Distilled Security Podcast

Episode 17: TPRM Is Worthless?! NY DFS Part 500, Security Negotiation Tips & Mezcal

October 13, 2025·1h 40m
Episode Description from the Publisher

🎙️ Welcome back to the Distilled Security Podcast - Episode 17!

In this episode, Justin, Joe, and Rick break down several major cybersecurity and compliance updates shaping the landscape this fall. From regulatory deadlines to the futility of checkbox TPRM exercises, the crew dives deep into what actually matters for security leaders and business owners navigating today’s risk environment.

Also, join us at TRISS in Pittsburgh, PA, at the David this October 29, 2025! We have our own booth and will be doing something fun there. Also, we are sponsoring the After Party! Please come say hi!

🔹 Topics Covered

NY DFS Part 500: Final Requirements Take Effect November 1
The hosts unpack the final phase of New York’s cybersecurity regulation, what’s changing, and what companies must have in place before the enforcement deadline.

Negotiating Security
How smaller companies can push back or reframe due diligence requirements—substituting a SOC 2 or ISO 27001 certification with custom questionnaires, summaries, or shared evidence that reflect real security maturity instead of checklists.

“TPRM Is Worthless”
A candid discussion on the state of third-party risk management: why it’s often broken, what needs to change, and how to make it meaningful rather than bureaucratic.

Department of War Announces New Cybersecurity Risk Management Construct
The team explores the DoD’s latest cybersecurity framework announcement—what it means for contractors, how it overlaps with CMMC and NIST 800-171, and whether it will actually simplify or complicate compliance.

🥃 Spirit Review

One of Us Mezcal — This small-batch mezcal impresses with its earthy smoke, hints of citrus, and smooth finish. The guys compare it to other craft agave spirits they’ve tried and debate whether it pairs better with a quiet evening or post-recording celebration.
Find it here: https://oneofusmezcal.com/products/cuishe-mezcal-the-wild-one

⏱️ Timestamps

0:00 – Introduction & Travel Mishap
6:25 – New Laptop Twins & Backup Strategies
11:35 – NY DFS Part 500 Updates
27:30 – DFS Reporting & Organizational Accountability
33:30 – Negotiating Security Requirements
47:46 – Cultural Nuances in Negotiation
50:20 – Spirit Review: One of Us Mezcal
52:55 – TPRM Is Worthless?
57:50 – Fixing Broken Vendor Risk Workflows
1:08:21 – Vendor Resilience vs. Security
1:18:20 – New DoW/DoD Cybersecurity Risk Management Construct
1:35:06 – BSides Pittsburgh Planning & Sponsorship
1:38:35 – DSP at TRISS
1:39:51 – Closing Remarks & Outro

🎧 Hosts

Justin Leapline – @justinleapline
Joe Wynn – @wynnjoe
Rick Yocum – @rickyocum

🌐 Connect with Us

Website: distilledsecuritypodcast.com
🐦 Twitter: @DisSecPod
📧 Email: hello@distilledsecuritypodcast.com
