The cyber workforce is as diverse as the challenges it faces. From process designers and behavioral analysts to business strategists and communicators, cybersecurity thrives on a diversity of skill sets. It’s important to understand what it takes to join the field, especially given the current shortage of cybersecurity professionals.

In today’s episode, we’re breaking down the misconception that cybersecurity is only for hackers and codebreakers. We’ll dive into why soft skills like communications and organizational collaboration are just as essential as technical skills. We’ll talk about how to break into the field. Spoiler alert: it’s not as hard as you might think.

On this episode, we discuss:

• Why the cyber workforce is broader than you might think
• How non-technical skills are critical in a technical field
• The importance of soft skills
• Why cybersecurity needs process thinkers, analysts, and business minds, too

Today’s guest is Mike Thompson. Mike brings a unique perspective to the table. Mike’s experience spans recruitment, compliance sales, and cybersecurity assessments. His journey through the field offers great insight into the many ways professionals can contribute to cybersecurity without fitting the traditional mold.

Links:

• FedRAMP’s R311 Requirements
• CMMC: Ecosystem Professionals > Assessing and Certification

Managing identities may be the most difficult and complex task facing any organization today. Often treated as an afterthought in system development, mishandling identity management can lead to serious consequences.

Because identities aren’t just people — they’re also systems and facilities, and managing them effectively requires more than just technology. From powerful service accounts to poorly defined access controls, identity management is the frontline of doing security right.

On this episode, we break down the following:

• Why identity is the most important security function
• The unique risks posed by non-human identities (service accounts)
• How to define and prioritize assets using a risk-based approach
• Practical strategies for managing identities and their privileges
• Why perfection isn’t required

Today’s guest is Terry McGraw. Terry is a retired Lieutenant Colonel from the United States Army and now serves the CEO of Cape Endeavors, Inc, with over 20 years of providing expertise in cyber security threat analysis, security architectural design, network operations and incident response across both commercial and government sectors.

Links:

• Fido-2 Alliance
• Kerberoasting Attack
• Microsoft’S Enterprise Access Model

What are the real costs of cybersecurity implementation? Spoiler alert: it’s far more complex than it appears on the surface. Cybersecurity is a people and process problem, not a technology problem. Most of implementation costs come in the form of time, effort and coordination throughout the organization. In this episode, we reach back to the classroom for a refresher on how to conduct effective risk analyses. Risk analyses –or risk assessments– are critical tools for guiding smart cybersecurity investments and decisions. They’re the best tool for successfully navigating the intersection of business and cybersecurity. Whether you’re a compliance professional, business leader or just curious about how cybersecurity aligns with real-world business needs, this episode is full of insights to help you think more strategically. A few highlights:

• Why the cost of cybersecurity is hard to measure – but why it’s necessary
• Why many organizations struggle to properly conduct risk analyses
• How risk analyses help bridge the gap between business goals and cybersecurity priorities
• The importance of gaining executive buy-in for cybersecurity initiatives
• How to conduct a risk analysis

Today’s guests are Dr. T. Selwyn Ellis and Dr. Jae Ung (Jake) Lee. Dr. Ellis is the Balsley-Whitmore Endowed Professor in the College of Business at Louisiana Tech University. He is the Chair of the Department of Computer Information Systems and the Director for the Center for Information Assurance. He earned a Bachelor of Science with a double major in Mathematics and Computer Science, as well as an MBA from Mississippi College and DBA in Quantitative Analysis and Management Information Systems from Louisiana Tech University. He has published over forty articles in various academic journals including Communication of the ACM, IEEE Transactions on Professional Communication, and European Journal of Information Systems. His research is mainly in data analytics and behavioral aspects of information technology.

Dr. Lee is an Associate Professor of Computer Information Systems in the College of Business, Louisiana Tech University. He earned a Ph.D. in Management Science and Systems from the State University of New York at Buffalo. His research interests include information security and privacy, emergency response, cloud computing, and telework. His research has appeared in European Journal of Information Systems, Information Systems Frontiers, and the International Journal of Information Management, among others.

Nothing introduces more complexity to an organization than access control as with access comes privileges. Privileges are needed for many activities within an organization. Couple the need for privileges with the complexity organizational structures and the usual personnel churn and an already complex problem becomes nearly unmanageable. Attackers target credentials for this very reason.

