Episodes

  • Episode 6: Becoming a tech evangelist
    Feb 4 2026

    Hosts Dave Johnson and Ben Baker sit down with Tim Chase, Global Field CISO at Orca Security, to demystify one of cybersecurity's most intriguing and often misunderstood roles. With over 20 years in information security—from manual penetration testing in 2002 to leading cloud security programs and now evangelizing cutting-edge technology—Tim shares the real story of what tech evangelism means, how to break into the field, and why listening matters more than talking.

    Key topics & timestamps

    Defining tech evangelism (4:00 - 6:07)

    • Not just talking about products—educating on industry trends and challenges
    • Sitting at intersection of marketing, sales, and product teams

    The guiding philosophies of effective evangelism (8:03 - 11:21)

    • Drawing on personal CISO experience to stay authentic
    • Putting yourself in the audience's shoes before prescribing solutions
    • Listening as much as talking—learning never stops in cybersecurity

    Tim's journey from practitioner to evangelist (12:52 - 20:53)

    • Started in AppSec, then moved to cloud security, then to evangelism
    • The path was convoluted but intentional at each stage

    Why connections alone don't make good evangelists (21:25 - 25:16)

    • Hiring for rolodex depth is a short-term strategy that fails
    • Executive presence and communication skills matter more
    • Speaking CISO-to-CISO changes the entire conversation dynamic

    The art of adding value without being preachy (25:16 - 28:36)

    • Cybersecurity professionals don't want product pitches—they want help
    • Executives struggle with "Is this just me?" moments—evangelists provide perspective
    • Positioning your company as thought leaders, not just vendors

    Breaking into tech evangelism (33:10 - 35:48)

    • Find your preferred communication medium and start there
    • Stretch yourself in areas where you're uncomfortable
    • Learn how good sellers ask discovery questions

    What's happening at Orca Security (38:11 - 39:48)


    Key quotes

    "A tech evangelist to me is just someone that sees what's going on in the industry. They've got the history, they've been in it long enough that they can really kind of educate others... to tell them kind of what you're seeing and where they should be focused." - Tim Chase

    "One of the ways that you can get security leaders to pay attention is if they know that you've walked in their shoes before. I've literally seen the face and the conversation change when I introduce myself and they realize I'm not an SE or a seller—I'm a practitioner." - Tim Chase

    "Let the sellers sell, and let me evangelize. They've got their process and they're respected for what they do, but let me just talk about the problem." - Tim Chase


    Helpful links

    • Orca Security
    • (Blog) Where to start your cloud security program by Tim Chase
    • (LinkedIn) Tim's response to Tom Alcock

    Production Credits

    • Co-hosts: Dave Johnson and Ben Baker
    • Producer: Ben Baker
    • Sponsor: Expel Security

    Connect

    • Follow Expel (follow us on LinkedIn, X, and YouTube)
    • Rate and review on your favorite podcast platform
    44 mins
  • Episode 5: Hackers helping hackers: Mental health in cybersecurity
    Jan 14 2026

    In this episode of The Job Security Podcast, host Dave Johnson sits down with Amanda Berlin, CEO and co-founder of Mental Health Hackers, to explore the mental health challenges facing cybersecurity professionals and what the community is doing to address them.

    This conversation covers the unique stressors in cybersecurity work, the prevalence of neurodivergence in tech, practical strategies for combating burnout, and how Mental Health Hackers is creating safe spaces at conferences worldwide where hackers can support other hackers.


    KEY TOPICS & TIMESTAMPS

    4:00 How Mental Health Hackers got started

    5:22 What Mental Health Hackers does

    7:52 The challenge of finding mental health professionals who understand cybersecurity

    8:32 Practical strategies for preventing burnout

    12:08 Why polymaths have an advantage in mental health

    13:35 The most common mental health issues in cybersecurity

    16:10 The pressure of leadership and C-level mental health

    18:52 Finding therapists who can follow technical conversations

    20:43 Connecting mental health professionals with InfoSec practitioners

    22:50 Mental Health First Aid training—what it is and why it matters

    24:13 How to volunteer or sponsor Mental Health Hackers

    26:49 What businesses can do to support mental health

    29:17 The cultural evolution of the cybersecurity community

    32:05 How DEF CON has changed over the years

    35:26 The connection between physical and mental health


    KEY QUOTES

    "Do something that is not security related, something that's not your day job related. For a long time I did not do that and burnt out." - Amanda Berlin

