CYBR.Signal

CISOs are typically not the owner of their organization's most critical (or even non-critical) assets and data. There are usually business unit leaders assigned to that, and the CISO's role is to help reduce the risk to those assets. If the CISO does have direct access to those assets, it's a bad architectural design. That's today's #CyberSunday topic.Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      InstagramCheck out our other show·      HOU.SEC.CASTCheck out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON.Support or apply to our Scholarship Program:·      TAB Cyber Foundation

 Security conferences and events are often built with a certain audience in mind. Some are for a a general audience, and others are focused on the CISO. But if an event has a focus on the CISO, it should be for a good reason. I discuss some of those reasons in today's #CyberSunday.Things Mentioned:https://www.linkedin.com/posts/kane-n_its-sad-to-see-many-security-events-these-activity-7209360322237800448-eiiE?utm_source=share&utm_medium=member_desktophttps://www.execseccon.com/Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      InstagramCheck out our other show·      HOU.SEC.CAST Check out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON.Support or apply to our Scholarship Program:TAB Cyber Foundation

Does practice make perfect? Probably not perfect, but it does make you better. That also applies when performing tabletop exercises. But is it feasible to practice as much as you SHOULD when everyone has other jobs to do? That's what Michael is talking about in today's #CyberSunday.Things Mentioned:·      Peter Sacawaker’s LinkedIn Post - https://www.linkedin.com/feed/update/urn:li:activity:7207171692832432128/·      Clint Bodungen’s tabletop company - https://threatgen.comWant to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      Instagram Check out our other show·      HOU.SEC.CASTCheck out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON.Support or apply to our Scholarship Program:·      TAB Cyber Foundation

In mentorship, it's often thought that the mentor is doing the teaching and the mentee is doing the learning. But mentors should also be open to and seek out lessons that they can take from the mentee. In this #CyberSunday, I talk about how tenured #cybersecurity professionals can learn about new tech and new concepts from those who are newer to the field but have other experiences.Things Mentioned:HSC User Group - https://www.hscusergroup.com/Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      InstagramCheck out our other show·      HOU.SEC.CASTCheck out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON.Support or apply to our Scholarship Program:·      TAB Cyber Foundation

The 2024 RSA Security Conference is here. While I am not going this year, I do want to give a few professional networking pointers for folks who are going, especially if you are a new conference attendee. These conference habits have helped me in my professional career, and I hope they help you as well.#CyberSunday #RSA2024 #securityconference #cybersecurityA quick note... I am talking about "professional networking" advice in this video, but I mentioned Jennifer Leggio's article in SecurityWeek in which she makes some very important points about other aspects of your professional like (no matter what profession you are in). Thanks to Jennifer for writing a very brave piece: https://www.securityweek.com/beyond-the-buzz-rethinking-alcohol-as-a-cybersecurity-bonding-ritual/Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      InstagramCheck out our other show·      HOU.SEC.CASTCheck out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON.Support or apply to our Scholarship Program:·      TAB Cyber Foundation

Attack vectors and methods tend to by cyclical, meaning attackers will come back to see if old tricks will yield new results. I talk about one such attack vector that might be coming back in style... with a slight twist.Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      InstagramCheck out our other show·      HOU.SEC.CASTCheck out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON.Support or apply to our Scholarship Program:·      TAB Cyber Foundation

SIEM (Security Incident and Event Management) has been a round a long time. But there are some recent trends and new vendors that are creating fresh ways to implement and operationalize SIEM. I'm discussing a couple of the larger SIEM and security operations trends on today's #CyberSunday.Want to reach out to the host? Email us at [email protected] Hosted By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      InstagramCheck out our other show·      HOU.SEC.CASTCheck out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON. Support or apply to our Scholarship Program:·      TAB Cyber Foundation

How can you tell if a new #cybersecurity concept (think Zero Trust) in cybersecurity is a just a flash in the pan or a valuable idea that can be utilized in your program? In this #CyberSunday, I talk about an unusual method for being able to potentially tell the difference. Want to reach out to the host? Email us at [email protected] Hosted By: Michael FarnumEditing By: Lauren Lynch Keep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      Instagram Check out our other show·      HOU.SEC.CAST Check out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON. Support or apply to our Scholarship Program:·      TAB Cyber Foundation

