Kitecast

Aaron McCray: Ferrari Security: Speed With Guardrails

Wed, 11 Mar 2026 11:00:00 -0700

Can you drive a Ferrari at 150 miles per hour without its enhanced safety package? Sure. Should you? That's the question Aaron McCray, Field CISO at CDW and retired U.S. Navy Commander with 27+ years in information warfare, poses to every CISO still white knuckling their way through 2026 with a 2021 playbook. In this episode of Kitecast, host Patrick Spencer and McCray dig into why the old way of doing security isn't just outdated—it's dangerous.

McCray traces the CISO's evolution from post-COVID belt-tightener—the person whose job was to consolidate tools, justify every dollar, and basically serve as the "office of no"—to something far more consequential. Today's CISO needs to be a strategic risk executive who speaks the language of CFOs, not just firewalls. That means understanding EBITDA, financial risk quantification, and how a $350,000 investment in multi-factor authentication can translate into $35 million in reduced risk exposure. If you can't make that pitch, McCray argues, you're getting left behind.

The conversation takes a sharp turn into the AI landscape, and McCray doesn't hold back. He's seen PCs, the internet, and mobile technology reshape the world over his career, but nothing compares to what AI is doing right now. "I don't mean that to sound like hyperbole," he says. "I really don't." The speed, the capability, the risk—it's all unprecedented. And while organizations scramble to harness AI's potential, many are sleepwalking past the dangers. Shadow AI is McCray's particular concern. He describes employees accessing public AI tools through browsers, unknowingly opening backdoors that exfiltrate proprietary data and invite threats back in.

That leads to what might be the podcast's most important thread: ethics. McCray pulls no punches with real-world examples. One global organization trained AI to screen resumes and ended up systematically discriminating against qualified women. Another rushed self-driving technology to deployment before it was ready, resulting in a pedestrian's death. His message is blunt—just because you can doesn't mean you should. And without humans in the loop, governance frameworks, and genuine ethical guardrails, AI will optimize for whatever you point it at without ever asking whether it should.

McCray also makes a compelling case for data security posture management, arguing that data isn't just a cybersecurity problem—it's a business problem. His parting advice for CISOs? Stop leading with fear, uncertainty, and doubt. Stop blocking innovation. Start enabling the business to move fast—but safely. He compares it to buying a Ferrari that you can drive it stock, or you can invest in the enhanced safety package. When you're doing 150 down a two-lane road, you'll want those features.

LinkedIn: https://www.linkedin.com/in/awmccray/

Website: https://www.cdw.com/

Recommended Reading: Walt Powell, The CISO 3.0: A Guide to Next-Generation Cybersecurity Leadership

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Justin Greis: AI Meets Cybersecurity

Mon, 27 Oct 2025 10:00:00 -0700

Most organizations are racing to adopt AI without considering the security implications. Justin Greis, former leader of McKinsey's cybersecurity practice and founder of an AI-powered consulting firm Acceligence, explains why this approach creates risk and how security leaders can change the conversation.

Companies are deploying AI at different maturity levels. Some distribute AI tools to business units and wait for use cases to emerge. Others push boundaries with advanced algorithms. Few consider the associated risks. The right stakeholders often aren't in the room when AI decisions are made, either because organizations want to move fast or because security teams are underfunded and focused on daily operations. Technology companies are making AI capabilities available at unprecedented speeds, leaving organizations uncertain about securing and deploying these tools responsibly.

Security should be the foundation of trust, not an afterthought. McKinsey research found that customers make buying decisions based on product security when companies can demonstrate testing and rigor. A secure, certified product materially influences purchasing choices compared to alternatives without visible security standards.

Greis emphasizes that compliance certifications like SOC 2 or ISO represent minimum requirements, not security maturity. Organizations secure enough to meet business objectives naturally achieve compliance. The goal is translating business initiatives into security requirements that exceed baseline standards.

The Chief Information Security Officer position has shifted from back-office administrator to business enabler. AI has accelerated this change by converging infrastructure, technology, and cybersecurity into unified platforms. CISOs now have opportunities to demonstrate how they understand business context and can help organizations move faster and safer.

The challenge for security leaders is communication and relationship building. Years of underfunding forced CISOs to focus on survival rather than strategy. As security functions reach parity with other departments, more leaders can engage at the executive and board level. This shift requires CISOs to develop storytelling skills that contextualize security metrics for business audiences rather than overwhelming boards with technical details.

As AI agents begin making decisions without human oversight, organizations face new risks. The push to remove humans from decision loops creates efficiency but introduces vulnerabilities, particularly when AI accesses data it shouldn't process or makes decisions affecting vulnerable populations. Companies need frameworks to identify where human oversight remains necessary and mechanisms to monitor those boundaries.

Organizations implementing AI successfully have thought through secure development lifecycles, DevSecOps, and product operating models. Those starting from scratch face larger organizational changes to incorporate security, privacy, and responsible AI practices into development workflows.

LinkedIn: https://www.linkedin.com/in/justingreis/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Kevin Powers: From Academic to Practical Cybersecurity

Thu, 16 Oct 2025 15:00:00 -0700

Kevin Powers, Faculty Director of the Masters of Legal Studies in Cybersecurity Risk and Governance at Boston College Law School, began his professional and academic journey when he volunteered for a task force exploring cybersecurity education at Boston College. Rather than developing a purely technical curriculum, he advocated for an interdisciplinary approach that would integrate law, business, and risk management. "Cybersecurity is not just a technical issue," Powers explained during the podcast episode. Working with stakeholders from the White House, FBI, major financial institutions, and technology companies, the team built a curriculum designed to produce well-rounded cybersecurity professionals.

The program launched in 2015 and recently transitioned to BC Law School, offering 10 courses taught entirely by practitioners actively working in the field. Students include FBI agents, financial compliance officers, and executives from Fortune 50 companies, with an average age of 33.

A central theme of Powers' program is bridging the communication divide between technical teams and business leadership. With recent SEC regulations and requirements like New York's DFS Part 500 mandating board-level cybersecurity oversight, organizations need professionals who understand both technical controls and business implications.

"Boards are recognizing cybersecurity as a core business function," Powers noted, emphasizing that every company operating on networks faces operational risk when systems go down. The program prepares students to communicate cyber risk in business terms and develop governance frameworks aligned with regulatory requirements like CMMC 2.0, FedRAMP, and the NIST Cybersecurity Framework.

The program has evolved rapidly to address artificial intelligence governance. Powers redesigned his coursework after discovering AI tools could complete assignments in minutes, shifting 70% of grading to oral presentations that emphasize critical thinking over output.

Looking ahead, Powers identified cloud security and data sovereignty as critical concerns. Many organizations mistakenly believe SaaS platforms automatically back up their data, leaving them vulnerable during incidents. The CDK Global attack on car dealerships illustrated how unprepared businesses can be when cloud services fail.

Beyond academics, Powers emphasizes creating networks. Graduates maintain connections with government agencies, financial institutions, and technology companies, facilitating collaboration across sectors. The program hosts the annual Boston Conference on Cybersecurity, which draws hundreds of attendees including CISOs from major sports franchises and law enforcement leaders.

For organizations navigating increasingly complex regulatory landscapes, Powers' message is clear: cybersecurity expertise must extend beyond technical skills to encompass governance, compliance, and strategic business alignment. As cyber threats evolve, professionals need frameworks like NIST to demonstrate reasonable security practices to regulators while protecting operational continuity.

LinkedIn: https://www.linkedin.com/in/kevin-powers-54893a8/

Boston College School of Law: https://www.bc.edu/bc-web/schools/law.html

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

AI and Third-Party Security "Danger Zone": 2025 Annual Data Security and Compliance Risk Report

Thu, 04 Sep 2025 21:00:00 -0700

Cybersecurity experts Heather Noggle and Dr. Arun DeSouza discussed Kiteworks' Data Security and Compliance Risk: 2025 Annual Survey Report, which introduces the industry's first quantitative risk scoring algorithm. The comprehensive study of 461 organizations reveals that 46% now operate in high- to critical-risk territory, with the median enterprise scoring 4.84 on a 10-point scale—dangerously close to the high-risk threshold of 5.0.

The experts analyzed a counterintuitive finding about third-party risk management: Organizations managing 1,001-5,000 external partners face the highest security risk (average score 5.19), surpassing enterprises with over 5,000 third-party relationships. Dr. DeSouza explained this "danger zone" phenomenon: "By nature, managing over 5,000 means you're a much bigger organization with more resources ... Many times you've got a platform-based approach." These larger enterprises can monitor risks in real time, while mid-sized partner ecosystems struggle with enterprise-level complexity on mid-market budgets—resulting in 24% experiencing 7+ annual security incidents.

Industry-specific findings revealed surprising risk disparities. Energy topped the risk charts due to legacy IoT devices and 30-year-old technologies vulnerable to exploitation. Technology ranked second, which Noggle attributed to the "overconfidence factor" and rapid employee turnover. "Tech companies are losing people so fast, they want to implement things so fast. That to me is a perfect storm," DeSouza noted. Conversely, heavily regulated sectors like life sciences demonstrated lower risk scores due to compliance-driven security investments.

The report exposed a dangerous "confidence paradox" where organizations claiming to be "somewhat confident" in data governance showed 19% higher risk scores than those acknowledging uncertainty. "Without governance you can't manage," Noggle emphasized, adding that overconfidence breeds complacency in rapidly evolving threat landscapes.

AI governance emerged as a critical vulnerability. While 64% of enterprises track AI-generated content (up from 28% in 2024), only 17% have deployed technical governance frameworks. The stakes are high—the IBM Cost of a Data Breach Report found that 97% of AI-related breaches lacked proper controls, with AI breaches costing $670,000 more than average. DeSouza warned about inherited risks like "Echo Leak," a zero-click vulnerability exploiting AI's use of historical data, demonstrating that organizations must secure not just AI models but their entire operational environment.

Poor data visibility creates cascading failures: Organizations unable to count their third parties showed 46% correlation with unknown breach frequency, while 31% of those with 5,000+ partners take over 90 days to detect breaches. As Noggle noted, "If we're back at identify and we're at detect, detect should not be that difficult if identify is done well."

Heather Noggle LinkedIn: https://www.linkedin.com/in/heathernoggle/

Arun DeSouza LinkedIn: https://www.linkedin.com/in/arundesouza/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Rick Goud: Navigating Europe’s Data Sovereignty Challenges

Mon, 25 Aug 2025 14:00:00 -0700

Dr. Rick Goud brings a unique perspective to the data sovereignty conversation, combining medical informatics expertise with entrepreneurial technology innovation. As co-founder and Chief Innovation Officer of Zivver, a secure digital communications platform acquired by Kiteworks in 2025, Goud's journey began with an unexpected twist – missing out on medical school in the Netherlands' lottery system led him to medical informatics, where he discovered his passion for solving healthcare's data security challenges. His background as a strategy consultant in healthcare, where he witnessed firsthand the alarming frequency of sensitive patient data being shared through insecure channels, sparked his mission to create solutions that balance robust security with user-friendly functionality.

The podcast reveals a fundamental tension in European data sovereignty: While Europe boasts the world's strongest data protection laws like GDPR and the upcoming EU Data Act, organizations remain heavily dependent on foreign cloud infrastructure. Goud explains that the challenge extends beyond mere infrastructure – it's the absence of true European alternatives for essential software services that creates vulnerability. He highlights recent incidents, including a French Microsoft executive's court admission that Microsoft cannot prevent U.S. government access to data without customer notification, and the shocking case of a Dutch criminal court judge whose email was blocked by Microsoft at the behest of American authorities. These examples underscore how data sovereignty encompasses not just data protection, but also continuity of service and freedom from foreign interference.

When addressing the economic realities of data sovereignty, Goud advocates for a pragmatic, risk-based approach rather than wholesale abandonment of U.S. cloud services. He emphasizes that organizations should start by identifying their specific risks – whether it's human error (the leading cause of data breaches), email interception, weak passwords, or phishing attacks. The solution often lies in implementing encryption layers where organizations maintain control of their own keys, effectively rendering data unreadable even if accessed by unauthorized parties. This approach allows organizations to continue using familiar tools like Microsoft 365 and Gmail while adding crucial security layers for sensitive information, avoiding the massive costs and behavioral changes required by complete infrastructure migration.

