Afleveringen

  • Jerod Brennen, VP of Cybersecurity Services at SideChannel, brings a unique perspective to cybersecurity leadership. Originally pursuing a career in music education, Brennen's journey led him through various IT roles before landing in cybersecurity at a public utility. Today, he serves as a vCISO for multiple organizations while also creating educational content for LinkedIn Learning, where he has developed over 40 courses covering topics from application security to ethics in technology. His unconventional path from music to technology has shaped his approach to security leadership, emphasizing the importance of both technical expertise and human understanding.

    As a vCISO, Brennen emphasizes the importance of tailored security approaches for small and medium-sized businesses. His work at SideChannel involves helping organizations across various sectors—from healthcare technology to manufacturing—build resilient security programs that align with their specific needs and capabilities. He highlights that while many of these businesses may not have the resources for a full-time CISO, they still require sophisticated security leadership to protect their digital assets and maintain compliance with industry standards. Brennen’s approach focuses on building security programs that enable business growth rather than simply implementing restrictions, ensuring that security measures support rather than hinder organizational objectives.

    A significant portion of the conversation focused on the challenges of data security in modern business environments. Brennen discusses the complexities of managing data access, particularly in cloud environments, and emphasizes the importance of proper tenant separation for different environments (development, testing, production). He notes that while cost often drives initial cloud decisions, mature organizations eventually shift their focus to building stable, secure infrastructure that aligns with their business goals. The discussion delved into the increasing importance of compliance frameworks such as SOC 2 and CMMC, with Brennen sharing insights on how organizations can effectively prepare for and maintain these certifications while avoiding common pitfalls.

    The discussion also touched on emerging technologies, particularly the challenges and opportunities presented by AI. Brennen addresses the growing concern among organizations about the secure use of generative AI tools, highlighting the need for clear policies around data sharing with these platforms. He emphasizes the importance of considering long-term implications of AI adoption, drawing parallels with recent events in the tech industry to illustrate the potential risks of data handling by emerging technology companies. His perspective on AI security is particularly relevant given the current landscape where many employees are already using these tools without formal organizational guidance.

    LinkedIn: https://www.linkedin.com/in/jerodbrennen/

    SideChannel: https://sidechannel.com/

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • Evgeniy Kharam is the founder of a cybersecurity consulting company and an industry veteran with extensive expertise in cybersecurity. He advises clients on navigating the complexities of the cybersecurity landscape and co-hosts two popular podcasts focused on cybersecurity architecture and business insights. Evgeniy is also a board advisor for the Canadian Cybersecurity Network, the largest technology group in Canada. Outside of his professional life, he is an active family man with four children, including twins, and enjoys organizing snowboarding events for networking in the cybersecurity community.

    Evgeniy joined the Kitecast podcast to discuss his new book, Architecting Success: The Art of Soft Skills in Technical Sales. It is a reflection on the evolution of sales engineering, especially in the cybersecurity field. Evgeniy draws from his personal experiences to address the increasingly complex nature of technical sales and the gap between technical knowledge and the ability to communicate it effectively in business terms. The book also serves as a personal challenge for Evgeniy, as he admits that writing is outside his comfort zone, and he believes that improving soft skills is often about doing what you dislike most.

    During the podcast interview, one of the key topics Evgeniy discusses is the importance of soft skills in cybersecurity sales. He emphasizes the need for adaptability, listening, and the ability to connect with clients. He points out that successful cybersecurity sales professionals must adjust their approach based on the client’s mood, energy, and current situation, moving from transactional interactions to building genuine relationships.

    Evgeniy also explores the dynamics between sales professionals and sales engineers. He suggests that the sales engineer’s role is not just to support the sales team but to engage in a more collaborative manner, asking the right questions to help the sales team qualify deals effectively. This dynamic allows for a smoother sales process, where both parties respect each other's expertise and play to their strengths, without crossing into each other's responsibilities.

    Another major point of discussion is the impact of virtual sales in a post-COVID world. Evgeniy stresses the importance of maintaining professionalism in virtual environments, from investing in proper equipment like cameras and microphones to ensuring a polished appearance. He also highlights the growing reliance on voice communication and the need to train one's voice for better delivery, as remote work has made verbal communication a primary tool for client interactions.

    LinkedIn: https://www.linkedin.com/in/ekharam/

    Architecting Success: https://www.softskillstech.ca/

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • Zijn er afleveringen die ontbreken?

    Klik hier om de feed te vernieuwen.

  • John Christly, VP of Services for Blue Team Alpha, and author of two cybersecurity books, brings his wealth of experience to this episode of Kitecast. With a background spanning roles such as CEO, CIO, CISO, and CTO, as well as military service, Christly offers unique insights into the world of cybersecurity compliance for Department of Defense (DoD) contractors.

    In this enlightening discussion, Christly demystifies the Cybersecurity Maturity Model Certification (CMMC) process. He explains how many organizations are surprised to find they’re further along in compliance than they initially thought, thanks to existing frameworks like DFARS and NIST 800-171. However, he cautions that self-attestation is no longer sufficient, emphasizing the need for third-party verification in the new CMMC landscape.

