Compliance Catalyst

Josh Marpet is a seasoned entrepreneur and a renowned authority in the field of information security, compliance, and risk management. With a rich background in law enforcement, Josh has translated his diverse experiences into shaping security protocols in various high-risk environments. He serves as the Chief Strategy Officer at Cyturus, where he drives advancements in compliance process products. Notably, Josh contributes to the esteemed IANS faculty and co-hosts the well-known Paul’s Security Weekly podcast. His efforts also extend to organizing BSides Delaware, further cementing his influence and dedication to the cybersecurity community.

He shares his diverse career journey from law enforcement to tech support and finally into cybersecurity leadership. Listeners gain insight into his work with compliance frameworks like CMMC and SPDX, and his strategic approach at Cyturus, focusing on “dynamic risk monitoring” as a forward-thinking solution for mitigating risks. This episode also delves into the global regulatory landscape, comparing U.S. frameworks with those abroad and discussing AI regulation insights. As always, the conversation is enriched with amusing anecdotes and expert advice, making it not only educational but also engaging.

TIMESTAMPS:
0:00 – Exploring Security, Compliance, and Innovation
3:05 – Reviving In-Person Tech Conferences Post-COVID Challenges
11:58 – From Tech Support to Cybersecurity and Compliance
19:12 – The Challenges and Importance of Software Bill of Materials
24:25 – The Global Regulatory Landscape and Its Impact on AI Development
28:37 – HIPAA Compliance Challenges for Lawyers and Medical Startups
30:00 – Dynamic Risk Monitoring as a Compliance and Revenue Driver
34:32 – The Impact of Podcasts on the Cybersecurity Community
40:14 – Exploring Unique Bars and Crafting Cybersecurity-Themed Cocktails

SYMLINKS
Cyturus Website https://cyturus.com
Official website for Cyturus, a leader in compliance process products and solutions, focusing on dynamic risk monitoring and governance.

Josh Marpet on LinkedIn https://www.linkedin.com/in/joshuaviktor/
Josh Marpet’s professional LinkedIn profile for networking and insights.

Paul’s Security Weekly https://securityweekly.com
One of the top cybersecurity podcasts, providing news, insights, and discussions on emerging threats and best practices in security.

SPDX (Software Package Data Exchange) https://spdx.dev
Official resource for SPDX, an ISO-certified standard for managing Software Bill of Materials (SBOM).

CycloneDX https://cyclonedx.org
A standard designed for the SBOM, with a focus on integration with CI/CD pipelines and automated systems.

Executive Order 14028 https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
U.S. Executive Order mandating the use of Software Bill of Materials (SBOM) for federal software contracts to improve cybersecurity.

Helen Oakley https://www.linkedin.com/in/helen-oakley/
Profile and resources related to Helen Oakley, a professional working on AI Bill of Materials.

NIST AI RMF (Risk Management Framework) https://nist.gov/ai/rmf
U.S. Nation

This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.

Chris: Josh. Thanks for stopping by BarCode, buddy.

Josh: Dude, happy to be here anytime, man.

Chris: Not many people know this, but you and I go way back.

Josh: Oh yeah. God, I’ll be honest, I don’t even remember when we met. It’s been so many years. Like I remember predating the beard. Okay, let’s put it that way for you.

Chris: Yeah, not many people have predated the beard, but I traced it back to about 2012.

Josh: Yeah, that sounds about right.

Chris: At probably my first BSides Delaware.

Josh: Yeah, that was our second. No, third. We started in 2010, so it would have been our third. I think we’re just giving our next BSides Delaware, November 8th and 9th, and it’s going to be our good. Is that our. Is that our 14th? It’s. It’s insane. We were the 12th BSides event ever and we’ve held one every year. Although some years it’s been as small as a cookout for some of the staff and friends.

Chris: Yeah.

Josh: But it’s. Well, you know, come on. It was a bad few years there for conferences.

Chris: For a while it was, man, definitely during COVID. I mean, I assume that there was no BSides Delaware in 2020.

Josh: There was actually, it was a virtual. We did discord conferences for a couple of years.

Chris: Okay.

Josh: But God, they’re annoying. Like virtual conferences. You’re like, you know, people are like, ah, I’ll put it on one screen while I’m working on this screen. And you know, they’re not talking, they don’t hang out. We had some. Don’t get me wrong, the wireless village had a great time. You know, the wireless village actually figured out how to do wireless capture the flag remotely.

Chris: Really?

Josh: Yeah. Apparently there’s a testing 802.11T or something like that for testing and they will correct me and I’m sorry, I know I’m wrong. But there’s a way to simulate wireless setups. And so they built simulated wireless ranges so you don’t have to be on site to do wireless stuff. It’s really cool, huh?

Chris: And that was already in place.

Josh: Yeah, that was a protocol that was already there. They just figured like somebody went looking through the RFC because we’re weird like that. And one of the wireless guys went looking through the RFC, went, oh, there’s this testing. I wonder. Oh my God, I think we can. And they did it.

Chris: Yeah.

