Khalid Kark

CISA has published a draft of the new CISA SBOM Minimum Elements! The 2021 NTIA Minimum Elements were an important step to help create a common specification of what should be in an SBOM. CISA is proposing an updated, clarified version that can be aligned with existing tools and support use cases. They are actively seeking feedback, so please share, review, and send them your thoughts! https://lnkd.in/eRm_zxT2

201

13 Comments

“PCI SSC has seen comments…” 👀 -Assessor Newsletter, June 2025 A few weeks ago, I raised a flag about FAQ 1597 and the related infographic, where the language suggested that acceptance of lower-risk vulnerabilities wasn’t on the table. That post gained great traction and sparked important conversations in the community. Well, the PCI Security Standards Council has now responded. In their June 2025 Assessor Newsletter, they stated: ✅ Clarification (main bullet points summarized): - “Addressed” ≠ “Resolved.” - Examples of "addressed" where not an exhaustive list. - Low-risk vulnerabilities can be accepted—if justified by a Targeted Risk Analysis (TRA). - Addressing a vulnerability may mean fixing it, compensating for it, disabling it, or accepting the risk. - The TRA must be reviewed annually to ensure it still reflects the environment and risk tolerance. This clarification is welcome—but also tacit acknowledgment that feedback from assessors and the broader community (yes, some of those comments they saw were from you all) helped make it happen. 📌 Next step for the Council: Update FAQ 1597 and the DSS itself at some point to reflect this broader interpretation. The ambiguity in the official text still risks confusion and audit inconsistencies. As of this posting date, the only place this clarification exists is within the assessor newsletter. 🤨 One nitpick I will call out though— the Council called out that their original definition of “addressed” wasn’t all inclusive. However, words matter. For a reminder, this was the definition: Addressed - the entity determines whether to resolve the vulnerability or to mitigate the risk by addressing the vulnerability in another way (e.g., with a compensating control or by disabling a vulnerable service) So to be clear, their definition says resolve OR mitigate. How were we to infer that acceptance is acceptable!?! 🤷‍♂️ If you’re a QSA or manage PCI in your organization, this is a significant development. It gives you back the flexibility to treat low-risk issues rationally, as long as your TRA process is strong. Thank you to Viviana Wesley for letting me know about the publication within the newsletter! #PCIDSS #CyberSecurity #QSA #VulnerabilityManagement #GRC #PCICompliance #InfoSec #AssessorLife

214

19 Comments

Is Cyber Risk on the Rise? Next week, I'm doing a webcast for the RSA Conference to explore that question using 15 years of data on security incidents and losses. It draws from the upcoming 2025 Information Risk Insights Study (IRIS) from Cyentia Institute. Details and registration link below. Summary: Is cyber risk truly skyrocketing, as many believe? Are organizations more prone to breaches now than they were 10 years ago? Have the financial impacts of security incidents increased or decreased over time? Are these trends similar across organizations of all types and sizes? We’ll answer these questions together by analyzing a huge historical dataset of cyber events and losses. #cyberrisk #cyberresilience #cybersecurity March 26, 2025 | 10:00 AM PT | 1:00 PM ET Register: https://lnkd.in/ep3GKQ5w

46

6 Comments

The California Privacy Protection Agency is pleased to announce that Minnesota and New Hampshire have joined the bipartisan Consortium of Privacy Regulators -- this demonstrates a unified and collaborative approach to enforcement across the states https://lnkd.in/gRKTtyta

59

3 Comments

Grateful for the thought leadership of Belmont’s own Paul Connelly, NACD-DC and Gary Garrison, recently featured in MSN and AOL, who make a compelling case for starting cybersecurity education in kindergarten. Their message is clear: strong digital habits and cyber wellness should begin when kids first go online. It’s a powerful example of our ongoing work to prepare students of all ages to thrive in a connected world. Find links to both articles in the comments below.  

55

10 Comments

Today the Cloud Security Alliance released Zero Trust Guidance for Small and Medium-Sized Businesses (SMBs). The foundational guidance detailing these evolving principles guide SMBs in adopting Zero Trust as a core cybersecurity strategy. The unique challenges for SMBs are discussed to provide a roadmap for evaluating, implementing, and benefiting from a Zero Trust architecture. As a precursor for SMBs to the CSA Zero Trust Guiding Principles2 foundational guidance, this document offers relevant context and practical steps tailored for SMBs across the five-step methodology. The document and an executive presentation can be found here https://lnkd.in/e32rbmJS Want to get involved? Sign up here https://lnkd.in/eKFHfJMR Thank you to the primary authors: Frank DePaola  Mark Fishburn  Larry Kinkaid  Andrea Knoblauch  Aaron Robel  Alex Sharpe  🔐Michael Theriault And the CISA staff: Erik Johnson  Stephen Lumpe  Stephen Smith Special thanks to Alice Muravin. #cybersecurity #informationsecurity #riskmanagement #executivesandmanagement #zerotrust #SMB

