Reduce Cyber Risk Podcast - Cyber Security Made Simple

Shon Gerber, vCISO, CISSP, Cyber Security Consultant, Author and Entrepreneur
  • 0.0 (0)
  • TECHNOLOGY
  • UPDATED WEEKLY

Shon Gerber from the Reduce Cyber Risk podcast provides valuable insights, guidance, and training to you each week that only a senior cyber security expert and vCISO can perform.  Shon has over 23+ years of experience in cyber security from large corporations, government, and as a college professor.  Shon provides you the information, knowledge, and training needed to help protect your company from cyber security threats.  Shon weekly provides cyber security training topics covering: Insider Threat, Operational Technology (OT) Security, Cyber Security Awareness Training, Cyber Security Training for Employees, Cyber Security Courses for the CISSP, and much, much more.  You will receive immediate and actionable information that you can put into practice immediately to protect your business, no matter the size.  Need direct and immediate assistance, Shon can also provide you with his “high touch” consulting approach with his various cyber security services.

  1. FEB 2

    RCR 165: Security and Gap Assessments for SMBs

    A single phish can take down an entire business, and too many small teams only discover that truth after it’s too late. We unpack how security and gap assessments give SMBs a clear, practical path to defend revenue, earn trust, and meet compliance without chasing shiny tools or boiling the ocean. We start with a cautionary tale: a young intruder reused stolen credentials, posted proof online, and exposed how everyday weaknesses become public and painful. From there, we translate the chaos into structure. You’ll hear the difference between a security assessment and a gap assessment, how to map your environment to NIST CSF, SOC 2, ISO 27001, HIPAA, PCI, or CMMC, and why most organizations don’t need “gold standard” everything—just strong fundamentals executed well. We outline a seven-phase plan that scales to your size, covering the twelve core domains from governance and access control to backups, incident response, vendor risk, and physical security. Expect concrete fixes you can start today: enable MFA on Microsoft 365 or Google Workspace, remove excess admin rights, test a full restore, patch critical systems, and publish an incident contact list. Then build momentum with a 90‑day sprint featuring EDR rollout, DKIM/DMARC hardening, phishing simulations, and an acceptable use policy. Over six to twelve months, segment networks, centralize logs, formalize vendor reviews, and write incident response plans. If you’re aiming for certifications or federal contracts, we break down when to DIY and when to bring in a fractional CISO or third-party assessor, plus how to judge partners by methodology, deliverables, and business fluency. By the end, you’ll know how to measure progress with real metrics—critical findings closed, MTTD/MTTR, phishing fail rates, audit results—and how assessments can reduce insurance premiums, win deals, and prevent ruinous incidents. If you’ve failed a customer questionnaire, seen premiums jump, had a near miss, or are moving into regulated markets, this is your signal. Subscribe, share with your team, and leave a review telling us the first control you’ll implement this quarter.

    45 min

  2. JAN 27

    RCR 164: Fractional CISO, Real Results For SMBs - Part #2

    Boards aren’t asking whether security matters anymore—they’re asking who can lead it and show progress fast. We dig into why the CISO seat now belongs at the executive table and how SMBs can access that leadership through a pragmatic fractional model that drives measurable results without bloating headcount. We lay out the red flags that waste budget—claims of “unhackable” systems, tool-first thinking with no process, and leaders who can’t translate risk into business terms. Then we get tactical: how to structure scope and cadence, set escalation paths for incidents, and build trust with a 90-day plan that starts with discovery, moves to prioritization, and delivers quick wins. Expect concrete deliverables like policies, risk assessments, remediation roadmaps, incident response plans, vendor reviews, board-ready reporting, and a clear security awareness program. You’ll also hear which metrics actually matter: fewer critical vulnerabilities, faster detection and response, stronger audit outcomes, improved phishing resilience, and better vendor risk scores. We unpack engagement models—retainers, project-based work, and hybrid on-call—and show how a right-sized start can scale. A real-world case study ties it together: a mid-market manufacturer invested in a fractional CISO, earned compliance certification in nine months, won a multimillion-dollar contract, and cut cyber insurance premiums. We round out with triggers for transitioning to a full-time CISO—headcount, budget thresholds, team size, regulatory demands—and a simple checklist to evaluate readiness and candidate fit. If you’re ready to turn security into a growth lever, this conversation gives you the blueprint: structure the engagement, measure what matters, and give your security leader access to people and decisions. Subscribe, share with your team, and leave a review to tell us which metric you’ll track first.

