

GUEST ESSAY: The rationale for pursuing a culture of cybersecurity – and a roadmap to get there

By Matthew T. Carr

Organizations with strong cybersecurity cultures experience fewer cyberattacks and recover faster than others.

Related: Deploying human sensors

This results from emulating the culture-building approaches of high-risk industries like construction, which devote sustained attention to embedding safety throughout the organization.

For most organizations, building a cybersecurity culture is a necessary evil rather than a cherished goal. Prioritizing security means desirable cultural norms like openness, trust building, creativity, efficiency, and risk-taking might suffer.

Until a decade ago, few organizations needed a cybersecurity culture. If the security industry catches up with adversaries, then the need for a cybersecurity culture will eventually fade away. Few will miss it.

Cybersecurity culture is a subset of the overall corporate culture. It harnesses beliefs and values to promote secure behaviors by employees in everyday work activities.

Model culture

Cybersecurity culture is necessary today because routine actions such as opening emails, responding to customer requests and using productivity software can put the organization at risk for ransomware and data breaches.

FIRESIDE CHAT: U.S. banking regulators call out APIs as embodying an attack surface full of risk

By Byron V. Acohido

APIs have been a linchpin as far as accelerating digital transformation — but they’ve also exponentially expanded the attack surface of modern business networks.

Related: Why ‘attack surface management’ has become crucial

The resultant benefits-vs-risks gap has not surprisingly attracted the full attention of cyber criminals who now routinely leverage API weaknesses in all phases of sophisticated, multi-stage network attacks.

The collateral damage has escalated to the point where federal regulators have been compelled to step in.

Last October the FFIEC explicitly called out APIs as an attack surface that must, henceforth, comply with a new set of API management practices.

Guest expert: Richard Bird, Chief Security Officer, Traceable

I had the chance to visit with Richard Bird, Chief Security Officer at Traceable.ai, which supplies security systems designed to protect APIs from the next generation of attacks.

We discussed, in some detail, just how far the new rules go in requiring best practices for accessing and authenticating APIs. Bird also enlightened me about how and why this is just a first step in comprehensively mitigating API exposures. For a full drill down, please give the accompanying podcast a listen.

There’s little doubt that the new FFIEC rules will materially raise the bar for API security. In the short run companies subject to federal financial institution jurisdiction will have to hustle to get their API act together; and in the long run other companies in other verticals should follow suit.

I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

GUEST ESSAY: Here’s why a big cybersecurity budget won’t necessarily keep your company safe

By Zac Amos

The cybersecurity landscape is constantly changing. While it might seem like throwing more money into the IT fund or paying to hire cybersecurity professionals are good ideas, they might not pay off in the long run.

Related: Security no longer just a ‘cost center’

Do large cybersecurity budgets always guarantee a company is safe from ongoing cybersecurity threats?

According to research from Kiplinger, businesses are spending less money on capital equipment, especially as rumors of a mild recession in the future loom. However, organizations in 2023 know one crucial area to spend money on is cybersecurity.

Cyberattacks are becoming more frequent, intense and sophisticated than ever. In response, many businesses of all shapes and sizes will allocate funds to their IT departments or cybersecurity teams to make sure they’re well-defended against potential threats. They may incorporate tools such as firewalls or antivirus software, which are helpful, but not the only tactics that can keep a network secure.

Unfortunately, having a large cybersecurity budget does not necessarily mean a company has a solid, comprehensive security plan. Organizations can spend all they have on cybersecurity and still have pain points within their cybersecurity program.

GUEST ESSAY: Scammers leverage social media, clever con games to carry out digital exploitation

By Collin McNulty

One common misconception is that scammers usually possess a strong command of computer science and IT knowledge.

Related: How Google, Facebook enable snooping

In fact, a majority of scams occur through social engineering. The rise of social media has added to the many user-friendly digital tools scammers, sextortionists, and hackers can leverage in order to manipulate their victims.

Cybersecurity specialists here at Digital Forensics have built up a store of knowledge tracking criminal patterns while deploying countermeasures on behalf of our clients.

One trend we’ve seen in recent years is a massive surge in cases of sextortion. This online epidemic involves the blackmail of a victim by the perpetrator via material gained against them, typically in the form of nude photos and videos.

These sextortionists are some of the lowest forms of criminals, working tirelessly to exploit moments of weakness in their victims induced by loneliness and our most base-level human natures.

Since the dawn of civilization and economics, instances of fraud have always existed. Scholars have determined that the precursors of money in combination with language are what enabled humans to solve cooperation issues that other animals could not.

SHARED INTEL Q&A: Bi-partisan report calls for a self-sacrificing approach to cybersecurity

By Byron V. Acohido

A new report from the Bipartisan Policy Center (BPC) lays out – in stark terms – the prominent cybersecurity risks of the moment.

Related: Pres. Biden’s impact on cybersecurity.

The BPC’s Top Risks in Cybersecurity 2023 analysis calls out eight “top macro risks” that frame what’s wrong and what’s at stake in the cyber realm. BPC is a Washington, DC-based think tank that aims to revitalize bipartisanship in national politics.

This report has a dark tone, as well it should. It systematically catalogues the drivers behind cybersecurity risks that have steadily expanded in scope and scale each year for the past 20-plus years – with no end yet in sight.

Two things jumped out at me from these findings: there remain opportunities and motivators aplenty for threat actors to intensify their plundering; meanwhile, industry and political leaders seem at a loss to buy into what’s needed: a self-sacrificing, collaborative approach to systematically mitigating a profoundly dynamic, potentially catastrophic threat.

Last Watchdog queried Tom Romanoff, BPC’s technology project director, about this analysis. Here’s the exchange, edited for clarity and length:

GUEST ESSAY: Could CISOs be on the verge of disproving the ‘security-as-a-cost-center’ fallacy?

By Jess Burn

This year has kicked off with a string of high-profile layoffs — particularly in high tech — prompting organizations across all sectors to both consider costs and plan for yet another uncertain 12 or more months.

Related: Attack surface management takes center stage.

So how will this affect chief information security officers (CISOs) and security programs? Given the perennial skills and staffing shortage in security, it’s unlikely that CISOs will be asked to make deep budget or staffing cuts, yet they may not come out of this period unscathed.

Whether the long-anticipated economic downturn of 2023 is a temporary dip lasting a couple of quarters or a prolonged period of austerity, CISOs need to demonstrate that they’re operating as cautious financial stewards of capital, a role they use to inform their choices regardless of the reality – or theater – of a recession.

This is also a time for CISOs to strengthen influence, generate goodwill, and dispel the perception of security as a cost center by relieving downturn-induced burdens placed on customers, partners, peers, and affected teams.

GUEST ESSAY: Five stages to attain API security — and mitigate attack surface exposures

By Rakshith Rao

APIs (Application Programming Interfaces) play a critical role in digital transformation by enabling communication and data exchange between different systems and applications.

Related: It’s all about attack surface management

APIs help digital transformation by enabling faster and more efficient business processes, improving customer experience, and providing new ways to interact with your business.

Whether an API is exposed for customers, partners, or internal use, it is responsible for transferring data that often holds personally identifiable information (PII) or reveals application logic and valuable company data.

Therefore, the security of APIs is crucial to ensure the confidentiality, integrity, and availability of sensitive information and to protect against potential threats such as data breaches, unauthorized access, and malicious attacks.

API security is essential for maintaining the trust of customers, partners, and stakeholders and ensuring the smooth functioning of digital systems. If API security is not properly implemented, it can result in significant financial losses, reputational damage, and legal consequences.