What's The Problem?

Join us for an enlightening conversation with Theresa Jones, CEO and owner of Evolve IQ as we explore the realm of small businesses and discuss vital advice on selecting the right cyber insurance policy. Discover essential tips for assessing risks, determining coverage, and establishing incident response plans, all geared towards ensuring your business is well-prepared in the digital age.

Join us in an enlightening discussion with Ian L. Paterson, CEO of Plurilock, as we discover AI's impact on cybersecurity as it forges strategic illusions. This dynamic interplay blurs the boundary between illusion and innovation when it comes to cybersecurity and Artificial Intelligence.The integration of AI into platforms amplifies recognized security concerns in the evolving landscape.

Join us for an enlightening discussion with Yiyi Miao, Chief Product Officer of OPSWAT, as we explore proactive strategies to strengthen your defense against potential critical infrastructure incidents.

Ostendio offers a complimentary InfoSec Checklist that listeners can access here https://bit.ly/3YASmhy

Thomas Beavers of Sollensys joins the podcast to explain why he believes the future of cloud storage for both consumers and business will live on the blockchain.

Sure, Dropbox or Google Drive are convenient to use, simple and cheap.

But they are also extremely vulnerable. Criminals focus on cloud services they can attack into so they can encrypt and ransom it back to you.

Additionally, the consequences of ignoring the safety issues with services such as Dropbox include a loss of faith with customers, damage to reputation as well as loss of business as we saw with a commercial airline being compromised in January 2023.

Cybersecurity Specialist Selby LeBert of Textron Aviation joins us to discuss programs and curriculum for students to participate in real-world cybersecurity training.

This conversation includes a discussion about the lab environment that Selby is working to stand up over at Wichita State University in Wichita, KS.

Today, we are all set to share a conversation between Mike Krass and Shearyar Kahn about the topic of Mutually Assured Destruction (MAD) in the world of cybersecurity.

Shearyar poses a hypothetical scenario.

What if cyberweapons are not stored securely? What if one cyberweapon could be used as the basis for another?

It’s already happened.

The WannaCry ransomware attack spawned other cyberweapons.

Follow Shearyar down the conversational rabbit hole.

1️⃣ What do we need to do to secure and protect cyberweapons?

2️⃣ What should we do as a planet if cyberweapons get out?

There is hope at the end of this conversational tunnel. Don’t you worry.

Tune in to hear those messages of hope from Shearyar.

Today, Clark Barron, a Senior Demand Generation Strategist with Shippo joins the podcast.

In this episode, we’ll discuss a unicorn topic: the ethical cybersecurity marketer.

By tuning in today, you’ll hear Clark talk to some key points of an ethical cybersecurity marketer, such as:

1️⃣ Bringing heavy doses of empathy and self-awareness to the workplace

2️⃣ Big motor to HELP without the immediate promise of financial success. This is a scary, hard industry sometimes ... just help people dang it!

3️⃣ Recognize those bad actors and security marketers actually practice some of the same moves (spear phishing, anybody?). It's about the intention of the marketer versus the bad actor that sets them apart.

Tap that headphone icon to bring Clark’s thoughts from his brain to your ears. Let’s go!

Today, David Bacque, the VP of Strategic Development and OT/ICS Cybersecurity Leader at RED Group joins us to discuss the P word.

That’s right. PROCUREMENT.

In this episode, we dive into the key topic of procurement being involved in the security purchase process. Examples could be capital projects, ICS, OT,  or others.

When you tune in, you’ll hear a basic checklist that David recommends folks follow when evaluating an operational technology solution.

That checklist includes questions such as…

1️⃣ What questions should they ask of vendors. For example: how is cloud data stored?

2️⃣ How does this fit in with our current IT environment?

3️⃣ And what capabilities does this boast (is this considered modern? Can we patch it remotely?)

Tap that headphones button to hear more operational technology wisdom from David. 🎧

Today, Jacqueline Lundie joins us to share some of her experience working as a SOC Analyst with the US Department of Health and Human Services.

Lots of opportunities for discussion with someone who has this type of experience.

So, what did we cover?

The importance of training on a high functioning Security Operations Center (SOC).

Jacqueline mentions a number of advantages when it comes to training. Some include.

1️⃣ Reduced turnover in the Security Operations Center

2️⃣ Reduced burden on re-hiring and re-training, which is an issue because training can take up to 3-4 months (sometimes longer!) when someone joins.

3️⃣ Swift reactions to incidents as SOPs and IRPs are all well-known, documented and communicated/practiced.

Want to hear the rest? Tap that headphone icon below to hear from Jacqueline herself.

Today, cybersecurity specialist Selby LeBert of Textron Aviation joins us to discuss the rise of entry-level security personnel in the world of security operations for companies such as Textron.

More specifically, Selby is going to talk listeners through:

1️⃣ Four key issues he sees with bringing practitioners into the work of cyber security

2️⃣ Discussing the Skills Bridge program from the Military to Private Sector

3️⃣ How Textron Aviation thinks about security with regards to aerospace/supply chain

If you are ready to take off with this episode, tap that episode link to get started.