    "There's actually a really high occurrence of general mental health issues in STEM fields, as well as neurodivergence. We see it all the time." - Amanda Berlin

    "When my kids tell people what my nonprofit does, they describe it as sort of like a daycare for adults that are geeks. And it's pretty close to that." - Amanda Berlin


    HELPFUL LINKS

    Mental Health Hackers - https://mentalhealthhackers.org


    CREDITS

    Host: Dave Johnson

    Producer: Ben Baker

    Sponsor: Expel Security


    Connect

    • Follow Expel (follow us on LinkedIn, X, and YouTube)
    • Rate and review on your favorite podcast platform

    The Job Security Podcast explores the unique perspectives and stories of the people who make the cybersecurity industry what it is, whether they realize it or not.

    38 mins
  • Episode 4: Making cybersecurity events findable
    Dec 2 2025

    Host Dave Johnson sits down with Walter Martín Villalba, founder of InfoSecMap, to explore how he's solving one of the cybersecurity community's most persistent challenges: finding and tracking the thousands of InfoSec events happening worldwide. This conversation covers the origin story of InfoSecMap, the mechanics of manually curating event data at scale, and the unique welcoming nature of the InfoSec community that keeps people coming back.

    Key topics & timestamps

    The problem InfoSecMap solves (3:37 - 5:16)

    • Missing events after expensive travel, information scattered everywhere
    • Turned frustration into action during early pandemic 2020

    Building InfoSecMap from scratch (5:54 - 9:45)

    • Started as side project, realized one person couldn't maintain it alone
    • Today: 6-7 people handling operations, outreach, and development

    Recent explosive growth (10:40 - 12:55)

    • Crossed 10,000 unique monthly visits two months ago
    • Now at 23,000 monthly visits (120-130% growth)
    • 100% organic traffic—no paid promotion

    Strategic partnerships and credibility (12:55 - 15:47)

    • Official partnership with OWASP Foundation provides credibility
    • Partnerships with BSides Security globally

    Partnership opportunities (15:51 - 19:01)

    • Flexible models: cross-promotion, highlighting CFPs, sponsor calls
    • Powerful filtering by dates, regions, and topics

    First conference and community passion (19:17 - 21:49)

    • First major conference: OWASP Global AppSec USA 2013
    • InfoSec community uniquely welcoming with knowledge sharing culture
    • Platform lists CTFs valuable for career development

    Manual curation at scale (23:28 - 25:29)

    • Everything manually curated to ensure accuracy
    • Prevents spam and vendor pitches
    • Expecting 5,000+ listings by end of year

    The actual numbers (25:54 - 27:44)

    • Conservative estimate: 7,000-10,000+ InfoSec events annually worldwide
    • InfoSecMap has close to 5,000 events for 2024 alone

    Automation and AI exploration (27:44 - 30:50)

    • Exploring AI for curation automation with mixed results
    • Higher priority: making platform self-sustainable long-term

    Future vision and new features (33:14 - 37:00)

    Key quotes

    "I simply got tired of wasting a lot of time searching online... spending a lot of time and finding only a handful of events and still missing a lot." - Walter Martín Villalba

    "The InfoSec community is very special in regards to certain aspects. It's very welcoming. There's a ton of knowledge sharing. There are a lot of people willing to give you a hand, not expecting anything in return." - Walter Martín Villalba

    "It doesn't really matter how big or small the event is. If it's a legit InfoSec event, we'll list it, even if it is five friends getting together every other Friday to try to do some Hack The Box machines." - Walter Martín Villalba

    Helpful links

    • InfoSecMap.com

    Production Credits

    • Co-hosts: Dave Johnson
    • Producer: Ben Baker
    • Sponsor: Expel MDR

    Connect

    • Follow Expel (follow us on LinkedIn, X, and YouTube)
    • Rate and review on your favorite podcast platform

    38 mins
  • Episode 3: Building an AI-powered security practice
    Nov 14 2025

    Host Dave Johnson and co-host Tyler Zito sit down with Peter Holcomb, founder and CEO of Optimo IT and self-described "AI Samurai," to explore how AI is reshaping cybersecurity—from automating compliance workflows to defending against emerging threats. Peter shares practical insights on shadow AI risks, AI observability, and how fractional CISOs are becoming essential for AI-native companies navigating security and governance challenges.

