Wed, 19 Oct 2016 15:42:45 GMT - In this podcast, Darrell Keeling, Vice President of Information Security and HIPAA Security Officer at Parkview Health, discusses the knowledge, skills, and abilities needed to become a CISO in today’s fast-paced cybersecurity field.
Mon, 18 Jul 2016 18:10:14 GMT - In this podcast, Edna Conway and John Haller discuss the global value chain for organizations and critical infrastructures and how this expanded view can be used to improve ICT supply chain management, including risks to the supply chain.
Tue, 21 Jun 2016 18:42:04 GMT - In this podcast, Douglas Gray, a member of the CERT Cyber Risk Management team, discusses how to operationalize intelligence products to build operational resilience of organizational assets and services using IPOR.
Wed, 03 Feb 2016 16:59:00 GMT - In this podcast, Gary McGraw, the Chief Technology Officer for Cigital, discusses the latest version of BSIMM and how to take advantage of observed practices from high-performing organizations.
Wed, 23 Dec 2015 17:06:00 GMT - In this podcast, Nader Mehravari and Julia Allen, members of the CERT Cyber Risk Management team, discuss an effective approach for defining a CISO team structure and functions for large, diverse organizations.
Mon, 09 Nov 2015 14:53:00 GMT - In this podcast, Chip Block, Vice President at Evolver, discusses the growth of the cyber insurance industry and how it is beginning to drive the way that organizations manage risk and invest in technologies.
Thu, 01 Oct 2015 18:21:51 GMT - In this podcast, Sean Sweeney, Information Security Officer (ISO) for the University of Pittsburgh (PITT), discusses their use of the NIST (National Institute of Standards and Technology) CSF (Cybersecurity Framework).
Thu, 27 Aug 2015 19:31:54 GMT - In this podcast, Dr. Richard Young, a professor with CMU, and Sam Perl, a member of the CERT Division, discuss their research on how expert cybersecurity incident handlers react when faced with an incident.
Thu, 26 Mar 2015 14:16:28 GMT - In this podcast, Matt Butkovic and John Haller discuss approaches for more effectively managing supply chain risks, focusing on risks arising from “external entities that provide, sustain, or operate Information and Communications Technology (ICT).”
Fri, 20 Feb 2015 12:59:00 GMT - This podcast summarizes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences planning and executing the workshop and identifying improvements for future offerings.
Thu, 08 Jan 2015 20:20:00 GMT - In this podcast, Jim Cebula and David White discuss cyber insurance and its potential role in reducing operational and cybersecurity risk.
Tue, 07 Oct 2014 13:13:19 GMT - In this podcast, James Cebula describes how to use a taxonomy to increase confidence that your organization is identifying cyber security risks.
Thu, 29 May 2014 12:10:59 GMT - In this podcast, Jose Morales discusses how to prioritize malware samples, helping analysts to identify the most destructive malware to examine first.
Tue, 25 Mar 2014 13:25:00 GMT - In this podcast, the presenters discuss IT risk assessment and analysis, and comparison factors for selecting methods that are a good fit for your organization.
Tue, 11 Feb 2014 18:40:05 GMT - ES-C2M2 helps improve the operational resilience of the U.S. power grid.
Tue, 07 Jan 2014 17:45:00 GMT - In this podcast, Robert Seacord describes the CERT-led effort to publish an ISO/IEC technical specification for secure coding rules for compilers and analyzers.
Tue, 26 Nov 2013 17:12:01 GMT - In this podcast, the presenters explain how CRRs allow critical infrastructure owners to compare their cybersecurity performance with their peers.
Tue, 27 Aug 2013 19:05:08 GMT - In this podcast, Rich Caralli explains how maturity models provide measurable value in improving an organization's cybersecurity capabilities.
Tue, 30 Jul 2013 16:52:11 GMT - In this podcast, Gene Kim explains how the "release early, release often" approach significantly improves software performance, stability, and security.
Tue, 11 Jun 2013 16:14:37 GMT - In this podcast, the participants describe four experience reports that demonstrate how the CERT-RMM can be applied to manage operational risks.
Thu, 09 May 2013 17:42:57 GMT - In this podcast, Dave Mundie explains why a common language is essential to developing a shared understanding to better analyze malicious code.
Tue, 26 Mar 2013 18:08:03 GMT - In this podcast, Joe Mayes discusses how to ensure the security of personal mobile devices that have access to enterprise networks.