The conversation concludes with practical advice for organizations beginning their data sovereignty journey. Goud recommends starting with "low-hanging fruit" – simple security measures that can be implemented quickly, such as activating DANE (DNS-based Authentication of Named Entities) for email encryption, which despite being available for a decade, sees adoption rates of only 15% to 20%. He stresses the importance of email and file security as the primary risk points where data leaves organizational boundaries. Rather than embarking on multi-year infrastructure overhauls, organizations should focus on immediate, achievable improvements while building partnerships with trusted vendors and peer organizations facing similar challenges. This collaborative approach ensures organizations aren't navigating the complex data sovereignty landscape alone.

LinkedIn: https://www.linkedin.com/in/rickgoud/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Scott McCrady: MSPs and Identity-first Security

Wed, 02 Jul 2025 13:00:00 -0700

Scott McCrady's path to becoming CEO of SolCyber started in the server rooms of the early 2000s. Back then, he was installing Nokia security appliances and building some of the first security operations centers for major corporations. McCrady spent years at companies like Symantec and FireEye, where he learned that keeping businesses safe requires more than just technical know-how. He built Symantec's security services across Asia Pacific, managing teams in multiple countries and learning how different businesses approach security challenges. Later at FireEye, he helped launch their partner strategy during the rise of nation-state attacks. Today, he runs SolCyber with a simple mission: help companies protect themselves from identity-based attacks that bypass traditional security tools.

McCrady explained something that might surprise you: hackers don't break into networks the way they used to. Twenty years ago, they looked for open ports and vulnerable servers. Ten years ago, they targeted employee laptops and phones. Today? They steal usernames and passwords, especially administrative accounts. Insurance companies tell McCrady that nine out of ten breaches happen because someone's login credentials got compromised. The problem gets worse because IT teams often give employees more system access than they need. Why? Because it's easier than figuring out the exact permissions each person requires. McCrady shared a real example: a company with 500 employees had over 70 administrative accounts. Some hadn't been used in nine months, then suddenly started browsing the internet—a clear sign that hackers had taken control.

McCrady works with organizations that can't answer simple questions like "Where are all our security logs stored?" or "Who can access our customer data?" These aren't startups or small businesses—these are established companies with IT departments and security budgets. They have data scattered across different systems, some going to one security vendor, some to another, and some not being monitored at all. While vendors push artificial intelligence and machine learning solutions, most businesses just need help organizing what they already have. As McCrady put it, they need to get their house in order before worrying about advanced threats.

So what actually works? McCrady keeps it simple with five must-haves. First, turn on multi-factor authentication everywhere, even though software companies charge extra for it. Second, add email security beyond what Microsoft or Google provides because business email compromise is how most attacks start. Third, install endpoint detection software that catches modern malware. Fourth, run security awareness training so employees recognize phishing emails (and to keep your cyber insurance valid). Fifth, buy cyber insurance now while it's affordable. McCrady's company, SolCyber, packages these essentials into what they call "foundational coverage"—basically, outsourced security for businesses that need protection but can't afford a full security team. For larger companies, they handle the complex stuff like managing security logs from dozens of systems and responding to attacks in real-time.

LinkedIn Profile: https://www.linkedin.com/in/scottmccrady/

SolCyber Website: https://solcyber.com/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Chris Pogue: Digital Forensics in the Modern Threat Landscape

Mon, 05 May 2025 06:00:00 -0700

This Kitecast episode features Chris Pogue, Director of Digital Forensics at CyberCX, a cybersecurity veteran with 25 years of experience. Chris brings unique insights from his extensive background spanning penetration testing, executive leadership, and military instruction. As an adjunct professor at Oklahoma State University, he teaches both international business and digital forensics, emphasizing the critical importance of communication between technical and non-technical stakeholders.

Chris introduces CyberCX as "the biggest cybersecurity company you've never heard of"—a pure-play security firm with 1,500 professionals globally. Founded in Australia through the acquisition of 24 boutique security firms, CyberCX stands apart by focusing exclusively on cybersecurity expertise without the distractions of hardware sales or software development. With specialized teams including 200 penetration testers and 40 incident responders, they offer comprehensive security solutions tailored to each client's unique risk profile.

The conversation reveals alarming trends in the threat landscape, including the surprising resurgence of SQL injection attacks targeting forgotten systems and unpatched vulnerabilities. Chris explains that once an exploit is announced, threat actors typically begin targeting it within 24 to 48 hours, yet organizations often take 60 to 90 days to implement patches. The podcast also explores how ransomware tactics are evolving from simple data encryption to targeting operational technology and critical infrastructure, creating more leverage by disrupting business continuity rather than just threatening data exposure.

Third-party risk management emerges as a critical concern, with Chris noting that the traditional "castle and moat" security model has become obsolete in today's interconnected business environment. He describes how Business Email Compromise attacks frequently move laterally across supply chains, with compromised trusted partners becoming vectors for invoice fraud and malware distribution. The conversation also touches on the emerging role of AI in creating more convincing phishing campaigns and voice synthesis attacks.

Drawing on decades of experience, Chris offers this compelling perspective on security investment: "In my career, I have yet to find an organization who under-invested in cybersecurity and was thankful that they did later." With data breach costs averaging $4.5 million globally and $9 million in the United States, the economic argument for proactive security becomes increasingly clear. Don't miss this eye-opening discussion on the frontlines of cybersecurity defense.

LinkedIn Profile: https://www.linkedin.com/in/christopher-pogue-msis-6148441/

CyberCX: https://cybercx.com/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Analysis and Lessons from Kiteworks Top 11 Data Breaches in 2024 Report

Tue, 15 Apr 2025 15:00:00 -0700

In this insightful episode, cybersecurity experts Mike Crandall and Arun DeSouza join host Patrick Spencer to analyze Kiteworks' Top 11 Data Breaches in 2024 Report. Rather than just focusing on the number of records breached, the report introduces a sophisticated algorithm with seven key factors to score breaches on a scale of 1-10. This method provides a more comprehensive understanding of breach severity by evaluating financial impact, data sensitivity, regulatory compliance implications, ransomware involvement, supply chain impact, and attack vector sophistication. National Public Data topped the list with a score of 8.93, followed by Change Healthcare and Ticketmaster, both scoring 8.7.

A significant finding discussed by the experts is the shift in industry targeting patterns, with financial services overtaking healthcare as the most breached sector. The conversation emphasizes how credential theft continues to plague organizations despite sophisticated controls. Five of the top 11 breaches resulted from credential compromises, including attacks that bypassed multifactor authentication. Arun highlights that despite years of security awareness training, approximately 25% of incidents remain attributable to human error. He warns of the growing sophistication of social engineering with AI-generated phishing that will soon include voice modulation and deepfakes, making attacks increasingly difficult to detect. Mike recommends leveraging AI defensively to detect anomalous behaviors that humans might miss.

Both experts stress the critical importance of data protection and classification. Arun advocates for AI-powered data characterization and governance platforms that can proactively identify sensitive information requiring protection. Mike emphasizes the need for proper data classification, noting that organizations often struggle to differentiate between critical and non-critical data. He recommends data minimization strategies including cold storage for inactive data to reduce the potential attack surface. The experts agree that building enterprise-wide risk awareness requires collaboration across departments rather than treating security as an isolated IT function.

The panel concludes that organizations must prioritize zero-trust architecture implementation, adopt data minimization strategies, and enhance incident response capabilities. Arun frames this as a comprehensive coalition of "people, process, and technology safeguards all working together." Mike adds a sobering perspective for businesses that might not see themselves as targets: "These weren't the 11 hacks of 2024. These were the top hacks... there are literally hundreds of thousands, if not millions more. And that's you."

Top 11 Data Breaches in 2024 Report: https://www.kiteworks.com/top-data-breaches-report

Arun DeSouza LinkedIn: https://www.linkedin.com/in/arundesouza/

Mike Crandall LinkedIn: https://www.linkedin.com/in/crandallmike/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Dominic Bowen: Geopolitical Risk Planning & Management

Fri, 04 Apr 2025 12:00:00 -0700

This insightful Kitecast episode features Dominic Bowen, Partner and Head of Strategic Advisory at 2Secure in Stockholm, Sweden. With over 20 years of experience supporting business leaders, boards, and executives, Dominic brings valuable perspective from his work across cybersecurity, generative AI, risk management, and crisis response. His background spans strategic leadership positions in humanitarian organizations, military service with Special Operations Command, and law enforcement—providing him unique insights into risk management across diverse environments.

Many risks facing organizations today are predictable, not "black swan" events. Dominic emphasizes that effective risk management begins with understanding the business environment before identifying, analyzing, and mitigating threats. Companies that neglect this approach face potential disruptions, as demonstrated by European and North American businesses that expanded into China without adequate risk assessment or those slow to withdraw from Russia after its invasion of Ukraine. Businesses must recognize that events like inflation spikes, terrorist attacks, or regional conflicts aren't unpredictable—proper planning and preparation can help organizations navigate these challenges.

Cybersecurity represents one of the most pressing concerns for business leaders globally. Dominic notes that cyber threats have evolved into warfare weapons, with European officials warning businesses and citizens to prepare for heightened threats. This reality is demonstrated by the Russian attacks on Ukrainian financial institutions before the 2022 invasion and ongoing attacks against energy infrastructure throughout Europe. For businesses, this necessitates not just regulatory compliance but leveraging security frameworks as competitive advantages that enable boards and executives to move forward confidently despite increasing threats.

Artificial intelligence offers transformative benefits for risk management—when properly implemented. Organizations can gain significant advantages through AI-powered predictive analytics, automated threat detection, improved decision-making capabilities, and scenario development. Those organizations leveraging AI for fraud detection, identifying insider threats, and recognizing suspicious transactions position themselves ahead of competitors who fail to adopt these tools.

Effective risk management requires methodical approaches regardless of organizational context. Whether operating in conflict zones, developing humanitarian responses, or expanding business operations, Dominic emphasizes that the process remains consistent: understand the environment before attempting to identify or mitigate risks. Organizations that invest time in thoroughly understanding cultural, linguistic, political, and historical contexts before implementing risk mitigation strategies achieve substantially better outcomes.

LinkedIn Profile: https://www.linkedin.com/in/dominic-bowen/

2Secure: https://2securecorp.com/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Arun DeSouza: Becoming a Transformation CISO

Thu, 27 Feb 2025 07:00:00 -0800

Arun DeSouza, the Managing Director at Profortis Solutions, brings over two decades of experience as a CISO, having developed and implemented award-winning programs in identity lifecycle management and IoT security. His impressive career includes induction into the CISO Hall of Fame by the Global Cyber Startup Observatory and recognition as a top CISO by Cyber Defense Magazine. Arun’s expertise, combined with his academic background—a Ph.D. in Chemical Engineering from Vanderbilt—offers listeners a unique perspective on navigating today’s complex cybersecurity landscape.

From Chemical Engineering to Cybersecurity Leadership
Arun’s journey into cybersecurity is as unconventional as it is inspiring. Initially trained as a chemical engineer, he transitioned to cybersecurity through hands-on experience and a fearless approach to problem-solving. Faced with the challenge of managing global security for a French company, Arun built a strategic plan that not only upgraded systems but also delivered significant savings. His approach, which he calls the “power of federation,” involved collaborating with partners for discounted pricing and consolidating resources.

Navigating Cybersecurity Threats: IoT, Ransomware, and AI
Arun sheds light on the evolving cybersecurity threat landscape, particularly the rapid proliferation of IoT devices. With an estimated 75 billion IoT devices by 2025, the risks associated with insecure software, vulnerable cloud communications, and expanded attack surfaces are more significant than ever. He highlights specific challenges in manufacturing and OT security, where ransomware and supply chain attacks can cripple operations. Arun also warns of the impending threat of AI-powered supply chain attacks, which could amplify the scale and sophistication of breaches. His insights reinforce the need for robust data governance and the adoption of Zero Trust security models to mitigate these risks effectively.

Critical Role of Identity Management and Leadership
Central to Arun’s security philosophy is the concept of identity access management (IAM) as a strategic cornerstone. He introduces the idea of the “identity coin,” which blends physical security (person, device, location) with logical security (attributes, behavior, context). Arun emphasizes that security is not just about technology but also about strong leadership and communication. He advises CISOs to build relationships with senior leaders, use storytelling to convey risks, and align security initiatives with business objectives. His analogy of the CISO as the “captain of the good ship cyber” encapsulates his forward-thinking approach to navigating cybersecurity challenges.