50

11 Comments

🚨 Key Takeaways from Ashford's SEC Settlement on Cyberattack Disclosure🚨 The SEC recently announced that asset manager Ashford has agreed to settle charges related to misleading disclosures about a 2023 ransomware attack. This case highlights several critical issues in cybersecurity governance and regulatory compliance: 🔒 The Breach: Hackers accessed 12 terabytes of sensitive data, including identity card photos, partial credit card numbers, and bank account details. Despite the severity, Ashford’s early disclosures claimed no customer information was compromised, a statement the SEC challenged. Which is problematic, because they must have known: they either knew and did not disclose, or did not know because their staff was not skilled enough to understand the details. SNAFU. 📄 Regulatory Scrutiny: The SEC’s investigation emphasized the importance of accurate and timely cyberattack disclosures. Ashford’s settlement comes under the agency’s new rules from 2023 requiring companies to report material cyber incidents within four business days. 💰 Cost of Compliance: Ashford’s decision to delist from public markets, citing cost savings, underscores the financial impact of cybersecurity and regulatory requirements on publicly traded companies. 🤔 Shifting Regulatory Landscape: With SEC Chair Gary Gensler stepping down, there is speculation about how enforcement might evolve under new leadership. Will companies face lighter penalties or more flexible disclosure timelines? The Takeaway: This case serves as a reminder that cybersecurity is not just an IT issue, it is a governance priority. For companies, the risks of insufficient disclosure extend beyond financial penalties to reputational damage and erosion of stakeholder trust. As the regulatory environment evolves, organizations must double down on proactive cyber-risk management and transparent communication with investors and customers. What is your perspective on the balance between regulatory oversight and corporate responsibility in cybersecurity? #Cybersecurity #Governance #Compliance #RiskManagement #SEC #Ransomware #DataPrivacy 

36

1 Comment

When the Cybersecurity Information Sharing Act quietly expired, the “spigot of information” turned off just as cyberattacks continue to surge. This lapse weakens everyone’s defenses by reducing visibility and slowing down early warnings. So how can organizations stay protected when government-to-private threat sharing stalls? Build your own intel pipeline—and fast. Read LMG Security’s blog for more: https://lnkd.in/g78fhG8q #Cybersecurity #ThreatIntelligence #InfoSharing 

22

2 Comments

🚨 The Cybersecurity Information Sharing Act (#CISA) protections quietly expired this week. For the past decade, CISA enabled organizations to share cyber threat intelligence with government and peers under legal safeguards. With those protections gone, companies may think twice before collaborating — just as threat actors are ramping up their tactics. This moment is a reminder of how vital #trust and #transparency are in collective defense. Even without legal frameworks, security teams will need to find ways to keep intelligence flowing and risks visible. #CyberSecurity #ThreatIntelligence #CollectiveDefense

18

Cyber Privacy course @Collin College Sunday Oludare Ogunlana, Ph.D., AIGP, CISSP, CCISO, CIPP/US, CEI. Thank you, Professor. What is Cyber Privacy? What is CyberSecurity question asked? How do we answer? Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks, damage, or unauthorized access. It involves safeguarding information from threats like hacking, data breaches, and viruses. With the increasing reliance on technology, cybersecurity plays a critical role in maintaining privacy, ensuring the safety of personal data, and protecting critical infrastructure across various sectors. SBD - Secure by Design "Secure by Design" refers to an approach where security is integrated into the system’s architecture from the outset. Rather than adding security as an afterthought, this approach ensures that software, hardware, and networks are designed with built-in security features to prevent vulnerabilities and reduce the risk of cyberattacks. It's about embedding security throughout the development lifecycle. DEI - Diversity, Equity, and Inclusion Diversity, Equity, and Inclusion (DEI) are essential for creating work environments that value and celebrate the uniqueness of every individual. DEI ensures equal opportunities for all, regardless of background, and fosters a culture of respect and inclusion. Diversity refers to the range of backgrounds, perspectives, and experiences. Equity focuses on fairness in opportunities and treatment, while inclusion creates a sense of belonging and respect in the workplace. PBD - Privacy by Design Privacy by Design is the concept of embedding privacy into the system’s design process from the beginning. By proactively protecting personal data, privacy is prioritized throughout the development and operation of systems. This approach ensures compliance with data protection regulations and safeguards user privacy from the outset. Privacy Engineering Privacy Engineering involves the design and implementation of systems and processes that protect user privacy. This includes applying technical, legal, and organizational strategies to handle data responsibly, ensuring privacy risks are minimized, and complying with regulations like GDPR and CCPA. Privacy engineers work to create systems that prioritize data protection and meet the highest standards of user trust. Keep Moving – Inspiring Words "You’re capable of anything you set your mind to." "You don’t have to be the best at everything; you just need to try your best." "It’s about the journey, not just the destination." "Treat others how you want to be treated." "Don’t let your peers’ actions affect how you feel about yourself." "Every mistake is a lesson." "I believe in you, and I support you." "Magic happens outside your comfort zone." "Be yourself." #Cybersecurity #PrivacyByDesign #DiversityAndInclusion #SecureByDesign #PrivacyEngineering #TechForGood #CareerGrowth #Inspiration

21

8 Comments

Just had a great discussion with @ReversingLabs about CISA's new procurement tool for third-party software risk management (TPSRM). While the tool aims to boost security for software onboarding, the manual and cumbersome process highlights the need for more automated, scalable approaches to managing supply chain risks. The challenges are real, but so are the opportunities to innovate. 🔐 Read the full interview: https://bit.ly/46jH2f0 #Cybersecurity #TPSRM #SoftwareSupplyChain #CISA

16

2 Comments