    28 min

  3. JAN 19

    RCR 163: Insider Risk, Rising Stakes and the Fractional CISO - Part #1

    Insider threats aren’t just moody employees swiping files anymore. Layoffs, job insecurity, remote work, and a new class of “machine insiders” powered by APIs and AI have rewritten the risk map for small and medium businesses. We unpack how human stress, compromised accounts, and over-permissive automation converge, why the old “rare rogue” model fails, and what practical guardrails actually move the needle when resources are tight. We share a clear blueprint for getting enterprise-grade leadership without hiring a full-time executive: the fractional CISO. You’ll hear how a part-time security leader creates a strategy you can execute, aligns controls to compliance and cyber insurance demands, and leads incident response when minutes matter. We draw on real-world experience across the Air Force red team, global enterprises, and hands-on consulting for startups to explain what a fractional CISO really does—roadmaps, vendor selection, board communication—and what they don’t do—patching, help desk, 24x7 coverage. Expect frank talk about zero trust, least privilege, behavioral analytics, and why visibility beats tool sprawl. Cost transparency is front and center. We compare breach math, downtime, and regulatory exposure against the price of leadership, then break down when a CISO becomes non-negotiable: handling sensitive data, facing NYDFS or HIPAA requirements, pursuing CMMC, or answering insurer questionnaires. We’ll also hand you the hiring playbook: the right questions to ask, the certifications that matter (CISSP, CISM, CRISC), and how to test a candidate’s ability to translate risk for non-technical executives. If your API has more access than your CFO and your IT team is underwater, this conversation shows a safer, saner path forward. If this helped you think differently about insider risk and leadership, subscribe, share with a colleague who wears too many hats, and leave a quick review—then tell us what you want covered next.

    29 min

  4. JAN 12

    RCR 162: Small and Medium Business the Prime Target for Cyber Criminals

    Think your company is too small to attract hackers? That misplaced confidence is exactly why SMBs are prime targets. We break down the real economics driving cybercrime—ease, scale, and profit—and show how default settings, fragile backups, and identity gaps create the perfect on-ramp for ransomware, credential theft, and supply chain abuse. We also dive into AI risk and intellectual property protection, exploring the new concept of poisoning models with plausible false data to deter theft, and the hidden risks if staff credentials are compromised. From knowledge graphs and RAG to email spoofing and business email compromise, we map how attackers exploit soft spots that leaders often overlook. Then we translate cyber into business language—revenue at risk per day, cost of downtime per department, and cash reserves versus recovery timelines—so decisions align with the realities of payroll, billing, and customer trust. You’ll come away with immediate, practical steps: enforce MFA everywhere, harden email with SPF, DKIM, and DMARC, deploy EDR, and maintain offline immutable backups you actually test. We share five essential monthly metrics—MFA coverage, phishing report versus click rate, critical patch age, EDR endpoint coverage, and backup restore success—that turn security from guessing into measurable progress. If you rely on uptime for revenue, we explain when MDR or a SOC makes financial sense by compressing detection time from weeks to hours. Subscribe for more straight-talk security guidance, share this with your leadership team, and leave a review to help other SMBs find the show. What control will you implement first to reduce your downtime risk?

    35 min

  5. 05/12/2025

    RCR 161: AI and Financial Security: The New Frontier - Vendor Focus (NextPeak.net)

    The digital landscape for financial institutions has forever changed with the rapid advancement of artificial intelligence and machine learning technologies. What started as simple robotic process automation has evolved into sophisticated AI systems capable of transforming everything from fraud detection to customer service - but at what security cost? Sean Gerber draws on his 20+ years of cybersecurity experience across military, corporate, and consulting roles to deliver a crucial message: AI implementation must follow a "secure by design" approach from day one. Organizations that rush to deploy AI solutions without proper security frameworks find themselves facing exponentially more difficult remediation challenges just 2-3 years later. Through clear, accessible explanations, Gerber demystifies the differences between artificial intelligence, machine learning, and large language models while highlighting their practical applications in financial services. From JP Morgan's AI-powered legal contract reviews to Bank of America's advanced security measures, real-world examples demonstrate both the transformative potential and inherent risks of these technologies. The episode provides a pragmatic roadmap for financial institutions navigating AI implementation, covering essential frameworks like the NIST AI Risk Management Framework and critical security considerations including data anonymization, network segmentation, and intellectual property protection. Gerber emphasizes that while robust security requires investment, the alternative - retrofitting security after problems emerge - proves far more costly in both financial and reputational terms. Whether your organization is just beginning to explore AI capabilities or already deploying advanced solutions, this episode delivers actionable guidance for building multidisciplinary teams, developing AI-specific security policies, and creating governance structures that balance innovation with protection. As Gerber notes, "AI in banking is here to stay. It's transformational, but not without risk" - and the time to implement proper safeguards is now. Ready to strengthen your organization's AI security posture? Connect with Sean through Reduce Cyber Risk, CISSP Cyber Training, or Next Peak for personalized guidance on your AI security journey.

