Cyber Compliance & Beyond

There's no shortage of cybersecurity tools, but most compromises don't happen because of technology failures, they happen because of a failure in organizational processes. In today's episode, we explore how penetration testing and red teaming expose the people, processes and operational weaknesses that technology alone cannot.

We discuss why security is ultimately a people problem, why organizations struggle to identify their own blind spots and how offensive testing reveals hidden vulnerabilities that technologies alone miss.

In today's broad ranging episode, we cover the following:

In this episode, we dive into Zero Trust and how organizations can put it into practice. With the rise of cloud computing, traditional on-prem networking architectures began to fade. Yet the need for strong security never went away – it evolved. That's where Zero Trust comes in. At its core, Zero Trust isn't just about technology. It's about people, access, and trust – starting with the principle that no one is trusted by default.

Tune in to learn:

Waste, fraud, and abuse. These three words usually make headlines when government resources are misused on a massive scale. But the truth is, efforts to eliminate waste, fraud, and abuse extend far beyond the headline-grabbing cases.

In this episode, our experts explore how the government combats waste, fraud, and abuse, and why cybersecurity is now front and center in the conversation. Over the past 40 years, federal agencies have increasingly relied on contractors, which has in turn increased the need for enforcement mechanisms to combat waste, fraud, and abuse.

This episode goes over:

Email remains the most common form of non-verbal communication in organizations worldwide. It's where our professional and personal lives often collide – making it a prime target for malicious actors. While the junk mail of the digital age – spam – has mostly faded into the background, the threats haven't gone away. In fact, they've grown far more sophisticated.

Our experts explore how email threats evolved from basic to spam to today's complex phishing campaigns, spear phishing, whaling, and business email compromise. These attacks target people first – exploiting human behavior, namely our desire to trust, be helpful, and be someone who come...

The cyber workforce is as diverse as the challenges it faces. From process designers and behavioral analysts to business strategists and communicators, cybersecurity thrives on a diversity of skill sets. It's important to understand what it takes to join the field, especially given the current shortage of cybersecurity professionals.

In today's episode, we're breaking down the misconception that cybersecurity is only for hackers and codebreakers. We'll dive into why soft skills like communications and organizational collaboration are just as essential as technical skills. We'll talk about how to break into the field. Spoiler alert: it's not as...

Managing identities may be the most difficult and complex task facing any organization today. Often treated as an afterthought in system development, mishandling identity management can lead to serious consequences.

Because identities aren't just people — they're also systems and facilities, and managing them effectively requires more than just technology. From powerful service accounts to poorly defined access controls, identity management is the frontline of doing security right.

On this episode, we break down the following:

What are the real costs of cybersecurity implementation? Spoiler alert: it's far more complex than it appears on the surface. Cybersecurity is a people and process problem, not a technology problem. Most of implementation costs come in the form of time, effort and coordination throughout the organization. In this episode, we reach back to the classroom for a refresher on how to conduct effective risk analyses. Risk analyses –or risk assessments– are critical tools for guiding smart cybersecurity investments and decisions. They're the best tool for successfully navigating the intersection of business and cybersecurity. Whether you're a compliance professional, busin...

Nothing introduces more complexity to an organization than access control as with access comes privileges. Privileges are needed for many activities within an organization. Couple the need for privileges with the complexity organizational structures and the usual personnel churn and an already complex problem becomes nearly unmanageable. Attackers target credentials for this very reason.

Compromising an end-user with no privileges may seem trivial and unlikely to cause harm. However, as we discuss in this episode, if a privileged user logged in on that end-user's machine, their privileged credentials are now comprised, allowing the attackers to exploit other...

Mobile devices have become an extension of ourselves, seamlessly integrated into our daily lives like never before. But as we prioritize convenience—wanting our devices to "just work"—we often overlook security. This episode dives into the growing cybersecurity challenges that come with mobile adoption and what individuals and organizations can do to stay protected. We'll go over:

Link...

Rolling out a new program always comes with challenges and CMMC has been no exception. Fortunately, we've moved into the implementation phase, with assessments now underway. This milestone not only helps organizations see the real value of the program but also gives us the chance to address lingering questions and clarify uncertainties that could only be resolved through full implementation.

With this progress, we're encountering fresh challenges and questions we hadn't anticipated — while still fielding many of the same inquiries we've heard from the beginning. The good news? Full implementation means we can now provide more concrete, ex...

