We also cover what companies should demand from auditors, the role of automation, and whether this scandal will drive real change in the industry.

 Topics Covered

• The Delve scandal—leaked reports, copy-pasted audits & pervasive deficiencies
• The AICPA peer review process & AC Corp's adverse findings
• SOC 2 vs ISO 27001—oversight models, witness audits & accreditation
• The incentive structure driving compliance to the bottom
• Compliance automation — what works, what doesn't & AI's real role
• What to ask your auditor before signing anything
• Trust centers — done right vs. compliance theater
• Is SOC 2 dead? What needs to change & who has to change it

Hosts

• Justin Leapline – @justinleapline
• Joe Wynn – @wynnjoe
• Rick Yocum – @rickyocum

Hosts

• Matthew J. Schiavone - (Sikich) 

Connect with Us

• Website: distilledsecuritypodcast.com
• X:  @DisSecPod
• Email: hello@distilledsecuritypodcast.com

🔹 Is AI Good for Security? — Anthropic's model finding hundreds of zero days, stock market panic after Claude Code's launch (CrowdStrike down 11%), the "hard things easy, easy things hard" reality of AI, why human-out-of-the-loop isn't ready yet, the coming spike in vulnerability disclosures, and how defenders should be using AI for better hygiene

🔹 CIRCIA Final Rule (May 2026) — The federal incident reporting law hitting critical infrastructure, 72-hour incident and 24-hour ransom payment notification clocks, how "substantial cyber incident" triggers differ from materiality, mid-market companies falling in scope, overlapping timelines with HIPAA/SEC/state breach laws, and building your incident response playbook now

🔹 Protecting Yourself Against a Changing Compliance Landscape — CMMC Phase 2, HIPAA overhaul, CCPA audits all converging, why a unified security program beats framework-by-framework chasing, evidence over policy in audits, engineering continuous compliance through automation, and the reality of doing this without dedicated staff

🔹 Cybersecurity M&A / Consolidation Problem — Google acquiring Wiz for $32B, 10% of the cybersecurity industry changing hands, operational benefits of fewer vendors vs. pricing pressure and talent drain, the OneTrust "sticker on the side" integration warning, Cisco's Startup Studios model, and why consolidation only works if they don't break what made the acquisition special

🥃 Spirit Review: WhistlePig 12 Year Old World Rye

PA Fine Wine & Good Spirits Select — Finished in Madeira, Sauternes & Port barrels, 86 proof

https://www.whistlepigwhiskey.com/

📬 Send Us Your Questions!

ask@distilledsecuritypodcast.com

🎙️ Hosts

Justin Leapline – @justinleapline

Joe Wynn – @wynnjoe

Rick Yocum – @rickyocum

🌐 Connect with Us

Website: distilledsecuritypodcast.com

X: @DisSecPod

Email: hello@distilledsecuritypodcast.com

👍 Like, comment, and subscribe for weekly security and compliance insights.

🔹 BIPA + AI Notetakers — A class action lawsuit exposes unauthorized biometric data collection, why a single Illinois meeting participant creates liability, the Shopify wiretapping dismissal, and the steps you should take today to audit your AI tools
🔹 GRC Engineering Meets AI — Real AI compliance tools vs. vaporware, using LLMs for policy drafting and control mapping, the hallucination accountability problem, building AI guardrails as code, and the NIST RFI on AI Agent Security (comments due March 9, 2026)
🔹 ISO 42001 Deep Dive — The first AI Management System standard, how it differs from ISO 27001, AI Impact Assessments vs. traditional risk assessments, stakeholder engagement requirements, and why certification is becoming essential for EU AI Act compliance

🥃 Spirit Review: Redbreast 12 Cask Strength
https://www.redbreastwhiskey.com/en-us/whiskey-collections/redbreast-cask-strength-whiskey/

⏱️ Timestamps

0:00 Intro & Episode Overview
2:04 BIPA & AI Notetakers
25:08 GRC Engineering Meets AI
1:07:15 🥃 Spirit Review: Redbreast 12 Cask Strength (Irish Whiskey)
1:11:17 ISO 42001
1:49:30 Outro & wrap-up

🎙️ Hosts
Justin Leapline – @justinleapline
Joe Wynn – @wynnjoe
Rick Yocum – @rickyocum

🌐 Connect with Us
Website: distilledsecuritypodcast.com
X: @DisSecPod
Email: hello@distilledsecuritypodcast.com

👍 Like, comment, and subscribe for weekly security and compliance insights.

The conversation focuses on simplifying security programs, returning to core fundamentals, and learning from real-world enforcement and regulatory cases. The episode closes with a holiday pour and a preview of format changes coming next.