Josh: So interesting, man. The regular CTFs were running all through the time. Our Pros vs. Joes CTF, which started at BSides Delaware, has been running forever all through COVID. Wireless ran through COVID once they figured out they could do remote wireless, which is mind-bogglingly weird, but whatever. Lockpicking is tough remotely. I will be honest there. But you know, basically we tried to do as much as we could with as many people as we could during those weird years. And now we’re back, we’re coming, we’re coming back to do our first in-person event since COVID as a full conference with tracks and everything. I just finished buying an entire set of AV.

Josh: So we have two new cameras, two new ATEM Minis, Blackmagic ATEM Minis, two new hard drives to record them on. We’re going to record all the talks, we’re going to stream all the talks, we’re going to have two tracks. We’re going to have wireless capture the flag, wired capture the flag, Pros vs. Joes, Lockpick Village, Spawn Camp. BIA Science Lab is running Spawn Camp for us. She’s awesome. So our Spawn Camp has some fun features. We have Destruction Alley.

Josh: So we give everybody’s like, we bring all of your old e-waste in. We give the kids number two Phillips screwdrivers and safety glasses and say, have at it. Yeah. We don’t allow CRTs, so we don’t risk them killing themselves with the capacitors. And we do check, there’s adults there to watch over and check everything. But like, we let the kids actually get hands on the equipment. And it’s really fun because some of the kids start.

Josh: Do you know what knolling is? K-N-O-L-L-I-N-G. No. Do you ever see one of those things where they lay out all of the item, all the pieces of something and it’s in very lovely sort of patterns. So when you take a laptop apart, you have the face plate and the display and the hard drive and the this. So some. What’s interesting is we see the kids doing knolling, which is laying things out. And I find myself when I’m sitting at a desk that’s clean, unlike my current one, I will actually start like arranging things. And my wife looks at me and goes, OCD. I’m like, no, it really is just like, it looks nice, it looks pretty, it looks nice. And some of these kids do that and the parents go, oh, my kid’s neurodivergent. You’re like, this was your first clue, you know. Okay, cool.

Chris: Yeah. I mean, I’ve been there where I’ve had to do that to help with the reassembly process.

Josh: Right.

Chris: Just knowing where things are.

Josh: Oh, these are never going to be reassembled. These are. These are. They’re going to e-waste afterwards.

Chris: Yeah, yeah. And you mentioned CRT, man, I can’t even tell you the last time I saw a CRT.

Josh: I saw one the last year we had BSides Delaware in person. Somebody tried to bring in a CRT and we’re like, nope, put it back in your car.

Chris: Yeah, I did see one at DEF CON this year. It was like. But it was part of the retro tech village. Or do you know what I’m talking about? There was a village. There was just all retro tech. And that was really cool to see.

Josh: I didn’t go to DEF CON this year. I have small children.

Chris: That’s right. Yeah.

Josh: I have a six year old and two year old. So we actually stopped going to DEF CON in 2019 and because my kid was, you know, born in 2018 actually. God. Yeah. Because my kid was my oldest. Was born 2018 and so we stopped going because my wife just had a baby. Yeah. And I’m like not going to DEF CON this year. And then after that it just, it was like the next year I still had a one year old and I. And my wife is in the business, you know, Janice runs BSides Delaware. I pretend to.

Josh: And so we didn’t go because I couldn’t bring her and the little one. But we started going to conferences and. And we. I. My six year old has I think two ShmooCon badges. A DerbyCon badge that’s hers, let’s be clear. And a DerbyCon badge from when she was in utero. So I’m not sure if that counts but like, you know, and a DEF CON badge or two. And so. But then COVID hit and it was like never mind, you know. Oh no, not DEF CON, bad. Sorry, ShmooCon, DerbyCon.

Josh: What else does she have? She has a few others. But then COVID hit so we stopped going and now I’ve got a six year old and a two year old. It’s like, it’s weird. How do you handle two children going to an infosec conference?

Chris: Yeah, there’s no DEF CON daycare.

Josh: Oh no, no, there is not. Well, actually, weirdly enough, there is. At the last BSides Delaware, Jenny. Jenny and Jocelyn Maresca. Jenny brought actually panels and built a daycare in our staff room and had like small children and she was so happy. She’s like, I’m like, do you want to see a talk or anything? She goes, no, I want to play with the kids.

Chris: Nice.

Josh: Okay, have at. And so I’m sincerely hoping she shows up again this year. She doesn’t have to bring the panel, she doesn’t have to do babysitting, but I want her to be able to hold some babies.

Chris: You mentioned ShmooCon. I think the last ShmooCon is getting ready to take place.

Josh: Yes, it is. And I’m miserable about that, but that’s exactly correct. As a matter of fact, I’ve got to send them some things. Some things. So thank you for reminding me. But yeah, this January is the last ShmooCon and it’s a shame, but it is what it is. And there’s a new conference called DistrictCon that’s starting up in D.C. and there’s BSides DC, which we’re trying to get ramped up again for 2025. BSides DC, we lost our venue because they rebuilt all the hotels for COVID.

Josh: So instead of big sweeping ballrooms, they rebuilt them to little tiny conference rooms, lots of them. So they could hold little conferences or use them as Zoom rooms, things like that. But not to have big huge events because they didn’t want to be super spreaders.

