as CISO to frame best practices and implementation.
Basic Cyber Hygiene - We know cybersecurity is an issue for any business, but where do you start? By looking at your data, networks, and systems from a risk perspective, you can then implement means to protect them. There are foundational best practices that everyone can do and should do. Tony and Sean will touch on the CIS Controls – the prioritized set of actions to protect your organization and data from known cyberattack vectors – and what actions to take first.