Avsnitt
-
Edna Conway, an innovative executive and thought leader with over 30 years of experience leading cybersecurity, risk management, and value chain transformation at Fortune 10 technology companies, highlights how collaboration in cybersecurity is critical for the development of and adherence to policy and practice in this Kitecast episode. Edna is currently a Senior Fellow at the Carnegie Endowment for International Peace and CEO and Founder of EMC Advisors. She currently is an advisor or board member for a long list of technology and professional services startups and nonprofit organizations.
One theme from the discussion with Edna centered on the cybersecurity workforce shortage. She emphasized the need to look beyond traditional sources and backgrounds to find talent. This requires partnerships between companies, academia, and nonprofits focused on training and upskilling people from diverse backgrounds for cybersecurity roles. Apprenticeship and mentorship models were discussed as potential solutions.
The conversation then delved into cybersecurity policy and regulation. Edna provided her perspectives on the balance between driving security practices versus overregulation that hinders business. She noted that legislation often lags behind technology advancements, making public-private collaboration critical. Edna stressed the importance of the private sector proactively stepping up security rather than just reacting to new regulations.
Another key topic from the podcast touched on the crowded landscape of cybersecurity startups and the challenges they face. Beyond just having an innovative product, Edna emphasized the importance of serving a real customer need, providing a complete solution, and demonstrating value to multiple stakeholders in an organization beyond just the security team. Making customers’ lives easier is key to standing out.
Edna also touched on the need to embed security into business processes and objectives from the start, rather than bolting it on afterwards. She discussed the concept of “secure by design” and how leading organizations are building security into everything from their products to their supplier relationships. This proactive, holistic approach is critical to managing cyber risk in an increasingly interconnected business environment.
LinkedIn: https://www.linkedin.com/in/ednaconway
EMC Advisors: https://www.linkedin.com/company/emcadvisorsCheck out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
Debra Farber, a globally recognized privacy, security, and ethical tech advisor with nearly two decades of experience, discusses data privacy, privacy by design, and the growing field of privacy engineering in this Kitecast episode. As the host of the Shifting Privacy Left podcast, Farber is dedicated to building a community of privacy engineers and bridging the silos between various industries and research areas.
In this Kitecast episode, Farber emphasized the importance of embedding privacy into product development from the outset. She highlighted the role of privacy engineers in assessing risks, minimizing data collection, and ensuring compliance with regulations such as GDPR. Farber also discussed the challenges organizations face in hiring privacy engineers due to the high demand and limited supply of qualified professionals in this relatively new field.
Farber explained the distinction between privacy by design and privacy-enhancing technologies (PETs). Privacy by design is a set of high-level principles focused on integrating privacy into systems from the beginning, while PETs are specific tools and techniques that help achieve compliance with data protection principles. Some examples of PETs include anonymization, homomorphic encryption, secure multi-party computing, and differential privacy.
The conversation also touched on the potential return on investment for organizations that prioritize privacy. By minimizing data collection and addressing privacy concerns early in the development process, companies can reduce downstream compliance costs, legal expenses, and the risk of fines associated with data breaches or privacy violations.
In addition to the above, Farber shared her thoughts on artificial intelligence and its impact on personal privacy. While acknowledging the potential risks, she emphasized that the real threat lies in the unchecked powers of those bringing AI to market without appropriate safety measures and testing. Farber advocates for the ethical development and deployment of AI technologies, ensuring that privacy standards are applied correctly to mitigate risks and protect individuals’ rights.
LinkedIn: https://www.linkedin.com/in/privacyguru
Shifting Privacy Left Media: https://shiftingprivacyleft.comCheck out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
Saknas det avsnitt?
-
In the latest Kitecast episode, Lisa Plaggemier, the Executive Director of the National Cybersecurity Alliance, discusses what it takes to empower digital safety for all peoples and organizations. With an extensive background in marketing, operations, and cybersecurity, including a decade at Ford Motor Company and senior roles at CDK Global and InfoSec, Lisa brings a wealth of experience and lessons learned to the topic. Her focus is on helping businesses and individuals protect themselves in the digital world, which enables organizations to develop better cybersecurity risk management strategies.
Lisa emphasizes the importance of consistent and clear communications when it comes to cybersecurity awareness. She highlights the success of Cybersecurity Awareness Month, an initiative founded by the National Cybersecurity Alliance, attributing its effectiveness to the consistency of the message over time. Lisa also stresses the need to demystify cybersecurity for the average person, making it more attractive and less intimidating to adopt safe online practices.
One of the key challenges Lisa identifies is the knowledge gap between IT professionals and business owners, particularly in small businesses. To address this gap, the National Cybersecurity Alliance launched a training class tailored to educate business leaders on managing cybersecurity as a function of their business. The organization also recognizes the importance of early cybersecurity education, with plans to develop age-appropriate content for children in collaboration with PBS Kids.
