The Job Security Cybersecurity Podcast

Expel MDR
  • 0.0 (0)
  • TECHNOLOGY

The Job Security Cybersecurity Podcast, brought to you by Expel Security, explores the unique perspectives and stories of the people who make the cybersecurity industry what it is—whether they realize it or not. Hosts Dave Johnson and Tyler Zito recognize that we're living in an enlightenment period of cybersecurity, where the industry has stabilized with established education systems, compliance frameworks, and documented methodologies. But it took a lot to get here. This podcast looks inward at our community and culture, sharing the stories of how we built this industry through DIY traditions, mythologies, and countless people figuring it out as they went. We explore not just the technical aspects of security, but the human elements—from current students and interns to seasoned professionals, and even those outside cybersecurity who offer valuable perspectives on risk, strategy, and innovation. Expect conversations about where we've been, where we are now, and where we're headed next. We'll talk to adjunct professors, threat hunters, entertainers at hacker conventions, and professionals from adjacent industries who can teach us something new. This isn't another podcast about threats and threat actors—it's about the people doing the work and the lessons we can learn by looking in slightly different directions. Join us for a mix of education, entertainment, and optimism as we celebrate how far cybersecurity has come while inspiring curiosity and innovation for the future. Whether you're taking a lunch break or winding down after incident response, we're here to help you relax with good stories and interesting discoveries.

Episodes

  1. DEC 2

    Episode 4: Making cybersecurity events findable

    Host Dave Johnson sits down with Walter Martín Villalba, founder of InfoSecMap, to explore how he's solving one of the cybersecurity community's most persistent challenges: finding and tracking the thousands of InfoSec events happening worldwide. This conversation covers the origin story of InfoSecMap, the mechanics of manually curating event data at scale, and the unique welcoming nature of the InfoSec community that keeps people coming back. Key topics & timestamps The problem InfoSecMap solves (3:37 - 5:16) Missing events after expensive travel, information scattered everywhereTurned frustration into action during early pandemic 2020Building InfoSecMap from scratch (5:54 - 9:45) Started as side project, realized one person couldn't maintain it aloneToday: 6-7 people handling operations, outreach, and developmentRecent explosive growth (10:40 - 12:55) Crossed 10,000 unique monthly visits two months agoNow at 23,000 monthly visits (120-130% growth)100% organic traffic—no paid promotionStrategic partnerships and credibility (12:55 - 15:47) Official partnership with OWASP Foundation provides credibilityPartnerships with BSides Security globallyPartnership opportunities (15:51 - 19:01) Flexible models: cross-promotion, highlighting CFPs, sponsor callsPowerful filtering by dates, regions, and topicsFirst conference and community passion (19:17 - 21:49) First major conference: OWASP Global AppSec USA 2013InfoSec community uniquely welcoming with knowledge sharing culturePlatform lists CTFs valuable for career developmentManual curation at scale (23:28 - 25:29) Everything manually curated to ensure accuracyPrevents spam and vendor pitchesExpecting 5,000+ listings by end of yearThe actual numbers (25:54 - 27:44) Conservative estimate: 7,000-10,000+ InfoSec events annually worldwideInfoSecMap has close to 5,000 events for 2024 aloneAutomation and AI exploration (27:44 - 30:50) Exploring AI for curation automation with mixed resultsHigher priority: making platform self-sustainable long-termFuture vision and new features (33:14 - 37:00) Key quotes "I simply got tired of wasting a lot of time searching online... spending a lot of time and finding only a handful of events and still missing a lot." - Walter Martín Villalba "The InfoSec community is very special in regards to certain aspects. It's very welcoming. There's a ton of knowledge sharing. There are a lot of people willing to give you a hand, not expecting anything in return." - Walter Martín Villalba "It doesn't really matter how big or small the event is. If it's a legit InfoSec event, we'll list it, even if it is five friends getting together every other Friday to try to do some Hack The Box machines." - Walter Martín Villalba Helpful links InfoSecMap.comProduction Credits Co-hosts: Dave JohnsonProducer: Ben BakerSponsor: Expel MDRConnect Follow Expel (follow us on LinkedIn, X, and YouTube)Rate and review on your favorite podcast platformThe Job Security Podcast explores the unique perspectives and stories of the people who make the cybersecurity industry what it is, whether they realize it or not.

