What's The Problem?
By Mike Krass
Apr 04, 2024
Episode 48 - Theresa Jones - Cybersecurity Insurance "Got Ya's" for Small Business Owners
Join us for an enlightening conversation with Theresa Jones, CEO and owner of Evolve IQ, as we explore the realm of small businesses and discuss vital advice on selecting the right cyber insurance policy. Discover essential tips for assessing risks, determining coverage, and establishing incident response plans, all geared towards ensuring your business is well-prepared in the digital age.
Episode 47 - Ian L. Paterson - Cybersecurity & AI with Plurilock founder Ian L. Paterson
Join us in an enlightening discussion with Ian L. Paterson, CEO of Plurilock, as we discover AI's impact on cybersecurity as it forges strategic illusions. This dynamic interplay blurs the boundary between illusion and innovation when it comes to cybersecurity and Artificial Intelligence. The integration of AI into platforms amplifies recognized security concerns in the evolving landscape.
Episode 46 - Yiyi Miao - Discussing a Proactive Defense for Critical Infrastructure Incidents Across 16 Different Sectors
Join us for an enlightening discussion with Yiyi Miao, Chief Product Officer of OPSWAT, as we explore proactive strategies to strengthen your defense against potential critical infrastructure incidents.
Episode 45 - Jen Moll - Cyber Risk Economics
Jen Moll, Vice President of Strategy & Alliances at Axio, stops by to discuss the economic impact of cyber risks.
Episode 44 - Chase Richardson - The Impending CMMC Compliance Deadline with Department of Defense (DoD)
Chase Richardson stops by to discuss the different levels of compliance required for contractors working with the Department of Defense (DoD).
Episode 43 - Cody Barrow - Cybersecurity in the European Union Compared to the United States
Cody Barrow, Chief Strategy Officer at EclecticIQ, stops by to compare and contrast the climate of cyber and data security in Europe versus the United States.
Episode 42 - Andres Andreu - How a Challenger Cybersecurity Company Can Navigate Their Product Into a Customer's Hands
Andres Andreu, a 30-year veteran of the cybersecurity industry, joins us to discuss what CISOs truly care about during the purchasing cycle.
Episode 41 - Derek Weeks - Today's Software Supply Chain Through the Eyes of the AppSecDev
Derek Weeks, a 30-year veteran of the cybersecurity industry, joins us to discuss open source networks, the importance of a software bill of materials, and much more!
Episode 40 - Nick Hansen - How Cybersecurity Integration Partners Work Together
Nick Hansen joins us to discuss cybersecurity integration and how to minimize your attack surface.
Episode 39 - Logan Wolfe - When Policy and Enforcement Converge
Logan Wolfe of ORNA.app joins us to discuss policy and enforcement in the global cybersecurity space.
Episode 38 - Salah Nassar - How to Work with Product Marketing at a Cybersecurity Company
Salah Nassar from Zscaler joins us to discuss product marketing and the importance of connecting with your customer.
Episode 37 - Lauren Malhoit - Overlay Architecture: What is It and Who Cares How It Works?
Lauren Malhoit from Men & Mice joins us to discuss Overlay Architecture.
Episode 36 - Seth Garske - Data Responsibility in the World of Cybersecurity
Seth Garske from F5 Networks joins us to discuss personalization and the responsible usage of customer data.
Episode 35 - Grant Elliott - Effective CISOs: Technical vs Operational
Grant Elliott from Ostendio joins us to discuss how an effective CISO is an operational CISO. Your organization can have all the correct technical systems in place, but if you are missing proper administration, you'll always have vulnerabilities.
Ostendio offers a complimentary InfoSec Checklist that listeners can access here https://bit.ly/3YASmhy
Episode 34 - Thomas Beavers - The Future of Cloud Storage Is Blockchain
Thomas Beavers of Sollensys joins the podcast to explain why he believes the future of cloud storage for both consumers and business will live on the blockchain.
Sure, Dropbox or Google Drive are convenient to use, simple and cheap.
But they are also extremely vulnerable. Criminals focus on cloud services they can break into so they can encrypt your data and ransom it back to you.
Additionally, the consequences of ignoring the safety issues with services such as Dropbox include a loss of faith with customers, damage to reputation as well as loss of business as we saw with a commercial airline being compromised in January 2023.
Episode 33 - Selby LeBert - Programs and Curriculum for Students to Participate in Real-World Cyber Training
Cybersecurity Specialist Selby LeBert of Textron Aviation joins us to discuss programs and curriculum for students to participate in real-world cybersecurity training.
