Episodes

  • Episode 23: Nobody read the report
    Apr 14 2026

    In this episode of the Distilled Security Podcast, we break down the Delve scandal—flawed SOC 2 reports, copy-pasted content, and oversight failures that expose deeper issues in compliance-as-a-service. Joined by Matthew J. Schiavone, we examine auditor accountability, quality review gaps, and key differences between SOC 2 and ISO 27001.

    We also cover what companies should demand from auditors, the role of automation, and whether this scandal will drive real change in the industry.

    Topics Covered

    • The Delve scandal—leaked reports, copy-pasted audits & pervasive deficiencies
    • The AICPA peer review process & AC Corp's adverse findings
    • SOC 2 vs ISO 27001—oversight models, witness audits & accreditation
    • The incentive structure driving compliance to the bottom
    • Compliance automation — what works, what doesn't & AI's real role
    • What to ask your auditor before signing anything
    • Trust centers — done right vs. compliance theater
    • Is SOC 2 dead? What needs to change & who has to change it


    Hosts

    • Justin Leapline – @justinleapline
    • Joe Wynn – @wynnjoe
    • Rick Yocum – @rickyocum

    Guest

    • Matthew J. Schiavone – (Sikich)


    Connect with Us

    • Website: distilledsecuritypodcast.com
    • X: @DisSecPod
    • Email: hello@distilledsecuritypodcast.com
    2 h 10 m
  • Episode 22: Is AI Good for Security, CIRCIA Starts the Clock, and the M&A Problem Nobody's Talking About
    Mar 9 2026

    In this episode of the Distilled Security Podcast, we tackle four topics shaping the cybersecurity landscape — from AI's real impact on defense to a wave of regulatory and market changes every security team needs to be tracking.


    🔹 Is AI Good for Security? — Anthropic's model finding hundreds of zero days, stock market panic after Claude Code's launch (CrowdStrike down 11%), the "hard things easy, easy things hard" reality of AI, why human-out-of-the-loop isn't ready yet, the coming spike in vulnerability disclosures, and how defenders should be using AI for better hygiene

    🔹 CIRCIA Final Rule (May 2026) — The federal incident reporting law hitting critical infrastructure, 72-hour incident and 24-hour ransom payment notification clocks, how "substantial cyber incident" triggers differ from materiality, mid-market companies falling in scope, overlapping timelines with HIPAA/SEC/state breach laws, and building your incident response playbook now

    🔹 Protecting Yourself Against a Changing Compliance Landscape — CMMC Phase 2, HIPAA overhaul, CCPA audits all converging, why a unified security program beats framework-by-framework chasing, evidence over policy in audits, engineering continuous compliance through automation, and the reality of doing this without dedicated staff

    🔹 Cybersecurity M&A / Consolidation Problem — Google acquiring Wiz for $32B, 10% of the cybersecurity industry changing hands, operational benefits of fewer vendors vs. pricing pressure and talent drain, the OneTrust "sticker on the side" integration warning, Cisco's Startup Studios model, and why consolidation only works if they don't break what made the acquisition special


    🥃 Spirit Review: WhistlePig 12 Year Old World Rye

    PA Fine Wine & Good Spirits Select — Finished in Madeira, Sauternes & Port barrels, 86 proof

    https://www.whistlepigwhiskey.com/


    📬 Send Us Your Questions!

    ask@distilledsecuritypodcast.com


    🎙️ Hosts

    Justin Leapline – @justinleapline

    Joe Wynn – @wynnjoe

    Rick Yocum – @rickyocum


    🌐 Connect with Us

    Website: distilledsecuritypodcast.com

    X: @DisSecPod

    Email: hello@distilledsecuritypodcast.com


    👍 Like, comment, and subscribe for weekly security and compliance insights.

    1 h 56 m
  • Episode 21: AI Notetakers Are Illegal, GRC Tools Are Lying, and ISO 42001 Changes Everything
    Feb 18 2026

    In this episode of the Distilled Security Podcast, we break down three converging forces reshaping how organizations manage AI risk — and what you need to do about it now.

