Cultivating Security
Cultivating Security
Deep examinations of industry incidents, vendor risk, and operational security decisions from 25+ years in the field. AI-narrated episodes transform written analysis into practical insights for security professionals who need to understand what really happens when security meets operational reality. No certifications required, just real-world experience.
Author
Cultivating Security
Category
Podcast website
Latest episode
Apr 7, 2026
Where to listen?
Podcasts in the app Replaio Radio Coming soonPodcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts
Episodes
Week 14: What I Wish Someone Had Told Me 07.04.2026 24:25
Twelve weeks ago, we started this series talking about a gap in how people learn security work. You can get certified, read the frameworks, know the technical fundamentals—and still walk into your first real security role completely unprepared for how the work actually functions. Nobody teaches you the organizational part. The political part. The part where your technically perfect solution dies i...
Week 13: Learning from Incidents You Didn’t Have 31.03.2026 17:28
The security community has a gift that we don’t use effectively enough: every major breach becomes public eventually. Companies have to disclose incidents. Researchers analyze and publish findings. Post-mortems get written. We can learn from other organizations’ failures without having to experience them ourselves. But most people don’t extract meaningful lessons from public brea...
Week 12: Incident Response Is Half Politics 24.03.2026 21:23
You’ve planned for incidents. You have a documented incident response plan. You’ve done tabletop exercises. Your team knows their roles. You have runbooks for common scenarios. Then an actual incident happens, and you discover that the plan didn’t account for half of what actually matters. Because incident response isn’t just technical. It’s organizational, political,...
Week 11: When ‘Best Practices’ Don’t Apply 17.03.2026 19:43
Every security framework, every certification course, every vendor white paper tells you what you should do. Implement least privilege. Segment your network. Patch within 30 days. Enforce MFA everywhere. Use zero trust architecture. All of this is good advice. In theory. In practice, you’re working in an environment with legacy systems that can’t be easily changed, technical debt that...
Week 10: Compliance Is Not Security (But You Still Have to Care) 10.03.2026 17:13
Every security person eventually has this realization: passing the audit doesn’t mean you’re secure. You can check every box in the compliance framework. You can get your SOC 2 certification. You can satisfy your PCI audit. And still have significant security gaps that the auditor never looked at because they weren’t in scope. Compliance frameworks test for specific controls. The...
Week 9: Reading the Room: What Your CISO Actually Cares About 03.03.2026 17:56
If you’re trying to get security work done, you need to understand what your leadership cares about. And I mean actually cares about, not what they say in all-hands meetings or what’s in the security strategy document. Because there’s often a gap between the official priorities and the real priorities. Between what sounds good and what actually drives decisions. Between the aspir...
Week 8: Why Security Projects Fail (And It’s Usually Not Technical) 24.02.2026 20:42
You’ve probably seen this: a security initiative that makes perfect technical sense, that addresses real risk, that has clear value—and it dies anyway. Not because the technology doesn’t work. Not because the solution is flawed. It dies in a conference room during a budget meeting, or gets deprioritized when a business initiative takes precedence, or gets killed because nobody wants to...
Week 7: Reporting to IT: How to Build Security When You’re Not in Charge 17.02.2026 25:48
A lot of security people find themselves in this position: you’re the security person, or the security team, reporting up through IT leadership that didn’t come up through security. Maybe your boss is the CIO who built their career in infrastructure. Maybe it’s an IT Director who came up through application development or helpdesk management. Maybe it’s a VP of Technology w...
Week 6: Vendor Relationships Aren’t Partnerships (No Matter What the Sales Deck Says) 10.02.2026 28:14
Every vendor will tell you they’re committed to security. They take it very seriously. They’re a trusted partner in your security journey. They understand your challenges and they’re here to help. None of this means anything. I’m not saying vendors are malicious. Most aren’t. But they’re businesses with business objectives, and those objectives aren’t perf...
Week 5: The Identity Sprawl Problem 03.02.2026 31:11
Identity used to be simple. Users had accounts. Accounts had passwords. You managed them in Active Directory or LDAP. Authentication happened at the perimeter, and once you were inside, you were mostly trusted. That model is completely inadequate for how organizations actually work now. Identity is the perimeter now. Users authenticate to dozens of different services. Applications authenticate to...