This conversation includes a discussion about the lab environment that Selby is working to stand up over at Wichita State University in Wichita, KS.
Episode 32 - Shearyar Kahn - What If Cyberweapons Are Not Stored Securely?
Welcome to episode 32 of What’s the Problem #podcast.
Today, we are all set to share a conversation between Mike Krass and Shearyar Kahn about the topic of Mutually Assured Destruction (MAD) in the world of cybersecurity.
Shearyar poses a hypothetical scenario.
What if cyberweapons are not stored securely? What if one cyberweapon could be used as the basis for another?
It’s already happened.
The WannaCry ransomware attack spawned other cyberweapons.
Follow Shearyar down the conversational rabbit hole.
1️⃣ What do we need to do to secure and protect cyberweapons?
2️⃣ What should we do as a planet if cyberweapons get out?
There is hope at the end of this conversational tunnel. Don’t you worry.
Tune in to hear those messages of hope from Shearyar.
Episode 31 - Clark Barron - The Ethical Cybersecurity Marketer
Welcome to episode 31 of What’s the Problem #podcast.
Today, Clark Barron, a Senior Demand Generation Strategist with Shippo joins the podcast.
In this episode, we’ll discuss a unicorn topic: the ethical cybersecurity marketer.
By tuning in today, you’ll hear Clark talk to some key points of an ethical cybersecurity marketer, such as:
1️⃣ Bringing heavy doses of empathy and self-awareness to the workplace
2️⃣ Big motor to HELP without the immediate promise of financial success. This is a scary, hard industry sometimes ... just help people dang it!
3️⃣ Recognize that bad actors and security marketers actually practice some of the same moves (spear phishing, anybody?). It's the intention of the marketer versus the bad actor that sets them apart.
Tap that headphone icon to bring Clark’s thoughts from his brain to your ears. Let’s go!
Episode 30 - David Bacque - Procurement Being Involved in The Security Purchase Process
Welcome to episode 30 of What’s the Problem #podcast.
Today, David Bacque, the VP of Strategic Development and OT/ICS Cybersecurity Leader at RED Group joins us to discuss the P word.
That’s right. PROCUREMENT.
In this episode, we dive into the key topic of procurement being involved in the security purchase process. Examples could be capital projects, ICS, OT, or others.
When you tune in, you’ll hear a basic checklist that David recommends folks follow when evaluating an operational technology solution.
That checklist includes questions such as…
1️⃣ What questions should they ask of vendors? For example: how is cloud data stored?
2️⃣ How does this fit in with our current IT environment?
3️⃣ And what capabilities does this boast (is this considered modern? Can we patch it remotely?)
Tap that headphones button to hear more operational technology wisdom from David. 🎧
Episode 29 - Jacqueline Lundie - The Importance of Training on A High Functioning Security Operations Center (SOC)
Welcome to episode 29 of What’s the Problem #podcast.
Today, Jacqueline Lundie joins us to share some of her experience working as a SOC Analyst with the US Department of Health and Human Services.
Lots of opportunities for discussion with someone who has this type of experience.
So, what did we cover?
The importance of training on a high functioning Security Operations Center (SOC).
Jacqueline mentions a number of advantages when it comes to training. Some include:
1️⃣ Reduced turnover in the Security Operations Center
2️⃣ Reduced burden on re-hiring and re-training, which is an issue because training can take up to 3-4 months (sometimes longer!) when someone joins.
3️⃣ Swift reactions to incidents as SOPs and IRPs are all well-known, documented and communicated/practiced.
Want to hear the rest? Tap that headphone icon below to hear from Jacqueline herself.
Episode 28 - Alex Titze - Questions to Ask Security Vendors to Purchase What you Need (and no more!)
Welcome to episode 28 of What’s the Problem #podcast.
Today, we are speaking with Alex Titze of Blue Team Alpha. Our discussion covers…
1️⃣ The education gap in security products or solutions, using the example of penetration testing versus vulnerability scanning.
2️⃣ Explore how to help customers search for a potential vendor, with a focus on sales enablement. Specifically, we are going to discuss ways to sniff out or ask the right questions in order to purchase the products/solutions that your organization truly needs.
Beyond the educational discussion, Alex gives away two gems to help separate truthful security statements compared to those that are … let’s say not so truthful.
One of those insights: any penetration test that takes less than 3 weeks but more than 2 months is probably overkill for a small to mid-size organization.
All this (and more!) are a tap of the finger away from hitting your ears. Tune in now to learn from Alex!
Episode 27 - Selby LeBert - Entry Level Security Roles for Companies such as Textron Aviation
Today, cybersecurity specialist Selby LeBert of Textron Aviation joins us to discuss the rise of entry-level security personnel in the world of security operations for companies such as Textron.