    Key topics & timestamps

    Peter's background and Optimo IT (2:31 - 4:26)

    • Founder/CEO of AI security consulting specializing in fractional CISO services
    • Focus: SOC 2 Type II, ISO 42001/27001, GDPR, HIPAA
    • Former CISO at DataVolo (acquired by Snowflake) and EMED Digital Healthcare

    Overlooked AI security challenges (4:26 - 7:35)

    • Shadow AI becoming the new "shadow IT"—unsanctioned tools introducing risk
    • AI observability must track: alert severity, user queries, token usage, cost, data lineage
    • Automated evidence tracking with platforms like Vanta, Drata, Risk 360

    Applying existing security principles to AI (7:35 - 9:02)

    • Reapplying standard security practices to different use cases
    • Continual education on appropriate tool usage and data stewardship
    • Shared responsibility between security teams and business

    The fractional CISO model (9:02 - 14:24)

    • AI-native companies need security expertise but want to focus on product
    • Business owns the risk—CISO advises on treatment options
    • Third-party perspective often carries more weight than internal recommendations

    Building an AI-powered business (16:17 - 19:32)

    • Email agent automates responses, saves drafts for review
    • Lead generation agents personalize outreach sequences
    • ~10 agents handling administrative tasks to focus on strategic work
    • Building evidence collection agents for audit workflows

    AI security use cases (19:32 - 24:21)

    • Red team/blue team testing via TestSavant.ai
    • Microsoft Copilot integration risks
    • Recommended tools: Petra Security, Cloud Capsule for pre-Copilot assessments

    AI's future in security operations (24:43 - 28:27)

    • Near-term: Autonomous defense agents detecting/remediating faster than humans
    • Still need human-in-the-loop for verification
    • Zentra.ai: Building agents for level 1-2 IT operations
    • Example: 24-hour ticket resolved in 30 seconds with agent automation

    Career advice (29:41 - 32:22)

    • Get educated on AI—tinker with it, understand pitfalls
    • AI governance is the "new GRC"
    • Get hands-on: Build labs, use AWS free tier, experiment with tools
    • Identify repetitive tasks and automate with agents

    Key quotes

    "Shadow AI is becoming a huge thing right now... individuals want to be more productive, but they might install these vibe coded tools and now they're introducing more risk into the environment." - Peter Holcomb

    "There are only four things you can do with risk. You can accept the risk, mitigate the risk, transfer the risk, or ignore the risk." - Peter Holcomb

    "Back in the day, GRC was not looked at as a sexy thing, but now, with the ubiquity of AI, AI governance is top of mind for everybody." - Peter Holcomb

    Production Credits

    • Co-hosts: Dave Johnson and Tyler Zito
    • Producer: Ben Baker
    • Sponsor: Expel MDR

    Connect

    • Follow Expel (follow us on LinkedIn, X, and YouTube)
    • Rate and review on your favorite podcast platform
    35 mins
  • Episode 2: THOR: Love and Thrunder
    Oct 16 2025

    Host Dave Johnson and co-host Tyler Zito sit down with Sydney Marrone and Lauren Proehl, co-founders of the THOR Collective, to explore the evolving world of threat hunting. This conversation covers the fundamentals of building a threat hunting program, how AI is transforming both offensive and defensive security, and the importance of community collaboration in advancing the practice of "thrunting."