Lisa shares insights from the National Cybersecurity Alliance’s annual survey, revealing alarming trends such as the persistence of insecure password practices and the overconfidence of younger generations in their ability to navigate cybersecurity risks. She also discusses the need for widespread adoption of multi-factor authentication (MFA) and the role of social media companies in mandating more stringent security measures.
In addition to the above, Lisa emphasizes the National Cybersecurity Alliance’s commitment to promoting cybersecurity awareness through various initiatives, including the creation of a comedic series called Kubikle Series to engage a broader audience. With her expertise and dedication to the cause, Lisa—and the National Cybersecurity Alliance—continue to play a crucial role in empowering individuals and organizations to stay safe in the ever-evolving digital landscape.
LinkedIn: https://www.linkedin.com/in/lisaplaggemier/
National Cybersecurity Alliance: https://staysafeonline.org/
Kubikle Series: https://kubikleseries.com/Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
Alan Shimel, a prominent figure in the cybersecurity industry, is the CEO and founder of Techstrong Group, a global platform that powers tech innovation and transformation across various media, research, and consulting brands. With over 25 years of experience in security, Shimel has been at the forefront of the industry, witnessing its evolution and the emergence of new technologies such as AI. In this Kitecast episode, he shares his insights on the impact of AI on cybersecurity, discussing its potential benefits and limitations while addressing the challenges faced by organizations in today’s rapidly changing landscape.
One of the key areas explored in the podcast is the influence of AI on application security (AppSec). Shimel notes that AI is making AppSec easier and faster, lowering the entry point for organizations to secure their applications. However, he also raises the question of whether AI is genuinely improving security or simply making it more accessible. Shimel suggests that while AI can help identify vulnerabilities in code more efficiently, it is essential to ensure that the quality of the generated code is high and that organizations do not become overly reliant on AI-driven solutions.
The conversation also delves into the role of cyber insurance companies in enforcing cybersecurity policies. Shimel explains that these companies are becoming the architects and auditors of security, establishing the lowest common denominator for organizations seeking coverage. While this can be beneficial in ensuring a baseline level of security, Shimel cautions that it may not always align with an organization’s specific needs or risk tolerance. He also highlights the importance of understanding the implications of cyber insurance, as insurers often have the power to make decisions on behalf of the insured organization in the event of a breach or ransomware attack.
Another critical topic addressed in the podcast is the cybersecurity skills gap. Shimel points out that despite the growing demand for cybersecurity professionals, many skilled individuals struggle to land their first job due to the industry’s preference for candidates with three to five years of experience. He emphasizes the need for organizations to provide opportunities for newcomers to gain practical experience and suggests that the skills gap will persist until the industry becomes more receptive to nurturing new talent.
Looking to the future, Shimel discusses the potential impact of quantum computing on cybersecurity. While he acknowledges that the development of stable quantum computers is still years away, he stresses the importance of preparing for the potential disruption they could bring. Shimel mentions that government agencies and regulatory bodies have already begun working on quantum-proof algorithms and certificates to ensure the continued security of encrypted data. However, he also notes that the adoption of these measures will largely depend on market demand and the willingness of organizations to invest in quantum-resistant technologies.LinkedIn: https://www.linkedin.com/in/alanshimel/
Techstrong Group: https://techstronggroup.com/
Techstrong Podcasts: https://techstrongpodcasts.com
Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
runZero provides comprehensive visibility into an organization’s cyber assets and attack surface to empower risk and exposure management. By combining external scanning, internal asset discovery, cloud inventory, and API integrations, runZero maps all devices, software, vulnerabilities, owners, and other security attributes. This integrated view across IT, IoT, OT, mobile, and cloud contextualizes risk and priorities based on asset criticality and location inside or outside the network perimeter.
Barbee predicts major new vulnerabilities in 2024 that will catch security teams off guard as they remain overburdened dealing with patching and securing fundamental gaps. Additionally, more supply chain attacks will emerge from malware inserted through dependencies and software development pipelines over the last few years. He advises CISOs to focus on security fundamentals first, like comprehensive asset management, vulnerability management, and patching rather than getting distracted by the latest headlines on advanced persistent threats.
While compliance regulations provide helpful guardrails and budget for security programs, most organizations still struggle with basics like consistent vulnerability scanning, device monitoring, and patching. The smaller the company, the more they remain focused on backup, recovery, and threat detection rather than proactive security. Barbee highlights an energy company that resisted patching anything due to downtime risks, demonstrating the difficult trade-offs security teams face.
When submitting conference presentation proposals, clearly explain what you plan to discuss and why it matters to peers. Spend time refining the title and abstract from the selection committee’s perspective, rather than taking shortcuts. Ask colleagues or mentors to review and provide feedback to improve clarity and relevance before submitting.
For new security professionals, Barbee advises developing networking and communication skills instead of only focusing on individual skills development. He also encourages cementing core IT and networking fundamentals instead of only specializing in security too early in their career. He suggests considering complementary areas like risk management to broaden perspective beyond just vulnerabilities and controls.
