42 minutes | a month ago
How to Get Cybersecurity Buy-In: SecurityMetrics CEO Brad Caldwell | SecurityMetrics Podcast 21
“The single biggest contributor to data breaches is a lack of testing. You have to be testing, you have to be reviewing, you have to have pentests.”

After experiencing a data breach as a small business owner 20 years ago, SecurityMetrics CEO Brad Caldwell (CISSP, CISA, QSA, PFI) set out to provide affordable data breach prevention and remediation to businesses of all sizes. Since then, SecurityMetrics has tested over a million systems and provided cybersecurity services and audits for tens of thousands of businesses. In a special episode of the podcast, Brad sits down with Host and Principal Security Analyst Jen Stone (MCIS, CCSFP, CISSP, CISA, QSA) to discuss how security complexity has evolved, what he’s learned from over 20 years in the cybersecurity and PCI compliance industry and in data breach investigations, and tips to keep a cool head in the wake of a data breach.

Listen in to learn:
- Common mental roadblocks people face in making security a priority
- The number one problem with incident response plans
- Tips to keep a cool head when experiencing a data breach
42 minutes | a month ago
3 Myths about PCI Compliance that Cost You Time | SecurityMetrics Podcast 20
John Elliot has a knack for illuminating the relationship between security and compliance. With over ten years in information protection and compliance consulting, and as Director of Industry Standards at Mastercard, John helps explain the relevance of security and industry standards to customers and those in the wider payment ecosystem. Today he sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to reveal the three biggest myths about PCI DSS compliance and how they hinder security.

Listen in to learn:
- How the PCI Security Standards Council and the major card brands work together.
- The areas of compliance that are most critical and timely to preventing data breaches.
- Tips for organizations to make PCI “business as usual,” maintain compliance controls, and stay compliant through major changes.

Download our Guide to PCI Compliance!
Download our Guide to HIPAA Compliance!
38 minutes | 2 months ago
The Language of Security | SecurityMetrics Podcast Episode 19
“If we think we’re fluent in security because we’re using the same words we’ve always used, we’re in danger.”

With over 30 years in the FinTech industry, Dale Laszig has a long-range view of trends and technology that she has turned into a busy tech journalism career. Dale spoke with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) about the language of security: how the way we talk about it affects the way we approach it. Dale and Jen wax poetic to uncover the meta “matrix” that supports commerce and makes the world go ‘round.

Listen in to learn:
- How payments security attitudes have changed and why it matters today
- The concept of “zero trust,” and the practical application of a security perimeter
- Jen’s quick take as a Security Analyst on industry trends and myths

Connect with Dale:
LinkedIn
DSL Direct
dale@dsldirectllc.com
Northrop Grumman Fan
44 minutes | 2 months ago
The CISO Role: Social Strategies for Enterprise Security | SecurityMetrics Podcast 18
“Gaps in security are behavioral . . . find out what drives behavior at your company, and you will find your vulnerabilities.”

As the Strategic Lead of Amazon Web Services’ Global Security Services Team, Dutch Schwartz talks with SecurityMetrics Podcast Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to define what CISOs need to understand about human motivation in order to strategize security programs, utilize company culture, and protect critical data.

Listen in to learn:
- How the CISO position has changed in the last decade and how it’s currently defined.
- The surprising differences in intellectual property between companies and the role those differences play in security.
- Why culture and social strategy should be more important to a CISO than technology, and tips for facing company culture challenges.

Resources:
https://www.linkedin.com/in/dutchschwartz/
https://twitter.com/dutch_26
Download our Guide to PCI Compliance! - https://info.securitymetrics.com/pci-guide
Download our Guide to HIPAA Compliance! - https://info.securitymetrics.com/hipaa-guide
Access our free cybersecurity and compliance conference - www.securitymetrics.com/summit

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
46 minutes | 3 months ago
Successful PCI Programs at Large Organizations | SecurityMetrics Podcast 17
When your organization has 300 Merchant IDs (MIDs) in a multi-modality environment, leading a PCI DSS compliance program is no easy task. This week, Host and Principal Security Analyst Jen Stone welcomes guest Robbyn Lennon, Senior Merchant Services Program Coordinator at the University of Arizona, along with SecurityMetrics Principal Analyst Michael Simpson to talk about large-scale PCI DSS compliance from both a QSA and a client perspective.

