Practical Cybersecurity with Jen Stone

SecurityMetrics

Practical Cybersecurity, hosted by Jen Stone (MCIS, CISSP, CISA, QSA), is the bridge between complex security frameworks and real-world business implementation. Whether you are a "Jack of all trades" IT manager or a business leader with limited resources, this show provides the roadmap to a defensible security posture. 

  1. 1d ago

    Which PCI SAQ Do You Actually Need? (ep. 10)

    First time filling out a PCI SAQ? In this episode, two QSAs who've scoped hundreds of payment environments walk you through how to pick the right one—so you don't end up with the wrong form, the wrong security controls, and the wrong amount of risk.

    Choosing the right PCI DSS Self-Assessment Questionnaire (SAQ) isn't just a paperwork decision. Pick the wrong form and you can leave blind spots in your network security or lock yourself into compliance requirements you never needed. In this episode of the Practical Cybersecurity Podcast, SecurityMetrics experts Jen Stone (QSA) and Michael Simpson break down the complex, often misunderstood rules of PCI scoping. They translate confusing auditor-speak into a practical roadmap so you can identify your payment channels, reduce your data footprint, and satisfy your acquiring bank.

    In this episode:
    - The e-commerce breakdown: the technical triggers that separate SAQ A, SAQ A-EP, and SAQ D—and the "iframe vs. direct post" buzzwords that decide which one is yours
    - How to spot bad PCI advice, including the common Toast POS / SAQ A myth that sends merchants to the wrong form
    - Why validated Point-to-Point Encryption (P2PE) is the gold standard for in-person payments and how it eliminates local network scope
    - E2EE vs. P2PE: the critical difference between proprietary end-to-end encryption and a formally validated solution—and why you can't use the P2PE form for E2EE
    - The cellular terminal question: how to document network-connected mobile payment devices
    - Virtual terminals (SAQ C-VT): how to stress-test your network segmentation so a call center actually qualifies
    - The SAQ roll-up: how to combine multiple payment environments into one master document without losing your mind
    - Service providers: the one unyielding rule for B2B vendors who handle downstream cardholder data

    Resources:
    - Official PCI SSC PTS device search: https://listings.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices?agree=true
    - Talk to a SecurityMetrics QSA about scoping: https://www.securitymetrics.com/security-consulting

    A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club. If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/

    35 min
  2. Jun 9

    Passkeys: An Upgrade You Didn't Know You Needed (ep. 9)

    Passwords were built for a different era of the internet. It's time to move past shared secrets to close your organization's largest threat vector for good.

    Traditional passwords and legacy Multi-Factor Authentication (MFA) are no longer enough to protect your business. Automated, scaling phishing toolkits easily intercept shared secrets, leaving small and medium businesses highly vulnerable to credential breaches. In this episode, Jen sits down with Nishant Kaushik, Chief Technology Officer at the FIDO Alliance, to translate complex cryptographic standards into an actionable, resource-light deployment plan. Learn how to transition away from legacy authentication and close the hidden operational loopholes that hackers actively exploit.

    What You Will Learn:
    - The Flaw in Basic MFA: Why SMS codes and standard one-time passwords (OTPs) are failing, and what true "phishing-resistant" security means.
    - The Account Recovery Trap: Why a weak "Forgot Password" workflow accidentally gives hackers their primary attack vector back—and how to fix it.
    - The Bottom-Line Benefit: How moving to passkeys drastically reduces internal IT helpdesk tickets, manual password resets, and overhead costs.
    - Right-Sizing Your Passkey Deployment: How to easily segment your workforce strategy:
      - Standard Users: Synced passkeys via platform credential managers (Apple, Google, 1Password, Bitwarden).
      - Privileged Users: Dedicated hardware keys (YubiKeys) for root admins and high-sensitivity infrastructure.
    - The 1-Week Action Plan: How to leverage the identity infrastructure you already own (like Google Workspace or Microsoft Entra ID) to deploy passkeys today.