Technical Acumen and Strategic Vision
Arun’s expertise and leadership offer actionable insights for anyone looking to strengthen their cybersecurity strategy. His forward-thinking approach to risk management, identity governance, and embracing change provides a valuable blueprint for both cybersecurity professionals and business leaders.

LinkedIn: https://www.linkedin.com/in/arundesouza/

Profotis Solutions: https://profortissolutions.com/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Chad Lorenc: Security as a Practice in the Cloud

Thu, 20 Feb 2025 21:00:00 -0800

With over two decades of experience in the cybersecurity domain, Chad Lorenc stands as a prominent voice in cloud security and enterprise security strategy. Currently serving as a security leader at Amazon Web Services (AWS), Chad has contributed significantly to advancing cloud architecture best practices and building robust security frameworks for some of the world’s most dynamic organizations. In this insightful Kitecast episode, Chad shares his expertise on cloud security, the evolving role of CISOs, and the integration of artificial intelligence (AI) into enterprise security strategies.

Evolution of Cloud Security: From Apprehension to Opportunity

In the early days of cloud adoption, organizations often hesitated to migrate their operations due to concerns over security and control. Chad reflects on this initial apprehension and explains how the cloud security paradigm has matured over the years. Many companies attempted to replicate on-premises security models in the cloud, often facing challenges with patching, incident management, and compliance. Cloud environments require unique security approaches, with a focus on building specific controls and aligning them with broader security operations and compliance requirements.

CISOs: Leading the Charge in Cloud and AI Adoption

A recurring theme in the podcast is the critical role of CISOs in driving cloud and AI strategies. Chad offers valuable advice to CISOs, encouraging them to lead cloud adoption initiatives rather than being pulled into projects at the last minute. He highlights the tangible security benefits of cloud environments, such as the ease of implementing encryption and other advanced security controls. By taking a proactive approach, CISOs can not only enhance security but also achieve cost savings and operational efficiencies.

Embracing AI and Navigating Regulatory Challenges

As organizations increasingly integrate AI into their operations, compliance and security become critical considerations. Chad discusses how the shift to data lakes and the acceleration of AI adoption have transformed cloud security conversations from traditional security measures to compliance and audit readiness. The conversation also touches on the complexities of shadow AI—where unsanctioned AI tools are used within companies—and how security leaders can address these challenges by aligning internal strategies with business demands. In addition, Chad sheds light on the regulatory landscape, including the growing importance of FedRAMP compliance for federal clients and the balance between rapid cloud innovation and regulatory adherence.

Charting the Future of Cloud Security with Chad Lorenc

The podcast concludes with Chad’s forward-looking perspective on the evolving cybersecurity landscape. He believes that while AI remains a dominant topic, true innovation lies in optimizing security operations and embracing technologies that drive business outcomes. Chad sees an emerging trend where CISOs are not only security experts but also strategic business leaders who contribute to overall organizational success. His parting advice to security professionals is clear: embrace new technologies like AI and cloud solutions with a strategic mindset to remain relevant and impactful.

LinkedIn: https://www.linkedin.com/in/chadlorenc/

Amazon Web Services: https://www.linkedin.com/company/amazon-web-services/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Howard Holton: Weighing AI Cyber Hype and Risks

Fri, 10 Jan 2025 08:00:00 -0800

Unveiling AI, Data Security, and Innovation

Howard Holton, the Chief Technology Officer of GigaOm, explores some of the most pressing topics in technology today. With over two decades of experience spanning roles as CTO, CISO, CIO, and consultant, Howard brings a wealth of knowledge to the conversation. His background includes leadership positions at Rheem Manufacturing, Hitachi Vantara, and Precision Discovery, where he honed his expertise in digital transformation, data science, and operational strategy. At GigaOm, Howard combines his technical acumen with a passion for helping organizations navigate the complexities of modern technology landscapes.

Generative AI: Hype vs. Reality

The conversation delves into the rapid rise of generative AI (GenAI) and the realities beyond the hype. Howard explains how businesses are grappling with this transformative technology, which, while promising, is rife with complexities. Many organizations rushed into adopting AI without fully understanding its implications, leading to inefficiencies and unexpected risks. He points out that generative AI is a powerful tool but cautions against treating it as a catch-all solution. The conversation highlights how improper use can lead to issues like misinformation, inaccurate outputs, and even legal challenges, underscoring the need for deliberate strategy in deploying AI tools.

Tackling AI Governance and Risks

Howard also provides an unvarnished look at AI governance and its associated risks. With generative AI being a relatively young technology, governance frameworks are still in their infancy. Organizations often lack cohesive tools to manage the risks associated with AI deployments. This leads to challenges in ensuring compliance with data privacy regulations and safeguarding sensitive information.

Shadow AI: The Hidden Risk

Shadow AI emerged as another critical topic in the discussion. Howard describes Shadow AI as the unauthorized use of AI tools by employees, often without the knowledge or approval of management. While employees leverage these tools to improve productivity or efficiency, this practice introduces significant risks to data security and compliance. Sensitive company data may unknowingly be exposed to public large language models (LLMs), creating vulnerabilities and potential regulatory breaches.

Advice for the Tech Community

Closing the episode, Howard offers invaluable advice for professionals navigating the ever-changing tech landscape. He underscores the importance of mentorship, curiosity, and collaboration in driving innovation. “It’s our job to help people,” he says, emphasizing the need for tech leaders to share their knowledge and foster growth within their communities. Howard also encourages organizations to adopt a mindset of continuous learning, particularly as emerging technologies like AI continue to evolve.

LinkedIn: https://www.linkedin.com/in/howardholton/

GigaOm: https://gigaom.com/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Luigi Lenguito: Getting Proactive About Your Cybersecurity

Wed, 18 Dec 2024 10:00:00 -0800

Luigi Lenguito, a pioneering figure in predictive cybersecurity, brings an extraordinary background to his role as founder and CEO of BforeAI. Before revolutionizing cyber threat prevention in 2018, Lenguito's 18-year tenure at Dell and Quest Software encompassed 26 diverse executive positions. His unconventional journey from Formula Three racing champion in Italy to tech industry innovator showcases his adaptability and vision. At Dell, Lenguito's entrepreneurial spirit shone through his creation of a groundbreaking program that bridged the gap between corporate employees and startups, demonstrating his talent for fostering innovation and maximizing human potential.

Building a Bridge Between Corporates and Startups

One of Lenguito’s most impactful achievements at Dell was creating an innovative entrepreneurship program that connected Dell employees with early-stage startups. The program grew to involve over 400 Dell employees mentoring 10 to 20 startups at any given time. Rather than following traditional corporate-startup engagement models, Lenguito’s program focused on unleashing the untapped potential of Dell employees, allowing them to utilize skills from their past experiences that weren’t being used in their current roles. This unique approach not only benefited the startups but also significantly improved employee satisfaction and retention.

From Intrapreneur to Entrepreneur

Lenguito’s exposure to entrepreneurs through the Dell program eventually inspired his own entrepreneurial journey. In 2018, he founded BforeAI after discovering research that aligned with his long-held vision of predictive cybersecurity. Inspired by the concept of “pre-crime” from the movie Minority Report, Lenguito saw the potential to transform cybersecurity from reactive to proactive that relies on continuous monitoring. His company now prevents an average of 20 million potential cyberattack victims daily, with the ability to predict threats up to nine months in advance.

Insights on Building Corporate Innovation Programs

Drawing from his experience, Lenguito shares three key principles for organizations looking to build successful corporate entrepreneurship programs. First, clearly define your purpose--understanding why you’re creating the program is crucial. Second, set clear boundaries and expectations upfront about what the program will and won't do to avoid frustration on both sides. Third, secure appropriate funding by identifying who benefits from the program’s secondary outcomes, as they should be the ones sponsoring it.

Future of Cybersecurity

Lenguito’s vision for the future of cybersecurity challenges the industry’s current “assume breach” mentality and zero trust security principles. His experience with cyber insurance providers has led to innovative hybrid models that combine traditional insurance with predictive security measures. This forward-thinking approach has earned recognition from industry leaders, with BforeAI recently being named a Gartner Cool Vendor in AI and GenAI for banking and financial services.

LinkedIn Profile: https://www.linkedin.com/in/llenguito/

BforeAI: https://bfore.ai/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

2025 Exposure Risk Report: Key Insights

Tue, 03 Dec 2024 12:00:00 -0800

The Kiteworks 2025 Forecast for Managing Private Content Exposure Risk Report offers a comprehensive analysis of emerging cybersecurity and compliance trends shaping the year ahead. The report identifies 12 pivotal trends affecting how organizations manage private content exposure risk, highlighting critical areas like data privacy regulations, software supply chain security, AI governance, and quantum computing threats. With 75% of the world's population expected to have their personal data protected under privacy laws by 2025, organizations must implement robust strategies to mitigate risks and ensure compliance.

During the Kitecast episode, cybersecurity experts Alexandre Blanc and Evgeniy Kharam discussed the alarming rise in software supply chain attacks. These attacks are projected to spiral and the associated cost. The experts emphasized that while compliance frameworks like SOC 2 and ISO 27000 standards provide baseline guidance, organizations must move beyond mere checkbox security compliance. "Alexandre explained, “Organizations often view SOC 2 or ISO certification as the end goal, but that's just the starting point. What matters is building a comprehensive security program that actually addresses real risks and maintains security posture over time."

The discussion delved deep into CMMC 2.0 compliance challenges facing defense contractors. While surveys indicate most organizations believe they're prepared for certification, the reality is starkly different: the actual number of organizations ready to pass certification requirements is quite low. Evgeniy noted, "Don't wait to start your CMMC preparation. This isn't just about checking boxes. Organizations need to understand their environment, document their processes, and implement required controls - all of which takes significant time and resources."

The Kitecast conversation highlighted growing concerns about employees inadvertently exposing sensitive data through public large language models (LLMs) and other AI tools. Rather than focusing solely on technical controls, the experts emphasized the need for comprehensive governance frameworks that include clear policies, regular training, and approved platforms for business use. You cannot just block ChatGPT and think you've solved the problem. New AI tools emerge constantly. Organizations need to educate employees about the risks and provide secure alternatives for legitimate business needs.

2025 Forecast Report

https://www.kiteworks.com/forecast-report/

LinkedIn Profile for Evgeniy Kharam

https://www.linkedin.com/in/ekharam/

LinkedIn Profile for Alexandre Blanc

https://www.linkedin.com/in/alexandre-blanc-cyber-security-88569022/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Jerod Brennen: From Music Educator to Cybersecurity Consultant and Mentor

Mon, 04 Nov 2024 13:00:00 -0800

Jerod Brennen, VP of Cybersecurity Services at SideChannel, brings a unique perspective to cybersecurity leadership. Originally pursuing a career in music education, Brennen's journey led him through various IT roles before landing in cybersecurity at a public utility. Today, he serves as a vCISO for multiple organizations while also creating educational content for LinkedIn Learning, where he has developed over 40 courses covering topics from application security to ethics in technology. His unconventional path from music to technology has shaped his approach to security leadership, emphasizing the importance of both technical expertise and human understanding.

As a vCISO, Brennen emphasizes the importance of tailored security approaches for small and medium-sized businesses. His work at SideChannel involves helping organizations across various sectors—from healthcare technology to manufacturing—build resilient security programs that align with their specific needs and capabilities. He highlights that while many of these businesses may not have the resources for a full-time CISO, they still require sophisticated security leadership to protect their digital assets and maintain compliance with industry standards. Brennen’s approach focuses on building security programs that enable business growth rather than simply implementing restrictions, ensuring that security measures support rather than hinder organizational objectives.

A significant portion of the conversation focused on the challenges of data security in modern business environments. Brennen discusses the complexities of managing data access, particularly in cloud environments, and emphasizes the importance of proper tenant separation for different environments (development, testing, production). He notes that while cost often drives initial cloud decisions, mature organizations eventually shift their focus to building stable, secure infrastructure that aligns with their business goals. The discussion delved into the increasing importance of compliance frameworks such as SOC 2 and CMMC, with Brennen sharing insights on how organizations can effectively prepare for and maintain these certifications while avoiding common pitfalls.