Compromising an end-user with no privileges may seem trivial and unlikely to cause harm. However, as we discuss in this episode, if a privileged user logged in on that end-user’s machine, their privileged credentials are now comprised, allowing the attackers to exploit other parts of the organization’s network. While the problem can reach a place of being unmanageable, there are methods and solutions available to tackle this problem.

Links:

• Enterprise Access Model
• Credential Harvesting and Mitigations (PDF)
• Point of Entry: Why Hackers Target Stolen Credentials for Initial Access
• The Growing Threat from Infostealers

Mobile devices have become an extension of ourselves, seamlessly integrated into our daily lives like never before. But as we prioritize convenience—wanting our devices to “just work”—we often overlook security. This episode dives into the growing cybersecurity challenges that come with mobile adoption and what individuals and organizations can do to stay protected. We’ll go over:

• Why reliance on convenience creates security vulnerabilities (hint: it isn’t primarily vulnerabilities in the technical sense, more in the human sense)
• Key technical and compliance components driving mobile device security
• Technologies organizations can leverage to balance security and usability

Links:

• https://www.hypori.com/use-cases

Rolling out a new program always comes with challenges and CMMC has been no exception. Fortunately, we’ve moved into the implementation phase, with assessments now underway. This milestone not only helps organizations see the real value of the program but also gives us the chance to address lingering questions and clarify uncertainties that could only be resolved through full implementation.

With this progress, we’re encountering fresh challenges and questions we hadn’t anticipated — while still fielding many of the same inquiries we’ve heard from the beginning. The good news? Full implementation means we can now provide more concrete, experience-backed answers to both new and long-standing concerns.

The CMMC training and certification ecosystem is ambitious as it aims to support training material development and certification of both instructors and assessors. It is currently on a path to providing a strong foundation for CMMC as a whole. In this episode our cybersecurity experts dive into the details and nuances of the training and certification requirements in the CMMC ecosystem. Hear them define the terms, discuss the requirements, contrast CMMC training and certification with other compliance frameworks, grapple with challenges and finally address what lies ahead. Joining host Cole French is Joe Lissenden, CEO of Precision Execution, provider of CMMC training and certification services. Joe has more than 25 years of consulting, training, and auditing experience over a wide range of systems and standards.

Reference material:

Acronyms:

• APP: Approved Publishing Partner (formerly Licensed Publishing Partner)
• ATP: Approved Training Provider (formerly Licensed Training Provider)
• CCI: CMMC Certified Instructor (formerly Provisional Instructor)
• CAICO: Cybersecurity Assessor & Instructor Certification Organization
• CAP: CMMC Assessment Process
• CATM: CAICO Approved Training Material
• CCP: CMMC Certified Professional
• CCA: CMMC Certified Assessor
• OSC: Organization Seeking Certification
• RPO: Registered Provider Organization

Links:

• Cybersecurity Assessor & Instructor Certification Organization (CAICO)
• CMMC Assessment Process (CAP)

The news about cybercrime is overwhelming to those who fight to secure our organizations. Cybercrime organizations are sophisticated and constantly changing. But there’s a hidden truth in cybercrime attacks: cybercriminals exploit the same weaknesses they’ve been exploiting for years. This should give us some hope; we know where our organizations are weakest, which gives us a good place to start. But these weaknesses are often hard to address. They require not just technical solutions, but a lot of thought, coordination, planning, and continual re-evaluation. Most often thought of as technical problems, compliance frameworks provide a solid starting point for properly framing the thought, coordination, planning, and continual re-evaluation that is necessary.

Our guest, Terry McGraw will walk us through these solutions and the support that compliance frameworks provide to ensure continued success. Terry is a retired Lieutenant Colonel from the United States Army and now serves the CEO of Cape Endeavors, Inc, with over 20 years of providing expertise in cyber security threat analysis, security architectural design, network operations and incident response for both commercial and government sectors.

Links:

• Ransomware Stages of Grief
• 2024 State of the Threat – A Year in Review
• Detecting Top Initial Attack Vectors in 2024
• 3 Common Initial Attack Vectors Account for Most Ransomware Campaigns
• Meeting a Greater Demand for Cybersecurity