⏱️ Timestamps

• 0:00 Intro & episode overview
• 0:33 2026 security resolutions: simplify & back to basics
• 5:45 “Science projects”: removing emotion from decisions
• 8:36 Justin’s goals: family, travel, business & AI workflows
• 17:52 EOS + Atomic Habits workbook (goal planning)
• 23:54 Key compliance dates to watch in 2026
• 31:45 California privacy updates & risk assessments (CCPA)
• 35:39 EU AI Act + NIS2 enforcement ramp-up
• 42:48 Drink break: High West “A Midwinter Night’s Dram.”
• 45:04 Don’t mislead the feds: FedRAMP, SolarWinds, CMMC—wrap-up to 1:20:12

 🎙️ Hosts

• Justin Leapline – @justinleapline
• Joe Wynn – @wynnjoe
• Rick Yocum – @rickyocum

🌐 Connect with Us

• Website: distilledsecuritypodcast.com
• X:  @DisSecPod
• Email: hello@distilledsecuritypodcast.com

🥃 Drink of the episode: High West A Midwinter Night’s Dram

Topics covered:
• Cloudflare outage impact and root cause
• Nation-state attack using AI agents to automate intrusion steps
• MCP (Model Context Protocol): power, risks, and examples
• Why GRC Engineering is the future of compliance and automation
• Updates on GDPR, ISO 27701, California AB 5866, and SEC rules
• CMMC assessor shortages and what organizations must prepare for

Spirit of the Episode
• Knob Creek 21-Year Limited Release, rich caramel notes, heavy char, smooth for 100 proof

Timestamps

• 0:02—Cloudflare Outage Stories & Global Impact
• 3:07—Root Cause, Not a Cyberattack & Third-Party Risk Reality
• 10:38 - China Uses Anthropic’s Claude + MCP for Automated Cyberattacks
• 14:17 - Full AI Attack Lifecycle Explained
• 27:18 - MCP: The API for AI & Its Security Risks
• 44:05 - Bourbon Break: Knob Creek 21-Year Review
• 50:02 - GRC Engineering Deep Dive: Automation & Controls-as-Code
• 1:24:13 - Regulatory Roundup: GDPR, ISO 27701, California AB 566, SEC SP
• 1:44:27 - CMMC 2.0 Crisis: Auditor Shortages & DoD Contract Impact
• 2:11:20 - Closing Thoughts & Episode Wrap-Up

Hosts

• Justin Leapline – @justinleapline
• Joe Wynn – @wynnjoe
• Rick Yocum – @rickyocum

Guest

• Matthew J. Schiavone - @Sikitch

Connect with Us

• Website: distilledsecuritypodcast.com
• X:  @DisSecPod
• Email: hello@distilledsecuritypodcast.com

🔍 We discuss:
- TRISS highlights: panels, community & storytelling
- “Breaking the glass ceiling” and unintentional bias in meetings
- AWS & Microsoft outages: risk, resilience & when multicloud matters
- F5 BIG-IP incident and supply chain risk
- Launching a GRC SaaS: episki’s journey, lessons & tradeoffs

🥃 Spirit of the episode
Penelope Bourbon – Project X (sherry cask finish)

⏱️ Timestamps
00:00 – 🥃 Intro & TRISS Recap — Highlights from TRISS: panels, community, and a keynote with Edward Norton

02:40 – 📖 The Power of Storytelling — Why empathy and narrative matter in cybersecurity leadership

04:40 – 👩‍💻 Women in Tech & Bias in Meetings — Real talk about unintentional bias and everyday experiences

20:34 – ☁️ AWS & Microsoft Outages — What happened and what it says about cloud resilience

49:38 - 🥃 Bourbon Break — Enjoying a glass of Penelope Project X

53:30 – 🔥 F5 BIG-IP Vulnerability — Supply chain risk and patching lessons

1:09:50 – 🚀 Launching episki (GRC SaaS) — Building simply, shipping fast, and learning from users

1:52:22 – 🧭 Reflections & Closing Thoughts — Culture, resilience, and what’s next

🎧 Hosts
Justin Leapline 
Joe Wynn 
Rick Yocum 

🌐 Connect with Us
Website: distilledsecuritypodcast.com
X : @DisSecPod
Email: hello@distilledsecuritypodcast.com

In this episode, Justin, Joe, and Rick break down several major cybersecurity and compliance updates shaping the landscape this fall. From regulatory deadlines to the futility of checkbox TPRM exercises, the crew dives deep into what actually matters for security leaders and business owners navigating today’s risk environment.

Also, join us at TRISS in Pittsburgh, PA, at the David this October 29,2025! We have our own booth and will be doing something fun there. Also, we are sponsoring the After Party! Please come say hi!

🔹 Topics Covered

NY DFS Part 500: Final Requirements Take Effect November 1

The hosts unpack the final phase of New York’s cybersecurity regulation, what’s changing, and what companies must have in place before the enforcement deadline.

Negotiating Security

How smaller companies can push back or reframe due diligence requirements—substituting a SOC 2 or ISO 27001 certification with custom questionnaires, summaries, or shared evidence that reflect real security maturity instead of checklists.

