Listen Now

"If you want to engage your audience and get them involved in security rather than having to force them to do it, you need to give them something worth their time and attention."Making trainings for any audience can be hard, especially when it's mandatory. Tune in this week as Jen Stone (MCIS, CISSP, CISA, QSA) chats with Ian Murphy (Founder of Cyber Off, CISSP, FPCS, CITP) about his approach to making trainings more enjoyable.Listen to learnTips to make your trainings more enjoyableHow to have fun with boring topicsHow to respond to negative feedbackConnect with Ian on LinkedIn

Tune in this week as Jen Stone (MCIS, CISSP, CISA, QSA), Matthew Heffelfinger (Director of SIEM Operations, GSTRT, CyRP (Pepperdine), GRCP, SSAP, ITIL4-F, GISF, PECB), and Forrest Barth (SOC Analyst, CISSP, CMNO, Security+) wrap up this season with the TOP 10 breaches of 2021!Join us for SEASON 3 of SecurityMetrics Podcast this January!

Learn more at SecurityMetrics.com"That's one of the reasons why our audit team is so good, because we share the wing with forensics, and we're talking about what's happening out there. Our forensics consulting isn't theoretical. It isn't some monthly magazine saying 'look out for this... this might be happening,' this IS what's happening. This is the analysis of the very data we're collecting."It can be difficult to build cybersecurity into your budget and receive approval from senior decision makers. Tune in this week as Jen Stone (MCIS, CISSP, CISA, QSA) speaks with Lee Pierce (Director of Sales Operations for Security Metrics) about the factors that affect costs of various cybersecurity services.Listen to learn:-How much cybersecurity services generally cost-What factors can affect pricing-How to reduce compliance assessment costs

"One thing that I learned from the circle was how to come out of my comfort zone and tell my story to other people. When it comes to something technical, I can talk for hours, but apart from that it's very hard for me. So this was one take away for me, apart from all the learnings - both technical and non-technical - that really helped me a lot."Making your way in cybersecurity is easier if you have a team supporting you. Tune in this week as Jen Stone (MCIS, CISSP, CISA, QSA) speaks with Aastha Sahni (Lead CyberSecurity Instructor at Flatiron School | Founder & Global Lead - Breaking Barriers Lean in Circle), Shrutirupa Banerjiee (Web Application Security Analyst| Tech Lead at Breaking Barriers Lean in Circle), and Saman Fatima (Data Engineer at Macquarie Group | Management Lead at Breaking Barriers Lean in Circle) about the work they do to invite and support others on a cybersecurity career path.Listen to learn:-How a team can help support your cybersecurity journey-Strides being made at Breaking Barriers-What the future looks like for this supportive groupConnect with our guests:https://cyberpreserve.com/community/https://www.linkedin.com/company/breaking-barriers-women-in-cybersecurity-lean-in-circle/

Everybody has their own path to finding the job that's right for them. It's often easy to get discouraged when you're in the middle of the path to reach your desired goal. Tune in this week as Jen Stone (MCIS, CISSP, CISA, QSA) speaks with Luana Pascu (Cybersecurity Researcher, GSEC) about her personal journey, and how you can find the path in data security that's right for you.Listen to learn:- How to find your passion within cybersecurity- Education steps to reach your desired role- How to track your journey into the workforceConnect with our guest: https://www.linkedin.com/in/luanapascu/

"With network segmentation, we really are looking for isolation. We want to get that 'thing' and put it into a safety deposit box where you have secure access to it. Nobody else has physical or logical access to it. That's really what we are trying to do with segmentation."Network segmentation is often used to reduce the scope of a PCI DSS compliance assessment, but it is even more important as a security strategy for your environment.  Tune in this week as Jen Stone (MCIS, CISSP, CISA, QSA) speaks with Chris Skarda (PCI DSS QSA, CISSP, CISA, CCNA) about how network segmentation can support your compliance and security efforts.Listen to learn:-What “network segmentation” means-How network segmentation can reduce the scope of your compliance assessment-Why network segmentation can improve your security stanceSHOW LESS

"Zero Trust is essentially a security initiative saying that you are going to assume that attackers are present in any environment you're working in. The main goal of that is to remove implicit trust in the design and implementation of whatever you're doing."“Zero trust” is something we hear a lot about but in many cases it seems to be a buzzword used to sell us something. However, it can be an excellent approach to security when done well. Tune in this week as Jen Stone (MCIS, CISSP, CISA, QSA) speaks with Geoffrey Sanders (Senior Member of the Technical Staff/Situational Awareness Team, Software Engineering Institute/CERT Division, Carnegie Mellon University) about the tenets of zero trust and where to get started in implementing zero trust in your environment.Listen to learn:How privacy and security are relatedWhere to start when you need to understand how laws and regulations apply to youWhat direction policy and legislation are taking to address cybercrimeConnect with our guest: https://www.linkedin.com/in/sandersgeoffreyLearn more:SEI Website: https://www.sei.cmu.edu/ Zero Trust Adoption: Managing Risk with Cybersecurity Engineering and Adaptive Risk Assessment (Blog): https://insights.sei.cmu.edu/blog/zero-trust-adoption-managing-risk-with-cybersecurity-engineering-and-adaptive-risk-assessmentZero Trust Adoption: Benefits, Applications, and Resources (Podcast): https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=737526