More specifically, Selby is going to talk listeners through:
1️⃣ Four key issues he sees with bringing practitioners into the work of cyber security
2️⃣ Discussing the Skills Bridge program from the Military to Private Sector
3️⃣ How Textron Aviation thinks about security with regards to aerospace/supply chain
If you are ready to take off with this episode, tap that episode link to get started.
Episode 26 - Elez Topuzovic - A SOC Analyst's Point of View on CISA’s Shields Up Directive
Welcome to episode 26 of What’s the Problem podcast.
Today, we’re speaking with Elez Tupozovic with CyberConvoy.
Sharing experience in his current role as Security Operations Center (SOC) Analyst at an MSSP, Elez dives into two topics with us on the show.
- The nooks & crannies that add up to a wider attack surface
- Dissecting CISA’s Shields Up, specifically discussing how that affects SOC Analysts everywhere, the key question of ‘will companies actually listen and report breaches?’, as well as whether Shields Up will assist the security community as a whole.
Strap in for a fantastic conversation with Elez Tupozovic.
Episode 25 - Derek Ireifej - The Journey from Line Cook to the Security Operations Center
Derek Ireifej of CyberConvoy and I are going to discuss his journey of breaking into the world of cybersecurity as a Security Operations Center (SOC) Analyst.
There are four key pain points that Derek shared on his journey from line cook to IT manager to SOC analyst.
- HR Job postings being disconnected from the actual requirements of the job. Case in point: a CISSP certification is required for a SOC Analyst role. Seriously?!
- Speaking of certifications. Which ones actually matter? Do any of them matter? Security+ helped Derek academically … but not from a resume standpoint!
- Too many applicants apply (especially for remote). Makes it hard for employers to screen and hire when they are overwhelmed.
- Which makes it an issue for finding experienced employees. How do you get experience if no one takes a chance on you? The answer: you need to work on your own time.
Episode 24 - Menekse Saglam - Security Operation Center (SOC) Analysts = Puzzle Makers
In this episode, Menekse Saglam, a Security Operations Analyst at CyberNow Labs, joins us today to talk about the life of a SOC analyst.
A few highlights include:
1️⃣ Defining the Security Operation Center (SOC) environment
2️⃣ Stepping into the mindset of a SOC analyst. They are puzzle makers. Which pieces go where?
This episode presents listeners with the opportunity to step into a SOC environment from the comfort of your own home.
Episode 23 - Warner Moore - The Year(s) Long Process of Building a Security Program for your Business
Welcome to episode 23 of What’s the Problem #podcast.
In today’s episode, Warner Moore from Gamma Force joins the podcast to discuss the art of building a cybersecurity program for your business.
First up: where do we start?
“Start with the security strategy,” says Moore.
Another question: How long will this take to build within our business?
“Plan for at least 12 months at a minimum,” advises Warner.
What’s the formula you follow?
“An asset, that has a vulnerability, and a threat has ABC amount of risk to manage.”
Enough messing about. Tap the play button above to hear from Warner.
Episode 22 - Oscar Ruiz - Operational Technology (OT): Which Industries & Regions Lead the Way
Tune in as Accenture’s Oscar Ruiz tells listeners which global regions and industries are the leaders versus the laggards in the world of Operational Technology (OT).
Curious to learn from Oscar but don’t have the time to tune in? Well in that case…
The industries that have more mature OT environments are:
- Oil & Gas
- Utility companies: In the USA, think meter readers for electricity as well as water supply controlled by a municipality.
- Finance: focus on the markets. Wall St. ... what would happen if there was a critical infrastructure attack on the power grid?
Now, let's talk about regions. Are there any specific regions of the world more advanced in the OT space?
- Western Europe/European Union leads the way
- USA coming along in the middle of the pack.
Episode 21 - Ambuj Kumar - 3 States Of Data: In use, In Motion, At Rest
Data comes in 3 states: data in use, data in motion, data at rest
In this episode of the What’s the Problem, we speak with Ambuj Kumar, the CEO of Fortanix, about how to secure data in use.
This opens the door to discuss the concept of confidential computing, or the act of securing data in use that is vulnerable/in an unencrypted state.
Join us to learn about the advances in protection for data in use as well as to hear Kumar tell us more about Fortanix’s solution to protect data in its most sensitive state.
About the guest: Paraphrasing Margaret Mead, "Never doubt that a small group of thoughtful committed technologists can change the world. Indeed, it is the only thing that ever has". Ambuj Kumar’s passion is to assemble and work with such a group. He’s a sucker for passionate people wanting to make a dent in spite of any challenges. At the moment, Ambuj is the CEO of Fortanix, a data-first multicloud security company.
