Future of Cyber Risk

Welcome to the Future of Cyber Risk podcast brought to you by Team Cymru. This show will focus on conversations with experts and leading practitioners about what can be done to prepare for what lies ahead. Every episode will highlight actionable takeaways to help our audience get ahead of the curve and prepare for the trends and technologies shaping the future.

Episodes

22 hours ago

In this week's episode of the Future of Cyber Risk podcast, David speaks with Joshua Brown, VP and Global CISO at H&R Block, who explains the importance of not being alarmist when raising risk concerns and avoiding leading a conversation with "no." 
Joshua also discusses why storytelling is such a huge part of his role and shares some advice for cybersecurity professionals, including a reminder that technology is the enforcement mechanism for our solutions, not the solution itself.
 
Topics discussed:
How Joshua started in philosophy and ended up at a tech desk, then building a security team.
Signs that it's time to discard the old way of doing things for something better.
How Joshua knows he's getting his ideas across during his meetings with board members and how that affects their desire to take risks.
How being a good storyteller can help a CISO communicate with their team and the company.
The importance of listening, building relationships, and understanding motivations within your team.
Advice for cybersecurity professionals on communication, planning, and maintaining transparency.
 
Key Takeaways: 
Craft compelling cybersecurity narratives that resonate with stakeholders, illustrating the risks and solutions in a context that matters to them, not just from a technical perspective.
Engage with your team regularly to understand their needs. Effective leadership in cybersecurity involves continuous learning and adaptation.
Watch for signs that something isn’t working and see if you can try something new.
Listen to the questions you’re being asked: they can tell you about how well you’re being understood. 

Thursday Apr 11, 2024

In this week's episode of the Future of Cyber Risk podcast, David speaks with David Lingenfelter, Chief Information Security Officer at PENN Entertainment. They discuss the challenge of securing assets that you did not create yourself and how evolving regulations have affected the gaming industry's risk appetite. 
 
David also offers his insight on the critical skills a successful security practitioner should have. He also explains his approach to educating employees on security when they might have varying degrees of knowledge on staying secure.
 
Topics discussed:
The challenges of securing assets, such as slot machines, that you did not create yourself.
What it's like to balance both physical and cyber security responsibilities: luckily you only have to worry about one or the other.
Critical skills for security practitioners to succeed in today's landscape.
What education looks like at an organization where employees might have diverse levels of knowledge on security.
How ransomware has affected the gaming industry, even as it has transitioned from brick and mortar to digital.
Whether the industry practices direct collaboration to help each other prevent and overcome threats even when they're competitors.
How evolving regulations have affected the industry, especially regarding risk appetite.

Thursday Mar 28, 2024

In this week's episode of the Future of Cyber Risk podcast, David speaks to Chris Copeland, Associate Professor & Director of the Institute of Homeland Security and Cybercrime at Tarleton State University, about the misconceptions of cybersecurity and how he prepares his students for a full career of learning. 
Chris also predicts which cybercrime trends are likely to be around for good, for example how fraud has evolved into the data breaches and cryptocurrency scams of today. He also talks about the work he does as Executive Director of the Juno Initiative, which uses data mining and machine learning to help stop human trafficking.
 
Topics discussed:
Chris's journey from working a help desk to directing the Institute of Homeland Security and Cybercrime.
How the Juno Initiative uses technology such as data mining and machine learning to help stop human trafficking.
What Chris puts on the curriculum for his courses at Tarleton State University and how it is constantly changing with the landscape.
The misconceptions of cybersecurity: it's not just a guy in a ski mask typing on a computer underneath a headlamp.
The trends of cybercrimes and what will likely stick around, namely fraud.
Chris's top four pieces of advice, including giving back and creating a portfolio.

Thursday Mar 14, 2024

In this week's episode of the Future of Cyber Risk podcast, David speaks to Eric Adams, CEO/CISO at Federal Cyber Defense Solutions. They discuss what FedRAMP and FISMA are, how to use NIST as a roadmap to federal compliance, and what controls you need to implement for those requirements. They also talk about the need for vulnerability context and continuous monitoring, the importance of having leadership support behind your compliance efforts, and how AI will impact the future of security — but only if it's used for good.
 
Topics discussed:
How to understand the differences in NIST, FISMA, and FedRAMP and how NIST is the roadmap that can lead you to federal compliance.
How to better understand the controls you need to apply for something like FedRAMP compliance.
Why you need to have leadership commitment and support behind your security compliance efforts.
Why you can be compliant but not secure and what questions and suggestions can guide your efforts to increase security.
Why vulnerability prioritization based on context and continuous monitoring needs to be part of your compliance approach.
How the future of security will include more automation and AI — but only if it's used properly.
 

Thursday Feb 29, 2024

In this week's episode of the Future of Cyber Risk podcast, David speaks to Nat Prakongpan, VP of Product at Cyberbit (formerly of IBM at the time of recording). They discuss the need for business resiliency in security programs, and why you shouldn't just focus on preventing an attack but on recovery after an attack as well. They also talk about why security teams need to practice their incident response so it becomes muscle memory, the importance of making backups quantum-safe, and the growing need for detection and response in storage systems.
 