Preparing for a third-party security assessment or compliance audit can be a daunting experience -- especially if it’s your first time.  Tune in this week as Jen Stone (MCIS, CISSP, CISA, QSA) speaks with Brian Gross (VP, Product & Technology, FISERV) about how he prepared his organization to respond successfully to a PCI DSS assessment, followed by a HIPAA audit.Listen to learn:How a third-party assessment can benefit your businessWhere to start to build your security programWhat elements support successful completion of an auditLearn more at SecurityMetrics.com

"Some security is better than no security. If you are a small business, and you don't have all the resources to invest in a huge cybersecurity program, that's ok! Start with the basics, such as strong passwords, the use of VPNs, and trainings on cyber threats like phishing and malware."Privacy and security considerations can be difficult to get your arms around; when laws and regulations come into play they add another layer of complexity. Tune in this week as Jen Stone (MCIS, CISSP, CISA, QSA) speaks with Victoria E. Beckman (Lead Digital Crimes Unit Americas - Corporate, External, and Legal Affairs for Microsoft) about the relationship between privacy, security, and legal matters in our digital world.Listen to learn:How privacy and security are relatedWhere to start when you need to understand how laws and regulations apply to youWhat direction policy and legislation are taking to address cybercrimeConnect with our guest: https://www.linkedin.com/in/victoriabeckman

"We all rely on service providers to keep our businesses afloat. I get asked all the time,  'How do I know that this service provider is going to be careful with my data?' Service providers can elevate our risk, while at the same time giving us really important services that we need. "When using service providers, managing your 3rd party risk can be a challenge. Tune in this week as Jen Stone (MCIS | CISSP | CISA | QSA) talks with Paul Poh (CISSP, CISM, CRISC, CIPP/US) about how we can best manage and minimize that 3rd party risk that often comes with using these service providers.Listen to learn:-Things to look for when choosing a service provider.-Keeping your data secure with your service provider.-Things you need to know about your own security.Paul Poh on LinkedIn - https://www.linkedin.com/in/paulpoh/[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

"A lot of people don't realize, kids are smart! They know how to get around these controls that are in place. So the more informed you are as a caregiver, the more you can keep an eye on things that are going on with your kids and that they are getting the right information and aren't going to negative places."The internet is a vast and often dangerous place. With increasing threat actors prying to target these vulnerable young ones, protecting our kid's from harmful places online is crucial to keep them safe and secure. Tune in this week as Jen Stone (MCIS | CISSP | CISA | QSA) speaks with Teressa Gehrke (Founder and CEO of PopCykol) about how we can prevent our kids from finding out the hard way the dangers of the internet.Listen to learn:How to best communicate to kids about internet safety.How we can approach kids after an incident has occurred.Tools and resources for every age to learn about internet security.Visit https://www.popcykol.com/ to learn more.[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

"Security is hard, even for professionals. There are a ton of things to know. As a defender, you have to be right 100% of the time. As an attacker, you kinda just have to get lucky once. If you go out there and educate people (in your company) about security, then they can become an ally for you."Join us this week as Jen Stone(MCIS | CISSP | CISA | QSA) and Matt Halbleib (CISSP | CISA | QSA (P2PE) | PA-QSA (P2PE)) discuss all the things you can do to better prepare you and your company for a risk assessment. Listen to learn: How to better know your scope to be ready for your assessmentHow to teach security between departmentsHow to make PCI work for you[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Subscribe to the Podcast!With so much ransomware stories in the news this year, one would think that ransomware is a new technique used by threat actors. In reality, ransomware has been around for almost a decade, and so have the basic principles on how to protect yourself from getting hit with it. Join Gary Glover (CISSP, CISA, QSA, PA-QSA) and Jen Stone (MCIS, CISSP, CISA, QSA) as they teach all you need to know about what ransomware is, and how to stay safe from it. Listen to learn: What is ransomware?Why does ransomware seem to be so effective?How can I protect my business from being vulnerable to ransomware?Resources:-https://www.cisa.gov/

"It's the nature of our team's roles that there's always going to be trade-offs. It's hardly ever a simple decision between A and B. So you need to lean into that and get more comfortable with ambiguity." Having clear and open communication with your IT or security team is essential to maintaining a secure business. Although, if the correct steps are not taken, working alongside these teams can be challenging. Tune in this week as Jen Stone (Principal Security Analyst MCIS, CISSP, CISA, QSA) and Dutch Schwartz (Strategic Lead of Amazon Web Service’ Global Security Services) talk about how to build a straight-forward, strong relationship with your IT and security teams.Listen to learn: Steps to improve interpersonal relationships within your IT departmentHow to maintain good communication between departmentsHow to approach problem solving tasks with multiple teamsResources:Dutch's LinkedIn: https://www.linkedin.com/in/dutchschwartz/Dutch's Twitter: https://twitter.com/dutch_26 Download our Guide to PCI Compliance! - https://info.securitymetrics.com/pci-guideDownload our Guide to HIPAA Compliance! - https://info.securitymetrics.com/hipaa-guideAccess our free cybersecurity and compliance conference - www.securitymetrics.com/summit[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