Today, we’re speaking with Elez Tupozovic with CyberConvoy.

Sharing experience in his current role as Security Operations Center (SOC) Analyst at an MSSP, Elez dives into two topics with us on the show.

1. The nooks & crannies that add up to a wider attack surface
2. Dissecting CISA’s Shields Up, specifically discussing how that affects SOC Analysts everywhere, the key question of ‘will companies actually listen and report breaches, as well as if Shields Up will assist the security community as a whole.

Strap in for a fantastic conversation with Elez Tupozovic.

Dereik Ireifej of CyberConvoy and I are going to discuss his journey of breaking into the world of cybersecurity as a Security Operations Center (SOC) Analyst.

There are four key pain points that Derek shared on his journey from line cook to IT manager to SOC analyst.

1. HR Job postings being disconnected from the actual requirements of the job. Case in point: a CISSP certification is required for a SOC Analyst role. Seriously?!
2. Speaking of certifications. Which ones actually matter? Do any of them matter? Security+ helped Derek academically … but not from a resume standpoint!
3. Too many applicants apply (especially for remote). Makes it hard for employers to screen and hire when they are overwhelmed.
4. Which makes it an issue for finding experienced employees. How do you get experience if no one takes a chance on you? The answer: you need to work on your own time.

In this episode,  Menekse Saglam, a Security Operations Analyst at CyberNow Labs, joins us today to talk about the life of a SOC analyst.

A few highlights include.

(1 emoji)  Defining the Security Operation Center (SOC) environment

(2 emoji)  Stepping into the mindset of a SOC analyst. They are puzzle makers. Which pieces go where?

This episode presents listeners with the opportunity to step into a SOC environment from the comfort of your own home.

In today’s episode,  Warner Moore from Gamma Force joins the podcast to discuss the art of building a cybersecurity program for your business.

First up: where do we start?

“Start with the security strategy,” says Moore.

Another question: How long will this take to build within our business?

“Plan for at least 12 months at a minimum,” advises Warner.

What’s the formula you follow?

“An asset, that has a vulnerability, and a threat has ABC amount of risk to manage.”

Enough messing about. Tap the play button above to hear from Warner.

Tune in as Accenture’s Oscar Ruiz tells listeners which global regions and industries are the leaders versus the laggards in the world of Operational Technology (OT).

Curious to learn from Oscar but don’t have the time to tune in? Well in that case…

The industries that  have more mature OT environments are:

1. Oil & Gas
2. Utility companies: In the USA, think meter readers for electricity as well as water supply controlled by a municipality.
3. Finance: focus on the markets. Wall St. ... what would happen if there was a critical infrastructure attack on the power grid?

Now, let's talk about regions. Are there any specific regions of the world more advanced in the OT space?

1. Western Europe/European Union leads the way
2. USA coming along in the middle of the pack.

In this episode of the What’s the Problem, we speak with Ambuj Kumar, the CEO of Fortanix, about how to secure data in use.

This opens the door to discuss the concept of confidential computing, or the act of securing data in use that is vulnerable/in an unencrypted state.

Join us to learn about the advances in protection for data in use as well as to hear Kumar tell us more about Fortanix’s solution to protect data in it’s most sensitive state.

Guest about: Paraphrasing Margaret Mead, "Never doubt that a small group of thoughtful committed technologists can change the world. Indeed, it is the only thing that ever has". Ambuj Kumar’s passion is to assemble and work with such a group. He’s a sucker for passionate people wanting to make a dent in spite of any challenges. At the moment, Ambuj is the CEO of Fortanix, a data-first multicloud security company.

Graham will talk us through what this looks like in the #Education #Cybersecurity space, referencing the CJIS Security Policy that is enforced by the FBI, as well as HIPAA compliance out of the box in the healthcare security space.

Join Graham Smith of IBM as he talks through the Summit program.

• 6 months of training.
• No client contact allowed.
• Broken into regional cohorts of new IBM employees who have to be able to sell to senior leaders/managers to graduate the program.

So … does it work? Supposedly yes!  Graham was ready to sell in month 5 of the program.

Tune in to learn more about the effectiveness (or lack of!) of training programs that security companies are putting into place.

Incident Response Plans (IRPs). The good, the bad, the ugly. Learn about IRP's from the perspective of someone with James Williams's cybersecurity background.

In this episode, James shares his experience working in the federal space (helped secure the 2020 census), discusses MSSPs with private businesses, and also dives into how he got into security as a cryptography analyst in the US Air Force.

In this episode, Chandra Pandey of Seceon joins Mike to discuss ransomware with respect to Intellectual Property (IP). Specifically, they discuss that bad actor have two choices. To demand a ransomware payment … or to lurk in your network or other confidential systems to siphon off Intellectual Property over time?

Chandra goes in-depth on the topic using the Nvidia hack as well as the Microsoft source code hack to highlight his points.

If you’re in the #healtchare #IT space, Tom Johnson provides an excellent example of what this looks like for a 5,000-person hospital system. Tune in now to hear that one!