    Key topics & timestamps

    What is the THOR Collective? (5:27 - 9:29)

    Evolution of threat hunting (9:38 - 11:55)

    • Early days: Hypothesis-driven, minimal scope, "running queries and hoping for the best"
    • Today: Machine learning, advanced statistics, AI integration
    • Expanding beyond internal networks to cyber threat intelligence

    AI's impact on threat hunting (12:07 - 15:44)

    • Threat side: Perfect phishing emails, AI-generated malware, reduced red flags
    • Defense side: Lower barrier to entry, query translation, threat intel summarization
    • Lauren: "Certified AI hater" but acknowledges augmentation potential
    • Sydney: Amazed by AI capabilities but warns against over-reliance

    How to start a threat hunting program (15:44 - 21:15)

    • Start small, don't overcomplicate
    • Adopt a framework (PEAK, SQRRL, Tahiti, or custom)
    • Ensure the basics: Automate IOCs, focus on top of pyramid of pain
    • Critical requirement: Dedicated time (not "downtime hunting")
    • Essential tools + use what you have

    Proving value and storytelling (24:05 - 28:14)

    • Every hunt should have an output—you can't fail at threat hunting
    • Findings include misconfigurations, missing logs, undocumented processes
    • Turn yourself into a marketer for your program
    • Use metrics, readouts, presentations tailored to executive preferences
    • Hunt relevancy factors: Focus on what matters to YOUR organization

    Documentation and process (31:33 - 36:14)

    • Tyler's mountain rescue analogy: Document everything, even "negative" findings
    • Create maps of searched areas and techniques used
    • If it's not documented, it didn't happen
    • Another hunter should be able to replicate your work entirely
    • Baseline and map to frameworks like MITRE ATT&CK

    Key quotes

    "If you ask three people what threat hunting is, you'll get three different answers." - Dave Johnson

    "The barrier to entry [to threat hunting] is going to be a lot lower, which is great, as long as people aren't relying on [AI] way too much." - Sydney Marrone

    "Every single hunt should have an output... It's very hard to fail at threat hunting—you always find something." - Lauren Proehl

    "If it isn't documented, it didn't happen." - Lauren Proehl

    "The only way we win this is doing this together." - Lauren Proehl

    Helpful links

    • THOR Collective
    • The Threat Hunters Cookbook by Sydney Marrone
    • Blue Team Village at DEF CON

    Production Credits

    • Co-hosts: Dave Johnson and Tyler Zito
    • Producer: Ben Baker
    • Sponsor: Expel MDR

    Connect

    • Follow Expel (follow us on LinkedIn, X, and YouTube)
    • Rate and review on your favorite podcast platform

    39 mins
  • Episode 1: The cyber kids are alright
    Sep 25 2025

    Host Dave Johnson sits down with Matthew Gracie and Brandon Levene, two longtime security practitioners who have transitioned into teaching the next generation of cybersecurity professionals. This conversation explores their educational journeys, teaching philosophies, and what makes today's cybersecurity students different from previous generations.

    Key topics & timestamps

    Educational backgrounds (2:45 - 6:17)

    • Brandon: Psychology degree, early Palm Pilot hacking, LAN party SubSeven pranks
    • Matt: English degree, desktop support, voluntold into security by CIO in 2005
    • Both learned security before formal education programs existed

    Path to teaching (8:01 - 14:24)

    • Matt negotiated teaching cybersecurity in exchange for hosting BSides Buffalo
    • Brandon pitched cybercrime course at Johns Hopkins after conference conversation

    Teaching challenges (10:00 - 21:39)

    • Diverse graduate student backgrounds: accounting majors to IT veterans
    • Balancing content for newcomers vs. experienced students
    • Brandon's classes: majority female in 2 of 4 semesters, policy-focused
    • Matt's program: technically-oriented under computer science department

    The "Wild West" of cyber education (21:40 - 25:01)

    • No standardized curricula across institutions
    • Programs emerging from different departments (criminal justice, accounting, CS)
    • Difficult to evaluate cybersecurity degrees from unknown schools

    Industry challenges (25:02 - 35:45)

    • Warning against bootcamp promises without technical fundamentals
    • Communication skills as crucial as technical abilities
    • Reality check: High stress, long hours, constant learning required

    Industry recommendations (36:00 - 39:12)