Robbyn explains in detail how she established a PCI DSS compliance program at the University of Arizona. With over 10 years of experience, she shares her three-part strategy: “Engagement, leadership, and encouragement.”

- How to reduce scope in a large PCI DSS compliance program by organizing merchants into “pods.”
- Why a focus on leadership as opposed to management helps employees take accountability for their job processes.
- The tools, training, and documentation you need to empower merchants and improve your PCI program.

Robbyn on LinkedIn
Learn more at SecurityMetrics.com
35 minutes | 4 months ago
5 Things You Can Do Now to Prevent Cyber Attacks and Data Breach Damage | SecurityMetrics Podcast 16
“It’s our friends and family–our moms and dads–who shop online and are affected when a bad guy gains access. So we take it personally,” said SecurityMetrics SOC/SIEM Director, Heff. Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) continues this sentiment by saying “When businesses go down, people suffer. Every business we can protect helps elevate the quality of life for the people who are associated.”

At SecurityMetrics, we monitor the threat landscape around the clock. And currently, that landscape is not only vast, it’s complex. Never have companies faced so many challenges, and hackers know it. Data protection measures need to be based on our new global landscape and the latest threats. Today, Heff, Jen, and SOC Analyst Forrest Barth discuss the threat landscape in depth and cover the five most important things you can do now to prevent an attack.

Listen to this episode to learn:
- What the “Fujiwhara Effect” is and why it can make cybersecurity feel overwhelming.
- New terms and trends demystified: cyber empathy, vishing, endpoint definition, and Zero Trust architecture.
- Why bringing work computers home and social engineering make for a disastrous combination.

Heff, SIEM Operations Director
Forrest Barth, Analyst
Learn more at https://www.securitymetrics.com/
35 minutes | 4 months ago
Data Privacy Compliance: A Critical Moving Target | SecurityMetrics Podcast 15
“A lot of people in the security world want to talk about security, not compliance. But you can’t help secure things if you don’t know what you’re supposed to be securing,” says host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA). In this episode, NuSkin Data Governance Analyst, Gabrielle Harris (CIPP/E, CIPM, MSML) explains how security and compliance are permanently entwined: “Even though ‘compliance’ has a negative connotation and ‘security’ has a positive one, the truth is that compliance builds brand reputation and trust with customers. Protecting data is an ethical thing, and we would all hope that whoever is protecting ours is taking it seriously.”

With experience in over 50 markets, Harris brings a big-picture understanding, a positive attitude, and a tireless work ethic to privacy programs.

Listen to this episode to learn:
- Pervasive attitudes and pitfalls that can hinder GDPR, HIPAA, and CCPA compliance
- Critical points in your step-by-step compliance process that build rapport and respect, including whom to involve and when
- What you need to understand about the differences between security standards and privacy law

Gabrielle Harris LinkedIn
CIPP Certification
32 minutes | 5 months ago
6 Phases of an Incident Response Plan | SecurityMetrics Podcast 14
Subscribe to the SecurityMetrics Podcast

“Something has happened.” Your company has experienced the worst: a data breach. You’ll need to answer questions. You’ll need to implement emergency operations and plans, run backup and talk to investigators. Not a convenient time to start your Incident Response Plan.

According to Dave Ellis, SecurityMetrics VP of Investigations (GCIH, PFI, QSA, CISSP), an Incident Response Plan is, in short, “What you do ahead of time, in preparation for an event that you hope never happens.” Ellis sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss in detail the phases of an IRP, along with the circumstances, variables, and options surrounding this “worst case scenario.”

Listen to learn:
- Emergency-Mode Operations, contingency planning, and the recovery phase
- How to get initial buy-in from your executives, C-suites, and decision makers
- Case studies and examples from the field: the practical realities involved in maintaining a current Incident Response Plan
- Tips to avoid, handle, and learn from data breaches, ransomware, and other types of malware

Learn more
2020 SecurityMetrics HIPAA Guide
2020 SecurityMetrics PCI Guide
56 minutes | 5 months ago
Cloud Security: What You Need to Know | SecurityMetrics Podcast 13
When Liberty Mutual offered Craig Olsen a lateral leap from Developer to Security Analyst, he took it–and hasn’t looked back since. Now a Cybersecurity Architect, Olsen reflects on the last fifteen years and his role in the transition from one-person internal security departments, to a full-blown industry with unique technologies, solutions, and issues.

