Episodes

  • 21 - Managing Cyber Risk: The Insurance Component Leaders Shouldn't Overlook
    Jan 6 2026

    In this episode, we take a practical look at how cyber insurance fits into the broader world of organizational risk. While we often talk about risk from a security and compliance perspective, insurance brings its own lens, which has become increasingly important as threats evolve, and claims grow more complex.

    Today's guest, Mark Westcott, President & CEO of ACNB Insurance, breaks down the types of risks insurers care about most, how cyber policies are shaped and the key factors that influence underwriting decisions. We also explore how compliance frameworks and certifications play into premium pricing, risk scoring, and eligibility.

    Learn about:

    • The types of risks insurers prioritize—and why
    • How insurers approach cyber insurance
    • The connection between compliance standards, certifications and insurance rates
    • Core benefits of cyber insurance beyond financial protection
    • Whether regulations mandate cyber insurance and what drives adoption
    • Key questions organizations should ask when evaluating cyber coverage
    40 m
  • 20 - Red Teamers and Pen Testers: Technical, Cloud and Soft Skills
    Dec 2 2025

    There's no shortage of cybersecurity tools, but most compromises don't happen because technology failed; they happen because organizational processes failed. In today's episode, we explore how penetration testing and red teaming expose the people, process and operational weaknesses that technology alone cannot.

    We discuss why security is ultimately a people problem, why organizations struggle to identify their own blind spots and how offensive testing reveals hidden vulnerabilities that technologies alone miss.

    In today's broad-ranging episode, we cover the following:

    • Penetration testing vs. red team engagements
    • What a real red team assessment looks like
    • Attack vectors that still work surprisingly well
    • Interesting "ins" from the real world
    • The ongoing role of social engineering
    • Custom tooling vs. off-the-shelf frameworks
    • Staying current with attacker techniques
    • Finding business-logic flaws automated tools miss
    • The hardest parts of offensive security work
    • Common organizational mistakes that create risk
    • Making findings actionable for engineering teams
    • Skills the next generation of operators should build
    • Soft skills that matter in offensive security
    • How AI and cloud are changing modern red teaming
    • Underestimated attack surfaces
    • Whether offense will always outpace defense
    51 m
  • 19 - Zero Trust
    Nov 4 2025

    In this episode, we dive into Zero Trust and how organizations can put it into practice. With the rise of cloud computing, traditional on-prem networking architectures began to fade. Yet the need for strong security never went away – it evolved. That's where Zero Trust comes in. At its core, Zero Trust isn't just about technology. It's about people, access, and trust – starting with the principle that no one is trusted by default.

    Tune in to learn:

    • Why Zero Trust is more of a mindset and not a technology or set of technologies
    • The challenges organizations face when adopting it
    • How Zero Trust technologies differ from traditional networking technologies

    Reference material:

    • NIST SP 800-207
    • CISA Zero Trust Maturity Model
    32 m
  • 18 - The False Claims Act
    Sep 25 2025

    Waste, fraud, and abuse. These three words usually make headlines when government resources are misused on a massive scale. But the truth is, efforts to eliminate waste, fraud, and abuse extend far beyond the headline-grabbing cases.

    In this episode, our experts explore how the government combats waste, fraud, and abuse, and why cybersecurity is now front and center in the conversation. Over the past 40 years, federal agencies have increasingly relied on contractors, which has in turn increased the need for enforcement mechanisms to combat waste, fraud, and abuse.

    This episode goes over:

    • The history and role of the False Claims Act
    • How the Department of Justice's Civil Cyber-Fraud Initiative is using it to tackle cybersecurity-related fraud
    • The unique role of whistleblowers, who gain both protections and incentives to report fraud
    • A real-world use case that illustrates how enforcement plays out
    • Practical strategies organizations can adopt to reduce their False Claims Act risk

    If your organization works with the federal government, this conversation is a must-listen.

    Resources:

    • DOJ's False Claims Act website
    • The False Claim Act (law)
    29 m
  • 17 - Cybercrime – Email Threats – Part 4/4
    Aug 5 2025

    Email remains the most common form of written communication in organizations worldwide. It's where our professional and personal lives often collide – making it a prime target for malicious actors. While the junk mail of the digital age – spam – has mostly faded into the background, the threats haven't gone away. In fact, they've grown far more sophisticated.