    🔹 BIPA + AI Notetakers — A class action lawsuit exposes unauthorized biometric data collection, why a single Illinois meeting participant creates liability, the Shopify wiretapping dismissal, and the steps you should take today to audit your AI tools
    🔹 GRC Engineering Meets AI — Real AI compliance tools vs. vaporware, using LLMs for policy drafting and control mapping, the hallucination accountability problem, building AI guardrails as code, and the NIST RFI on AI Agent Security (comments due March 9, 2026)
    🔹 ISO 42001 Deep Dive — The first AI Management System standard, how it differs from ISO 27001, AI Impact Assessments vs. traditional risk assessments, stakeholder engagement requirements, and why certification is becoming essential for EU AI Act compliance

    🥃 Spirit Review: Redbreast 12 Cask Strength
    https://www.redbreastwhiskey.com/en-us/whiskey-collections/redbreast-cask-strength-whiskey/

    ⏱️ Timestamps

    0:00 Intro & Episode Overview
    2:04 BIPA & AI Notetakers
    25:08 GRC Engineering Meets AI
    1:07:15 🥃 Spirit Review: Redbreast 12 Cask Strength (Irish Whiskey)
    1:11:17 ISO 42001
    1:49:30 Outro & wrap-up

    🎙️ Hosts
    Justin Leapline – @justinleapline
    Joe Wynn – @wynnjoe
    Rick Yocum – @rickyocum

    🌐 Connect with Us
    Website: distilledsecuritypodcast.com
    X: @DisSecPod
    Email: hello@distilledsecuritypodcast.com

    👍 Like, comment, and subscribe for weekly security and compliance insights.

    1 h 51 m
  • Episode 20: 2026 Kickoff: Security Resolutions, Key Deadlines, and Don’t Mislead the Feds
    Jan 26 2026


    In the first episode of 2026, the Distilled Security team kicks off the year with a practical discussion on security priorities, key compliance dates to watch in 2026, and why misleading the government on cybersecurity compliance can have serious consequences.

    The conversation focuses on simplifying security programs, returning to core fundamentals, and learning from real-world enforcement and regulatory cases. The episode closes with a holiday pour and a preview of format changes coming next.

    ⏱️ Timestamps

    • 0:00 Intro & episode overview
    • 0:33 2026 security resolutions: simplify & back to basics
    • 5:45 “Science projects”: removing emotion from decisions
    • 8:36 Justin’s goals: family, travel, business & AI workflows
    • 17:52 EOS + Atomic Habits workbook (goal planning)
    • 23:54 Key compliance dates to watch in 2026
    • 31:45 California privacy updates & risk assessments (CCPA)
    • 35:39 EU AI Act + NIS2 enforcement ramp-up
    • 42:48 Drink break: High West “A Midwinter Night’s Dram.”
    • 45:04 Don’t mislead the feds: FedRAMP, SolarWinds, CMMC—wrap-up to 1:20:12

    🎙️ Hosts

    • Justin Leapline – @justinleapline
    • Joe Wynn – @wynnjoe
    • Rick Yocum – @rickyocum


    🌐 Connect with Us

    • Website: distilledsecuritypodcast.com
    • X: @DisSecPod
    • Email: hello@distilledsecuritypodcast.com


    🥃 Drink of the episode: High West A Midwinter Night’s Dram

    1 h 20 m
  • Episode 19: Cloudflare Outage, AI-Powered Attacks & The Rise of GRC Engineering | Distilled Security Podcast
    Dec 8 2025

    In this episode, we break down a major Cloudflare outage, explore how a nation-state used AI agents to automate a cyberattack, and discuss the growing risks around MCP integrations. We also highlight why GRC Engineering is becoming essential to modern security programs and wrap up with key regulatory updates, including CMMC changes affecting thousands of contractors.