When it comes to the cloud, many companies are unsure or hesitant. Some may not even know for sure if they’re using it. Often, this is based on a lack of understanding or familiarity with cloud security.

Olsen and Host Jen Stone sit down for an in-depth discussion about cloud solutions, including:
- What we can learn from companies who’ve experienced data breaches in the cloud
- How to leverage the unique qualities of the cloud to improve security and support growth
- Simple steps anyone can take to build foundational layers of security–areas like passwords, policies, encryption, and compliance

Craig Olsen on LinkedIn
Learn more
37 minutes | 6 months ago
Jobs in Cybersecurity: Competency vs. Education | SecurityMetrics Podcast 12
In today’s podcast, Dr. Eman El-Sheikh (Director of the Center for Cybersecurity at the University of West Florida) sits with Host and Principal Security Analyst Jen Stone to discuss how we can creatively approach cybersecurity careers from all perspectives.

“We have over half a million open cybersecurity jobs as we speak. And, unfortunately, that number is trending up.”

As Director of the Center for Cybersecurity at Western Florida, Dr. El-Sheikh plays a vital role in recruiting future cybersecurity leaders.

Listen in to learn:
- What is required for a career in cybersecurity. Do you need a degree? Certifications? Or neither?
- How a skills-based approach can complement–not contradict–an educational approach
- How we as a cybersecurity industry can foster innovation and diversity while continuing education and training

“We take a multi-disciplinary approach, and our message is that regardless of what you’re interested in: programming, IT, engineering, policy, law, management, psychology, or criminal justice, there are pathways to gain cybersecurity knowledge and skills, and there are great jobs waiting for you on the other side.”

You can learn more about Eman’s work at:
Center for Cybersecurity at University at Western Florida
NIST National Initiative for Cybersecurity Education (NICE)
Learn more at Securitymetrics.com
52 minutes | 6 months ago
How to Prepare for a PCI DSS Assessment | SecurityMetrics Podcast 11
A successful PCI DSS assessment requires a fair amount of preparation and scheduling far in advance. These activities may seem like a lot of work, but they are actually the best way to make your assessment less overwhelming, help you control time and cost, and avoid worst-case scenarios. With thousands of PCI DSS assessment hours between them, SecurityMetrics Principal Analysts George Mateaki (CISSP, CISA, CISM, QSA, PA-QSA) and Jen Stone (MCIS, CISSP, CISA, QSA) sit down to “talk shop” and share stories from the field.

Listen in to learn:
- How remote assessments work and tips to make them go more smoothly.
- What you should do a year, 9 months, 6 months, and 3 months before your first assessment. Plus, what to do in between assessments to save time and resources.
- An overview of the PCI audit timeline–from initial contact to signing of the report on compliance (ROC).
- How to balance the need for functionality and access at organizations with the goal to protect data.

Learn more

*Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
36 minutes | 7 months ago
Penetration Testing: The Humanity Behind the Hacking | SecurityMetrics Podcast 10
Paul Poh (CISSP, CISM, CRISC, CIPP/US) has had an interest in cybersecurity since before the internet as we know it existed. From his first exposure to the “Morris Worm” in the early ‘90s as a software engineer at Tufts University, to his current role as Partner at Radical Security, Paul’s mixture of curiosity and wisdom have helped him maintain the perspective needed to be a successful penetration tester. He shares his insights with our Host Jen Stone (Principal Security Analyst, CISSP, CISA, QSA) on why it’s the small things that can take down an organization’s security.

“Your Software Development, Engineering, and DevOps can all be great. But a malicious actor can still break a password, attack your source code, and insert a backdoor that would then be pushed into production. You can do a great job protecting production, but if a hacker can find something small, they will.”

