Matthew Rosenquist, Author at Security Boulevard (The Home of the Security Bloggers Network). Author archive: https://securityboulevard.com/author/matthew-rosenquist/ Last updated Mon, 26 Aug 2024 23:28:00 +0000

Evolving Cybersecurity: Aligning Strategy with Business Growth https://securityboulevard.com/2024/08/evolving-cybersecurity-aligning-strategy-with-business-growth/ Mon, 26 Aug 2024 23:28:00 +0000

The cybersecurity landscape is evolving at an unprecedented pace, driven by rapid technological advancements and increasingly sophisticated cyber threats. What was sufficient yesterday will be lacking tomorrow. Organizations must stay ahead of these changes to protect their assets and data effectively. To thrive, cybersecurity strategies need to evolve — moving beyond the reactive and fragmented approaches that are often commonplace. Instead, businesses must prioritize strategic foresight, adaptability, and maturity in their security programs.

Cybersecurity risks are continually growing. CISOs, CIOs, CEOs, and Boards are under immense pressure to manage these threats while simultaneously enabling business success. The challenge is significant, but with the right approach and insights, organizations can achieve greater security and unlock new value that is necessary for sustainability.

Here are several areas where the cybersecurity industry must evolve to meet these demands:

1. Strategic Alignment

Cybersecurity is no longer just a technical issue — it’s a business issue. The industry must evolve to ensure cybersecurity programs are directly aligned with an organization’s strategic goals. This involves defining clear and impactful cybersecurity objectives that resonate with the C-suite and Board members. It’s essential that cybersecurity is seen as a business enabler rather than a cost center, helping drive business outcomes while protecting critical assets.

2. Building Dynamic Capabilities

Static security programs are no longer sufficient in today’s fast-evolving threat landscape. Organizations need dynamic approaches to cybersecurity that adapt to emerging risks and threats. The industry must foster the development of continuously evolving security programs that are agile enough to respond to new challenges without compromising business operations. Building a strategic and adaptable cybersecurity framework is crucial for long-term success.

3. Optimizing Risk and Costs

Effective cybersecurity does not have to be exorbitantly expensive. Organizations should focus on identifying areas where risk mitigation can be improved while simultaneously optimizing costs. The evolution of cybersecurity practices will increasingly involve finding the optimal balance between robust security measures, friction to users, and cost efficiency, allowing organizations to manage their security investments wisely without sacrificing protection.

4. Sustainable Risk Management

Organizations must build cybersecurity programs that are not only effective but also sustainable. The future of cybersecurity lies in the creation of flexible, long-term risk management strategies that can scale with the organization. By ensuring that security efforts are adaptable and sustainable, organizations can continue to thrive in the face of changing threats and business needs. The focus must shift from quick fixes to long-term risk management.

5. Enhancing Maturity and Value

The maturity of a cybersecurity program is a key indicator of an organization’s ability to handle threats effectively and efficiently in alignment with expectations. The cybersecurity industry needs to guide organizations on their journey toward greater maturity, helping them move from reactive measures to proactive and strategic cybersecurity initiatives. This evolution in maturity brings not only better security but also enhances overall business value, providing organizations with a competitive edge in their industry.

6. Executive Translation of Cybersecurity Concepts

One of the biggest challenges in cybersecurity is the communication gap between technical teams and executive leaders. For the industry to truly excel, cybersecurity professionals must be able to translate complex cybersecurity concepts into language that resonates with both executives and employees. This ensures that risk-based decisions are understood and embraced across the organization, leading to smarter and more informed business practices.

Conclusion

The cybersecurity industry must evolve in key areas to remain effective and relevant in today’s challenging landscape. Strategic alignment, dynamic capabilities, cost optimization, sustainable risk management, maturity growth, and executive communication are all areas where organizations can excel. By embracing these approaches, businesses can enhance their cybersecurity programs and not only reduce risk but also create value and drive success.

If your organization is ready to assess, improve, or enhance the maturity of its cybersecurity program, seeking expert guidance can help navigate this complex evolution. As a cybersecurity strategist, I offer flexible consulting engagements designed for CISOs, C-suites, and Boards to help drive meaningful change. Together, we can advance your security efforts and achieve sustainable growth in cybersecurity maturity.

The post Evolving Cybersecurity: Aligning Strategy with Business Growth appeared first on Security Boulevard.

Learning from CrowdStrike’s Quality Assurance Failures https://securityboulevard.com/2024/07/learning-from-crowdstrikes-quality-assurance-failures/ Thu, 25 Jul 2024 20:04:00 +0000

Let’s talk about CrowdStrike’s quality assurance failures! Thanks to Help Net Security for publishing my opinion piece. Take a look for a more in-depth explanation of how the bad update made it to over 8 million devices and caused widespread global outages.

CrowdStrike has released preliminary details of how their bad update made it to client systems, which caused the BSODs. It showcases they have a complex product release architecture, which in this case failed. Improvements need to be made and I am concerned that their plans for incremental changes to a flawed Quality Assurance architecture won’t result in the desired long-term outcomes.