LinkedIn Profile: https://www.linkedin.com/in/jhbarbee/
runZero: https://www.runzero.comCheck out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
Patrick Garrity has over 15 years of experience spanning various marketing, sales, and product roles for high-growth cybersecurity companies. For this Kitecast episode, he delves into detail on his expertise in vulnerability management.
To start the podcast episode, Garrity discusses the rapid evolution of vulnerability management over the past few years. He notes that vulnerabilities are growing exponentially in both volume and complexity, with over 25,000 new vulnerabilities identified in 2022 compared to just 5,000 several years ago. Despite this growth, many organizations still struggle to patch even known critical vulnerabilities in a timely manner. In response, Garrity emphasizes that organizations need to focus first on addressing externally facing, actively exploited vulnerabilities before attempting to tackle everything at once with their limited resources.
The podcast episode also covers the role of AI and machine learning in vulnerability management. While emerging AI tools show promise for use cases like prioritization of vulnerabilities and automated reporting, Garrity cautions that the underlying data feeding these systems needs stringent accuracy and validation. He advocates leaning on trusted threat intelligence from established providers to help inform data-driven decisions around vulnerabilities and incident response.
Shifting gears, Garrity reflects on seminal lessons learned from his experience rapidly scaling Duo Security before its $2.35 billion acquisition by Cisco in 2018. When asked by the hosts to provide career guidance to others pursuing work in the cybersecurity field, Garrity highlights the outsized importance of continually assessing the market landscape with an eye for evolution. Similarly, he stresses that individuals should embrace openness to filling a variety of roles in early-stage companies as they grow. Finally, Garrity emphasizes the urgent need for sustainable business models in cybersecurity rather than overvalued fundraising built predominantly on hype. Underpinned by this sobering perspective, he still goes on to express optimism about the industry's overall trajectory thanks to the advent of various “secure-by-design” initiatives.
LinkedIn Profile: https://www.linkedin.com/in/patrickmgarrity/Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
As an author, podcaster, and field CISO focused on the public sector, Dan Lohrmann brings a wealth of experience spanning over two decades. This Kitecast episode includes a discussion of Lohrmann’s recent book, Cyber Mayday and the Day After, that he co-authored with cybersecurity expert Shamane Tan. The book shares ransomware stories and insights from executives who have faced major cyber incidents. It covers best practices for preparation, response, and recovery before, during, and after an attack. Lohrmann notes these firsthand stories reveal valuable lessons for organizations of all types.
The podcast discussion then turned to the inevitable disruption faced by today’s CISOs and cybersecurity teams. Lohrmann emphasizes the need for continuous training, tabletop exercises, and preparation for unexpected curveballs. Building an organizational culture focused on resilience rather than blame is also critical.
As conversation shifted to artificial intelligence, Lohrmann pointed out that governing and securing AI remains extremely challenging for most security teams. The proliferation of free AI tools creates substantial risk of data loss and intellectual property theft. Enterprises need much greater visibility and control over how end-users are interacting with these tools. Over the next few years, more organizations are expected to invest in enterprise-controlled AI systems focused on security and privacy.
In discussing predictions for 2024 and beyond, Lohrmann highlights his annual report compiling insights from leading cybersecurity vendors and researchers. With cyber threats growing in scale and sophistication, he emphasizes the importance of continuous learning for security leaders. At the same time, Lohrmann notes that while specific predictions should be taken with a grain of salt, the research reports paint an informative picture of what trends are unfolding.
LinkedIn Profile: https://www.linkedin.com/in/danlohrmann/
Presidio: https://www.presidio.com/
Cyber Mayday and the Day After: https://www.amazon.com/Cyber-Mayday-Day-After-Disruptions/dp/1119835305/ref=sr_1_2Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
In this Kitecast episode, Alexandre Blanc, a Cybersecurity Advisor and Consultant, brings his extensive 15-year background in cybersecurity and risk management into focus. With a significant online presence established since 2018, Blanc has become a prominent LinkedIn influencer for over 70,000 followers by offering critical insights aimed at bolstering organizational resilience.
During the podcast, Blanc delves into crucial cybersecurity and risk management topics, emphasizing the vital roles of data governance, robust access controls, and reliable backup solutions in risk mitigation and regulatory compliance. He points out a common oversight within many organizations—the underestimation of the business implications that outages and incidents can have.
Blanc sheds light on the predicaments that arise from the prevalent use of SaaS platforms, such as diminished control and limited visibility regarding updates. Moreover, he casts doubt on the extent of protection cyber insurance offers in the aftermath of cybersecurity events.
The discussion also ventures into the realm of emerging challenges. Blanc examines Canada’s new data privacy laws, noting how compliance is propelling security enhancements. He raises concerns about the unchecked proliferation of Internet of Things (IoT) devices and their security implications. Looking forward, he addresses the potential disruption quantum computing may pose to current encryption standards, suggesting that tighter governance and minimizing sensitive data transmissions are key to lessening future risks.