Chris: Yeah.

Josh: And so it’s really tough finding a venue in D.C. that is not like an, like a conference center, a monstrous conference center. You know, we’re looking for a thousand or two, not five or ten thousand. And that sort of mid grade conference center is just not viable anymore.

Chris: Yeah, yeah, it’s interesting. I don’t have tickets to go. I went to one ShmooCon when I first got into the industry and I really enjoyed it. But the tickets just go so fast.

Josh: So show up anyway and just do hallwaycon. I swear to God.

Chris: Oh yeah, okay.

Josh: Just, just show up and sit at the bar and talk to people. You will see every friend you never knew you had as well as every friend you knew you had. You will have so much fun. We are. Janice and the kids and I were going to ShmooCon because we have to go. There’s no choice. And we’re going to go and we’re going to have some fun.

Chris: Nice. In that case, I’ll be there.

Josh: You really should. You really show up at the. Look, I don’t care if you take the train down for just the day and the night, because you’re going to be there all damn night and take the 3am train back. Okay? But show up for a day. You’re going to have a great time. I promise you.

Chris: I’ll be there then.

Josh: All right. Rock and roll.

Chris: All right, so Josh, if you don’t mind, just quickly give our listeners a rundown of your background and sort of what helped shape you as a cybersecurity entrepreneur and industry guru.

Josh: Man, that is a long story. So I’ve been in computers since the 90s, 1990s to be clear. And it’s. Yes, I look like it’s the 1890s, but I promise it’s the 1990s and I literally started on the phone, like phone tech support. And my first corporate job was not just tech support for various groups and whatever. My first corporate job was actually in-person tech support for a financial institution. And so not a specific financial institution. It was a tool at financial institutions.

Josh: And I’m not joking. It was a CD-ROM workstation with SCSI CD-ROM towers. Okay. And every workstation at every financial institution. They were buying reports off this thing. And there were 600 or so CDs, CDs. That when they’d say, I need report number 452, it’d go, okay, put CD number 200 in. And they’d pull it and they’d pop it into one of the towers and they’d get the report printed out. They paid per page.

Josh: Okay. And then. And it was running Windows 3.11. That’s. That’s how old this was. And from there I went on to do system administration. And I was flying every day. So I started the flying consultant life back in the 1990s. I was flying to Toronto two or three times a week. Not a joke.

Chris: Wow.

Josh: So because Toronto and New York were my two areas, and those are the two big financial centers, I covered the entire East Coast. But the two big financial centers on the East Coast are Toronto and New York. So that’s what it is. When I say the East Coast, I don’t just mean the US East Coast. I covered the East Coast of North America, okay? From Florida up to the top of Canada. So Toronto and New York.

Josh: From there, I moved into system administration. And I was doing that for a little while. And then 9/11 happened. 9/11 happened, and there was no money. Like, there were no jobs. When 9/11 happened, there was about 140,000 geeks that got laid off, which meant that there was no work up here. And it resonated very recently how many people were getting laid off in the tech industry and how bad it is job wise. Now it’s starting to get better, just to be clear. But it’s still. It’s been very bad for a while about jobs.

Josh: I actually moved and relocated from New Jersey at the time. That’s why I was in New York all the time to Louisiana, because my girlfriend at the time said, there’s work. I went, okay, let’s go. And there was work. I bounced on Bourbon Street. I worked at the New Orleans, the French Quarter wedding chapel. I did a lot of different stuff. I waited tables, I worked, I made money. I made the rent, I made the bills.

Josh: And that’s what counted. It was tight some months, but I made the bills. Then my neighbor was like, look, you’re hustling. I’m like, yeah. He goes, why don’t you just work with us? Who’s us? He turns around, points at the cop car in his driveway. I went, oh, okay. Good point. So I became a cop. I was with the Saint Tammany Parish Sheriff’s Office, not in technology. I was just in the jails. I worked as a corrections officer, as a deputy, and then as a corporal, went through just ridiculous amounts of craziness, including Katrina.

Josh: A few months after Katrina, I said, I’m done with this hurricane crap and moved back up north and moved back up to New Jersey.

Chris: Okay.

Josh: So I had done my disaster recovery time. So if you want to talk disaster recovery, been there, done that. All right.

Chris: Yeah.

Josh: Literally. If you ever want to hear the history of cell phones and the generators at cell phones, I can tell you all of it. I was literally there. I actually reported to some of those to take the. To take the incident reports for them.

Chris: Wow.

Josh: The reason that cell phone. That the generators are buried in vaults at cell phone towers. I was there when they decided to start doing that because they put generators at the base of cell phones after Katrina. Then they got stolen, then they replaced them. Then they got stolen, then they replaced them. Then they actually used some grave vaults because they were available, and they put generators in them and buried them and poured concrete around the suckers and they didn’t get stolen anymore.

Josh: Oh, my God. Okay. Then the diesel fuel got siphoned off from them, so they put in anti siphon measures for the diesel. It goes on from there, but you get the idea. Anyway, that’s.

Chris: Wow.