The discussion also touched on emerging technologies, particularly the challenges and opportunities presented by AI. Brennen addresses the growing concern among organizations about the secure use of generative AI tools, highlighting the need for clear policies around data sharing with these platforms. He emphasizes the importance of considering long-term implications of AI adoption, drawing parallels with recent events in the tech industry to illustrate the potential risks of data handling by emerging technology companies. His perspective on AI security is particularly relevant given the current landscape where many employees are already using these tools without formal organizational guidance.

LinkedIn: https://www.linkedin.com/in/jerodbrennen/

SideChannel: https://sidechannel.com/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Evgeniy Kharam: Architecting Success With Soft Skills

Mon, 16 Sep 2024 15:00:00 -0700

Evgeniy Kharam is the founder of a cybersecurity consulting company and an industry veteran with extensive expertise in cybersecurity. He advises clients on navigating the complexities of the cybersecurity landscape and co-hosts two popular podcasts focused on cybersecurity architecture and business insights. Evgeniy is also a board advisor for the Canadian Cybersecurity Network, the largest technology group in Canada. Outside of his professional life, he is an active family man with four children, including twins, and enjoys organizing snowboarding events for networking in the cybersecurity community.

Evgeniy joined the Kitecast podcast to discuss his new book, Architecting Success: The Art of Soft Skills in Technical Sales. It is a reflection on the evolution of sales engineering, especially in the cybersecurity field. Evgeniy draws from his personal experiences to address the increasingly complex nature of technical sales and the gap between technical knowledge and the ability to communicate it effectively in business terms. The book also serves as a personal challenge for Evgeniy, as he admits that writing is outside his comfort zone, and he believes that improving soft skills is often about doing what you dislike most.

During the podcast interview, one of the key topics Evgeniy discusses is the importance of soft skills in cybersecurity sales. He emphasizes the need for adaptability, listening, and the ability to connect with clients. He points out that successful cybersecurity sales professionals must adjust their approach based on the client’s mood, energy, and current situation, moving from transactional interactions to building genuine relationships.

Evgeniy also explores the dynamics between sales professionals and sales engineers. He suggests that the sales engineer’s role is not just to support the sales team but to engage in a more collaborative manner, asking the right questions to help the sales team qualify deals effectively. This dynamic allows for a smoother sales process, where both parties respect each other's expertise and play to their strengths, without crossing into each other's responsibilities.

Another major point of discussion is the impact of virtual sales in a post-COVID world. Evgeniy stresses the importance of maintaining professionalism in virtual environments, from investing in proper equipment like cameras and microphones to ensuring a polished appearance. He also highlights the growing reliance on voice communication and the need to train one's voice for better delivery, as remote work has made verbal communication a primary tool for client interactions.

LinkedIn: https://www.linkedin.com/in/ekharam/

Architecting Success: https://www.softskillstech.ca/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

John Christly: Demystifying CMMC to Protect the DIB

Mon, 19 Aug 2024 22:00:00 -0700

John Christly, VP of Services for Blue Team Alpha, and author of two cybersecurity books, brings his wealth of experience to this episode of Kitecast. With a background spanning roles such as CEO, CIO, CISO, and CTO, as well as military service, Christly offers unique insights into the world of cybersecurity compliance for Department of Defense (DoD) contractors.

In this enlightening discussion, Christly demystifies the Cybersecurity Maturity Model Certification (CMMC) process. He explains how many organizations are surprised to find they’re further along in compliance than they initially thought, thanks to existing frameworks like DFARS and NIST 800-171. However, he cautions that self-attestation is no longer sufficient, emphasizing the need for third-party verification in the new CMMC landscape.

Christly also delves into the critical role of FedRAMP certification in doing business with the government. He highlights the importance of data sovereignty and security in protecting American interests. The conversation explores the challenges of achieving “FedRAMP-like” status and the expertise required to truly build secure systems to DoD specifications.

The podcast doesn’t shy away from emerging threats, with Christly offering valuable insights on managing AI-related risks in the workplace. He stresses the importance of clear policies, employee education, and ongoing monitoring to harness the benefits of AI while protecting sensitive data. Christly’s practical advice on consolidating security tools and gaining visibility into cloud application usage provides actionable strategies for improving organizational cybersecurity posture.

Whether you’re a DoD contractor or simply interested in elevating your cybersecurity practices, this episode of Kitecast is a must-listen. Tune in now and take the first step toward robust, compliant cybersecurity for your organization.

LinkedIn

https://www.linkedin.com/in/johnchristly/

Blue Team Alpha

https://www.blueteamalpha.com

Book: NIST 800-171 Controls Made Simple: A Step by Step Guide

https://www.udemy.com/course/nist-800-171-controls-made-simple

Book: The Basics of Cybersecurity

https://www.amazon.com/dp/B0CZY65DQC

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Kayne McGladrey: Compliance as a Critical Business Enabler

Tue, 23 Jul 2024 09:00:00 -0700

Kayne McGladrey, the Field CISO at hyperproof, is a renowned cybersecurity expert with an extensive background in enhancing security landscapes across various industries. His career is marked by significant contributions in developing robust security frameworks, managing complex risk scenarios, and driving comprehensive compliance initiatives. With a deep commitment to transforming the cybersecurity field, Kayne’s insights and strategies continue to influence how organizations approach security and regulatory compliance, making him a sought-after voice in the industry.

In this Kitecast episode, Kayne McGladrey challenges the traditional view of cybersecurity as merely a cost center, proposing instead that it acts as a critical enabler of business. He eloquently explains how effective cybersecurity measures can unlock new market opportunities and help sustain revenue streams, thus fundamentally altering the narrative from a grudging investment into a strategic asset. By integrating robust cybersecurity practices, businesses can protect their operations from potential threats while enabling smooth and secure growth and innovation.

Throughout the discussion, Kayne explores the evolving landscape of compliance tools, moving away from outdated methods like manual spreadsheets to more sophisticated, automated solutions. These advanced tools are designed to streamline and enhance the efficiency of compliance processes. However, Kayne points out the challenges businesses face, such as the lack of executive buy-in, which can hinder successful integration. He emphasizes the critical need for aligning security and compliance strategies with broader business objectives to ensure a cohesive and proactive approach to managing compliance.

Kayne delves deeper into the practical challenges faced by cybersecurity teams, especially in the realms of evidence collection and risk assessment. He criticizes the persistence of outdated, manual processes that many organizations still use and advocates for a shift toward automated, more reliable methods. Such modern approaches not only save time but also improve the accuracy and effectiveness of cybersecurity measures, thereby enhancing an organization’s ability to manage and mitigate risks more efficiently.

Looking toward the future, Kayne discusses the development of a GRC (Governance, Risk, and Compliance) maturity model that he is pioneering. This model is intended to provide organizations with a clear, actionable roadmap to enhance their governance structures and compliance strategies. By adopting this model, organizations can better navigate the complexities of regulatory environments, reduce risk, and cultivate a proactive, compliance-forward culture. Kayne’s vision for the future of GRC is aimed at making compliance a seamless part of business operations, thus fostering greater organizational resilience and adaptability.

LinkedIn Profile

https://www.linkedin.com/in/kaynemcgladrey/

hyperproof

https://hyperproof.io/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Jacqui Kernot: When AI, Security, and Compliance Collide

Wed, 10 Jul 2024 11:00:00 -0700

Jacqui Kernot, the Security Director at Accenture for Australia and New Zealand, boasts over two decades of extensive experience in cybersecurity, spanning multiple industries. Recognized for her authoritative voice on diversity and inclusion alongside cybersecurity risk management, Jacqui is a well-regarded speaker who frequently addresses these pressing issues. She is committed to pushing the boundaries of cybersecurity and focused on integrating cutting-edge AI and technological advancements into the security domain.

In her recent appearance on the Kitecast episode, Jacqui illuminated the transformative impact of AI on cybersecurity. She pointed out that although AI technology is still emerging, the foundational steps taken today by organizations to build robust infrastructures will be pivotal. Jacqui stressed that companies poised to anticipate future technological needs and begin laying the groundwork for AI integration will likely lead the industry. This strategic foresight is crucial for fully realizing AI’s potential and maintaining a competitive edge in cybersecurity.

A significant portion of Jacqui's discussion centered on the imperative of data sovereignty and stringent management practices. In an era increasingly dominated by large language models and cloud-based technologies, securing and responsibly managing data is paramount. Jacqui advocated for strict data governance frameworks that ensure data is accessible only by authorized personnel, emphasizing that responsible AI deployment is fundamental to future security architectures.

Jacqui also delved deeply into the role of Zero Trust architecture in today’s cybersecurity landscape. She explained that as organizations increasingly migrate to cloud services and face more complex cyber threats, adopting a Zero Trust approach is crucial. This methodology is not only essential for blocking unauthorized access but also vital for building resilient security protocols that can robustly counteract potential breaches.

Looking forward, Jacqui shared insights on the evolving challenges and opportunities within cybersecurity. She highlighted the necessity for security strategies to remain adaptive and vigilant against new threats while also leveraging emerging technologies. The discussion touched on the need for more sophisticated security measures that can effectively safeguard against the evolving landscape of cyber threats, ensuring that organizations can protect their critical assets in an increasingly digital world.

LinkedIn Profile
www.linkedin.com/in/jkernot/

Accenture
www.accenture.com/us-en

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Kiteworks 2024 Survey Report: Expert Panel on Data Privacy and Security

Thu, 27 Jun 2024 05:00:00 -0700

The Kiteworks Sensitive Content Communications Privacy and Compliance Report is an annual survey designed to delve into the pressing issues of data privacy, compliance, and cybersecurity. This comprehensive report gathers insights from IT, cybersecurity, risk, and compliance leaders around the globe, with the latest survey capturing responses from 572 leaders across 10 different countries. The report is meticulously divided into five sections: cyberattacks and data breaches, data types and classification, compliance and risk, cybersecurity and risk management, and operational procedures. These insights provide organizations with actionable intelligence to navigate the complex landscape of data security and compliance.

This Kitecast episode features a panel discussion, with Kitecast Co-host Patrick Spencer addressing key findings in the report and soliciting feedback from Co-host Tim Freestone and two guest panelists, Alexandre Blanc and Ranbir Bhutani. Alexandre pointed out that while the frequency of cyber incidents has decreased, the scale of each incident has grown significantly. Threat actors have become more organized, targeting larger organizations with higher impact, particularly in specific verticals like healthcare and finance. This shift is likely influenced by geopolitical tensions, using cyberattacks to disrupt trust in systems and organizations. Ranbir echoed these observations, adding that the sophistication of phishing attacks has increased, often leveraging unethical AI to create highly convincing fraudulent communications.

The conversation also explored the persistent challenge of human error in cybersecurity. Despite numerous training initiatives and advanced technologies, the human element remains a significant vulnerability. Tim, Alexandre, and Ranbir emphasized that until organizations can effectively abstract human errors from business processes, this will continue to be a weak link. Ranbir shared an anecdote about a near-miss phishing attempt, underscoring the difficulty even seasoned professionals face in recognizing sophisticated attacks.

Another critical insight from the discussion involved the disparity in cybersecurity maturity across industries. The podcast revealed that higher education and state government sectors are particularly vulnerable, with a high number of reported breaches. This is attributed to underfunding and a lack of stringent cybersecurity measures. In contrast, the federal government has shown better compliance due to regulatory pressures like CMMC 2.0. The panelists agreed that while regulations are a step in the right direction, the enforcement and practical implementation of these regulations remain a challenge, particularly for smaller organizations.

Finally, the podcast touched on the issue of litigation costs associated with data breaches. The long-term financial impact of breaches extends beyond immediate operational disruptions and ransom payments. Ongoing litigation can drain resources and affect an organization’s reputation and client trust.

Kiteworks 2024 Sensitive Content Communications Privacy and Compliance Report: https://www.kiteworks.com/sensitive-content-communications-report/

Alexandre Blanc:

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Betania Allo: Using Cyber Policy to Mitigate Risk

Mon, 17 Jun 2024 11:00:00 -0700

Betania Allo is a distinguished expert in cybersecurity law and public policy and frequently presents at international forums and events. She boasts an impressive academic background with advanced degrees from Harvard University and Syracuse University. Currently, she is pursuing a doctorate in engineering with a focus on analytics at George Washington University. Her extensive experience includes serving as a Program Management Specialist and Senior Officer at the United Nations, where she addressed complex issues related to counterterrorism and technology.