“TPRM Is Worthless”

A candid discussion on the state of third-party risk management: why it’s often broken, what needs to change, and how to make it meaningful rather than bureaucratic.

Department of War Announces New Cybersecurity Risk Management Construct

The team explores the DoD’s latest cybersecurity framework announcement—what it means for contractors, how it overlaps with CMMC and NIST 800-171, and whether it will actually simplify or complicate compliance.

🥃 Spirit Review

One of Us Mezcal — This small-batch mezcal impresses with its earthy smoke, hints of citrus, and smooth finish. The guys compare it to other craft agave spirits they’ve tried and debate whether it pairs better with a quiet evening or post-recording celebration.

Find it here:

https://oneofusmezcal.com/products/cuishe-mezcal-the-wild-one

⏱️ Timestamps

0:00 – Introduction & Travel Mishap

6:25 – New Laptop Twins & Backup Strategies

11:35 – NY DFS Part 500 Updates

27:30 – DFS Reporting & Organizational Accountability

33:30 – Negotiating Security Requirements

47:46 – Cultural Nuances in Negotiation

50:20 – Spirit Review: One of Us Mezcal

52:55 – TPRM Is Worthless?

57:50 – Fixing Broken Vendor Risk Workflows

1:08:21 – Vendor Resilience vs. Security

1:18:20 – New DoW/DoD Cybersecurity Risk Management Construct

1:35:06 - BSides Pittsburgh Planning & Sponsorship

1:38:35 - DSP at TRISS

1:39:51 – Closing Remarks & Outro

🎧 Hosts

Justin Leapline – @justinleapline

Joe Wynn – @wynnjoe

Rick Yocum – @rickyocum

🌐 Connect with Us

Website: distilledsecuritypodcast.com

🐦 Twitter: @DisSecPod

📧 Email: hello@distilledsecuritypodcast.com

Episode 16 of the Distilled Security Podcast is here!

In this episode, Justin, Joe, and Rick christen the new studio and dive into some of the trickiest challenges in measuring, reporting, and governing security programs. From maturity models to board reporting, the conversation unpacks how scoring systems can mislead, how to communicate bad news effectively, and why boards need more than just “checkbox” cyber expertise.

The team also explores the rise of vGRC (Virtual GRC) services—what they are, how they differ from vCISO offerings, and when organizations should consider fractional models. And of course, no episode would be complete without a pour: this week, a rich Woodford Reserve Double Double Oaked bourbon.

Topics Covered

• New Studio Upgrade: Behind-the-scenes on mics, cameras, and why the couch had to go.

• Measuring to the Score: The dangers of chasing maturity numbers instead of real security outcomes.

• Scoping, Rubrics & Auditor Whim: Why assessments are subjective and how leadership often misunderstands the results.

• Cultural Incentives: How bonuses, compliance checkboxes, and “auditor shopping” distort security reporting.

• Prepping for New Tools: Setting expectations with leadership when visibility spikes after deploying monitoring or vulnerability tools.

• Boards and Cybersecurity Expertise: Should cyber knowledge be mandated at the board level—or does it risk creating the illusion of safety?

• Virtual GRC vs. vCISO: What fractional GRC services really deliver, how they differ from vCISO roles, and why naming clarity matters.

• Bourbon Review: Woodford Reserve Double Double Oaked — syrupy, smooth, and perfect for a holiday pour.

Hosts

• Justin Leapline
• Joe Wynn
• Rick Yocum

Connect with Us
 🌐 Website: distilledsecuritypodcast.com
🐦 Twitter: @DisSecPod
📧 Email: hello@distilledsecuritypodcast.com

In this episode, hosts Justin Leapline, Joe Wynn, and Rick Yocum sit down with James Ringold (Senior Security Cloud Solution Architect at Microsoft and President of ISSA Pittsburgh) to talk all about building stronger cybersecurity communities.

From the behind-the-scenes of BSides Pittsburgh 2025 to engaging the next generation through mentorship and student-led talks, this episode offers practical insights on how to grow inclusive, vendor-neutral spaces that truly support people in security.

Topics Covered

• BSides Pittsburgh 2025 Highlights

What made this year’s event stand out — from arcade machines and pastries to great speakers and a welcoming atmosphere.

• Running an Inclusive Security Chapter

Insights into leading ISSA Pittsburgh, maintaining momentum, and building a vendor-neutral space that feels open to everyone.

• The Power of Consistency

Why showing up regularly and following through matters when growing a security community.

• Mentoring the Next Generation

The importance of mentorship chains, student-led initiatives, and creating low-pressure environments for future leaders.

• Engaging Students Beyond Attendance

How to get students truly involved, from submitting talks to building long-term relationships that support career growth.

• Authenticity and Community Building

Why empathy, storytelling, and invitation—not pressure—are essential for creating lasting, supportive security ecosystems.

