Secure Talk Podcast

Podcast by Justin Beals

English

Technology

About Secure Talk Podcast

Secure Talk reviews the latest threats, tips, and trends on security, innovation, and compliance. Host Justin Beals interviews leading privacy, security and technology executives to discuss best practices related to IT security, data protection and compliance. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.

All episodes

256 episodes

Considering Security, Compliance and Revenue with David Grazer

Most companies chase certifications to win deals — but what actually keeps customers is something no audit can measure. In this episode, vCISO David Grazer makes the case that trust is a measurable economic asset hiding in plain sight: your customer retention rate. Drawing on 15+ years inside high-growth tech companies, David explains why compliance frameworks are customer acquisition tools, not retention strategies — and how the gap between the two is costing businesses more than they realize.

This episode is for founders, security leaders, and C-suite executives who want to connect their security and privacy programs to real business outcomes.

You'll learn:

  → Why a SOC 2 or ISO 27001 certification is only the beginning of earning customer trust
  → How customer churn functions as one of the most honest security metrics available
  → Why MFA and common security controls often fail the users who need them most
  → What "Trust by Design" looks like in product development and AI programs
  → How to translate security risk into language that resonates with your CFO

Chapters

00:00 Introduction to Secure Talk and Trust
03:42 David Grazer's Journey into Security and Privacy
08:09 Navigating Compliance and Customer Trust
12:49 The Role of Consulting in Security
18:07 Trust as a Measurable Economic Asset
23:42 Identity Management in the Entertainment Industry
26:09 The VC SO Model and Its Impact
29:13 The Evolution of Compliance Conversations
33:17 Exploring the Intersection of Technology and Society

🔔 Subscribe to SecureTalk for weekly conversations at the intersection of cybersecurity, compliance, and business strategy.

#cybersecurity #compliance #CISO #trustbydesign #vciso #informationsecurity #GRC #dataprivacy

16 Jun 2026 - 41 min
Why you could fail your CMMC Level 2 C3PAO audit | Secure Talk with Logan Therrien

You did your self-assessment and received a perfect 110 score, congratulations! You met with your C3PAO and scored less than 0. What happened? How can two CMMC assessors examine the same defense contractor and arrive at completely different scores? A lack of rigor in assessment methodology could mean the entire certification system is measuring the assessor — not your security.

Logan Therrien, Chief Strategy Officer at Kieri Solutions and one of the original C3PAO lead assessors in the U.S., joins Justin Beals to expose a critical flaw in how CMMC Level 2 assessments are conducted today: no standardized evidence sampling methodology.

This episode is for DoD contractors, compliance consultants, and defense industry executives who want to understand what's at stake — and how to navigate assessments before the rules tighten further.

What you'll learn:

  • Why NIST 800-171 was intentionally vague — and how that backfired for assessors
  • How one assessor might review a single evidence point while another reviews 100%
  • What ISO 17020 accreditation will require of C3PAOs and why it matters now
  • What the 48 CFR expansion means for 118,000+ contractors in the supply chain
  • How to prepare for an assessment so it feels like an open-book test

Logan also co-authored the peer-reviewed paper "The Need for Standardized Evidence Sampling in CMMC Assessments: A Survey-Based Analysis of Assessor Practices" (with John Hastings) — one of the first data-driven studies of assessment methodology in the CMMC ecosystem.

Chapters

00:00 Introduction to Secure Talk and Psychometrics
01:45 Understanding CMMC and Its Implications
05:32 Logan Therrien's Background and Insights
09:16 The Challenges of Assessment Methodologies
16:10 The Scale and Impact of CMMC Assessments
20:31 Navigating Standards in Cybersecurity
23:53 Evidence Testing in CMMC Assessments
27:43 The Importance of Reliable and Accurate Assessments
36:22 Building Trust Between Industry and Defense
41:46 Future Directions in CMMC Research

Resources:

Therrien, Logan and Hastings, John. (2026, February 10). The need for standardized evidence sampling in CMMC assessments: A survey-based analysis of assessor practices. arXiv. https://arxiv.org/abs/2602.09905

2 Jun 2026 - 53 min
Mark Zuckerberg has an AI twin. Who Is Mark Zuckerberg?

Mark Zuckerberg built an AI version of himself that attends meetings and approves budgets while he's elsewhere. That's not science fiction — it's happening now. But when an AI replica makes a consequential decision, who's legally responsible? Who owns it when you die?

Dr. Candi Cann, Thanatologist and professor at Baylor University, joins SecureTalk host Justin Beals to explore the uncomfortable intersection of technology, mortality, and identity — and what it means for data governance, digital rights, and the future of enterprise accountability.

In this episode:

Key topics: digital identity, AI accountability, data governance, CMMC compliance, death technology, digital ethics, AI agents, enterprise security

If your organization is deploying AI agents that act on behalf of humans — approving transactions, attending meetings, representing employees — this episode raises the governance questions your security and legal teams need to be asking right now.

Subscribe to SecureTalk for weekly conversations at the edge of cybersecurity, compliance, and technology culture.