CrowdStrike has a good reputation and leadership, as showcased by the CEO George Kurtz who quickly came out to take responsibility and rally his team to help their customers. There have been many companies, including security companies, who were not transparent or timely when their products caused problems. In fact, it seems more common to initially deny, downplay, or blame others. So, what George did is truly wonderful. It is a testament to CrowdStrike’s work ethics.

However, this is a major outage and CrowdStrike needs to revisit their preliminary improvement plans to account for a flawed strategy that allows for dangerous code to make it to the endpoints — something that should never be allowed to happen.

The world is watching and lessons-learned will likely be used to help improve the operating practices across the industry.

Take a read of the article and let me know your thoughts and concerns!

https://www.helpnetsecurity.com/2024/07/25/crowdstrike-quality-assurance-failures/

New Microsoft Recovery Tool for CrowdStrike Issue on Windows Endpoints https://securityboulevard.com/2024/07/new-microsoft-recovery-tool-for-crowdstrike-issue-on-windows-endpoints/ Mon, 22 Jul 2024 20:50:00 +0000

Not sure who needs this resource, but Microsoft updated its Recovery Tool for the CrowdStrike issue on Windows endpoints.

Here is the link to the Microsoft Tech Community Support Site:

https://techcommunity.microsoft.com/t5/intune-customer-success/new-recovery-tool-to-help-with-crowdstrike-issue-impacting/ba-p/4196959

As a former cybersecurity Incident Commander for Intel, here are my additional recommendations:

  • Verify the source of every tool or procedure you plan on using!
  • For a large organization, have a single accountable, tech-savvy group create the recovery process and don’t allow other groups to home-brew their own fixes.
  • Test the fix out on your different builds.
  • Formalize the step-by-step process for your environment – break down instructions to keep each step simple.
  • Make sure you have accounted for hard drive encryption hurdles (e.g. BitLocker or other 3rd party vendors), if applicable.
  • Roll out the recovery in phases, starting with non-critical systems, just in case there are unforeseen issues and system data loss.
  • Have a process to record and report which systems have successfully been restored.
  • If things go sideways, STOP and seek more advanced assistance.

Happy hunting!

Massive CrowdStrike IT Outage Has Global Implications for Cybersecurity https://securityboulevard.com/2024/07/massive-crowdstrike-it-outage-has-global-implications-for-cybersecurity/ Fri, 19 Jul 2024 20:06:00 +0000

The world experienced a digital pandemic of systems going offline and displaying the dreaded Windows Blue Screen of Death (BSOD), due to a catastrophic failure caused by a flawed file in an update pushed to CrowdStrike cybersecurity customers. The impacts have been obscenely widespread, affecting banks, airlines, train stations, financial exchanges, news agencies, supermarkets, and health care providers, to name a few.

CrowdStrike is used by almost 60% of Fortune 500 companies and over half of the Fortune 1,000. It is popular in the financial sector, with deployments in eight of the top 10 financial services firms. Many of the biggest technology, healthcare, and manufacturing companies are also customers.

So far, the faulty CrowdStrike update is not attributed to malicious activities, but the impacts have been massive, prompting social media to unofficially designate today as BSOD day!

Implications

This outage affecting CrowdStrike customers on Windows 10 systems reinforces three important points.

First, cybersecurity solutions need deep and privileged access to systems, making them more impactful if they are hijacked or malfunction. This access is necessary to make preventative defensive changes before attacks occur, to monitor for stealthy attacks, and to coordinate system-level remediation actions when necessary. But when things go wrong, those permissions then can cause equally impactful damages.

The computing stack is like a layered cake, with data at the top, followed by applications, virtual machines, operating systems, VM managers, firmware, and finally hardware at the bottom. The deeper you go the more potential for problems to be impactful and difficult to remedy. Cyber attackers try to get as far down the stack as possible because they can avoid detection from any layer above and are more difficult to evict. When errors occur, the same relevance applies.

Second, the risk of supply chain attacks is real, and depending on the vendor, they could be catastrophic. CrowdStrike is one of the biggest cybersecurity players in the industry. An accidental or malicious problem in their flagship product, as we have seen, can deliver widespread impacts to the most important sectors. Let’s be glad that this was simply a technical glitch. A malicious package inserted into an update could completely take over systems or permanently destroy them.

Third, bad updates, code bugs, and misconfigurations happen all the time. No software, firmware, or hardware company is immune. More effort is needed as part of development and quality assurance, but even for the best organizations, it is possible for a series of mistakes to be made. That is why it is important to not only invest in defense and prevention but also architect ways to securely recover and resolve issues when they arise.

A Perfect Storm

This event has a combination of attributes that amplify the impacts: the issue causes catastrophic system impacts (i.e. the dreaded BSOD), across a large number of systems, in Critical Infrastructure sectors, and the offending code possesses deep permissions within the computing stack.

This is the case we are seeing with CrowdStrike.

