Episodes
To do wide-scale business within the US federal government, cloud service providers (CSPs) need a FedRAMP ATO. The prospect can be daunting, as few CSPs have federal cyber compliance expertise. Misconceptions and misinformation can create additional roadblocks. In this episode, your host John Verry, CBIZ Pivot Point Security Managing Director, sits down with Mike Craig, CEO at Vanaheim Security, who gives clear guidance to business and security leaders on what it takes to get a FedRAMP...
Published 06/20/23
Whatever kind of software application a team is building, the identification and remediation of cybersecurity issues needs to be part of every stage of the software development lifecycle (SDLC). But making that happen takes a wealth of skills and approaches, as well as an eye on compliance and the ability to keep pace with the ever-changing online environment—microservices being a prime example. In this episode, your host John Verry, Pivot Point Security CISO and Managing Partner, sits down...
Published 05/30/23
If you are ISO 27001 certified, or considering it, you are likely wondering how the transition from ISO 27001:2013 to ISO 27001:2022 affects you. With the notable changes, there are many uncertainties. For example, how soon can you get certified to ISO 27001:2022? Can you still get certified to 27001:2013? For anyone already certified, how soon can they transition to ISO 27001:2022? In this episode, your host John Verry, Pivot Point Security CISO and Managing Partner, sits down with Andrew...
Published 05/16/23
In this week's episode of the Virtual CISO podcast, your host John Verry, Pivot Point Security CISO and Managing Partner, shares his valuable insights from the 2023 RSA conference. As the security industry evolves, with an increasing number of vendors and products, John advises against adopting a product-based security strategy. Instead, he recommends having a clear plan to address specific security challenges. Tune in to this episode to learn John's eight key takeaways, the latest...
Published 05/04/23
With the release of President Biden’s Executive Order 14028 on “Improving the Nation’s Cybersecurity” from May 2021 the US public and private sectors have been alerted to the significant cybersecurity risks within our software supply chain. As of the March 2023 release of the National Cybersecurity Strategy, which will shift liability for software products and services to promote secure development practices, it’s evident that software security needs to be elevated across all organizations....
Published 04/25/23
Asset management is a crucial aspect of information security. It refers to the processes and procedures involved in identifying, organizing, tracking, and protecting an organization's assets. The security of these assets is paramount, as you can't protect what you don't know about. To learn more about how to fix cyber asset management, your host John Verry sits down with Huxley Barbee, Security Evangelist at runZero, to discuss the importance of asset management, how it's a critical...
Published 04/11/23
DevSecOps is the practice of integrating security testing at every stage of the software development process. With DevSecOps, training and educating all teams in risk, security, and mitigation at all stages of development is a top priority. Traditionally, app developers don't pay much attention to security, which increases the risk of vulnerable code being deployed and the application being compromised. To learn more about DevSecOps in this episode, your host John Verry sits down with...
Published 03/28/23
Microsoft 365 was launched in 2011 in hopes of revolutionizing cloud-powered productivity platforms. Since then, Microsoft 365 has grown to the point where it is now one of the largest cloud-powered productivity platforms on the market, competing with the likes of Google and more. To give organizations a clear picture of their Microsoft 365 options, your host John Verry sits down with Conrad Agramont, CEO of Agile IT, a top Microsoft Cloud Service Provider focusing on Microsoft 365, to...
Published 03/14/23
ISO 27001:2022 is the first update to the global "gold standard" for provable cybersecurity in ten years. Notable changes from the 2013 version will likely significantly impact most organizations' Information Security Management Systems (ISMS). In this episode, your host John Verry sits down with Ryan Mackie and Danny Manimbo from Schellman & Co. to explain the most significant changes in ISO 27001:2022 and their potential impacts. Join us as we discuss the following: How to...
Published 02/28/23
The “buzz” in building more secure applications is “shift security left,” which means integrating security into and throughout the Software Development Lifecycle (SDLC). The Software Assurance Maturity Model (SAMM) is an excellent tool from OWASP that provides a framework for assessing and improving your development processes, resulting in more secure applications. In this episode, your host, John Verry, CISO and Managing Partner at Pivot Point Security, sits down with Sebastien...
Published 02/14/23
Trusted Information Security Assessment Exchange (TISAX) is a vendor due diligence standard used in the automotive industry to verify that third-party suppliers’ cybersecurity programs provide adequate protection for the information the automotive supplier shares. In this episode, your host John Verry, CISO and Managing Partner at Pivot Point Security, sits down with Ed Chandler, Account Executive and Cybersecurity lead for TÜV SÜD America, who provides answers and explanations to what...
Published 01/31/23
In today's cyber landscape, business leaders and security professionals need every edge they can gain to better protect their organizations and plan their defense against attackers. Why do hackers do what they do? What are they trying to steal from you? Who do they partner with to make money and avoid getting caught? In this episode, your host John Verry, CISO and Managing Partner at Pivot Point Security, sits down with Raveed Laeb, Vice President of Product for KELA, who provides answers...
