Distilled Security Podcast

Justin Leapline, Joe Wynn, and Rick Yocum
  • 5.0 (1)
  • BUSINESS
  • UPDATED MONTHLY

Join us on Distilled Security as we delve into the fascinating world of cybersecurity. Each episode, we break down intriguing topics, analyze the latest news, and engage in in-depth conversations with our hosts and invited guests. Whether you're a seasoned professional or just curious about cybersecurity, our podcast offers valuable insights and thought-provoking discussions to keep you informed and entertained. Tune in and stay ahead of the curve in the ever-evolving landscape of cybersecurity.

  1. JAN 26

    Episode 20 : 2026 Kickoff: Security Resolutions, Key Deadlines, and Don’t Mislead the Feds

    In the first episode of 2026, the Distilled Security team kicks off the year with a practical discussion on security priorities, key compliance dates to watch in 2026, and why misleading the government on cybersecurity compliance can have serious consequences. The conversation focuses on simplifying security programs, returning to core fundamentals, and learning from real-world enforcement and regulatory cases. The episode closes with a holiday pour and a preview of format changes coming next. ⏱️ Timestamps 0:00 Intro & episode overview0:33 2026 security resolutions: simplify & back to basics5:45 “Science projects”: removing emotion from decisions8:36 Justin’s goals: family, travel, business & AI workflows17:52 EOS + Atomic Habits workbook (goal planning)23:54 Key compliance dates to watch in 202631:45 California privacy updates & risk assessments (CCPA)35:39 EU AI Act + NIS2 enforcement ramp-up42:48 Drink break: High West “A Midwinter Night’s Dram.”45:04 Don’t mislead the feds: FedRAMP, SolarWinds, CMMC—wrap-up to 1:20:12 🎙️ Hosts Justin Leapline – @justinleaplineJoe Wynn – @wynnjoeRick Yocum – @rickyocum🌐 Connect with Us Website: distilledsecuritypodcast.comX:  @DisSecPodEmail: hello@distilledsecuritypodcast.com🥃 Drink of the episode: High West A Midwinter Night’s Dram

    1h 20m

  2. 12/08/2025

    Episode 19: Cloudflare Outage, AI-Powered Attacks & The Rise of GRC Engineering | Distilled Security Podcast

    In this episode, we break down a major Cloudflare outage, explore how a nation-state used AI agents to automate a cyberattack, and discuss the growing risks around MCP integrations. We also highlight why GRC Engineering is becoming essential to modern security programs and wrap up with key regulatory updates, including CMMC changes affecting thousands of contractors. Topics covered: • Cloudflare outage impact and root cause• Nation-state attack using AI agents to automate intrusion steps• MCP (Model Context Protocol): power, risks, and examples• Why GRC Engineering is the future of compliance and automation• Updates on GDPR, ISO 27701, California AB 5866, and SEC rules• CMMC assessor shortages and what organizations must prepare for Spirit of the Episode• Knob Creek 21-Year Limited Release – rich caramel notes, heavy char, smooth for 100 proof Timestamps 0:02- Cloudflare Outage Stories & Global Impact3:07- Root Cause, Not a Cyberattack & Third-Party Risk Reality10:38 - China Uses Anthropic’s Claude + MCP for Automated Cyberattacks14:17 - Full AI Attack Lifecycle Explained27:18 - MCP: The API for AI & Its Security Risks44:05 - Bourbon Break: Knob Creek 21-Year Review50:02 - GRC Engineering Deep Dive: Automation & Controls-as-Code1:24:13 - Regulatory Roundup: GDPR, ISO 27701, California AB 566, SEC SP1:44:27 - CMMC 2.0 Crisis: Auditor Shortages & DoD Contract Impact2:11:20 - Closing Thoughts & Episode Wrap-UpHosts Justin Leapline – @justinleaplineJoe Wynn – @wynnjoeRick Yocum – @rickyocumConnect with Us Website: distilledsecuritypodcast.comX:  @DisSecPodEmail: hello@distilledsecuritypodcast.com