This outage reinforces the fact that cybersecurity solutions mitigate risks but also can become a source of risk. Mistakes were made. Trust was lost. The entire cybersecurity industry will be scrutinized, and that is probably the only good outcome of this mess.

AT&T Data Breach: Understanding the Fallout https://securityboulevard.com/2024/07/att-data-breach-understanding-the-fallout/ Fri, 19 Jul 2024 01:44:00 +0000

As an AT&T customer, I did receive the unwelcome news that they suffered a data breach.

Here is a rundown of what you should know.

BREACH DETAILS

· This is a sizable data breach of about 109 million customers

· Call and text interactions from May 1, 2022 to October 31, 2022

· AT&T is blaming a 3rd party cloud platform — Snowflake

· The FBI is investigating and 1 arrest has been made

· Hackers accessed and exfiltrated the files sometime from April 14th to 25th

· Telephone numbers and phone logs were acquired, but AT&T says call and text message content wasn’t exposed.

The breach does not contain customers’ personal information, like birthdays or social security numbers.

Apparently, AT&T Paid the ransom — which is not smart. Wired magazine reported that AT&T paid the hackers over $300,000 to delete the stolen information and provide video proof.

OVERALL RISK

Given that personal information was not exposed, the risk is nominal.

So far there is no conclusive proof that the data has been released in the wild, but that could change.

Expect more phishing attacks.

There could be some ramifications for those who need to keep their call logs secret — undercover agents, supreme court justices, cheating spouses, etc.

The geolocation data, which identifies the cellular towers that phones were connected to during activities, is interesting but likely not too valuable to attackers.

SEC rules for mandatory shareholder notification were followed, with the US Government granting 2 delays to AT&T. Normally it is a 4 day rule.

AT&T has not deemed this breach a material event to its shareholders.

Overall, the scale of this breach is unfortunate, but the sensitivity of the data is not too worrying for the vast majority of those affected.

However, this breach does show an unfavorable trend in AT&T’s security posture.

ISSUES and RECOMMENDATIONS

AT&T’s statement that “Protecting customer data is a top priority” is not true. This is the second major breach in just 3 months, with 70 million customers affected back in April.

So, let’s talk about what I expect as a cybersecurity professional:

First, protect your data better! Use MFA, encrypt at rest, clean up the access permissions, and institute data blocking for exfiltration.

Second, remove all sensitive PII data you really don’t need. Why do you need my SSN, my actual date of birth, or the tower I most use during the day or evening? Even my home address is questionable for a mobile phone account when I pay electronically. Remove these. And if keeping them is required by dated regulations, then drive the charge to have those regulations updated so that telecommunications vendors aren’t a weak point for data harvesters.

Third, implement a data destruction policy to destroy old customer data. Do you really need to keep call logs of people dating back 2 years? I would argue there is likely a mound of data you want to have, but don’t actually need to have. Clean that up, lighten your servers, and focus on keeping your network up.

FALLOUT

AT&T is getting proficient at handling major data breaches, which is not really a compliment.

I hope its big competitors lean in and invest in cybersecurity to showcase how they can protect their customers, thus leveraging security as a competitive advantage for consumers to choose a communications provider that really is making customer data protection a top priority!

AT&T, I will be considering how you protect my data when my contract is up and I look at other providers!

Be sure to like and follow me on LinkedIn and the Cybersecurity Insights channel

Follow Matthew on LinkedIn: https://www.linkedin.com/in/matthewrosenquist/

Follow for more Cybersecurity Insights: https://www.youtube.com/CybersecurityInsights

Microsoft in Cybersecurity Leadership Crisis – Open Letter to the CEO https://securityboulevard.com/2024/07/microsoft-in-cybersecurity-leadership-crisis-open-letter-to-the-ceo/ Tue, 09 Jul 2024 20:57:00 +0000

There is no indication that the root of Microsoft’s cybersecurity issues is being addressed. In fact, all indications are that the executive team is somewhat worried and bewildered at the diverse and numerous issues arising. After many embarrassing incidents, which recently culminated in the President of Microsoft being called to answer questions before Congress, the Board and senior executive team once again instituted security measures to resolve the problems. Confidence among the cybersecurity community was not high, as this was not the first time such promises were made. Shortly thereafter, more security failures occurred.

Microsoft has announced additional measures as part of its Secure Future Initiative, in another attempt to stem the cybersecurity failures. The initiative was actually created in November last year to solve the previous embarrassing problems that plagued the company in 2021–2023. Based upon events that happened in July 2023, the U.S. Cyber Safety Review Board criticized the company’s leadership and culture, which led to a “cascade of Microsoft’s avoidable errors”. Since then, two more major breaches have occurred, along with a myriad of other unsettling security issues.