Published 01/17/23
Orgs in the DIB need to protect CUI in alignment with the NIST 800-171 cybersecurity standard—and soon the Cybersecurity Maturity Model Certification (CMMC) requirements—or face legal and compliance penalties as well as potential lost business. To clarify the biggest questions and reveal the most dangerous unknowns in the convoluted realm of CUI, your host John Verry, Pivot Point Security CISO and Managing Partner, sits down with Stephanie Siegmann, Partner and Chair at Hinckley Allen to...
Published 01/03/23
Over 90% of security breaches in the public cloud stem from user error, not from the cloud service provider. Today, your host John Verry sat down with Amazon Web Services' (AWS) own Temi Adebambo to understand what is going wrong with public cloud security and how you can eliminate your biggest risks. This episode features Temi Adebambo, Head of Security Solutions Architecture at Amazon Web Services (AWS), who explains exactly what's going wrong with public cloud security, how users can...
Published 12/20/22
Managing cybersecurity through an economic downturn is no easy task. With increasing concerns about how to stay secure and compliant in a down economy, John Verry tackles this podcast himself, giving you his ten best fundamental practices. This episode features your host John Verry, CISO & Managing Partner at Pivot Point Security, who provides answers and explanations to a variety of questions regarding how to stay compliant and secure, and how to budget, in a down economy. Join us as we...
Published 12/13/22
Building cloud-native applications can bring about many operational and security problems. Today, we sat down with an expert in this field to talk about building cloud-native applications and deploying applications that are secure in the cloud. This episode features Fausto Lendeborg, Co-Founder & CCO at Secberus, who provides answers and explanations to a variety of questions regarding building applications in the cloud, deploying applications securely in the cloud, and much...
Published 11/29/22
Digital business risk management helps companies track and disrupt the most advanced bad actors. Team Cymru specializes in digital business risk management and attack surface management, giving clients insight and help relating to cyber threats. This episode features David Monnier, Chief Evangelist and Team Cymru Fellow at Team Cymru, who provides answers and explanations to a variety of questions regarding business risk management, attack surface management (ASM), and much more. Join...
Published 11/15/22
Governance, Risk, and Compliance (GRC) platforms can be tricky to construct. Today, we sat down with an expert in this field to talk about building and deploying secure applications in the cloud. This episode features Jeff Schlauder, Information Security Executive at Catalina Worldwide, who provides answers and explanations to a variety of questions regarding deploying applications securely in the cloud, using AWS (Amazon Web Services), and much more. Join us as we discuss: · Building...
Published 11/01/22
You cannot have privacy without security. While they once existed quite distinct from one another, they are now so delicately woven together that they are nearly indistinguishable. Over time, the GDPR has cemented the relationship between physical security and information security, and now it is incorporating data privacy. This compliance triad has become the new normal for businesses everywhere, but what does it mean? Rosemary Martorana, Chief Privacy Officer at Corning, joined me to discuss the...
Published 10/25/22
CMMC (Cybersecurity Maturity Model Certification) can raise many red flags and concerns. As CMMC rulemaking approaches in 2023, we take a break from our normal podcast and answer the most-asked CMMC questions to date to help ease the unknown. This episode features George Perezdiaz, FedRisk Practice Lead at Pivot Point Security, who provides answers and explanations to a variety of questions we have received regarding CMMC. George is extremely knowledgeable on CMMC topics while being...
Published 10/14/22
This marks our 100th episode of The Virtual CISO and an insightful journey of having the opportunity to hold frank discussions with thought leaders who provide the very best information security advice and insights. I am happy to have invited Dimitri Sirota, CEO & Co-Founder of BigID, to walk through BigID's approach to privacy, security, and data governance on this momentous occasion. Join us as we discuss: The merits of gathering data beyond the usual locations Why...
Published 09/13/22
Supply chain risk management can prove to be a slippery slope: why should you take pains to conduct a proper risk assessment, and how does it impact IT and business continuity? From international restrictions to balancing generic and specific risk assessments, any guidance is welcome in the world of supply chain management. I invited Willy Fabritius, Global Head of Strategy & Business Development, Information Security Assurance at SGS, onto the show to provide insights into supply chain...
Published 08/30/22
What are the merits of the Software Assurance Maturity Model (SAMM), and how does it differ from the Application Security Verification Standard (ASVS)? And why should you care? From design to operations, there are several crucial considerations regarding business functions and use cases. I invited Taylor Smith, Application Penetration Testing Lead at Pivot Point Security, onto the show to provide insights into SAMM, including definitions, the differences between SAMM, ASVS,...
Published 08/16/22
Application development is moving from a web-centric world to an API-centric world. If you're wondering what that looks like, what the security implications are, and what an API is, you're in the right place. There is no shortage of new application security strategies to familiarize ourselves with as cybersecurity adapts to changing times. That's why I invited Rob Dickinson, CTO at Resurface Labs, to explain APIs, continuous API operation observability, and prevalent challenges in the API...
Published 08/09/22
Most recognize the value preservation in cybersecurity. But forward-thinking professionals also see the value creation in having a secure information posture. Cybersecurity is the foundation of preserving sensitive data and providing peace of mind, but does it create value for the organization, and if so, how do we measure that value? Tracking the return on investment in cybersecurity can be challenging. Much like auto insurance, you gain the most obvious value when something goes...
Published 08/02/22