Every Tuesday we're sharing valuable content for you with the leading authorities in GRC, Compliance and Identity Security.
Identity data is everywhere — but turning it into actionable cyber risk insight?
Software supply chain risk is exploding — but most organizations still treat it as a code problem, not a control problem.
Identity is still the #1 control auditors and attackers look at first —
Thinking about a career in GRC—or trying to hire the right talent?
Identity has become the control plane for modern security — yet most organizations still don’t have a clear answer to one critical question:
DORA is no longer theoretical. The EU’s Digital Operational Resilience Act (Regulation (EU) 2022/2554) is in force.
AI adoption is accelerating — but governance, risk, and regulatory readiness are still lagging behind.
Shared Microsoft files are everywhere — but do you actually know who has access, what’s still exposed, and which links never expire?
Active Directory remains the backbone of enterprise identity — and one of the largest sources of audit findings, security gaps, and insider risk.
A critical discussion on cybersecurity in the wake of the BRICKSTORM attack—a sophisticated Chinese APT campaign targeting critical infrastructure. This live session will explore how organizations can pivot to identity-first security strategies to defend against nation-state threats.
Discussion on how sloppy identity practices made 2025 breaches worse
Are you an IT leader, auditor, or professional navigating the complexities of Sarbanes-Oxley (SOX) compliance? Join our upcoming webinar, "SOX Preparation: Mastering IT Controls for Seamless Compliance," where we'll dive deep into the IT-specific aspects of SOX to help you build robust systems and avoid costly pitfalls.
Join us for an engaging #AuditTuesday session on California’s CA SB 53 - America’s First AI Transparency Law.
In this dynamic #AuditTuesday webinar, cybersecurity expert Greg Kutzbach will dive into the critical topic of keeping SharePoint secure after recent hacks.
In this dynamic #AuditTuesday webinar, cybersecurity expert Alan Sugano, President of ADS Consulting Group, will dive into the escalating threat of AI-powered cyberattacks. He will be joined by Garret Grajek, CEO of YouAttest, on how robust access governance can protect your business, and by Shannon Noonan, GRC and Cyber Expert.
Tune in for an engaging #AuditTuesday GRC podcast focused on mastering the complexities of PCI DSS 4.0. This live session, hosted by YouAttest, a premier identity governance solution, will feature Truvantis, a leading GRC consulting firm, sharing expert insights to guide you toward confident compliance.
Join us for an engaging #AuditTuesday webinar featuring renowned AI governance expert Ashley Robinson, hosted by YouAttest. This session will explore the critical elements of AI governance, addressing the risks, standards/frameworks/guidances, and actionable steps needed for responsible AI adoption.
Join us for an engaging #AuditTuesday webinar featuring renowned auditor Robert Berry, #ThatAuditGuy, hosted by YouAttest. This session will explore the critical elements of conducting effective user access reviews to find identity security vulnerabilities and to meet compliance regulations such as SOX, GLBA, HIPAA, PCI-DSS, NYCRR 500 and CPRA/CCPA.
#AuditTuesday Presents: The CISO’s Playbook: Strengthening Security with Identity and Supply Chain Governance
As AI transforms industries, ensuring robust governance, risk, and compliance (GRC) is critical to building secure and ethical AI systems. In this dynamic #AuditTuesday GRC Podcast, YouAttest welcomes Robert Hilliker, an AI project leader, to explore how GRC integrates into AI development.
With cyber threats escalating and compliance requirements tightening, organizations need flexible, expert-driven solutions to stay secure. Virtual CISOs (v-CISOs) are redefining governance, risk, and compliance (GRC) by delivering strategic expertise without the cost of a full-time CISO.
MSPs – it's time to expand your security service offerings with a critical, high-demand compliance function: User Access Reviews (UARs).
As identity risk rises across enterprises, CISOs are being called to lead the charge in governance and access oversight. But are they equipped for the challenge?
As artificial intelligence reshapes business, compliance, and security landscapes, organizations are under pressure to implement clear governance strategies. Yet, many lack a roadmap for ethical, secure, and compliant AI deployment.