Highlights of their best hacks and missteps 2021–2024

· Jan 2021: Microsoft Exchange Server Vulnerability Leads to 60,000+ Hacks

· April 2021: 500 Million LinkedIn Users’ Data Scraped and Sold

· Aug 2021: Thousands of Microsoft Azure Customer Accounts and Databases Exposed

· Aug 2021: 38 Million Records Exposed Due to Microsoft Power Apps Misconfiguration

· Mar 2022: Lapsus$ Group Breaches Microsoft

· Oct 2022: 548,000+ Users Exposed in BlueBleed Data Leak

· July 2023: Chinese Hackers Breach U.S. Agencies Via Microsoft Cloud

· Sept 2023: 60k State Department Emails Stolen in Microsoft Breach

· Jan 2024: Microsoft Azure Breached by Russian Intelligence Group, Source Code Stolen

· May 2024: Microsoft Announces Recall Feature, a Privacy and Security Nightmare

· June 2024: Microsoft Fails to Renew Their Security Certificates for Office*

*Unexpected expiration of Microsoft security certificates has happened numerous times, causing disruption (including to Teams in Feb 2024 and 2020, and to Azure in 2023 and 2013).

Failures Ahead

Sadly, it is clear they are attempting to leverage the same flawed framework that created the systemic issues to somehow solve the problem. The problem is leadership that does not see the broader security issues, so having the same leaders guiding the way will not get them out of this predicament.

I have been discussing, talking, and analyzing the many recent cybersecurity issues with colleagues, and in one of my most recent posts, I asked if anyone was willing to reach out to Satya, perhaps the most powerful person in the world of digital technology. No takers.

So, I put pen to e-paper and have published an open letter to him to paint the picture on the problems and offer recommendations on how Microsoft can evolve to be a much better steward of trust for its products and as a foundation for our global electronic ecosystem.

For context, I have seen nearly identical issues in other large organizations and have written many articles on the failures of cybersecurity leadership. In fact, I have identified and wrestled with an identical issue in one of the biggest tech firms in the US. It is addressable.

Let’s Raise Expectations!

But I believe it will take Satya Nadella to be aware and engaged.

It is time we raise our collective voices to the top. To the CEO himself, Satya Nadella, who at the end of the day is ultimately responsible. I think at this point it will take his direct intervention.

If you have a chance, take a read of the full letter to Mr. Nadella. If you like it, upvote, share, and comment. If you don’t, feel free to add your thoughts on how Microsoft should tackle this persistent problem. Let’s get this in front of the CEO of Microsoft, so we all can be safer in our computing and have a trustworthy foundation for digital innovation, productivity, and success.

Read the Open Letter to Satya Nadella, to address Cybersecurity Leadership Issues - Posted to Help Net Security: https://www.helpnetsecurity.com/2024/07/09/microsoft-cybersecurity-dilemma/

50 CISOs & Cybersecurity Leaders Shaping the Future https://securityboulevard.com/2024/06/50-cisos-cybersecurity-leaders-shaping-the-future/ Tue, 04 Jun 2024 01:27:00 +0000

I am honored and humbled to be listed among such influential luminaries who collectively push our industry to continually adapt to make our digital ecosystem trustworthy!

An incredible list of cybersecurity CISOs and leaders that drive innovation for better value, foster industry awareness and collaboration, and optimize the protection of their organizations!

