Redefining CyberSecurity podcast | Listen online for free

Available Episodes

5 of 584

Beg Bounty: The New Wave of Unrequested Bug Claims and What They Mean | A Conversation with Casey Ellis | Redefining CyberSecurity with Sean Martin
⬥EPISODE NOTES⬥Understanding Beg Bounties and Their Growing ImpactThis episode examines an issue that many organizations have begun to notice, yet often do not know how to interpret. Sean Martin is joined by Casey Ellis, Founder of Bugcrowd and Co-Founder of disclose.io, to break down what a “beg bounty” is, why it is increasing, and how security leaders should think about it in the context of responsible vulnerability handling.Bug Bounty vs. Beg BountyCasey explains the core principles of a traditional bug bounty program. At its core, a bug bounty is a structured engagement in which an organization invites security researchers to identify vulnerabilities and pays rewards based on severity and impact. It is scoped, governed, and linked to an established policy. The process is predictable, defensible, and aligned with responsible disclosure norms.A beg bounty is something entirely different. It occurs when an unsolicited researcher claims to have found a vulnerability and immediately asks whether the organization offers incentives or rewards. In many cases, the claim is vague or unsupported and is often based on automated scanner output rather than meaningful research. Casey notes that these interactions can feel like unsolicited street windshield washing, where the person provides an unrequested service and then asks for payment.Why It Matters for CISOs and Security TeamsSecurity leaders face a difficult challenge. These messages appear serious on the surface, yet most offer no actionable details. Responding to each one triggers incident response workflows, consumes time, and raises unnecessary internal concern. Casey warns that these interactions can create confusion about legality, expectations, and even the risk of extortion.At the same time, ignoring every inbound message is not a realistic long-term strategy. Some communications may contain legitimate findings from well-intentioned researchers who lack guidance. Casey emphasizes the importance of process, clarity, and policy.How Organizations Can PrepareAccording to Casey, the most effective approach is to establish a clear vulnerability disclosure policy. This becomes a lightning rod for inbound security information. By directing researchers to a defined path, organizations reduce noise, set boundaries, and reinforce safe communication practices.The episode highlights the need for community norms, internal readiness, and a shared understanding between researchers and defenders. Casey stresses that good-faith researchers should never introduce payment into the first contact. Organizations should likewise be prepared to distinguish between noise and meaningful security input.This conversation offers valuable context for CISOs, security leaders, and business owners navigating the growing wave of unsolicited bug claims and seeking practical ways to address them.⬥GUEST⬥Casey Ellis, Founder and Advisor at Bugcrowd | On LinkedIn: https://www.linkedin.com/in/caseyjohnellis/⬥HOST⬥Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com⬥RESOURCES⬥Inspiring Post: https://www.linkedin.com/posts/caseyjohnellis_im-thinking-we-should-start-charging-bug-activity-7383974061464453120-caEWDisclose.io: https://disclose.io/⬥ADDITIONAL INFORMATION⬥✨ More Redefining CyberSecurity Podcast: 🎧 https://www.seanmartin.com/redefining-cybersecurity-podcastRedefining CyberSecurity Podcast on YouTube:📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact⬥KEYWORDS⬥cybersecurity, bug bounty, vulnerability disclosure, beg bounty, hacking, researcher, ciso, security teams, risk management, web security, security policy, vulnerability reporting, cyber risk, bugcrowd, discloseio Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
--------
36:25
--------
36:25
Building a Real Security Culture: Why Most AppSec Champion Programs Fall Short | AppSec Contradictions: 7 Truths We Keep Ignoring — Episode 5 | A Musing On the Future of Cybersecurity with Sean Martin and TAPE9 | Read by TAPE9
Most organizations have security champions. Few have a real security culture.In this episode of AppSec Contradictions, Sean Martin explores why AppSec awareness efforts stall, why champion programs struggle to gain traction, and what leaders can do to turn intent into impact.🔍 In this episode:Why compliance training doesn’t build cultureThe data showing champion programs lack leadership and incentive alignmentHow developers, AppSec teams, and business leaders each contribute to the gapInsights from OWASP, ENISA, and Forrester on what’s missingSean’s Take:When security culture is treated as a checkbox, nothing changes. When it’s connected to ownership, incentives, and everyday work — everything does.Catch the full companion article in the Future of Cybersecurity newsletter for deeper analysis and more research.For developers: Has your security-champion program helped ship safer code—or just added meetings?For application security professionals: Are your metrics tied to risk reduction or participation counts?For business leaders: Can you connect your “security culture” investment to measurable resilience?📖 Read the full companion article in the Future of Cybersecurity newsletter for deeper insights: https://www.linkedin.com/pulse/building-real-security-culture-why-most-appsec-fall-martin-cissp-eab7e🔔 Subscribe to stay updated on the full AppSec Contradictions video series and more perspectives on the future of cybersecurity: https://www.youtube.com/playlist?list=PLnYu0psdcllRWnImF5iRnO_10eLnPFWi_________This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence.Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecuritySincerely, Sean Martin and TAPE9________Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-locationTo learn more about Sean, visit his personal website. Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