Thu, 28 Feb 2013 20:22:27 GMT - In this podcast, participants explain how 371 cases of insider attacks led to 4 new and 15 updated best practices for mitigating insider threats.
Thu, 31 Jan 2013 16:47:53 GMT - In this podcast, Nader Mehravari describes how governments and markets are calling for the integration of plans for and responses to disruptive events.
Wed, 19 Dec 2012 19:54:13 GMT - In this podcast, Nader Mehravari describes how today's high-risk, global, fast, and very public business environment demands a more integrated approach.
Tue, 23 Oct 2012 14:25:44 GMT - In this podcast, participants discuss how a network profile can help identify unintended points of entry, misconfigurations, and other weaknesses.
Tue, 25 Sep 2012 14:27:00 GMT - In this podcast, Greg Crabb explains how CERT-RMM can be used to establish and meet resilience requirements for a wide range of business objectives.
Tue, 21 Aug 2012 18:57:30 GMT - In this podcast, Greg Crabb explains how CERT-RMM can be used to establish and meet resilience requirements for a wide range of business objectives.
Tue, 17 Jul 2012 18:59:46 GMT - In this podcast, Lisa Young explains that implementing CERT-RMM requires well-defined improvement objectives, sponsorship, and more.
Tue, 24 Apr 2012 18:51:57 GMT - In this podcast, participants discuss why security controls, including those for insider threat, are necessary to protect information and information systems.
Tue, 28 Feb 2012 20:03:23 GMT - In this podcast, Martin Sebor explains how implementing secure coding standards is a sound business decision.
Tue, 31 Jan 2012 19:14:45 GMT - In this podcast, Dennis Allen explains that protecting the internet and its users against cyber attacks requires more skilled cyber warriors.
Tue, 20 Dec 2011 18:27:16 GMT - In this podcast, participants discuss how using electronic health records brings many benefits along with security and privacy challenges.
Tue, 04 Oct 2011 16:51:48 GMT - In this podcast, Julia Allen explains that measures of operational resilience should answer key questions, inform decisions, and affect behavior.
Tue, 06 Sep 2011 14:28:38 GMT - Use of Domain Name System security extensions can help prevent website hijacking attacks.
Tue, 02 Aug 2011 15:32:11 GMT - In this podcast, participants explain that how cloud providers and customers can use controls to protect sensitive information depends on the service model.
Tue, 12 Jul 2011 19:44:49 GMT - In this podcast, Jeff Gennari explains that analyzing malware is essential to assessing the damage and reducing the impact associated with ongoing infection.
Thu, 05 May 2011 13:12:34 GMT - In this podcast, David White describes how over 100 electric power utilities are using the Smart Grid Maturity Model.
Tue, 29 Mar 2011 13:20:31 GMT - In this podcast, participants explain why and how business leaders must address risk at the enterprise, business process, and system levels.
Tue, 22 Feb 2011 14:50:31 GMT - In this podcast, participants discuss exercises that help organizations, governments, and nations prepare for, identify, and mitigate cyber risks.
Tue, 25 Jan 2011 14:22:24 GMT - In this podcast, Michael Hanley explains how technical controls can be effective in helping to prevent, detect, and respond to insider crimes.
Thu, 09 Dec 2010 14:56:51 GMT - In this podcast, Richard Caralli explains how CERT-RMM can ensure that critical assets and services perform as expected in the face of stress and disruption.
Tue, 30 Nov 2010 19:58:42 GMT - In this podcast, participants explain that knowledge of software assurance is essential to ensure that complex systems function as intended.
Tue, 26 Oct 2010 18:31:51 GMT - In this podcast, participants explain how knowledge about software assurance is essential to ensure that complex systems function as intended.
Tue, 28 Sep 2010 19:18:28 GMT - In this podcast, participants discuss how organizations can benchmark their software security practices against 109 observed activities from 30 organizations.
Tue, 31 Aug 2010 15:38:48 GMT - In this podcast, Jonathan Frederick explains how internet-connected mobile devices are becoming increasingly attractive targets.
Thu, 19 Aug 2010 19:08:56 GMT - In this podcast, participants discuss how essential a national CSIRT is for protecting national and economic security and continuity.
Tue, 27 Jul 2010 15:40:15 GMT - In this podcast, Julia Allen explains how critical it is to secure systems that control physical switches, valves, pumps, meters, and manufacturing lines.