"I have a passion to keep people safe online, especially young ones. I don't expect kids to pick up this book and understand the concepts right away, but I want to empower the adults to teach. " Teaching data security and internet safety to the next generation can prove to be challenging. From the complex tools to the vast vocabulary, it's no simple thing to learn. Today, Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) sits down with Curtis Brazzell as they discuss his recent endeavor to better help children learn, and parents teach about data security.Listen to learn: Curtis's cybersecurity ABC book, "M is for Malware" How to better teach our young ones how to be safe onlineHelping to teach those just entering the data security fieldGet your copy of "M is for Malware" at https://misformalware.com/

“What is managed security? It’s about trusting your business to someone else.”Whether you call it outsourcing, partnering, or hiring, choosing an MSSP is a decision that can seriously affect a business. SecurityMetrics Director of SIEM Operations and SecurityMetrics News Host, Matt “Heff” Heffelfinger, talked with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) about the many factors that go into choosing the right security firm for your business. With experience at General Electric, NBC, and TJ Maxx, Heff’s breadth of knowledge and experience allow him to see threats in the long term and help you avoid problems down the road.Listen to learn:Types of managed security (MDR versus MSSP) and what they doHow to determine the security services your business needsResources to help you ask the right questions, create better contracts, maintain or end relationships, and get the most from your MSSPHow to Choose the Right MSSP for Your Small to Medium BusinessSecurityMetrics Threat Intelligence Center

Subscribe to the SecurityMetrics Podcast“Is there really a shortage of skills in cybersecurity? Or are we just looking at it the wrong way?”Director of Information Security and IT at BEEM Technologies, Naomi Buckwalter (CISSP, CISM) discovered hacking at Vanguard, where she joined a class and learned to hack from scratch. Her experiences as a software security architecture, security engineer, career advisor, mentor, and speaker have given her a broad spectrum of insight about the so-called cybersecurity “skills shortage.” In this episode, Naomi talks with Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) about why mythology and gatekeeping in cybersecurity are holding the industry back and creating an uncertain future.Listen to learn:Why new professionals see barriers in cybersecurity and what industry veterans need to do to paint a better pictureHow improving emotional intelligence and culture in the cybersecurity community can help us better fight cybercrimeTips for people who want to get started in cybersecurity

“What is our responsibility as leaders of security teams? It’s doing security right from the beginning; from the design. It has to be there.” Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) welcomes Vandana Verma: Security Architect IBM, Vice Chair of the Global Board of Directors at OWASP, leader at InfosecGirls, and founder of Infosec Kids. As a prolific speaker and thought leader in the cybersecurity space, Vandana is vocal in the efforts to help women and youth build their communities in cybersecurity. She has trained over 10,000 diverse candidates and brings an undeniable enthusiasm and passion to security research. Listen to learn more about:The role of cyber threat intelligence in application development.Ways to gamify security to avoid a checkbox mentality and prevent costly security issues.How machine learning, AI, and adaptive access are rapidly changing access security. Vandana on LinkedinInfosec GirlsOWASP

Dr. Oren Eytan joins Jen Stone (Principal Security Analyst, MCIS, CISSP, CISA, QSA) to discuss his experiences as a cybersecurity leader in both the military and civilian realms. After serving in the Israeli defense forces, two degrees in Electrical Engineering, and time at Motorola, Dr. Oren Eytan continues the fight against malware as the CEO of Odix. Today he helps protect businesses in all sectors, including utilities and technology.Listen to Learn:Why creative thinking is crucial to cyber securityLessons learned from protecting critical infrastructure The relationship between connectivity and vulnerability Connect with Dr. Eytan on LinkedInOdix

Subscribe to the SecurityMetrics PodcastThere’s been a lot of chatter and anticipation about the release of PCI DSS v4.0. In this episode, SecurityMetrics VP of Assessments, Gary Glover (CISSP, CISA, QSA, PA-QSA), talks with Host Jen Stone (MCIS, CISSP, CISA, QSA) about what merchants can expect and how they should prepare right now. As part of the PCI DSS assessor community, Gary has worked with the council in special groups and on committees to develop the new PCI Data Security Standard. He has been in payment security for over 16 years and has a background in both rocket science and software development.Listen to learn:How the PCI Data Security Standard started and where it’s goingWhat the Customized Approach is and how it differs from the current approachWhat role you and your security assessor will play as PCI DSS 4.0 is rolling outConnect with Gary on LinkedInDownload our Guide to PCI Compliance!Download our Guide to HIPAA Compliance![Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.