50 top CISOs and cybersecurity leaders to know

  • Dmitri Alperovitch is a cybersecurity thought leader, podcast host, and the bestselling author of World on the Brink. He is currently the Executive Chairman at Silverado Policy Accelerator, host of the Geopolitics Decanted podcast, and Board Member at Automax, Dragos, Inc., Cyber Safety Review Board, Homeland Security Advisory Council, National Security Institute - George Mason University - Antonin Scalia Law School, and The Cipher Brief. 
  • Darren Argyle FCIIS is currently the Group Chief Information Security Risk Officer at Standard Chartered Bank, and the former Group Chief Information Security Officer (CISO) at Qantas Airlines, Group CISO at IHS Markit, and has held various senior international cybersecurity leadership roles at Symantec and IBM. Argyle was awarded “Outstanding Cyber Security Professional” by the Cyber OSPAs, the CSO30 ASEAN Award, and “Innovator of the Year” by SANS Institute in 2022. 
  • Bret Arsenault is the Corporate Vice President and Chief Cybersecurity Advisor at Microsoft, where he’s spent nearly 35 years as an information security leader. In his current role, he acts as a key advisor to senior and security leadership teams across engineering, products, risk, and resiliency. 
  • Gerald Auger, PhD is the Chief Content Creator at Simply Cyber,  which boasts over 4 million views on YouTube. He is also an Adjunct Professor at The Citadel, Conference Director for Simply Cyber Con, Managing Partner at Coastal Information Security Group, and Advisory Board Member at Panoptcy Security. 
  • Jessica Barker, MBE, PhD, is a bestselling author, international keynote speaker, and cybersecurity thought leader. She is Co-founder and Co-CEO at Cygenta. 
  • Jerich Beason is a cybersecurity podcast host, keynote speaker, board advisor, and instructor who is currently serving as Chief Information Security Officer at WM.
  • Charlie Bell is Executive Vice President leading the Security, Compliance, Identity, and Management organization at Microsoft. He is a former Senior Vice President at Amazon Web Services, where he spent over 20 years growing the AWS business and leading general management of AWS services. 
  • Chuck Brooks is the President of Brooks Consulting International and an Adjunct Professor at Georgetown University. As a thought leader, author, and speaker, Brooks has spoken before the G20, US Embassy to the Holy See and Vatican, and USTRANSCOM as well as served on two National Academy of Science Advisory groups and an industry/government working group for CISA. Brooks has also received presidential appointments for executive service by two U.S. Presidents. 
  • Kip Boyle is a cybersecurity expert, host of the Your Cyber Path Podcast and Cyber Risk Management podcasts, and a course instructor at Udemy. As Fractional Chief Information Security Officer at Cyber Risk Opportunities LLC, Boyle provides cyber risk expertise to companies including the US Federal Reserve Bank, Boeing, Visa, Intuit, Mitsubishi, and DuPont. 
  • Naomi Buckwalter is an information security leader and the Founder and Executive Director of Cybersecurity Gatebreakers Foundation, which is committed to breaking down barriers of entry and solving the cybersecurity labor shortage. In addition, Buckwalter is also the Sr. Director of Product Security at Contrast Security. 
  • Bob Carver, CISM, CISSP, MS is a Principal Cybersecurity Threat Intelligence and Analytics at Verizon with over 25 years of experience in information security, specializing in threat hunting. He also serves on the Advisory Board of LexisNexis Fraud Defense Network and has served on the Advisory Board at Mastercard - Masters Collective. 
  • Dr. Magda Chelly is a published author, TEDx speaker, and globally recognized cybersecurity leader, recently recognized as a Microsoft Most Valuable Professional in Artificial Intelligence and Cloud Security. Chelly is the co-founder of RiskImmune, Chief Information Security Officer at Responsible Cyber Pte. Ltd., Advisory Board Member at Black Hat, and Sessional Lecturer, Cybersecurity at James Cook University. 
  • Anton Chuvakin is the Security Advisor at Office of the CISO, Google Cloud and the co-host of Cloud Security Podcast. Formerly a Research VP and Distinguished Analyst at Gartner for Technical Professionals, Security and Risk Management Strategies, he is also the author of Security Warrior, PCI Compliance, Logging and Log Management, and the securitywarrior.org blog as well as a contributor to the books Know Your Enemy II and Information Security Management Handbook. 
  • Graham Cluley is an award-winning cybersecurity speaker, writer, analyst, and host of the “Smashing Security” podcast, which has over nine million downloads. 
  • Steve Cobb is Chief Information Security Officer at SecurityScorecard. With decades of experience leading IT infrastructure, cybersecurity, incident response, and threat intelligence, Cobb was formerly Chief Information Security Officer at One Source Communications and a senior engineer at Microsoft and Verizon Enterprise Solutions. 
  • Edna Conway is a top information security voice, author, executive advisor, board director, and cloud technology executive. She is a Sr. Nonresident Fellow at Carnegie Endowment for International Peace, Advisor at Getz Executive Network, and a board member at Critical Start, Red Queen Dynamics, Inc., NightDragon, Interos Inc., Attabotics Inc., Active Cypher, Long Ridge Equity Partners, YL Ventures, DUST Identity, InfoSec Global, EMC Advisors, and SecurityScorecard. 
  • Sam Curry is Global VP and CISO in Residence at Scaler, as well as a Board Member at Cybersecurity Coalition and CyberTrust Massachusetts and a Fellow at the National Security Institute. With experience at RSA, Arbor Networks, McAfee, and Cybereason, he is also currently serving as an adjunct professor at Nichols College. 
  • Rik Ferguson is the VP of Security Intelligence at Forescout Technologies and the Co-Founder of Respect in Security. He is also a Fellow at the RSA, Special Advisor at Europol, and Advisory Board Member at Vaulter. 
  • Christophe Foulon, CISSP, GSLC, MSIT is a seasoned vCISO and cybersecurity leader, currently serving as Fractional CISO at Nexigen and Executive Cybersecurity Advisor at CPF Coaching. Foulon was formerly a Senior Cybersecurity Advisor at Capital One and Cybersecurity Adjunct Professor at Bellevue University. 
  • Jane Frankland is an award-winning author, speaker, coach, advisor, and cybersecurity influencer. She currently serves as an Advisory Board Member Executive Summit at Black Hat, Founder of The Source Platform (for Women in Cyber), Founder of IN Security Movement, StrategicAdvisor for e2e-assure, and Owner and CEO at KnewStart. 
  • Mari Galloway, MSIS, CISSP, is an Advisor at BestLink Strategies, LLC, bestselling author, and founding board member of the Women’s Society of Cyberjutsu.
  • Carlos Gonzalez is the Chief Information Officer at Epiq. Former President at CEG Tecnology LLC and VP/CIO of Information Services at Mt. Sinai South Nassau Hospital, he’s built secure and scalable operations for healthcare, legal, and financial companies. 
  • John Hammond is a cybersecurity researcher, educator, speaker, and content creator with over 1.5 million subscribers. He is currently part of the Threat Operations team at Huntress. 
  • Tia (Yatia) Hopkins is Chief Cyber Resilience Officer at eSentire, guest lecturer at The Wharton School, and Adjunct Professor and Course Author - MS in Cybersecurity at Katz School at Yeshiva University. Hopkins is recognized as The Cyber Equalizer™, a global award-winning cyber exec, best-selling author, and keynote speaker.