Episode 20 - Graham Smith - Endpoint Security's Biggest Issue: Claiming Compliance "Out Of The Box"
In EPISODE 20, we dive into one of Endpoint Security's biggest problems: claiming compliance "out of the box" (or, as out of the box as possible with a dash of professional services on top).
Graham will talk us through what this looks like in the #Education #Cybersecurity space, referencing the CJIS Security Policy that is enforced by the FBI, as well as HIPAA compliance out of the box in the healthcare security space.
Episode 19 - Graham Smith - How Long Does it Take to Train a Cybersecurity Salesperson?
How do you take someone brand new to the world of cybersecurity and turn them into a knowledgeable seller with practical, hands-on experience?
Answer: training.
In this episode: the IBM Summit program.
Join Graham Smith of IBM as he talks through the Summit program.
- 6 months of training.
- No client contact allowed.
- Broken into regional cohorts of new IBM employees who have to be able to sell to senior leaders/managers to graduate the program.
So … does it work? Supposedly yes! Graham was ready to sell in month 5 of the program.
Tune in to learn more about the effectiveness (or lack of!) of training programs that security companies are putting into place.
Episode 18 - James Williams - Incident Response Plans (IRPs). The good, the bad, the ugly.
Incident Response Plans (IRPs). The good, the bad, the ugly. Learn about IRPs from the perspective of someone with James Williams's cybersecurity background.
In this episode, James shares his experience working in the federal space (helped secure the 2020 census), discusses MSSPs with private businesses, and also dives into how he got into security as a cryptography analyst in the US Air Force.
Episode 17 - Chandra Pandey - To Demand a Ransomware Payment Or Siphon Off Your Intellectual Property?
In this episode, Chandra Pandey of Seceon joins Mike to discuss ransomware with respect to Intellectual Property (IP). Specifically, they discuss that bad actors have two choices: to demand a ransomware payment … or to lurk in your network or other confidential systems to siphon off Intellectual Property over time.
Chandra goes in-depth on the topic using the Nvidia hack as well as the Microsoft source code hack to highlight his points.
Episode 16 - Tom Johnson - Deploy and De-provision Identity/Access Management Controls for a 5,000 Employee Hospital Group
In this episode, we are going to focus on the topics of Identity and Access Management. Specifically, how do you deploy and de-provision identity/access management controls without it being painful. Or as painless as possible :)
If you’re in the #healthcare #IT space, Tom Johnson provides an excellent example of what this looks like for a 5,000-person hospital system. Tune in now to hear that one!
Episode 15 - Aaron Rosenmund - Where Are All the People to Staff your Security Operations Center (SOC)?
Join Aaron Rosenmund from PluralSight to discuss a critical cybersecurity topic: The people involved in Security Operations Centers (SOC).
We cover three specific angles on this topic.
First: There is a shortage of qualified cybersecurity professionals in the job marketplace here in 2022. No duh, I think we all know that :)
Second: While there is a shortage, we need MORE professionals entering the field. Can't be gatekeeping to keep interested folks out! Need to empower people to feel confident entering the field as a complete novice in order to work their way up the industry ladder.
And third: On the note of bringing *more* folks into the world of security. There is a need for a set of standards for cyber security professionals to refer to in order to evaluate someone's capabilities (similar to GAAP accounting for accountants). What do those standards look like? Who establishes and enforces them? Those questions - and more - are discussed.
Episode 14 - Bob Zinga - When Will Quantum Computing Break 256-bit Encryption?
According to Bob Zinga, vCISO and Head of Information Security at Directly, we are less than 5 years away from quantum computing being able to crack 256-bit encryption in 20 seconds (or less!). So, where does that leave us? What can we do about this? How will the public and private sectors work together to create the next standard of encryption? Tune in to this episode to hear Bob share his expert opinion.
Episode 13 - Ravina Joshi - Ransomware Threat Vectors: The Danger of Open Ports
In this episode, Ravina Joshi explores the importance of closing up port access to both internal as well as external ports on your network. Additionally, Ravina tells us not just about the technical damage of leaving ports open. She goes deeper into the economic consequences associated with open ports, citing the WannaCry ransomware attack that grossed ”$100 billion USD” in ransomware payments according to Ravina.
Episode 12 - David Cornish - Identity Breaches: It’s Your Partners, Customers or Vendors Leaking Your Information!
In this episode, David Cornish of Upguard explores the topic of identity breaches.