    2h 12m

  3. 11/10/2025

    Episode 18: TRISS Highlights, Cloud Chaos & SaaS Lessons Learned

    In Episode 18 of the Distilled Security Podcast, Justin Leapline, Joe Wynn, and Rick Yokum recap their time at TRISS, share lessons on storytelling and women in tech, and break down the recent AWS us-east-1 DNS/DynamoDB outage, the Microsoft Front Door global disruption, and the F5 BIG-IP incident.  🔍 We discuss:- TRISS highlights: panels, community & storytelling- “Breaking the glass ceiling” and unintentional bias in meetings- AWS & Microsoft outages: risk, resilience & when multicloud matters- F5 BIG-IP incident and supply chain risk- Launching a GRC SaaS: episki’s journey, lessons & tradeoffs 🥃 Spirit of the episodePenelope Bourbon – Project X (sherry cask finish) ⏱️ Timestamps00:00 – 🥃 Intro & TRISS Recap — Highlights from TRISS: panels, community, and a keynote with Edward Norton 02:40 – 📖 The Power of Storytelling — Why empathy and narrative matter in cybersecurity leadership 04:40 – 👩‍💻 Women in Tech & Bias in Meetings — Real talk about unintentional bias and everyday experiences 20:34 – ☁️ AWS & Microsoft Outages — What happened and what it says about cloud resilience 49:38 - 🥃 Bourbon Break — Enjoying a glass of Penelope Project X 53:30 – 🔥 F5 BIG-IP Vulnerability — Supply chain risk and patching lessons 1:09:50 – 🚀 Launching episki (GRC SaaS) — Building simply, shipping fast, and learning from users 1:52:22 – 🧭 Reflections & Closing Thoughts — Culture, resilience, and what’s next 🎧 HostsJustin Leapline Joe Wynn Rick Yocum  🌐 Connect with UsWebsite: distilledsecuritypodcast.comX : @DisSecPodEmail: hello@distilledsecuritypodcast.com

    1h 53m

  4. 10/13/2025

    Episode 17: TPRM Is Worthless?! NY DFS Part 500, Security Negotiation Tips & Mezcal

    🎙️ Welcome back to the Distilled Security Podcast - Episode 17! In this episode, Justin, Joe, and Rick break down several major cybersecurity and compliance updates shaping the landscape this fall. From regulatory deadlines to the futility of checkbox TPRM exercises, the crew dives deep into what actually matters for security leaders and business owners navigating today’s risk environment. Also, join us at TRISS in Pittsburgh, PA, at the David this October 29,2025! We have our own booth and will be doing something fun there. Also, we are sponsoring the After Party! Please come say hi! 🔹 Topics Covered NY DFS Part 500: Final Requirements Take Effect November 1 The hosts unpack the final phase of New York’s cybersecurity regulation, what’s changing, and what companies must have in place before the enforcement deadline. Negotiating Security How smaller companies can push back or reframe due diligence requirements—substituting a SOC 2 or ISO 27001 certification with custom questionnaires, summaries, or shared evidence that reflect real security maturity instead of checklists. “TPRM Is Worthless” A candid discussion on the state of third-party risk management: why it’s often broken, what needs to change, and how to make it meaningful rather than bureaucratic. Department of War Announces New Cybersecurity Risk Management Construct The team explores the DoD’s latest cybersecurity framework announcement—what it means for contractors, how it overlaps with CMMC and NIST 800-171, and whether it will actually simplify or complicate compliance. 🥃 Spirit Review One of Us Mezcal — This small-batch mezcal impresses with its earthy smoke, hints of citrus, and smooth finish. The guys compare it to other craft agave spirits they’ve tried and debate whether it pairs better with a quiet evening or post-recording celebration. Find it here: https://oneofusmezcal.com/products/cuishe-mezcal-the-wild-one ⏱️ Timestamps 0:00 – Introduction & Travel Mishap 6:25 – New Laptop Twins & Backup Strategies 11:35 – NY DFS Part 500 Updates 27:30 – DFS Reporting & Organizational Accountability 33:30 – Negotiating Security Requirements 47:46 – Cultural Nuances in Negotiation 50:20 – Spirit Review: One of Us Mezcal 52:55 – TPRM Is Worthless? 57:50 – Fixing Broken Vendor Risk Workflows 1:08:21 – Vendor Resilience vs. Security 1:18:20 – New DoW/DoD Cybersecurity Risk Management Construct 1:35:06 - BSides Pittsburgh Planning & Sponsorship 1:38:35 - DSP at TRISS 1:39:51 – Closing Remarks & Outro 🎧 Hosts Justin Leapline – @justinleapline Joe Wynn – @wynnjoe Rick Yocum – @rickyocum 🌐 Connect with Us Website: distilledsecuritypodcast.com 🐦 Twitter: @DisSecPod 📧 Email: hello@distilledsecuritypodcast.com

