The monthly podcast for security professionals, by security professionals. Two self-proclaimed grumpy security professionals talk security risk, how they have managed it in the past, and hold forward-looking discussions with guests working in information security and risk management.
ESRM Podcasts
Cyber Resilience, a National Solution with Herbert Fensury (30:01)
Cybercrime is now a daily fact of life and a significant concern in both the private and public sectors, but our response capabilities do not seem to be keeping up. This episode dives deep into one organization that is combating this problem with a combination of academic research, industry expertise and hands-on training, with the founder and CEO,…
Twenty years after their paths first crossed, three Canadian security professionals regroup to discuss a new risk management strategy book based on hard-won field experience. Patrick Hayes was a security strategist before organizations knew this was a success differentiator. For decades he has been guiding organizations large and small, public, private a…
Part 2 of this summer break episode takes a light-hearted look at the cyber security industry predictions that become the norm in late December and early January. Eight or nine months later, how accurate were they? Take a listen; there are a couple of surprises. The conversation uncovers a few ongoing challenges with the cyber security indus…
The summer show started with the light-hearted goal of evaluating the top security predictions that fill the internet in late December each year. Forever unscripted, Tim and Doug wind up reflecting on the growing gap between physical and virtual information systems. While it is easy to lament, from a cognitive perspective there is little hope, the …
ESRM roots, revelations & resilience with John Petruzzi (35:49)
Enterprise Security Risk Management (ESRM) principles appear in almost every episode, and this one is a bit more overt because it features two of the three people responsible for promoting ESRM in the early days of its reintroduction through ASIS. John Petruzzi is now the CEO of Unlimited Technology and is leading them toward an expanded influence in …
Global Risk Management as Strategic Advantage with Dominic Bowen (35:50)
The Caffeinated Risk hosts navigate time zones and catch up with Dominic Bowen, traveling between meetings, to discuss risk management with an international expert on the subject. Mr. Bowen is a partner and Head of Strategic Advisory at 2Secure, one of Europe's leading risk management consulting firms, as well as the host of the International Risk Po…
Simplifying risk analysis using FAIR and Wiley Coyote with Jack Freund (8:35)
A while back we were fortunate enough to spend time with Jack Freund, co-author and thought leader responsible for bringing the FAIR methodology and practice into the mainstream. A bonus from that original recording is now an espresso shot discussing how to fast-track an assessment when the threat vectors are numerous. While the metaphor Jack used is …
SMB Resilience and lessons for larger organizations with Rochelle Clarke (30:44)
At 45-50%, depending on your statistical source, there is no denying that small to medium-sized businesses are a significant economic engine from both an employment and an innovation perspective. In 1978 Microsoft numbered 11 people. Unfortunately, small businesses are also the least likely to survive a major disruption, an experience that changed Roch…
Addressing Risk and Cyber Resilience, the Alberta Approach - with Rachel Hayward (36:13)
A surprising number of digital innovations began in Alberta, be it the world's first public digital cellular network in 1985, the DNP3 industrial controls protocol or hosting the first Google international research lab in 2017. CyberAlberta is another innovative collaboration focused on strengthening the cyber resilience of Alberta organizations.…
Security Risk Management in an Open Data Environment with Michael Spaling (36:26)
Ever wondered how top universities protect their cutting-edge research from prying eyes while ensuring seamless access for their scholars? Join us as Michael Spaling, Principal Security Architect at the University of Alberta, takes us behind the scenes of this high-stakes balancing act. Just like any other large organization, research universities …
Engineering, Risk Management for Cyber-Physical Systems with Andrew Ginter (29:25)
The practice of engineering dates back thousands of years, incorporating science and mathematics to solve problems in the ancient world, and remains a key requirement for developing the complex digital systems controlling the physical systems core to our modern way of life. Unfortunately, connectivity and complexity have created a vulnerability we m…
Deviance Normalization & Risk Management with Marco Ayala (34:05)
Technological change is inevitable and is often one of the aspects that attract people toward careers in information and operational technology. Although risk management is a part of navigating advancement in any area, the fundamental flaw in any management system is our human tendencies. This episode explores how organizations can make slow, steady …
Managing Supply Chain Risk Management - with Darren Gallop (32:34)
Whether it's the NIST CSF, NISTIR 8276 or the new European Cyber Resilience Act, there is no denying the expectation that supply chain management (SCM) is a risk management area no organization can ignore. While SolarWinds is a recent common reference in many SCM discussions, this episode's guest takes us back to Target's major data breach, which resulted in s…
Metawar and Fostering Resilience with Winn Schwartau (34:51)
Long before The Matrix captured people's imaginations, Winn Schwartau was steadily offering red pills to those reading his many books on information warfare. A scholastic-level researcher without the pretense, Mr. Schwartau has been recognized internationally as one of the leading security thinkers of our time and has a special capability for disti…
Resilience and I.R. Lessons Learned (the hard way) - with Adam McMath (34:31)
Almost all incident response plans include a "lessons learned" step, and in the post-adrenaline phase that follows many breaches, reviewing what worked and what needs improving doesn't excite a lot of people. Adam McMath is clearly the exception, leading incident response activities in both the cyber and physical realms. How do resilience and inciden…
ESRM a Transformation Catalyst with Radek Havlis (29:47)
Amongst the industry verticals classified as critical infrastructure, few would dispute that telecommunications belongs at the top of that list, placing even more weight on a risk management program due to cascading impacts. Consequently, safe, reliable operations are essential for success while continuing to grow in a highly competitive marketplace. A s…
Contingency Planning, Cyber Resilience and Incident Response (28:33)
Regulatory frameworks from PCI DSS to NERC CIP to the newly minted NIST CSF 2.0 each require organizations of all sizes to have cyber incident response plans. Most of us who have spent any time in cubicle-filled office towers are familiar with fire drills to clear the building and gather staff at muster points, and that is as close as we get to the…
The Business Context of Cyber Resilience with Steven J Ross (30:51)
Those running a business today who have not experienced disruption due to cyber issues or attacks know it is only a matter of time. Even if their organization is not directly targeted, the modern marketplace, comprised of multiple interconnected supply chains, means impact is unavoidable, but this episode's guest, Steven J Ross, contends planning, de…
Building a Cyber Risk Management Program with Brian Allen (30:03)
The U.S. Securities and Exchange Commission defined new rules for cyber risk matters facing publicly traded corporations in July 2023. Although the SEC's mandate is limited to publicly traded companies in the United States, where one regulator goes, others are apt to follow. Brian Allen is the co-author of a brand-new book putting form, structure and t…
CyberPHA - OT Risk management With John Cusimano (31:59)
The ISA99 standards committee is one of the most recognized authorities on cyber-physical security, covering many aspects of a cyber security management system for industrial control systems, including risk management. This episode features John Cusimano, former chairman of the ISA subcommittee responsible for authoring the risk management portion of the…
Science, Crime and Workforce Development with Dr. Martin Gill (31:52)
Security and crime are often in close proximity but not always studied together. This month's episode features Martin Gill, a criminologist who made the study of crime and security his life's work. After a decade as a lecturing professor at the University of Leicester, Mr. Gill started Perpetuity Research in 2002 and continues to provide very high …
ESRM a Decade In and The Emergent Threat Landscape (29:52)
Recorded after the GSX conference, which included an in-depth review of ESRM and an interview with former U.S. president George W. Bush, this episode considers how enterprise security risk management has stood the test of time as well as how risk analysis will need to evolve. Financial receptors can be found in almost every organizational risk matrix, but how do …
Business Enablement using Converged Risk Management with Michael Lashlee (36:20)
The convergence buzzword has come and gone, and some organizations have struggled to reap the benefits of physical and cyber security departments working in tandem toward common goals. Michael Lashlee, Deputy Chief Security Officer at Mastercard, shares security insights from the U.S. Marines, the Secret Service and financial services tech giant Mastercar…
Interpreting Risk within a Regulatory Context with Terry Freestone (32:28)
Calgary was an ICS cyber hub before most knew such measures were necessary. Terry Freestone was one of the ICT specialists from those early days who now applies his decades of hard-won knowledge in the offices of the Canadian Energy Regulator. Speaking as a private citizen and cyber security expert rather than a government representative, Terry and…
Keeping up the accidental annual tradition, Tim and Doug take a retrospective look at risk management as a mid-year pulse. The 10th annual Cyberthreat Defense Report forms the underlying theme, with the hosts digging under the statistics to analyze how these might pertain to ESRM. Communication also popped up as a topic, and Tim shares some lessons learned from…
ESRM and Data Science with Rachelle Loyear (31:28)
One of the original authors of the ESRM framework, now in its tenth year, and Caffeinated Risk's first guest returns to discuss how data science is changing security and risk management. While alchemy may be a bit of a stretch, Ms. Loyear's ongoing focus on including human behaviour in the risk equation is leading to the development of data science …
Attack Tree Calibration with Terry Ingoldsby (7:30)
Threat modeling expert and inventor of one of the world's first attack tree modeling products talks about how to integrate subject matter expertise into the risk equation; the answer may be surprising. Bonus content not included in the original interview with Terry, which dove deep into the history of attack trees, modern applications and exploring …
FAIR and ESRM, exploring common ground with Jack Freund (38:12)
Factor Analysis of Information Risk (FAIR) and Enterprise Security Risk Management (ESRM) took different evolutionary paths yet share a lot more commonality than catchy four-letter acronyms and mainstream adoption by notable organizations like NIST, The Open Group and ASIS International. Jack Freund personifies the term "risk management thought leader…
In addition to hybrid work and regular time in the office being the new normal, 2023 marks the year Caffeinated Risk's co-host Tim McCreight serves as the president of ASIS International. ASIS has long been a proponent of both physical and cyber security professionalism and was one of the first organizations to explore and embrace Enterprise Security R…
ESRM Enablement via Location Intelligence with Alex Martonik (31:55)
Realtors have long advocated "location, location, location" as a path to investment success. Fast-forwarding a few generations, location intelligence applied to risk management is paying dividends well beyond real estate, and Esri is a world leader in this fascinating application of geospatial information. Esri business solutions leader Alex Marton…
Privacy & Toxic Data with Michelle Finneran Dennedy (6:00)
A great discussion point that didn't make it to air from the original 2021 episode. Not all data is of equal value to the organization, and its viable shelf life is seldom tracked or even discussed. This espresso shot takes a humorous look at a serious question about privacy considerations during the development cycle; check out the original full episode…
Classifying and effectively communicating enterprise security risk with Paul Mercer (31:15)
Communication isn't effective until the receiver understands the message well enough to take action. That pretty much sums up the challenge facing many risk professionals today, something Paul Mercer resolved, out of necessity, by building risk management software that is proving to be a welcome solution for many notable customers. Mr. Mercer is no…
Redefining the risk management business partnership with Rachelle Loyear (6:50)
As co-author of the original book on Enterprise Security Risk Management, Rachelle was the natural choice as the first Caffeinated Risk guest. As with many guests, there was just too much material for a 30-minute episode. This espresso shot encore digs into the nuanced topic of truly partnering with business stakeholders.…
Anyone with a bit of time in the security industry is well acquainted with Murphy's law, but crisis management specialists are who you call when things suddenly get very real. While common security guidance advocates protection, readying your organization to weather the inevitable failure of prevention measures starts with resilience. International …
Infrastructure Resilience and Ethical Considerations (31:48)
Recorded two days after the July 2022 nationwide telecom outage, co-hosts Tim and Doug explore the deeper ramifications of losing access to the very services that are so tightly integrated into our lifestyle. While the complete root cause of the Rogers outage may never be publicly shared, most organizations face similar constraints, leading to a d…
GRC Program Development and Implementation with Josh Sokol (31:10)
Sooner or later every risk management professional faces the hard reality that comprehensive risk management programs can't be implemented on spreadsheets. A corporate vice president's mandate, minus the funding, started Josh Sokol on a journey that turned his initial platform solution into an open-source project that morphed into a commercial venture…
Strategies for meeting the cyber skill set challenge with Martin Dinel (32:26)
Chief Information Security Officer Martin Dinel has all the same technology challenges as every other large organization. Placing Alberta in front of that CISO title brings the additional requirements of protecting government secrets, interfacing with national security, and protecting the financial and health information of more than 4 million people as we…
Risk management in the cloud with Illena Armstrong (32:32)
Very few organizations, from three-letter agencies to the local brew pub, are not using cloud services to some degree, and those previously resistant had no choice once COVID-19 hit. In 2022, with global conflict, organized crime, and multiple supply chain and service concerns, what is required of a security professional responsible for navigating risk f…
Cyber Crime and Risk Management Strategies with Cara Wolf (32:31)
Acknowledged by IT World Canada as one of the top 20 women in cyber, Cara Wolf shares insights into the Canadian tech industry, the need for innovation and tactics for drawing senior leadership's attention to cyber security issues during a candid discussion on the changing aspects of cyber crime. Long before cyber crime was a mainstream concept M…
Continuous Authentication and Risk Management with Ian Paterson (32:34)
The threat landscape is evolving; if your security controls are not, the outcome is all but assured. In this episode Tim and Doug are joined by Canadian cyber security serial entrepreneur Ian Paterson, CEO of Plurilock. Mr. Paterson shares hard-won insights from extensive data science research and development, how this intelligence enables continu…
Castles and Network Management with Winn Schwartau (5:33)
A light-hearted espresso shot with renowned information security writer Winn Schwartau and Tim McCreight discussing the serious and all-too-common problem of uncontrolled ingress and egress. While the first electronic firewalls may have come into vogue in the late '80s, Winn and Tim uncover parallels with perimeter security developed in the middles…
Unpacking the Security Value Chain - Dave Tyson (7:21)
An espresso shot covering a great idea Dave Tyson originally shared in his book and discussed during our 2021 interview: identifying where security can contribute to the business value chain, and some strategies for selling the benefits. With thought leaders like Dave, there are many more insights than time in each monthly episode, so in 2022 we'll…
The year-end episode does some comparing and contrasting of risk management in different areas, including things outside of cyber. Ironically, recorded just a couple of days before most of the world learned about a design choice in the Log4j Java logging library that suddenly made logging dangerous, it brings home the point that our cyber threat landscape is complex. …
Applying Scientific Principles to Risk Management - With Doug Millward (33:12)
While many in risk management or cyber security reference standards and leading practices, that reliance is often based on tacit acceptance rather than deep research. There is an argument that such research is too slow compared to commercial solutions, especially considering our current threat landscape and resource constraints. This episode explores the…
Risk and Kinetic Consequences - with Paul Smith (31:08)
Skilled penetration testers are some of the more specialized people within the information security industry. When it comes to safely testing kinetic systems, the pool of talented ethical hackers shrinks again, but it does include Paul Smith, who has written a brand-new book on the subject. An ICS security specialist before it was a recognized specialty,…
Privacy Engineering, Manifesto & Beyond with Michelle Finneran Dennedy (31:10)
Formerly vice president and chief privacy officer at Cisco, CEO of Drumwave and a licensed attorney, Michelle Finneran Dennedy is recognized as a visionary leader in information systems privacy. She is currently the co-founder of Privatus Consulting, supporting clients working through the wicked problem of privacy in this digital age. Much to the benefit of…
Following the Money in Cybersecurity with Larry Whiteside Jr. (35:46)
A business without cash flow isn't a business for long, and security solutions are seldom free, yet cyber security is a line item that business owners ignore at their peril. Cost management and risk management come together in this lively podcast with special guest Larry Whiteside Jr., a former US Air Force division chief who has held a number of seni…
Co-hosts Tim and Doug explore the security implications of workers returning to corporate networks after more than a year working remotely. Is there a new art of the possible to be considered, based on the changes most organizations needed to make to networks and applications to get through the pandemic lockdown? Is this now more important than ever s…
A Business First Security Focus with Dave Tyson (30:04)
Dave Tyson literally wrote the book on Managing Enterprise Security Risk through converged security while serving as the CSO for the City of Vancouver during the Winter Olympic Games. A practitioner rather than a theorist, Tyson has held senior security leadership positions at multiple major organizations, including eBay, Pacific Gas and Electric an…
Security risk analysis using attack trees with Terry Ingoldsby (34:42)
"We need more science in Cyber Security" (David Hechler, TAG Cyber Law Journal)
Threat modeling should be step 0 of any security architecture, but it often goes completely unconsidered. This episode features Terry Ingoldsby, a veteran cyber risk professional, physicist, computer scientist and inventor of Securitree. Ingoldsby created the attack tree deve…
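As an added illustration for this episode and the Attack Tree Calibration espresso shot above (not code from the podcast, from Terry Ingoldsby, or from the Securitree product), the script below evaluates a small attack tree of the kind discussed: attacker cost is propagated through AND/OR nodes to find the cheapest path to the goal, subject-matter-expert probability estimates are carried as low/high intervals so that estimate uncertainty shows up in the result, and the leaves with the widest intervals are listed, since those are where a better-calibrated expert estimate tightens the answer most. The tree, step names, costs and probabilities are constructed for the example.

```python
"""Attack tree evaluation with interval-valued SME estimates (constructed example)."""
from dataclasses import dataclass, field
from math import prod
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                             # "LEAF", "AND" or "OR"
    cost: float = 0.0                              # attacker effort for a leaf step (example units: hours)
    p_success: Tuple[float, float] = (1.0, 1.0)    # SME estimate of step success as (low, high)
    children: List["Node"] = field(default_factory=list)


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Minimum-effort path to the node: OR picks the cheapest child, AND sums all children."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    sub = [cheapest_attack(c) for c in node.children]
    if node.kind == "AND":
        return sum(cost for cost, _ in sub), [step for _, steps in sub for step in steps]
    if node.kind == "OR":
        return min(sub, key=lambda r: r[0])
    raise ValueError(f"unknown node kind {node.kind!r}")


def success_bounds(node: Node) -> Tuple[float, float]:
    """Probability the attacker reaches the node, as a (low, high) interval.

    AND: every child step must succeed, so the probabilities multiply.
    OR: any child branch suffices, so p = 1 - prod(1 - p_i) over the branches.
    Both formulas are monotone in each child's p, so the low bound is obtained
    from every child's low estimate and the high bound from every child's high.
    """
    if node.kind == "LEAF":
        return node.p_success
    lows, highs = zip(*(success_bounds(c) for c in node.children))
    if node.kind == "AND":
        return prod(lows), prod(highs)
    if node.kind == "OR":
        return 1 - prod(1 - p for p in lows), 1 - prod(1 - p for p in highs)
    raise ValueError(f"unknown node kind {node.kind!r}")


def most_uncertain_leaves(node: Node) -> List[Tuple[str, float]]:
    """Leaves ordered by estimate interval width: where SME calibration would help most."""
    leaves: List[Tuple[str, float]] = []

    def walk(n: Node) -> None:
        if n.kind == "LEAF":
            lo, hi = n.p_success
            leaves.append((n.name, hi - lo))
        for c in n.children:
            walk(c)

    walk(node)
    return sorted(leaves, key=lambda item: item[1], reverse=True)


def build_sample_tree() -> Node:
    """Constructed tree: three ways to read a customer database. All numbers are invented."""
    return Node("Read customer database", "OR", children=[
        Node("Compromise web app", "AND", children=[
            Node("Find SQL injection", cost=40, p_success=(0.2, 0.5)),
            Node("Exfiltrate via injection", cost=8, p_success=(0.8, 0.95)),
        ]),
        Node("Steal admin credentials", "AND", children=[
            Node("Phish an administrator", cost=16, p_success=(0.3, 0.6)),
            Node("Bypass MFA", cost=24, p_success=(0.05, 0.2)),
        ]),
        Node("Physical access to backup tapes", cost=80, p_success=(0.1, 0.3)),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    cost, steps = cheapest_attack(tree)
    print(f"Cheapest attack: {cost} hours via {' -> '.join(steps)}")
    lo, hi = success_bounds(tree)
    print(f"P(goal reached): {lo:.3f} .. {hi:.3f}")
    for name, width in most_uncertain_leaves(tree)[:2]:
        print(f"Calibrate first: {name} (interval width {width:.2f})")
```

Run as a script it reports the credential-theft branch as the cheapest path (40 hours) even though the web-app branch is the more likely to succeed, which is exactly the kind of disagreement between "cheapest" and "most probable" that an expert reviewing the tree needs to resolve. Swapping the two SQL-injection leaves' estimates or narrowing the phishing interval shows how much a single SME input moves the goal probability.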