    Christly also delves into the critical role of FedRAMP certification in doing business with the government. He highlights the importance of data sovereignty and security in protecting American interests. The conversation explores the challenges of achieving “FedRAMP-like” status and the expertise required to truly build secure systems to DoD specifications.

    The podcast doesn’t shy away from emerging threats, with Christly offering valuable insights on managing AI-related risks in the workplace. He stresses the importance of clear policies, employee education, and ongoing monitoring to harness the benefits of AI while protecting sensitive data. Christly’s practical advice on consolidating security tools and gaining visibility into cloud application usage provides actionable strategies for improving organizational cybersecurity posture.

    Whether you’re a DoD contractor or simply interested in elevating your cybersecurity practices, this episode of Kitecast is a must-listen. Tune in now and take the first step toward robust, compliant cybersecurity for your organization.

    LinkedIn

    https://www.linkedin.com/in/johnchristly/

    Blue Team Alpha

    https://www.blueteamalpha.com

    Book: NIST 800-171 Controls Made Simple: A Step by Step Guide

    https://www.udemy.com/course/nist-800-171-controls-made-simple

    Book: The Basics of Cybersecurity

    https://www.amazon.com/dp/B0CZY65DQC

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • Kayne McGladrey, the Field CISO at hyperproof, is a renowned cybersecurity expert with an extensive background in enhancing security landscapes across various industries. His career is marked by significant contributions in developing robust security frameworks, managing complex risk scenarios, and driving comprehensive compliance initiatives. With a deep commitment to transforming the cybersecurity field, Kayne’s insights and strategies continue to influence how organizations approach security and regulatory compliance, making him a sought-after voice in the industry.

    In this Kitecast episode, Kayne McGladrey challenges the traditional view of cybersecurity as merely a cost center, proposing instead that it acts as a critical enabler of business. He eloquently explains how effective cybersecurity measures can unlock new market opportunities and help sustain revenue streams, thus fundamentally altering the narrative from a grudging investment into a strategic asset. By integrating robust cybersecurity practices, businesses can protect their operations from potential threats while enabling smooth and secure growth and innovation.

    Throughout the discussion, Kayne explores the evolving landscape of compliance tools, moving away from outdated methods like manual spreadsheets to more sophisticated, automated solutions. These advanced tools are designed to streamline and enhance the efficiency of compliance processes. However, Kayne points out the challenges businesses face, such as the lack of executive buy-in, which can hinder successful integration. He emphasizes the critical need for aligning security and compliance strategies with broader business objectives to ensure a cohesive and proactive approach to managing compliance.

    Kayne delves deeper into the practical challenges faced by cybersecurity teams, especially in the realms of evidence collection and risk assessment. He criticizes the persistence of outdated, manual processes that many organizations still use and advocates for a shift toward automated, more reliable methods. Such modern approaches not only save time but also improve the accuracy and effectiveness of cybersecurity measures, thereby enhancing an organization’s ability to manage and mitigate risks more efficiently.

    Looking toward the future, Kayne discusses the development of a GRC (Governance, Risk, and Compliance) maturity model that he is pioneering. This model is intended to provide organizations with a clear, actionable roadmap to enhance their governance structures and compliance strategies. By adopting this model, organizations can better navigate the complexities of regulatory environments, reduce risk, and cultivate a proactive, compliance-forward culture. Kayne’s vision for the future of GRC is aimed at making compliance a seamless part of business operations, thus fostering greater organizational resilience and adaptability.

    LinkedIn Profile

    https://www.linkedin.com/in/kaynemcgladrey/

    hyperproof

    https://hyperproof.io/

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • Jacqui Kernot, the Security Director at Accenture for Australia and New Zealand, boasts over two decades of extensive experience in cybersecurity, spanning multiple industries. Recognized for her authoritative voice on diversity and inclusion alongside cybersecurity risk management, Jacqui is a well-regarded speaker who frequently addresses these pressing issues. She is committed to pushing the boundaries of cybersecurity and focused on integrating cutting-edge AI and technological advancements into the security domain.

    In her recent appearance on the Kitecast episode, Jacqui illuminated the transformative impact of AI on cybersecurity. She pointed out that although AI technology is still emerging, the foundational steps taken today by organizations to build robust infrastructures will be pivotal. Jacqui stressed that companies poised to anticipate future technological needs and begin laying the groundwork for AI integration will likely lead the industry. This strategic foresight is crucial for fully realizing AI’s potential and maintaining a competitive edge in cybersecurity.

    A significant portion of Jacqui's discussion centered on the imperative of data sovereignty and stringent management practices. In an era increasingly dominated by large language models and cloud-based technologies, securing and responsibly managing data is paramount. Jacqui advocated for strict data governance frameworks that ensure data is accessible only by authorized personnel, emphasizing that responsible AI deployment is fundamental to future security architectures.

    Jacqui also delved deeply into the role of Zero Trust architecture in today’s cybersecurity landscape. She explained that as organizations increasingly migrate to cloud services and face more complex cyber threats, adopting a Zero Trust approach is crucial. This methodology is not only essential for blocking unauthorized access but also vital for building resilient security protocols that can robustly counteract potential breaches.