There is a lot of fear of the security implications about AI and other new and/or improved technologies. And while some fear is healthy, we also can't let it keep us from thinking about uses for that same tech to improve security. Let's talk about it in this #CyberSunday.Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      InstagramCheck out our other show·      HOU.SEC.CASTCheck out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON.Support or apply to our Scholarship Program:·      TAB Cyber Foundation

Michael  talked about security control monitoring a few weeks ago. In this #CyberSunday, he is digging in a bit around an essential part of control monitoring: configuration management/monitoring. What is config management/monitoring, what do you need to do before you can even start monitoring and managing configs, etc. Want to reach out to the host? Email us at [email protected] Hosted By: Michael FarnumEditing By: Lauren Lynch Keep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      Instagram Check out our other show·      HOU.SEC.CAST Check out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON. Support or apply to our Scholarship Program:·      TAB Cyber Foundation

There is a lot of talk and advice on social media, blogs, etc. about the Cybersecurity job market. There's no doubt it's a tough market right now, but does that mean you should stay away? Here's my opinion on the topic and some quick advice of my own for experienced cyber folks who are having trouble getting interviews.Things Mentioned: https://www.linkedin.com/feed/update/urn:li:activity:7174160450119467008/?updateEntityUrn=urn%3Ali%3Afs_feedUpdate%3A%28V2%2Curn%3Ali%3Aactivity%3A7174160450119467008%29 Want to reach out to the host? Email us at [email protected] Hosted By: Michael FarnumEditing By: Lauren Lynch Keep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      Instagram Check out our other show·      HOU.SEC.CAST Check out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON. Support or apply to our Scholarship Program:·      TAB Cyber Foundation

An X/Twitter thread about technology vs communication in #cybersecurity inspired today's video. Which one do you think is more important or more difficult? Watch today's #CyberSunday to get Michael's opinion.Things Mentioned: https://x.com/mikepsecuritee/status/1760299590337622309?s=20Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      Instagram Check out our other show·      HOU.SEC.CASTCheck out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON.Support or apply to our Scholarship Program:·      TAB Cyber Foundation

Today's #CyberSunday is about monitoring controls regularly (as opposed to a point-in-time assessment). Michael gets into some methods of monitoring and what you should monitor them against (hint: monitoring is NOT just technical).Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      InstagramCheck out our other show·      HOU.SEC.CASTCheck out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON. Support or apply to our Scholarship Program:·      TAB Cyber Foundation

Many of us were affected by the cell carrier outage last week. Some initial explanations have come out, but are those explanations plausible? And is a #cyberattack just - or more - plausible than the explanation that AT&T gave? On today's #cybersunday, Michael talks about the outage, the explanations both given and imagined, and some ideas on what lessons we should learn from the outage. Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      Instagram Check out our other show·      HOU.SEC.CAST Check out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON.Support or apply to our Scholarship Program:·      TAB Cyber Foundation

Indecision and apathy from alert fatigue are big issues in #cybersecurity. But have you thought about how FUD marketing can cause some of the same problems? And it's not just vendors throwing the FUD. In today's cybersunday, Michael talks about the issues with FUD and how you need to watch out for it from some unusual sources. Things Mentioned:https://www.securityweek.com/beyond-the-hype-questioning-fud-in-cybersecurity-marketing/https://brothke.medium.com/the-big-lie-of-millions-of-information-security-jobs-a7cb1b30c5b6Want to reach out to the host? Email us at [email protected] Hosted By: Michael FarnumEditing By: Lauren Lynch Keep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      Instagram Check out our other show·      HOU.SEC.CAST Check out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON. Support or apply to our Scholarship Program:·      TAB Cyber Foundation

It's #cybersunday, and it's also time for the Big Game (can't use the real name because reasons). Michael is a big American Football fan, so he's getting into #cybersecurity football analogies. But he's also trying to dig a little deeper and staying away from some obvious analogies. Let us know what you think about them!Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      InstagramCheck out our other show·      HOU.SEC.CASTCheck out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON.Support or apply to our Scholarship Program:·      TAB Cyber Foundation