    Topics covered:
    • Cloudflare outage impact and root cause
    • Nation-state attack using AI agents to automate intrusion steps
    • MCP (Model Context Protocol): power, risks, and examples
    • Why GRC Engineering is the future of compliance and automation
    • Updates on GDPR, ISO 27701, California AB 5866, and SEC rules
    • CMMC assessor shortages and what organizations must prepare for

    Spirit of the Episode
    • Knob Creek 21-Year Limited Release – rich caramel notes, heavy char, smooth for 100 proof

    Timestamps

    • 0:02 - Cloudflare Outage Stories & Global Impact
    • 3:07 - Root Cause, Not a Cyberattack & Third-Party Risk Reality
    • 10:38 - China Uses Anthropic’s Claude + MCP for Automated Cyberattacks
    • 14:17 - Full AI Attack Lifecycle Explained
    • 27:18 - MCP: The API for AI & Its Security Risks
    • 44:05 - Bourbon Break: Knob Creek 21-Year Review
    • 50:02 - GRC Engineering Deep Dive: Automation & Controls-as-Code
    • 1:24:13 - Regulatory Roundup: GDPR, ISO 27701, California AB 566, SEC SP
    • 1:44:27 - CMMC 2.0 Crisis: Auditor Shortages & DoD Contract Impact
    • 2:11:20 - Closing Thoughts & Episode Wrap-Up

    Hosts

    • Justin Leapline – @justinleapline
    • Joe Wynn – @wynnjoe
    • Rick Yocum – @rickyocum

    Connect with Us

    • Website: distilledsecuritypodcast.com
    • X: @DisSecPod
    • Email: hello@distilledsecuritypodcast.com
    2 h 12 m
  • Episode 18: TRISS Highlights, Cloud Chaos & SaaS Lessons Learned
    Nov 10 2025

    In Episode 18 of the Distilled Security Podcast, Justin Leapline, Joe Wynn, and Rick Yocum recap their time at TRISS, share lessons on storytelling and women in tech, and break down the recent AWS us-east-1 DNS/DynamoDB outage, the Microsoft Front Door global disruption, and the F5 BIG-IP incident.

    🔍 We discuss:
    - TRISS highlights: panels, community & storytelling
    - “Breaking the glass ceiling” and unintentional bias in meetings
    - AWS & Microsoft outages: risk, resilience & when multicloud matters
    - F5 BIG-IP incident and supply chain risk
    - Launching a GRC SaaS: episki’s journey, lessons & tradeoffs

    🥃 Spirit of the episode
    Penelope Bourbon – Project X (sherry cask finish)

    ⏱️ Timestamps
    00:00 – 🥃 Intro & TRISS Recap — Highlights from TRISS: panels, community, and a keynote with Edward Norton

    02:40 – 📖 The Power of Storytelling — Why empathy and narrative matter in cybersecurity leadership

    04:40 – 👩‍💻 Women in Tech & Bias in Meetings — Real talk about unintentional bias and everyday experiences

    20:34 – ☁️ AWS & Microsoft Outages — What happened and what it says about cloud resilience

    49:38 – 🥃 Bourbon Break — Enjoying a glass of Penelope Project X

    53:30 – 🔥 F5 BIG-IP Vulnerability — Supply chain risk and patching lessons

    1:09:50 – 🚀 Launching episki (GRC SaaS) — Building simply, shipping fast, and learning from users

    1:52:22 – 🧭 Reflections & Closing Thoughts — Culture, resilience, and what’s next

    🎧 Hosts
    Justin Leapline
    Joe Wynn
    Rick Yocum

    🌐 Connect with Us
    Website: distilledsecuritypodcast.com
    X: @DisSecPod
    Email: hello@distilledsecuritypodcast.com

    1 h 53 m
  • Episode 17: TPRM Is Worthless?! NY DFS Part 500, Security Negotiation Tips & Mezcal
    Oct 13 2025

    🎙️ Welcome back to the Distilled Security Podcast - Episode 17!


    In this episode, Justin, Joe, and Rick break down several major cybersecurity and compliance updates shaping the landscape this fall. From regulatory deadlines to the futility of checkbox TPRM exercises, the crew dives deep into what actually matters for security leaders and business owners navigating today’s risk environment.


    Also, join us at TRISS in Pittsburgh, PA, at the David this October 29, 2025! We have our own booth and will be doing something fun there. We are also sponsoring the After Party! Please come say hi!


    🔹 Topics Covered


    NY DFS Part 500: Final Requirements Take Effect November 1

    The hosts unpack the final phase of New York’s cybersecurity regulation, what’s changing, and what companies must have in place before the enforcement deadline.