Governance, Risk and Compliance is a $45.6B market - a market that Managed Service Providers (MSPs) need to be in if they want to grow.
Shared Signals - for those in the identity know - it’s a subject whose time has come.
Privileged users are the source of most enterprise problems: whether the concern is outsider attacks, insider threats or compliance, the focus usually lands on admin accounts.
Huge regulatory changes face the EU nations and the companies that work w/ the EU: the Digital Operational Resilience Act (DORA).
AWS is the premier cloud vendor - AWS is the basis of most enterprises’ cloud strategy.
The U.S. Department of Defense (DoD) on October 15th, 2024 published its long-anticipated first part of the final rule (32 CFR) for the Cybersecurity Maturity Model Certification (CMMC) program.
New administration - new attitude, regulations, priorities on cyber governance? No question.
Okta announced that they had a flaw in their authentication - where under “specific circumstances” a user could gain access w/o inputting the password associated with the account.
You can’t talk about cyber security with a professional today without the conversation turning to the topic of the next generation.
The U.S. Department of Defense (DoD) on October 15th, 2024 published its long-anticipated first part of the final rule (the Final Rule) for the Cybersecurity Maturity Model Certification (CMMC) program.
Practically all enterprises are under some sort of IT compliance and regulation. Holding any data that is classified as sensitive puts the enterprise under the watchful eye of the regulators.
Cyber Attacks are worldwide. Germany is not immune to these attacks. In fact Deutsche Bank in September 2024, stated that “Cyber-attacks alone cost the German economy an enormous 148 billion euros every year.”
This YouAttest podcast highlights the YouAttest offering for identity security and compliance for managed service providers (MSPs).
HR systems for many enterprises are the identity store of record (ISoR). This is where identities are created, roles are assigned, and privileges are granted.
Welcome to today’s AuditTuesday - this YouAttest podcast highlights the YouAttest offering for Identity security and compliance for managed service providers
Change Healthcare announced on Thursday, Feb 29th that the ransomware group that had claimed responsibility for the attack was indeed at fault.
AWS is the premier IAAS vendor - AWS is the basis of most enterprise cloud strategy.
Cyber attacks are worldwide. Germany is not immune to these attacks. In fact, Deutsche Bank in September 2024 stated that “Cyber-attacks alone cost the German economy an enormous 148 billion euros every year.”
Lots of products out there for MSPs to review and deploy - that’s why the market appreciates those that review the products for the consultants and managed service providers.
Most enterprises are under compliance, be it in healthcare, finance, insurance, government, education or defense.
AWS is the predominant cloud service for most enterprises w/ over $90B a year and growing.
In fiscal year 2023, the federal government spent around $759 billion on contracts with outside companies and organizations. In 2024 there are over 200,000 government contractor firms that generate $1.1 trillion in annual revenue.
The Managed Service Provider (MSP) space is experiencing significant growth, with the global market currently valued at around $299 billion and projected to expand at a compound annual growth rate (CAGR) of 13.6% through 2030, indicating a substantial increase in demand for MSP services across various industries.
More than 20,000 professionals will go to Black Hat 2024 this year. The who’s who of cyber security, hacking and prevention.
The world is finally becoming aware of the danger of excess privileges and unmanaged users. These are the accounts that the attackers love to take over and then stay resident in our enterprises and exfiltrate data while going undetected.
Selecting a new vendor is fraught w/ problems and failed attempts. The decision is crucial - but the input is flawed. Relying on vendor-led references leads to a lot of poor buying decisions.
One of the largest hacks of 2024 is shaping up to be the CDK software hack, which has affected over 15,000 car dealerships in the U.S. and beyond. The impact of the attack is being felt across the entire U.S. economy: the loss could be between $4 billion and $16 billion in sales and could depress total U.S. retail sales by 2.3 percent.
Artificial Intelligence (AI) has revolutionized various industries, and its application in online security is proving to be a game-changer.