  • Troy Hunt is Founder and CEO of Have I Been Pwned, an organization that helps individuals assess their exposure in major data breaches. He is also an Information Security Author & Instructor at Pluralsight, Partner at Report URI, and Director at Superlative Enterprises, where he conducts professional speaking, training, and writing engagements. 
  • Diane M. Janosek, PhD, JD, CISSP, LPEC, is an award-winning cybersecurity leader, attorney, author, and speaker. Currently CEO at Janos LLC Practices and former member of the Defense Intelligence Senior Executive Service. Janosek also served as the National Security Agency’s Deputy Chief of Compliance. 
  • Zinet Kemal is a noted cloud security engineer, TedX Speaker, and author who’s been recognized as a Top 25 Cybersecurity Leader, Most Inspiring Woman in Cyber, and 40 Under 40. She is the founder of ZNET LLC and an experienced cloud security engineer for Fortune 500 companies. 
  • Brian Krebs is an investigative reporter focused on internet security and cybercrime. A former reporter for the Washington Post for 15 years, Krebs is also the author of Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door and a reporter and publisher at KrebsOnSecurity.com.
  • Dan Lohrmann is a cybersecurity leader, advisor, mentor, blogger, and keynote speaker who has been named SC Magazine CSO of the Year, Governing Magazine Public Official of the Year, Computerworld Premier 100 Leader, and 2023 Top 30 People to Follow on Cyber. Lohrmann has advised leaders at the White House, National Governor’s Association, National Association of State CIOs, US Department of Homeland Security, and many other federal, state, and local government agencies as well as Fortune 500 companies. He is currently the Field Chief Information Security Officer leading public sector advisory at Presidio. 
  • Mark Lynd is a globally recognized thought leader, C-suite strategist, author, and keynote speaker on cybersecurity and AI. He is currently the Head of Executive Advisory & Corporate Strategy - CISSP, ISSAP & ISSMP at NETSYNC and has received several awards and recognitions for his leadership in cybersecurity.
  • Mic Merritt is the Founder of Merritt Based, a cybersecurity firm specializing in Artificial Intelligence/Machine Learning systems and web/mobile application penetration testing. Merritt is also a Cybersecurity Instructor at Western Governors University.
  • Daniel Miessler is the Founder of Unsupervised Learning and an Advisor at ProjectDiscovery, JupiterOne, and AKA Identity. Formerly the Head of Vulnerability Management at Robinhood, Miessler is an expert in AI and security infrastructure. 
  • Alyssa Miller is an author, international speaker, and experienced security executive. Formerly the Business Information Security Officer at S&P Global Ratings, Miller is currently CISO at Epiq Global and a member of the Technology Advisory Board at Epiphany Solution Group.
  • Charlie Miller is a Distinguished Security Engineer, Autonomous Vehicle Security at Cruise. A former hacker for the National Security Agency, Miller has previously worked as a consultant and as a Staff Security Engineer at Twitter. 
  • Angelique “Q” Napoleon is Cybersecurity Director, Division Deputy CISO & Cyber Capability Lead at General Dynamics Information Technology and a former Principal Cybersecurity Subject Matter Expert at the US Department of Defense.
  • Henrik Parkkinen is Information Security Officer at WirelessCar and a subject matter expert at ISACA. Parkkinen is recognized as a top cybersecurity voice and a 40 Under 40 in Cybersecurity. 
  • Chris Roberts is a cybersecurity strategist, researcher, and advisor who is currently Chief Strategist at Nuspire, CISO Advisory Board Member at Onyx Cyber, and Founding Board Member at Security Tinkerers. He also co-hosts the podcast WTF Did I Just Read.
  • Matthew Rosenquist is a cybersecurity leader, speaker, and advisory board member with over 190k LinkedIn followers. He is currently CISO and Cybersecurity Strategist at Mercury Risk and Compliance, Inc., as well as a Board Member at The Futurum Group, Dominican University of California, United Cybersecurity Alliance, World Business Angels Investment Forum, Private Directors Association, and the University of Phoenix, College of Business and Information Technology, among others. He was formerly Cybersecurity Strategist for the Artificial Intelligence group and Cybersecurity Strategist and Evangelist at Intel.
  • Shira Rubinoff is a cybersecurity executive, advisor, keynote speaker, and author who serves on the Boards of Pace University Cybersecurity Program, The Executive Women’s Forum for Information Security, Leading Women in Technology, and others. Her verified YouTube channel has over 172k subscribers, and she has been named a Woman of Influence by CSO Magazine, the “One to Watch” award by CSO and the EWF, and the “Outstanding Woman in Infosec” by the CyberHub Summit. She is currently President - Cybersphere at The Futurum Group. 
  • Caitlin Sarian is the Founder and Executive Director at Cybersecurity Girl LLC and former Global Lead of Cybersecurity Advocacy and Culture at TikTok.
  • Rinki Sethi is VP and CISO at BILL and a former VP & CISO at Twitter, with experience developing online security infrastructure for companies including IBM, PG&E, Walmart.com, eBay, Intuit Inc., and Palo Alto Networks. She has been recognized by CSO Magazine and SC Magazine as a top information security leader.
  • Richard Stiennon is a research analyst and author of the Security Yearbook series. He is Chief Research Analyst at IT-Harvest and a Board Member at sāf.ai, Inc., Quick Heal, Anitian, and Phosphorus Cybersecurity Inc.
  • Dean Sysman is CEO/Co-founder at Axonius, a cybersecurity asset management system. As a leading cybersecurity expert, Sysman has spoken at major conferences including Black Hat, Defcon, CCC, and more. 
  • Eric Vanderburg is a noted cybersecurity author and consultant. He is currently Vice President, Cybersecurity at TCDI, where he leads the cybersecurity consulting division. 
  • Fabian Weber is a vCISO and Head of Compliance at PCG, where he lends his expertise to helping startups and SMBs achieve ISO 27001, SOC 2, and TISAX compliance. He is also CEO & Founder of WHYSEC and a Managing Partner at water IT Security & Defense. 
  • Tyler Cohen Wood, CISSP is a cybersecurity expert, author, and influencer who previously worked at the US Defense Intelligence Agency under the Department of Defense serving as Senior Intelligence Officer, Deputy Cyber Division Chief of the Special Communications Division. Tyler is currently co-founder of Dark Cryptonite and an on-air host at ITSPmagazine Podcasts. 
  • Burcu Yarar is Application Security Team Lead at VakifBank, Pentester/Bug Hunter at HackerOne, and Co-Founder at UNIQUESEC, a non-profit organization that brings together cybersecurity professionals in Turkey. 
  • Heide Young is ranked among the top 10 technology leaders in the Middle East. She is a Cybersecurity Woman of the World finalist 2023, cybersecurity strategist and author, and founding partner of Women in Cyber Security Middle East. 
  • Helen Yu is Founder & CEO at Tigon Advisory Corp and host of CXO Spice. She’s recognized as a Top 50 Women in Tech and an expert in AI and cybersecurity. She is also Co-Founder and Board Director of Dark Cryptonite, as well as a member of the Board of Directors at Communications Engineering Company (CEC), KEENFOLKS, and Vera Capital LP. 
  • Bob Fabien “BZ” Zinga, CISSP-ISSMP, PMP, MS, MBA is an award-winning cyber executive, CISO, advisor, author, and speaker, recognized as a C|CISO Hall of Fame 2023 Winner by EC-Council. He currently serves as Information Warfare Commander (CDR/CEO/CISO/CIO/CTO, DoD TS/SCI) at the US Navy Reserve, as well as BCBR AAC Advisor & Co-Chair of The Communications and Technology Committee, Executive Board Advisor at United Cybersecurity Alliance, and Board Director at AZ Cyber Initiative.

