Trust vs.

Cybercrime isn’t just evolving, it’s industrializing. In this explosive season finale, Trust vs. is joined by one of cybersecurity’s most respected voices: Tom Kellermann, HITRUST’s new VP of Cyber Risk. Drawing on decades of experience advising the Secret Service, the World Bank, and the White House, Tom unpacks how today’s cyber cartels have outgrown narco-trafficking empires, how AI is transforming attacker tactics, and what the “axis of evil” looks like in cyberspace. From ransomware with backdoors to island-hopping attacks and the myth of hackers simply walking away, Tom explains why security needs to be dynamic, threat-informed, and elevated to the C-suite now. Meet Ryan: https://www.linkedin.com/in/ryan-patrick-3699117a/Meet Jeremy: https://www.linkedin.com/in/jeremyhuvalMeet Tom: https://www.linkedin.com/in/tomkellermann/

In this episode of Trust vs., cybersecurity law expert Cristin Flynn Goodwin joins the show to break down some of the most nuanced (and misunderstood) topics in cyber: active defense, regulation, and the legal implications of emerging tech like agentic AI. With over 17 years at Microsoft leading incident response and threat intel, Cristin shares what it really takes to disrupt nation-state actors, why “hacking back” is more emotional than practical, and how regulations like the EU Cyber Resilience Act are reshaping third-party risk. She also looks ahead to what may be the most complex challenge yet: governing AI agents in an identity-driven world. Meet Ryan: https://www.linkedin.com/in/ryan-patrick-3699117a/Meet Jeremy: https://www.linkedin.com/in/jeremyhuvalMeet Cristin: linkedin.com/in/cristin-flynn-goodwin-24359b4Cristin’s Podcast "Advancing Cyber": https://advancingcyber.com/

Autonomous AI agents are no longer science fiction, they’re already reshaping how we work, build, and protect digital systems. In this episode, Jeremy Huval and Ryan Patrick are joined again by Richard Diver, Security and Identity Strategist at Microsoft, to break down what "agentic AI" really means and why it matters now. Richard unpacks the core building blocks of agent behavior (like entitlements, autonomy, and memory) and shares where the biggest risks lie as organizations rush to adopt agent-based systems. From identity sprawl to memory poisoning and the need for lifecycle management, this episode gives insights for security and GRC leaders who want to get ahead of the next wave of AI-driven innovation.Meet Ryan: https://www.linkedin.com/in/ryan-patrick-3699117a/Meet Jeremy: https://www.linkedin.com/in/jeremyhuvalMeet Richard Diver: https://www.linkedin.com/in/rdiver/

Compliance shouldn’t come at the cost of security. In this episode, Leah McGrath (Executive Director, GovRAMP) and Brian Conrad (Director of Global Strategic Compliance Initiatives at Zscaler, formerly of FedRAMP) join the Trust vs. team to talk about multi-framework fatigue, the future of recognition and reciprocity, and why real cybersecurity progress depends on collaboration—not just more certifications. Hosted by HITRUST’s Ryan Patrick and Jeremy Huval, this episode dives deep into how public and private sectors can work together to reduce redundancy and get back to the real work: protecting critical systems and data.Meet Ryan: https://www.linkedin.com/in/ryan-patrick-3699117a/Meet Jeremy: https://www.linkedin.com/in/jeremyhuvalMeet Leah: https://www.linkedin.com/in/leah-mcgrath-in/Meet Brian: https://www.linkedin.com/in/brianhconrad/

SOC 2 might be everywhere, but is it actually working?In this episode, the Trust vs. team welcomes cybersecurity leader, author, and GRC engineer AJ Yawn to break down the state of SOC 2 today and why its greatest strength may also be its biggest weakness. AJ brings years of hands-on experience in auditing, engineering, and startup leadership to explain how SOC 2 shifted from a signal of security to a sales checkbox and what that means for TPRM. We talk about flexibility vs. consistency, outdated frameworks, why some SOC 2s are nearly useless, and how organizations can move toward better assurance by asking better questions.Meet Ryan: https://www.linkedin.com/in/ryan-patrick-3699117a/Meet Jeremy: https://www.linkedin.com/in/jeremyhuvalMeet AJ: https://www.linkedin.com/in/ajyawn/Read AJ’s Book: https://www.amazon.com/GRC-ENGINEERING-AWS-Hands-Engineering/dp/B0FDLZX4BP