--------
2:24
--------
2:24
Bridging the Cybersecurity Divide Between the Haves and Have-Nots: Lessons from Australia’s CISO Community | A Conversation with Andrew Morgan | Redefining CyberSecurity with Sean Martin
⬥GUEST⬥Andrew Morgan, Chief Information Security Officer | On LinkedIn: https://www.linkedin.com/in/andrewmorgancism/⬥HOST⬥Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com⬥EPISODE NOTES⬥The cybersecurity community has long recognized an uncomfortable truth: the gap between well-resourced enterprises and underfunded organizations keeps widening. This divide isn’t just about money; it’s about survivability. When a small business, school, or healthcare provider is hit with a major breach, the likelihood of permanent closure is exponentially higher than for a large enterprise.As host of the Redefining CyberSecurity Podcast, I’ve seen this imbalance repeatedly — and the conversation with Andrew Morgan underscores why it persists and what can be done about it.The Problem: Structural ImbalanceLarge enterprises operate with defined budgets, mature governance, and integrated security operations centers. They can afford redundancy, talent, and tooling. Meanwhile, small and mid-sized organizations are often left with fragmented controls, minimal staff, and reliance on external vendors or managed providers.The result is a “have and have not” world. The “haves” can detect, contain, and recover. The “have nots” often cannot. When they are compromised, the impact isn’t just reputational — it can mean financial collapse or service disruption that directly affects communities.The Hidden Costs of ComplexityEven when smaller organizations invest in technology, they often fall into the trap of overtooling without strategy. Multiple, overlapping systems create noise, false confidence, and operational fatigue. Morgan describes this as a symptom of viewing cybersecurity as a subset of IT rather than as a business enabler.Simplification is key. A rationalized platform approach — even if not best-of-breed — can deliver better visibility and sustainability than a patchwork of disconnected tools. The goal should not be perfection; it should be proportionate protection aligned with business risk.The Solution: Culture, Collaboration, and ContinuityCyber resilience starts with people and culture. As Morgan puts it, programs must be driven by culture, informed by risk, and delivered through people, process, and technology. Security can’t succeed in isolation from the organization’s purpose or its people.The Australian CISO Tribe provides a real-world model for collaboration. Its members share threat intelligence, peer validation, and practical experiences — a living example of collective defense in action. Whether formalized or ad-hoc, these networks give security leaders context, community, and shared strength.Getting Back to BasicsPractical resilience isn’t glamorous. It’s about getting the basics right — consistent patching, logging, phishing-resistant authentication, verified backups, and tested recovery plans. It’s about ensuring that, if everything fails, you can still get back up.When security becomes a business-as-usual practice rather than a project, organizations begin to move from reactive defense to proactive resilience.The TakeawayBridging the cybersecurity divide doesn’t require endless budgets. It requires prioritization, simplification, and partnership. The “have nots” may never mirror enterprise scale, but they can adopt enterprise discipline — and that can make all the difference between temporary disruption and permanent failure.⬥RESOURCES⬥Inspiring Post: https://www.linkedin.com/posts/andrewmorgancism_last-night-i-was-fortunate-enough-to-spend-activity-7383972144507994112-V3Zr/⬥ADDITIONAL INFORMATION⬥✨ More Redefining CyberSecurity Podcast: 🎧 https://www.seanmartin.com/redefining-cybersecurity-podcastRedefining CyberSecurity Podcast on YouTube:📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact⬥KEYWORDS⬥sean martin, andrew morgan, australia, ciso, risk, resilience, cybersecurity, business continuity, governance, compliance, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
--------
52:14
--------
52:14
How to Stay Resilient When Cybercrime Becomes Your Competition | A Conversation with Author and Former FBI Agent, Eric O'Niell | Redefining CyberSecurity with Sean Martin