Josh: So I moved back up north and that’s when I actually got into security. Was about 2006. I’ve only been in security per se since about 2006, 2007. And it happened almost accidentally. I was working at a large company in system administration. The guy next to me, pokes, gets introduced like, hey, I’m moving into this cubicle. Hey, how you doing? What do you do? He goes, I test security. Like, test security. Cool. What do you do? So he explains it to me.

Josh: Five minutes later, he goes, oh, crap. What’s the matter? He says, well, I told the SQL Server to shut down and it did. And I went, okay. He goes, yeah, it’s a problem because it meant that a lot of people weren’t getting paid. That was the payroll server. And so I said, okay, where’s your boss up there? I said, run. I yelled him, run. And he ran. And that’s when I got into security. I’m like, that is way too cool. I got to try this stuff. So I got into it.

Josh: And so I’ve been doing security ever since and compliance as well. And the reason that I’m now in compliance, I mean, I did a lot in security. I did a lot of forensics. I did a lot of incident response. I did a lot of expert witnessing. I did a little pen testing. Very little. I’m not a pen tester. I don’t claim to be. And that’s okay. That’s not my thing. But what I am is I’m interested in the cracks in the systems.

Josh: And that’s not necessarily pen testing, but that’s understanding people as well as systems. And so I realized that after a while, everything I did in security was great, but I couldn’t drive funding for security. I was having trouble getting the tools and the people and the headcount that I needed to make things work. So I moved to compliance for two reasons. I can drive funding from compliance like crazy. Like, I. Oh, we don’t need that. What’s the. And my favorite question in security?

Josh: What’s the actual chance we’re going to get hit because of that this year? Oh, you know, but in compliance, I just go, no, it’s mandated. You don’t have a choice. Like crap and the budget gets found, you know? And the other reason I left security and went into compliance is honestly, you very Rarely have a 3am GRC call.

Chris: Yeah, I don’t miss that.

Josh: Oh, man, I don’t miss that at all. And I totally hand that. That, by the way, is credit of Alex Hammerstone, because that’s his joke, but it’s a very, very true joke. And I was like, oh, I’m stealing that. And he said, go for it.

Chris: I used to be in tech support too, and we literally had a red cell phone that would be distributed for whoever’s on call.

Josh: Like, seriously, a red cell phone, Red flip phone. You have to hook up a red handset to it, you know, with one of the ones plug in or Bluetooth, just to make it look like the bat phone, you know?

Chris: Yeah, yeah.

Josh: And you called it the bat phone, didn’t you? You know you did.

Chris: We called it the bat.

Josh: I know you did. Everybody freaking did, dude. Everybody freaking did.

Chris: Yeah. Yeah. But the ringtone is still in my head. Like, it would just be like, I know exactly what that felt like at 2am in the morning.

Josh: Do you ever wake up, like, still. Do you ever wake up once in a while, like, like almost sweating with the ringtone just flashing through your skull? And you’re like, oh, thank God, I don’t do that anymore. Poom. Back to sleep.

Chris: Yes, I’m still recovering.

Josh: So I’ve been doing compliance now for quite a few years now. I’m. I’m an idiot and a masochist. And I write standards. I helped write CMMC and SPDX, and I’m working on risk quantification and bill of materials stuff. And. And it’s fun, but it’s incredibly difficult to write standards to where. And nobody can get confused as to what you’re saying, but you’re being flexible enough to make people let people have the judgment to do the job they need to do.

Josh: So I’ve gone through everything in compliance, and now I’m. I’m an IANS faculty member. I run two conferences or I’m on the board of two conferences, technically three at this point. Skytalks as well. I have two kids and I have two jobs because I’m an IANS faculty member and I’m chief strategy officer for Cyturus, which is a GRC product company. So life is busy.

Chris: You’re busy. So you mentioned CMMC and SPDX. I know a lot of folks are familiar with CMMC, but could you explain what SPDX is?

Josh: So software bill of materials, which you’ve heard, oh my God, so much about ever since Executive Order 14028, which was May 12, 2021. Don’t quote me on that. But yeah, it’s burned in my head to a certain extent, which is terrifying. Software bill of materials have been mandated from anybody providing software to the federal government. And a lot more big companies and down to medium companies now are requiring SBOM, software bill of materials, so that they will find out what’s going on with the software you’re providing them.

Josh: Software bill of materials, a manifest. It’s everything in your software. So software these days is legos, let’s be honest. Very rarely will you find software that’s actually written line by line by one person, five people, whatever. Normally it’s, oh, I need something, I need to do this. Well, if I break that down, it’s this process. Each of these steps in that process is a library for. There’s a library for. There’s a library for. You’ll grab a half a dozen libraries and glue them together.

Josh: And the only code you write as a coder is the glue code and maybe the user interface, if you’re a full stack. And. But everything else is libraries that I took from other developers, open source projects, something I licensed, whatever. Right. Okay, so what happens if Library 16 has a vulnerability? Okay, well, if it’s got a vulnerability, does it have a patch? Yes, it does. Okay, great. So I’ll go get the patch and I’ll install it. What’s the big deal?