    Resources Mentioned:
    - Learn more about modern identity standards: FIDO Alliance Website
    - Review baseline federal security recommendations: CISA Guidance on Phishing-Resistant MFA
    - Discover SecurityMetrics compliance resources: SecurityMetrics Official Site
    - Threat Intelligence Data: Read the data behind credential exploitation in the latest Verizon Data Breach Investigations Report (DBIR).
    - Federal Passkey Standards: Review the updated identity and passkey frameworks via the NIST SP 800-63 Digital Identity Guidelines.
    - Enterprise Identity Platforms: Learn how modern stacks integrate passwordless via Okta Verify and Microsoft Entra ID.

    About the Guest: Nishant Kaushik is the Chief Technology Officer at the FIDO Alliance, bringing over 25 years of leadership in digital identity and access management (IAM). He holds nine patents, frequently serves on the advisory committees for the RSA Conference and Identiverse, and is a founding member of IDPro.

    28 min
  3. May 26

    The Expert Guide to Defeating eSkimmers (ep. 8)

    We can't keep turning a blind eye to e-commerce skimming. It's a real threat that demands real attention—regardless of how compliance checklists evolve.

    Eighteen months ago, our panel met to break down the rollout of PCI DSS requirements 6.4.3 and 11.6.1. Now, one year after PCI v4.0, we're looking at the data-backed reality of how these requirements are actually playing out in the field. With the recent industry transitions to PCI DSS v4.0.1, clarifications surrounding the boundaries between parent web pages and third-party iframes have created a dangerous side effect: "Checkbox Blindness." Many organizations are misinterpreting these adjustments to mean that script monitoring is effectively optional if a payment iframe is in place. But treating client-side security as a text-only compliance loophole ignores a harsh forensic reality—attackers don't care about scoping boundaries.

    In this follow-up episode, host Jen Stone sits down with a full house of SecurityMetrics experts—Gary Glover (VP of Assessment), Chad Horton (VP of Technology), and Aaron Willis (VP of Forensic Investigation)—to cut through the regulatory noise. Backed by data from over six years of payment page monitoring, they translate the latest auditor fine print into practical guidance on why your parent page remains a prime target, and how to protect it without drowning your team in alert fatigue.

    Key Takeaways From This Episode:
    - The v4.0.1 Scoping Misconception: Why thinking an embedded iframe completely offloads your client-side security obligations is a critical business risk.
    - Bypassing the Safe: How attackers manipulate the parent page environment to intercept credit card data before it ever reaches a secure iframe or redirect link.
    - The Reality of "Checkbox Compliance": Why tracking down fourth- and fifth-party scripts matters to your baseline security, even if your SAQ criteria makes it look elective.
    - Inside a "Zero-Malware" Exploit: A forensic breakdown of how threat actors turn legitimate, approved analytics scripts against online checkout flows.
    - Managing the Responsibility Matrix: How to handle iframe providers who are quietly altering their security liability terms in their public documentation.

    Resources & Links Mentioned:
    - Stop Checkbox Blindness: Automate your script inventory with SecurityMetrics Shopping Cart Monitor
    - Get a Forensic MRI of Your Checkout: Schedule a deep-dive review with SecurityMetrics Shopping Cart Inspect
    - Read the Research: Download the QSA White Paper on E-Commerce Skimmer Attacks

    Connect With Our Team:
    - SecurityMetrics Website: securitymetrics.com
    - Follow Us on LinkedIn: linkedin.com/company/securitymetrics

    30 min
  4. May 12

    Cybersecurity Priorities for 2026: The Two Vulnerabilities to Focus on in the AI Era (ep. 7)

    Is your organization prepared for an autonomous AI bot? Roger Grimes joins Jen Stone to discuss the shifting landscape of cybersecurity. This episode moves past the hype to look at the hard data: AI scams are yielding 4.5x more value for attackers, and traditional MFA is no longer enough to stop them.

