First, I’m a career auditor, and have spent the last 8+ in IT Audit with multiple related credentials (CISA, CySA+, CDPSE) and several more in progress (Security+, Cloud+, CASP+), and focus on a holistic view of IT Risks encompassing GRC, Cybersecurity, and Data Privacy. I’ve executed audits, reviews, and assessments (including the use of various tools and products, such as Kali) in many different industries and environments and at multiple levels of infrastructure (NW, DB, OS) and across many different out-of-the-box, proprietary, and industry-specific Applications and tools. I’ve done work across public and private sector orgs as well.
So, first I’m a big fan of this podcast. From the variety of topics, to the structure. Some episodes are short, and some are long, but the length and content generally complement each other pretty well. Solid job speaking to topics in very real ways, and addressing things in a way that helps quantify the cybersecurity issues we are facing in a very real way. I tend to operate more in the technical details, while this podcast does a great job of making the risks and issues easier for senior execs to understand.
My two criticisms:
- The general use of the term “Hackers”. Hackers are GOOD. Cybercriminals, Threat actors, Nation-state Attackers, Script Kiddies, black hats, etc. are BAD. We must stop referring to these Cybercriminals as HACKERS, and start using the appropriate terms instead of generalizing. Hackers help organizations and companies address vulnerabilities, and defend against the criminals. Hackers respond to incidents, and help implement defense in depth. I could go on here, but you get the idea.
- The focus here seems to be on enabling companies to protect themselves, even when they have completely failed to do their job, and exert due care to identify and respond to risks. We need attorneys who will not simply try to help negligent orgs, but those who want to see individuals protected, and their interests taking precedence over these negligent organizations. I hope there will be topics addressing how individuals can use cybersecurity law to hold organizations accountable, and push for laws that are based on what is moral and ethical and constitutional. I’d also hope for information on this podcast around why it’s unethical for the government to break the law, such as with the NSA and the recent ruling by a judge that its behavior was illegal.
Keep the podcast coming Spencer.