Josh: Well, you’ve got to, you know, you’ve got to decompile your code, go back to your source code, run the patch on library, what I say 16, 16. Run the patch on Library 16, then recompile and then run all your testing. It’s not fun. Plus, how did you get notified that Library 16 has a vulnerability? Do you actually check? Because most companies don’t, let’s be honest here. And so if you have a software bill of material for the, for this piece of software that, that I bought from that supplier from that development house, I go, hey, library 16 that you’re using has a vulnerability.

Josh: They go, oh, crap, we didn’t even know it’s your software. How do you not know? Well, we didn’t write that library, we just glued it in. Okay, well, there’s a patch. Can you please install the patch, recompile and get me a new version and. Oh, sure, no problem. And that’s if they’re a good development house. That’s if they haven’t abandoned the software. That’s if they haven’t gone away, you know, that kind of thing. And so, and by the way, that’s also if they haven’t taken all those libraries and glued them together into their own library. So they can obscure the fact that there’s 16 or 20 other different libraries that they’re not telling you about because they’re massively outdated, massively vulnerable. They don’t want to put the effort in, whatever.

Josh: So there’s a whole set of, what is a base atomic unit of software? How do you version control it so you know which version you’re getting? Well, it’s version 15. Yeah, but I used it in mine. So now it’s version 16. You know, I added a commit consisting of a space bar in the title of it. So now it’s version 16. And version 16 doesn’t have a vulnerability.

Chris: Yeah.

Josh: So where’s the. And you’re going to hate me, but discussing the serialization and canonicalization of software is something that I have to do all the time. And it’s really fascinating.

Chris: No, I get it, man. And I think it’s critical, especially when you look at supply chain security. Right. And just being able to trace that.

Josh: Well, supply chain attacks have become much more common and much more sort of front of mind for people. And I just did a story yesterday on Paul’s Security Weekly. We just did a story about ShadowLogic, which is a supply chain vulnerability for AI. Okay. And it’s codeless, it’s in the actual model. So ShadowLogic is terrifying for people that are doing AI and actually I’m trying to work with Helen Oakley who’s doing an AI BOM. I need to get back to her. Oh God. I’m sorry Helen, please don’t kill me.

Josh: But it’s been busy the last few days, man, it’s been crazy. But she’s trying to do an AI bill of materials which is brilliant and needs to be done, desperately needs to be done. SPDX, by the way, was for the Linux Foundation. They actually have a full ISO standard on how to do a software bill of materials, which is really cool. But CycloneDX is actually built to be integrated into more systems. So if you want a CI/CD process that integrates all these things and builds an SBOM for you automatically, CycloneDX is probably the way you’re going.

Josh: But if you want something that’s ISO certified, you want SPDX. So it’s which way you going, man? It’s a trade off.


Chris: So you’ve worked in compliance now for a while and you worked for both U.S. and foreign government agencies?

Josh: Oh yeah.

Chris: So in your experience, how do you feel the regulatory landscape differs globally? And what do you think the US could learn from other countries when it comes to security, regulation and enforcement?

Josh: You know, that’s a big loaded question. I think that the US is to a certain extent the Wild West. Our regulatory frameworks are significantly less advanced and significantly less mandated and enforced. That’s the big one. Than other countries and other areas, other regions, whatever. I mean we have how many, 50 some odd state breach notification laws, and we have yet to have a single federal one. Okay? It’s crazy. It’s absolutely crazy.

Josh: GDPR came out in the EU and as much of a pain in the ass as GDPR is, there’s some really good ideas in there, okay? And CCPA, California went, that’s ours. We’re gonna take it, we’re good, you know, and like Nebraska I think took GDPR and did their own thing, but, but now you’ve got state laws that are, that are technically extra jurisdictional. If you have a California resident in your database, you’re under CCPA. And I don’t care if you’re in New Jersey or California or Florida or wherever, you’re under CCPA and people like no, no we’re not. Yes, yes you are. And trust me, it’s the truth.

Josh: So I don’t like that. I like things that are understandable and federal so that we can just be under the same thing across the board. However, there’s something to be said for the Wild West, if you will. Every place that an AI regulatory framework was put in place, the AI creators left. They all came here. So we are benefiting from the fact that we haven’t had an AI regulatory framework because the AI creators all came here and are generating billions of dollars of investment and ridiculous amounts of productivity gains and such because they’re not under a regulatory framework here.

Josh: On the other hand, there’s a massive danger of people’s data being released, of inappropriate models being used, of tainted data being used, whatever, because of the lack of regulatory frameworks. So financial advantages versus regulatory terrifyingness, which is better? I don’t know. What should we be doing? Well, I mean, the fact is that China has an AI regulatory risk management framework, the EU has the EU AI Act, and we’re just starting to see some AI regulation here, just barely. And it’s mostly advisory, not mandated.

Josh: Okay. But it’s starting to show that we’re the AI creators. Even though they got a solid foothold here, some of the newer companies are going other places. So we’re going to see where it goes and what the, the, the ramifications and consequences of having an AI regulatory framework as well as others. I’m picking NA because it’s a recent topic, but what that’s going to do to us as a country and as a productivity generator.

