GRC Academy

Do you use Android at work, but don't really understand it?

In this episode Hahna Kane Latonick teaches an Android cybersecurity masterclass for cyber GRC teams:

Here are a few highlights from this episode:

• How the Android project is managed
• How Android devices are compromised
• The many steps to update Android devices
• Most important steps to secure Android devices
• Is Apple more secure than Android?

Hahna is the Director of Security Research at Dark Wolf Solutions. Some of her focuses include Android reverse engineering and exploit development. She has been featured on national media outlets including Fox Business News, ABC News, and many others!

Too often companies integrate mobile devices at work without truly understanding how they work and the risks involved.

Hahna explained these concepts so well! And of course, we had some back and forth on what is more secure, Android or Apple.

I really enjoyed this episode and learned more about Android myself! What were your takeaways?

Follow Hahna on LinkedIn: https://www.linkedin.com/in/hahnakane/

Dark Wolf Solutions Website: https://darkwolfsolutions.com/

Android Security Research Playbook: https://asrp.darkwolf.io/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Experience questionnaire automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e38&utm_campaign=courses

#android #cybersecurity #informationsecurity

Introducing the Penn State Whistleblower.

In this episode, the whistleblower explains how he tried to stop Penn State from misrepresenting their NIST 800-171 compliance to the DoD and what he has faced since he blew the whistle!

Whistleblower attorney Julie Bracker also shares what the media got wrong in this case and the latest on the Georgia Tech FCA case!

Here are a few highlights from this episode:

- Hear directly from the whistleblower in this False Claims Act case

- What the media got wrong

- Recommendations to universities

- Advice for other whistleblowers

Matthew Decker was the Chief Information Officer at the Applied Research Laboratory at Penn State from 2015 until 2023 and the interim Vice Provost and CIO responsible for all of Penn State from January 2016 until September 2016. Matthew currently serves as the Chief Data and Information Officer at NASA’s Jet Propulsion Laboratory since 2023.

It was fascinating to learn that the university assumed compliance with their own AD95 security policy meant they were automatically compliant (at least to some measure) with NIST 800-171. This is a great reminder that the details always matter!

Special thanks to Matt for sharing his story with us, and to Julie Bracker for coordinating this interview!

Follow Julie on LinkedIn: https://www.linkedin.com/in/juliekeetonbracker/

Bracker & Marcus LLC Website: https://www.fcacounsel.com/

Connect with Matt on LinkedIn: https://www.linkedin.com/in/matt-decker-cio/

Whistleblower's Handbook: https://www.amazon.com/New-Whistleblowers-Handbook-Step-Step/dp/1493028812/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Experience questionnaire automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e37&utm_campaign=courses

#whistleblower #cmmc #cybersecurity

Confused about Microsoft 365 and DFARS/CMMC compliance?

In this episode, I speak with Richard Wakeman, Chief Architect for cybersecurity of Aerospace & Defense @ Microsoft!

We discuss the history of the government clouds, the need behind GCC and GCC High, and much more!

Here are some highlights:

• The origins of the Microsoft clouds
• Which clouds support DFARS 7012 compliance
• When will GCC High be FedRAMP authorized?
• CUI enclave considerations

Richard is a wealth of knowledge, and I have personally benefited from his compliance blog articles since at least 2020!

If you are currently operating in the Microsoft cloud or are trying to decide which Microsoft cloud to buy, you won't want to miss this!

Were you aware that GCC High isn't FedRAMP authorized yet? What about Microsoft 365 commercial not being compliant with DFARS 7012?

Whatever your thoughts are, let me know!

Follow Richard on LinkedIn: https://www.linkedin.com/in/wakeman/

Microsoft Cloud compliance article: https://techcommunity.microsoft.com/t5/public-sector-blog/understanding-compliance-between-commercial-government-dod-amp/ba-p/4225436

Microsoft 365 Roadmap: https://www.microsoft.com/en-us/microsoft-365/roadmap

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Experience questionnaire automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e36&utm_campaign=courses

Is your MSP a cybersecurity liability?

In this episode, I speak with Brian Hubbard, President of Evolved Cyber Solutions and the MSP Cybersecurity Exchange!

We discuss the state of MSP cybersecurity and how MSPCyberX is elevating the security posture of MSPs everywhere!

