DrZeroTrust

Dr. Chase Cunningham
Dec 8, 2022 • 31min

Cyber Certifications - The Self Licking Ice Cream Cone of Misery

Why are certs hurting the industry?  Are they really?  How much does it cost to get an entry certification?  Why so much?  Is the process for certifications fair for everyone?  Should companies have a fellowship track for non-manager technologists?  How do we get past this problem?  Is HR in the way of fixing the cyber security hiring crisis?  How hard is it to fix the problem with management and onboarding?  Could a CISO get their own job based on the HR filtering system?  Those questions and more on this episode.
Dec 1, 2022 • 29min

Cyber news and Zero Trust insights for 11/30/2022

Do buyers always configure vendor security solutions correctly?  Is there a magic button to push and then your organization is secure?  Do vendors have no risks or avenues of compromise?  How bad is the MSQL database security that is out there right now (think millions)?  The DoD released its strategy for Zero Trust, what should we take away from that?  Amazon is offering a security data lake recently, is that a good thing?  The White House and Starlink were hit by a threat group via a DDoS attack, so what?  And another attack on an island nation that is now working off of paper to run the government, super.  Those points and more on this episode.
Nov 28, 2022 • 40min

What happens when two former analysts have a real conversation?

A former Forrester analyst and a former Gartner analyst talk about the market and a variety of topics.  Is it a good idea for layoffs to be taking place right now in cyber as the economy takes a dive?  How will that affect our collective security?  What should you know about analyst reports like the Wave or the Magic Quadrant?  Does security product bloat actually hurt operational capabilities?  Should automation be everywhere?  How does strategy start, and where?  Why do customers still run towards point solutions, rather than broader strategic offerings?  What about the new book "The Art of Selling Cybersecurity"?  Those questions and more on this one.
Nov 17, 2022 • 31min

Cyber news and Zero Trust insights for 11/17/2022

Zscaler has come up with their own certification for Zero Trust.  Is that a good thing?  What else is up with Medibank and how bad is the security for the Australian government that is pushing the formation of these new "hack back" teams?  Is that even a thing?  China is using universities to plunder research and intellectual innovations from America, so what?  Why isn't that more of a problem?  Don't we have a means to address this insider threat activity?  Navigation systems for pilots were affected recently, did you hear about that on the news?  Why not?  How much financial impact can one tweet have on a major company?  It's a lot y'all.  Those questions and more on this episode.
Nov 10, 2022 • 28min

Cyber news and Zero Trust insights for 11/9/2022

A noted Russian "leader" openly admits to tampering with elections, does that close the book on whether or not that has happened?  An article on the Hill says that "ignorance" is the issue for legislators regarding cyber.  Is it "ignorance" or willful ignoring of the problem?  With the midterm elections going on surely I can't find potentially insecure and misconfigured election-related systems?  Right?  And surely the company that has been tasked with securing those election networks isn't at risk, right?  The CIO of the US DoD will release their Zero Trust strategy in the coming weeks, what should we take away from that?  And a great article from Andy Ellis on some of the realities of being a CISO in today's business world.  Those points and more on this episode.
Nov 3, 2022 • 29min

Cyber news and Zero Trust insights for 11/2/2022

Banks have paid out a massive multi-billion-dollar-plus sum to ransomware operations, but where does all that money go?  Is crypto entirely to blame?  Dropbox had a compromise issue, but luckily it's never happened before?  Right?  And it's good that it wasn't related to any company's intellectual property.  Oh wait.  And then let's talk about Chegg.  They get the award for continued cyber negligence I think.  But the FTC is now suing them, even though this is the fourth breach in a few years.  Good thing they moved fast.  Why does this keep happening and how are such major companies getting away with ignoring basic best practices?  Those questions and more on this episode.
Oct 27, 2022 • 31min

Cyber news and Zero Trust insights for 10/27/2022

A major insurance provider for millions of people is dealing with a compromise, surely they have buttoned up the easy stuff?  Right?  Wanna bet?  Can I find a misconfigured SSH server that pipes me directly into an adversary nation's internal networks?  Maybe.  More problems with TikTok as it gets reported in Forbes that the company was working to access American citizens' personal location data "without their knowledge".  Uh oh.  How about the new mandates from TSA for the rail companies?  Do those requirements really have teeth and will they help things?  How many standards for compliance and the legal requirements to do business via digital connections are there?  Guess.  FastCompany got hit via the use of really bad passwords, that must have been a really hard problem to solve.  Right?  Those questions and more on this episode.
Oct 19, 2022 • 32min

Cyber news and Zero Trust insights for 10/19/2022

How long does it take to find possibly vulnerable assets online?  About 21 minutes.  Yeah.  Is the OPM data breach "settlement" even worth it?  Surely I can't find admin usernames and passwords with 1234 on the internet, right?  Certainly not for a state or local system, right?  Is data security up to par after a breach?  Why aren't states and local governments willing to work through the paperwork to get a cyber security grant?  That's nuts!  Is the job market getting any better for staffing?  Do trends indicate that?  A free resource for ZT planning, really?  Well, some of it's free but the resources are great.  Do vendors sell "snake oil" or is it more a factor of the market at large and are investors and VCs affecting the ability to execute?  Those questions and more on this episode!
Oct 13, 2022 • 29min

Cyber news and Zero Trust insights for 10/12/2022

Dell has set up a Zero Trust Center of Excellence, that's pretty cool.  Real investment into strategic technology alignment sounds like a good idea to me.  Disinformation around the Hurricane Ian fiasco.  How can we defend democracy when folks buy into this stuff?  Are you using Reddit to gain insight into your customer experience?  You should be.  How secure is the organization that is forcing me to renew my business and cyber insurance policy, wanna guess?  And what about the Uber CISO issue?  Does that scenario really affect us all?  Those questions and more on this episode.
Sep 29, 2022 • 31min

Cyber news and Zero Trust insights for 9/28/2022

How many VPNs are out there that might have a configuration issue?  Are there any major companies that might be piping threats into their networks (the answer is probably)?  Has Uber fixed the low-hanging fruit from its recent issue?  More ICS and SCADA vulnerable systems aren't out there, right?  Research from Zscaler on the use and adoption of the VPN is interesting, has the tide shifted with this old technology?  Are users really the weakest link, or has the security industry misled that group?  Those questions and more on this one!
