Practical Cybersecurity with Jen Stone

SecurityMetrics

Practical Cybersecurity, hosted by Jen Stone (MCIS, CISSP, CISA, QSA), is the bridge between complex security frameworks and real-world business implementation. Whether you are a "Jack of all trades" IT manager or a business leader with limited resources, this show provides the roadmap to a defensible security posture. 

  1. 2D AGO

    Protecting the House: Why Asset Management and "Storytelling" are Keys to HITRUST. (ep. 5)

    Episode Summary
    In this episode of Practical Cybersecurity, we dive into the complex world of HITRUST certification. Often called the "gold standard" for healthcare security, HITRUST can be a daunting mountain to climb for small and large organizations alike. Jen Stone and experts Peter Briel (Privaxi) and Lee Pierce (SecurityMetrics) break down why scoping is your best friend, why screenshots aren't enough, and why you should never try to "button things down" before talking to an expert.

    Key Discussion Points:
    - What is HITRUST? Unlike HIPAA, which has no formal certification, HITRUST integrates multiple standards (NIST, ISO, etc.) into a "beefy" framework, and a HITRUST certification gives a definitive answer to security and compliance inquiries in the healthcare space.
    - The Three Levels of HITRUST:
      E1: The entry-level assessment with a static set of 44 controls.
      I1: The "leading practices" assessment with roughly 180+ controls.
      R2: The risk-based "gold standard," where the control set is tailored to the organization through factoring and scoping.
    - The "House Alarm" Analogy: You can't protect a house if you don't know how many windows and doors it has. Asset management is the foundation of security; if you don't know what hardware and software you have, you can't secure the perimeter.
    - Common Pitfalls in Certification:
      Overscoping: Fear often leads companies to include too much in their audit, driving up costs and timelines unnecessarily.
      Weak Evidence: Assessors need a "story," not just a screenshot. Evidence must be consistent, repeatable, and include clear date/time stamps.
      The "Never Happened" Trap: Even if you haven't fired anyone or had a breach in years, you must have a documented, tested process for how you would handle those events.
    - The Importance of Readiness: Separation of duties means your auditor can't also be your consultant. Engaging a readiness team early helps you build the foundation correctly the first time, rather than tearing down finished work to meet compliance standards later.

    Expert Tips for Success
    "Don't build it and then do readiness afterwards." — Lee Pierce
    Start the conversation while you are still building your solutions or migrating to the cloud, so that encryption and segmentation meet the standard from day one.
    "Don't rush... it’s not a check-the-box exercise." — Peter Briel
    Focus on building a solid foundation. HITRUST isn't just about the certificate; it's about actually protecting the environment.

    Resources Mentioned
    SecurityMetrics Website: Visit for a quick HITRUST cost assessment and to connect with the readiness and audit teams. https://www.securitymetrics.com/hitrust
    Factoring Tools: Resources to help determine whether you need an E1, I1, or R2 assessment.

    A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club. If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place  But if you just want to learn how to protect yourself for free, start here:  https://academy.securitymetrics.com/

    11 min
  2. MAR 31

    Why Cyber Insurance Claims Get Denied: The $1.4M Reality Check.

    A single data breach now costs a business an average of $1.4 million, according to IBM's annual Cost of a Data Breach report. For a small or medium-sized business (SMB), this hit is often terminal: most companies that suffer a major breach struggle to stay in business longer than six months. In this episode, Matt "Heff" Heffelfinger, Director of SOC Operations at SecurityMetrics, joins us to discuss why many business owners are operating under a false sense of security. We dive into the "Insurance Trap," where carriers deny claims because basic security activities weren't performed, and outline the four critical areas where every small IT team should focus its limited resources. We’re moving past the technical jargon of Security Operations Centers (SOC) to give you a practical, budget-friendly roadmap for cyber hygiene that actually protects your bottom line.

    Key Takeaways:
    - The Insurance Reality Check: Why having a policy isn't enough if you aren't doing the "basics".
    - The 4 Pillars of SMB Focus: Matt breaks down the essential tasks for a team of one: Access Control, Network Scanning, Patch Management, and Basic Cyber Hygiene.
    - Automating Your Defense: How to make one IT person feel like an entire "battalion" using inexpensive automation tools.
    - The 10% Rule: Why allocating 10% of your IT budget to cybersecurity is the tipping point for graduating from "check-the-box" compliance to real security.
    - Anatomy of a SOC: What happens when threat hunters find an "Event of Interest," such as unauthorized traffic heading to Russia at 3:00 AM.
    - The AI Threat: How bad guys are scaling up and automating their attacks, making SMBs easier targets than ever before.

    About Our Guest: Matt Heffelfinger is a Utah-based cybersecurity professional and the Director of SOC Operations at SecurityMetrics. With a career spanning over 20 years, starting at the helpdesk at TJ Maxx and Marshalls during their historic 2006 breach, Matt brings a unique "boots on the ground" perspective to protecting small businesses.

    Resources Mentioned:
    SecurityMetrics SOC Services: https://www.securitymetrics.com/pulse
    IBM Cost of a Data Breach Report 2025: https://www.ibm.com/think/insights/data-matters/cost-of-a-data-breach
    SecurityMetrics Certifications: PCI QSA | ASV | PFI | HITRUST | Forensic Investigator
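    The "Event of Interest" in the takeaways above (outbound traffic to an unexpected country in the middle of the night) is the kind of rule a small team can automate. The following is an added illustration, not code from the episode or from SecurityMetrics' SOC: it scans constructed outbound flow records and flags any that are both outside business hours and headed to a country not on an approved list. The approved-country set, the business-hours window, the log line format and the GeoIP lookup table are all assumptions made for the example; a real deployment would replace the stub table with a GeoIP database and feed it actual firewall or NetFlow exports.

```python
# Added example (not from the episode or SecurityMetrics): a minimal
# "event of interest" check over outbound flow records. It flags flows that
# are BOTH off-hours AND destined for a country outside the approved list.
# All data below is constructed; the GeoIP lookup is a stub, not a real DB.
from dataclasses import dataclass
from datetime import datetime, time

# Assumption: the organisation only does business with these countries.
APPROVED_COUNTRIES = {"US", "CA"}
# Assumption: local business hours; anything outside this window is off-hours.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

# Stand-in for a GeoIP database. These are RFC 5737 documentation prefixes,
# labelled with arbitrary country codes purely for the example.
GEOIP_STUB = {
    "203.0.113.": "RU",
    "198.51.100.": "US",
    "192.0.2.": "CA",
}


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def country_of(ip: str) -> str:
    """Longest-prefix-free stub lookup; '??' when the address is unknown."""
    for prefix, cc in GEOIP_STUB.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_flow(line: str) -> Flow:
    # Constructed log format: "<ISO timestamp> <src> <dst> <dport> <bytes_out>"
    ts, src, dst, dport, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes))


def is_off_hours(ts: datetime) -> bool:
    t = ts.time()
    return not (BUSINESS_START <= t < BUSINESS_END)


def events_of_interest(lines):
    """Return (flow, reason) pairs for outbound flows that are off-hours and
    go to a country not on the approved list. Unknown countries ('??') are
    treated as unapproved so a missing GeoIP entry never hides traffic."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        cc = country_of(flow.dst)
        if cc not in APPROVED_COUNTRIES and is_off_hours(flow.ts):
            hits.append((flow, f"off-hours egress to {cc} on port {flow.dport}"))
    return hits


# Constructed sample: one 3 AM transfer to the "RU" prefix, a daytime
# connection to the same host, and two off-hours flows to approved countries.
SAMPLE_LOG = """
2025-03-30T03:02:11 10.0.0.15 203.0.113.7 443 1843200
2025-03-30T10:15:00 10.0.0.15 203.0.113.7 443 20480
2025-03-30T03:05:42 10.0.0.22 198.51.100.9 443 4096
2025-03-30T22:40:00 10.0.0.30 192.0.2.44 22 512
""".strip().splitlines()

if __name__ == "__main__":
    for flow, reason in events_of_interest(SAMPLE_LOG):
        print(f"{flow.ts.isoformat()} {flow.src} -> {flow.dst}: {reason}")
```

    Only the first sample line is reported; the daytime connection to the same host is deliberately left to a lower-priority rule, since requiring both conditions keeps the alert volume manageable for a one-person team. Treating an unknown country as unapproved is the safe default: a gap in the lookup table should surface traffic, not suppress it.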

    13 min
  3. MAR 17 ·  BONUS

    Pressure Testing Your IRP: Why "Calling IT" Isn't a Plan (Part 2)

    What happens when the news cameras show up and your business grinds to a halt? Donna Grindle, CEO of Kardon, returns to discuss the "hair on fire" reality of a data breach. We move past the paperwork to explore why "calling IT" isn't a plan, the hidden costs of notification letters, and how insurance mazes can complicate your recovery.

    Key Takeaways
    - "Call IT" is Not a Plan: During a breach, IT will be busy containing the threat; you need an operational plan for when systems and phones go dark.
    - The Paperwork Trap: Reverting to paper records stops cash flow because you aren't sending claims or bills, and you eventually have to manually re-enter all that data.
    - Media & Legal Circus: If more than 500 individuals are affected, HIPAA's Breach Notification Rule requires you to notify prominent media outlets as well as the affected individuals and HHS. This often triggers immediate "ambulance chaser" lawsuits on social media.
    - Tabletop Exercises: Don't find gaps in your plan during a crisis. Run practice drills to know who is authorized to speak for the company and what vendors to call.
    - Insurance Realities: Open claims immediately to protect legal privilege, but be ready for insurance-mandated vendors that may span several time zones.

    "Take ownership of it. Don't assume that somebody else in your office is handling it... You will likely lose your business or be on the verge of it if you are not prepared in some way." — Donna Grindle

    Key Concepts:
    Security Incident vs. Data Breach - A security incident is a panic-inducing event that requires investigation, but it may or may not officially escalate into a data breach that requires regulatory reporting.
    Incident Response Plan (IRP) - A comprehensive strategy that covers far more than just IT recovery; it must dictate how you communicate with employees, vendors, and clients during a crisis.
    Tabletop Exercise - A low-stakes practice run of your Incident Response Plan to poke holes in it before an actual emergency. It helps you figure out exactly who is in charge, who you are calling, and who is authorized to speak publicly.

    Links:
    Kardon: https://kardonhq.com/
    Help Me With HIPAA Podcast: https://helpmewithhipaa.com/

    Timestamps
    00:00 – Intro
    00:54 – Cyber Incidents vs Breaches in a HIPAA Context
    01:26 – Why Operational Continuity Cannot be an IT Responsibility
    03:02 – Questions to Ask During a Tabletop Exercise
    03:50 – Talking to Patients on Facebook
    04:06 – More Questions to Ask During a Cyber Incident
    05:13 – Even "Calling My MSP" Isn't an Incident Response Plan
    05:37 – When a Cyber Incident Becomes a Breach
    06:09 – "Can't We Just Send a Postcard?"
    06:32 – Steps to Respond to a HIPAA Breach
    09:03 – Final Summary: Shifting to Active Security Ownership
    09:59 – Where to Find Donna Grindle & Kardon

    11 min
  4. MAR 17

    Why Your Security Risk Analysis is Probably Wrong (Part 1)

    Are your IT or cloud providers handling your security? Does your site claim you're "HIPAA Compliant"? Donna Grindle, CEO of Kardon and co-host of Help Me With HIPAA, delivers a massive reality check for small business owners. We break down the difference between a gap analysis and a true Security Risk Analysis (SRA), why IT speaks a different language, and how the "CREMATE" method finds your data.

    Key Takeaways
    - Responsibility Can't Be Outsourced: Cloud apps and IT companies don't make you secure; you outsource liability, not responsibility.
    - Real SRA vs. Gap Analysis: If your risk analysis lacks likelihood, impact, and strategy, it’s just a gap analysis, and you're exposed.
    - CREMATE Your Data: Map PHI by tracking where you Create, Receive, Maintain, and Transmit it.
    - Business Associates (BA): If unauthorized access by a vendor would count as a breach, they are a BA.
    - Documentation & AI: Use AI to draft policies from your bullets, but treat it like a fallible assistant and always verify the output.
    - Frameworks: Use HICP 405(d) to get IT and management speaking the same security language.

    "If you put on your website that you're HIPAA compliant, immediately I'm concerned." — Donna Grindle

    Links:
    Kardon: https://kardonhq.com
    Help Me With HIPAA Podcast: https://helpmewithhipaa.com/
    HHS Website: https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/security-awareness-training/index.html
    HICP 405(d) Guidelines: https://405d.hhs.gov/

    Timestamps
    0:00 – Why a "HIPAA Compliant" Badge is a Red Flag
    1:26 – Understanding HIPAA Covered Entities & Obligations
    2:14 – The Difference Between Awareness Training and Security
    3:18 – Why Your SRA Might Just Be a Gap Analysis
    4:40 – Building an Inventory: You Can’t Protect What You Don’t Find
    6:22 – Using the "CREMATE" Method for Data Mapping
    8:21 – Why IT Cannot Be the "Department of No"
    9:40 – Standardizing Communication with the HICP 405(d) Framework
    10:41 – How to Document Your Policies (and Use AI to Help)
    12:39 – The Easy Way to Tell if a Partner is a Business Associate
    13:50 – Business Associate Red Flags

    15 min
  5. MAR 3

    Is NIST Too Complex for Small Businesses? Daniel Eliot Weighs In

    "I can’t think about cybersecurity this week; I’m thinking about 1099s." You’re not alone. Many SMBs see the NIST Cybersecurity Framework (CSF) as an overwhelming manual for government contractors, not a local shop or startup. Jen Stone sits down with Daniel Eliot, NIST’s lead for small business engagement. We break down the new NIST CSF 2.0 Small Business Quick Start Guide, a "small-chunk" resource designed for under-resourced organizations to move from chaos to a structured program.

    In this episode:
    - Why having "everyone" responsible means "nobody" is.
    - How to build a "reasonable" security program while managing payroll and daily operations.
    - Why taking security seriously helps you win bigger contracts and scale safely.
    - The exact steps (MFA, patching, backups, and more) that even large orgs get wrong.

    NIST Resources
    NIST (National Institute of Standards and Technology): https://www.nist.gov/
    Small Business Cybersecurity Corner: https://www.nist.gov/itl/smallbusinesscyber
    NIST CSF 2.0 (Cybersecurity Framework): https://www.nist.gov/cyberframework
    Small Business Quick Start Guide: https://www.nist.gov/publications/nist-cybersecurity-framework-20-small-business-quick-start-guide
    Contact Daniel and his team: smallbizsecurity@nist.gov

    Key Term Definitions
    The 6 Functions: The CSF 2.0 core is organized into Govern, Identify, Protect, Detect, Respond, and Recover.
    MFA: Multi-Factor Authentication, which requires a second proof of identity beyond a password and is essential for account access.
    Patching: Updating software to fix known security "holes" before attackers exploit them.
    MSP/MSSP: Managed Service Provider / Managed Security Service Provider, outside firms you can hire to run IT and security operations when you have no in-house team.

    Timestamps
    00:00 – Many hats of small business owners
    00:26 – Daniel Eliot and NIST’s Mission
    02:25 – Exploring the Small Business Cybersecurity Corner
    03:20 – What is the NIST CSF?
    04:26 – The Small Business Quick Start Guide for CSF 2.0
    06:52 – How to Identify Your Most Critical Assets
    09:56 – When to Seek Help: Engaging MSPs and Local Resources
    10:52 – Defining a "Successful" Cybersecurity Program
    13:21 – Essential Fundamentals: MFA, Patching, and Backups
    15:35 – How to Engage Directly with NIST

    Jen Stone (MCIS, CISSP, CISA, QSA) is a Principal Security Analyst at SecurityMetrics. With 25+ years in IT and 100+ high-level assessments, Jen specializes in making complex compliance actionable for businesses of all sizes. Outside of security, she is an aerial arts enthusiast and motorcycle rider.

    17 min
  6. FEB 17

    "Good Enough" Security for Small Business Budgets

    In this episode of Practical Cybersecurity, host Jen Stone talks with Curt Dukes, EVP and GM of Security Best Practices at the Center for Internet Security (CIS). Drawing on his 30-year career at the NSA, Dukes breaks down how small and medium businesses (SMBs) can implement "good enough" security without unlimited resources. The conversation focuses on Implementation Group 1 (IG1), a prioritized set of safeguards that provide essential "cyber hygiene". Dukes introduces free resources like the CSAT (Controls Self-Assessment Tool) and CIS Workbench to help leaders move past the intimidation of technical jargon and establish a "standard of reasonableness" for their organization's defense.

    CIS Resources
    CIS (Center for Internet Security): The nonprofit organization that creates the global standards discussed in this episode.
    NSA (National Security Agency): The U.S. intelligence agency where Curt Dukes led defensive security efforts for 30+ years.
    IG1 (Implementation Group 1): The essential "Cyber Hygiene" tier of the CIS Controls designed for small businesses.
    CSAT (Controls Self-Assessment Tool): A free web-based application to track and measure your security progress.
    CIS Workbench: A collaborative platform to ask technical questions and get help from the security community.
    CIS RAM (Risk Assessment Method): A free methodology to identify security gaps and prioritize investments based on risk.
    CIS Benchmarks: Free, consensus-based configuration recommendations for OS and network devices.
    MS-ISAC (Multi-State Information Sharing and Analysis Center): The division of CIS providing threat intelligence for state and local governments.
    EI-ISAC (Elections Infrastructure ISAC): A dedicated team at CIS focused on securing election-related systems.
    The Community Defense Model (CDM): A data-driven report proving the effectiveness of the Controls against top cyber attacks.
    The Cost of Cyber Defense: A breakdown of the financial investment needed for various security models.

    16 min
  7. 12/02/2024

    New to PCI Compliance? Get the Support You Need | SecurityMetrics Podcast 106

    Learn more about cyber risks for small businesses. Are you a small-medium business owner? Did you just get a message from your bank telling you to call SecurityMetrics? Are you worried about having a bad experience? Do you know what PCI even means? This episode is for you. Learn how SecurityMetrics can help you navigate this regulatory landscape.

    We'll discuss:
    - Why your processor is making you do PCI compliance: Did you know that nearly half of all cyberattacks target small businesses?
    - What calling into SecurityMetrics looks like: Learn what information you need handy so you can get your compliance done as quickly as possible, and the questions you should ask to get the best service.
    - Support Stories: Discover how other small businesses have successfully leveraged SecurityMetrics to achieve compliance.
    - Tips and Tricks: Get practical advice on how to optimize your PCI compliance efforts and minimize risks, keeping your business and your customers more secure.

    Whether you're just starting your PCI compliance journey or looking to improve your existing processes, this episode will provide valuable insights and actionable advice.

    44 min
5 out of 5 (8 Ratings)