    In this episode, we translate complex "vulnerability fatigue" into a clear, two-step priority list. We strip away the jargon to show you exactly how autonomous bots are bypassing firewalls by targeting the human element.

    Key Takeaways:
    - Focus on the "Big Two": Social engineering and unpatched software account for nearly 90% of business risk.
    - Phishing Resistance: Why you should move toward YubiKeys or passkeys to avoid "man-in-the-middle" code interception.
    - Patch Management: Why you should ignore "shiny" new vulnerabilities and follow the CISA Known Exploited Vulnerabilities catalog.
    - The Negotiator's Trap: What happens when a CEO claims they have backups, but the hackers have already deleted them.

    Featured Resources:
    - CISA Known Exploited Vulnerabilities (KEV) Catalog: Use this to prioritize patching based on real-world attacker behavior.
    - Phishing-Resistant MFA:
      - YubiKey: A hardware security key requiring physical touch to prevent remote account takeovers.
      - FIDO Passkeys: A cryptographically secure alternative to SMS codes.
    - Password Management: Tools like 1Password or LastPass are essential for creating long, random, and unique credentials that AI can't easily crack.
    - The 3-2-1 Backup Rule: Maintain three copies of data, on two different media types, with one copy kept strictly offline.

    Connect with Roger Grimes:
    - KnowBe4: Access security awareness training and social engineering defense resources at knowbe4.com.
    - Free Book Offer: Roger is offering a free PDF copy of his latest book, How AI and Quantum Impact Cyber Threats and Defenses, to all listeners. Email him directly at rogerg@knowbe4.com.

    10 min
  5. Apr 28

    The SAQ A Deep Dive: Two QSAs Set the Record Straight (ep. 6)

    This episode of Practical Cybersecurity moves past the standard PCI checklist to focus on the operational realities, common misconceptions, and "stealth" requirements that define SAQ A in the PCI DSS v4.0.1 era.

    The Eligibility Foundation: Most merchants skip the Eligibility Criteria, which is the actual foundation of the assessment.
    - Total Data Outsourcing: To qualify, a merchant must not store, process, or transmit any electronic account data on their own systems or premises.
    - Call Center Exception: Merchants can still qualify for SAQ A if you use a third-party call center to handle payments on your behalf.
    - Paper Ghosts: While the standard includes criteria for paper records, our experts have virtually never seen a modern SAQ A merchant that actually handles card data on paper in 15 years of assessments.

    The Iframe Paradox: A significant "stealth" requirement exists for merchants using iframes to capture payments.
    - Susceptibility by Design: Iframes are "by definition" susceptible to scripting attacks, where malicious code scrapes data directly from the customer's browser.
    - "Hidden" Controls: To prove you aren't susceptible, the Council essentially requires you to meet requirements 6.4.3 and 11.6.1—technical controls for script inventory and integrity that are not technically listed in the body of the SAQ A document.

    Tips for Completing Your SAQ A:
    - The SNMP Trap: When hardening servers (Requirement 2.2.2), administrators frequently overlook SNMP community strings, which often serve as easily searchable default "passwords" for attackers.
    - Break-Glass Strategy: Requirement 8 now accommodates emergency "break-glass" accounts. If your lead admin ("Lisa") wins the lottery and disappears, your organization needs a documented, management-approved protocol to get the new hire ("Bob") into the system securely.
    - The Staff Turnover Gap: Quarterly ASV scans often fail because the one person responsible for them leaves the company, and the new hire is unaware the scans are even occurring. Redundancy—where management also receives scan results—is a critical operational fix.
    - Compliance is Not Inherited: Just because AWS is compliant does not mean your implementation of it is.
    - Responsibility Matrix: You must utilize your provider's Security Responsibility Matrix to identify exactly which controls are managed by the vendor, which are shared, and which are your sole responsibility.
    - And More!

