Cybersecurity Where You Are

Technology Podcasts

Welcome to “Cybersecurity Where You Are,” the podcast of the Center for Internet Security® (CIS®). Cybersecurity affects us all whether we are surfing the web at home, managing a company, supporting clients, or running a state or local government. Join Sean Atkinson and Tony Sager of CIS every other Wednesday as they discuss trends and threats, identify ways to implement controls and infrastructure, explore best practices, and interview experts in the industry. Together, we’ll clarify these complex issues and create confidence in the connected world.

Location:

United States

Language:

English


Episodes

Episode 85: Reenergizing Collective Action at RSAC 2024

5/22/2024
In episode 85 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are live from Booth 4319 at RSA Conference (RSAC) 2024. Together, they discuss how events like RSAC 2024 reenergize collective action in the cybersecurity industry. They begin by noting how resources such as the CIS Community Defense Model (CDM) bring more data and transparency to security recommendations for the cybersecurity industry. They then look back on some of Tony's presentations at prior years of RSAC before looking at the interest surrounding supply chain security, zero trust, and artificial intelligence (AI). To address these developments, organizations must create a foundation for defense and scale rapid improvements, needs which Tony and Sean see as opportunities for collective action in the industry.

Resources:
- From Attacks to Action: An Open Community Model to Drive Defensive Choices
- The "Fog of More" - A CyberSecurity Community Challenge
- CIS Community Defense Model 2.0
- Episode 77: Data's Value to Decision-Making in Cybersecurity
- Foundational Security for Your Software Supply Chain
- Episode 44: A Zero Trust Framework Knows No End
- CIS Critical Security Controls Implementation Groups
- Episode 75: How GenAI Continues to Reshape Cybersecurity

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:50:51

Episode 84: Why We Need to Define Reasonable Cybersecurity

5/15/2024
In episode 84 of Cybersecurity Where You Are, co-host Tony Sager is joined by Brian de Vallance, Senior Advisor at Cambridge Global Advisors; and Phyllis Lee, VP of Security Best Practices (SBP) Content Development at the Center for Internet Security® (CIS®). Together, they discuss the notion of reasonable cybersecurity. They begin by providing some background about reasonableness in cybersecurity and identifying the problem we need to solve — namely, the lack of a definition of reasonableness around which organizations can build their cybersecurity program. They then discuss how a definition for reasonable cybersecurity needs to include security best practices that are doable. They conclude by exploring how CIS's work around this topic may influence its content development going forward.

Resources:
- Brian
- Phyllis
- Reasonable Cybersecurity Guide
- Reasonable Cybersecurity
- CIS Critical Security Controls
- CIS Critical Security Controls Implementation Groups
- CIS Community Defense Model 2.0

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:40:08

Episode 83: Why Meeting in Person Matters to CIS Employees

5/1/2024
In episode 83 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by nearly 20 employees at the Center for Internet Security® (CIS®). Together, they discuss the value of meeting in person to CIS workplace culture. With the company's 2024 Annual Full Staff Meeting in Orlando, FL, as their backdrop, they explore how personal relationships create a foundation for building effective teams, more agile workflows, and a sustainable sense of engagement and motivation at CIS. Along the way, they reflect on how much the company has changed since before the pandemic.

Resources:
- Episode 82: How CIS Leadership Values Team Building Events
- Episode 58: Inside CIS's Award-Winning Workplace Culture
- Center for Internet Security Named Among 2024 Top Workplaces

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:29:46

Episode 82: How CIS Leadership Values Team Building Events

4/24/2024
In episode 82 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by John Gilligan, President and CEO at the Center for Internet Security® (CIS®); and Gina Chapman, Chief Operating Officer at CIS. Together, they discuss the importance of in-person team building events. They use the pandemic as a frame to understand how events such as the 2024 Annual Full Staff Meeting preserve and cultivate CIS's workplace culture. They also look to other ongoing initiatives at the company, such as CIS Cares and the IDEA Alliance, as efforts to sustain employee engagement both in person and virtually.