Chris: Yeah. From your experience, how many organizations would you say are truly using or truly leveraging an AI framework like the NIST AI RMF?

Josh: The organizations that are buying AI are asking, do you meet the NIST AI Risk Management Framework or the Bear or the Singapore or the whatever, the organizations building it? I’ll tell you a really quick story. I once did a thing for HIPAA and it was a panel discussion for HIPAA for lawyers. And I think I may have told you the story, but I love it, so I’m going to do it anyway. And so as a continuing legal education for lawyers about HIPAA and explaining that as personal injury lawyers, if you are one, you’re under HIPAA, you need to have a BAA, a business associate agreement, with the hospitals you’re working with to get the medical records to go to court with them. I’m like, it’s fairly simple, it’s not a big deal, you just have to follow it. And some lawyers like, I don’t have to do that. And I’m like, you want to see the law? And they read the law like, ah, crap, I do. And some lawyers are like, okay, how do I do it? Oh cool, let’s talk about the process. Blah, blah, blah. One of the lawyers goes, can I have one of my clients call you?

Josh: Okay, so it’s a startup. They call me and they’re like, hey. The next day they call me. They’re like freaked out, like, hey, we got a question for you. Sure, what’s up? We do ephemeral medical messaging. So ephemeral medical messaging is messaging between a doctor and a patient. That’s their definition of it. That goes away. So the messages disappear, like Snapchat or Signal or whatever, after I forget what it was. But let’s call it eight hours, something like that.

Josh: Messages just poof, goodbye, gone. Okay. Like, because we make the messages disappear, we’re good, right? I’m like, well, what do you mean? Is there medical information in those messages? Does a patient go, hey, this mole, what is it? And the doctor goes, oh, it’s cancer. You know, whatever. Like, does that happen in these messages? Yeah, absolutely. That’s the reason for this to happen. This whole product is about medical information going back and forth and questions between doctors and patients. I’m like, then you’re under HIPAA. Are you following HIPAA? And they’re like, we have to?

Josh: Yes, you bloody well have to. Are you serious? And they were like, well, we didn’t know. Nobody told us that. Well, sorry, you know. So the point is that with regulatory frameworks, companies aren’t going to do it unless somebody makes them. Okay, rarely, they’ll do it as a revenue generator. Hey, you want to bank with us? Because we follow XYZ frameworks and so your money and your data is safe with us. Okay, cool.

Josh: That’s what I always try to do with frameworks. I try to point out that it’s a revenue generator. But realistically, unless, you know, the whole reason behind CMMC, which is the Department of Defense for all the contractors, the DIB, the defense industrial base, was because for decades they were all supposed to be absolutely compliant with NIST 800-171. By December 31, 2018, they were required by law to be compliant with NIST 800-171. Before that it was, you really need to do this. It’s in your contract. But we don’t check.

Josh: Well, the “we don’t check” part really bit the DoD in the ass because they found out the companies were using foreign nationals to do DoD projects. The DoD found out that, you know, nobody was compliant, or very, very, let’s put it this way, single digit percentages, in my opinion, were compliant as of 2018. So that’s why they came about with CMMC, which is: you’re going to have to be checked, you’ve got to be certified that you’re CMMC compliant by an independent third party system, a company. And people are like, oh my God, it’s going to cost so much money. Well then you should have been doing something a lot cheaper all along.

Chris: Yeah, sorry, I want to go back real quick to that HIPAA story. You said something very interesting, which was, you know, they’re not going to be HIPAA compliant. Maybe because they don’t know or because no one’s told them yet.

Josh: Yep.

Chris: I think this comes back to sort of what you’re doing now at Cyturus, right. Like you guys are focusing on dynamic risk monitoring. I do want to have you explain sort of what dynamic risk monitoring is and how it could prevent something like that use case that you mentioned by, you know, absolutely taking like a next gen level perspective.

Josh: So I’m not going to be too salesy, but I mean I am the chief strategy officer there. But here’s the deal. Risk changes over time. Look, if you’re a pen tester, you know that old code gets new vulns because we discover new vulnerabilities, okay? And new code has new vulns and old vulns, because sometimes the developer doesn’t remember that that Lego, that library, that code, whatever, had a vulnerability, and you didn’t use the patched version, so now it’s vulnerable again or whatever.

Josh: Risk changes over time. What you’re doing about risk changes over time. Your corporate processes change over time. Everything changes. Look, “the only constant is change” is the old truism, right? And so as you develop your organization, as you develop your company, the risks that you are providing or producing, rather the risk that you’re operating under, is changing on a regular basis.


Josh: We are doing this on a basis that we are continuously monitoring what you are doing in order to understand the risk that you are under and the quantification of that risk, and in order to also understand the compliance efforts that you’re making and match them up against the risk, match them up against the quantification of the risk, and to help you determine what choices to make as an organization so that you can make intelligent, informed choices rather than, you know, we had a pen test eight months ago and we fixed everything, so we should be fine, right?

