From Paul's Security Weekly
Jump to: navigation, search

Recorded on November 12, 2019, @G-Unit Studios in Rhode Island!

Episode Audio


  • Jeff Man
    infosec analyst, pioneering ex-NSA pen tester, PCI specialist,
    Tribe of Hackers, & InfoSec Curmudgeon.
    Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Matt Alderman
    CEO at Security Weekly, Strategic Advisor, and Wizard of Entrepreneurship
  • Scott Lyons
    CEO at Red Lion
    MISTI Instructor
    Patent Holder
  • Announcements

    • Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit and click the register button to register with our discount code!
    • Attend RSA Conference 2020, February 24-28 and join thousands of security professionals, forward-thinking innovators and solution providers for five days of actionable learning, inspiring conversation and breakthrough ideas. Register before January 24 and save $900 on a Full Conference Pass. Save an extra $150 by going to and use our code to register!
    • Our next webcast is February 13th with Sri Sundaralingam, Vice President, Product and Solutions Marketing at ExtraHop where we will discuss Cloud Native Network Detection and Response! Register for our upcoming webcasts by visiting, selecting the webcast drop down from the top menu bar and clicking registration.

    Topic: Building a Security/Compliance Program 12:00-12:30PM

    First question - what is a security program and what is a compliance program? (What is the appropriate Boolean syntax?)

        - Aren't they the same thing?
        - What are some differences?
        - Where do they overlap or how should they work together?
        - Do they compete for the same budget?

    Where should these programs fall within the org chart? If they are separate functions, should they share reporting structure or should they be separate? What are some characteristics or building blocks of each type of program? How do you measure the success (or need) for either/or of the programs?

    Security & Compliance News 12:30-1:00PM

    Jeff's Stories

    1. Payment Security Compliance Declines – 1 in 3 Companies Make the Grade Why does this matter? Or does it Matter?
    2. ‘Robust’ security foils cyber attack on Labour Party Who says we never report on good news – but then it was just a DDOS attack
    3. Why CFOs Must be Involved in Cybersecurity #FacePalm that this is the topic of an article. The serious question is, “what is the appropriate place for cybersecurity in an organization?”
    4. The password reuse problem is a ticking time bomb Love the conclusion: “stop looking at [password management] as a compliance task and start looking at it as a layer of protection”
    5. URMC Agrees to $3M HIPAA Settlement Over Mobile Device Encryption Does HIPAA require encryption?

    Matt's Stories

    Josh's Stories

    Scott's Stories

    1. Project Nightingale: Google accesses trove of US patient data