    Resources:
    - Download the SAQ A: Official PCI SSC SAQ A 4.0.1 PDF
    - List of PCI ASVs: Approved Scanning Vendors
    - AWS Responsibility Matrix
    - Azure Responsibility Matrix

    21 min
  6. Apr 14

    Protecting the House: Why Asset Management and "Storytelling" are Keys to HITRUST (ep.5)

    Episode Summary: In this episode of Practical Cybersecurity, we dive into the complex world of HITRUST certification. Often called the "gold standard" for healthcare security, HITRUST can be a daunting mountain to climb for small and large organizations alike. Jen Stone and experts Peter Briel (Privaxi) and Lee Pierce (SecurityMetrics) break down why scoping is your best friend, why screenshots aren't enough, and why you should never try to "button things down" before talking to an expert.

    Key Discussion Points:
    - What is HITRUST? Unlike HIPAA, which lacks a formal certification, HITRUST integrates multiple standards (NIST, ISO, etc.) into a "beefy" framework. It provides a definitive answer to security and compliance inquiries in the healthcare space.
    - The Three Levels of HITRUST:
      - E1: The entry-level, static 44-control assessment.
      - I1: The "leading practices" assessment with roughly 180+ controls.
      - R2: The risk-based, "gold standard" that requires heavy factoring and scoping.
    - The "House Alarm" Analogy: You can't protect a house if you don't know how many windows and doors it has. Asset management is the foundation of security; if you don't know what hardware and software you have, you can't secure the perimeter.
    - Common Pitfalls in Certification:
      - Overscoping: Fear often leads companies to include too much in their audit, driving up costs and timelines unnecessarily.
      - Weak Evidence: Assessors need a "story," not just a screenshot. Evidence must be consistent, repeatable, and include clear date/time stamps.
      - The "Never Happened" Trap: Even if you haven't fired anyone or had a breach in years, you must have a documented, tested process for how you would handle those events.
    - The Importance of Readiness: The "separation of duties" means your auditor can't also be your consultant. Engaging a readiness team early helps you build the foundation correctly the first time, rather than tearing down finished work to meet compliance standards later.

    Expert Tips for Success:
    - "Don't build it and then do readiness afterwards." — Lee Pierce. Start the conversation while you are still building your solutions or migrating to the cloud to ensure encryption and segmentation meet the standard from day one.
    - "Don't rush... it's not a check-the-box exercise." — Peter Briel. Focus on building a solid foundation. HITRUST isn't just about the certificate; it's about actually protecting the environment.

    Resources Mentioned:
    - Security Metrics Website: Visit for a quick HITRUST cost assessment and to connect with the readiness and audit teams. https://www.securitymetrics.com/hitrust
    - Factoring Tools: Resources to help determine whether you need an E1, I1, or R2 assessment.

    11 min
  7. Mar 31

    4 Critical Tasks for Small IT Teams (ep.4)

    A single data breach now costs a business an average of $1.4 million, according to the annual IBM report. For a small or medium-sized business (SMB), this hit is often terminal—most companies that suffer a major breach struggle to stay in business longer than six months.

    In this episode, Matt "Heff" Heffelfinger, Director of SOC Operations at SecurityMetrics, joins us to discuss why many business owners are operating under a false sense of security. We dive into the "Insurance Trap," where carriers deny claims because basic security activities weren't performed, and outline the four critical areas where every small IT team should focus their limited resources. We're moving past the technical jargon of Security Operations Centers (SOC) to give you a practical, budget-friendly roadmap for cyber hygiene that actually protects your bottom line.

    Key Takeaways:
    - The Insurance Reality Check: Why having a policy isn't enough if you aren't doing the "basics".
    - The 4 Pillars of SMB Focus: Matt breaks down the essential tasks for a team of one: Access Control, Network Scanning, Patch Management, and Basic Cyber Hygiene.
    - Automating Your Defense: How to make one IT person feel like an entire "battalion" using inexpensive automation tools.
    - The 10% Rule: Why allocating 10% of your IT budget to cybersecurity is the tipping point for graduating from "check-the-box" compliance to real security.
    - Anatomy of a SOC: What happens when threat hunters find an "Event of Interest," such as unauthorized traffic heading to Russia at 3:00 AM.
    - The AI Threat: How bad guys are upscaling and automating their attacks, making SMBs easier targets than ever before.