Michael is in the snow in Michigan to record today's Cyber Sunday. The cold weather and road conditions inspire a cybersecurity analogy around making decisions and determining priorities for your security program.Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      InstagramCheck out our other show·      HOU.SEC.CASTCheck out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON.Support or apply to our Scholarship Program:·      TAB Cyber Foundation

Michael is wrapping up his Risk Management/Assessment series on today's #CyberSunday. His two points today are around risk assessment frameworks and a caution about GRC tools.We hope you enjoyed the series! If there's anything you'd like to see Michael cover in future videos, let us know! Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren LynchKeep up with HOU.SEC.CON·      LinkedIn·      Twitter·      Facebook·      InstagramCheck out our other show·      HOU.SEC.CASTCheck out our Conferences:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON.Support or apply to our Scholarship Program:·      TAB Cyber Foundation

Michael tells a story from his professional past explaining some of the differences between Risk Mitigation and Risk Avoidance.  The scenario on today's #CyberSunday runs through some of the reasons and calculations that went into the decision leadership made between fixing the risk or avoiding it. Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren Lynch Keep up with HOU.SEC.CON·      Houstonseccon.com·      LinkedIn·      Twitter·      Facebook·      Instagram Check out our other show·      HOU.SEC.CAST

2024 is almost here, and that means a special end-of-year CyberSunday to close out the year. Today, Michael is talking about three topics that warrant special consideration for enterprise security programs in the new year. Listen in and tell us what you think!  Want to reach out to the host? Email us at [email protected] Hosted By: Michael FarnumEditing By: Lauren Lynch Keep up with HOU.SEC.CON·      Houstonseccon.com·      LinkedIn·      Twitter·      Facebook·      Instagram Check out our other show·      HOU.SEC.CAST

It is crucial to know what role the CISO/security leader plays when it comes to risk. In today's #CyberSunday Michael talks about working with asset owners/business leaders before, during, and after a risk assessment. Want to reach out to the host? Email us at [email protected] Hosted By: Michael FarnumEditing By: Lauren Lynch Keep up with HOU.SEC.CON·      Houstonseccon.com·      LinkedIn·      Twitter·      Facebook·      Instagram Check out our other show·      HOU.SEC.CAST 

Risk assessments have inherent value for the business if done correctly. But there can also be explicit value for the business in performing a risk assessment and implementing a security program based on that assessment. In this #CyberSunday, Michael talks about both.Mentioned Twitter/X Post: https://x.com/mattjay/status/1730618458272866622?s=46&t=LUbuPP0qd83nb1-gVcAXLwWant to reach out to the host? Email us at [email protected] Hosted By: Michael FarnumEditing By: Lauren Lynch 

Before you can figure out what risks to accept, you have to prioritize the risk. Before you can prioritize risk, you have to get visibility in your environment to determine what your risks are made of. In today's #CyberSunday, Michael talks about the benefits of risk prioritization and visibility into your environment to find those risks. Mentioned LinkedIn Post: https://www.linkedin.com/feed/update/urn:li:activity:7124455952996581376Thank you to Forescout for sponsoring this episode!Want to reach out to the host? Email us at [email protected] In this episode:Hosted By: Michael FarnumEditing By: Lauren Lynch Keep up with HOU.SEC.CONHoustonseccon.comLinkedInTwitterFacebookInstagram Check out our other showHouSecCast

A CISO recently shared a LinkedIn post regarding speaking engagements. In this post he advised security leaders to ONLY accept paid engagements as their time is valuable. In this week’s #cybersunday Michael, who is not only a CISO but the founder of a cybersecurity conference, pushes back on this idea in favor of giving back to the community by sharing your time and knowledge. Mentioned LinkedIn Post: https://www.linkedin.com/posts/davidedelvecchio_when-asked-to-participate-as-a-speaker-to-activity-7126136985928237056-feIk/?utm_source=share&utm_medium=member_ios Want to reach out to the host? Email us at [email protected] Hosted By: Michael FarnumEditing By: Lauren Lynch 