Timestamps:

00:00:00 – Intro & Guest Welcome
00:02:20 – BSides Pittsburgh 2025 Preview
00:24:10 – Building Inclusive Security Communities
00:41:20 – Mentorship & Student Talks
01:11:00 – Whiskey Tasting: Grand Traverse Distillery
01:33:00 – Growing Through Empathy & Local Leadership
01:48:30 – Final Reflections & Outro

Links

• ISSA Pittsburgh
• BSides Pittsburgh

Hosts

• Justin Leapline 
• Joe Wynn  
• Rick Yocum 

Guest 

• James Ringold

Connect with Us

• Website: distilledsecuritypodcast.com
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

This week, the team welcomes guest John Zeolla, a cybersecurity expert and AI enthusiast, for a deep dive into the risks, realities, and potential of artificial intelligence.

Topics include:

• Shadow AI in the Enterprise: Why business leaders are adopting AI faster than CISOs can assess the risks—and how features are outpacing controls.

• Third-Party AI Risk: Understanding vendor integrations with ChatGPT and others, and how contracts alone can’t guarantee security.

• Data Sprawl and Provenance: How uncontrolled data flows and poor identity scoping create dangerous exposure in generative AI platforms.

• Threat Modeling for AI: Why traditional frameworks like STRIDE still apply—and how techniques like “LLM as a judge” are reshaping modern risk analysis.

• Hallucinations, Misuse, and Insider Access: From AI-summarized HR documents to leaked board data, the team explores how improper permissions are amplified by intelligent agents.

• AI in Real Business Use: From customer support chatbots to code review tools, where AI adds value—and where it creates new points of failure.

• Governance and Culture: The role of CISOs, legal, and finance leaders in aligning AI ambition with responsible oversight.

• Bourbon Review – Elijah Craig Private Barrel Pick: A smooth 94-proof selection sponsored by Liberty Liquors (MD), bringing sweet caramel and balance to this week’s pour.

• BSides Pittsburgh Preview: With nearly 1,000 tickets sold, the team teases event highlights, panel interviews, and John's upcoming talk on "vibe coding."

Timestamps

00:00 – Welcome & Introductions
02:20 – What’s “Shadow AI”?
06:45 – Third-Party Risk & AI Integrations
11:10 – Contracts ≠ Security
14:00 – Data Sprawl & Identity Challenges
19:05 – Threat Modeling for AI
23:40 – “LLM as a Judge” in Risk Analysis
28:15 – Hallucinations & Misuse Scenarios
33:00 – Insider Access Amplified by AI
36:30 – Real-World Use Cases (Chatbots, Code Review, etc.)
41:55 – Governance, Culture & CISO Alignment
48:20 – Bourbon Review: Elijah Craig Private Barrel
52:30 – BSides PGH Preview & John’s “Vibe Coding” Talk
57:00 – Final Thoughts & Wrap-Up

Hosts

• Justin Leapline – LinkedIn
• Joe Wynn – LinkedIn
• Rick Yocum – LinkedIn
  
  

Guest

• John Zeolla – Zenable.io
  
  

Connect with Us

• Website: distilledsecuritypodcast.com
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

Join us as we explore:

• The Coinbase Breach: A breakdown of Coinbase’s recent insider-driven breach, including social engineering, bribery of offshore contractors, and how the company responded publicly and operationally.
• Building Insider Threat Programs: The crew shares practical approaches to detecting insider misuse, behavioral monitoring, and the potential for "job descriptions as code."
• CISO Liability and Insurance: Discussion on the evolving legal exposure for CISOs, personal liability, and whether directors and officers (D&O) insurance is a must-have.
• Board-Level Cyber Risk: Should cybersecurity roll up to the audit committee or its own risk committee? The team explores where security leadership best fits in organizational governance.
• Communication and Legal Risk: How careless comments—public or internal—can be used against organizations, and why CISOs and leaders must strike a balance between transparency and caution.
• Modern Risk Management: Turning technical issues into business risk conversations, why documentation matters, and how strong risk communication can help CISOs avoid being scapegoated.
• BSides Pittsburgh Update: With over 600 tickets already sold, the team gives updates on ticket tiers, t-shirts, speaker schedules, and why you should register by June 13.
• Bourbon Review – Widow Jane Lucky 13: To celebrate episode 13, the crew samples Widow Jane Lucky 13—a smooth, toffee-forward bourbon aged 13 years.
• Reporting Lines: Where and how security should be structured within the organization, from effectiveness to liability and more.