Concluding his insights, Blanc champions the cause for transparency and the cultivation of trust in the evolution of novel technologies like artificial intelligence. By recounting instances where companies concealed failures, resulting in costly long-term repercussions, he calls on technology leaders to acknowledge and communicate the potential adverse impacts of their innovations. His advocacy for informed public discourse stands as part of his broader commitment to providing a measured perspective amidst the swift pace of technological advancement.
LinkedIn: www.linkedin.com/in/alexandre-blanc-cyber-security-88569022
RCGT: www.rcgt.com
Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
This Kitecast episode features Jason Rebholz who has an extensive background in cybersecurity. He is currently the CISO at Corvus Insurance, which he joined in 2021. He also serves as an advisor for NetDiligence and MOXFIVE. Previously, Jason served as the VP of Strategic Partnerships for ICEBRG, which was acquired by Gigamon, VP of Professional Services for The Crypsis Group, and Manager at Mandiant.
Jason founded the educational initiative, “Teach Me Cyber,” that is available on YouTube and LinkedIn with the objective of making cybersecurity topics more accessible to general audiences. This was motivated by often seeing technical news coverage using jargon and screenshots that average readers would struggle to comprehend. Through short daily lessons on platforms LinkedIn and YouTube, Jason breaks down cybersecurity topics in simple terms anyone can understand. His goal is to help even one more person gain practical knowledge to improve their organization’s security.
In the podcast interview, Jason discussed a recent high-profile ransomware attack and provided insight into the challenges of containing and remediating active attacks, noting that it is very difficult to fully kick attackers out of an environment within a short time frame. Jason emphasized the importance of having strong monitoring and rapid response capabilities in place.
Multi-factor authentication (MFA) was another topic Jason covered. He highlighted that while MFA is crucial, organizations must be thoughtful about which types they enable, as weaker forms can still be bypassed. He advocated for the adoption of the most secure MFA options available to get the full risk reduction benefit using zero-trust principles.
Managing third-party cyber risk was also discussed. Jason argued that current third-party assessments often provide a false sense of security. He recommended assuming vendors have poor security and mitigating the impact via actions like limiting data sharing, controlling where sensitive data goes, and ensuring you can revoke access.
LinkedIn: www.linkedin.com/in/jrebholz
YouTube: www.youtube.com/@teachmecyberCheck out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
This Kitecast episode features an interview with Chris Rose, a Partner at Ariento, a leading cybersecurity, IT, and compliance service provider. He has extensive experience in cybersecurity, having previously served as an instructor at UCLA where he taught cybersecurity and privacy courses. Chris holds an MBA and a master’s in computer science from UCLA, as well as a bachelor’s degree from Cal Poly.
During the podcast interview, Chris provides an overview of the Cybersecurity Maturity Model Certification (CMMC) framework and its origins within the defense industry. He explains that CMMC builds upon existing NIST 800-171 requirements for protecting controlled unclassified information that contractors already must comply with. However, CMMC adds a critical component—independent third-party assessments done by C3PAOs (Certified Third-party Assessment Organizations).
Chris believes CMMC will likely gain final approval in early 2024 based on the rulemaking process. He notes that reciprocity with frameworks like FedRAMP could help ease the compliance burden for contractors. For companies using cloud services, Chris strongly advises leveraging solutions that have achieved FedRAMP Moderate Authorization or above.
When asked about readiness across the Defense Industrial Base (DIB), Chris indicates that primes are pushing their subcontractors to get prepared. However, smaller companies are still in a wait-and-see mode in some cases, trying to weigh the costs versus risks. He emphasizes that companies should focus first on proper scoping of assets and information that will be in scope for CMMC assessments.
Chris also provides tips for selecting a C3PAO, noting that risk mitigation and technical competence are top evaluation criteria for most mid-market and enterprise clients. He also discusses Ariento’s experience with adjacent standards like FedRAMP, ISO, and ITAR that provide relevant expertise for CMMC advisory services.
LinkedIn: www.linkedin.com/in/cmmc
Ariento: www.ariento.comCheck out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
Katie Arrington, former Chief Information Security Officer (CISO) for the U.S. Department of Defense and member of the US House of Representatives, discusses her experience as CISO, noting that the position was newly created in 2019 to address urgent cybersecurity threats. In the role, she aimed to establish consistent standards for cybersecurity across the Department of Defense, including weapons systems, critical infrastructure, and the defense industrial base. A key challenge was overcoming the different cybersecurity approaches between military branches and establishing a unified culture.
Regarding the Cybersecurity Maturity Model Certification (CMMC), Arrington explains it was initially conceived as a unified standard for defense contractors to demonstrate implementation of NIST 800-171 security controls. Hundreds of industry representatives helped develop CMMC 1.0. Arrington expresses that she regrets not fully eliminating the use of Controlled Unclassified Information (CUI) as an indicator of whether contractors needed certification, believing all defense contractors should adhere to CMMC standards given growing threats.