⬥GUEST⬥Eric O'Neill, Keynote Speaker, Cybersecurity Expert, Spy Hunter, Bestselling Author. Attorney | On Linkedin: https://www.linkedin.com/in/eric-m-oneill/⬥HOST⬥Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com⬥EPISODE NOTES⬥In this episode of the Redefining CyberSecurity Podcast, host Sean Martin reconnects with Eric O’Neill, National Security Strategist at NeXasure and former FBI counterintelligence operative. Together, they explore how cybercrime has matured into a global economy—and why organizations of every size must learn to compete, not just defend.O’Neill draws from decades of undercover work and corporate investigation to reveal that cybercriminals now operate like modern businesses: they innovate, specialize, and scale. The difference? Their product is your data. He argues that resilience—not prevention—is the true marker of readiness. Companies can’t assume they’re too small or too obscure to be targeted. “It’s just a matter of numbers,” he says. “At some point, you will get struck. You need to be able to take the punch and keep moving.”The discussion covers the practical realities facing small and midsize businesses: limited budgets, fragmented tools, and misplaced confidence. O’Neill explains why so many organizations over-invest in overlapping technologies while under-investing in strategy. His firm helps clients identify these inefficiencies and replace tool sprawl with coordinated defense.Preparation, O’Neill says, should follow his PAID methodology—Prepare, Assess, Investigate, Decide. The goal is to plan ahead, detect fast, and act decisively. Those that do not prepare spend ten times more responding after an incident than they would have spent preventing it.Martin and O’Neill also examine how storytelling bridges the gap between security teams and executive boards. Using relatable analogies—like house fires and insurance—O’Neill makes cybersecurity human. His message is simple: security is not a technical decision; it’s a business one.Listen to hear how the business of cybercrime mirrors legitimate enterprise—and why understanding that truth might be your best defense.⬥RESOURCES⬥Book: Spies, Lies, and Cybercrime by Eric O’Neill – Book linkBook: Gray Day by Eric O’Neill – Book linkFree, Weekly Newsletter: spies-lies-cybercrime.ericoneill.netPodcast: Former FBI Spy Hunter Eric O'Neill Explains How Cybercriminals Use Espionage techniques to Attack Us: https://redefiningsocietyandtechnologypodcast.com/episodes/new-book-spies-lies-and-cyber-crime-former-fbi-spy-hunter-eric-oneill-explains-how-cybercriminals-use-espionage-techniques-to-attack-us-redefining-society-and-technology-podcast-with-marco-ciappelli⬥ADDITIONAL INFORMATION⬥✨ More Redefining CyberSecurity Podcast: 🎧 https://www.seanmartin.com/redefining-cybersecurity-podcastRedefining CyberSecurity Podcast on YouTube:📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact⬥KEYWORDS⬥eric oneill, sean martin, nexasure, fbi, cybercrime, ransomware, resilience, cybersecurity, business, risk, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
--------
40:24
--------
40:24
CI/CD Pipeline Security: Why Attackers Breach Your Software Pipeline and Own Your Build Before Production | AppSec Contradictions: 7 Truths We Keep Ignoring — Episode 4 | A Musing On the Future of Cybersecurity with Sean Martin and TAPE9 | Read by TAPE9
Organizations pour millions into protecting running applications—yet attackers are targeting the delivery path itself.This episode of AppSec Contradictions reveals why CI/CD and cloud pipelines are becoming the new frontline in cybersecurity.🔍 In this episode:A 188% surge in malicious open-source packages (Sonatype 2025)30% of 2024 cyberattacks traced to suppliers (Financial Times 2025)47% of organizations unable to assess pipeline risk (ENISA 2023)CISA labels build systems “high-value targets” (2025)Sean’s Take:The pipeline is production. Integrity beats visibility. Security must flow through delivery.Catch the full companion article in the Future of Cybersecurity newsletter for deeper analysis and more research.👉 Have you made CI/CD security measurable—or does it still feel like an endless patchwork of scripts, secrets, and trust? Are your pipelines part of your threat model—or an afterthought? How confident are you in the integrity of every artifact you release? Share your take—we’d love to hear your story—whether your team has succeeded in securing the software delivery pipeline from build to deploy, or whether attackers and complexity keep finding the cracks between your tools.📖 Read the full companion article in the Future of Cybersecurity newsletter for deeper insights: https://www.linkedin.com/pulse/cicd-pipeline-security-why-attackers-breach-your-own-martin-cissp-eqdxe/🔔 Subscribe to stay updated on the full AppSec Contradictions video series and more perspectives on the future of cybersecurity: https://www.youtube.com/playlist?list=PLnYu0psdcllRWnImF5iRnO_10eLnPFWi_________This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence.Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecuritySincerely, Sean Martin and TAPE9________Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-locationTo learn more about Sean, visit his personal website. Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
--------
3:38
--------
3:38

More Business podcasts

Trending Business podcasts

About Redefining CyberSecurity

Redefining CyberSecurity Podcast Hosted by Sean Martin, CISSP Have you ever thought that we are selling cybersecurity insincerely, buying it indiscriminately, and deploying it ineffectively? For cybersecurity to be genuinely effective, we must make it consumable and usable. We must also bring transparency and honesty to the conversations surrounding the methods, services, and technologies upon which businesses rely. If we are going to protect what matters and bring value to our companies, our communities, and our society, in a secure and safe way, we must begin by operationalizing security. Executives are recognizing the importance of their investments in information security and the value it can have on business growth, brand value, partner trust, and customer loyalty. Together with executives, lines of business owners, and practitioners, we are Redefining CyberSecurity.

Podcast website

Business Education Technology