Hosts

• Justin Leapline - LinkedIn
• Joe Wynn - LinkedIn
• Rick Yocum - LinkedIn

Connect with Us

• Website: Distilled Security Podcast
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

• One Year of Podcasting: The crew celebrates a full year of episodes, favorite topics, behind-the-scenes production, and where the show is headed next—including a new studio setup and future sponsors.
• Audit Quality and Risk: A deep dive into the evolution of cybersecurity audits, the growing influence of low-cost providers, and what actually makes an audit valuable and trustworthy.
• Third-Party Risk Management: How companies can assess vendor SOC 2 reports, triage risk among their vendors, and build defensible compliance practices.
• Operational vs. Commercial Risk: The importance of translating audit findings into business impact and strengthening vendor partnerships for long-term resilience.
• Bourbon Review – Jefferson’s Tropics: A tasting of a tropical-aged bourbon matured in Singapore’s climate, featuring notes of toffee and spice.
• BSides Pittsburgh Update: Details on ticket sales, sponsor opportunities, and how to get involved with the local security community’s flagship event.
• Entrepreneurship & Starting a Business: A thoughtful discussion on what it really takes to start your own business—when to consider it, how to prepare, and why it’s often more work (and growth) than expected.

Hosts

• Justin Leapline - LinkedIn
• Joe Wynn - LinkedIn
• Rick Yocum - LinkedIn

Connect with Us

• Website: Distilled Security Podcast
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

Join us as we cover:

• Signal, Encrypted Messaging, and Corporate Policy: A deep dive into the use of Signal in sensitive discussions—including a political mishap—and the implications for corporate communication policies, discovery, and compliance.
• Oracle Cloud Breach Allegations: Evaluating breach claims, early response tactics, and the value of proactive key and credential rotation.
• DNA Data, 23andMe, and Privacy Concerns: With 23andMe filing for bankruptcy, the team explores risks associated with sharing genetic data and broader privacy implications when personal information changes hands.
• Hospital Data as Business Assets: A surprising look at how some companies are buying bankrupt hospitals—primarily for access to their medical datasets.
• Vulnerability Management in the Real World: Tips on building practical, risk-based vulnerability management programs, understanding scanner severity versus real-world risk, and developing responsive processes that scale.

Spirits: 

• Calumet Farm Small Batch Bourbon Whiskey https://www.calumetbourbon.com/smallbatch

Hosts

• Justin Leapline - LinkedIn
• Joe Wynn - LinkedIn
• Rick Yocum - LinkedIn

Connect with Us

• Website: Distilled Security Podcast
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

Join us as we explore:

• Security in Times of Budget Cuts: How organizations can navigate layoffs and reduced funding while maintaining a strong security posture.
• The Cybersecurity Talent Shortage: Why security hiring remains challenging, the need for apprenticeship models, and how organizations can develop internal talent pipelines.
• BSides Pittsburgh: Put this on your calendar and submit talks.
• Cyber Crisis Readiness: The importance of C-suite participation in tabletop exercises and cyber incident planning.

References 

• Early Education by David Barton - https://www.youtube.com/watch?v=io-O59eakMk
• BSides Pittsburgh CFP - https://www.bsidespgh.com/cfp

Spirits: Lady of the Glen – A 10-year-old cask strength Scotch whisky finished in Oloroso sherry casks.

Hosts

• Justin Leapline - LinkedIn
• Joe Wynn - LinkedIn
• Rick Yocum - LinkedIn

Connect with Us

• Website: Distilled Security Podcast
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

Join us as we explore:

• Security on a Budget: How teams can optimize tools, manage resource constraints, and build an effective security strategy with limited funding.
• AI and Efficiency: The impact of AI on job performance, along with the risks of AI-powered note-taking and data classification.
• Data Breaches & Industry Challenges: Lessons from Marriott’s data breaches, security concerns in the hospitality industry, and evolving consumer protection mandates.
• Regulatory Shifts & Compliance: A discussion on HIPAA’s 2023 overhaul, required vs. addressable regulations, and the role of dual audits in compliance assurance.
• Data Sovereignty & Government Oversight: How security teams navigate data sovereignty risks, government requests for information, and evolving security standards.
• Multi-Factor Authentication & Risk Mitigation: The importance of MFA and its role in strengthening security posture is increasing.

Spirits

• Heigold Single Barrel Cask Strength https://www.rabbitholedistillery.com/pages/single-barrel-release

Hosts

• Justin Leapline - LinkedIn
• Joe Wynn - LinkedIn
• Rick Yocum - LinkedIn

References

2025 HIPAA Security Rule Guide and Compliance Checklist // https://www.seisollc.com/insights/2025-hipaa-rule-guide

Connect with Us

• Website: Distilled Security Podcast
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

🔎 Join us as we explore:

• The Whiskey Rebellion and Craft Distilling: A dive into the history of the Whiskey Rebellion and what it means for today’s distillers. Learn about Iron City Distilling, creating national brand-quality spirits, and the significance of the Bessemer brand name.
• Whiskey Craftsmanship: Insights into chamber still distillation, the balance of maturation versus aging, and premium craft whiskey production.
• Executive Protection and Privacy: Strategies for workplace safety, reducing online risks, and managing personal branding in crises.
• Quantum Computing Risks: A look at Google's Willow chip, the implications of quantum computing on cybersecurity, and the need for post-quantum cryptographic protocols.
• Modern Password Challenges: Discussing the future of passwordless login, phishing risks, dark web breaches, and the evolving standards of password compliance.