Here are some highlights:

• Why MSPs are so critical to our nation's security
• The inevitable regulations that will target MSPs
• MSPs involvement during CMMC assessments
• How MSPCyberX can help

GRC Academy partnered with MSPCyberX early on to provide CMMC training to its members at a discount! It was great to hear about MSPCyberX's origin story!

If your MSP is not a member of MSPCyberX, it is in your best interest that they join!

Follow Brian on LinkedIn: https://www.linkedin.com/in/brian-scott-hubbard/

Follow MSPCyberX on LinkedIn: https://www.linkedin.com/company/mspcyberx/

MSPCyberX Website: https://www.mspcyberx.com/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Experience questionnaire automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e35&utm_campaign=courses

FREE CMMC gap assessments!! FREE penetration tests!! FREE SOC & incident response!!

This is a hidden CMMC treasure that no one's talking about!

In this episode, I speak with Darren Mott about the FREE cybersecurity services offered to the DIB by the National Cybersecurity Operations Center!

Here are some of the FREE services they offer:

• CMMC gap assessments
• Penetration testing
• SOC & Incident response
• Forensic analysis
• Threat intelligence

I had no idea the National CSOC existed! This is an AMAZING opportunity that small defense contractors should take advantage of quickly before they reach capacity!

On another note, I actually listened to Darren's podcast when it first came out. I never thought I'd actually host a podcast let alone speak with him!

Follow Darren on LinkedIn: https://www.linkedin.com/in/darrenmott/

The CyBUr Guy Podcast: https://podcasts.apple.com/us/podcast/the-cybur-guy-podcast/id1526491250

National CSOC Website: https://nationalcsoc.com/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Experience questionnaire automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e34&utm_campaign=courses

Want a high paying job in GRC? Want to build a powerful GRC team?

In this episode, I spoke with Kenneth Moras, Security GRC Lead at Plaid.

Kenneth has worked in critical GRC roles in big tech companies like Adobe and Meta! He was heavily involved in the cyber response to international regulators after severe breaches.

Here are some highlights:

• What you need to do and know to get a job in GRC
• How to master GRC
• 3 critical skillsets you need in your cyber GRC team
• How regulatory incident response differs from traditional cyber incident response

Kenneth is a true GRC master! His advice for folks wanting to get into GRC is the best I've heard! His tips on building successful GRC teams were excellent as well!

What were your biggest takeaway? Do you agree that GRC teams need technical knowledge? Looking forward to your thoughts!

Follow Kenneth on LinkedIn: https://www.linkedin.com/in/kennethmoras/

Plaid Website: https://plaid.com/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Register for Vanta's webinar on Questionnaire Automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e33&utm_campaign=courses

Throw away your plastic driver's license - digital IDs have entered the chat!

In this episode, I spoke with Dr. Paul Ashley, the CTO of Anonyome Labs.

Paul explains how widespread online surveillance is, the evolution of digital identity from centralized to decentralized models, how digital wallets work, and what big tech doesn't want you to know!

Here are a few highlights from this episode:

• Big tech's surveillance economy
• Evolution of digital identity
• Decentralized Identity
• Global adoption of digital ID wallets - including in the USA!

I had no idea this was happening. More than 20 states in the USA are adopting digital driver's licenses!

It's fascinating to think of how digital IDs could be used personally and at work!

It's also scary to think of how some governments could abuse this technology.

Whatever you think, I'm looking forward to hearing your thoughts!

Follow Paul on LinkedIn: https://www.linkedin.com/in/drpaulashley/

Anonyome Labs Website: https://anonyome.com/

My Sudo App: https://mysudo.com/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Register for Vanta's webinar on Questionnaire Automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e32&utm_campaign=courses

Introducing the Georgia Tech Whistleblowers.

In this episode, the whistleblowers explain how they tried to stop Georgia Tech from allegedly LYING to the government about their NIST 800-171 compliance and what they have faced since they blew the whistle!

Whistleblower attorney Julie Bracker also shares what could come next and how much Georgia Tech may have to pay out!