This Kitecast episode delves into Betania Allo’s multifaceted career journey, highlighting her transition from law and public policy to the specialized field of cybersecurity. Her decision to move from Argentina to the U.S. for graduate studies, combined with her background in international relations and law, set the stage for her focus on cybersecurity. Betania’s efforts to bridge the gap between legal experts and technologists are emphasized, underscoring the importance of understanding both domains to effectively tackle global cyber threats.

The podcast discussion covers Betania’s tenure at the United Nations, where she worked on counterterrorism and technology. Insights are provided on how terrorist groups exploit digital platforms for recruitment, communication, and fundraising. The challenges of safeguarding these platforms and the importance of a multi-stakeholder approach involving private sector companies, NGOs, and academia are examined. Betania’s experiences during the pandemic revealed the increased vulnerability and exploitation of digital spaces by terrorist organizations.

Betania also discusses the rehabilitation and reintegration of terrorists through technology. The significance of using technology in the initial screening of individuals for accurate assessments and tailored rehabilitation programs is outlined. Despite the challenges, Betania advocates for incorporating artificial intelligence (AI) and other technologies to enhance rehabilitation efforts. Her innovative approach aims to create unified systems for better data synchronization and resource allocation, particularly in regions with limited infrastructure.

Finally, Betania argues that political decision-making needs to be tapped in prioritizing technological advancements and cybersecurity investments. Continuous collaboration between governments, tech companies, and security experts is deemed essential to stay ahead of emerging threats. As such, she points out the need for engaging training programs to build a robust cyber culture within organizations and beyond.

LinkedIn: https://www.linkedin.com/in/betaniaallo/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Edna Conway: Collaboration in Cybersecurity Policy and Practice

Mon, 15 Apr 2024 12:00:00 -0700

Edna Conway, an innovative executive and thought leader with over 30 years of experience leading cybersecurity, risk management, and value chain transformation at Fortune 10 technology companies, highlights how collaboration in cybersecurity is critical for the development of and adherence to policy and practice in this Kitecast episode. Edna is currently a Senior Fellow at the Carnegie Endowment for International Peace and CEO and Founder of EMC Advisors. She currently is an advisor or board member for a long list of technology and professional services startups and nonprofit organizations.

One theme from the discussion with Edna centered on the cybersecurity workforce shortage. She emphasized the need to look beyond traditional sources and backgrounds to find talent. This requires partnerships between companies, academia, and nonprofits focused on training and upskilling people from diverse backgrounds for cybersecurity roles. Apprenticeship and mentorship models were discussed as potential solutions.

The conversation then delved into cybersecurity policy and regulation. Edna provided her perspectives on the balance between driving security practices versus overregulation that hinders business. She noted that legislation often lags behind technology advancements, making public-private collaboration critical. Edna stressed the importance of the private sector proactively stepping up security rather than just reacting to new regulations.

Another key topic from the podcast touched on the crowded landscape of cybersecurity startups and the challenges they face. Beyond just having an innovative product, Edna emphasized the importance of serving a real customer need, providing a complete solution, and demonstrating value to multiple stakeholders in an organization beyond just the security team. Making customers’ lives easier is key to standing out.

Edna also touched on the need to embed security into business processes and objectives from the start, rather than bolting it on afterwards. She discussed the concept of “secure by design” and how leading organizations are building security into everything from their products to their supplier relationships. This proactive, holistic approach is critical to managing cyber risk in an increasingly interconnected business environment.

LinkedIn: https://www.linkedin.com/in/ednaconway

EMC Advisors: https://www.linkedin.com/company/emcadvisors

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Debra Farber: Shifting Privacy Left With Privacy by Design

Mon, 08 Apr 2024 07:00:00 -0700

Debra Farber, a globally recognized privacy, security, and ethical tech advisor with nearly two decades of experience, discusses data privacy, privacy by design, and the growing field of privacy engineering in this Kitecast episode. As the host of the Shifting Privacy Left podcast, Farber is dedicated to building a community of privacy engineers and bridging the silos between various industries and research areas.

In this Kitecast episode, Farber emphasized the importance of embedding privacy into product development from the outset. She highlighted the role of privacy engineers in assessing risks, minimizing data collection, and ensuring compliance with regulations such as GDPR. Farber also discussed the challenges organizations face in hiring privacy engineers due to the high demand and limited supply of qualified professionals in this relatively new field.

Farber explained the distinction between privacy by design and privacy-enhancing technologies (PETs). Privacy by design is a set of high-level principles focused on integrating privacy into systems from the beginning, while PETs are specific tools and techniques that help achieve compliance with data protection principles. Some examples of PETs include anonymization, homomorphic encryption, secure multi-party computing, and differential privacy.

The conversation also touched on the potential return on investment for organizations that prioritize privacy. By minimizing data collection and addressing privacy concerns early in the development process, companies can reduce downstream compliance costs, legal expenses, and the risk of fines associated with data breaches or privacy violations.

In addition to the above, Farber shared her thoughts on artificial intelligence and its impact on personal privacy. While acknowledging the potential risks, she emphasized that the real threat lies in the unchecked powers of those bringing AI to market without appropriate safety measures and testing. Farber advocates for the ethical development and deployment of AI technologies, ensuring that privacy standards are applied correctly to mitigate risks and protect individuals’ rights.

LinkedIn: https://www.linkedin.com/in/privacyguru

Shifting Privacy Left Media: https://shiftingprivacyleft.com

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Lisa Plaggemier: Empowering Digital Safety for All

Tue, 02 Apr 2024 23:00:00 -0700

In the latest Kitecast episode, Lisa Plaggemier, the Executive Director of the National Cybersecurity Alliance, discusses what it takes to empower digital safety for all peoples and organizations. With an extensive background in marketing, operations, and cybersecurity, including a decade at Ford Motor Company and senior roles at CDK Global and InfoSec, Lisa brings a wealth of experience and lessons learned to the topic. Her focus is on helping businesses and individuals protect themselves in the digital world, which enables organizations to develop better cybersecurity risk management strategies.

Lisa emphasizes the importance of consistent and clear communications when it comes to cybersecurity awareness. She highlights the success of Cybersecurity Awareness Month, an initiative founded by the National Cybersecurity Alliance, attributing its effectiveness to the consistency of the message over time. Lisa also stresses the need to demystify cybersecurity for the average person, making it more attractive and less intimidating to adopt safe online practices.

One of the key challenges Lisa identifies is the knowledge gap between IT professionals and business owners, particularly in small businesses. To address this gap, the National Cybersecurity Alliance launched a training class tailored to educate business leaders on managing cybersecurity as a function of their business. The organization also recognizes the importance of early cybersecurity education, with plans to develop age-appropriate content for children in collaboration with PBS Kids.

Lisa shares insights from the National Cybersecurity Alliance’s annual survey, revealing alarming trends such as the persistence of insecure password practices and the overconfidence of younger generations in their ability to navigate cybersecurity risks. She also discusses the need for widespread adoption of multi-factor authentication (MFA) and the role of social media companies in mandating more stringent security measures.

In addition to the above, Lisa emphasizes the National Cybersecurity Alliance’s commitment to promoting cybersecurity awareness through various initiatives, including the creation of a comedic series called Kubikle Series to engage a broader audience. With her expertise and dedication to the cause, Lisa—and the National Cybersecurity Alliance—continue to play a crucial role in empowering individuals and organizations to stay safe in the ever-evolving digital landscape.

LinkedIn: https://www.linkedin.com/in/lisaplaggemier/

National Cybersecurity Alliance: https://staysafeonline.org/

Kubikle Series: https://kubikleseries.com/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Alan Shimel: Separating AI Hype From Reality in Cybersecurity

Tue, 26 Mar 2024 17:00:00 -0700

Alan Shimel, a prominent figure in the cybersecurity industry, is the CEO and founder of Techstrong Group, a global platform that powers tech innovation and transformation across various media, research, and consulting brands. With over 25 years of experience in security, Shimel has been at the forefront of the industry, witnessing its evolution and the emergence of new technologies such as AI. In this Kitecast episode, he shares his insights on the impact of AI on cybersecurity, discussing its potential benefits and limitations while addressing the challenges faced by organizations in today’s rapidly changing landscape.

One of the key areas explored in the podcast is the influence of AI on application security (AppSec). Shimel notes that AI is making AppSec easier and faster, lowering the entry point for organizations to secure their applications. However, he also raises the question of whether AI is genuinely improving security or simply making it more accessible. Shimel suggests that while AI can help identify vulnerabilities in code more efficiently, it is essential to ensure that the quality of the generated code is high and that organizations do not become overly reliant on AI-driven solutions.

The conversation also delves into the role of cyber insurance companies in enforcing cybersecurity policies. Shimel explains that these companies are becoming the architects and auditors of security, establishing the lowest common denominator for organizations seeking coverage. While this can be beneficial in ensuring a baseline level of security, Shimel cautions that it may not always align with an organization’s specific needs or risk tolerance. He also highlights the importance of understanding the implications of cyber insurance, as insurers often have the power to make decisions on behalf of the insured organization in the event of a breach or ransomware attack.

Another critical topic addressed in the podcast is the cybersecurity skills gap. Shimel points out that despite the growing demand for cybersecurity professionals, many skilled individuals struggle to land their first job due to the industry’s preference for candidates with three to five years of experience. He emphasizes the need for organizations to provide opportunities for newcomers to gain practical experience and suggests that the skills gap will persist until the industry becomes more receptive to nurturing new talent.

Looking to the future, Shimel discusses the potential impact of quantum computing on cybersecurity. While he acknowledges that the development of stable quantum computers is still years away, he stresses the importance of preparing for the potential disruption they could bring. Shimel mentions that government agencies and regulatory bodies have already begun working on quantum-proof algorithms and certificates to ensure the continued security of encrypted data. However, he also notes that the adoption of these measures will largely depend on market demand and the willingness of organizations to invest in quantum-resistant technologies.

LinkedIn: https://www.linkedin.com/in/alanshimel/

Techstrong Group: https://techstronggroup.com/

Techstrong Podcasts: https://techstrongpodcasts.com

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Huxley Barbee: Cyber Asset Inventory Risk Management

Tue, 27 Feb 2024 09:00:00 -0800

runZero provides comprehensive visibility into an organization’s cyber assets and attack surface to empower risk and exposure management. By combining external scanning, internal asset discovery, cloud inventory, and API integrations, runZero maps all devices, software, vulnerabilities, owners, and other security attributes. This integrated view across IT, IoT, OT, mobile, and cloud contextualizes risk and priorities based on asset criticality and location inside or outside the network perimeter.

Barbee predicts major new vulnerabilities in 2024 that will catch security teams off guard as they remain overburdened dealing with patching and securing fundamental gaps. Additionally, more supply chain attacks will emerge from malware inserted through dependencies and software development pipelines over the last few years. He advises CISOs to focus on security fundamentals first, like comprehensive asset management, vulnerability management, and patching rather than getting distracted by the latest headlines on advanced persistent threats.

While compliance regulations provide helpful guardrails and budget for security programs, most organizations still struggle with basics like consistent vulnerability scanning, device monitoring, and patching. The smaller the company, the more they remain focused on backup, recovery, and threat detection rather than proactive security. Barbee highlights an energy company that resisted patching anything due to downtime risks, demonstrating the difficult trade-offs security teams face.

When submitting conference presentation proposals, clearly explain what you plan to discuss and why it matters to peers. Spend time refining the title and abstract from the selection committee’s perspective, rather than taking shortcuts. Ask colleagues or mentors to review and provide feedback to improve clarity and relevance before submitting.

For new security professionals, Barbee advises developing networking and communication skills instead of only focusing on individual skills development. He also encourages cementing core IT and networking fundamentals instead of only specializing in security too early in their career. He suggests considering complementary areas like risk management to broaden perspective beyond just vulnerabilities and controls.

LinkedIn Profile: https://www.linkedin.com/in/jhbarbee/

runZero: https://www.runzero.com

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Patrick Garrity: Safeguarding Vulnerabilities

Tue, 20 Feb 2024 13:00:00 -0800

Patrick Garrity has over 15 years of experience spanning various marketing, sales, and product roles for high-growth cybersecurity companies. For this Kitecast episode, he delves into detail on his expertise in vulnerability management.