Tue, 29 Jun 2010 18:36:57 GMT - In this podcast, participants recount complex, distributed, multi-year investigations of computer crimes using sophisticated methods, techniques, and tools.
Tue, 25 May 2010 19:21:04 GMT - In this podcast, Will Dormann urges listeners to subject their software to fuzz testing to help identify and eliminate security vulnerabilities.
Tue, 27 Apr 2010 13:24:43 GMT - Organized criminals recruit unsuspecting intermediaries to help steal funds from small businesses.
Wed, 03 Mar 2010 14:58:30 GMT - In this podcast, Matthew Meyer explains that being able to respond effectively when faced with a disruptive event requires becoming more resilient.
Tue, 02 Mar 2010 20:22:52 GMT - In this podcast, Pravir Chandra warns that CISOs must leave no room for doubt that they understand what is expected of them when developing secure software.
Tue, 02 Feb 2010 19:42:37 GMT - In this podcast, Kris Rush describes how students learn to combine multiple facets of digital forensics and draw conclusions to support investigations.
Tue, 12 Jan 2010 15:00:56 GMT - In this podcast, Ray Jones explains how the SGMM provides a roadmap to guide an organization's transformation to the smart grid.
Sat, 09 Jan 2010 20:15:03 GMT - In this podcast, John Christiansen explains that effectively responding to e-discovery requests depends on well-defined policies, procedures, and processes.
Tue, 22 Dec 2009 19:23:33 GMT - In this podcast, participants explain that addressing privacy during software development is just as important as addressing security.
Tue, 01 Dec 2009 16:41:29 GMT - In this podcast, Timothy Shimeall describes how network defenders and business leaders can use NetSA measures to protect their networks.
Tue, 10 Nov 2009 15:02:57 GMT - In this podcast, Gary Daniels explains that providing critical services during times of stress depends on documented, tested business continuity plans.
Tue, 20 Oct 2009 14:19:36 GMT - In this podcast, David White explains why a defined, managed process for third party relationships is essential, particularly when business is disrupted.
Tue, 29 Sep 2009 13:51:21 GMT - In this podcast, James Stevens explains how using the smart grid comes with some new privacy and security challenges.
Tue, 08 Sep 2009 18:26:16 GMT - In this podcast, Robert Charette explains why electronic health records (EHRs) are possibly the most complicated area of IT today.
Tue, 18 Aug 2009 13:26:23 GMT - Two hundred and eighty-two cases of actual insider attacks suggest 16 best practices for preventing and detecting insider threat.
Tue, 07 Jul 2009 13:59:53 GMT - In this podcast, Christopher Alberts urges business leaders to adopt new approaches to addressing risks across the life cycle and supply chain.
Tue, 16 Jun 2009 15:48:16 GMT - In this podcast, Tim Mather advises business leaders considering cloud services to weigh the economic benefits against the security and privacy risks.
Tue, 26 May 2009 13:31:25 GMT - In this podcast, Martin Linder urges business leaders to take action to better mitigate sophisticated social engineering attacks.
Tue, 05 May 2009 19:25:50 GMT - In this podcast, Robert Charette suggests when to examine responsibilities when developing software with known, preventable errors.
Tue, 14 Apr 2009 13:47:07 GMT - In this podcast, Rodney Peterson explains why capitalizing on the cultural norms of the Net Generation is essential when developing security awareness programs.
Tue, 31 Mar 2009 19:27:49 GMT - In this podcast, participants discuss how observed practice, represented as a maturity model, can serve as a basis for developing more secure software.
Tue, 17 Mar 2009 19:31:09 GMT - In this podcast, Robert Seacord explains how requiring secure coding practices when building or buying software can dramatically reduce vulnerabilities.
Tue, 03 Mar 2009 15:01:15 GMT - In this podcast, participants describe how making security strategic to business innovation involves seven strategies.
Tue, 17 Feb 2009 19:37:47 GMT - In this podcast, Christopher May explains how teams are better prepared to respond to incidents if realistic, hands-on training is part of their normal routine.
Tue, 03 Feb 2009 15:08:11 GMT - In this podcast, Brian Chess explains how standards, compliance, and process are better than risk management for ensuring information and software security.
Tue, 20 Jan 2009 14:49:58 GMT - In this podcast, Rich Pethia reflects on the CERT Division's 20-year history and discusses its future IT and security challenges.
