For me, October was the acknowledgment of digital security and awareness, but honestly, it was more than that. November is a moment of reflection. For me, it’s reflecting on the question of how can we understand the barriers between awareness and implementation? To answer this, it’s imperative to understand the…

Shadow-IT — Deployed information technology systems or services by employees or non-IT departments, to work around the shortcomings of the central information systems; actual or perceived. Example: The marketing team decides to use Third-party Software-as-a-Service (SaaS) applications outside the control of their IT department Scamicry — A “legitimate” interface or…

Looking back 5 years, the FDA marked National Cyber Security Awareness Month with a statement [1] (available on third party site) I feel is important to reflect on: “At FDA, we strongly believe that medical device cyber safety is a large and shared responsibility that requires diligence from all stakeholders…

There was much fanfare that Moody’s put another “triple-A stamp of approval” on Security Ratings firm BitSight to the tune of $250 million. While this is a substantial, newsworthy investment, it isn’t “new” though. …

“Dozens of hospitals and clinics in West Virginia and Ohio are canceling surgeries and diverting ambulances following a ransomware attack that has knocked out staff access to IT systems across virtually all of their operations. Three hospitals started diverting emergency patients to Camden Clark Medical Center. The facility is an…

Prologue Shortly after seeing this story on Security Ratings published, attempts to reach Mr. Phil Venables were made to comment and offer assistance. Unfortunately, after a reasonable amount of time passed, it was determined that Mr. Venables did not wish to be reached for comment. I’m now releasing a response to…

Let’s talk about contextual evidence, or rather the lack thereof, in the Security Ratings industry: For more than a year, I’ve witnessed the various Security Ratings vendors tell their customers and assessed organizations what they deem as “severe” findings in their reports, without any contextual evidence to support either investigation…

Dear RiskRecon (and other Security Ratings vendors passively assessing organization’s patching posture), Failing to recognize, investigate, and implement the many well-documented ways that have been shared with you for how you identify backported security fixes in applications does not equate to a “false-positive” like you claim. …

In a previous article, I spoke about receiving Security Rating reports with hundreds of pages findings. Many, if not all, Security Ratings reports contain findings and ratings of an assessed organization’s software patching cadence. We’ve all been reminded to ‘patch early and often’ and these Security Ratings reports are no…