Cybersecurity executive Vince Romney — partner at Digital Defense Security and author of the forthcoming *How to Not Suck at Cybersecurity* — sits down with Squeeze CTO Brett Evanson and host Carson Poppenger to translate complex threat intelligence into moves any business can make today.


Key takeaways

  • Attackers rarely need zero-days — most successful breaches exploit years-old vulnerabilities against unpatched systems, so basic hygiene closes the majority of risk.
  • Credential stuffing from indexed dark-web breach databases is one of the most common attack vectors; unique credentials for every account, kept in a password manager or a securely stored physical log book, defeat it.
  • Backup systems must be tested end-to-end — knowing your recovery time is 12 days only after an attack is not a plan.
  • Supply chain and open-source dependencies are a leading source of inherited compromise; Software Composition Analysis (SCA) should be standard practice.
  • Cyber insurance is now driving vendor due diligence rigor, requiring verified artifacts — not just self-attestation — from all third parties.
  • Threat modeling with a likelihood-vs.-impact matrix lets businesses allocate limited security budgets to the highest-priority risks first.
  • Building a culture of security — where secure practices are the default, not an afterthought — is more effective than any single tool or policy.

The Cybersecurity Arms Race Is Real — and Most Businesses Are Losing

Vince Romney opens with a blunt truth: the threat landscape never pauses, and anyone who stops learning gets left behind fast. Whether it is AI-enhanced botnets probing every internet-facing IP or a searchable dark-web database of billions of stolen credentials, attackers are getting smarter without inventing anything fundamentally new. As Vince explains, the MITRE ATT&CK framework catalogs only a few hundred techniques (grouped under a little over a dozen tactics), and there have been no truly novel attack classes in years, just smarter executions of old ones.

AI: Enabling Technology With a Caveat

Vince and Brett align on AI as an enabling technology — one that defenders must embrace with clear-eyed understanding. Attackers are already leveraging the same tools. Brett points to continuous learning (including auditing free Stanford AI courses on Coursera and Udemy) as a practical first step. On the product side, Squeeze’s AI-driven tools communicate server-to-server rather than over public connections, reducing the exposure surface considerably.

Password Hygiene: Simple Fixes That Actually Work

Credential stuffing — matching leaked email/password pairs from the dark web’s now-indexed breach databases — accounts for a huge share of successful intrusions. The fix doesn’t require exotic tooling:

  • Password managers (e.g., 1Password) let you remember one long passphrase while generating unique, complex credentials for every account.
  • A physical log book stored securely beats an unprotected spreadsheet in Google Drive for your most critical credentials.
  • After the LastPass breach, migrating to a new manager and resetting all imported passwords is straightforward — the tool even flags which entries came from the compromised vault.
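How the breach-database check behind a password manager's "compromised password" warning works, as an added example that is not code from the episode or from 1Password: the client hashes the password, sends only the first five hex characters of the SHA-1 digest, receives every suffix in that bucket, and does the match locally, so neither the password nor its full hash leaves the machine. The corpus, its counts and the short word list are constructed; the request/response shape imitates the Have I Been Pwned "range" API, but everything here runs offline.

```python
"""Breach-corpus password check with k-anonymity, plus per-account passphrase generation.

Added example, not code from the episode or any vendor. Imitates the shape of the
Have I Been Pwned range API (5-char SHA-1 prefix in, 'SUFFIX:COUNT' lines out)
against a small constructed corpus; nothing leaves the process.
"""
import hashlib
import secrets

# Constructed stand-in for an indexed breach database: plaintexts seen in leaks with
# made-up occurrence counts. A real corpus stores only the hashes.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3861493,
    "123456": 37359195,
    "letmein": 265,
    "Summer2023!": 41,
}

# Constructed word list for passphrases (a real diceware list has thousands of words).
WORDLIST = ["anchor", "brisk", "cobalt", "dune", "ember", "fjord", "gusto",
            "harbor", "ivory", "juniper", "kestrel", "lumen", "marble", "nimbus"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the range protocol is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: dict) -> dict:
    """Server-side index: 5-char prefix -> {35-char suffix: count}."""
    index: dict = {}
    for plaintext, count in corpus.items():
        digest = sha1_hex(plaintext)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


BREACH_INDEX = build_index(CONSTRUCTED_BREACH_CORPUS)


def range_lookup(prefix: str) -> list:
    """Server side: every 'SUFFIX:COUNT' line whose hash starts with prefix.
    The server learns only which of 16**5 buckets the query falls in."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    bucket = BREACH_INDEX.get(prefix.upper(), {})
    return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]


def breach_count(password: str) -> int:
    """Client side: how many times the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, count = line.split(":", 1)
        if candidate == suffix:  # comparison happens locally, full hash never sent
            return int(count)
    return 0


def generate_passphrase(words: int = 5, wordlist: list = WORDLIST) -> str:
    """A fresh CSPRNG-chosen passphrase; one per account is what defeats stuffing."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for pw in ("password", "Summer2023!", "Tr0ub4dor&3"):
        print(f"{pw!r}: seen {breach_count(pw)} times in the corpus")
    print("fresh passphrase:", generate_passphrase())
```

The same split is what lets a password manager warn about reused or leaked entries without becoming a second breach source itself: the manager only ever sends a prefix that tens of thousands of unrelated hashes share.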

Resiliency Over Perfection

No budget buys 100% security. The MGM Resorts ransomware incident, where a social-engineering call to the help desk yielded credentials that let attackers bring down systems across an entire Las Vegas property, illustrates what happens when resilience planning lags. Vince's prescription: build a tested, step-by-step recovery playbook. Many organizations have robust backups they have never actually restored; discovering a 12-day recovery window during an active attack is not a strategy.
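A restore drill that does what the paragraph asks for, as an added example (not tooling from the episode): back the data up, restore it into scratch space, verify every file's SHA-256 against the original, and time the restore against a recovery-time objective. The sample data, the tar.gz format and the 60-second RTO are assumptions.

```python
"""Restore drill: back up a directory, restore it to scratch space, verify every
file byte-for-byte and time the restore against a recovery-time objective (RTO).

Added example, not a tool from the episode. Standard library only; the sample
data, the tar.gz format and the 60-second RTO are assumptions.
"""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def tree_digests(root: Path) -> dict:
    """Map relative path -> SHA-256 of every regular file under root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> None:
    """Archive the children of source under relative names."""
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(child, arcname=child.name)


def restore_backup(archive: Path, target: Path) -> float:
    """Extract into target; return elapsed seconds (the measured recovery time)."""
    started = time.perf_counter()
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")  # rejects absolute paths and '..' traversal
        else:
            tar.extractall(target)  # older interpreters have no extraction filter
    return time.perf_counter() - started


def diff_digests(expected: dict, actual: dict) -> tuple:
    """Return (paths missing after restore, paths whose content differs)."""
    missing = sorted(set(expected) - set(actual))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return missing, corrupt


def run_drill(source: Path, rto_seconds: float) -> dict:
    """Backup -> restore -> compare. Anything short of a full, timely restore shows in the report."""
    expected = tree_digests(source)
    with tempfile.TemporaryDirectory() as scratch:
        archive = Path(scratch) / "backup.tar.gz"
        restore_dir = Path(scratch) / "restore"
        restore_dir.mkdir()
        make_backup(source, archive)
        elapsed = restore_backup(archive, restore_dir)
        missing, corrupt = diff_digests(expected, tree_digests(restore_dir))
    return {
        "files": len(expected),
        "restore_seconds": round(elapsed, 3),
        "missing": missing,
        "corrupt": corrupt,
        "within_rto": elapsed <= rto_seconds,
        "verified": not missing and not corrupt,
    }


def build_sample_data(root: Path) -> None:
    """Constructed stand-in for production data (a DB dump, a config, a binary blob)."""
    (root / "db").mkdir(parents=True)
    (root / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'acme');\n")
    (root / "config").mkdir()
    (root / "config" / "app.yaml").write_text("listen: 0.0.0.0:8443\n")
    (root / "blob.bin").write_bytes(os.urandom(4096))


def demo(rto_seconds: float = 60.0) -> dict:
    """Build sample data in a temp dir and run the drill against it."""
    with tempfile.TemporaryDirectory() as workdir:
        source = Path(workdir) / "prod"
        build_sample_data(source)
        return run_drill(source, rto_seconds)


if __name__ == "__main__":
    print(demo())
```

The two numbers worth tracking over time are `restore_seconds` and `verified`: the first is your real recovery window, measured rather than assumed, and the second catches the silent failure mode where the archive exists but restores incomplete or altered data.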

Vendor & Supply Chain Risk Is Underestimated

Some of the most damaging breaches of the past three years originated with a trusted supplier, not a direct attack. Brett flags third-party AI providers (Anthropic, OpenAI) as a key consideration: what data are you sending, what comes back, and what do your contracts actually obligate them to do? Vince adds Software Composition Analysis (SCA) as an essential practice for any team pulling open-source images or packages — knowing what’s inside a Docker image before deploying it is basic hygiene that most teams skip.
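A stripped-down SCA pass, as an added example rather than any tool Vince mentions: read a CycloneDX-style SBOM for a container image, match each component's ecosystem, name and version against an advisory list, and report hits ordered by severity. The SBOM, the advisory entries and their ADV-* identifiers are constructed placeholders, not real CVEs; a production run would take an SBOM generated from the actual image and a live vulnerability feed.

```python
"""Minimal Software Composition Analysis over a container image's SBOM.

Added example, not the SCA tooling discussed in the episode. The SBOM, the
advisory list and the ADV-* identifiers are constructed placeholders.
"""
import json
import re

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed CycloneDX-style SBOM for an image (a real one is generated from the image itself).
CONSTRUCTED_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "app-image", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:deb/debian/openssl@1.1.1k"},
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "lodash", "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15"},
        {"type": "library", "name": "zlib", "version": "1.2.13", "purl": "pkg:deb/debian/zlib@1.2.13"},
    ],
})

# Constructed advisories; the IDs are placeholders, not real CVEs.
CONSTRUCTED_ADVISORIES = [
    {"id": "ADV-0001", "ecosystem": "npm", "name": "lodash", "vulnerable": "<4.17.21", "severity": "high"},
    {"id": "ADV-0002", "ecosystem": "deb", "name": "openssl", "vulnerable": ">=1.1.1,<1.1.1n", "severity": "critical"},
    {"id": "ADV-0003", "ecosystem": "pypi", "name": "requests", "vulnerable": "<2.20.0", "severity": "medium"},
]


def parse_version(text: str) -> tuple:
    """'1.1.1k' -> ((0,1),(0,1),(0,1),(1,'k')); tagging tokens lets ints and letters compare safely."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.findall(r"\d+|[A-Za-z]+", text))


def satisfies(version: str, spec: str) -> bool:
    """True when version meets every comma-separated clause, e.g. '>=1.1.1,<1.1.1n'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported constraint: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        holds = {"<": v < bound, "<=": v <= bound, "==": v == bound,
                 ">": v > bound, ">=": v >= bound}[op]
        if not holds:
            return False
    return True


def purl_type(purl: str):
    """Ecosystem from a package URL: 'pkg:deb/debian/openssl@1.1.1k' -> 'deb'."""
    m = re.match(r"pkg:([^/]+)/", purl)
    return m.group(1) if m else None


def scan(sbom_json: str, advisories: list) -> list:
    """Match every SBOM component against the advisories; most severe findings first."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        eco = purl_type(comp.get("purl", ""))
        for adv in advisories:
            if (adv["ecosystem"] == eco and adv["name"] == comp["name"]
                    and satisfies(comp["version"], adv["vulnerable"])):
                findings.append({"id": adv["id"], "severity": adv["severity"],
                                 "component": f"{comp['name']}@{comp['version']}",
                                 "vulnerable_range": adv["vulnerable"]})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["component"]))
    return findings


if __name__ == "__main__":
    for f in scan(CONSTRUCTED_SBOM, CONSTRUCTED_ADVISORIES):
        print(f"{f['severity'].upper():9} {f['id']}  {f['component']}  (vulnerable {f['vulnerable_range']})")
```

Matching on ecosystem as well as name matters: the same name can exist in npm, PyPI and a distro's package index with unrelated code and unrelated advisories. Real distro versions also carry backported fixes that a pure version comparison cannot see, which is why production SCA tools consult distribution-specific security trackers rather than upstream ranges alone.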

Cyber Insurance Is Reshaping Vendor Management

Insurance carriers are now mandating detailed vendor questionnaires — sometimes 200+ questions deep — and demanding verifiable artifacts, not just signed attestations. Companies that build a genuine culture of security are finding these audits straightforward; those that don’t are getting dropped from coverage or locked out of enterprise deals.

Inside How to Not Suck at Cybersecurity

Vince’s book, expected to publish in August, is structured around four personas: the individual user, the side-hustler, the mid-cap manager, and the enterprise CEO. Each chapter maps practical controls drawn from the CIS Critical Security Controls (the "CIS Top 18") to the specific threat surface of that persona: prescriptive checklists, not regulatory recitations. An opening story from his Air Force days, involving a neglected Windows 2000 Server box, an IoT ecosystem, and a chemical plant, sets the tone for the whole book.

The only 100% secure thing you can do is turn it off. If you have an offline system that isn't on, it's secure. Not useful, but secure.

— Vince Romney

The number of attacks that are actually successful that use zero-days is less than 1%. So many opportunities exist without zero-days — why would you blow a zero-day when you can use a 12-year-old attack and it's successful?

— Vince Romney

A lot of people build a very robust backup, but they've never actually tested taking that and turning it back into a production system. They find out it takes them 12 days to bring that back. That's not real effective.

— Vince Romney

The bar's so low. Just meet this and you're going to be so much better off.

— Vince Romney


Frequently asked questions

What is the MITRE ATT&CK framework?

It is the MITRE-maintained, publicly available catalog of adversary tactics, techniques, and procedures (TTPs) observed in real-world intrusions: tactics are the attacker's goals, techniques the ways of achieving them. According to Vince Romney, only a few hundred techniques exist and attackers haven't needed to add new ones; they just execute existing ones more efficiently.

Are password managers safe to use after the LastPass breach?

Vince Romney recommends still using a reputable password manager such as 1Password, especially because migrating away from a compromised vault and resetting all affected passwords is straightforward. For the most critical credentials, a physical log book stored securely is a reasonable complement.

What is a zero-day attack and how common are they?

A zero-day exploits a vulnerability the vendor does not yet know about, so no patch exists and defenders have had "zero days" to prepare. Vince Romney states that fewer than 1% of successful attacks actually use zero-days; attackers prefer cheaper, proven exploits for long-known flaws on systems that simply never applied the patch.

What is Software Composition Analysis (SCA)?

SCA is the practice of inventorying the open-source components, libraries, and container image contents your software depends on (typically from a software bill of materials) and checking each against known vulnerabilities, malicious packages, and license problems before they reach production.

What does Vince Romney's book 'How to Not Suck at Cybersecurity' cover?

The book is structured around four personas — individual user, side-hustler, mid-cap manager, and enterprise CEO — and maps the CIS Top 18 security controls to each, with prescriptive checklists rather than regulatory jargon. It was expected to publish in August.

How should businesses approach cyber risk assessment?

Vince recommends a threat-modeling matrix that scores each potential threat by likelihood (low/medium/high) and business impact (low/medium/high), then directs spending first at the cells where both are high and works down from there.
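The matrix turned into a spending plan, as an added example not taken from the episode or the book: likelihood and impact each map to 1 to 3, risk is their product, threats are ranked by risk (cheapest control first among ties), and a fixed budget is spent down that list. The threats, control costs and budget are constructed.

```python
"""Likelihood x impact matrix turned into a prioritised spend plan.

Added example, not a worksheet from the episode or the book. The threats,
control costs and the budget are constructed; levels use the low/medium/high scale.
"""
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed register for a small business; costs are illustrative annual figures.
CONSTRUCTED_THREATS = [
    {"threat": "credential stuffing on customer portal", "likelihood": "high", "impact": "high",
     "control": "MFA + breached-password screening", "cost": 15000},
    {"threat": "ransomware via phishing", "likelihood": "high", "impact": "high",
     "control": "tested offline backups + EDR", "cost": 40000},
    {"threat": "vulnerable open-source dependency shipped", "likelihood": "medium", "impact": "high",
     "control": "SCA in CI", "cost": 8000},
    {"threat": "lost laptop with local data", "likelihood": "medium", "impact": "medium",
     "control": "full-disk encryption enforcement", "cost": 3000},
    {"threat": "zero-day against edge appliance", "likelihood": "low", "impact": "high",
     "control": "virtual patching / WAF", "cost": 25000},
    {"threat": "defaced marketing site", "likelihood": "medium", "impact": "low",
     "control": "static hosting + CDN", "cost": 2000},
]


def risk_score(threat: dict) -> int:
    """Risk = likelihood x impact on the 1-3 scale; 9 is the high/high cell."""
    return LEVELS[threat["likelihood"]] * LEVELS[threat["impact"]]


def matrix(threats: list) -> dict:
    """(impact, likelihood) cell -> threat names, so the grid can be drawn or reviewed."""
    grid = {(i, l): [] for i in ("high", "medium", "low") for l in ("low", "medium", "high")}
    for t in threats:
        grid[(t["impact"], t["likelihood"])].append(t["threat"])
    return grid


def rank(threats: list) -> list:
    """Highest risk first; among equal risk, the cheaper control first."""
    return sorted(threats, key=lambda t: (-risk_score(t), t["cost"]))


def allocate(threats: list, budget: int) -> dict:
    """Walk the ranked list and fund each control that still fits the remaining budget."""
    funded, deferred, remaining = [], [], budget
    for t in rank(threats):
        if t["cost"] <= remaining:
            funded.append(t["control"])
            remaining -= t["cost"]
        else:
            deferred.append(t["control"])
    return {"funded": funded, "deferred": deferred, "remaining": remaining}


if __name__ == "__main__":
    for t in rank(CONSTRUCTED_THREATS):
        print(f"risk {risk_score(t)}  ${t['cost']:>6}  {t['threat']}  ->  {t['control']}")
    print(allocate(CONSTRUCTED_THREATS, budget=60000))
```

With the constructed numbers and a 60,000 budget the greedy pass funds the two high/high controls, then skips SCA because only 5,000 remains, and picks up the two cheap items further down. That deferred SCA line is exactly what the written-down matrix is for: the gap is explicit and can be argued for next cycle instead of being invisible.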