Tue, 09 Dec 2008 14:51:14 GMT - In this podcast, Richard Power explains how climate change requires new strategies for dealing with traditional IT and information security risks.
Tue, 25 Nov 2008 19:39:11 GMT - In this podcast, Jim Wrubel explains how virtual training environments can deliver high quality content to security professionals on-demand, anywhere, anytime.
Tue, 11 Nov 2008 14:52:57 GMT - In this podcast, Julia Allen explains how responding to an e-discovery request involves many of the same steps and roles as responding to a security incident.
Tue, 28 Oct 2008 15:57:54 GMT - In this podcast, Jennifer Bayuk explains how successful security programs are based on strategy, policy, awareness, implementation, monitoring, and remediation.
Tue, 14 Oct 2008 13:56:12 GMT - In this podcast, Jan Wolynski advises business leaders to evaluate risks and opportunities when considering conducting business in online, virtual communities.
Tue, 30 Sep 2008 19:33:20 GMT - In this podcast, Mary Ann Davidson explains how integrating security into university curricula is a key solution to developing more secure software.
Tue, 16 Sep 2008 14:11:36 GMT - In this podcast, Lisa Young describes OCTAVE Allegro, a streamlined assessment method that focuses on risks to information used by critical business services.
Tue, 02 Sep 2008 16:54:02 GMT - Well-defined metrics are essential to determine which security practices are worth the investment.
Wed, 20 Aug 2008 19:36:34 GMT - In this podcast, Gary McGraw explains how to achieve software security by thinking like an attacker and integrating practices into the development lifecycle.
Tue, 05 Aug 2008 19:22:40 GMT - In this podcast, Bradford Willke explains how protecting critical infrastructures and the information they use is essential for preserving our way of life.
Mon, 28 Jul 2008 15:45:59 GMT - In this podcast, Derek Gabbard discusses automation, innovation, reaction, and expansion as the foundation for meaningful network traffic intelligence.
Tue, 22 Jul 2008 15:59:45 GMT - In this podcast, Art Manion explains that determining which security vulnerabilities to address should be based on the importance of the information asset.
Tue, 08 Jul 2008 19:37:57 GMT - In this podcast, Nancy Mead explains that during requirements engineering, software engineers need to think about how software should behave when under attack.
Tue, 24 Jun 2008 19:52:48 GMT - In this podcast, Paul Love argues that targeted, innovative communications and a robust lifecycle are keys for security policy success.
Tue, 10 Jun 2008 19:54:58 GMT - Managing software that is developed by an outside organization can be more challenging than building it yourself.
Tue, 27 May 2008 19:39:08 GMT - In this podcast, Julia Allen explains how software security is about building more defect-free software to reduce vulnerabilities targeted by attackers.
Tue, 13 May 2008 16:01:22 GMT - In this podcast, Gene Kim describes how high performing organizations must integrate information security controls into their IT operational processes.
Tue, 29 Apr 2008 13:34:20 GMT - In this podcast, Betsy Nichols tells us how benchmark results can compare results with peers, drive performance, and help determine how much security is enough.
Tue, 15 Apr 2008 16:56:51 GMT - In this podcast, Betsy Nichols describes how benchmark results can be used to help determine how much security is enough.
Tue, 01 Apr 2008 18:31:34 GMT - In this podcast, Kim Hargraves describes three keys to ensuring information privacy in an organization.
Tue, 18 Mar 2008 17:11:32 GMT - In this podcast, Samuel Merrell explains that a sound security metrics program should select data relevant to consumers from repeatable processes.
Tue, 04 Mar 2008 14:37:26 GMT - In this podcast, Dawn Cappelli explains how insider threat vulnerabilities can be introduced during all phases of the software development lifecycle.
Tue, 19 Feb 2008 14:38:47 GMT - In this podcast, Nicholas Ianelli cautions business leaders to understand the risks to their organizations caused by the proliferation of botnets.
Tue, 05 Feb 2008 18:24:20 GMT - In this podcast, Betsy Nichols explains that reporting meaningful security metrics depends on topic selection, context definition, and data access.
Tue, 22 Jan 2008 14:41:16 GMT - In this podcast, participants discuss how peer-to-peer networks are being used to unintentionally disclose government, commercial, and personal information.
Tue, 08 Jan 2008 15:14:15 GMT - In this podcast, Tom Smedinghoff reminds directors and executives that they are personally accountable for protecting information entrusted to their care.