Reviewing accepted risks is a crucial part of a risk management program. In today's #cybersunday, Michael talks about some important best practices like considering risk tolerance changes, involving business units in your review process, and others.Want to reach out to the host? Email us at [email protected] Hosted By: Michael FarnumEditing By: Lauren Lynch

Some recent notable #cybersecurity breaches have come from #socialengineering attacks. Humans are always going to fall for this, but we can help lessen the success of these attacks via awareness training. Michael talks in today’s #cybersunday about how #securityawarenesstraining can be targeted and doesn’t have to be so boring and difficult.  Want to reach out to the host? Email us at [email protected] Hosted By: Michael FarnumEditing By: Lauren Lynch 

If you're looking for an MDR (Managed Detection and Response) vendor, the temptation is to think of them as a product company versus a services company. On this #cybersunday, Michael talks about why that happens, why it can lead to more confusion when trying to decide which vendor to go with, and some of the things you need to think about that can help you choose.Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren Lynch 

The Barracuda ESG Vulnerability is still causing havoc, with the vendor telling their customers to replace the box. In this CyberSunday, Michael discusses some of the implications and considerations of this kind of vulnerability in an important and widely-deployed security device. Things Mentioned:·      https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally·       https://www.infosecurity-magazine.com/news/barracuda-appliances-exploited/·      https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-compromise-of-physical-barracuda-esg-appliances/Want to reach out to the host? Email us at [email protected] By: Michael FarnumEditing By: Lauren Lynch

There are a few paths to getting into cybersecurity, and not all of them are considered “technical”. But what does that mean? In this #CyberSunday, Michael talks about a discussion around GRC as a career path and if it is “technical” or not.  Things Mentioned:·      https://www.linkedin.com/posts/mikesportfolio_cybersecurity-informationsecurity-infosec-activity-7097581791925993472-6ZN7?utm_source=share&utm_medium=member_desktop

How do you work towards a solution for a problem like Shadow IT with people when everyone wants to try to throw tech at it? On today's #CyberSunday, I talk about how using security champions in your company can help. #ShadowIT #cybersecurity #securitychampions

We all know about Shadow IT, and we know it is a big issue (bigger these days with the ease of workload deployment in the cloud). But are we also aware that there is Shadow Security? What is Shadow Security, and is it a problem? Here's my take on today's #CyberSunday.#shadowit #shadowsecurity #cloud #cloudsecurity #workloads #risk #cybersecurity 

Knowing your audience when you're giving information about your #cybersecurity program, efforts, etc. is extremely important. Are they technical? Are they even in the field? Is the information helpful to YOU or to THEM?  Make sure you're not wasting their time or yours by taking into consideration to whom you are speaking before you actually speak.On today's #CyberSunday, I talk about three real scenarios in which I have been involved where the audience was not fully taken into consideration, and a bit of the fallout each time.#KnowYourAudience

Operational/Operations Security is the practice of making sure sensitive data/information about your operations doesn't leak out. in today's #CyberSunday, I give a few real examples of OpSec failure I have noticed recently and what some of the consequences could be.#OpSec #cybersecurity

A friend of mine recently experienced a #breach in his organization. There were two lessons that stood out to me as he was going through the post-mortem, and I'm sharing them on today's #cybersunday.#Cybersecurity #lifelessons 

It's flooding a bit in Houston, and that made me... of course... think of #cybersecurity. On today's #CyberSunday, I am talking about making sure you pay attention to the small things in your program, so that they don't turn into bigger things.