    Looking forward, Jacqui shared insights on the evolving challenges and opportunities within cybersecurity. She highlighted the necessity for security strategies to remain adaptive and vigilant against new threats while also leveraging emerging technologies. The discussion touched on the need for more sophisticated security measures that can effectively safeguard against the evolving landscape of cyber threats, ensuring that organizations can protect their critical assets in an increasingly digital world.

    LinkedIn Profile
    www.linkedin.com/in/jkernot/

    Accenture
    www.accenture.com/us-en

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • The Kiteworks Sensitive Content Communications Privacy and Compliance Report is an annual survey designed to delve into the pressing issues of data privacy, compliance, and cybersecurity. This comprehensive report gathers insights from IT, cybersecurity, risk, and compliance leaders around the globe, with the latest survey capturing responses from 572 leaders across 10 different countries. The report is meticulously divided into five sections: cyberattacks and data breaches, data types and classification, compliance and risk, cybersecurity and risk management, and operational procedures. These insights provide organizations with actionable intelligence to navigate the complex landscape of data security and compliance.

    This Kitecast episode features a panel discussion, with Kitecast Co-host Patrick Spencer addressing key findings in the report and soliciting feedback from Co-host Tim Freestone and two guest panelists, Alexandre Blanc and Ranbir Bhutani. Alexandre pointed out that while the frequency of cyber incidents has decreased, the scale of each incident has grown significantly. Threat actors have become more organized, targeting larger organizations with higher impact, particularly in specific verticals like healthcare and finance. This shift is likely influenced by geopolitical tensions, using cyberattacks to disrupt trust in systems and organizations. Ranbir echoed these observations, adding that the sophistication of phishing attacks has increased, often leveraging unethical AI to create highly convincing fraudulent communications.

    The conversation also explored the persistent challenge of human error in cybersecurity. Despite numerous training initiatives and advanced technologies, the human element remains a significant vulnerability. Tim, Alexandre, and Ranbir emphasized that until organizations can effectively abstract human errors from business processes, this will continue to be a weak link. Ranbir shared an anecdote about a near-miss phishing attempt, underscoring the difficulty even seasoned professionals face in recognizing sophisticated attacks.

    Another critical insight from the discussion involved the disparity in cybersecurity maturity across industries. The podcast revealed that higher education and state government sectors are particularly vulnerable, with a high number of reported breaches. This is attributed to underfunding and a lack of stringent cybersecurity measures. In contrast, the federal government has shown better compliance due to regulatory pressures like CMMC 2.0. The panelists agreed that while regulations are a step in the right direction, the enforcement and practical implementation of these regulations remain a challenge, particularly for smaller organizations.

    Finally, the podcast touched on the issue of litigation costs associated with data breaches. The long-term financial impact of breaches extends beyond immediate operational disruptions and ransom payments. Ongoing litigation can drain resources and affect an organization’s reputation and client trust.

    Kiteworks 2024 Sensitive Content Communications Privacy and Compliance Report: https://www.kiteworks.com/sensitive-content-communications-report/

    Alexandre Blanc:

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • Betania Allo is a distinguished expert in cybersecurity law and public policy and frequently presents at international forums and events. She boasts an impressive academic background with advanced degrees from Harvard University and Syracuse University. Currently, she is pursuing a doctorate in engineering with a focus on analytics at George Washington University. Her extensive experience includes serving as a Program Management Specialist and Senior Officer at the United Nations, where she addressed complex issues related to counterterrorism and technology.

    This Kitecast episode delves into Betania Allo’s multifaceted career journey, highlighting her transition from law and public policy to the specialized field of cybersecurity. Her decision to move from Argentina to the U.S. for graduate studies, combined with her background in international relations and law, set the stage for her focus on cybersecurity. Betania’s efforts to bridge the gap between legal experts and technologists are emphasized, underscoring the importance of understanding both domains to effectively tackle global cyber threats.

    The podcast discussion covers Betania’s tenure at the United Nations, where she worked on counterterrorism and technology. Insights are provided on how terrorist groups exploit digital platforms for recruitment, communication, and fundraising. The challenges of safeguarding these platforms and the importance of a multi-stakeholder approach involving private sector companies, NGOs, and academia are examined. Betania’s experiences during the pandemic revealed the increased vulnerability and exploitation of digital spaces by terrorist organizations.

    Betania also discusses the rehabilitation and reintegration of terrorists through technology. The significance of using technology in the initial screening of individuals for accurate assessments and tailored rehabilitation programs is outlined. Despite the challenges, Betania advocates for incorporating artificial intelligence (AI) and other technologies to enhance rehabilitation efforts. Her innovative approach aims to create unified systems for better data synchronization and resource allocation, particularly in regions with limited infrastructure.

    Finally, Betania argues that political decision-making needs to be tapped in prioritizing technological advancements and cybersecurity investments. Continuous collaboration between governments, tech companies, and security experts is deemed essential to stay ahead of emerging threats. As such, she points out the need for engaging training programs to build a robust cyber culture within organizations and beyond.

