A survey of cybersecurity professionals would likely result in a few different things as #1 on their ranked list of fun things to do. It is very unlikely, though, that configuring, reviewing and actioning audit log findings would be #1 on anyone’s list. Configuring auditing and logging isn’t too bad, but actually reviewing the logs…
Infographic: Insider Threat
Sometimes a picture is worth a thousand words, and sometimes there are 209 words in a picture. In the middle of that riddle lies a helpful infographic about the dangers of the insider threat. As always, feel free to use it as part of your cybersecurity awareness program.
GRC: The scarlet letters of cybersecurity
When someone asks what I do, I generally just say, “I work in cybersecurity.” What they envision I do invariably differs from what I actually do. In their minds, I must be managing a bank of monitors, filled with a multitude of active windows, and fighting off hackers. That is what some cybersecurity professionals do, but alas, that’s not my preferred area of focus. While I’ve filled almost every role at some point in my career, my current specialty is actually very cool, too. It’s called Governance, Risk and Compliance (GRC). I know. Even the title is exciting, right? While it may be something I enjoy, it’s definitely not every cybersecurity professional’s dream role.
ISO 27001: A framework for the rest of us
For cybersecurity professionals, there are a handful of common security frameworks (CSFs) that can be utilized to categorize risk, identify applicable controls, assess current compliance, and provide a roadmap to implement and sustain a healthy program. Commonly used frameworks include NIST, SOC2, HITRUST, and ISO 27001 just to name a few. For U.S. Federal agencies,…
Awareness Training: Cybersecurity’s annual headache
Let’s be honest. When it comes to cybersecurity awareness training, users generally do one of two things: try to click through it as quickly as possible or avoid it altogether. As cybersecurity professionals, we know their awareness of the threats and of the commonly used tactics to infiltrate networks and exfiltrate data is a critical element of our program. Generally, though, the everyday user doesn’t appreciate the importance of their role. It might seem futile to convince them of the added value in being cyber-savvy, but it’s not. As with anything in life, knowledge is power.
Comparison and Contrast: NIST RMF vs NIST CSF
When it comes to cybersecurity frameworks, there are a handful to choose from. The choice of which framework to adopt, and the granularity of its implementation, can be mandated or voluntary. This sums up the general subject of the two National Institute of Standards and Technology (NIST) flavors discussed herein: the NIST Risk Management Framework (RMF) vs. the NIST Cyber Security Framework (CSF).
Infographic: Evolution of cybersecurity
Too often, people don’t realize the importance of knowing the history and evolution of something. More specifically, many technology professionals don’t realize the rich history of cybersecurity and the leaps and bounds of its evolution during a relatively short period of time. Instead of boring you with a long, written piece, I created an infographic that depicts it clearly and concisely. If you like it, feel free to save and use it in your own cybersecurity awareness (aka marketing) tools.
Spearphishing 2025: It’s business as usual
This week, hundreds of thousands of spearphishing campaigns were launched. This week’s targets were anyone and everyone. Disseminated messages were configured with requests to visit links to malicious websites, provide Docusign signatures, and initiate bitcoin transfers for astronomically priced antivirus solutions. Summarily, it was business as usual.
Spearphishing as a malicious technique has been around since the early to mid-2000s. What new and innovative method is being used in 2025? None. That’s right. The method of attack is exactly the same as always: Compose email message. Insert evil content. Hit send. At this point, it’s very unlikely that there is anyone who hasn’t received an email (or a thousand of them) attempting to lure them into clicking, paying or providing personally identifiable information.
Leadership: Recognizing the “malanglers”
I understand many things. Angles aren’t among them. When I say angles in the current context, I’m not referring to geometry where angles make sense and can be definitively measured and used to calculate finite outcomes. I’m talking about the angles some people seem intent upon identifying and leveraging to their personal or professional benefit. We could call them Anglers, but that would be insulting to fishing aficionados. For ease of understanding, I’ll add the Latin root “mal” (bad), and we’ll henceforth refer to them as “Malanglers”. (Yes, I just made up a word.)
Culture of Compliance: A cybersecurity unicorn
Just over a decade ago, I went through a particularly challenging cybersecurity audit. It was the first of a new iteration of ultra-comprehensive assessments that seem to look at every single policy, setting, and practice. While the organization “passed”, I was disappointed from my perspective as a cybersecurity program manager. I knew we as an organization were better than what the report said and illustrated. As part of my normal after-action review, I sought to delve deep and understand why we didn’t do better. We had the technology and the personnel. What was missing?