Credential stuffing is an often-used attack. But for the love of all that is holy, your master password in your password manager should not be susceptible to this!!! Today, I talk about what credential stuffing is, what password manager has been hit by it recently, and generally get grumpy about the whole thing.#CyberSunday #credentialstuffing #bigmistake #cybersecurity

The CI/CD OWASP Top 10 came out last month (not sure how I missed that!). What does that mean? Well, that depends on what you're responsible for in the CI/CD pipeline! Here are some thoughts form me on the topic on today's #CyberSunday.#cicd #cicdpipelines #owasp #owasptop10 #development #appsec

The holidays should be a time to celebrate food, friends, and family (and football). Maybe this is also a good time to measure the effectiveness of your #managedsecurity provider.#mdr #securitymetrics #Thanksgiving #cybersecurity #CyberSunday

How you set priorities around building a #cybersecurity program differs based on your perspective. On today's #cybersunday, I talk about how the perspective of the advisor must be tempered by the perspective of the practitioner working day-to-day in the trenches.#prioritization #perspective

I was quoted in an article last week about the latest CISA directive on #assetmanagement and #vulnerabilitymanagement (link below). I was the cynical voice in that article, and I wanted to explain a little more on this #CyberSunday about whether these two #cybersecurity #fundamentals should be paired as closely as they are by #CISA.Link to article: https://securityboulevard.com/2022/10/cisa-directs-federal-agencies-to-boost-system-visibility/

In today's #CyberSunday, I go a little outside the normal #cybersecurity discussion and talk about how #liftandshift isn't always negative when it comes to moving workloads into the cloud. I specifically talk about my experiences with a couple of different security vendors (I didn't name anyone specifically) who took different approaches and the positive and negatives associated with those cloud moves.#cloud #cloudinfrastructure #digitaltransformation 

Securing the digital transformation is not a new problem. It is actually an old problem with modern concerns. A lot of people are talking about how concerned they are with machine identities, APIs, IoT, etc.. But these things aren't new. They've actually been in existence for quite a long time. What we're REALLY saying is that these things are proliferating out of control, and they're not properly secured. But why has it become a problem?Today's #CyberSunday is all about my take on this issue.#digitaltransformation #machineidentities #internetofthings #apis

Dr. Gerald Auger and I gave a talk last week at the Houston Technology Summit titled "Building Cooperation and Understanding Between Security and IT". We talked a lot about the differences in skills and mission between the two groups, and how there should be more empathy between them. Here's my #CyberSunday quick take on our presentation.#cybersecurity #informationsecurity #informationtechnology #empathy #cooperation

Is regulatory compliance fundamental to your #cybersecurity program? In this #CyberSunday, I compare regulations against standards and talk about which one comes before the other.#regulations #compliance

There have a been a few times in the history of #cybersecurity product development when a new solution has been truly innovative. But what is extremely rare is when a tool is innovative, fills a true need, and is practical to install/deploy. In this #cybersunday, I give some examples of what I see as innovative products, talk about whether they filled a big need at the time they came out, and whether they were practical to deploy.#innovation #productdevelopment #practical

There were two big themes from discussions with our customers at #BlackHat. One is a commonly discussed problem these days (lack of people). The other takes us back to the fundamentals of #cybersecurity (asset management). And neither were buzzwords or #vaporware.#CyberSunday #SecurityFundamentals #SkillsShortage #assetmanagement #people

I'm headed out to Vegas tomorrow for the #BlackHat #cybersecurity conference, and it made me think about a couple of questions that have been on my mind for a bit: do you prefer local cons or national cons, and do you mainly go to cons for the talks or checking out the vendors? I weigh in with my opinions (sorta - I'm a bit biased because I run #HouSecCon). What's your take?#CyberSunday #CyberConferences #HackerSummerCamp

Low-Code/No-Code dev tools are fueling the rise of the "Citizen Developer", but there are real security implications around the tools that enable the non-developer to build applications. I'm just starting to research this more, but here are some of my initial thoughts on today's #CyberSunday.#lowcodenocode #appsec #cybersecurity

While feature comparisons are important when choosing a #cybersecurity product, what do you do when two products are essentially the same? On this #CyberSunday, I talk about making sure the vendor has #alignment with your business when you've done the rest of your due diligence on features and functionality.

On this #CyberSunday, I'm talking about how #SASE (Secure Access Service Edge) and #SSE (Security Service Edge) are not exactly the same. You need to know what problem you're trying to solve (use cases are always important), and you have to be aware of the differences between them so you can choose the right solution/vendor.#cybersecurity #sdwan #casb #SDN