🌟 Spirit: Iron City Distilling Distillers Reserve – A 6-Year Craft Masterpiece!

🎙️ Hosts

• Justin Leapline - LinkedIn
• Joe Wynn - LinkedIn
• Rick Yocum - LinkedIn
  
  

🤝 Guest

• Eddie Kubit - LinkedIn 

📲 Connect with Us

• Website: Distilled Security Podcast
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

🕐 Time Stamps

[00:00:00] Introduction
[00:00:09] Eddie’s Career Transition
[00:03:00] Whiskey Rebellion and Craft Distilling
[00:06:00] Joining Iron City Distilling
[00:10:00] Unique Approach at Iron City Distilling
[00:19:00] Traditional Whiskey Making Process
[00:28:30] Executive Protection and Privacy
[00:39:00] Practical Security Measures for Executives
[00:50:00] Google’s Quantum Computing and Cybersecurity Risks
[00:57:00] Post-Quantum Cryptography
[01:06:00] Modern Password Practices
[01:20:00] Closing Thoughts

In this episode, hosts Justin, Rick, and Joe are joined by special guest Brandon Eckert to explore his fascinating journey in cybersecurity, share industry insights, and enjoy a fun debate on Thanksgiving favorites. Here’s what’s in store:

Topics Covered: 

🔹 Navigating a Career in Cybersecurity
Reflections on starting out in cybersecurity, overcoming challenges in small-town IT careers, and the role of certifications in shaping career success.

🔹 The Value of Certifications
How certifications like OSCP contribute to career growth, practical knowledge, and their relationship with networking and formal education.

🔹 Mentorship and the Pittsburgh Cybersecurity Community
The importance of fostering growth, mentoring local talent, and giving back to the Pittsburgh security community.

🔹 Networking vs. Certifications
A discussion on what matters more for career advancement and the unique benefits of each.

🔹 Auditor Stories and Lessons Learned
Hear hilarious and insightful tales from hospital audits, ethical dilemmas, and tips for managing challenging auditor experiences.

🔹 Business Continuity Challenges
How organizations can prepare for rare but impactful events, like solar flares, while building strong auditor relationships.

🔹 Thanksgiving Favorites
A lighthearted wrap-up featuring turkey tips, stuffing recipes, and the ultimate leftover turkey sandwich.

🔸 Links
Widow Jane Black Opal: https://widowjane.com/

🔸 Spirits
Widow Jane Black Opal
A rare blend of bourbons, each aged for at least 20 years and finished in Japanese Mizunara oak. Notes of toffee, plum, and tobacco make this whiskey an extraordinary treat.

🔸Hosts

• Justin Leapline 
• Joe Wynn
• Rick Yocum

🔸 Guest
🙋🏻‍♂️ Brandon Eckert

🎙 Connect with Us
Website: Distilled Security Podcast
X: @DisSecPod
Email: hello@distilledsecuritypodcast.com

Welcome back to the Distilled Security Podcast! In this episode, hosts Justin, Rick, and Joe dive into the latest in cybersecurity, from regulatory challenges to pop culture:

Topics Covered

1. SEC Penalties for Cybersecurity Disclosures
   Discussing recent SEC penalties due to lapses in cybersecurity disclosure, the implications for companies, and how organizations can stay compliant.
2. Cybersecurity Materiality and Disclosure Practices
   Tips on navigating the materiality assessment of cybersecurity incidents and ensuring compliance with auditors' disclosure requirements.
3. Preparedness Through Tabletop Exercises
   Exploring tabletop exercises as a method to enhance readiness for cybersecurity disclosures.
4. Security in Mergers & Acquisitions
   The importance of aligning security philosophies, protecting supply chain integrity, and fast decision-making in M&A processes.
5. Pre-Mortem Analyses for Risk Mitigation
   Utilizing pre-mortem analyses to identify risks in acquisitions and ensure security compatibility before a merger.
6. Best Practices for Selling a Company with Strong Security
   Tips on audit readiness, maintaining a secure posture, and what security leaders should prioritize to avoid penalties or discounts during acquisitions.
7. Information Control in Modern Warfare
   How controlling information plays a strategic role, with examples from cyberpunk themes to illustrate the power of data control.
8. Favorite Cybersecurity Movies
   A fun review of iconic cybersecurity movies, highlighting elements like data movement, IP address inaccuracies, and common movie hacking tropes.
9. Due Diligence Strategies for Small Businesses
   Key steps for conducting effective due diligence, including using a risk-based approach to compliance and managing contracts efficiently.

Links

• Cyber Scoop

Spirits

• Barrell Seagrass - A unique blend of American and Canadian rye whiskeys, each carefully selected and finished in Martinique Rhum, Madeira, and apricot brandy barrels.