Why Chat-Based AI Tools Fail in Operational Security: Building Capability vs. Productivity 28.01.2026 29:47
AI as Capability, Not Conversation: Why Chat-Based Tools Fail Operational Security Work In the last 18 months, every vendor has suddenly “integrated AI” into their products. Your SIEM has AI now. Your ticketing system has AI. Your monitoring platform has AI. I’ve even seen job schedulers get rebranded with AI features—automation that’s been running for years, now with a fre...
Week 4: The Logging and Visibility Problem No One Mentions 27.01.2026 22:00
You probably think you can see more than you actually can. That’s not a criticism—it’s just how modern environments work. The assumptions we built our mental models on (servers you own, networks you control, applications you can instrument however you want) don’t hold anymore. But we still operate like they do. SaaS applications don’t give you the same visibility you’...
Week 3: Fort Knox Isn’t the Goal: Learning to Live with Imperfect Security 20.01.2026 19:04
Here’s something nobody tells you when you’re starting out: your job is not to eliminate risk. I know that sounds wrong. You got into security because you care about protecting things. You see the threats, you understand the vulnerabilities, you know what could go wrong. Your instinct is to fix everything, lock everything down, make the organization as secure as possible. That instinct...
Week 2: Understanding Your Environment Before You Try to Secure It 13.01.2026 19:54
You can’t protect what you don’t know exists. That should be obvious. But based on how most security programs operate, it apparently isn’t. People want to jump straight to the interesting work. Threat hunting. Incident response. Penetration testing. Red team exercises. And sure, that stuff matters. But if you don’t have a solid grasp of what’s actually in your environ...
Week 1: Introduction: Foundations That Nobody Teaches 06.01.2026 8:49
There’s a gap in how people learn security work. Not a small one. You can get certified six ways from Sunday. You can read every framework document NIST ever published. You can know the OWASP Top 10 backwards and forwards. And you’ll still walk into your first real security role completely unprepared for how the work actually functions. Because nobody teaches you the organizational par...
When Your Vendor Drops a Security Layer (And Doesn’t Tell You) 24.12.2025 19:06
Back in November, there was a piece on KrebsOnSecurity about the Cloudflare outage — particularly companies that chose to bypass Cloudflare entirely to get their services back online. I wrote an internal analysis / lessons learned and sent it to my IT Peers on it at the time. Over the past month it’s come up in a few conversations, and this week while working on some blog posts for January,...
Security Third: Why “Security First” Makes Organizations Less Secure 13.12.2025 44:49
I heard something on a podcast the other day that’s been rattling around in my head ever since. The hosts were talking about Mike Rowe’s “Safety Third” concept — the idea that safety matters, sure, but treating it as the absolute top priority above everything else can actually make you less safe . Not because safety doesn’t matter, but because the “Safety First&...
The Marquis Breach: What Happens When Your Vendor’s Security is Worse Than You Think 08.12.2025 37:05
I was winding down my workday last week when one of my analysts posted a link in our team chat—another BleepingComputer article about a data breach. This one was different, though. Marquis Software Solutions, a vendor I’d never heard of, had just disclosed that attackers had compromised data from 74 financial institutions and over 780,000 customers. That evening, I started digging. Could thi...
Willful Ignorance as a Security Vulnerability 03.12.2025 15:59
Saturday evening. Long day of side projects and farm work. The corporate work week was done, but I’d been grinding through accounting, blog writing, development work—all the side-business stuff that fills weekend hours. I was contemplating just getting out of the house for a while. There was snow in the forecast, but maybe I could run out, grab a pizza at the local joint, have a beer, watch whatev...
Why Now? What 15 Years of Security Work Taught Me 02.12.2025 15:10
Why I’m Writing This For the past few months, I’ve been writing more formal internal analysis pieces – breaking down incidents I see in threat intel feeds, public breach notifications, security news that crosses my desk. Nothing fancy, just trying to make sense of what I’m seeing and share it with my management team, my immediate team, and IT peers. Maybe a few others who want to...
Similar podcasts
Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.