Here are a few highlights from this episode:

• Hear directly from the whistleblowers in this False Claims Act case
• Details on the "Fictitious" NIST 800-171 SPRS Score
• How much money Georgia Tech might have to pay
• Recommendations to universities
• Advice for other whistleblowers

Both of the whistleblowers have a long history with Georgia Tech and truly care for the institution.

Christopher Craig has worked at Georgia Tech for more than 20 years. He was the Associate Director of Cybersecurity where he managed all central cyber security personnel and built the GRC team until Georgia Tech demoted him to an Enterprise Security Architect.

Kyle Koza worked at Georgia Tech for more than 15 years until he left his role as a Principal Information Security Engineer in 2022. He got his bachelor’s and master's degrees from Georgia Tech and also co-wrote and still teaches a security incident response master's degree course at the university.

I thought Christopher's recommendation (24:37) for universities to centralize their labs was excellent!

How can a university expect to maintain its NIST / CMMC compliance if multiple labs are built and managed by different teams who may not even be familiar with the NIST 800-171 security controls?

I also loved hearing Chris tell us about the support he has received from the cyber community (38:00)! Who in cyber doesn't want to do the right thing? I would like to think those with bad intent are an extremely small percentage.

Special thanks to Christopher and Kyle for sharing their stories with us, and to Julie Bracker for coordinating this interview!

Follow Julie on LinkedIn: https://www.linkedin.com/in/juliekeetonbracker/

Bracker & Marcus LLC Website: https://www.fcacounsel.com/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Register for Vanta's upcoming webinar on Questionnaire Automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e31&utm_campaign=courses

Zero Trust is NOT complicated!

Don't believe me? Let me introduce you to its creator!

In this episode, Jacob speaks with John Kindervag, the creator of Zero Trust.

John is the Chief Evangelist at Illumio where he accelerates awareness and adoption of Zero Trust Segmentation.

In the episode he shares the origin story of Zero Trust starting with his time at Forrester Research. He explains the fundamental principles of Zero Trust, debunks common misconceptions, and how you can implement Zero Trust using a 5-step model.

Here are a few highlights from this episode:

• The broken trust model that has allowed the largest data breaches
• Defining Zero Trust and misconceptions about it
• How to implement zero trust in 5 steps
• "Things Run Amok" poem - if Dr. Seuss wrote about the Internet of Things

John's elevator pitch for Zero Trust is a masterclass in itself.

If you want to convince business leaders to invest in cybersecurity, you have to focus on how that investment will benefit the business. John does exactly that here and we should all take note.

Illumio is a Zero Trust Segmentation company that prevents breaches and ransomware from spreading across hybrid environments. Their platform visualizes traffic flows, automatically sets granular segmentation policies, and isolates critical assets and compromised systems. Founded in 2013, Illumio protects organizations of all sizes, from Fortune 100 to small businesses.

Follow John on LinkedIn: https://www.linkedin.com/in/john-kindervag-40572b1/

Illumio Website: https://www.illumio.com/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Register for Vanta's upcoming webinar on Questionnaire Automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e30&utm_campaign=courses

Introducing the Cisco Whistleblower.

In this episode, Jacob speaks with lawyer Hamsa Mahendranathan about the FIRST cybersecurity False Claims Act (FCA) lawsuit that reached a settlement!

This goes all the way back to 2008 believe it or not… The lawsuit was FINALLY settled in 2019!

As we all know, the DoJ has intervened in the Georgia Tech NIST 800-171 FCA whistleblower complaint.

Wonder what the whistleblowers may be dealing with? Maybe you want to blow the whistle yourself and don't know what to expect?

Here are a few highlights from this episode:

• How Hamsa's client unwittingly became a whistleblower
• The fallout he experienced for doing the right thing
• Mitigations for career consequences of blowing the whistle
• The complexity of working with federal, state, and local False Claim Act laws

And so much more!

If you are interested in the False Claims Act and cyber compliance, you won't want to miss this one! This episode is truly one for the history books!

Read the whistleblower complaint: https://cdn.grcacademy.io/web/20240824091900/us-ex-rel-glenn-vs-cisco-fca-complaint.pdf

Follow Hamsa on LinkedIn: https://www.linkedin.com/in/hamsa-mahendranathan/

Whistleblower Partners Website: https://www.whistleblower.law/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Register for Vanta's upcoming webinar on Questionnaire Automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e29&utm_campaign=courses