The post 50 CISOs & Cybersecurity Leaders Shaping the Future appeared first on Security Boulevard.

The Rise and Risks of Shadow AI
https://securityboulevard.com/2024/05/the-rise-and-risks-of-shadow-ai/
Fri, 24 May 2024 17:20:00 +0000

Shadow AI, the internal use of AI tools and services without the express knowledge of the enterprise oversight teams (e.g. IT, legal, cybersecurity, compliance, and privacy teams, to name a few), is becoming a problem!

Workers are flocking to third-party AI services (e.g. websites like ChatGPT), and savvy technologists are also importing models and building internal AI systems (it really is not that difficult) without telling the enterprise ops teams. Both situations are increasing, and many organizations are blind to the risks.

According to a recent Cyberhaven report:

  • AI is Accelerating: Corporate data input into AI tools surged by 485%
  • Increased Data Risks: Sensitive data submission jumped 156%, led by customer support data
  • Threats are Hidden: The majority of AI use on personal accounts lacks enterprise safeguards
  • Security Vulnerabilities: Increased risk of data breaches and exposure through AI tool use


The risks are real and the problem is growing.

Now is the time to get ahead of this problem:

1. Establish policies for use and development/deployment
2. Define and communicate an AI Ethics posture
3. Incorporate cybersecurity/privacy/compliance teams early into such programs
4. Drive awareness and compliance by including these AI topics in the employee/vendor training


Overall, the goal is to build awareness and collaboration. Leveraging AI can bring tremendous benefits, but it should be done in a controlled way that aligns with enterprise oversight requirements.


"Do what is great, while it is small" - a little effort now can help avoid serious mishaps in the future!