    38 min

  2. NOV 14

    Episode 3: Building an AI-powered security practice

    Host Dave Johnson and co-host Tyler Zito sit down with Peter Holcomb, founder and CEO of Optimo IT and self-described "AI Samurai," to explore how AI is reshaping cybersecurity—from automating compliance workflows to defending against emerging threats. Peter shares practical insights on shadow AI risks, AI observability, and how fractional CISOs are becoming essential for AI-native companies navigating security and governance challenges. Key topics & timestamps Peter's background and Optimo IT (2:31 - 4:26) Founder/CEO of AI security consulting specializing in fractional CISO servicesFocus: SOC 2 Type II, ISO 42001/27001, GDPR, HIPAAFormer CISO at DataVolo (acquired by Snowflake) and EMED Digital HealthcareOverlooked AI security challenges (4:26 - 7:35) Shadow AI becoming the new "shadow IT"—unsanctioned tools introducing riskAI observability must track: alert severity, user queries, token usage, cost, data lineageAutomated evidence tracking with platforms like Vanta, Drata, Risk 360Applying existing security principles to AI (7:35 - 9:02) Reapplying standard security practices to different use casesContinual education on appropriate tool usage and data stewardshipShared responsibility between security teams and businessThe fractional CISO model (9:02 - 14:24) AI-native companies need security expertise but want to focus on productBusiness owns the risk—CISO advises on treatment optionsThird-party perspective often carries more weight than internal recommendationsBuilding an AI-powered business (16:17 - 19:32) Email agent automates responses, saves drafts for reviewLead generation agents personalize outreach sequences~10 agents handling administrative tasks to focus on strategic workBuilding evidence collection agents for audit workflowsAI security use cases (19:32 - 24:21) Red team/blue team testing via TestSavant.aiMicrosoft Copilot integration risksRecommended tools: Petra Security, Cloud Capsule for pre-Copilot assessmentsAI's future in security operations (24:43 - 28:27) Near-term: Autonomous defense agents detecting/remediating faster than humansStill need human-in-the-loop for verificationZentra.ai: Building agents for level 1-2 IT operationsExample: 24-hour ticket resolved in 30 seconds with agent automationCareer advice (29:41 - 32:22) Get educated on AI—tinker with it, understand pitfallsAI governance is the "new GRC"Get hands-on: Build labs, use AWS free tier, experiment with toolsIdentify repetitive tasks and automate with agentsKey quotes "Shadow AI is becoming a huge thing right now... individuals want to be more productive, but they might install these vibe coded tools and now they're introducing more risk into the environment." - Peter Holcomb "There are only four things you can do with risk. You can accept the risk, mitigate the risk, transfer the risk, or ignore the risk." - Peter Holcomb "Back in the day, GRC was not looked at as a sexy thing, but now, with the ubiquity of AI, AI governance is top of mind for everybody." - Peter Holcomb Production Credits Co-hosts: Dave Johnson and Tyler ZitoProducer: Ben BakerSponsor: Expel MDRConnect Follow Expel (follow us on LinkedIn, X, and YouTube)Rate and review on your favorite podcast platform