Join Aaron Rosenmund from PluralSight to discuss a critical cybersecurity topic: The people involved in Security Operations Centers (SOC).

We cover three specific angles on this topic.

First: There is a shortage of qualified cybersecurity professionals in the job marketplace here in 2022. No duh, I think we all know that :)

Second: While there is a shortage, we need MORE professionals entering the field. Can't be gatekeeping to keep interested folks out! Need to empower people to feel confident entering the field as a complete novice in order to work their way up the industry ladder.

And third: On the note of bringing *more* folks into the world of security. There is a need for a set of standards for cyber security professionals to refer to in order to evaluate someone's capabilities (similar to GAAP accounting for accountants). What do those standards look like? Who establishes and enforces them? Those questions - and more - are discussed.

According to Bob Zinga, vCISO and Head of Information Security at Directly, we are less than 5 years away from quantum computing being able to crack 256-bit encryption in 20 seconds (or less!). So, where does that leave us? What can we do about this? How will the public and private sectors work together to create the next standard of encryption? Tune in to this episode to hear Bob share his expert opinion.

In this episode, Ravina Joshi explores the importance of closing up port access to both internal as well as external ports on your network. Additionally, Ravina tells us not just about the technical damage of leaving ports open. She goes deeper into the economic consequences associated with open ports, citing the WannaCry ransomware attack that grossed ”$100 billion USD” in ransomware payments according to Ravina.

In this episode, David Cornish of Upguard explores the topic of identity breaches.

A few fun bits from the episode include:

1. More often than not, an identity breach is the result of a partner, customer, or vendor breach. Your identity information becomes a casualty of someone else's breach.
2. “If you are doing business with somebody, you are doing data with them."

In this episode, Steve Fisher of IMS goes into great detail around the security concerns that school systems have to face in the world of cybersecurity. Specifically, Steve explains how high turnover environments produce opportunities for bad actors as schools onboard or offboard both full-time as well as part-time or contract staff. If you’re interested in keeping the data safe at your own child's school, this episode will outline areas that you can help shore up to protect that data.

In this episode, Jack Borchgrevink of VMware joins Mike Krass to discuss two important issues: vendor responsibility to provide support in advance of a breach (service partners, playbooks, tabletop games) as well as how to secure your organization during times of employee turnover (both in and out of the organization). If these topics are of interest to you, get those ears ready to listen!

In this episode, Fares Mohammed joins What’s the Problem to discuss social engineering in the world of #cybersecurity. Based on his experience, Fares discusses email phishing scams about bitcoin or NFT projects all the way down to dropping flash drives in random places in corporate offices to see who would plug them into company networked devices. Which oh, by the way, 17 out of 20 dropped USB flash drives were plugged into a networked device. Whoa!

In this episode, Mike Krass chats with Christopher Gibbons to discuss the fact that in 2022 secure email gateways (SEG’s) don’t statistically provide any more protection than you already receive with Microsoft Office 365 or Google Business applications. So, what other options are out there on the market? There’s a new category of them: Phishing Detection & Response (PDR).

This episode explores a key topic for security vendors to consider: how do I speak to a person in a Technical role versus a Business Manager role? Based on her years of experience on the buyer side of security vendor pitches, Fatma Candas details why the concept of 'less is more' is important to avoid overloading buyers with unnecessary information. Additionally, Fatma makes it crystal clear that when entering her office sellers need to focus on buyer problems by function, role, or department. "Don't waste my time."

Passwords, passwords, passwords being used everywhere and still we have breaches. Join security specialist Adil Ahmed as he discusses the issues with insecure passwords (did you know people still use 123456 for passwords these days?). Specific password  cracking attacks such as brute force, password spraying as well as spear phishing when a hacker has gained access to 1 (or more) of your systems and are using these as hop points to jump around your network are discussed in today’s episode.

In this episode, Dani Woolf and Mike Krass dive into the big H word: Honesty. More specifically, Dani explores how honesty and transparency around what your security product can or cannot do for the buyer's organization should be a mandatory requirement for all security sales or marketing leaders.

Join our host Mike Krass as he brings Matt Buhler on to the What’s the Problem podcast. During this episode, they discuss Matthew’s participation in open source security analysis competitions such as Trace Labs CTF and MetaCTF. Learn how these open source competitions locate data for law enforcement to find missing persons across the "Clear" and "Dark" web as well as remove CSAM (Child Sexual Abuse Material) from the Internet using Project Haydes. 

Note: Matthew advises to never, ever view CSAM material. Instead, use tools like Project Haydes to identify the material.

Marcela Denniston joins What’s the Problem to discuss how Small-to-Mid sized businesses (SMBs) are low-hanging fruit targets for bad actors as well as what they can do to protect their organizations on a budget.

Join our conversation with Ebony Hall, a Systems Engineer with Cambium Learning who also has an IT background in the military (U.S. Army), as we discussed phishing attacks in the public sector.

Andy Smith the Chief Marketing Officer at Laminar joins to discuss the problems of security buyers: the convergence of cloud transformation and data democratization.