Unlock Your Cybersecurity Career: Exclusive Discounts on Top Training Courses!
https://securityboulevard.com/2024/05/unlock-your-cybersecurity-career-exclusive-discounts-on-top-training-courses/
Wed, 15 May 2024 00:22:00 +0000

There are tremendous opportunities in cybersecurity, and the industry needs many more qualified workers. Training plays an important part. That is why I am partnering with Infosec4TC, an online training provider that offers free courses in addition to affordable classes, to offer huge discounts on cybersecurity training (the links below have embedded discount codes).

I have negotiated with the great team at Infosec4TC to reduce the price on select courses by up to 65%! Many courses include working on real cybersecurity projects, realistic assignments, and prep work for certifications. They have an impressive TrustPilot score and a 14-day money-back guarantee with a full refund!

Check out these featured classes:


Cyber Security Specialist Live Workshop – a total of 64 hours of instruction covering the breadth of issues for operational specialists. Check out the course curriculum for details.


SOC Analyst (Blue Team) Live Workshop – a live, hands-on course designed for front-line tier-1 Security Operations Center analysts.  It teaches tools, analysis, event management, threat hunting, and incident response principles.


ISO/IEC 27001:2022 Lead Implementer Live Workshop – an interactive session that covers the standards, methods, and best practices for Information Security Management Systems (ISO 27001) for managers and supervisors.

Also available is the Gold Membership Access, which grants access to over 175 training courses, labs, materials, practice exams, and exam simulators. Check out the details.

Be sure to look at the free classes as well!


Drop me a note if you take one of these courses. Let me know your thoughts, and whether I should continue to work with them to offer big discounts!

Unlocking SMB Cybersecurity: The Rise of Virtual CISOs in 2024 and Beyond
https://securityboulevard.com/2024/05/unlocking-smb-cybersecurity-the-rise-of-virtual-cisos-in-2024-and-beyond/
Fri, 03 May 2024 18:49:00 +0000

This year, virtual CISOs must begin making a difference in our industry. For the longest time, small and medium businesses (SMBs) have been abandoned by the cybersecurity industry. But SMBs need security leaders to guide them through the maze of cyber risk and craft practical strategies that align with their unique, ever-evolving business objectives.

Sadly, SMBs cannot afford an experienced full-time CISO. They often either ignore the risks or get lured into purchasing shiny tools that do not meet their overall needs. Before spending money on security solutions, it's crucial to understand the risks and develop clear objectives that support the overall business goals.

This is the role of a CISO: to set the direction and establish cybersecurity program foundations that will meet the expectations of the Board and C-suite.

However, there are not enough CISOs to go around, which creates a high premium on their time. Hiring a CISO can cost hundreds of thousands of dollars, which is far beyond what most SMBs are willing to commit. But they don’t actually need a full-time CISO. An hour or two may be perfect for guidance, leadership, and strategy development. This is where the fractional/virtual CISO (vCISO) community can play a role!

Experienced CISOs often have a few extra hours per week and yearn to take on new challenges, as long as it does not impact their day job. Many retiring CISOs still have the itch to contribute, but don’t want to commit the long hours of managing all the operations and details. They would rather leverage their experience to provide guidance and help organizations avoid costly pitfalls.

It becomes a perfect fit.

Experienced leaders offer guidance at a fraction of the cost, with short-term contracts keeping commitments flexible. Everyone wins.

vCISOs can provide leadership without being tied to the demanding operational aspects. By dedicating a few hours a week, vCISOs help SMBs benefit from experienced cyber risk leadership with direction, focus, and an understanding of the evolving risks. SMBs can then make informed business decisions that properly account for cybersecurity factors. The practical benefits include effective prioritization and efficient allocation of resources for an optimized cybersecurity posture, based upon their unique needs.

There are risks in the vCISO market. Two things to watch out for:

First, beware of vCISO services offered by security vendors masquerading as impartial advisors. In many cases, this is just a ploy to get customers to buy the parent company’s products or services. These people are effectively used as a sales channel and incentivized to convince SMBs to purchase their wares. They aren’t necessarily looking out for their clients’ best interests. Instead, seek out vendor-agnostic vCISOs that will work with what you have and align recommendations to your actual needs.

Second, many will assert themselves as seasoned cybersecurity leaders but, in actuality, lack the practical experience needed to be a successful vCISO. Let’s be clear: a vCISO is NOT an entry-level job. Rather, it is the opposite.

An experienced cybersecurity leader can quickly understand the major risks and business needs, develop a customized set of strategic plans for a specific organization, and communicate effectively to executives so they may rapidly understand and make well-informed decisions. vCISOs must be vetted properly to make sure they can deliver quality results in very limited timeframes. Otherwise, it will be money wasted!

If you are interested in exploring how vCISOs can help businesses, sectors, or various audiences, reach out to me directly or visit my website. We must purposefully work to support the SMB community. Let's join forces to make this year a turning point in fortifying SMBs and bolstering their digital security and competitiveness!