    LinkedIn: https://www.linkedin.com/in/betaniaallo/

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • Edna Conway, an innovative executive and thought leader with over 30 years of experience leading cybersecurity, risk management, and value chain transformation at Fortune 10 technology companies, highlights how collaboration in cybersecurity is critical for the development of and adherence to policy and practice in this Kitecast episode. Edna is currently a Senior Fellow at the Carnegie Endowment for International Peace and CEO and Founder of EMC Advisors. She currently is an advisor or board member for a long list of technology and professional services startups and nonprofit organizations.

    One theme from the discussion with Edna centered on the cybersecurity workforce shortage. She emphasized the need to look beyond traditional sources and backgrounds to find talent. This requires partnerships between companies, academia, and nonprofits focused on training and upskilling people from diverse backgrounds for cybersecurity roles. Apprenticeship and mentorship models were discussed as potential solutions.

    The conversation then delved into cybersecurity policy and regulation. Edna provided her perspectives on the balance between driving security practices versus overregulation that hinders business. She noted that legislation often lags behind technology advancements, making public-private collaboration critical. Edna stressed the importance of the private sector proactively stepping up security rather than just reacting to new regulations.

    Another key topic from the podcast touched on the crowded landscape of cybersecurity startups and the challenges they face. Beyond just having an innovative product, Edna emphasized the importance of serving a real customer need, providing a complete solution, and demonstrating value to multiple stakeholders in an organization beyond just the security team. Making customers’ lives easier is key to standing out.

    Edna also touched on the need to embed security into business processes and objectives from the start, rather than bolting it on afterwards. She discussed the concept of “secure by design” and how leading organizations are building security into everything from their products to their supplier relationships. This proactive, holistic approach is critical to managing cyber risk in an increasingly interconnected business environment.

    LinkedIn: https://www.linkedin.com/in/ednaconway

    EMC Advisors: https://www.linkedin.com/company/emcadvisors

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • Debra Farber, a globally recognized privacy, security, and ethical tech advisor with nearly two decades of experience, discusses data privacy, privacy by design, and the growing field of privacy engineering in this Kitecast episode. As the host of the Shifting Privacy Left podcast, Farber is dedicated to building a community of privacy engineers and bridging the silos between various industries and research areas.

    In this Kitecast episode, Farber emphasized the importance of embedding privacy into product development from the outset. She highlighted the role of privacy engineers in assessing risks, minimizing data collection, and ensuring compliance with regulations such as GDPR. Farber also discussed the challenges organizations face in hiring privacy engineers due to the high demand and limited supply of qualified professionals in this relatively new field.

    Farber explained the distinction between privacy by design and privacy-enhancing technologies (PETs). Privacy by design is a set of high-level principles focused on integrating privacy into systems from the beginning, while PETs are specific tools and techniques that help achieve compliance with data protection principles. Some examples of PETs include anonymization, homomorphic encryption, secure multi-party computing, and differential privacy.

    The conversation also touched on the potential return on investment for organizations that prioritize privacy. By minimizing data collection and addressing privacy concerns early in the development process, companies can reduce downstream compliance costs, legal expenses, and the risk of fines associated with data breaches or privacy violations.

    In addition to the above, Farber shared her thoughts on artificial intelligence and its impact on personal privacy. While acknowledging the potential risks, she emphasized that the real threat lies in the unchecked powers of those bringing AI to market without appropriate safety measures and testing. Farber advocates for the ethical development and deployment of AI technologies, ensuring that privacy standards are applied correctly to mitigate risks and protect individuals’ rights.

    LinkedIn: https://www.linkedin.com/in/privacyguru

    Shifting Privacy Left Media: https://shiftingprivacyleft.com

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • In the latest Kitecast episode, Lisa Plaggemier, the Executive Director of the National Cybersecurity Alliance, discusses what it takes to empower digital safety for all peoples and organizations. With an extensive background in marketing, operations, and cybersecurity, including a decade at Ford Motor Company and senior roles at CDK Global and InfoSec, Lisa brings a wealth of experience and lessons learned to the topic. Her focus is on helping businesses and individuals protect themselves in the digital world, which enables organizations to develop better cybersecurity risk management strategies.

    Lisa emphasizes the importance of consistent and clear communications when it comes to cybersecurity awareness. She highlights the success of Cybersecurity Awareness Month, an initiative founded by the National Cybersecurity Alliance, attributing its effectiveness to the consistency of the message over time. Lisa also stresses the need to demystify cybersecurity for the average person, making it more attractive and less intimidating to adopt safe online practices.

    One of the key challenges Lisa identifies is the knowledge gap between IT professionals and business owners, particularly in small businesses. To address this gap, the National Cybersecurity Alliance launched a training class tailored to educate business leaders on managing cybersecurity as a function of their business. The organization also recognizes the importance of early cybersecurity education, with plans to develop age-appropriate content for children in collaboration with PBS Kids.

    Lisa shares insights from the National Cybersecurity Alliance’s annual survey, revealing alarming trends such as the persistence of insecure password practices and the overconfidence of younger generations in their ability to navigate cybersecurity risks. She also discusses the need for widespread adoption of multi-factor authentication (MFA) and the role of social media companies in mandating more stringent security measures.