    35 min

  3. OCT 16

    Episode 2: THOR: Love and Thrunder

    Host Dave Johnson and co-host Tyler Zito sit down with Sydney Marrone and Lauren Proehl, co-founders of the THOR Collective, to explore the evolving world of threat hunting. This conversation covers the fundamentals of building a threat hunting program, how AI is transforming both offensive and defensive security, and the importance of community collaboration in advancing the practice of "thrunting." Key topics & timestamps What is the THOR Collective? (5:27 - 9:29) Evolution of threat hunting (9:38 - 11:55) Early days: Hypothesis-driven, minimal scope, "running queries and hoping for the best"Today: Machine learning, advanced statistics, AI integrationExpanding beyond internal networks to cyber threat intelligenceAI's impact on threat hunting (12:07 - 15:44) Threat side: Perfect phishing emails, AI-generated malware, reduced red flagsDefense side: Lower barrier to entry, query translation, threat intel summarizationLauren: "Certified AI hater" but acknowledges augmentation potentialSydney: Amazed by AI capabilities but warns against over-relianceHow to start a threat hunting program (15:44 - 21:15) Start small, don't overcomplicateAdopt a framework (PEAK, SQRRL, Tahiti, or custom)Ensure the basics: Automate IOCs, focus on top of pyramid of painCritical requirement: Dedicated time (not "downtime hunting")Essential tools + use what you haveProving value and storytelling (24:05 - 28:14) Every hunt should have an output—you can't fail at threat huntingFindings include misconfigurations, missing logs, undocumented processesTurn yourself into a marketer for your programUse metrics, readouts, presentations tailored to executive preferencesHunt relevancy factors: Focus on what matters to YOUR organizationDocumentation and process (31:33 - 36:14) Tyler's mountain rescue analogy: Document everything, even "negative" findingsCreate maps of searched areas and techniques usedIf it's not documented, it didn't happenAnother hunter should be able to replicate your work entirelyBaseline and map to frameworks like MITRE ATT&CKKey quotes "If you ask three people what threat hunting is, you'll get three different answers." - Dave Johnson "The barrier to entry [to threat hunting] is going to be a lot lower, which is great, as long as people aren't relying on [AI] way too much." - Sydney Marrone "Every single hunt should have an output... It's very hard to fail at threat hunting—you always find something." - Lauren Proehl "If it isn't documented, it didn't happen." - Lauren Proehl "The only way we win this is doing this together." - Lauren Proehl Helpful links THOR CollectiveThe Threat Hunters Cookbook by Sydney MarroneBlue Team Village at DEF CONProduction Credits Co-hosts: Dave Johnson and Tyler ZitoProducer: Ben BakerSponsor: Expel MDRConnect Follow Expel (follow us on LinkedIn, X, and YouTube)Rate and review on your favorite podcast platformThe Job Security Podcast explores the unique perspectives and stories of the people who make the cybersecurity industry what it is, whether they realize it or not.

    39 min

  4. SEP 25

    Episode 1: The cyber kids are alright

    Host Dave Johnson sits down with Matthew Gracie and Brandon Levene, two longtime security practitioners who have transitioned into teaching the next generation of cybersecurity professionals. This conversation explores their educational journeys, teaching philosophies, and what makes today's cybersecurity students different from previous generations. Key topics & timestamps Educational backgrounds (2:45 - 6:17) Brandon: Psychology degree, early Palm Pilot hacking, LAN party SubSeven pranksMatt: English degree, desktop support, voluntold into security by CIO in 2005Both learned security before formal education programs existedPath to teaching (8:01 - 14:24) Matt negotiated teaching cybersecurity in exchange for hosting BSides BuffaloBrandon pitched cybercrime course at Johns Hopkins after conference conversationTeaching challenges (10:00 - 21:39) Diverse graduate student backgrounds: accounting majors to IT veteransBalancing content for newcomers vs. experienced studentsBrandon's classes: majority female in 2 of 4 semesters, policy-focusedMatt's program: technically-oriented under computer science departmentThe "Wild West" of cyber education (21:40 - 25:01) No standardized curricula across institutionsPrograms emerging from different departments (criminal justice, accounting, CS)Difficult to evaluate cybersecurity degrees from unknown schoolsIndustry challenges (25:02 - 35:45) Warning against bootcamp promises without technical fundamentalsCommunication skills as crucial as technical abilitiesReality check: High stress, long hours, constant learning requiredIndustry recommendations (36:00 - 39:12) Better support systems for junior professionalsFocus on communication skills alongside technical trainingSustainable career progression from junior to senior rolesKey quotes "We're kind of in that same stage that computer science was back in the 60s and 70s, when it was still mostly math professors who just happened to be teaching computer science stuff." - Matt Gracie "What if we train them and they don't stay, and the counter is, what if we don't train them and they do? I would much rather train them and have competence and they don't stay but incentivize them to actually grow and stay." - Brandon Levene "Security works best as a dual class... You come up as desktop support or help desk or network engineering, and then transfer into a more security focused role." - Matt Gracie Helpful links B-Sides Buffalo (on X)The Rural Tech FundKC7 CyberProduction Credits Co-hosts: Dave JohnsonProducer: Ben BakerSponsor: Expel MDRConnect Follow Expel (follow us on LinkedIn, X, and YouTube)Rate and review on your favorite podcast platformThe Job Security Podcast explores the unique perspectives and stories of the people who make the cybersecurity industry what it is, whether they realize it or not.