Josh: No, no, not necessarily true. Okay, so we want to use all the tools that you already have. We want to take the inputs from those tools, or the outputs from those tools rather, as inputs to your risk program. And then say, look, you know, you fixed everything on your pen test from eight months ago, but your vuln scan, your exploitability scanner, your next pen test coming up, the evidence you’re showing for compliance, all of this put together is just saying that there’s a gap here and a gap here and a gap here. Do you want to fix those gaps now before your next pen test? Because that would make sense to us.

Josh: Okay, that would be a good choice. And so at Cyturus, we’re here to help people understand that compliance leadership and compliance maturity leadership is a huge, huge advantage not only for the compliance department and the security department, but for the company as a whole, to be able to say, hey, this is a revenue driver. We are showing leadership in our field, leadership in compliance in our field, leadership in the security of our customer data in our field.


Chris: Where can we find more information on Cyturus? Because again, I believe it is a differentiator when it comes to the compliance solution space.

Josh: Thank you. Cyturus.com, that’s C Y T U R U S dot com. Feel free to email me, joshua.marpet@cyturus.com. If you need any advice or any help, yell. We’re here to help. Okay. Even if you don’t buy from us, that’s fine, we don’t mind, I promise. Just yell. We’ll help you out. Okay?

Chris: Definitely. Before you go, I do want to talk to you about content creation.

Josh: Oh, God.

Chris: Because you are the co-host of Paul’s Security Weekly.

Josh: Yep.

Chris: Which is one of the top cybersecurity podcasts in existence. From your perspective, what role do you think media and platforms like podcasts play in keeping the security community informed, educated, and also prepared for emerging threats?

Josh: You know, it’s. That’s actually a really good, that’s a really good question, man. Twitter was where we all lived for a long time. Okay? And yes, I know it’s now X. Shut up. It was Twitter then, and infosec Twitter was an incredibly valid and huge benefit because I could subscribe to a list of people and get almost real time events. What’s going on? Who’s getting hacked? What’s happening? What are the IOCs for this? It was links to websites. It was an aggregator. That was amazing.

Josh: Okay? But infosec Twitter has not fallen apart. There’s still a lot of value in X now, but it’s not nearly as held together as it was. So we’re fragmented. We’ve got Mastodon and X and a lot of private Signal groups, and there’s a lot of. Hell, there’s even Facebook groups that I’m on. There’s so many different places to get information that these kinds of broadcast aggregators that Twitter used to be. Broadcast, meaning you don’t have to talk. You don’t have to be part of the discussion. You just want to listen. That’s cool. We’re here.

Josh: Just listen to us. You want to interact? We love it. Don’t get me wrong, okay? Interaction is amazing, but realistically, it’s no big deal. We can broadcast ideas, opinions, news, whatever. So when we go through the news stories on Paul’s Security Weekly for, Jesus, two and a half hours sometimes. All right, some of these stories I’ve never seen before. Like, I just went and bought way too many M5Stack devices last night because of Paul’s stories on those.

Josh: And the LilyGO S3, that. That is like, props to Hak5 for the Bash Bunny. But you can turn a $12 LilyGO S3 into a damn close to a Bash Bunny. And because they’re so cheap, you can just leave them there, you know, and let them broadcast to you forever. Life is good. That’s really cool. You know, that’s the ultimate new drop box these days. So I don’t want to leave a $150 Bash Bunny. You know what I mean?

Josh: So, like, there’s a lot of value in a broadcast news podcast. And what’s going on and where am I? What am I. What’s going on in my field? What’s going on in specific news stories, these kinds of podcasts as broadcast media sources. All right? And I’m sort of Marshall McLuhan-ing it. You know, the medium is the message. But, yeah, it is incredibly valuable to the people that have 10 minutes, 30 minutes, 2 hours to listen. They pick the podcast that fits their time, their interest, their world, and boom, it’s incredibly useful to them, and it also brings our community closer. I love interviewing people that have never been on a podcast. I love going, hey, you want to be on a podcast? Like, I’m not that interesting. Yes, you are.

Josh: People have no idea how fascinating what they do is. And I love getting people on the podcast that have never been on one before because it’s just so cool to have them go, I don’t. I don’t think it’s interesting. Like, really? You’re doing this? Yeah, but that’s. I do it every day. It’s still cool, man. You know? Yeah. I’ve interviewed ladies and guys and everything, every type of person, about all kinds of different topics. And some people, I swear to you, every topic I interview somebody on, we get texts or messages like, wow, that was really cool. I didn’t know anybody else was interested. I’m going to have to call them and start talking to them.

Josh: Awesome. We bring community together, just like the conferences do. We bring community together. And that’s why I love podcasts like yours, Barcode. I love podcasts like Paul’s Security Weekly. I love these podcasts that get fascinating stuff out there. It’s fun.

Chris: Yeah, completely agree, man. For those that are listening to this, where can they find you on Paul’s Security Weekly online?

Josh: You can go to securityweekly.com and you can pick up the episodes there for Security Weekly News, which I’m on on Tuesdays with Doug White. Dr. Doug. And you can see Paul’s Security Weekly on Wednesday nights. I think it comes out Thursday every week. We used to do live streaming. We don’t do live streaming anymore, which is, I liked live streaming, but it is kind of freeing to be able to record and then they can do a little post on us.