    In addition to the above, Lisa emphasizes the National Cybersecurity Alliance’s commitment to promoting cybersecurity awareness through various initiatives, including the creation of a comedic series called Kubikle Series to engage a broader audience. With her expertise and dedication to the cause, Lisa—and the National Cybersecurity Alliance—continue to play a crucial role in empowering individuals and organizations to stay safe in the ever-evolving digital landscape.

    LinkedIn: https://www.linkedin.com/in/lisaplaggemier/

    National Cybersecurity Alliance: https://staysafeonline.org/

    Kubikle Series: https://kubikleseries.com/

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • Alan Shimel, a prominent figure in the cybersecurity industry, is the CEO and founder of Techstrong Group, a global platform that powers tech innovation and transformation across various media, research, and consulting brands. With over 25 years of experience in security, Shimel has been at the forefront of the industry, witnessing its evolution and the emergence of new technologies such as AI. In this Kitecast episode, he shares his insights on the impact of AI on cybersecurity, discussing its potential benefits and limitations while addressing the challenges faced by organizations in today’s rapidly changing landscape.

    One of the key areas explored in the podcast is the influence of AI on application security (AppSec). Shimel notes that AI is making AppSec easier and faster, lowering the entry point for organizations to secure their applications. However, he also raises the question of whether AI is genuinely improving security or simply making it more accessible. Shimel suggests that while AI can help identify vulnerabilities in code more efficiently, it is essential to ensure that the quality of the generated code is high and that organizations do not become overly reliant on AI-driven solutions.

    The conversation also delves into the role of cyber insurance companies in enforcing cybersecurity policies. Shimel explains that these companies are becoming the architects and auditors of security, establishing the lowest common denominator for organizations seeking coverage. While this can be beneficial in ensuring a baseline level of security, Shimel cautions that it may not always align with an organization’s specific needs or risk tolerance. He also highlights the importance of understanding the implications of cyber insurance, as insurers often have the power to make decisions on behalf of the insured organization in the event of a breach or ransomware attack.

    Another critical topic addressed in the podcast is the cybersecurity skills gap. Shimel points out that despite the growing demand for cybersecurity professionals, many skilled individuals struggle to land their first job due to the industry’s preference for candidates with three to five years of experience. He emphasizes the need for organizations to provide opportunities for newcomers to gain practical experience and suggests that the skills gap will persist until the industry becomes more receptive to nurturing new talent.

    Looking to the future, Shimel discusses the potential impact of quantum computing on cybersecurity. While he acknowledges that the development of stable quantum computers is still years away, he stresses the importance of preparing for the potential disruption they could bring. Shimel mentions that government agencies and regulatory bodies have already begun working on quantum-proof algorithms and certificates to ensure the continued security of encrypted data. However, he also notes that the adoption of these measures will largely depend on market demand and the willingness of organizations to invest in quantum-resistant technologies.

    LinkedIn: https://www.linkedin.com/in/alanshimel/

    Techstrong Group: https://techstronggroup.com/

    Techstrong Podcasts: https://techstrongpodcasts.com

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • runZero provides comprehensive visibility into an organization’s cyber assets and attack surface to empower risk and exposure management. By combining external scanning, internal asset discovery, cloud inventory, and API integrations, runZero maps all devices, software, vulnerabilities, owners, and other security attributes. This integrated view across IT, IoT, OT, mobile, and cloud contextualizes risk and priorities based on asset criticality and location inside or outside the network perimeter.

    Barbee predicts major new vulnerabilities in 2024 that will catch security teams off guard as they remain overburdened dealing with patching and securing fundamental gaps. Additionally, more supply chain attacks will emerge from malware inserted through dependencies and software development pipelines over the last few years. He advises CISOs to focus on security fundamentals first, like comprehensive asset management, vulnerability management, and patching rather than getting distracted by the latest headlines on advanced persistent threats.

    While compliance regulations provide helpful guardrails and budget for security programs, most organizations still struggle with basics like consistent vulnerability scanning, device monitoring, and patching. The smaller the company, the more they remain focused on backup, recovery, and threat detection rather than proactive security. Barbee highlights an energy company that resisted patching anything due to downtime risks, demonstrating the difficult trade-offs security teams face.

    When submitting conference presentation proposals, clearly explain what you plan to discuss and why it matters to peers. Spend time refining the title and abstract from the selection committee’s perspective, rather than taking shortcuts. Ask colleagues or mentors to review and provide feedback to improve clarity and relevance before submitting.

    For new security professionals, Barbee advises developing networking and communication skills instead of only focusing on individual skills development. He also encourages cementing core IT and networking fundamentals instead of only specializing in security too early in their career. He suggests considering complementary areas like risk management to broaden perspective beyond just vulnerabilities and controls.

    LinkedIn Profile: https://www.linkedin.com/in/jhbarbee/

    runZero: https://www.runzero.com

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • Patrick Garrity has over 15 years of experience spanning various marketing, sales, and product roles for high-growth cybersecurity companies. For this Kitecast episode, he delves into detail on his expertise in vulnerability management.