Arrington highlights the massive cyber threats posed by nation states like China, Russia, Iran, and North Korea, which she says are targeting U.S. defense contractors to steal key technologies and intellectual property. She points out that China has a dedicated cyber army aimed at making China the world’s economic superpower. Russia has shown its cyber capabilities already in interfering with elections. These adversaries are relentless in exploiting vulnerabilities across the entire supply chain.
For defense contractors bidding on DoD projects, Arrington authored a white paper that estimates per-employee costs for cybersecurity based on company size. She believes contractors should build these costs into project bidding. Arrington argues CMMC is now just about verifying NIST 800-171 compliance, not evaluating maturity, so she anticipates the name changing in the future. In preparation for CMMC 2.0 Level 2 compliance audits, she recommends that contractors proactively get audits now rather than waiting until CMMC becomes a DIB mandate to address urgent threats.
Regarding supply chain risks, Arrington indicates primes cannot fully see risks beyond tier-one suppliers. She urges primes to contractually require CMMC certification from all subcontractors to improve security against threats that can enter anywhere in the supply chain.
Arrington stresses that cyberattacks are constant and rapidly evolving. No organization can be 100% secure. However, by implementing standards like NIST 800-171, organizations can mitigate these risks. Adherence to cybersecurity frameworks is critical today, an important focus for national security as cyber threats continue escalating.
LinkedIn Profile: https://www.linkedin.com/in/katie-arrington-a6949425/Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
CEO and Entrepreneur Jean Phillip Bernier, the CEO of AnniQ and Spin Quantum Tech, shares his enthusiasm for AI and Quantum Computing technology advances. Bernier tracks the progress of Quantum Computing, especially IBM’s rapid development from a 5-qubit machine in 2017 to a prediction of a 100,000-qubit machine by 2033. The staggering quantum processing power, he believes, could unlock problem-solving potential beyond our current imagination.
Bernier spotlights the role of cloud computing in democratizing technology. He reminisces about the early computing era when Sun Microsystems’ technologies were out of reach for many due to high costs. Cloud computing has flipped this narrative, transforming sophisticated, expensive technology tools to something affordable to organizations of virtually any size. Anyone with a credit card can delve into Quantum Computing capabilities. This, in turn, fosters a thriving community of quantum algorithm enthusiasts and learners.
Bernier explores three real-world applications of Quantum Computing: 1) business operations optimization, 2) AI algorithm acceleration, and 3) most significantly, a unique encryption method known as “entropic encryption.” This approach is a game-changer for data security. Traditional encryption relies on the secrecy of a single key, which is under threat with quantum technology’s ability to consider all possible solutions simultaneously. Entropic encryption offers a fresh perspective by harnessing the inherent chaos and entropy of quantum states, hiding data in a sea of what appears to be random noise. The data is unreadable without the correct pattern, providing a new layer of security and a multiplicity of decryption avenues.
To make sense of the complex Quantum Computing world, Bernier draws parallels between Newton’s concept of gravity and the superposition principle in quantum mechanics. Just as gravity influenced falling objects before Newton quantified it, Quantum Computing uncovers existing, yet previously unexplored data patterns. At the same time, Bernier acknowledges the nascent state of Quantum Computing, referring to recent incidents of broken algorithms as a part of the technology’s learning curve.
When it comes to cybersecurity, Bernier predicts a convergence of AI and Quantum Computing. He shares about an ongoing project Spin Quantum Tech is managing with a U.S. company, where they are leveraging both Quantum Computing and AI to develop a novel anti-ransomware solution. The team is capitalizing on the power of Quantum Computing to rapidly explore a multitude of decryption keys, paired with AI’s predictive and learning capabilities, to swiftly identify and implement the correct decryption pattern. This fusion of technologies is expected to create a dynamic solution, capable of not only recovering information held ransom but doing so in a manner that eliminates the necessity for victims to negotiate with cybercriminals. The project is pioneering in its approach and could radically reshape the cybersecurity landscape, providing robust defenses against the ever-evolving threat of ransomware.
LinkedIn: https://www.linkedin.com/in/jean-phillip-bernier-artificial-intelligenge-marketing-analytics-quantum-computing/
AnniQ: https://www.anniq.ai
Spin Quantum Tech: https://spinqtech.com/Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
Billy Spears, Teradata’s CISO since 2021, stresses reciprocal learning and community in cybersecurity in a Kitecast episode. He believes each interaction offers learning potential and guides his volunteering decisions based on potential mutual benefits.
Spears discusses the evolution of cybersecurity standards since his time at the Department of Homeland Security. Initial efforts focused on creating policies and frameworks, while today's challenge is managing an overabundance of inconsistent frameworks. Companies need to navigate from the least to most restrictive frameworks, factoring in their needs, risk tolerance, global economic influences, regional regulations, and data handling practices. Spears highlights that compliance, while important, is not the sole determinant of strong security.