Resources:
- John
- Gina
- Center for Internet Security Named Among 2024 Best Companies to Work for in New York
- CIS Leadership Principles
- Episode 43: Giving Back Through CIS CARES
- IDEA Alliance

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:22:54

Episode 81: Exploring IAM for Identity Management Day 2024

4/10/2024
In episode 81 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Daniel McIntyre, Identity and Access Management (IAM) Manager at the Center for Internet Security® (CIS®). Together, they acknowledge Identity Management Day 2024 with a discussion of IAM. They begin by looking at how IAM as a concept has changed over the years. They then explore current challenges in the modern environment and strategies for IAM to keep up with emerging threats. After emphasizing the importance of training in an effective IAM program, they conclude their conversation by sharing best practices for getting started in IAM and cybersecurity more broadly.

Resources:
- Identity Management Day
- Why Are Authentication and Authorization So Difficult?
- Tracing the Evolving Levels of Support for WebAuthn
- Episode 44: A Zero Trust Framework Knows No End
- Election Security Spotlight – Password Attacks

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:31:03

Episode 80: Advancing Common Good in Cybersecurity – Part 2

4/3/2024
In episode 80 of Cybersecurity Where You Are, co-host Tony Sager is once again joined by Philip Reitinger, President and CEO of Global Cyber Alliance. Together, they continue their discussion around Common Good Cyber. Tony and Philip begin by recapping the events of the Common Good Cyber Workshop on February 26–27, 2024. From there, they explore the perspective of IT companies and governments in supporting common good solutions for the cybersecurity industry. They conclude their conversation by looking to the future of Common Good Cyber and explaining how you can get involved.

Resources:
- LinkedIn
- Common Good Cyber Workshop: February 26–27, 2024
- Episode 75: How GenAI Continues to Reshape Cybersecurity
- Episode 60: Guiding Vendors to IoT Security by Design
- Establishing Essential Cyber Hygiene

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:29:00

Episode 79: Advancing Common Good in Cybersecurity – Part 1

3/27/2024
In episode 79 of Cybersecurity Where You Are, co-host Tony Sager is joined by Philip Reitinger, President and CEO of Global Cyber Alliance. Together, they discuss the Common Good Cyber cybersecurity initiative. Tony and Philip begin by sharing the paths that brought them to the nonprofit sector. From there, Philip recounts the events and needs that led to the formation of Common Good Cyber. They end the first part of their conversation by exploring the nature of "common good" in relation to internet technology. Both agree that common good efforts must include more than just money to produce meaningful change in the cybersecurity industry.

Resources:
- LinkedIn
- Episode 30: Solving Cybersecurity at Scale with Nonprofits
- Global Cyber Alliance
- Foundational Security for Your Software Supply Chain
- The Cost of Ignoring the Log4j Vulnerability

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:29:38

Episode 78: Conductors of Risk Building Harmony in Ambiguity

3/13/2024
In episode 78 of Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Lisa Young, Senior Metrics Engineer at Netflix. Lisa is a long-time practitioner in the cybersecurity risk, risk quantification, and metrics field. She has a rich career and experience of putting resources toward practices that protect, sustain, and make organizations resilient over time. In her current role, Lisa helps Netflix measure what works, what doesn't work, and how to optimize practices and controls that help enhance the coverage and efficacy of things that need to be done. Together, the three discuss the hurdles of harmonizing teams to determine acceptable risk in the cybersecurity ecosystem.

Resources:
- LinkedIn
- Quantitative Risk Analysis: Its Importance and Implications
- Episode 65: Making Cyber Risk Analysis Practical with QRA
- FAIR: A Framework for Revolutionizing Your Risk Analysis

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:34:58

Episode 77: How to Use Data to Make Cybersecurity Decisions

2/28/2024
In episode 77 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by Roger Grimes, Data-Driven Defense Evangelist at KnowBe4. Together, they discuss how to use data to inform your decision-making in cybersecurity. They begin by discussing the cybersecurity industry's lack of maturity in its use of data. From there, they explore the risks of not using data to make cybersecurity decisions. In Tony's words, the cybersecurity industry doesn't have to accept "perfection is the enemy of the good" as its paradigm. When we understand the data with which we can work, we can frame the information in a way to strengthen the cybersecurity posture of our respective organizations.