    To start the podcast episode, Garrity discusses the rapid evolution of vulnerability management over the past few years. He notes that vulnerabilities are growing exponentially in both volume and complexity, with over 25,000 new vulnerabilities identified in 2022 compared to just 5,000 several years ago. Despite this growth, many organizations still struggle to patch even known critical vulnerabilities in a timely manner. In response, Garrity emphasizes that organizations need to focus first on addressing externally facing, actively exploited vulnerabilities before attempting to tackle everything at once with their limited resources.

    The podcast episode also covers the role of AI and machine learning in vulnerability management. While emerging AI tools show promise for use cases like prioritization of vulnerabilities and automated reporting, Garrity cautions that the underlying data feeding these systems needs stringent accuracy and validation. He advocates leaning on trusted threat intelligence from established providers to help inform data-driven decisions around vulnerabilities and incident response.

    Shifting gears, Garrity reflects on seminal lessons learned from his experience rapidly scaling Duo Security before its $2.35 billion acquisition by Cisco in 2018. When asked by the hosts to provide career guidance to others pursuing work in the cybersecurity field, Garrity highlights the outsized importance of continually assessing the market landscape with an eye for evolution. Similarly, he stresses that individuals should embrace openness to filling a variety of roles in early-stage companies as they grow. Finally, Garrity emphasizes the urgent need for sustainable business models in cybersecurity rather than overvalued fundraising built predominantly on hype. Underpinned by this sobering perspective, he still goes on to express optimism about the industry's overall trajectory thanks to the advent of various “secure-by-design” initiatives.

    LinkedIn Profile: https://www.linkedin.com/in/patrickmgarrity/

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • As an author, podcaster, and field CISO focused on the public sector, Dan Lohrmann brings a wealth of experience spanning over two decades. This Kitecast episode includes a discussion of Lohrmann’s recent book, Cyber Mayday and the Day After, that he co-authored with cybersecurity expert Shamane Tan. The book shares ransomware stories and insights from executives who have faced major cyber incidents. It covers best practices for preparation, response, and recovery before, during, and after an attack. Lohrmann notes these firsthand stories reveal valuable lessons for organizations of all types.

    The podcast discussion then turned to the inevitable disruption faced by today’s CISOs and cybersecurity teams. Lohrmann emphasizes the need for continuous training, tabletop exercises, and preparation for unexpected curveballs. Building an organizational culture focused on resilience rather than blame is also critical.

    As conversation shifted to artificial intelligence, Lohrmann pointed out that governing and securing AI remains extremely challenging for most security teams. The proliferation of free AI tools creates substantial risk of data loss and intellectual property theft. Enterprises need much greater visibility and control over how end-users are interacting with these tools. Over the next few years, more organizations are expected to invest in enterprise-controlled AI systems focused on security and privacy.

    In discussing predictions for 2024 and beyond, Lohrmann highlights his annual report compiling insights from leading cybersecurity vendors and researchers. With cyber threats growing in scale and sophistication, he emphasizes the importance of continuous learning for security leaders. At the same time, Lohrmann notes that while specific predictions should be taken with a grain of salt, the research reports paint an informative picture of what trends are unfolding.

    LinkedIn Profile: https://www.linkedin.com/in/danlohrmann/

    Presidio: https://www.presidio.com/

    Cyber Mayday and the Day After: https://www.amazon.com/Cyber-Mayday-Day-After-Disruptions/dp/1119835305/ref=sr_1_2

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • In this Kitecast episode, Alexandre Blanc, a Cybersecurity Advisor and Consultant, brings his extensive 15-year background in cybersecurity and risk management into focus. With a significant online presence established since 2018, Blanc has become a prominent LinkedIn influencer for over 70,000 followers by offering critical insights aimed at bolstering organizational resilience.

    During the podcast, Blanc delves into crucial cybersecurity and risk management topics, emphasizing the vital roles of data governance, robust access controls, and reliable backup solutions in risk mitigation and regulatory compliance. He points out a common oversight within many organizations—the underestimation of the business implications that outages and incidents can have.

    Blanc sheds light on the predicaments that arise from the prevalent use of SaaS platforms, such as diminished control and limited visibility regarding updates. Moreover, he casts doubt on the extent of protection cyber insurance offers in the aftermath of cybersecurity events.

    The discussion also ventures into the realm of emerging challenges. Blanc examines Canada’s new data privacy laws, noting how compliance is propelling security enhancements. He raises concerns about the unchecked proliferation of Internet of Things (IoT) devices and their security implications. Looking forward, he addresses the potential disruption quantum computing may pose to current encryption standards, suggesting that tighter governance and minimizing sensitive data transmissions are key to lessening future risks.

    Concluding his insights, Blanc champions the cause for transparency and the cultivation of trust in the evolution of novel technologies like artificial intelligence. By recounting instances where companies concealed failures, resulting in costly long-term repercussions, he calls on technology leaders to acknowledge and communicate the potential adverse impacts of their innovations. His advocacy for informed public discourse stands as part of his broader commitment to providing a measured perspective amidst the swift pace of technological advancement.