Topics discussed:
How Nat's career in cybersecurity began after being the target of an attack, and what he learned from 18 years at IBM.
The importance of business resiliency and the blind spots that many organizations have when it comes to attack surface management and knowing their assets.
Why security teams need to be like firefighters and develop their muscle memory for incident response.
How IBM approaches internal training on security, including annual training and role-based education.
Why organizations need to have a plan for both preventing attacks and for recovery after an attack.
The importance of keeping your backups quantum-safe for the future of computing.
The need for detection and response capabilities in storage systems to prevent compromise or attack.

Thursday Feb 15, 2024

In this week's episode of the Future of Cyber Risk podcast, David speaks to Alexander Seger, Head of Cybercrime Division at the Council of Europe. They discuss how the Council of Europe is building capacity worldwide around cybercrime awareness, legislation, and enforcement, and how they're doing that through increased training. They also talk about new provisions making cybercrime prosecution easier, the nuances of the Budapest Convention, and advice learned from a career in cybercrime.
 
Topics discussed:
How the Council of Europe is building capacity around cybercrime awareness, laws, and training across the globe.
What Alexander's month looks like, including consulting in various countries, organizing conferences, and implementing the Budapest Convention.
The actions the Council of Europe takes to train experts and provide them opportunities to learn from each other.
How new provisions, like video conferencing for expert witnesses, are making cybercrime prosecution easier.
The implications of the Russian Federation's treaty adjustment requests around governmental control of cyber spaces.
The challenges of prosecuting hate speech and fake news online across various global jurisdictions.
Three lessons learned from a career combating cybercrime.

Thursday Feb 01, 2024

In this week's episode of the Future of Cyber Risk podcast, David speaks to Joshua Scott, Head of Information Security & IT at Postman. They discuss the importance of security as more companies use APIs, and how better security improves reputation and trust with customers. They also talk about how practitioners can communicate more simply when dealing with other teams, why inventory is the biggest challenge to API security today, and the role of AI in the future of cyber risk.
 
Topics discussed:
Why security has become a priority as APIs become more of a critical component for businesses.
Why increasing their empathy and focusing on simplicity will help practitioners improve their approach to security.
The key skills a security practitioner should possess, including passion and the ability to automate.
How Postman raises security awareness internally to maintain their security posture organization-wide.
The biggest challenges to API security today, like knowing your inventory and managing credentials.
The role AI will play in the future of cyber risk management.
Advice on how to be a partner and enabler of business growth in your organization.

Thursday Jan 18, 2024

In this week's episode of the Future of Cyber Risk podcast, David speaks to Craig Jones, Director of Cybercrime at INTERPOL. They discuss the mission and purpose of INTERPOL to reduce cybercrime worldwide, and how they go about doing that on a daily basis through data aggregation, creating frameworks, and sharing intel with nations and locales worldwide. They also discuss the hurdles of varied cybercrime legislation, how criminals may use AI to exploit, and advice for law enforcement and policy makers on how to better combat cybercrime.
 
Topics discussed:
The role that INTERPOL plays in stopping global cybercrime, and how they do that on an operational level each day.
The misconceptions individuals may have around what INTERPOL does, and how they focus heavily on aggregating data sets and sharing information with local governments and law enforcement around the world.
The models and frameworks they've put in place to create a unified global approach to combating cybercrime.
Why cybercrime legislation is different in various countries and how sometimes borders can be a constraint to effective security.
The role of AI in global cybercrime, and how criminals will use it to present themselves as more authentic and realistic.
Advice for law enforcement and policy makers on how to create more opportunities for information sharing and cybercrime prevention.

Thursday Jan 04, 2024

In this week's episode of the Future of Cyber Risk podcast, David speaks to Bob Carver, Principal Cybersecurity Threat Intelligence and Analytics at Verizon. They discuss the importance of looking for subtle issues no one else may see, why security practitioners should gain more awareness in network and sysadmin activities, and how to build a culture of security. They also talk about how to train staff about phishing and social engineering, what the future of cyber will look like, and advice for improving risk management programs.
 
Topics discussed:
What a day-in-the-life looks like, starting with scanning packet captures for anomalous activity and looking for risk no one else sees.
Why more security practitioners should increase their knowledge of network and sysadmin activity for a more well-rounded approach to security.
What types of training leaders can take to increase their staff's security awareness, including phishing and responsible downloading.
What the future of cybersecurity will look like, including more AI and ML influence in risk assessments, more automation, and fewer silos.
How to write more secure code, and how LLMs will help.
Advice for security leaders for a better risk management program, including proper visibility and context, and building a culture of security.

Thursday Dec 21, 2023

In this week's episode of the Future of Cyber Risk podcast, David speaks to Evan Blicker, Sr. Cyber Threat Investigator - Dark Web Lead at LinkedIn. They discuss what the dark web is, what you can find there, and the biggest misconceptions about the dark web — like why it should be viewed more as a community of people rather than a dangerous arena. They also talk about how to get started with dark web investigations securely, why the biggest challenge is communicating about dark web threats, and what the future of the dark web will look like.
 
Topics discussed:
A day in the life of a cyber threat investigator, which includes building out the dark web vision for LinkedIn: knowing what's out there and finding leads.
The biggest misconceptions about the dark web, what you typically find there, and why it should be viewed more as a community of individuals who want to interact through private means.
The skills security practitioners will need in order to be successful with dark web investigations.
Why being able to communicate the threat found on the dark web is the biggest challenge for security practitioners.
What the future of the dark web will look like and why there's going to be a "Great Migration" off of Tor.
Advice for where to begin with dark web investigations, including how to access the dark web securely.

Copyright 2022 All rights reserved.