    Our experts explore how email threats evolved from basic spam to today's complex phishing campaigns, spear phishing, whaling, and business email compromise. These attacks target people first – exploiting human behavior, namely our desire to trust, to be helpful, and to be someone who comes through in a time of need. You will learn about:

    • The history of email threats
    • How phishing exploits weaknesses in human psychology
    • Real-world examples of phishing and spear phishing
    • Best practices organizations can adopt to reduce risk
    55 m
  • 16 - The Cyber Workforce
    Jul 2 2025

    The cyber workforce is as diverse as the challenges it faces. From process designers and behavioral analysts to business strategists and communicators, cybersecurity thrives on a diversity of skill sets. It's important to understand what it takes to join the field, especially given the current shortage of cybersecurity professionals.

    In today's episode, we're breaking down the misconception that cybersecurity is only for hackers and codebreakers. We'll dive into why soft skills like communication and organizational collaboration are just as essential as technical skills. We'll talk about how to break into the field. Spoiler alert: it's not as hard as you might think.

    On this episode, we discuss:

    • Why the cyber workforce is broader than you might think
    • How non-technical skills are critical in a technical field
    • The importance of soft skills
    • Why cybersecurity needs process thinkers, analysts, and business minds, too

    Today's guest is Mike Thompson, who brings a unique perspective to the table. Mike's experience spans recruitment, compliance sales, and cybersecurity assessments. His journey through the field offers great insight into the many ways professionals can contribute to cybersecurity without fitting the traditional mold.

    Links:

    • FedRAMP's R311 Requirements
    • CMMC: Ecosystem Professionals > Assessing and Certification
    39 m
  • 15 - Cybercrime – Identity Management – Part 3/4
    Jun 10 2025

    Managing identities may be the most difficult and complex task facing any organization today. Identity management is often treated as an afterthought in system development, and mishandling it can lead to serious consequences.

    Identities aren't just people; they're also systems and facilities, and managing them effectively requires more than just technology. From powerful service accounts to poorly defined access controls, identity management is the frontline of doing security right.

    On this episode, we break down the following:

    • Why identity is the most important security function
    • The unique risks posed by non-human identities (service accounts)
    • How to define and prioritize assets using a risk-based approach
    • Practical strategies for managing identities and their privileges
    • Why perfection isn't required

    Today's guest is Terry McGraw. Terry is a retired Lieutenant Colonel from the United States Army and now serves as CEO of Cape Endeavors, Inc., with over 20 years of experience in cybersecurity threat analysis, security architecture design, network operations and incident response across both the commercial and government sectors.

    Links:

    • FIDO Alliance (FIDO2)
    • Kerberoasting Attack
    • Microsoft's Enterprise Access Model
    46 m
  • 14 - The Intersection of Business and Cybersecurity
    May 6 2025

    What are the real costs of cybersecurity implementation? Spoiler alert: it's far more complex than it appears on the surface. Cybersecurity is a people and process problem, not a technology problem. Most implementation costs come in the form of time, effort and coordination throughout the organization. In this episode, we reach back to the classroom for a refresher on how to conduct effective risk analyses. Risk analyses, or risk assessments, are critical tools for guiding smart cybersecurity investments and decisions. They're the best tool for successfully navigating the intersection of business and cybersecurity. Whether you're a compliance professional, a business leader or just curious about how cybersecurity aligns with real-world business needs, this episode is full of insights to help you think more strategically. A few highlights:

    • Why the cost of cybersecurity is hard to measure – but why it's necessary
    • Why many organizations struggle to properly conduct risk analyses
    • How risk analyses help bridge the gap between business goals and cybersecurity priorities
    • The importance of gaining executive buy-in for cybersecurity initiatives
    • How to conduct a risk analysis

    Today's guests are Dr. T. Selwyn Ellis and Dr. Jae Ung (Jake) Lee. Dr. Ellis is the Balsley-Whitmore Endowed Professor in the College of Business at Louisiana Tech University. He is the Chair of the Department of Computer Information Systems and the Director of the Center for Information Assurance. He earned a Bachelor of Science with a double major in Mathematics and Computer Science, as well as an MBA, from Mississippi College, and a DBA in Quantitative Analysis and Management Information Systems from Louisiana Tech University. He has published over forty articles in various academic journals, including Communications of the ACM, IEEE Transactions on Professional Communication, and the European Journal of Information Systems. His research is mainly in data analytics and the behavioral aspects of information technology.

    Dr. Lee is an Associate Professor of Computer Information Systems in the College of Business at Louisiana Tech University. He earned a Ph.D. in Management Science and Systems from the State University of New York at Buffalo. His research interests include information security and privacy, emergency response, cloud computing, and telework. His research has appeared in the European Journal of Information Systems, Information Systems Frontiers, and the International Journal of Information Management, among others.

    40 m