Spears emphasizes resource and cost management in implementing new cybersecurity technologies. As a CISO, he believes in cross-functional thinking across IT systems, including product, engineering, and marketing. The impact of technology solutions on business decisions must be considered holistically, assessing financial aspects with procurement teams for a comprehensive impact evaluation.
The cybersecurity skills shortage continues, and Spears suggests three mitigation strategies. First, avoid bias in recruitment towards candidates who reflect hiring managers. Second, dispel the misconception that cybersecurity is solely technical and hire non-technical roles like auditors, project managers, and governance professionals. Finally, combat the retirement of senior leaders by thinking creatively in recruitment, promoting cross-training, community engagement, university partnerships, and succession planning.
Spears emphasizes understanding the variety in AI. It’s not a single product but an array of algorithms and models used for different outcomes. Awareness of these differences is critical in cybersecurity to discern the benefits and risks of each AI model, like understanding blockchain. He advocates for education as key to navigating AI’s advantages and potential hazards.
LinkedIn: www.linkedin.com/in/billyjspears/Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
Eddie Doyle, a renowned Security Strategist and Speaker at Check Point Software, has a fascinating career journey in the fast-paced field of cybersecurity. Doyle first understood the importance of cybersecurity in 2007 when he joined Check Point Software. Back then, it was a transformative phase; IT departments were just beginning to comprehend the concept of data centers to deal with the data influx post the dot-com era.
Interestingly, Doyle noticed that while these data centers were physically half-empty, they consumed immense power and cooling resources. Doyle navigated the rapidly evolving cybersecurity landscape, witnessing the rise of threat actors who managed to bypass physical security measures by infiltrating systems virtually—a phenomenon triggered by data outsourcing. This necessitated the introduction of network security, a critical aspect in the digital world today.
As technology advances at an unprecedented pace today, so does the acceleration of cyber threats and associated risks. Doyle is a firm believer in the effectiveness of defensive strategies over offensive ones. He points to the legal and reputational hazards of aggressive cybersecurity measures and emphasizes the need to maintain a defensive stand. Despite the challenges of the Digital Age, Doyle is very optimistic about cybersecurity’s future, especially considering the emerging industry trends. He believes that security measures, if comprehensible and straightforward, are more likely to be implemented.
Doyle uses various anecdotes from his career to illustrate his points and provide more context. Innovation can be inherently insecure, despite cybersecurity’s primary goal to protect and secure. He shares a valuable insight from a military representative who advocated for the concept of “failing forward.” This idea implies that once a cybersecurity threat has been identified and contained, it’s essential to continue looking forward and adapt, a perspective different from the typical commercial response that halts after containment.
Doyle highlights the complexity of legal issues arising from offensive cybersecurity measures, such as retaliation against a cyberattack. He also provides insight into the Dark Web’s reality, discussing the proactive measures taken by his team to stay a step ahead of potential threats. Discussing the role of private industries and citizens in cybersecurity, Doyle notes that while industries aim to defend against cyberattacks through their products and services, they generally avoid an offensive stance due to legal implications.
Doyle paints a grim picture for cybersecurity professionals. Expanding upon the methodology of cybercrime syndicates who exploit system vulnerabilities, he highlights the diabolical precision of their operations, frequently helmed by psychopathic individuals launching phishing emails and targeting victims.
Doyle reiterates the expansive global reach of such cybercrime syndicates, pushing for the creation and implementation of strategic cybersecurity tools to fend off such sophisticated attacks. He additionally emphasizes the potential of blockchain and artificial intelligence in fortifying cybersecurity measures. Acknowledging the current crisis of misinformation and declining trust in media and leadership, Doyle identifies blockchain technology—with its transparent, decentralized system for verifying authenticity and securing personal information—as a groundbreaking solution and the benefits of safeguarding personal data.
LinkedIn: https://www.linkedin.com/in/edwinCheck out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
Dr. Rebecca Wynn is the Global Chief Security Strategist and CISO at Click Solutions Group and Podcast Host for Soulful CXO and Threat Watch. In this Kitecast episode, Dr. Wynn discusses professional motivation, the importance of mentorship, and her unique approach to cybersecurity based on her diverse experience, including time in the U.S. military.
Dr. Wynn underscores the crucial role of mentors in professional development. She emphasizes that finding the right mentor depends on individual needs and suggests having multiple mentors for different aspects of one’s career. She differentiates mentors from sponsors within an organization where one works. A sponsor actively opens new opportunities for you and typically initially starts as a mentor. A sponsor is someone within your organization, whereas a mentor may or may not be a member of your same organization. When it comes to selecting mentors, Dr. Wynn states they should be individuals whose values resonate with those of the mentees.
For women in the cybersecurity field, Dr. Wynn encourages them to apply for positions, even if they have doubts about meeting all qualifications. She emphasizes that she personally ensures that all female applicants are reviewed, despite what HR algorithms might suggest. Dr. Wynn believes in conducting one-on-one discussions to identify the best position for the applicant, highlighting a recent success story where she helped an underselling candidate secure a managerial role in GRC (governance, risk, , and compliance).