Resources:

Book: Augmented: Life and Death as a Cyborg by Candi Cann, MIT Press, 2026. Link: https://mitpress.mit.edu/9780262051118/augmented/

19 May 2026 - 47 min
CMMC Is an HR Problem, Not an Enclave Problem — Here's the Proof

The biggest cybersecurity failures in recent memory — Raytheon, Penn State, Georgia Tech — weren't caused by missing software. They were caused by the wrong people being assigned the wrong tasks, with no shared language to connect the rules to the work.

This SecureTalk episode with Dorian Cougias (MoxyWolf, former Unified Compliance Framework CEO) is one of the most systems-level conversations we've had on the show. Dorian spent decades building the infrastructure that compliance programs run on — and he's now rebuilding it from scratch, in the open.

What you'll hear:

  → Why the compliance industry is structurally fragmented across three authority domains that don't communicate
  → How Bloom's Taxonomy — a tool from education — maps directly to which compliance tasks belong to which roles
  → Why the Oxford English Dictionary doesn't have "personal data" in it, and what that tells us about regulatory language
  → The O*NET framework and why the Department of Labor might be the most underused tool in cybersecurity
  → Shannon's entropy theory, applied to compliance and cognitive load
  → A new open-source STIG API infrastructure that StrikeGraph is integrating as a launch partner

Whether you're deep in the compliance trenches or just fascinated by how complex systems fail — and how to redesign them — this is worth your time.

🔗 strikegraph.com | stigviewer.com

Chapters:

00:00 Introduction and Background
02:43 Exploring Compliance and Natural Language Processing
05:15 Military Experience and Signal Intelligence
08:01 Cognitive Load and Compliance Frameworks
10:49 The Importance of Language in Compliance
13:39 The Evolution of Dictionaries and Lexicons
16:16 Bridging Gaps in Compliance Communication
18:47 Innovations at MoxieWolf and Future Directions
22:04 Mapping Skills and Regulatory Guidelines
25:05 Job Applicability and Knowledge Requirements
28:02 The Importance of O*NET in Cybersecurity
29:21 Challenges in CMMC Compliance
33:23 The Role of Technology in Compliance
35:38 Horizontal Practices in Compliance
38:15 Building Effective Teams for Compliance
42:21 Introduction to Compliance Failures
45:19 The Human Element in Compliance
48:10 Navigating Compliance Complexity with Technology
48:57 Introduction to Cybersecurity Compliance Challenges
54:09 The Role of People in Compliance Success
56:01 Guest Introduction: Dorian Cougias
01:00:48 Exploring Bloom's Taxonomy in Compliance
01:05:48 The Importance of Shared Lexicons
01:09:32 Navigating Compliance with Technology
01:15:11 MoxieWolf's Approach to Compliance
01:20:49 The Interconnectedness of Compliance Tasks
01:27:51 Real-World Compliance Challenges
01:33:57 Building Effective Teams for Compliance

#Cybersecurity #ComplianceCulture #CMMC #HumanFactors #GRC #TechPolicy #SecureTalk

5 May 2026 - 51 min
The ROI of Security Tested: What a new paper reveals about security value | Secure Talk with Minh Nguyen and Thi Tran

Why do most cybersecurity investments feel impossible to justify? Because the measurement tools are broken — built on gut instinct, not research.

Researchers Minh Nguyen (Florida Atlantic University) and Thi Tran (Binghamton University) set out to fix that. In this episode, they break down their landmark paper "Effects of Cybersecurity Readiness on Firm Performance: Evidence from Conference Calls" — the first study to systematically measure cybersecurity readiness at the firm level and link it directly to financial performance.

What they found will change how you think about security budgets:

  → Outsider mentions of cybersecurity in earnings calls are 100x more predictive of firm performance than insider mentions
  → Even a single co-occurrence of security-related language drives measurable returns on assets the following year
  → Companies that act proactively - not reactively - earn greater market trust

This is the episode for CISOs who need real data to justify investment, security leaders tired of folklore-based decision-making, and anyone curious about how AI, NLP, and causal inference are reshaping the business case for cybersecurity.

Chapters

00:00 Introduction to the Guests and Their Backgrounds
02:34 The Intersection of AI, Business, and Cybersecurity
05:32 Understanding Cybersecurity Readiness
08:31 The Importance of Measurement in Cybersecurity
11:16 Developing a Cybersecurity Dictionary
14:16 The Impact of Outsider Perspectives on Firm Performance
16:51 The Role of Transparency in Cybersecurity
19:40 Future Research Directions in Cybersecurity
22:37 Conclusion and Final Thoughts

🔗 Paper: "Effects of Cybersecurity Readiness on Firm Performance: Evidence from Conference Calls" https://scholarspace.manoa.hawaii.edu/server/api/core/bitstreams/b098c310-db83-42cc-8932-852ef7ebcc86/content

#Cybersecurity #CyberROI #CISO #FirmPerformance #CybersecurityResearch #NLP #CausalInference #InfoSec #SecurityLeadership #ConferenceCall

21 Apr 2026 - 47 min