Risk Optimization - This session will help you understand the frameworks that assist in governance, and that help an enterprise identify, analyze, monitor, manage, communicate and mitigate IT-relevant business risk.
Summary
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) addresses an important gap in EU financial regulation. DORA mandates that enterprises augment their protection, detection, containment, recovery and repair capabilities against ICT-related incidents.
The 80/20 rule is crucial to many enterprise and life activities - but what about cybersecurity?
A 5-part series is helping managers become better managers - starting with learning the basis of the CGEIT certification. (Certified in the Governance of Enterprise IT®)
Attack surface is all the rage in cyber security today - we hear we have to reduce our attack surface. But what about the biggest vulnerability - our identities - and thus shouldn’t we be reducing our IDENTITY attack surface?
Breaches happen - especially for enterprises who hold sensitive data: PHI for healthcare, PII for financial institutions and CUI for defense contractors.
This YouAttest Educational #AuditTuesday podcast highlights YouAttest in healthcare. Healthcare is under attack by ransomware groups and other hackers. In response, healthcare enterprises are under new regulations for the holding of identities and other personal healthcare information (PHI).
This YouAttest Educational #AuditTuesday podcast discussed the updates known about the biggest hack in the history of U.S. healthcare- the Change Healthcare ransomware attack.
Breaches are not new - they affect every industry from A to Z - Advertising to Zoos. What’s new? Now the hacks of the services that manage the IT infrastructure and services are being compromised.
Cases like the SEC claims against SolarWinds and Tim Brown have made the general public aware that IT has governance and a legal responsibility to identify data. But SolarWinds isn’t the only case in the news - there were 246 class action lawsuits on data breaches in 2023 - and the SEC ruling on 4 day notification is predicted to make this number skyrocket.
Everyone loves the start-up - but no one loves the ego of the start-up entrepreneurs. It’s not a myth, it’s real and it hurts the endeavor.
Who: Greg Kutzbach, Digital Forensic Expert, Exhibit A Cyber
IGA has been seen as a failure in many enterprises. Why is this?
Cybersecurity is on everyone’s mind - but did you know cybersecurity starts w/ change control?
Given the amazing rash of hacks and ransomware attacks over the years - many enterprises are now either considering or beefing up their security audits. But are we getting full value out of these audits - what are we missing?
Segregation of Duties (SoD) is a KEY requirement for identity security and compliance. It is a principal requirement for a secure enterprise to fight insider theft and to combat fraud.
“Insider Threat” is always a topic - and it became even more of a topic with the recent hacks.
The past months have brought us more than just the infamous MGM identity hack - unfortunately much more. Identities themselves are no longer the only target; now it’s the entire identity infrastructure.
Enterprises of all sectors are at the end of their ropes dealing with cyber attacks, ransomware and data breaches. Their only recourse is to hand off more of the cyber duties to outside services.
Search has been big business for 30 years - and no one is bigger in the search industry than Google.
Data security is foremost on everyone’s mind, w/ ransomware and data attacks occurring daily.
Identities are the #1 cause and mechanism of hacks - malware insertion, ransomware and data exfiltration.
Everyone is racing to AI. And in the race a lot of data is being collected and not all of it w/ the proper security, controls and governance on these models.
First there was the MGM/Caesar’s hacks involving Okta. Then it broke that Okta support session tokens were hacked to break into Cloudflare, BeyondTrust and 1Password.
A milestone action occurred on October 30th in the history of cyber and legislation. The U.S. Securities and Exchange Commission (SEC) moved to prosecute SolarWinds, the software company that was the root cause of major breaches including the infamous 2021 Colonial Pipeline shutdown.
The “SEC Final Ruling” on cybersecurity puts cybersecurity disclosure into law. The changes include mandatory documentation of cybersecurity practices in the annual 10-K filings, including details on the Risk Management Framework the enterprise utilizes.
2024 looks to be the year of GRC, w/ multiple forces merging: companies like SolarWinds being criminally charged for falsifying their identity and security filings - including their CISO - Zero Trust looming on the horizon, and CMMC finally rearing its head as a formal requirement.