To start the podcast episode, Garrity discusses the rapid evolution of vulnerability management over the past few years. He notes that vulnerabilities are growing exponentially in both volume and complexity, with over 25,000 new vulnerabilities identified in 2022 compared to just 5,000 several years ago. Despite this growth, many organizations still struggle to patch even known critical vulnerabilities in a timely manner. In response, Garrity emphasizes that organizations need to focus first on addressing externally facing, actively exploited vulnerabilities before attempting to tackle everything at once with their limited resources.

The podcast episode also covers the role of AI and machine learning in vulnerability management. While emerging AI tools show promise for use cases like prioritization of vulnerabilities and automated reporting, Garrity cautions that the underlying data feeding these systems needs stringent accuracy and validation. He advocates leaning on trusted threat intelligence from established providers to help inform data-driven decisions around vulnerabilities and incident response.

Shifting gears, Garrity reflects on seminal lessons learned from his experience rapidly scaling Duo Security before its $2.35 billion acquisition by Cisco in 2018. When asked by the hosts to provide career guidance to others pursuing work in the cybersecurity field, Garrity highlights the outsized importance of continually assessing the market landscape with an eye for evolution. Similarly, he stresses that individuals should embrace openness to filling a variety of roles in early-stage companies as they grow. Finally, Garrity emphasizes the urgent need for sustainable business models in cybersecurity rather than overvalued fundraising built predominantly on hype. Underpinned by this sobering perspective, he still goes on to express optimism about the industry's overall trajectory thanks to the advent of various “secure-by-design” initiatives.

LinkedIn Profile: https://www.linkedin.com/in/patrickmgarrity/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Dan Lorhmann: Cybersecurity and Incident Response in the Face of GenAI

Tue, 30 Jan 2024 17:00:00 -0800

As an author, podcaster, and field CISO focused on the public sector, Dan Lohrmann brings a wealth of experience spanning over two decades. This Kitecast episode includes a discussion of Lohrmann’s recent book, Cyber Mayday and the Day After, that he co-authored with cybersecurity expert Shamane Tan. The book shares ransomware stories and insights from executives who have faced major cyber incidents. It covers best practices for preparation, response, and recovery before, during, and after an attack. Lohrmann notes these firsthand stories reveal valuable lessons for organizations of all types.

The podcast discussion then turned to the inevitable disruption faced by today’s CISOs and cybersecurity teams. Lohrmann emphasizes the need for continuous training, tabletop exercises, and preparation for unexpected curveballs. Building an organizational culture focused on resilience rather than blame is also critical.

As conversation shifted to artificial intelligence, Lohrmann pointed out that governing and securing AI remains extremely challenging for most security teams. The proliferation of free AI tools creates substantial risk of data loss and intellectual property theft. Enterprises need much greater visibility and control over how end-users are interacting with these tools. Over the next few years, more organizations are expected to invest in enterprise-controlled AI systems focused on security and privacy.

In discussing predictions for 2024 and beyond, Lohrmann highlights his annual report compiling insights from leading cybersecurity vendors and researchers. With cyber threats growing in scale and sophistication, he emphasizes the importance of continuous learning for security leaders. At the same time, Lohrmann notes that while specific predictions should be taken with a grain of salt, the research reports paint an informative picture of what trends are unfolding.

LinkedIn Profile: https://www.linkedin.com/in/danlohrmann/

Presidio: https://www.presidio.com/

Cyber Mayday and the Day After: https://www.amazon.com/Cyber-Mayday-Day-After-Disruptions/dp/1119835305/ref=sr_1_2

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Alexandre Blanc: Assessing Cyber Risks in the Cloud and AI Era

Tue, 05 Dec 2023 16:00:00 -0800

In this Kitecast episode, Alexandre Blanc, a Cybersecurity Advisor and Consultant, brings his extensive 15-year background in cybersecurity and risk management into focus. With a significant online presence established since 2018, Blanc has become a prominent LinkedIn influencer for over 70,000 followers by offering critical insights aimed at bolstering organizational resilience.

During the podcast, Blanc delves into crucial cybersecurity and risk management topics, emphasizing the vital roles of data governance, robust access controls, and reliable backup solutions in risk mitigation and regulatory compliance. He points out a common oversight within many organizations—the underestimation of the business implications that outages and incidents can have.

Blanc sheds light on the predicaments that arise from the prevalent use of SaaS platforms, such as diminished control and limited visibility regarding updates. Moreover, he casts doubt on the extent of protection cyber insurance offers in the aftermath of cybersecurity events.

The discussion also ventures into the realm of emerging challenges. Blanc examines Canada’s new data privacy laws, noting how compliance is propelling security enhancements. He raises concerns about the unchecked proliferation of Internet of Things (IoT) devices and their security implications. Looking forward, he addresses the potential disruption quantum computing may pose to current encryption standards, suggesting that tighter governance and minimizing sensitive data transmissions are key to lessening future risks.

Concluding his insights, Blanc champions the cause for transparency and the cultivation of trust in the evolution of novel technologies like artificial intelligence. By recounting instances where companies concealed failures, resulting in costly long-term repercussions, he calls on technology leaders to acknowledge and communicate the potential adverse impacts of their innovations. His advocacy for informed public discourse stands as part of his broader commitment to providing a measured perspective amidst the swift pace of technological advancement.

LinkedIn: www.linkedin.com/in/alexandre-blanc-cyber-security-88569022

RCGT: www.rcgt.com

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Jason Rebholz: Evolution of Ransomware and Other Cyber Topics

Mon, 09 Oct 2023 16:00:00 -0700

This Kitecast episode features Jason Rebholz who has an extensive background in cybersecurity. He is currently the CISO at Corvus Insurance, which he joined in 2021. He also serves as an advisor for NetDiligence and MOXFIVE. Previously, Jason served as the VP of Strategic Partnerships for ICEBRG, which was acquired by Gigamon, VP of Professional Services for The Crypsis Group, and Manager at Mandiant.

Jason founded the educational initiative, “Teach Me Cyber,” that is available on YouTube and LinkedIn with the objective of making cybersecurity topics more accessible to general audiences. This was motivated by often seeing technical news coverage using jargon and screenshots that average readers would struggle to comprehend. Through short daily lessons on platforms LinkedIn and YouTube, Jason breaks down cybersecurity topics in simple terms anyone can understand. His goal is to help even one more person gain practical knowledge to improve their organization’s security.

In the podcast interview, Jason discussed a recent high-profile ransomware attack and provided insight into the challenges of containing and remediating active attacks, noting that it is very difficult to fully kick attackers out of an environment within a short time frame. Jason emphasized the importance of having strong monitoring and rapid response capabilities in place.

Multi-factor authentication (MFA) was another topic Jason covered. He highlighted that while MFA is crucial, organizations must be thoughtful about which types they enable, as weaker forms can still be bypassed. He advocated for the adoption of the most secure MFA options available to get the full risk reduction benefit using zero-trust principles.

Managing third-party cyber risk was also discussed. Jason argued that current third-party assessments often provide a false sense of security. He recommended assuming vendors have poor security and mitigating the impact via actions like limiting data sharing, controlling where sensitive data goes, and ensuring you can revoke access.

LinkedIn: www.linkedin.com/in/jrebholz

YouTube: www.youtube.com/@teachmecyber

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Chris Rose: Getting CMMC Ready: A C3PAO’s Perspective

Thu, 21 Sep 2023 20:00:00 -0700

This Kitecast episode features an interview with Chris Rose, a Partner at Ariento, a leading cybersecurity, IT, and compliance service provider. He has extensive experience in cybersecurity, having previously served as an instructor at UCLA where he taught cybersecurity and privacy courses. Chris holds an MBA and a master’s in computer science from UCLA, as well as a bachelor’s degree from Cal Poly.

During the podcast interview, Chris provides an overview of the Cybersecurity Maturity Model Certification (CMMC) framework and its origins within the defense industry. He explains that CMMC builds upon existing NIST 800-171 requirements for protecting controlled unclassified information that contractors already must comply with. However, CMMC adds a critical component—independent third-party assessments done by C3PAOs (Certified Third-party Assessment Organizations).

Chris believes CMMC will likely gain final approval in early 2024 based on the rulemaking process. He notes that reciprocity with frameworks like FedRAMP could help ease the compliance burden for contractors. For companies using cloud services, Chris strongly advises leveraging solutions that have achieved FedRAMP Moderate Authorization or above.

When asked about readiness across the Defense Industrial Base (DIB), Chris indicates that primes are pushing their subcontractors to get prepared. However, smaller companies are still in a wait-and-see mode in some cases, trying to weigh the costs versus risks. He emphasizes that companies should focus first on proper scoping of assets and information that will be in scope for CMMC assessments.

Chris also provides tips for selecting a C3PAO, noting that risk mitigation and technical competence are top evaluation criteria for most mid-market and enterprise clients. He also discusses Ariento’s experience with adjacent standards like FedRAMP, ISO, and ITAR that provide relevant expertise for CMMC advisory services.

LinkedIn: www.linkedin.com/in/cmmc

Ariento: www.ariento.com

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Katie Arrington: Cybersecurity in an Era of National Adversaries

Mon, 28 Aug 2023 11:00:00 -0700

Katie Arrington, former Chief Information Security Officer (CISO) for the U.S. Department of Defense and member of the US House of Representatives, discusses her experience as CISO, noting that the position was newly created in 2019 to address urgent cybersecurity threats. In the role, she aimed to establish consistent standards for cybersecurity across the Department of Defense, including weapons systems, critical infrastructure, and the defense industrial base. A key challenge was overcoming the different cybersecurity approaches between military branches and establishing a unified culture.

Regarding the Cybersecurity Maturity Model Certification (CMMC), Arrington explains it was initially conceived as a unified standard for defense contractors to demonstrate implementation of NIST 800-171 security controls. Hundreds of industry representatives helped develop CMMC 1.0. Arrington expresses that she regrets not fully eliminating the use of Controlled Unclassified Information (CUI) as an indicator of whether contractors needed certification, believing all defense contractors should adhere to CMMC standards given growing threats.

Arrington highlights the massive cyber threats posed by nation-states like China, Russia, Iran, and North Korea, which she says are targeting U.S. defense contractors to steal key technologies and intellectual property. She points out that China has a dedicated cyber army aimed at making China the world’s economic superpower. Russia has shown its cyber capabilities already in interfering with elections. These adversaries are relentless in exploiting vulnerabilities across the entire supply chain.

For defense contractors bidding on DoD projects, Arrington authored a white paper that estimates per-employee costs for cybersecurity based on company size. She believes contractors should build these costs into project bidding. Arrington argues CMMC is now just about verifying NIST 800-171 compliance, not evaluating maturity, so she anticipates the name changing in the future. In preparation for CMMC 2.0 Level 2 compliance audits, she recommends that contractors proactively get audits now rather than waiting until CMMC becomes a DIB mandate to address urgent threats.

Regarding supply chain risks, Arrington indicates primes cannot fully see risks beyond tier-one suppliers. She urges primes to contractually require CMMC certification from all subcontractors to improve security against threats that can enter anywhere in the supply chain.

Arrington stresses that cyberattacks are constant and rapidly evolving. No organization can be 100% secure. However, by implementing standards like NIST 800-171, organizations can mitigate these risks. Adherence to cybersecurity frameworks is critical today, an important focus for national security as cyber threats continue escalating.

LinkedIn Profile: https://www.linkedin.com/in/katie-arrington-a6949425/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Jean Bernier: Quantum AI: The Future of Cybersecurity

Wed, 26 Jul 2023 08:00:00 -0700

CEO and Entrepreneur Jean Phillip Bernier, the CEO of AnniQ and Spin Quantum Tech, shares his enthusiasm for AI and Quantum Computing technology advances. Bernier tracks the progress of Quantum Computing, especially IBM’s rapid development from a 5-qubit machine in 2017 to a prediction of a 100,000-qubit machine by 2033. The staggering quantum processing power, he believes, could unlock problem-solving potential beyond our current imagination.

Bernier spotlights the role of cloud computing in democratizing technology. He reminisces about the early computing era when Sun Microsystems’ technologies were out of reach for many due to high costs. Cloud computing has flipped this narrative, transforming sophisticated, expensive technology tools to something affordable to organizations of virtually any size. Anyone with a credit card can delve into Quantum Computing capabilities. This, in turn, fosters a thriving community of quantum algorithm enthusiasts and learners.