    30 min

  6. 04/01/2025

    RCR 160: Physical Meets Digital: Security's Evolving Frontier - Vendor Focus (Haystack.com)

    The boundary between physical and cybersecurity is rapidly disappearing, creating both challenges and opportunities for security professionals across domains. This eye-opening conversation with Casey Rash from Secure Passage explores how modern physical security devices have evolved into sophisticated IoT endpoints generating valuable security data that traditional teams often lack the expertise to fully leverage. Drawing from his diverse background spanning military intelligence, fintech, logistics, and cybersecurity, Casey offers unique insights into the convergence of physical and cyber domains. He introduces Secure Passage's innovative solutions: Haystacks for critical infrastructure monitoring and Truman for Physical Detection and Response (PDR), which applies familiar cybersecurity principles to physical security data streams. Through practical examples ranging from employee termination scenarios to school safety monitoring, we explore how the integration of physical and cyber domains addresses critical security gaps. Modern smoke detectors can now detect THC, gunshots, and calls for help, while surveillance systems incorporate advanced AI capabilities like object detection and crowd analysis – all generating data streams that most organizations aren't effectively monitoring. For CISSP candidates and security professionals, the conversation maps these solutions to relevant domains including Security Operations, Asset Security, and Identity and Access Management, providing valuable context on how theoretical security principles translate to real-world challenges. Casey offers a provocative perspective: "Most of the responsibility for unifying security systems lies on the cyber side, because we understand the data." Whether you're studying for certification or leading security strategy, this discussion will expand your understanding of converged security and the growing importance of holistic approaches that span both physical and digital realms. Connect with Casey at SecurePassage.com to learn more about bridging these traditionally siloed domains.

    37 min

  7. 02/04/2025

    RCR 159: Quick-Start Guide for Cybersecurity Supply Chain Risk Management (C-SCRM)

    Unlock the secrets to safeguarding your business in today's volatile supply chain landscape. On this episode of the Reduce Cyber Risk Podcast, hosted by Shon Gerber, we take you on a journey through the intricacies of cybersecurity in supply chains. With rapid technological advancements and the rise of AI models like DeepSeek, businesses must navigate data security challenges like never before. You'll discover why countries such as Italy are limiting these AI tools and learn how to balance innovation with caution to protect sensitive data from potential threats. Embark on a comprehensive guide to establishing a robust Cyber Supply Chain Risk Management (CSERM) program. Together, we'll explore strategies to secure stakeholder buy-in and cultivate organizational awareness through tailored training initiatives. By aligning your CSERM goals with your mission and compliance requirements, especially if you’re handling government contracts or operating within the financial sector, you can proactively guard against cyber threats. Prioritize critical assets and integrate CSERM into vendor selection to mitigate vulnerabilities across third-party relationships. For businesses lacking internal cybersecurity resources, resourceful strategies are at your fingertips. From harnessing the power of online tools like Google and ChatGPT to leveraging expert consulting services, we offer insights into fortifying your defenses. Dive into the wealth of resources available at ReduceCyberRisk.com, including free materials and training opportunities for IT teams. Whether you're taking your first steps or refining your existing measures, this episode equips you with the knowledge to strengthen your cybersecurity posture and safeguard your organization against evolving threats.

    30 min

  8. 01/28/2025

    RCR 158: Emerging Threats & Trends and the Future of Cybersecurity

    Is your business ready to tackle the hidden vulnerabilities lurking within your software supply chains? Discover the profound impact of President Biden's recent cybersecurity executive orders and learn why third-party software is a crucial focal point for safeguarding your organization. From real-world examples to actionable insights, I navigate the complex realm of cybersecurity, especially for small and medium-sized companies operating under the CMMC framework, while addressing the looming cyber threats posed by nation-states. Explore the intricate web of emerging threats challenging today's digital landscape. As software dependencies and hardware compromises become commonplace, I illuminate the critical need for a future-proof security strategy that addresses the burgeoning power of quantum computing. From the risks of data poisoning and the sophistications of deepfakes to the potent social engineering tactics manipulating political and market environments, this episode uncovers the multifaceted vulnerabilities businesses must contend with to ensure their cybersecurity. Unlock advanced strategies to build a cyber-resilient organization. By implementing a cybersecurity mesh and embracing identity-first security approaches, your company can stay ahead of sophisticated threats. As I discuss the transformative role of generative AI in both defensive measures and cyber threats, the importance of automated detection and response becomes evident. Cultivating a security-aware culture and ensuring robust supply chain security are essential, as these elements play a pivotal role in maintaining business continuity amidst a rapidly evolving cyber landscape. Join me for a deep dive into continuous improvement and proactive planning, equipping your business with the skills needed to fend off future attacks.

    32 min
See All (193)

About

Shon Gerber from the Reduce Cyber Risk podcast provides valuable insights, guidance, and training to you each week that only a senior cyber security expert and vCISO can perform.  Shon has over 23+ years of experience in cyber security from large corporations, government, and as a college professor.  Shon provides you the information, knowledge, and training needed to help protect your company from cyber security threats.  Shon weekly provides cyber security training topics covering: Insider Threat, Operational Technology (OT) Security, Cyber Security Awareness Training, Cyber Security Training for Employees, Cyber Security Courses for the CISSP, and much, much more.  You will receive immediate and actionable information that you can put into practice immediately to protect your business, no matter the size.  Need direct and immediate assistance, Shon can also provide you with his “high touch” consulting approach with his various cyber security services.

Information