The CMMC training and certification ecosystem is ambitious as it aims to support training material development and certification of both instructors and assessors. It is currently on a path to providing a strong foundation for CMMC as a whole. In this episode our cybersecurity experts dive into the details and nuances of the training and certification requirements in the CMMC ecosystem. Hear them define the terms, discuss the requirements, contrast CMMC training and certification with other compliance frameworks, grapple with challenges and finally address what lies ahead. Joining host Cole French is Joe Lissenden, CEO of Precision Execution, provider...

The news about cybercrime is overwhelming to those who fight to secure our organizations. Cybercrime organizations are sophisticated and constantly changing. But there's a hidden truth in cybercrime attacks: cybercriminals exploit the same weaknesses they've been exploiting for years. This should give us some hope; we know where our organizations are weakest, which gives us a good place to start. But these weaknesses are often hard to address. They require not just technical solutions, but a lot of thought, coordination, planning, and continual re-evaluation. Most often thought of as technical problems, compliance frameworks provide a solid starting point for...

CMMC's security requirements are not new. What is new about CMMC is the level of rigor. With the recent publication of the CMMC rule, DoD is ever closer to requiring contractors to comply with CMMC security requirements and back them up with an assessment. The CMMC Rule, like any new regulation, is packed with details. Details that have been rumored, speculated, and drafted. Now that they're known and final, we're here to help you see clearer.

In today's episode, our host, Cole French becomes the expert guest. As Director of Cybersecurity Services and CMMC Capability Lead at...

AI is bringing speed and velocity never seen before. Some studies show that the output is the equivalent to what 35-40 humans can produce. This speed and velocity is applied to countless use cases across just about every economic sector. Cybersecurity compliance is laden with repetitive, redundant, and time-consuming manual tasks. While humans bring nuanced ingenuity and problem-solving capabilities, we are prone to errors, especially across such repetitive, redundant, and time-consuming tasks. Worse, cybersecurity compliance requirements are far from standardized, though there is a tremendous amount of overlap. In these circumstances, humans take short cuts. It's not a matter...

Supply chain security is not new, though it certainly feels as though it is. Thanks to globalization, supply chains are ever growing in their depth, complexity, and interconnectedness. Unfortunately, like so many other systems, security of supply chains hasn't been at the top of the list of things to consider when evaluating supply chains. Understandably, economics led the way. A supply chain exists to foster economic growth and profit-making. None of these are bad but there's a painful irony: the less security is considered, the greater the costs, which drives down growth and profit-making. Costs aren't just financial, either...

IT support is tricky for most businesses, especially for those not in the IT business. Thus, IT is a cost of doing business and a high cost at that. High costs drive down profits. Less profit makes it harder for businesses to invest in the products or services that they're making and selling. Retaining IT staff is even more difficult. This is due to the extremely low unemployment rate and the higher-than-average annual salary. These two factors almost guarantee that IT staff hired by non-IT businesses will eventually get a better offer some place else. To mitigate the problem...

Vulnerabilities are everywhere and on every IT asset within an organization. This makes vulnerability management one of the most important – if not the most important – risk mitigation activities an organization undertakes. But, the complexities inherent in many organizations combined with the sheer number of vulnerabilities leaves many not knowing where to even begin when it comes to vulnerability management. On today's episode, we'll demystify vulnerability management by defining some context, outlining an effective vulnerabilities management program, discussing potential challenges, tying it all to compliance, and decoupling vulnerability management from the inherent complexities.

Today's guest is Andrew Overmyer, Secu...

The number of compliance frameworks is seemingly endless. The lack of standards is problematic enough. Even more problematic, however, is how the compliance frameworks overlaps with one another. When it comes to International Trade and Export Compliance, the problem is overlap is accentuated by the fact that there is not a definitive 'framework' for export compliance. Nearly everything is determined on a case-by-case basis.

Today's guest is Sara Hougland, Director of Trade Compliance here at Kratos. During our conversation, we cover export compliance at a high level, discuss the concept of "due diligence", distinguish ITAR from EAR...

Some recent estimates have postulated that data is now the world's most valuable asset. Unlike other assets, like oil, for example, data proliferates on a staggering scale. In other words, it doesn't seem to be finite, subject the law of scarcity. This hammers home the importance of answering the question that each of you are wrestling with: how do I protect all this data? A simple answer to this question is encryption. But any simple answer has you immediately asking more questions: what encryption should I use? How should I configure it? How can I be sure it is...