Throughout the podcast, Dr. Wynn shares her personal experiences, including her time caring for her elderly parents, which made her reflect on her core values and approach to work. She stresses the importance of maintaining authenticity and staying true to oneself. She also speaks about how her military background influenced her approach to cybersecurity, particularly her emphasis on GRC frameworks. According to Dr. Wynn, these frameworks allow for the fast mitigation, detection, and resolution of attacks.
When it comes to data privacy, Dr. Wynn champions the concept of Privacy by Design, which advocates for privacy measures to be built into products and systems from their inception, rather than added on afterwards. She emphasizes the idea of data having an expiration date, arguing that companies should not be allowed to keep personal data indefinitely without explicit consent. She suggests that tagging data upon creation with an expiration date could serve as a practical solution. This aligns closely with Kiteworks’ approach using digital rights management in concert with advanced security and compliance.
LinkedIn Profile: https://www.linkedin.com/in/rebeccawynncissp/
The Soulful CXO Podcast: https://soulfulcxo.com/Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
Albert E. Whale is a serial entrepreneur with over 30 years of experience in cybersecurity and risk management. He is the Founder and CEO of IT Security Solutions, which helps businesses secure their environments using ITS Safe™, an appliance that delivers real-time continuous protection of networks, printers, servers, clouds, modems and routers, and other equipment. Albert is a Global Ambassador at the Napoleon Hill Institute where he supports other professionals in their personal development. He also is a Startup Mentor at the Founder Institute, guiding entrepreneurs as they build their businesses. He is the author and coauthor of two award-winning books: #HACKED and #HACKED2.
In this Kitecast episode, Albert asserts that organizations must be more vigilant about third-party risk. He also argues that compliance regulations aren’t the panacea many believe them to be when it comes to thwarting cyber threats and minimizing cyber risk. Going against the grain, he argues that overemphasis on compliance regulations may leave organizations more vulnerable to cyber threats. Point-in-time security measures, which are reflective of compliance regulations, need to be replaced with continuous monitoring and scanning. Finally, Albert recommends that CISOs and CSOs abandon their efforts to adopt business speak when articulating cyber risk to executives and boards of directors. Instead, Albert contends they need to retain their specialist language to ensure conveyance of cyber risk.
LinkedIn Profile: www.linkedin.com/in/albertwhale
IT Security Solutions: http://www.it-security-solutions.com/
Published Books:
#HACKED: 10 Practice Cybersecurity Tips to Help Protect Personal or Business Information
#HACKED2: Practice Guidance for Dealing with Threats to Your Business and Privacy
Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
Mark Lynd is a former CEO, CIO, CTO, and CISO and currently serves as the Head of Digital Business at Netsync that employs a consultative and collaborative approach to help organizations architect innovative technology solutions that meet business needs. He is an author, frequent speaker on topics related to AI, IoT, and cybersecurity, is ranked in the Top 1 Globally for Security by Thinkers360, was named an Ernst & Young Entrepreneur of the Year for the Southwest Region, and is frequently interviewed by and quoted in publications such as The Wall Street Journal, InformationWeek, and others. Before his time in the private sector, Mark served in the U.S. Army’s 3rd Ranger Battalion and 82nd Airborne Division.
In this Kitecast episode, Mark discusses the significance of GRC (Governance, Risk Management, and Compliance) in today’s technology landscape, which is being propelled by accelerated evolution in cyber threats, third-party risks, and data security issues in the cloud. One outcome is that organizations must prioritize GRC strategies rather than making them an afterthought. In addition, Mark argues that Digital Rights Management (DRM) is critical when implementing a GRC strategy that addresses a zero-trust model focused on protecting sensitive content.
Beyond connecting GRC with DRM, Mark also speaks about artificial intelligence (AI), why it is important to teach cybersecurity life skills to teenagers, what he will be covering in his next book, how lack of DRM governance in the higher education sector is exposing national secrets, and more. This is an insightful discussion for anyone interested in learning from a proven leader who is dedicated to digital transformation and cybersecurity.LinkedIn Profile: www.linkedin.com/in/marklynd
Netsync: www.netsync.com
Published Book: Cyber Security Life Skills for Teens: Life Skills for the Digital Age
Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
Richard Stiennon, a cybersecurity pioneer, author, and industry executive, spoke about the hottest trending topic of our day in this Kitecast episode: artificial intelligence (AI). He currently serves as the Chief Research Analyst at IT-Harvest, a research organization he founded in 2017, which provides access to data on more than 3,318 cybersecurity vendors. To streamline and automate the compilation of data, Stiennon explains how IT-Harvest is using ChatGPT 4.0. On that note, Stiennon discusses how AI is transforming cybersecurity—both for the good and the bad.