    1h 41m

  5. 09/08/2025

    Episode 16: When Metrics Mislead: Security Scoring, Board Gaps, and vGRC

    Episode 16: When Metrics Mislead: Security Scoring, Board Gaps, and vGRC Episode 16 of the Distilled Security Podcast is here! In this episode, Justin, Joe, and Rick christen the new studio and dive into some of the trickiest challenges in measuring, reporting, and governing security programs. From maturity models to board reporting, the conversation unpacks how scoring systems can mislead, how to communicate bad news effectively, and why boards need more than just “checkbox” cyber expertise. The team also explores the rise of vGRC (Virtual GRC) services—what they are, how they differ from vCISO offerings, and when organizations should consider fractional models. And of course, no episode would be complete without a pour: this week, a rich Woodford Reserve Double Double Oaked bourbon. Topics Covered New Studio Upgrade: Behind-the-scenes on mics, cameras, and why the couch had to go. Measuring to the Score: The dangers of chasing maturity numbers instead of real security outcomes. Scoping, Rubrics & Auditor Whim: Why assessments are subjective and how leadership often misunderstands the results. Cultural Incentives: How bonuses, compliance checkboxes, and “auditor shopping” distort security reporting. Prepping for New Tools: Setting expectations with leadership when visibility spikes after deploying monitoring or vulnerability tools. Boards and Cybersecurity Expertise: Should cyber knowledge be mandated at the board level—or does it risk creating the illusion of safety? Virtual GRC vs. vCISO: What fractional GRC services really deliver, how they differ from vCISO roles, and why naming clarity matters. Bourbon Review: Woodford Reserve Double Double Oaked — syrupy, smooth, and perfect for a holiday pour. Hosts Justin LeaplineJoe WynnRick Yocum Connect with Us 🌐 Website: distilledsecuritypodcast.com 🐦 Twitter: @DisSecPod 📧 Email: hello@distilledsecuritypodcast.com

    1h 54m

  6. 08/06/2025

    Episode 15: Community Building, Art of Convincing, and GTD Strategies

    🎙️ Welcome back to the Distilled Security Podcast! In this episode, hosts Justin Leapline, Joe Wynn, and Rick Yocum sit down with James Ringold (Senior Security Cloud Solution Architect at Microsoft and President of ISSA Pittsburgh) to talk all about building stronger cybersecurity communities. From the behind-the-scenes of BSides Pittsburgh 2025 to engaging the next generation through mentorship and student-led talks, this episode offers practical insights on how to grow inclusive, vendor-neutral spaces that truly support people in security. Topics Covered BSides Pittsburgh 2025 HighlightsWhat made this year’s event stand out — from arcade machines and pastries to great speakers and a welcoming atmosphere. Running an Inclusive Security ChapterInsights into leading ISSA Pittsburgh, maintaining momentum, and building a vendor-neutral space that feels open to everyone. The Power of ConsistencyWhy showing up regularly and following through matters when growing a security community. Mentoring the Next GenerationThe importance of mentorship chains, student-led initiatives, and creating low-pressure environments for future leaders. Engaging Students Beyond AttendanceHow to get students truly involved, from submitting talks to building long-term relationships that support career growth. Authenticity and Community BuildingWhy empathy, storytelling, and invitation—not pressure—are essential for creating lasting, supportive security ecosystems. Timestamps: 00:00:00 – Intro & Guest Welcome 00:02:20 – BSides Pittsburgh 2025 Preview 00:24:10 – Building Inclusive Security Communities 00:41:20 – Mentorship & Student Talks 01:11:00 – Whiskey Tasting: Grand Traverse Distillery 01:33:00 – Growing Through Empathy & Local Leadership 01:48:30 – Final Reflections & Outro Links ISSA PittsburghBSides PittsburghHosts Justin Leapline Joe Wynn  Rick Yocum Guest  James RingoldConnect with Us Website: distilledsecuritypodcast.comTwitter: @DisSecPodEmail: hello@distilledsecuritypodcast.com