Resources:
- LinkedIn
- A Data-Driven Computer Security Defense: THE Computer Security Defense You Should Be Using
- Cybersecurity at Scale: Piercing the Fog of More
- Known Exploited Vulnerabilities Catalog
- Episode 60: Guiding Vendors to IoT Security by Design
- Episode 75: How GenAI Continues to Reshape Cybersecurity
- Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:49:54

Episode 76: The Role of Thought Leadership in Cybersecurity

2/16/2024
In episode 76 of Cybersecurity Where You Are, co-host Tony Sager is joined by Julie Morris, CEO and Co-Founder of Persona Media. Together, they discuss the role of thought leadership in cybersecurity. They begin by discussing misconceptions surrounding the notion of thought leadership. Next, they explore what thought leadership looks like in the context of an industry like cybersecurity and a company like the Center for Internet Security® (CIS®). Their conversation concludes with some advice on how individuals, especially senior leaders, can get started with thought leadership.

Resources:
- LinkedIn
- Episode 30: Solving Cybersecurity at Scale with Nonprofits
- Episode 75: How GenAI Continues to Reshape Cybersecurity

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:45:36

Episode 75: How GenAI Continues to Reshape Cybersecurity

2/2/2024
In episode 75 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager discuss how generative artificial intelligence (GenAI) continues to reshape cybersecurity. They begin by using Episodes 48, 49, and 56 to consider the ongoing impact of GenAI on confidence, trust, and consistency as elements of a mature cybersecurity program. After reflecting on how confidence has shaped the work of the Center for Internet Security® (CIS®) more generally, Sean and Tony conclude by revisiting the verification challenge of GenAI.

Resources:
- Episode 48: 3 Trends to Watch in the Cybersecurity Industry
- Episode 49: Artificial Intelligence and Cybersecurity
- Episode 56: Cybersecurity Risks and Rewards of LLMs
- The LLM Misinformation Problem I Was Not Expecting
- Episode 44: A Zero Trust Framework Knows No End
- Defining "Reasonable" Security with a Risk Assessment Method

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:51:30

Episode 74: The Nexus of Cybersecurity & Privacy Legislation

1/19/2024
In episode 74 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Brian de Vallance, Senior Advisor at Cambridge Global Advisors; and Carlos Kizzee, Senior Vice President (SVP) for Multi-State Information Sharing and Analysis Center® (MS-ISAC®) Strategy & Plans at the Center for Internet Security® (CIS®). In recognition of Data Privacy Week on January 21-27, 2024, they discuss the nexus of cybersecurity and privacy legislation in the United States. They begin by reviewing how the privacy laws passed by U.S. states over the past several years all include a cybersecurity element – namely, the effort to implement "reasonable" cybersecurity around protecting consumers' data. They then look to the future and consider how the laws will lead to regulations and, in turn, enforcement actions that will help raise our understanding of consumer privacy rights and how they can be defended.

Resources:
- CIS Controls v8 Privacy Companion Guide
- What is Cyber Threat Intelligence?
- Defining "Reasonable" Security with a Risk Assessment Method
- Episode 49: Artificial Intelligence and Cybersecurity
- Cybersecurity at Scale: Piercing the Fog of More

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:47:24

Episode 73: A YIR for Our 2023 Cybersecurity Predictions

1/5/2024
In episode 73 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager use our 2023 cybersecurity predictions to understand how the industry changed last year. They discuss progress and challenges around Artificial Intelligence (AI), zero trust, and other key trends they and others brought up in our blog post, "Our Experts' Top Cybersecurity Predictions for 2023." They also promise a similar year in review (YIR) for our 2024 cybersecurity predictions, for which 17 experts at the Center for Internet Security® (CIS®) contributed their thoughts.