Listen in to learn:
- Case studies that compare typical security measures to actual threats and vulnerabilities
- Penetration testing requirements, preparation, tips, timing, timeline, and best practices
- Tips for choosing a penetration testing firm and the surprising qualities that make for a good penetration tester

Paul Poh on LinkedIn
2020 SecurityMetrics PCI Guide
46 minutes | 7 months ago
Cloud Security: Management VS Implementation | SecurityMetrics Podcast 9
As a former US Air Force Cyber-Warfare Technician, Vince Romney (CISSP) has been able to leverage his unique military experience in the private sector–most recently as CTO of SK2 Technology, developing high-security encryption applications. In this episode, he joins Host Jen Stone (Principal Security Analyst, CISSP, CISA, QSA) to explore cloud security challenges in the corporate world, but also to share the valuable insights about risk analysis and mitigation which he gained during his military service.

Listen in to learn:
- Common misconceptions about the security, implementation, and risk management required for cloud solutions.
- How decision makers in the corporate world can apply specific risk assessment principles and methods used in the military.
- Lessons learned in military operations that will help you increase the discipline, honesty, and problem-solving ability within your organization’s security program.

“You can live a much calmer life if you accept that your work is never done. Readjust your mindset to see that if you want to succeed in cybersecurity, you should be constantly engaged in learning new concepts and trying new tactics.” –Vince Romney

Vince Romney on LinkedIn
SecurityMetrics Guide to PCI DSS Compliance

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
40 minutes | 7 months ago
Diversity and Mentorship in Cybersecurity | SecurityMetrics Podcast 8
“We need each other. Cybersecurity is a global event and we need all the brains,” says Noreen Njoroge. “Threat actors don’t care where you are from or what your social status is. They are there to attack everybody. As cybersecurity specialists, we should also have that mindset. It’s a community effort. I have to help my brother, my sister, my coworker, my friend, know how to better defend themselves against attacks.”

Njoroge imbues that same philosophy into her cybersecurity mentoring projects. As a Security Threat Engineer at Cisco, President of North Carolina Women in Cybersecurity, and leader of the Mentors and Mentees Group for Women in Cybersecurity, she has a unique perspective on the humans who make up the cybersecurity industry.

Today, she sits down with our Host and Principal Security Analyst, Jen Stone, to discuss:
- How making more “room at the table” for diverse thinking strengthens our defensive stance and improves cybersecurity around the globe.
- The qualities that make for a good cybersecurity analyst and how to get the most out of a mentor/mentee relationship.
- How the industry can recruit more security analysts with diverse skills, strengths, and backgrounds.

Women in Cybersecurity (WiCyS)
2020 SecurityMetrics HIPAA Guide
2020 SecurityMetrics PCI Guide
36 minutes | 8 months ago
Automating Your Cybersecurity Processes | SecurityMetrics Podcast 7
Tom Hatch, Co-founder and CTO of Salt Stack, Inc and host of "The Hacks", sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss:
- How cybercriminal activity has become automated and widespread
- How to use automation to help close your security gaps and reduce infrastructure management challenges
- The need for maintaining your applications and having different types of IT individuals address security issues

"We live in the era of continual cyber warfare, and that warfare isn't just between nation states. It's between crime syndicates, crime groups, and hacker groups that seemingly spawn from nowhere. Even a handful of folks–or even a single person–can have a very big impact when they perform these attacks." Thomas Hatch

"As an assessor, I'm seeing a gap between the people who know there's a problem, the people who have to fix the problem, and then the people who have to approve that there was a problem and that the problem has been fixed." Jen Stone

Resources:
Download our 2020 Guide to HIPAA Compliance! - https://info.securitymetrics.com/hipaa-guide-2020
Download our 2020 Guide to PCI Compliance! - https://info.securitymetrics.com/pci-guide-2020
Check out Tom's "The Hacks" podcast! - https://www.saltstack.com/the-hacks/
34 minutes | 8 months ago
Business Continuity during Healthcare Crisis | SecurityMetrics Podcast 6
In healthcare, it’s common to encounter the attitude that “HIPAA is complicated.” Naturally, this leads to people finding ways to make HIPAA seem irrelevant or useless. However, this belief couldn’t be further from the truth and leads to increased risk for patients, especially during times of crisis.