    1h 54m

  7. 07/08/2025

    Episode 14: AI Risks, Threat Modeling, and The Future of Vibe Coding

    Episode 14 of the Distilled Security Podcast is here! This week, the team welcomes guest John Zeolla, a cybersecurity expert and AI enthusiast, for a deep dive into the risks, realities, and potential of artificial intelligence. Topics include: Shadow AI in the Enterprise: Why business leaders are adopting AI faster than CISOs can assess the risks—and how features are outpacing controls. Third-Party AI Risk: Understanding vendor integrations with ChatGPT and others, and how contracts alone can’t guarantee security. Data Sprawl and Provenance: How uncontrolled data flows and poor identity scoping create dangerous exposure in generative AI platforms. Threat Modeling for AI: Why traditional frameworks like STRIDE still apply—and how techniques like “LLM as a judge” are reshaping modern risk analysis. Hallucinations, Misuse, and Insider Access: From AI-summarized HR documents to leaked board data, the team explores how improper permissions are amplified by intelligent agents. AI in Real Business Use: From customer support chatbots to code review tools, where AI adds value—and where it creates new points of failure. Governance and Culture: The role of CISOs, legal, and finance leaders in aligning AI ambition with responsible oversight. Bourbon Review – Elijah Craig Private Barrel Pick: A smooth 94-proof selection sponsored by Liberty Liquors (MD), bringing sweet caramel and balance to this week’s pour. BSides Pittsburgh Preview: With nearly 1,000 tickets sold, the team teases event highlights, panel interviews, and John's upcoming talk on "vibe coding."Timestamps 00:00 – Welcome & Introductions02:20 – What’s “Shadow AI”?06:45 – Third-Party Risk & AI Integrations11:10 – Contracts ≠ Security14:00 – Data Sprawl & Identity Challenges19:05 – Threat Modeling for AI23:40 – “LLM as a Judge” in Risk Analysis28:15 – Hallucinations & Misuse Scenarios33:00 – Insider Access Amplified by AI36:30 – Real-World Use Cases (Chatbots, Code Review, etc.)41:55 – Governance, Culture & CISO Alignment48:20 – Bourbon Review: Elijah Craig Private Barrel52:30 – BSides PGH Preview & John’s “Vibe Coding” Talk57:00 – Final Thoughts & Wrap-Up Hosts Justin Leapline – LinkedInJoe Wynn – LinkedInRick Yocum – LinkedInGuest John Zeolla – Zenable.ioConnect with Us Website: distilledsecuritypodcast.comTwitter: @DisSecPodEmail: hello@distilledsecuritypodcast.com

    1h 23m

  8. 06/13/2025

    Episode 13: Insider Threats, the CISO's Role, and Reporting Lines

    Episode 13 of the Distilled Security Podcast is here! Join us as we explore: The Coinbase Breach: A breakdown of Coinbase’s recent insider-driven breach, including social engineering, bribery of offshore contractors, and how the company responded publicly and operationally.Building Insider Threat Programs: The crew shares practical approaches to detecting insider misuse, behavioral monitoring, and the potential for "job descriptions as code."CISO Liability and Insurance: Discussion on the evolving legal exposure for CISOs, personal liability, and whether directors and officers (D&O) insurance is a must-have.Board-Level Cyber Risk: Should cybersecurity roll up to the audit committee or its own risk committee? The team explores where security leadership best fits in organizational governance.Communication and Legal Risk: How careless comments—public or internal—can be used against organizations, and why CISOs and leaders must strike a balance between transparency and caution.Modern Risk Management: Turning technical issues into business risk conversations, why documentation matters, and how strong risk communication can help CISOs avoid being scapegoated.BSides Pittsburgh Update: With over 600 tickets already sold, the team gives updates on ticket tiers, t-shirts, speaker schedules, and why you should register by June 13.Bourbon Review – Widow Jane Lucky 13: To celebrate episode 13, the crew samples Widow Jane Lucky 13—a smooth, toffee-forward bourbon aged 13 years.Reporting Lines: Where and how security should be structured within the organization, from effectiveness to liability and more.Hosts Justin Leapline - LinkedInJoe Wynn - LinkedInRick Yocum - LinkedInConnect with Us Website: Distilled Security PodcastTwitter: @DisSecPodEmail: hello@distilledsecuritypodcast.com

    1h 23m
See All (21)

Trailer

About

Join us on Distilled Security as we delve into the fascinating world of cybersecurity. Each episode, we break down intriguing topics, analyze the latest news, and engage in in-depth conversations with our hosts and invited guests. Whether you're a seasoned professional or just curious about cybersecurity, our podcast offers valuable insights and thought-provoking discussions to keep you informed and entertained. Tune in and stay ahead of the curve in the ever-evolving landscape of cybersecurity.

Information

  • Creator
    Justin Leapline, Joe Wynn, and Rick Yocum
  • Years Active
    2024 - 2026
  • Episodes
    21
  • Rating
    Clean
  • Copyright
    © 2025 Distilled Security Podcast
  • Show Website
    Distilled Security Podcast