You can’t plan for everything, but you can build for resilience. In this episode, the Trust vs. team sits down with cybersecurity leader Wendy Nather to explore the human side of resilience. From real-world chaos and crisis response to succession planning, decision authority, and chaos engineering, Wendy shares hard-earned wisdom on what it takes to build organizations that can bend but not break.We talk about why most planning is too rigid, why psychological safety matters in cyber incidents, and how improvisation is  often a critical security skill. Meet Ryan: https://www.linkedin.com/in/ryan-patrick-3699117a/Meet Jeremy: https://www.linkedin.com/in/jeremyhuvalMeet Robert: https://www.linkedin.com/in/robertbooker/Meet Wendy: https://www.linkedin.com/in/wendynath

If AI is already in your cybersecurity stack, are you managing the risk?In this episode, the Trust vs. team sits down with Donnie Wendt, a Cybersecurity Researcher, and author of The Cybersecurity Trinity to talk about the growing risk surface AI creates. From data poisoning and third-party ML vulnerabilities to the real-world limits of vendor questionnaires, Donnie breaks down why traditional security frameworks fall short in an AI-enabled world. He shares insights from his research, the dangers of skipping AI assurance, and the mindset shift organizations need to secure tomorrow’s tech today.Meet Ryan: https://www.linkedin.com/in/ryan-patrick-3699117a/Meet Jeremy: https://www.linkedin.com/in/jeremyhuvalMeet Robert: https://www.linkedin.com/in/robertbooker/Meet Donnie: https://www.linkedin.com/in/dr-donnie-wendt/ 

What if the way we’ve been measuring cybersecurity risk is fundamentally flawed? Too often, organizations rely on color-coded charts and gut instinct to make critical risk decisions leading to a false sense of confidence and missed opportunities for real insight.In this episode, we’re joined by Douglas Hubbard, creator of the Applied Information Economics (AIE) method and founder of Hubbard Decision Research. Doug is also the author of How to Measure Anything in Cybersecurity Risk, and he breaks down why risk matrices fall short, how most people misunderstand measurement, and what organizations can start doing right now to make smarter, data-driven decisions (no math degree or massive data set required!).Meet Ryan: https://www.linkedin.com/in/ryan-patrick-3699117a/Meet Jeremy: https://www.linkedin.com/in/jeremyhuvalMeet Robert: https://www.linkedin.com/in/robertbooker/Meet Doug: https://www.linkedin.com/in/dwhubbard/Get a copy of How To Measure Anything In Cybersecurity 

Is your third-party risk management process ready for the age of AI? In this episode of Trust vs., Jeremy, Robert, and Ryan sit down with industry leader Laz to unravel the complex (and often chaotic) intersection of artificial intelligence and third-party risk. They explore how AI is amplifying both risk and opportunity in vendor governance, what organizations get wrong about ownership and collaboration, and how to move from reactive defense to strategic offense. Packed with practical insights and bold commentary, this episode challenges listeners to rethink how they're managing risk in a world where AI is already deeply embedded- whether they know it or not.Meet Ryan: https://www.linkedin.com/in/ryan-patrick-3699117a/Meet Jeremy: https://www.linkedin.com/in/jeremyhuvalMeet Robert: https://www.linkedin.com/in/robertbooker/Meet Laz: https://www.linkedin.com/in/iamlaz/

Kicking off Season 3 of Trust vs. with a bang, the team dives straight into one of the most pressing changes on the horizon for healthcare cybersecurity: the proposed updates to HIPAA. Hosts Jeremy Huval, Robert Booker, and new regular voice Ryan Patrick explore what the Notice of Proposed Rulemaking (NPRM) really means for covered entities and business associates. Is this HIPAA 2.0, or just long-overdue regulatory catch-up? The trio unpacks the implications of outdated safeguards, AI blind spots, and the broader need for industry-government collaboration to strengthen trust and assurance in the healthcare ecosystem.Meet Ryan: https://www.linkedin.com/in/ryan-patrick-3699117a/Meet Jeremy: https://www.linkedin.com/in/jeremyhuvalMeet Robert: https://www.linkedin.com/in/robertbooker/