    Negotiating Security

    How smaller companies can push back or reframe due diligence requirements—substituting a SOC 2 or ISO 27001 certification with custom questionnaires, summaries, or shared evidence that reflect real security maturity instead of checklists.


    “TPRM Is Worthless”

    A candid discussion on the state of third-party risk management: why it’s often broken, what needs to change, and how to make it meaningful rather than bureaucratic.


    Department of War Announces New Cybersecurity Risk Management Construct

    The team explores the DoD’s latest cybersecurity framework announcement—what it means for contractors, how it overlaps with CMMC and NIST 800-171, and whether it will actually simplify or complicate compliance.


    🥃 Spirit Review


    One of Us Mezcal — This small-batch mezcal impresses with its earthy smoke, hints of citrus, and smooth finish. The guys compare it to other craft agave spirits they’ve tried and debate whether it pairs better with a quiet evening or post-recording celebration.


    Find it here:

    https://oneofusmezcal.com/products/cuishe-mezcal-the-wild-one


    ⏱️ Timestamps


    0:00 – Introduction & Travel Mishap

    6:25 – New Laptop Twins & Backup Strategies

    11:35 – NY DFS Part 500 Updates

    27:30 – DFS Reporting & Organizational Accountability

    33:30 – Negotiating Security Requirements

    47:46 – Cultural Nuances in Negotiation

    50:20 – Spirit Review: One of Us Mezcal

    52:55 – TPRM Is Worthless?

    57:50 – Fixing Broken Vendor Risk Workflows

    1:08:21 – Vendor Resilience vs. Security

    1:18:20 – New DoW/DoD Cybersecurity Risk Management Construct

    1:35:06 – BSides Pittsburgh Planning & Sponsorship

    1:38:35 – DSP at TRISS

    1:39:51 – Closing Remarks & Outro


    🎧 Hosts


    Justin Leapline – @justinleapline

    Joe Wynn – @wynnjoe

    Rick Yocum – @rickyocum


    🌐 Connect with Us


    Website: distilledsecuritypodcast.com

    🐦 Twitter: @DisSecPod

    📧 Email: hello@distilledsecuritypodcast.com

    1 h 41 m
  • Episode 16: When Metrics Mislead: Security Scoring, Board Gaps, and vGRC
    Sep 8 2025

    Episode 16 of the Distilled Security Podcast is here!


    In this episode, Justin, Joe, and Rick christen the new studio and dive into some of the trickiest challenges in measuring, reporting, and governing security programs. From maturity models to board reporting, the conversation unpacks how scoring systems can mislead, how to communicate bad news effectively, and why boards need more than just “checkbox” cyber expertise.

    The team also explores the rise of vGRC (Virtual GRC) services—what they are, how they differ from vCISO offerings, and when organizations should consider fractional models. And of course, no episode would be complete without a pour: this week, a rich Woodford Reserve Double Double Oaked bourbon.


    Topics Covered

    • New Studio Upgrade: Behind-the-scenes on mics, cameras, and why the couch had to go.

    • Measuring to the Score: The dangers of chasing maturity numbers instead of real security outcomes.

    • Scoping, Rubrics & Auditor Whim: Why assessments are subjective and how leadership often misunderstands the results.

    • Cultural Incentives: How bonuses, compliance checkboxes, and “auditor shopping” distort security reporting.

    • Prepping for New Tools: Setting expectations with leadership when visibility spikes after deploying monitoring or vulnerability tools.

    • Boards and Cybersecurity Expertise: Should cyber knowledge be mandated at the board level—or does it risk creating the illusion of safety?

    • Virtual GRC vs. vCISO: What fractional GRC services really deliver, how they differ from vCISO roles, and why naming clarity matters.

    • Bourbon Review: Woodford Reserve Double Double Oaked — syrupy, smooth, and perfect for a holiday pour.

    Hosts

    • Justin Leapline
    • Joe Wynn
    • Rick Yocum

    Connect with Us
    🌐 Website: distilledsecuritypodcast.com
    🐦 Twitter: @DisSecPod
    📧 Email: hello@distilledsecuritypodcast.com


    1 h 54 m