    • Better support systems for junior professionals
    • Focus on communication skills alongside technical training
    • Sustainable career progression from junior to senior roles

    Key quotes

    "We're kind of in that same stage that computer science was back in the 60s and 70s, when it was still mostly math professors who just happened to be teaching computer science stuff." - Matt Gracie

    "What if we train them and they don't stay, and the counter is, what if we don't train them and they do? I would much rather train them and have competence and they don't stay but incentivize them to actually grow and stay." - Brandon Levene

    "Security works best as a dual class... You come up as desktop support or help desk or network engineering, and then transfer into a more security focused role." - Matt Gracie

    Helpful links

    • B-Sides Buffalo (on X)
    • The Rural Tech Fund
    • KC7 Cyber

    Production Credits

    • Co-hosts: Dave Johnson
    • Producer: Ben Baker
    • Sponsor: Expel MDR

    Connect

    • Follow Expel (follow us on LinkedIn, X, and YouTube)
    • Rate and review on your favorite podcast platform

    43 mins
  • Episode 0: What are we doing here?
    Jul 31 2025

    Welcome to the inaugural episode of the Job Security Podcast! In this introductory episode, co-hosts Dave Johnson and Ben Baker (filling in for the vacationing Tyler Zito) share the vision behind this new podcast.

    Dave Johnson, Principal Solutions Architect at Expel and co-host, and Ben Baker, producer and co-host, discuss what listeners can expect in the coming episodes.

    Episode highlights:

    • An "enlightenment period" in cybersecurity: Dave describes the current state of cybersecurity as an "enlightenment period," where the industry has stabilized with established education systems, compliance policies, and documented methods. He emphasizes the importance of understanding the industry's history to predict its future.
    • Learning from beyond cybersecurity: The podcast aims to explore unique perspectives from people who have shaped the industry, "whether they realize it or not." Dave highlights that cybersecurity concepts, like risk and strategy, are often thousands of years old and borrowed from other industries, such as finance.
    • Diverse guest perspectives: Ben shares examples of potential guests from outside cybersecurity, including semi-pro poker players and former underwater welders, who can offer valuable insights into principles relevant to cybersecurity.
    • A shift in focus: Dave explains that unlike many cybersecurity podcasts that focus on threats and adversaries, "Job Security" will concentrate on the people who perform the work, including those not typically in the spotlight. The goal is to explore the intrinsic parts of the industry, delve into its history, and foster conversations about career paths and practical applications.
    • Optimism and self-care: The podcast seeks to project optimism, reflecting the significant progress made in the cybersecurity field. The hosts hope the podcast can be a form of "self-care," encouraging listeners to relax, learn something new, and gain fresh perspectives to combat the intensity of their daily work.
    • A welcoming community: Dave notes the positive evolution of the cybersecurity community, highlighting a reduction in "egos" that previously hindered innovation. The podcast aims to inspire curiosity and innovation by encouraging listeners to step away from their immediate tasks and explore different areas.

    Quotes from the episode:

    • "We're here to explore the unique perspectives and stories of the people who make this industry what it is, whether they realize it or not."
    • "We're in what I generally refer to as an enlightenment period of cybersecurity, where we've kind of stabilized where we are."
    • "The concepts that we use are thousands of years old. It's just security, but what we're doing with it, what we're protecting, and what tools we're using, that's the different part."
    • "This podcast can be a vehicle to help explore our culture, but maybe identify some ways for improvement."
    • "If nothing else, if people listen to this podcast with a nice, cool drink in their hand with their feet up for a little while, maybe it's just your lunch break, that's fine. Take that 30 minutes, take that hour and just relax with a good story and some interesting discoveries from us."
    • "The community is the healthiest I've ever seen it."

    Stay tuned:

    Tyler Zito will be back from his European vacation in a couple of weeks to share his unique perspectives in cybersecurity. Expect great episodes with fascinating guests!

    Subscribe and connect!

    Don't miss out on future episodes! Subscribe to the Job Security Podcast wherever you get your podcasts, and follow us on YouTube: youtube.com/@expelsecurity

    17 mins