Bernier explores three real-world applications of Quantum Computing: 1) business operations optimization, 2) AI algorithm acceleration, and 3) most significantly, a unique encryption method known as “entropic encryption.” This approach is a game-changer for data security. Traditional encryption relies on the secrecy of a single key, which is under threat with quantum technology’s ability to consider all possible solutions simultaneously. Entropic encryption offers a fresh perspective by harnessing the inherent chaos and entropy of quantum states, hiding data in a sea of what appears to be random noise. The data is unreadable without the correct pattern, providing a new layer of security and a multiplicity of decryption avenues.

To make sense of the complex Quantum Computing world, Bernier draws parallels between Newton’s concept of gravity and the superposition principle in quantum mechanics. Just as gravity influenced falling objects before Newton quantified it, Quantum Computing uncovers existing, yet previously unexplored data patterns. At the same time, Bernier acknowledges the nascent state of Quantum Computing, referring to recent incidents of broken algorithms as a part of the technology’s learning curve.

When it comes to cybersecurity, Bernier predicts a convergence of AI and Quantum Computing. He shares about an ongoing project Spin Quantum Tech is managing with a U.S. company, where they are leveraging both Quantum Computing and AI to develop a novel anti-ransomware solution. The team is capitalizing on the power of Quantum Computing to rapidly explore a multitude of decryption keys, paired with AI’s predictive and learning capabilities, to swiftly identify and implement the correct decryption pattern. This fusion of technologies is expected to create a dynamic solution, capable of not only recovering information held ransom but doing so in a manner that eliminates the necessity for victims to negotiate with cybercriminals. The project is pioneering in its approach and could radically reshape the cybersecurity landscape, providing robust defenses against the ever-evolving threat of ransomware.

LinkedIn: https://www.linkedin.com/in/jean-phillip-bernier-artificial-intelligenge-marketing-analytics-quantum-computing/

AnniQ: https://www.anniq.ai

Spin Quantum Tech: https://spinqtech.com/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Billy Spears: Reciprocal and Cross-functional Cybersecurity Learning and Engagement

Thu, 20 Jul 2023 16:00:00 -0700

Billy Spears, Teradata’s CISO since 2021, stresses reciprocal learning and community in cybersecurity in a Kitecast episode. He believes each interaction offers learning potential and guides his volunteering decisions based on potential mutual benefits.

Spears discusses the evolution of cybersecurity standards since his time at the Department of Homeland Security. Initial efforts focused on creating policies and frameworks, while today's challenge is managing an overabundance of inconsistent frameworks. Companies need to navigate from the least to most restrictive frameworks, factoring in their needs, risk tolerance, global economic influences, regional regulations, and data handling practices. Spears highlights that compliance, while important, is not the sole determinant of strong security.

Spears emphasizes resource and cost management in implementing new cybersecurity technologies. As a CISO, he believes in cross-functional thinking across IT systems, including product, engineering, and marketing. The impact of technology solutions on business decisions must be considered holistically, assessing financial aspects with procurement teams for a comprehensive impact evaluation.

The cybersecurity skills shortage continues, and Spears suggests three mitigation strategies. First, avoid bias in recruitment towards candidates who reflect hiring managers. Second, dispel the misconception that cybersecurity is solely technical and hire non-technical roles like auditors, project managers, and governance professionals. Finally, combat the retirement of senior leaders by thinking creatively in recruitment, promoting cross-training, community engagement, university partnerships, and succession planning.

Spears emphasizes understanding the variety in AI. It’s not a single product but an array of algorithms and models used for different outcomes. Awareness of these differences is critical in cybersecurity to discern the benefits and risks of each AI model, like understanding blockchain. He advocates for education as key to navigating AI’s advantages and potential hazards.

LinkedIn: www.linkedin.com/in/billyjspears/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Eddie Doyle: Cybersecurity Evolutions: From the Network to Blockchains

Tue, 18 Jul 2023 16:00:00 -0700

Eddie Doyle, a renowned Security Strategist and Speaker at Check Point Software, has a fascinating career journey in the fast-paced field of cybersecurity. Doyle first understood the importance of cybersecurity in 2007 when he joined Check Point Software. Back then, it was a transformative phase; IT departments were just beginning to comprehend the concept of data centers to deal with the data influx post the dot-com era.

Interestingly, Doyle noticed that while these data centers were physically half-empty, they consumed immense power and cooling resources. Doyle navigated the rapidly evolving cybersecurity landscape, witnessing the rise of threat actors who managed to bypass physical security measures by infiltrating systems virtually—a phenomenon triggered by data outsourcing. This necessitated the introduction of network security, a critical aspect in the digital world today.

As technology advances at an unprecedented pace today, so does the acceleration of cyber threats and associated risks. Doyle is a firm believer in the effectiveness of defensive strategies over offensive ones. He points to the legal and reputational hazards of aggressive cybersecurity measures and emphasizes the need to maintain a defensive stand. Despite the challenges of the Digital Age, Doyle is very optimistic about cybersecurity’s future, especially considering the emerging industry trends. He believes that security measures, if comprehensible and straightforward, are more likely to be implemented.

Doyle uses various anecdotes from his career to illustrate his points and provide more context. Innovation can be inherently insecure, despite cybersecurity’s primary goal to protect and secure. He shares a valuable insight from a military representative who advocated for the concept of “failing forward.” This idea implies that once a cybersecurity threat has been identified and contained, it’s essential to continue looking forward and adapt, a perspective different from the typical commercial response that halts after containment.

Doyle highlights the complexity of legal issues arising from offensive cybersecurity measures, such as retaliation against a cyberattack. He also provides insight into the Dark Web’s reality, discussing the proactive measures taken by his team to stay a step ahead of potential threats. Discussing the role of private industries and citizens in cybersecurity, Doyle notes that while industries aim to defend against cyberattacks through their products and services, they generally avoid an offensive stance due to legal implications.

Doyle paints a grim picture for cybersecurity professionals. Expanding upon the methodology of cybercrime syndicates who exploit system vulnerabilities, he highlights the diabolical precision of their operations, frequently helmed by psychopathic individuals launching phishing emails and targeting victims.

Doyle reiterates the expansive global reach of such cybercrime syndicates, pushing for the creation and implementation of strategic cybersecurity tools to fend off such sophisticated attacks. He additionally emphasizes the potential of blockchain and artificial intelligence in fortifying cybersecurity measures. Acknowledging the current crisis of misinformation and declining trust in media and leadership, Doyle identifies blockchain technology—with its transparent, decentralized system for verifying authenticity and securing personal information—as a groundbreaking solution and the benefits of safeguarding personal data.

LinkedIn:

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Dr. Rebecca Wynn: Cybersecurity Mentoring Promotes Risk Management

Mon, 17 Jul 2023 10:00:00 -0700

Dr. Rebecca Wynn is the Global Chief Security Strategist and CISO at Click Solutions Group and Podcast Host for Soulful CXO and Threat Watch. In this Kitecast episode, Dr. Wynn discusses professional motivation, the importance of mentorship, and her unique approach to cybersecurity based on her diverse experience, including time in the U.S. military.

Dr. Wynn underscores the crucial role of mentors in professional development. She emphasizes that finding the right mentor depends on individual needs and suggests having multiple mentors for different aspects of one’s career. She differentiates mentors from sponsors within an organization where one works. A sponsor actively opens new opportunities for you and typically initially starts as a mentor. A sponsor is someone within your organization, whereas a mentor may or may not be a member of your same organization. When it comes to selecting mentors, Dr. Wynn states they should be individuals whose values resonate with those of the mentees.

For women in the cybersecurity field, Dr. Wynn encourages them to apply for positions, even if they have doubts about meeting all qualifications. She emphasizes that she personally ensures that all female applicants are reviewed, despite what HR algorithms might suggest. Dr. Wynn believes in conducting one-on-one discussions to identify the best position for the applicant, highlighting a recent success story where she helped an underselling candidate secure a managerial role in GRC (governance, risk, and compliance).

Throughout the podcast, Dr. Wynn shares her personal experiences, including her time caring for her elderly parents, which made her reflect on her core values and approach to work. She stresses the importance of maintaining authenticity and staying true to oneself. She also speaks about how her military background influenced her approach to cybersecurity, particularly her emphasis on GRC frameworks. According to Dr. Wynn, these frameworks allow for the fast mitigation, detection, and resolution of attacks.

When it comes to data privacy, Dr. Wynn champions the concept of Privacy by Design, which advocates for privacy measures to be built into products and systems from their inception, rather than added on afterwards. She emphasizes the idea of data having an expiration date, arguing that companies should not be allowed to keep personal data indefinitely without explicit consent. She suggests that tagging data upon creation with an expiration date could serve as a practical solution. This aligns closely with Kiteworks’ approach using digital rights management in concert with advanced security and compliance.

LinkedIn Profile: https://www.linkedin.com/in/rebeccawynncissp/

The Soulful CXO Podcast: https://soulfulcxo.com/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Albert E. Whale: Against-the-Grain Cybersecurity for Managing Cyber Risk

Wed, 07 Jun 2023 21:00:00 -0700

Albert E. Whale is a serial entrepreneur with over 30 years of experience in cybersecurity and risk management. He is the Founder and CEO of IT Security Solutions, which helps businesses secure their environments using ITS Safe™, an appliance that delivers real-time continuous protection of networks, printers, servers, clouds, modems and routers, and other equipment. Albert is a Global Ambassador at the Napoleon Hill Institute where he supports other professionals in their personal development. He also is a Startup Mentor at the Founder Institute, guiding entrepreneurs as they build their businesses. He is the author and coauthor of two award-winning books: #HACKED and #HACKED2.

In this Kitecast episode, Albert asserts that organizations must be more vigilant about third-party risk. He also argues that compliance regulations aren’t the panacea many believe them to be when it comes to thwarting cyber threats and minimizing cyber risk. Going against the grain, he argues that overemphasis on compliance regulations may leave organizations more vulnerable to cyber threats. Point-in-time security measures, which are reflective of compliance regulations, need to be replaced with continuous monitoring and scanning. Finally, Albert recommends that CISOs and CSOs abandon their efforts to adopt business speak when articulating cyber risk to executives and boards of directors. Instead, Albert contends they need to retain their specialist language to ensure conveyance of cyber risk.

LinkedIn Profile: www.linkedin.com/in/albertwhale

IT Security Solutions: http://www.it-security-solutions.com/

Published Books:

#HACKED: 10 Practice Cybersecurity Tips to Help Protect Personal or Business Information

#HACKED2: Practice Guidance for Dealing with Threats to Your Business and Privacy

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Mark Lynd: Connecting GRC With DRM

Fri, 26 May 2023 15:00:00 -0700

Mark Lynd is a former CEO, CIO, CTO, and CISO and currently serves as the Head of Digital Business at Netsync that employs a consultative and collaborative approach to help organizations architect innovative technology solutions that meet business needs. He is an author, frequent speaker on topics related to AI, IoT, and cybersecurity, is ranked in the Top 1 Globally for Security by Thinkers360, was named an Ernst & Young Entrepreneur of the Year for the Southwest Region, and is frequently interviewed by and quoted in publications such as The Wall Street Journal, InformationWeek, and others. Before his time in the private sector, Mark served in the U.S. Army’s 3rd Ranger Battalion and 82nd Airborne Division.

In this Kitecast episode, Mark discusses the significance of GRC (Governance, Risk Management, and Compliance) in today’s technology landscape, which is being propelled by accelerated evolution in cyber threats, third-party risks, and data security issues in the cloud. One outcome is that organizations must prioritize GRC strategies rather than making them an afterthought. In addition, Mark argues that Digital Rights Management (DRM) is critical when implementing a GRC strategy that addresses a zero-trust model focused on protecting sensitive content.

Beyond connecting GRC with DRM, Mark also speaks about artificial intelligence (AI), why it is important to teach cybersecurity life skills to teenagers, what he will be covering in his next book, how lack of DRM governance in the higher education sector is exposing national secrets, and more. This is an insightful discussion for anyone interested in learning from a proven leader who is dedicated to digital transformation and cybersecurity.

LinkedIn Profile: www.linkedin.com/in/marklynd

Netsync: www.netsync.com

Published Book: Cyber Security Life Skills for Teens: Life Skills for the Digital Age

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Richard Stiennon: The Good, Bad, and Ugly About AI Cybersecurity

Tue, 02 May 2023 21:00:00 -0700

Richard Stiennon, a cybersecurity pioneer, author, and industry executive, spoke about the hottest trending topic of our day in this Kitecast episode: artificial intelligence (AI). He currently serves as the Chief Research Analyst at IT-Harvest, a research organization he founded in 2017, which provides access to data on more than 3,318 cybersecurity vendors. To streamline and automate the compilation of data, Stiennon explains how IT-Harvest is using ChatGPT 4.0. On that note, Stiennon discusses how AI is transforming cybersecurity—both for the good and the bad.