Resources:
- Episode 56: Cybersecurity Risks and Rewards of LLMs
- Episode 44: A Zero Trust Framework Knows No End
- Embedded IoT Security: Helping Vendors in the Design Process
- Cyber Insurance Price Increases Highlight Ransomware Defense
- Episode 63: Building Capability and Integration with SBOMs

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:55:21

Episode 72: Cybersecurity in Education as a Balancing Act

12/22/2023
In episode 72 of Cybersecurity Where You Are, co-host Tony Sager is joined by Phyllis Lee, VP of Security Best Practices (SBP) Content Development at the Center for Internet Security® (CIS®). Together, they discuss "Cybersecurity: Practice What, and While, We Teach," a keynote panel where they discussed cybersecurity in education during Tech Tactics in Education: Data and IT Security in the New Now. Throughout this episode, they pull in recorded snippets from their panel. They use those recordings to reflect on IT operational challenges and the need to balance different interests in education organizations, including K-12 schools and higher education institutions. They also highlight commonalities that present not only opportunities for collaboration in the education sector but also instances where CIS can help advance cybersecurity in education through the content it produces.

Resources:
- LinkedIn
- Cybersecurity for Educational Institutions
- Episode 71: Advancing K-12 Cybersecurity Through Community
- The Cost of Cyber Defense: CIS Controls IG1
- CIS Critical Security Controls Version 8
- U.S. Cyber Challenge

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:01:07:23

Episode 71: Advancing K-12 Cybersecurity Through Community

12/8/2023
In episode 71 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by Carlos Kizzee, SVP for the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) Strategy & Plans at the Center for Internet Security® (CIS®); Dr. Bhargav Vyas, Assistant Superintendent for Compliance and Information Systems as well as Data Protection Officer at Monroe-Woodbury Central School District; and Terry Loftus, Assistant Superintendent & Chief Information Officer of Integrated Technology Services for the San Diego County Office of Education. Together, they discuss how our publication, "K-12 Report: A Cybersecurity Assessment of the 2021-2022 School Year," facilitates better decision-making around K-12 cybersecurity. They begin by considering some common cybersecurity challenges for K-12 organizations, most notably a lack of funding and skilled personnel. From there, they reflect on how entities in this sector have grown their cybersecurity maturity despite those obstacles over the past few years. Their conversation ends with guidance for getting started with a K-12 cybersecurity program.

Resources:
- Carlos
- Bhargav
- Terry
- K-12 Report: A Cybersecurity Assessment of the 2021-2022 School Year
- Multi-State Information Sharing and Analysis Center®
- Episode 69: How the NCSR Assessment Sows SLTT Cyber Maturity
- How the Foundational Assessment Makes Starting or Improving a Cybersecurity Program Easier
- Establishing Essential Cyber Hygiene
- Ransomware Defense-in-Depth

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:51:12

Episode 70: How the Media Molds Public Perception of Infosec

11/22/2023
In episode 70 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Mathew Schwartz, Executive Editor for DataBreachToday & Europe at the Information Security Media Group (ISMG). Together, they discuss the media's role in shaping public understanding and perception of infosec. They begin by considering the idea of media channels helping to educate the public about cybersecurity matters, including data breaches and digital threats. From there, they go on to talk about how the language that the media uses to report on cybersecurity affects its ability to build trust with the public. Their conversation ends by reviewing tips for how members of the public can find trustworthy media channels in the infosec space.