Hosts

• Justin Leapline
• Joe Wynn 
• Rick Yocum 

Connect with Us

• Website: Distilled Security Podcast
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

Time Stamps

• [00:01:25] SEC penalties for cybersecurity disclosure lapses
• [00:05:16] Working with external auditors on cybersecurity disclosures
• [00:09:30] Assessing cybersecurity materiality in disclosures
• [00:11:45] Tabletop exercises to improve disclosure preparedness
• [00:14:36] Cybersecurity considerations in M&A
• [00:19:12] Making fast, informed security decisions
• [00:23:06] Pre-mortems for assessing acquisition risks
• [00:25:12] Compatibility of security philosophies in M&A
• [00:30:20] Securing supply chains in acquisitions
• [00:34:23] Steps to sell a company securely
• [00:37:06] Preparing for audits in the sale process
• [00:42:07] Hosts discuss favorite cybersecurity movies
• [00:45:57] The strategic role of information in warfare
• [00:48:49] Data transport themes in cyberpunk films
• [00:52:36] The infamous fake IP addresses in movies
• [00:56:01] Due diligence for small businesses and startups
• [01:00:47] Centralized vs. decentralized security strategies
• [01:02:20] Adopting a risk-based approach for security questionnaires
• [01:06:05] Negotiating buyer risk assessments
• [01:10:11] Leveraging compliance automation tools
• [01:12:55] Managing contract risks effectively
• [01:16:10] Ensuring alignment between contract terms and security questionnaires

• Resume Review Insights: Joe offers valuable tips on resume writing, focusing on showcasing accomplishments and using metrics to stand out.
• Passion Projects and Hobbies: The team discusses how personal projects and volunteer work can make resumes more compelling by demonstrating a passion for the field.
• Community Engagement at TRISS: The hosts invite listeners to their booth at the upcoming Three Rivers Information Security Symposium (TRISS), where they will be offering resume reviews and engaging with attendees.
• Counter-Espionage and Pagers: A fascinating look at the use of pagers in recent counter-espionage operations, analyzing their effectiveness and ethical concerns.
• Supply Chain Security Concerns: A discussion on the risks tied to supply chain vulnerabilities, focusing on hardware inspections.
• Tabletop Exercises in Cybersecurity: The hosts highlight the importance of tabletop exercises to prepare organizations for security incidents, contrasting them with current trends in incident response training.
• School Violence Threats: An examination of the rise in school violence threats and the challenges schools face in managing these situations.

Links

• Three Rivers Information Security Symposium (TRISS)
• US Maritime Trade and Port Cybersecurity

Spirits

• Boone 1833 12-Year-Old, Snyder's Flask (discontinued) - https://boonedistilling.com/

Hosts

• Justin Leapline - LinkedIn
• Joe Wynn - LinkedIn
• Rick Yocum - LinkedIn

Connect with Us

• Website: Distilled Security Podcast
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

In Episode 4, we are joined by Doug Salah to explore some critical topics in cybersecurity and career growth.

Key Topics

• Doug Salah’s Cybersecurity Journey: His transition into cybersecurity and current role in the industry.
• Networking in Cybersecurity: The value of building connections at cybersecurity conferences.
• TRISS (Three Rivers Information Security Symposium): Insights into TRISS, its scholarships, and its impact on the community.
• Mid-Career Development: Doug’s thoughts on transitioning mid-career, setting goals, and maintaining integrity.
• Cybersecurity Ethics: A deep dive into ethics in the industry, ethical decision-making, and creating a Cyber Code of Honor.
• The Four Agreements: How Doug relates his personal ethics to the principles in The Four Agreements.
• Featured Spirit – Compass Box Spice Tree Scotch: A review of this week’s featured Scotch.
• National Public Data Background Check Breach: Discussion of the recent breach and its implications for data protection.
• Data Protection Tips: Tips on freezing credit and using services like Delete Me to protect personal data.

Links

• Three Rivers Information Security Symposium (TRISS) - https://www.threeriversinfosec.com/
• The Four Agreements - https://www.amazon.com/Four-Agreements-Practical-Personal-Freedom/dp/1878424319
• Delete Me Service - https://joindeleteme.com/
• The Code Of Honor - Embracing Ethics in Cybersecurity

Spirits

• Compass Box Spice Tree Scotch - https://www.compassboxwhisky.com/products/the-spice-tree

Hosts

• Justin Leapline - https://www.linkedin.com/in/justinleapline/
• Joe Wynn - https://www.linkedin.com/in/wynnjoe/
• Rick Yocum - https://www.linkedin.com/in/rickyocum/

Guest

• Doug Salah - https://www.linkedin.com/in/dougsalah/

Connect with Us

• Website: Distilled Security Podcast
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

Join us this week as we jump into: 