Josh: I’m also speaking at PumpCon this Saturday. I’m speaking at West Chester University on Monday, but that’s not open. That’s for the college students in the criminal justice division because they’ve never talked about cybercrime before. I’m speaking on an IANS webinar about pen testing next Thursday. Don’t quote me on that. No, no, sorry. Two weeks, November 6th or 7th. And if you’re an IANS, if your company’s an IANS member, you can see these podcasts, the webinars. They’re great.

Josh: I do some with Josh Moore, Jake Williams, some great people. I, I. There’s plenty of places to find me, and you can always just hit me up, Quadling on Twitter, or joshua.marpet@cyturus.com. Whatever you need, yell, I’m here.

Chris: Awesome, man. So where in the Northeast would you recommend as an awesome or unique bar or bar type venue for security professionals that are listening to checkout?

Josh: Oh, wow. So NYSec is in New York City. They changed their bars, but they’re amazing. Danny Daisovi, and I’m probably screwing his name up, is always there. There was PhillySec in Philadelphia. We stopped doing it during COVID, but I’d really love to get that going again. I would tell you, JawnCon, that just happened, is a fantastic conference with a local Philly community. You know, between New York and Philadelphia, you have so many infosec professionals.

Josh: Alex Weintraub runs firesides every month at a cigar bar. Typically, they’re smoking cigars, drinking amazing whiskey.

Chris: Nice.

Josh: There. There’s. I’ll happily introduce anybody that wants to to him. He loves meeting new people. Tom Brennan, who’s the CREST representative for the US, he runs CREST US, which is the pen test certifier. He runs OWASP and various other meetups in New York and New Jersey. Honestly, go find the meetups, find the events that are going on. Like, there’s wonderful bars. Don’t get me wrong, I can go to Philly and spend so much time in bars.

Josh: Dirty Frank’s, 13 Steps Down. There’s so many good bars in Philly, it’s not even funny. If you really want to know the best bars in Philly, go talk to Narfi. He knows every bar in Philly.

Chris: Really?

Josh: Okay, if you can’t find Narfi, yell, I’ll introduce you. Okay. And Narfi, if you see this, yes, I’m sorry, I just made you 500 new friends. But the meetups that happen in these cities, in these towns, in these areas are amazing. They are supportive. They are wonderful. They are lovely. It is some of the best things you could possibly go to if you’re new to the industry or if you just want to make new friends.

Chris: Okay, I just heard last call, so do you have time for one more?

Josh: Go for it.

Chris: If you decided to open a cybersecurity theme bar, what would the name be and what would your signature drink be called?

Josh: What would the name be and what would my signature drink be called? Cybersecurity themed bar. Shit, I don’t know. That’s a good question. So a cybersecurity themed bar would have to be sort of Shadowrun-style retro, set in Japan, and it would have to be. But you also have to bring in some Constantine vibes, some anime. You have to. You have to. You have to. You know, there’s got to be a PDP-11 in the corner. That’s the bar robot. You know, now I have to make a PDP-11 bar robot. Oh, that’s cool. Okay, what would it be named?

Josh: Consequences. Because if you don’t do your security, you got some big fucking consequences.

Chris: Damn, I like that.

Josh: And what would the signature drink be?

Chris: Yeah.

Josh: I really need to talk to Allan Friedman. He is my signature drink guy.

Chris: Okay.

Josh: He’s one of the heads of CISA and he’s amazing. And he, like, he teaches me about drinks. Like, he’s amazing. Oh, you know what? I know what it would be. Grilled lemons. So you grill them lightly to pull a lot of the sugar and flavor out. Caramelize the sugar in them, with gin and rosemary simple syrup. It’s one of my favorite things. My wife taught me about this. It’s amazing. So you do rosemary simple syrup.

Josh: You know how you make simple syrup over heat? You put rosemary in it and then strain it out. So the rosemary gets extracted into the sugar water. Basically, that’s what simple syrup is. Well, it’s thicker, so it’s a syrup, but you get the idea. And so it’s a rosemary flavored simple syrup. A really good gin. Okay. And grilled lemon slices. So you slice the lemon into slices. Grill each slice on each side, just lightly. Not like charred black, just lightly. Okay.

Josh: You ever grill a peach? Same idea. Okay. Just lightly. And you put that together and it is amazing. It is tasty. It’s a little sweet. Just a little sweet. It has wonderful flavors that just burst in your mouth, and then you fall over, because your legs don’t work when you stand up, if you have enough of them. And they don’t taste evil. They don’t at all taste evil. But you have, you know, two or three, because you’re sitting and chatting and talking and having a great time.

Josh: And then you go to stand up, your floor meets your face and you’re like, wow. Consequences. Yeah.

Chris: Thus the consequence. I love it, man. All right, well, listen, thanks for stopping by. Thanks for sharing the knowledge. It was great seeing you. As always, everyone listening, follow and connect with Josh online. And if you’re in the Tri-State area, get to BSides Delaware, please, and we will see you then. Thanks, Josh. Appreciate it.

Josh: Thank you.