A few fun bits from the episode include:
- More often than not, an identity breach is the result of a partner, customer, or vendor breach. Your identity information becomes a casualty of someone else's breach.
- “If you are doing business with somebody, you are doing data with them."
Episode 11 - Steve Fisher - Cybersecurity in the Education System
In this episode, Steve Fisher of IMS goes into great detail around the security concerns that school systems have to face in the world of cybersecurity. Specifically, Steve explains how high turnover environments produce opportunities for bad actors as schools onboard or offboard both full-time as well as part-time or contract staff. If you’re interested in keeping the data safe at your own child's school, this episode will outline areas that you can help shore up to protect that data.
Episode 10 - Jack Borchgrevink - How to Secure Your Organization During Employee Turnover
In this episode, Jack Borchgrevink of VMware joins Mike Krass to discuss two important issues: vendor responsibility to provide support in advance of a breach (service partners, playbooks, tabletop games) as well as how to secure your organization during times of employee turnover (both in and out of the organization). If these topics are of interest to you, get those ears ready to listen!
Episode 9 - Fares Mohammed - Case Study: An 85% Compromise Rate through Social Engineering
In this episode, Fares Mohammed joins What’s the Problem to discuss social engineering in the world of #cybersecurity. Based on his experience, Fares discusses email phishing scams about bitcoin or NFT projects all the way down to dropping flash drives in random places in corporate offices to see who would plug them into company networked devices. Which oh, by the way, 17 out of 20 dropped USB flash drives were plugged into a networked device. Whoa!
Episode 8 - Christopher Gibbons - Creating A New Cybersecurity Category: Phishing Detection & Response (PDR)
In this episode, Mike Krass chats with Christopher Gibbons to discuss the fact that in 2022 secure email gateways (SEGs) don’t statistically provide any more protection than you already receive with Microsoft Office 365 or Google Business applications. So, what other options are out there on the market? There’s a new category of them: Phishing Detection & Response (PDR).
Episode 7 - Fatma Candas - Speaking to “Technical” versus "Manager" cybersecurity buyers
This episode explores a key topic for security vendors to consider: how do I speak to a person in a Technical role versus a Business Manager role? Based on her years of experience on the buyer side of security vendor pitches, Fatma Candas details why the concept of 'less is more' is important to avoid overloading buyers with unnecessary information. Additionally, Fatma makes it crystal clear that when entering her office sellers need to focus on buyer problems by function, role, or department. "Don't waste my time."
Episode 6 - Adil Ahmed - Unwrap the Layers of Password Cracking Attacks
Passwords, passwords, passwords being used everywhere and still we have breaches. Join security specialist Adil Ahmed as he discusses the issues with insecure passwords (did you know people still use 123456 for passwords these days?). Specific password cracking attacks such as brute force, password spraying as well as spear phishing when a hacker has gained access to 1 (or more) of your systems and are using these as hop points to jump around your network are discussed in today’s episode.
Episode 5 - Dani Woolf - How to Avoid Pressure to Achieve Short Term Results at the Sacrifice of Long Term Strategy in Cyber Security
In this episode, Dani Woolf and Mike Krass dive into the big H word: Honesty. More specifically, Dani explores how honesty and transparency around what your security product can or cannot do for the buyer's organization should be a mandatory requirement for all security sales or marketing leaders.
Episode 4 - Matt Buhler - Open Source Cyber Security to Support Finding Missing Persons
Join our host Mike Krass as he brings Matt Buhler on to the What’s the Problem podcast. During this episode, they discuss Matthew’s participation in open source security analysis competitions such as Trace Labs CTF and MetaCTF. Learn how these open source competitions locate data for law enforcement to find missing persons across the "Clear" and "Dark" web as well as remove CSAM (Child Sexual Abuse Material) from the Internet using Project Haydes.
Note: Matthew advises to never, ever view CSAM material. Instead, use tools like Project Haydes to identify the material.
Episode 3 - Marcela Denniston - Cyber Security for SMBs
Marcela Denniston joins What’s the Problem to discuss how Small-to-Mid sized businesses (SMBs) are low-hanging fruit targets for bad actors as well as what they can do to protect their organizations on a budget.
Episode 2 - Ebony Hall - Phishing
Join our conversation with Ebony Hall, a Systems Engineer with Cambium Learning who also has an IT background in the military (U.S. Army), as we discuss phishing attacks in the public sector.
Episode 1 - Andy Smith - The Convergence of Cloud and Data
Andy Smith the Chief Marketing Officer at Laminar joins to discuss the problems of security buyers: the convergence of cloud transformation and data democratization.