Cybercriminals are finding ways around guardrails instituted in commercially available AI solutions like ChatGPT and Bard or simply developing their own to accelerate the development of malware, automate advanced persistent threats, and generate human-like phishing and spear-phishing attacks. At the same time, cybersecurity vendors are rapidly adding new AI capabilities to their product portfolios that improve the efficacy and efficiency of threat prevention, incident response, threat correlation and analysis, and more. Beyond the topic of AI, Stiennon addressed his thoughts on the role of cybersecurity leaders and subject-matter experts when it comes to serving as a board member or advisor. As a board member and advisor for a number of cybersecurity and compliance companies, he argues that organizations need to rethink how cybersecurity is discussed at the business level. Rather than teaching CISOs to speak the language of the business, they need to speak the language of cybersecurity and teach boards to understand cybersecurity risk through the lens of cybersecurity.

LinkedIn Profile: www.linkedin.com/in/stiennon/

IT-Harvest: www.it-harvest.com

Published Books:

Net Zeros and Ones: How Data Erasure Promotes Sustainability, Privacy, and Security

https://www.amazon.com/Net-Zeros-Ones-Promotes-Sustainability-ebook/dp/B0BN72M57X/ref=sr_1_3

Secure Cloud Transformation: The CIO's Journey

https://www.amazon.com/Secure-Cloud-Transformation-CIOS-Journey/dp/1945254203

UP and to the RIGHT: Strategy and Tactics of Analyst Influence

https://www.amazon.com/UP-RIGHT-Strategy-Influence-influence/dp/0985460709

There Will Be Cyberware: How the Move to Network-centric War Fighting Has Set the Stage for Cyberwar

https://www.amazon.com/There-Will-Be-Cyberwar-Network-Centric/dp/0985460784/

Surviving Cyber War

https://www.amazon.com/Surviving-Cyberwar-Richard-Stiennon/dp/1605906883/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Michael Redman: Mapping Out Your CMMC Roadmap: Insights & Tips

Fri, 24 Mar 2023 14:00:00 -0700

In this Kitecast episode, Michael Redman, who is a Knowledge & Learning Management Instructor at Schellman and is a subject-matter expert in various cybersecurity and compliance standards, spoke at length about Cybersecurity Maturity Model Certification (CMMC), the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), and other topics that are pressing concerns for the Defense Industrial base (DIB). Redman asserts that businesses must approach cybersecurity as a risk management issue, just like any other business risk. Organizations must take proactive measures to mitigate cybersecurity risks and ensure they have a robust cybersecurity program in place.

Part of the podcast discussion with Redman involved the role of Certified Third Party Assessor Organizations (C3PAOs) and CMMC compliance. He explains that C3PAOs are an interesting entity and are being asked to shoulder a whole lot of responsibility with not a lot of reward. C3PAOs are swimming in murky water and need to be patient. As we proceed closer to CMMC implementation, the good, better, and best 3CPAOs will rise to the top, and the ones that aren’t fully invested will focus their energies elsewhere.

Midway through the podcast, Redman spoke about the CMMC Standards Council, of which he is a part. He explains that the Standards Council is working to create an objective matrix that can be used to rate C3PAOs objectively. He believes this will help organizations choose the right C3PAO based on their needs and budget. The alpha version of the objective matrix was just completed and is circulating among subject-matter experts for feedback.

Redman also talks about the importance of having a risk-based approach to cybersecurity. He suggests that organizations need to identify their high-value assets and focus on protecting them. He believes a risk-based approach is more effective than a compliance-based approach, as it helps organizations focus on what really matters. He emphasizes the importance of having a cybersecurity program aligned with the business objectives of the organization and one that accounts for third-party risk management (TPRM).\

Digital transformation is driving dramatic changes in cybersecurity. The confluence of cybersecurity and compliance demands a risk management model, and one focused on keeping private data private. Organizations can no longer view cybersecurity and compliance in separate silos but rather as intertwined and predictors of risk. Kiteworks’ content-defined zero-trust approach, which relies on the Kiteworks Private Content Network, is used by thousands of organizations around the world to unify security and compliance approaches to sensitive content communications while wrapping them in a hardened virtual appliance.

For more on Schellman, visit www.schellman.com/.

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Chet Hayes: Data Privacy and Governance in the Public Sector

Mon, 13 Feb 2023 18:00:00 -0800

Vertosoft's CTO Chet Hayes is a technologist at heart and has kept his finger on the pulse of the public sector for much of his career. Early on in his career, he cut his teeth in technical software architecture roles in organizations such as Sun Microsystems, Hughes Information Technology, and BEA Systems. Based in Virginia, much of his customer-facing work was with the federal government. For the past 15 years, Hayes has worked in various senior leadership positions serving the public sector.

While government organizations face many of the same technology challenges as private sector organizations, they also have unique requirements. Federal government agencies and their supply chains, in particular, tend to be ahead of the private sector when it comes to the use of cybersecurity frameworks. In this Kitecast episode, Hayes discusses how the NIST CSF, CMMC 2.0, FedRAMP Authorization, and other federal cybersecurity standards are driving the adoption of zero trust and other security best practices. Discover what he thinks are some of the biggest security opportunities and challenges facing the government sector today and how data privacy exposure risks play into both components by listening to this podcast.

For more on Vertosoft, visit www.vertosoft.com.

For more on Chet Hayes, visit www.linkedin.com/in/chetdhayes.

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Taiye Lambo: Managing Risk Using Cybersecurity Frameworks

Fri, 27 Jan 2023 15:00:00 -0800

Serial Entrepreneur and Cybersecurity and Risk Management Pioneer Taiye Lambo has worn a lot of different hats over the course of his career. He has led cybersecurity at the Federal Reserve Bank of Atlanta, the City of Atlanta, and Harland Clarke, among others. He founded or co-founded organizations such as eFortresses (a Gartner Cool Vendor), CloudeAssurance, and the Holistic Information Security Practitioner Institute (HISPI).

In this Kitecast episode, Lambo discusses a range of topics related to cybersecurity and risk management. He argues that cybersecurity frameworks like NIST CSF, ISO 27001, and SOC 2 empower organizations to measure their risk and institute technologies and processes to manage that risk. He also overviews the HISPI Certification Program and how cybersecurity and risk management professionals can get certified.

https://www.hispi.org

https://www.cloudeassurance.com

https://efortresses.com

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Evgeniy Kharam: Pushing the Boundaries of Private Content Governance

Sat, 21 Jan 2023 21:00:00 -0800

Over 20 years ago, Evgeniy Kharam launched his career on the “high seas” as a cybersecurity engineer for the Israeli Navy and in his subsequent professional career spent over 40,000 hours in pre- and post-sales support as a cybersecurity architect and consultant working with private and public sector organizations across the spectrum—from those with 500 employees to those with more than 100,000 employees.

Kharam sees Zero Trust as a critical ingredient for any cybersecurity approach and argues in this podcast interview that protecting sensitive content requires appropriate governance tracking and controls. As part of this process, least-privilege access and employing zero trust when it comes to governance policies are crucial in managing security and compliance risks.

Check out Evgeniy's podcasts at https://linktr.ee/ekcyber.

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Bryan Hadzik: The Intertwining of Cybersecurity and Compliance

Wed, 21 Dec 2022 12:00:00 -0800

NCSi CTO Bryan Hadzik has spent over two decades with the Utah-based security and operations service provider. As cybercriminals and rogue nation-states focus their attention on hacking critical information, government and industry groups have responded by passing different compliance regulations, such as GDPR, FERPA, GBLA, PIPEDA, and others, and cybersecurity frameworks that include NIST CSF, ISO 27001, and SOC 2. Hadzik discusses how this has led to an intertwining of cybersecurity and compliance that organizations must address in order to manage private content and compliance risks effectively. He points out that insurance companies rate insurance policies based on an organization's adherence to these cybersecurity frameworks and ability to ensure compliance with data privacy regulations.

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Sylvain Hirsch: Cyber Forensics and Incident Response Through the Lens of Rugby

Fri, 18 Nov 2022 21:00:00 -0800

While Sylvain Hirsch played on the Swiss National Rugby Team over a period of eight years, he learned much about the importance of collective collaboration and response. This prepared him for a career in cyber forensics and incident response that has taken him on an interesting journey from Europe to the Asia-Pacific region. He's worked for international organizations such as Credit Suisse in threat detection and response and has spent the past two years as an incident responder at Mandiant. His academic endeavors include serving as a guest speaker at different conferences and guest lecturer and researcher at Interpol, University College Dublin, University of Lausanne, and Berner Fachhochschule. This Kitecast episode explores various aspects of cyber forensics and incident response and what Sylvain sees as best practices and anticipates will be key advances in the field.

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Josh Horwitz: A Deep Dive Into the Dark Web

Thu, 03 Nov 2022 17:00:00 -0700

Software Entrepreneur and Executive Josh Horwitz built a highly successful customer engagement software company and sold it. What was his next move? He dived into the Dark Web and—working with a couple other entrepreneurs—launched a fast-growth cybersecurity startup called Enzoic. Their focus is on stopping bad actors from exploiting compromised passwords. This frequently is a point of entry when cybercriminals and rogue nation-states gain access to networks, applications, and sensitive content. Watch or listen to this Kitecast episode to learn how Josh and the team at Enzoic are transforming password security by mining the Dark Web, empowering organizations and users to use passwords that have not been compromised and, when they are compromised, letting them know they have been.

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

André Tehrani: How CISOs Can Raise Their Game Against Cybersecurity Threats

Mon, 31 Oct 2022 19:00:00 -0700

What organizations seek in terms of experience, certifications, and skillsets when it comes to their next senior cybersecurity leaders reflects their current and future priorities. Today's CISOs must understand the business and be able to articulate cyber risks in terms of financial and compliance impact. Simply being an expert in network perimeter and workload security is no longer sufficient. In this Kitecast episode, Cybersecurity Recruiter André Tehrani talks about what matters most for his clients when they vet senior cybersecurity candidates. When it comes to CISOs, they must be able to articulate cyber risk through the lens of business impact: operational disruption, damaged brand, negative sales, and compliance fines and penalties.

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Joan Ross: The Intersection of Cybersecurity and AI

Tue, 11 Oct 2022 12:00:00 -0700

AI seems to be a "dime a dozen" if you trust the cybersecurity vendors. What does meaningful cybersecurity AI look like? What is on the horizon when it comes to the potential of cybersecurity and AI? And what does this mean when it comes to risk management? Chief Intelligence and Security Officer and Cybersecurity Professor Joan Ross discusses these and other cyber-related topics in this episode of Kitecast. She explains how AI can be used to detect and stop cyberattacks as well as rapidly respond to breaches when they happen. The conversation also touched on how cybercriminals and rogue nation-states are leveraging AI to create attacks that are more complex and harder to detect and stop.

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Michael Daniel: Combatting Cyber Attacks and Incidents

Fri, 07 Oct 2022 14:00:00 -0700

Cyber Threat Alliance President and CEO Michael Daniel, who served four-plus years as Cybersecurity Coordinator for the U.S. Government, discusses what cyber-threat trends you know about and which ones pose the greatest risk. Michael explains how the Cyber Threat Alliance enables organizations to prioritize risk management based on aggregated threat intelligence from numerous vendors. The interview with Michael also covers cyber incidents and risk during the Russian-Ukraine War, lessons learned when he served as the U.S. Cybersecurity Coordinator, how the federal government is evolving to address rogue nation-state bad actors, and adoption of zero-trust security.

For more information on the Cyber Threat Alliance, visit https://www.cyberthreatalliance.org.

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Andreas Wuchner: Cybersecurity Through the Lens of Risk Management

Fri, 07 Oct 2022 14:00:00 -0700

Cybersecurity and Risk Management Investor and Advisor Andreas Wuchner discusses how cybersecurity is all about risk management and how security and compliance are now intertwined. Learn how the complexity of managing all the dimensions, such as migration to the cloud and digital exchange of private data with thousands of third parties, makes it increasingly difficult for organizations to manage risk and what you can do about it.

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.