A Review of the Best News of the Week on Cybersecurity Management & Strategy
RSA 2020: Equifax CISO touts company’s transparency as it seeks breach redemption (SC Media, Feb 27 2020)
Fresh off a financial settlement over its 2017 data breach that affected roughly half the U.S. population, Equifax is forging ahead with a $1 billion-plus investment in a new security plan — and CISO Jamil Farshchi was eager to tout the credit reporting agency’s progress so far in a session this week at the RSA Conference in San Francisco.
ENISA publishes procurement guidelines for cybersecurity in hospitals (Help Net Security, Feb 25 2020)
The EU Agency for Cybersecurity (ENISA) published a cybersecurity procurement guide for hospitals.
KPMG on Key Cybersecurity Considerations for 2020 (SecurityWeek, Feb 25 2020)
In its 2020 annual cyber considerations report, KPMG highlights six major cybersecurity trends and requirements that should occupy the minds of enterprises over the next 12 months. These trends come from interactions with its major clients.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
NIST Publishes SP 800-171 Rev. 2: Protecting CUI (NIST Computer Security Resource Center, Feb 24 2020)
NIST Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations, has been approved as final. The protection of CUI while residing in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to carry out its missions and business operations.
The CIA Won’t Admit It Uses Slack (VICE US, Feb 21 2020)
While other federal agencies admit everything, up to spending tens of thousands a year to maintain channels like #churchfart, the CIA will neither confirm nor deny.
Wendy Nather on How to Make Security ‘Democratization’ a Reality (Dark Reading, Feb 25 2020)
Ahead of her keynote at the RSA Conference, Cisco’s head of advisory CISOs outlines to Dark Reading a unique paradigm that asks security teams to stop fighting their users, and start sharing control with them.
Almost Half of Orgs Have Dedicated Cyber-Threat Intelligence Team (Feb 25 2020)
85% of orgs have at least some kind of resource focusing on CTI
#BSidesSF: Keynote: Slack CISO Reflects on a Decade of Mayhem and Gives Checklist Advice in Its Wake (Feb 24 2020)
At BSides San Francisco, Larkin Ryder, the interim CISO at Slack, delivered a keynote based on a decade of retrospection, reflection, and prediction
HackerOne Surpasses $82 Million in Paid Bounties (SecurityWeek, Feb 25 2020)
With $40 million in bug bounties paid in 2019, hacker-powered bug bounty platform HackerOne nearly doubled the amount paid out in all previous years combined, reaching $82 million.
How a Hacker’s Mom Broke Into a Prison—and the Warden’s Computer (Security Latest, Feb 26 2020)
Security analyst John Strand had a contract to test a correctional facility’s defenses. He sent the best person for the job: his mother.
Changing the mindset of the CISO: From enforcer to enabler (Help Net Security, Feb 24 2020)
CISOs today have the opportunity to help enable the organization to grow by delivering a digital experience that delights customers while mitigating digital risk. This requires the CISO to advise the business about when and where cyber risks could manifest. Security leaders must now be able to transform their security practices in lockstep with all the other changes wrought by business-wide digital transformation.
Security, Networking Collaboration Cuts Breach Cost (Dark Reading, Feb 24 2020)
CISOs report increases in alert fatigue and the number of records breached, as well as the struggle to secure mobile devices in a new Cisco study.
#RSAC: Make Security a Business and a Technical Issue (Feb 24 2020)
Security is both a business and a technical issue, especially as businesses become more digital
#BSidesSF: How to Create a Security Program and Culture as the First Security Hire (Feb 24 2020)
At BSides San Francisco, Bryan Zimmer, head of security at Humu, delivered a talk on how to create a security program and develop a security-centric culture as the organization’s first security hire
UW Medicine Facing Breach Lawsuit (Feb 24 2020)
Class-action lawsuit filed against University of Washington School of Medicine over data breach
RSA Conference 2020: Product Announcement Summary (Day 1) (SecurityWeek, Feb 24 2020)
As the industry’s largest conference, many security vendors leverage the event to launch new products and announce updates and enhancements to their offerings. To help cut through the clutter, the SecurityWeek team will publish a daily digest summarizing some of the product and service announcements made throughout the week.
Almost three-quarters of all phishing sites now use SSL protection (Help Net Security, Feb 26 2020)
The total number of phishing sites detected by the Anti-Phishing Working Group (APWG) worldwide in October through December 2019 was 162,155, following the all-time-high of 266,387 attacks recorded in July through September 2019.
What Your Company Needs to Know About Hardware Supply Chain Security (Dark Reading, Feb 27 2020)
By establishing a process and framework, you can ensure you’re not giving more advanced attackers carte blanche to your environment.
One in five SMBs use no endpoint security at all (Help Net Security, Feb 27 2020)
An alarming number of SMBs (small to medium businesses) in the US and UK are not prepared for a potential cyber attack or breach, BullGuard warns.
#RSAC: How The FBI Caught Voice Phishing (Vishing) Scammers (Feb 27 2020)
An FBI agent details how a criminal gang exploited voice systems and payment processors, and how the long arm of US law caught the perpetrators in Romania