• CrowdStrike Incident Analysis: A deep dive into a recent mishap by CrowdStrike that led to significant financial losses and operational disruptions, including 5.4 billion in estimated losses.
• Vendor Accountability: Exploring the legal and financial repercussions of security vendor failures.
• Business Continuity Planning: The importance of preparing for security vendor failures, including considering alternate vendors and the complexities of implementing such strategies.
• Kernel-Level Security Risks: A discussion surrounding kernel-level operations in security software, focusing on the controversy between CrowdStrike and SentinelOne.
• Manual Workarounds and Legacy Systems: The challenges of maintaining business operations during security incidents.
• Ransomware Recovery vs. Vendor Failures: Comparing ransomware attacks' impact and recovery processes with security vendor-induced failures.
• Password Management Vulnerabilities: The risks associated with dependency on password management systems like Thycotic/Delinea and LastPass, and the potential fallout if these systems experience downtime.
• BSides Pittsburgh Recap: the biggest BSidesPGH event yet. Hear the notes and highlights from the conference.
• North Korean Spy Hired By KnowBe4: Hear how a spy for N. Korea got by the defenses of KnowBe4, how they caught them, and steps they implemented to avoid this in the future.
• CISOs as Scapegoats: Are CISOs being pegged as scapegoats unfairly?

Links

• Crowdstrike Incident - https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
• SentinelOne Response to Crowdstrike - SentinalOne on Crowdstrike Outage - https://www.crn.com/news/security/2024/sentinelone-ceo-on-crowdstrike-outage-not-just-an-honest-mistake
• BSidesPGH - https://www.bsidespgh.com/
• TRISS - https://www.threeriversinfosec.com/
• KnowBe4 // N. Korean Spy - https://blog.knowbe4.com/cyberheistnews-vol-14-31-how-the-whole-world-now-knows-about-fake-north-korean-it-workers
• CISO as Scapegoats - https://www.thestack.technology/were-becoming-scapegoats-how-have-cisos-responded-to-sec-cyber-risk-disclosure-rules/

Spirits

• Rabbit Hole Cavehill // Four Grain Tripple Malt - https://www.rabbitholedistillery.com/pages/cavehill/

Hosts

• Justin Leapline - https://www.linkedin.com/in/justinleapline/
• Joe Wynn - https://www.linkedin.com/in/wynnjoe/
• Rick Yocum - https://www.linkedin.com/in/rickyocum/

Connect with Us

• Website: https://distilledsecuritypodcast.com
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

Join us this week as we jump into: 

• Exploring the critical importance of tailoring security frameworks: Aligning with an organization's specific goals and objectives
• Highlighting frameworks like NIST CSF and CIS to advance security programs effectively
• Insights on aligning KPIs with the NIST CSF framework
• Complementary use of frameworks like CIS to enhance security control measurement
• Perspective on compliance and regulatory requirements
• The role of AI in security programs
• Threats posed by deepfakes: Incorporating safeguards to protect organizations from deepfake risks and effectively leverage AI within security programs

Chapters
00:00:00 - Introduction and Episode Overview
00:00:44 - Discussion on Security Frameworks
00:05:43 - Tailoring Frameworks
00:08:19 - Mapping and Compliance Challenges
00:17:16 - Tailoring for Small Organizations
00:19:15 - Upcoming Conferences
00:21:30 - Bourbon Review
00:25:00 - Audit Preparation Tips
00:27:02 - AI in Security
00:35:09 - Privacy Concerns with AI Toys
00:41:22 - Deepfakes in Security
01:05:59 - Closing Remarks

Links and references
https://securecontrolsframework.com

https://www.nist.gov/cyberframework

https://csrc.nist.gov/pubs/sp/1300/final

https://www.cisecurity.org/insights/white-papers/cis-controls-sme-guide

Drink
Whiskey Thief Door Knocker

Hosts

• Justin Leapline - https://www.linkedin.com/in/justinleapline/
• Joe Wynn - https://www.linkedin.com/in/wynnjoe/
• Rick Yocum - https://www.linkedin.com/in/rickyocum/

Connect with Us

• Website: https://distilledsecuritypodcast.com
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

Join us as we dive into a variety of exciting topics, including:

• Is College Worth It?: We explore the value of higher education in today's world.
• Microsoft and Executive Compensation: Analyzing cybersecurity in executive pay at Microsoft.
• BSides Pittsburgh: Exciting talks are coming to BSidesPGH.
• Starting as a New CISO: Things to do first coming into a new company.

Grab your favorite cocktail and tune in for an engaging and fun-filled discussion!

Hosts

• Justin Leapline - https://www.linkedin.com/in/justinleapline/
• Joe Wynn - https://www.linkedin.com/in/wynnjoe/
• Rick Yocum - https://www.linkedin.com/in/rickyocum/

Connect with Us

• Website: https://distilledsecuritypodcast.com
• Twitter: @DisSecPod
• Email: hello@distilledsecuritypodcast.com