Resources:
- LinkedIn
- DataBreachToday.com
- Killnet Group Targeting Ukraine Supporters with DDoS Attacks
- Protecting Against Potential Russian Cyber Attacks
- Episode 68: Designing Cyber Defense as a Partnership Effort

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:46:20

Episode 69: How the NCSR Assessment Sows SLTT Cyber Maturity

11/9/2023
In episode 69 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Tyler Scarlotta, Manager of Member Programs at the Center for Internet Security (CIS). Together, they discuss how the Nationwide Cybersecurity Review (NCSR) helps U.S. State, Local, Tribal, and Territorial (SLTT) government organizations evaluate their cyber maturity. They begin by reviewing what the NCSR assessment program entails and identifying trends from previous years. They then explore the lessons learned by SLTTs through participating in the NCSR, the steps to getting involved with the program, as well as the resources from CIS and the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS- and EI-ISACs) that a participant can use to strengthen their cyber maturity.

Resources:
- LinkedIn
- Nationwide Cybersecurity Review (NCSR)
- MS-ISAC Services
- Establishing Essential Cyber Hygiene
- Episode 61: Overcoming Pre-Audit Scaries Through Governance

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:35:13

Episode 68: Designing Cyber Defense as a Partnership Effort

10/27/2023
In episode 68 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by James Yeager, VP of Public Sector and Healthcare at CrowdStrike. Together, they discuss designing cyber defense as a partnership effort. They begin by reflecting on the ongoing work of CIS and CrowdStrike to advance cyber defense together. After touching on some of the biggest trends they've seen in the threat landscape, they note how giving advice to customers around cyber defense requires partnership activity. They observe that cybersecurity companies like CIS and CrowdStrike must continue to work together, and they highlight the importance of working with customers directly to identify new angles, new challenges, and new ways of providing help.

Resources:
- LinkedIn
- CrowdStrike Partner Page
- Expanded Cybersecurity Partnership with CrowdStrike Further Protects the Public Against Potential Attacks
- Endpoint Security: The Key to Combatting Sophisticated CTAs
- Episode 56: Cybersecurity Risks and Rewards of LLMs
- CrowdStrike 2023 Global Threat Report
- SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:46:27

Episode 67: Seizing the Moment after a Cybersecurity Audit

10/13/2023
In episode 67 of Cybersecurity Where You Are, co-host Sean Atkinson is joined by Stephanie Gass, Director of Governance, Risk, and Compliance at the Center for Internet Security (CIS). Together, they discuss how to seize the moment once you've completed a cybersecurity audit. They explore the types of questions that you need to think about and the challenges you might encounter when acting upon a cybersecurity audit's findings. Additionally, they walk through a few examples of how you might consider responding to certain audit findings within your organization. Throughout the entire episode, they cite the importance of using business context to determine your priorities and a way for achieving them.

Resources:
- LinkedIn
- 6 Mitigation Strategies to Make the Most of Audit Results
- Build a Robust Continuous Audit Program in 10 Steps
- Episode 65: Making Cyber Risk Analysis Practical with QRA
- Episode 61: Overcoming Pre-Audit Scaries Through Governance
- How to Navigate the Cybersecurity Audit Cycle with CIS SecureSuite

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:40:50

Episode 66: How RABET-V Verifies Non-Voting Election Tech

10/6/2023
In episode 66 of Cybersecurity Where You Are, co-hosts Sean Atkinson and Tony Sager are joined by Mike Garcia, Senior Cybersecurity Advisor at the Center for Internet Security (CIS), and Jared Dearing, Sr. Director of Elections Best Practices at CIS. Together, they discuss the Rapid Architecture-Based Election Technology Verification (RABET-V) program. They begin by noting how the lack of a standardized verification process for non-voting election systems warranted the creation of a holistic testing approach for these technologies. From there, they explain how RABET-V differs from traditional testing methodologies by verifying non-voting election systems using a three-pronged approach. They conclude by sharing their ongoing work to improve RABET-V.

Resources:
- RABET-V
- RABET-V Launch Event
- RABET-V Final Pilot Summary and Next Steps
- Episode 63: Building Capability and Integration with SBOMs
- CIS Software Supply Chain Security Guide

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Duration:00:42:06