    LinkedIn: www.linkedin.com/in/alexandre-blanc-cyber-security-88569022

    RCGT: www.rcgt.com

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • This Kitecast episode features Jason Rebholz who has an extensive background in cybersecurity. He is currently the CISO at Corvus Insurance, which he joined in 2021. He also serves as an advisor for NetDiligence and MOXFIVE. Previously, Jason served as the VP of Strategic Partnerships for ICEBRG, which was acquired by Gigamon, VP of Professional Services for The Crypsis Group, and Manager at Mandiant.

    Jason founded the educational initiative, “Teach Me Cyber,” that is available on YouTube and LinkedIn with the objective of making cybersecurity topics more accessible to general audiences. This was motivated by often seeing technical news coverage using jargon and screenshots that average readers would struggle to comprehend. Through short daily lessons on platforms LinkedIn and YouTube, Jason breaks down cybersecurity topics in simple terms anyone can understand. His goal is to help even one more person gain practical knowledge to improve their organization’s security.

    In the podcast interview, Jason discussed a recent high-profile ransomware attack and provided insight into the challenges of containing and remediating active attacks, noting that it is very difficult to fully kick attackers out of an environment within a short time frame. Jason emphasized the importance of having strong monitoring and rapid response capabilities in place.

    Multi-factor authentication (MFA) was another topic Jason covered. He highlighted that while MFA is crucial, organizations must be thoughtful about which types they enable, as weaker forms can still be bypassed. He advocated for the adoption of the most secure MFA options available to get the full risk reduction benefit using zero-trust principles.

    Managing third-party cyber risk was also discussed. Jason argued that current third-party assessments often provide a false sense of security. He recommended assuming vendors have poor security and mitigating the impact via actions like limiting data sharing, controlling where sensitive data goes, and ensuring you can revoke access.

    LinkedIn: www.linkedin.com/in/jrebholz

    YouTube: www.youtube.com/@teachmecyber

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • This Kitecast episode features an interview with Chris Rose, a Partner at Ariento, a leading cybersecurity, IT, and compliance service provider. He has extensive experience in cybersecurity, having previously served as an instructor at UCLA where he taught cybersecurity and privacy courses. Chris holds an MBA and a master’s in computer science from UCLA, as well as a bachelor’s degree from Cal Poly.

    During the podcast interview, Chris provides an overview of the Cybersecurity Maturity Model Certification (CMMC) framework and its origins within the defense industry. He explains that CMMC builds upon existing NIST 800-171 requirements for protecting controlled unclassified information that contractors already must comply with. However, CMMC adds a critical component—independent third-party assessments done by C3PAOs (Certified Third-party Assessment Organizations).

    Chris believes CMMC will likely gain final approval in early 2024 based on the rulemaking process. He notes that reciprocity with frameworks like FedRAMP could help ease the compliance burden for contractors. For companies using cloud services, Chris strongly advises leveraging solutions that have achieved FedRAMP Moderate Authorization or above.

    When asked about readiness across the Defense Industrial Base (DIB), Chris indicates that primes are pushing their subcontractors to get prepared. However, smaller companies are still in a wait-and-see mode in some cases, trying to weigh the costs versus risks. He emphasizes that companies should focus first on proper scoping of assets and information that will be in scope for CMMC assessments.

    Chris also provides tips for selecting a C3PAO, noting that risk mitigation and technical competence are top evaluation criteria for most mid-market and enterprise clients. He also discusses Ariento’s experience with adjacent standards like FedRAMP, ISO, and ITAR that provide relevant expertise for CMMC advisory services.

    LinkedIn: www.linkedin.com/in/cmmc

    Ariento: www.ariento.com

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • Katie Arrington, former Chief Information Security Officer (CISO) for the U.S. Department of Defense and member of the US House of Representatives, discusses her experience as CISO, noting that the position was newly created in 2019 to address urgent cybersecurity threats. In the role, she aimed to establish consistent standards for cybersecurity across the Department of Defense, including weapons systems, critical infrastructure, and the defense industrial base. A key challenge was overcoming the different cybersecurity approaches between military branches and establishing a unified culture.

    Regarding the Cybersecurity Maturity Model Certification (CMMC), Arrington explains it was initially conceived as a unified standard for defense contractors to demonstrate implementation of NIST 800-171 security controls. Hundreds of industry representatives helped develop CMMC 1.0. Arrington expresses that she regrets not fully eliminating the use of Controlled Unclassified Information (CUI) as an indicator of whether contractors needed certification, believing all defense contractors should adhere to CMMC standards given growing threats.

    Arrington highlights the massive cyber threats posed by nation-states like China, Russia, Iran, and North Korea, which she says are targeting U.S. defense contractors to steal key technologies and intellectual property. She points out that China has a dedicated cyber army aimed at making China the world’s economic superpower. Russia has shown its cyber capabilities already in interfering with elections. These adversaries are relentless in exploiting vulnerabilities across the entire supply chain.

    For defense contractors bidding on DoD projects, Arrington authored a white paper that estimates per-employee costs for cybersecurity based on company size. She believes contractors should build these costs into project bidding. Arrington argues CMMC is now just about verifying NIST 800-171 compliance, not evaluating maturity, so she anticipates the name changing in the future. In preparation for CMMC 2.0 Level 2 compliance audits, she recommends that contractors proactively get audits now rather than waiting until CMMC becomes a DIB mandate to address urgent threats.