    43 min

  5. TRAILER

    Episode 0: What are we doing here?

    Welcome to the inaugural episode of the Job Security Podcast! In this introductory episode, co-hosts Dave Johnson and Ben Baker (filling in for the vacationing Tyler Zito) share the vision behind this new podcast. Dave Johnson, Principal Solutions Architect at Expel and co-host, and Ben Baker, producer and co-host, discuss what listeners can expect in the coming episodes. Episode highlights: An "enlightenment period" in cybersecurity: Dave describes the current state of cybersecurity as an "enlightenment period," where the industry has stabilized with established education systems, compliance policies, and documented methods. He emphasizes the importance of understanding the industry's history to predict its future. Learning from beyond cybersecurity: The podcast aims to explore unique perspectives from people who have shaped the industry, "whether they realize it or not." Dave highlights that cybersecurity concepts, like risk and strategy, are often thousands of years old and borrowed from other industries, such as finance. Diverse guest perspectives: Ben shares examples of potential guests from outside cybersecurity, including semi-pro poker players and former underwater welders, who can offer valuable insights into principles relevant to cybersecurity. A shift in focus: Dave explains that unlike many cybersecurity podcasts that focus on threats and adversaries, "Job Security" will concentrate on the people who perform the work, including those not typically in the spotlight. The goal is to explore the intrinsic parts of the industry, delve into its history, and foster conversations about career paths and practical applications. Optimism and self-care: The podcast seeks to project optimism, reflecting the significant progress made in the cybersecurity field. The hosts hope the podcast can be a form of "self-care," encouraging listeners to relax, learn something new, and gain fresh perspectives to combat the intensity of their daily work. A welcoming community: Dave notes the positive evolution of the cybersecurity community, highlighting a reduction in "egos" that previously hindered innovation. The podcast aims to inspire curiosity and innovation by encouraging listeners to step away from their immediate tasks and explore different areas. Quotes from the episode: "We're here to explore the unique perspectives and stories of the people who make this industry what it is, whether they realize it or not." "We're in what I generally refer to as an enlightenment period of cybersecurity, where we've kind of stabilized where we are." "The concepts that we use are thousands of years old. It's just security, but what we're doing with it, what we're protecting, and what tools we're using, that's the different part." "This podcast can be a vehicle to help explore our culture, but maybe identify some ways for improvement." "If nothing else, if people listen to this podcast with a nice, cool drink in their hand with their feet up for a little while, maybe it's just your lunch break, that's fine. Take that 30 minutes, take that hour and just relax with a good story and some interesting discoveries from us." "The community is the healthiest I've ever seen it." Stay tuned: Tyler Zito will be back from his European vacation in a couple of weeks to share his unique perspectives in cybersecurity. Expect great episodes with fascinating guests!  Subscribe and connect! Don't miss out on future episodes! Subscribe to the Job Security Podcast wherever you get your podcasts, and follow us on YouTube: youtube.com/@expelsecurity

    17 min

Trailer

About

The Job Security Cybersecurity Podcast, brought to you by Expel Security, explores the unique perspectives and stories of the people who make the cybersecurity industry what it is—whether they realize it or not. Hosts Dave Johnson and Tyler Zito recognize that we're living in an enlightenment period of cybersecurity, where the industry has stabilized with established education systems, compliance frameworks, and documented methodologies. But it took a lot to get here. This podcast looks inward at our community and culture, sharing the stories of how we built this industry through DIY traditions, mythologies, and countless people figuring it out as they went. We explore not just the technical aspects of security, but the human elements—from current students and interns to seasoned professionals, and even those outside cybersecurity who offer valuable perspectives on risk, strategy, and innovation. Expect conversations about where we've been, where we are now, and where we're headed next. We'll talk to adjunct professors, threat hunters, entertainers at hacker conventions, and professionals from adjacent industries who can teach us something new. This isn't another podcast about threats and threat actors—it's about the people doing the work and the lessons we can learn by looking in slightly different directions. Join us for a mix of education, entertainment, and optimism as we celebrate how far cybersecurity has come while inspiring curiosity and innovation for the future. Whether you're taking a lunch break or winding down after incident response, we're here to help you relax with good stories and interesting discoveries.

Information