Donna Grindle of the “Help Me with HIPAA” Podcast sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss:
- How to address the gaps in understanding and myths about HIPAA that hinder healthcare providers
- Various approaches to administrative safeguards like Business Contingency Plans and Disaster Recovery Plans
- Ways to leverage the requirements of HIPAA to better protect individuals and organizations

2020 SecurityMetrics HIPAA Guide - https://info.securitymetrics.com/hipaa-guide-2020
2020 SecurityMetrics PCI Guide - https://info.securitymetrics.com/pci-guide-2020
Learn more at SecurityMetrics.com
Check out Donna's "Help Me with HIPAA" podcast! - https://www.youtube.com/channel/UCut7RuWxal0925CS2yEpSHw

*Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
42 minutes | 9 months ago
How Can I Prevent Ransomware? | SecurityMetrics Podcast 5
Of all the types of malware, ransomware is one of the most dangerous. In this episode, Jen Stone (Principal Security Analyst, CISSP, CISA, QSA) sits down with Dave Ellis (VP Forensic Investigation, GCIH, CISSP, QSA, PFI) to discuss:
- What you should do before, during, and after a ransomware attack
- Stories from the field about ransomware attacks and responses
- The “compliance versus security” debate in the effort to prevent ransomware

“When it comes to your cybersecurity, don’t trust anything. Games, quizzes, and other fun apps seem harmless, but may very well be collecting personal data or installing backdoors on systems,” says Ellis.

2020 SecurityMetrics HIPAA Guide: https://info.securitymetrics.com/hipa...
2020 SecurityMetrics PCI Guide: https://info.securitymetrics.com/pci-...
Learn more at https://www.securitymetrics.com/
Resources: https://www.securitymetrics.com/blog/...

*Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
36 minutes | 9 months ago
Phishing and Malware Attacks Amidst COVID-19 | SecurityMetrics Podcast 4
In this episode, Jen Stone (Principal Security Analyst, CISSP, CISA, QSA) sits down with Matt Heffelfinger (Director of SIEM Operations, GSTRT, CyRP (Pepperdine), GRCP, SSAP, ITIL4-F, GISF, PECB) and Forrest Barth (SOC Analyst, CISSP, CMNO, Security+) to discuss:
- How threat actors are leveraging the COVID-19 crisis climate to prey on businesses and individuals
- Current phishing and social engineering scams to watch out for and how to avoid them
- Security awareness tips you can share with those most vulnerable to cyber scams and attacks

Resources: https://www.securitymetrics.com/blog/covid-19-cyber-attacks-threat-report-and-best-practices
2020 SecurityMetrics HIPAA Guide: https://info.securitymetrics.com/hipa...
2020 SecurityMetrics PCI Guide: https://info.securitymetrics.com/pci-...
Learn more at https://www.securitymetrics.com/

*Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
34 minutes | 9 months ago
How to Prevent Formjacking and E-commerce Skimming | SecurityMetrics Podcast 3
In this episode, Aaron Willis (Forensic Analyst, CISSP, PFI) sits down with Jen Stone (Principal Security Analyst, CISSP, CISA, QSA) to discuss:
- What is formjacking/ecommerce skimming?
- Tools to use to prevent and avoid formjacking/ecommerce skimming
- Solutions on how to detect and track skimmers
- What to do if your data is being skimmed

Learn more at SecurityMetrics.com/webpage-integrity-monitoring
Download our Guide to PCI Compliance! - https://info.securitymetrics.com/pci-guide-2020
Download our Guide to HIPAA Compliance! - https://info.securitymetrics.com/hipaa-guide-2020

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
30 minutes | 9 months ago
Effect of COVID-19 Crisis on Healthcare IT Security | SecurityMetrics Podcast 2
In this episode, Meagan Elguera (Corporate Communications Manager) sits down with Jen Stone (Principal Security Analyst, CISSP, CISA, QSA) to discuss:
- Added pressure and stress covered entities may face during times of crisis
- How using telehealth for treatment affects privacy and security amid COVID-19
- Review of the recent bulletin from the OCR on Civil Rights, HIPAA, and Coronavirus

https://www.securitymetrics.com/
PCI Guide: https://info.securitymetrics.com/pci-guide-2020
HIPAA Guide: https://info.securitymetrics.com/hipaa-guide-2020
Get a quote: https://www.securitymetrics.com/pci
Resources: https://www.hhs.gov/sites/default/files/ocr-bulletin-3-28-20.pdf
© Stitcher 2020