    Regarding supply chain risks, Arrington indicates primes cannot fully see risks beyond tier-one suppliers. She urges primes to contractually require CMMC certification from all subcontractors to improve security against threats that can enter anywhere in the supply chain.

    Arrington stresses that cyberattacks are constant and rapidly evolving. No organization can be 100% secure. However, by implementing standards like NIST 800-171, organizations can mitigate these risks. Adherence to cybersecurity frameworks is critical today, an important focus for national security as cyber threats continue escalating.

    LinkedIn Profile: https://www.linkedin.com/in/katie-arrington-a6949425/

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • CEO and Entrepreneur Jean Phillip Bernier, the CEO of AnniQ and Spin Quantum Tech, shares his enthusiasm for AI and Quantum Computing technology advances. Bernier tracks the progress of Quantum Computing, especially IBM’s rapid development from a 5-qubit machine in 2017 to a prediction of a 100,000-qubit machine by 2033. The staggering quantum processing power, he believes, could unlock problem-solving potential beyond our current imagination.

    Bernier spotlights the role of cloud computing in democratizing technology. He reminisces about the early computing era when Sun Microsystems’ technologies were out of reach for many due to high costs. Cloud computing has flipped this narrative, transforming sophisticated, expensive technology tools to something affordable to organizations of virtually any size. Anyone with a credit card can delve into Quantum Computing capabilities. This, in turn, fosters a thriving community of quantum algorithm enthusiasts and learners.

    Bernier explores three real-world applications of Quantum Computing: 1) business operations optimization, 2) AI algorithm acceleration, and 3) most significantly, a unique encryption method known as “entropic encryption.” This approach is a game-changer for data security. Traditional encryption relies on the secrecy of a single key, which is under threat with quantum technology’s ability to consider all possible solutions simultaneously. Entropic encryption offers a fresh perspective by harnessing the inherent chaos and entropy of quantum states, hiding data in a sea of what appears to be random noise. The data is unreadable without the correct pattern, providing a new layer of security and a multiplicity of decryption avenues.

    To make sense of the complex Quantum Computing world, Bernier draws parallels between Newton’s concept of gravity and the superposition principle in quantum mechanics. Just as gravity influenced falling objects before Newton quantified it, Quantum Computing uncovers existing, yet previously unexplored data patterns. At the same time, Bernier acknowledges the nascent state of Quantum Computing, referring to recent incidents of broken algorithms as a part of the technology’s learning curve.

    When it comes to cybersecurity, Bernier predicts a convergence of AI and Quantum Computing. He shares about an ongoing project Spin Quantum Tech is managing with a U.S. company, where they are leveraging both Quantum Computing and AI to develop a novel anti-ransomware solution. The team is capitalizing on the power of Quantum Computing to rapidly explore a multitude of decryption keys, paired with AI’s predictive and learning capabilities, to swiftly identify and implement the correct decryption pattern. This fusion of technologies is expected to create a dynamic solution, capable of not only recovering information held ransom but doing so in a manner that eliminates the necessity for victims to negotiate with cybercriminals. The project is pioneering in its approach and could radically reshape the cybersecurity landscape, providing robust defenses against the ever-evolving threat of ransomware.

    LinkedIn: https://www.linkedin.com/in/jean-phillip-bernier-artificial-intelligenge-marketing-analytics-quantum-computing/

    AnniQ: https://www.anniq.ai

    Spin Quantum Tech: https://spinqtech.com/

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

  • Billy Spears, Teradata’s CISO since 2021, stresses reciprocal learning and community in cybersecurity in a Kitecast episode. He believes each interaction offers learning potential and guides his volunteering decisions based on potential mutual benefits.

    Spears discusses the evolution of cybersecurity standards since his time at the Department of Homeland Security. Initial efforts focused on creating policies and frameworks, while today's challenge is managing an overabundance of inconsistent frameworks. Companies need to navigate from the least to most restrictive frameworks, factoring in their needs, risk tolerance, global economic influences, regional regulations, and data handling practices. Spears highlights that compliance, while important, is not the sole determinant of strong security.

    Spears emphasizes resource and cost management in implementing new cybersecurity technologies. As a CISO, he believes in cross-functional thinking across IT systems, including product, engineering, and marketing. The impact of technology solutions on business decisions must be considered holistically, assessing financial aspects with procurement teams for a comprehensive impact evaluation.

    The cybersecurity skills shortage continues, and Spears suggests three mitigation strategies. First, avoid bias in recruitment towards candidates who reflect hiring managers. Second, dispel the misconception that cybersecurity is solely technical and hire non-technical roles like auditors, project managers, and governance professionals. Finally, combat the retirement of senior leaders by thinking creatively in recruitment, promoting cross-training, community engagement, university partnerships, and succession planning.

    Spears emphasizes understanding the variety in AI. It’s not a single product but an array of algorithms and models used for different outcomes. Awareness of these differences is critical in cybersecurity to discern the benefits and risks of each AI model, like understanding blockchain. He advocates for education as key to navigating AI’s advantages and potential hazards.

    LinkedIn: www.linkedin.com/in/billyjspears/

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.