    About Our Guest: Matt Hessel is a Utah-based cybersecurity professional and the Director of SOC Operations at SecurityMetrics. With a career spanning over 20 years—starting at the helpdesk at TJ Maxx and Marshalls during their historic 2006 breach—Matt brings a unique "boots on the ground" perspective to protecting small businesses.

    Resources Mentioned:
    - SecurityMetrics SOC Services: https://www.securitymetrics.com/pulse
    - IBM Cost of a Data Breach Report 2025: https://www.ibm.com/think/insights/data-matters/cost-of-a-data-breach
    - SecurityMetrics Certifications: PCI QSA | ASV | PFI | HITRUST | Forensic Investigator

    13 min
  8. Mar 17 ·  Bonus

    Pressure Testing Your IRP: Why "Calling IT" Isn't a Plan (ep. 3 Part 2)

    What happens when the news cameras show up and your business grinds to a halt? Donna Grindle, CEO of Kardon, returns to discuss the "hair on fire" reality of a data breach. We move past the paperwork to explore why "calling IT" isn't a plan, the hidden costs of notification letters, and how insurance mazes can complicate your recovery.

    Key Takeaways:
    - "Call IT" is Not a Plan: During a breach, IT will be busy containing the threat; you need an operational plan for when systems and phones go dark.
    - The Paperwork Trap: Reverting to paper records stops cash flow because you aren't sending claims or bills—plus, you eventually have to manually re-enter all that data.
    - Media & Legal Circus: If 500+ records are hit, you must notify the press. This often triggers immediate "ambulance chaser" lawsuits on social media.
    - Tabletop Exercises: Don't find gaps in your plan during a crisis. Run practice drills to know who is authorized to speak for the company and what vendors to call.
    - Insurance Realities: Open claims immediately to protect legal privilege, but be ready for insurance-mandated vendors that may span several time zones.

    "Take ownership of it. Don't assume that somebody else in your office is handling it... You will likely lose your business or be on the verge of it if you are not prepared in some way." — Donna Grindle

    Key Concepts:
    - Security Incident vs. Data Breach: A security incident is a panic-inducing event that requires investigation, but it may or may not officially escalate into a data breach that requires regulatory reporting.
    - Incident Response Plan (IRP): A comprehensive strategy that covers far more than just IT recovery; it must dictate how you communicate with employees, vendors, and clients during a crisis.
    - Tabletop Exercise: A low-stakes practice run of your Incident Response Plan to poke holes in it before an actual emergency. It helps you figure out exactly who is in charge, who you are calling, and who is authorized to speak publicly.

    Links:
    - Kardon: https://kardonhq.com/
    - Help Me With HIPAA Podcast: https://helpmewithhipaa.com/

    Timestamps:
    - 00:00 – Intro
    - 00:54 – Cyber Incidents vs Breaches in a HIPAA Context
    - 01:26 – Why Operational Continuity Cannot be an IT Responsibility
    - 03:02 – Questions to Ask During a Tabletop Exercise
    - 03:50 – Talking to Patients on Facebook
    - 04:06 – More Questions to Ask During a Cyber Incident
    - 05:13 – Even "Calling My MSP" Isn't an Incident Response Plan
    - 05:37 – When a Cyber Incident Becomes a Breach
    - 06:09 – "Can't We Just Send a Postcard?"
    - 06:32 – Steps to Respond to a HIPAA Breach
    - 09:03 – Final Summary: Shifting to Active Security Ownership
    - 09:59 – Where to Find Donna Grindle & Kardon

    11 min