Cybercriminals are finding ways around guardrails instituted in commercially available AI solutions like ChatGPT and Bard or simply developing their own to accelerate the development of malware, automate advanced persistent threats, and generate human-like phishing and spear-phishing attacks. At the same time, cybersecurity vendors are rapidly adding new AI capabilities to their product portfolios that improve the efficacy and efficiency of threat prevention, incident response, threat correlation and analysis, and more. Beyond the topic of AI, Stiennon addressed his thoughts on the role of cybersecurity leaders and subject-matter experts when it comes to serving as a board member or advisor. As a board member and advisor for a number of cybersecurity and compliance companies, he argues that organizations need to rethink how cybersecurity is discussed at the business level. Rather than teaching CISOs to speak the language of the business, they need to speak the language of cybersecurity and teach boards to understand cybersecurity risk through the lens of cybersecurity.
LinkedIn Profile: www.linkedin.com/in/stiennon/
IT-Harvest: www.it-harvest.com
Published Books:Net Zeros and Ones: How Data Erasure Promotes Sustainability, Privacy, and Security
https://www.amazon.com/Net-Zeros-Ones-Promotes-Sustainability-ebook/dp/B0BN72M57X/ref=sr_1_3
Secure Cloud Transformation: The CIO's Journey
https://www.amazon.com/Secure-Cloud-Transformation-CIOS-Journey/dp/1945254203
UP and to the RIGHT: Strategy and Tactics of Analyst Influence
https://www.amazon.com/UP-RIGHT-Strategy-Influence-influence/dp/0985460709
There Will Be Cyberware: How the Move to Network-centric War Fighting Has Set the Stage for Cyberwar
https://www.amazon.com/There-Will-Be-Cyberwar-Network-Centric/dp/0985460784/
Surviving Cyber War
https://www.amazon.com/Surviving-Cyberwar-Richard-Stiennon/dp/1605906883/
Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
In this Kitecast episode, Michael Redman, who is a Knowledge & Learning Management Instructor at Schellman and is a subject-matter expert in various cybersecurity and compliance standards, spoke at length about Cybersecurity Maturity Model Certification (CMMC), the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), and other topics that are pressing concerns for the Defense Industrial base (DIB). Redman asserts that businesses must approach cybersecurity as a risk management issue, just like any other business risk. Organizations must take proactive measures to mitigate cybersecurity risks and ensure they have a robust cybersecurity program in place.
Part of the podcast discussion with Redman involved the role of Certified Third Party Assessor Organizations (C3PAOs) and CMMC compliance. He explains that C3PAOs are an interesting entity and are being asked to shoulder a whole lot of responsibility with not a lot of reward. C3PAOs are swimming in murky water and need to be patient. As we proceed closer to CMMC implementation, the good, better, and best 3CPAOs will rise to the top, and the ones that aren’t fully invested will focus their energies elsewhere.
Midway through the podcast, Redman spoke about the CMMC Standards Council, of which he is a part. He explains that the Standards Council is working to create an objective matrix that can be used to rate C3PAOs objectively. He believes this will help organizations choose the right C3PAO based on their needs and budget. The alpha version of the objective matrix was just completed and is circulating among subject-matter experts for feedback.
Redman also talks about the importance of having a risk-based approach to cybersecurity. He suggests that organizations need to identify their high-value assets and focus on protecting them. He believes a risk-based approach is more effective than a compliance-based approach, as it helps organizations focus on what really matters. He emphasizes the importance of having a cybersecurity program aligned with the business objectives of the organization and one that accounts for third-party risk management (TPRM).\
Digital transformation is driving dramatic changes in cybersecurity. The confluence of cybersecurity and compliance demands a risk management model, and one focused on keeping private data private. Organizations can no longer view cybersecurity and compliance in separate silos but rather as intertwined and predictors of risk. Kiteworks’ content-defined zero-trust approach, which relies on the Kiteworks Private Content Network, is used by thousands of organizations around the world to unify security and compliance approaches to sensitive content communications while wrapping them in a hardened virtual appliance.
For more on Schellman, visit www.schellman.com/.Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
-
Vertosoft's CTO Chet Hayes is a technologist at heart and has kept his finger on the pulse of the public sector for much of his career. Early on in his career, he cut his teeth in technical software architecture roles in organizations such as Sun Microsystems, Hughes Information Technology, and BEA Systems. Based in Virginia, much of his customer-facing work was with the federal government. For the past 15 years, Hayes has worked in various senior leadership positions serving the public sector.
While government organizations face many of the same technology challenges as private sector organizations, they also have unique requirements. Federal government agencies and their supply chains, in particular, tend to be ahead of the private sector when it comes to the use of cybersecurity frameworks. In this Kitecast episode, Hayes discusses how the NIST CSF, CMMC 2.0, FedRAMP Authorization, and other federal cybersecurity standards are driving the adoption of zero trust and other security best practices. Discover what he thinks are some of the biggest security opportunities and challenges facing the government sector today and how data privacy exposure risks play into both components by listening to this podcast.
For more on Vertosoft, visit www.vertosoft.com.
For more on Chet Hayes, visit www.linkedin.com/in/chetdhayes.Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
- Visa fler
