
Rich Stroffolino
From the CISO Series, it's Cybersecurity Headlines: Secure by Design leaders leave CISA, LLMs up the ante for exploiting vulnerabilities, and Microsoft and FBI post industry status reports. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're looking forward to some insight, some opinion and expertise from one of our favorite returning guests, making her third appearance on this show, CISO emeritus of note, Bethany Delude. Thank you so much for being here, Bethany. I gotta ask before we jump into the news, how was your week in cybersecurity?
Bethany Delude
I have to say this was one of those incredibly energizing weeks. If I were to pick a word or a theme, it was connection. I got to participate in a couple of CISO roundtables, which is always such a great source of learning. Got to connect dots across all the headline stories that we read today. And so it just has been a very positive, energizing week. And to all the CISOs out there listening who had a week that was not so positive and energizing, I've sat exactly where you sit, and I am rooting for you, your company and all those affected by a week that did not go as intended.
Rich Stroffolino
And I'm just going to say, spoiler, we have some positive news here, including your three, I don't know how to point it out on video, you have three stars here, Bethany, for being a three-time guest. So energy and an award all in one. You can't ask for anything more. We also can't ask anything more from our sponsor for this week, Dropzone AI. You can meet them at RSA, just head on over to booth ESE 60 and tell them the CISO Series sent you. Remember you can join us on YouTube live. To do so, go to cisoseries.com, hit the events dropdown and look for the Cybersecurity Headlines Week in Review image. If you click on it, I guarantee you'll be brought to some sort of portal in which you can watch this show. We got David Cross in there, we got CCL, we got Kevin Farrell coming in. He was doing double duty on Super Cyber Friday as well. Thank you for all of your time and joining us. We've got about 20 minutes though, speaking of time, so let's jump into the news. First up here, Secure by Design leaders leave CISA. Two of the chief architects of CISA's Secure by Design initiative have announced that they're leaving the agency. Senior technical advisor Bob Lord and senior advisor Lauren Zabierek are departing. They joined CISA in 2022 and 2023 respectively. Acting CISA Director Bridget Bean said the agency will continue to urge companies to develop products that are secure by design. Now it's sad to see such talent leave, but given the position CISA finds itself in, saying that it's trying to redefine its mission here, it is not too much of a surprise. I'm curious, Bethany, how do you feel this will impact companies' own motivations to continue with the Secure by Design initiative and just kind of that principle in general?
Bethany Delude
Yeah, it's a bit disheartening. It was a great initiative that was introduced. I think it placed accountability in the right spot, and also, for those who signed on to the principles related to the initiative, it gave timelines for when they were going to act in accordance with these principles. So this is a troubling bellwether. If what we're talking about is leadership leaving instead of talking about what is the next great action being taken to promote this initiative, then it tells folks that they can take their foot off the pedal, and that's not a good thing. Something that I did when I was thinking about this segment is I went back and refreshed my memory on what those design principles are. And when you look at that, for the CISOs on this call, it's puzzling that anyone wouldn't sign up: using MFA, getting rid of default credentials, eradicating classes of flaws like cross-site scripting and SQL injection. It's just very table-stakes type of things. So I don't know why that's polarizing and why it seems to be deprecated as a priority.
Rich Stroffolino
Yeah, "deprecated as a priority" does not sound great, given though that we have seen CISA's messaging being very specific, right, about what CISA is no longer going to be doing. They really are backing away from all of the election interference stuff and that kind of stuff. So the fact that they haven't said "we're not interested in this at all" to me is at least, okay, that's still on the table for CISA. Even if the fact that you have some of the primary architects of it leaving signals, hey, maybe they didn't feel they were going to be as engaged or as meaningful or as impactful in that going long term. Sean Kelly: I guess we'll need to go back to the bad old days of secure it after the fact. Yeah, Sean. Yeah, maybe don't be baking in those credentials, folks. I'm just going to go ahead and say we can maybe all agree on that. Next up here, today's LLMs craft exploits from patches at lightning speed. Large language models like OpenAI's GPT-4 and Anthropic's Claude Sonnet 3.7 are accelerating the process of creating working exploits after a vulnerability disclosure. A researcher at Pro Defense demonstrated that AI could analyze code patches, identify security flaws and generate proof-of-concept attack scripts quickly, reducing a defender's response time. Experts warn this rapid automation is also shrinking reaction windows for cybersecurity teams. You know, Bethany, given everything we've seen from LLM news, no surprise here, but given the permanent state of cat and mouse in this business, how can organizations use the same technology to fight the LLM-enhanced exploits? They can move faster. How are we using this to move faster in response?
Bethany Delude
I think it's a mindset change. Folks are used to tackling vulnerabilities, responding to CVEs, in the same manner. Just as the bad actors have embraced LLMs, embrace creating custom GPTs. That's something for security teams: give them room, invest in training them so that they can use the same technology. Perhaps create custom GPTs to summarize different product exploits, to create step-by-step instructions on patching, to create executive summaries, to do those tasks related to fixing vulnerabilities that can accelerate patch velocity and accelerate prioritization of which patches to deploy and focus upon. I think it's getting folks to run at this new technology the same way the bad actors are running at this technology, and to purchase products where someone else has run at it and now you don't need to know the nuts and bolts, but you can leverage that same acceleration.
Rich Stroffolino
All right, next up here, one of the many reports that we'll be covering in the rest of the show, Microsoft's latest security progress report. As part of the investigation of Microsoft's 2023 Exchange Online breach, the Cyber Safety Review Board concluded that the intrusion of China-linked threat actor Storm-0558 was preventable and listed a bunch of ways Microsoft dropped the ball. As a result, Microsoft launched its Secure Future Initiative, or SFI, and it's now published its second progress report. This now shows that Microsoft has implemented things like phishing-resistant MFA, now covering 92% of employee accounts. 99% of production assets are now inventoried, and token validation has shifted to hardened SDKs, as well as over 6 million inactive tenants having been removed. The report does state, however, that the CSRB recommendations about transparency and victim notification process refinements remain largely incomplete, or Microsoft is waiting on industry consultation, that kind of stuff. Bethany, you chose this as one of the stories to talk about this week. What stands out to you in this report?
Bethany Delude
Well, part of the reason I selected the story is because it allowed me to quote Spider-Man, which is "with great power comes great responsibility." Microsoft is just part of the fabric, folks. Whether home users, corporate users, domestically, globally, Microsoft is just woven into the fabric of professional and personal lives. I think with that type of market penetration, there is a duty to provide a product that is in fact secure by design. I'm going right back to that first article. I'm just going to weave that in at every potential juncture. On the one hand, I guess I liked the fact that the Cyber Safety Review Board, and bringing the Microsoft president of the company before Congress, things like that, did spark a reprioritization within Microsoft to put security more in the forefront. When you're reading this report, there are just so many, I guess, notable changes and accomplishments, from adding a new deputy CISO. We all know that having accountability for cybersecurity is key. And I do want to acknowledge that, yes, Voltaire did say that quote before it was attributed to Uncle Ben, but I think Spider-Man made it penetrate our psyches more, so, well, Stan Lee couldn't rip.
Rich Stroffolino
Off, I think therefore I am. Yeah, so that worked out.
Bethany Delude
That is absolutely true, those things. So I like that, and I like some of the things that Microsoft has done. Like they had their Zero Day Quest inaugural event last year, but now those are the things that you're looking at in front of you, all the Atom Microsoft, yay, well done. But then behind that you think, wow, there was a lot of stuff to clean up. That's where we move from a thumbs up to maybe a little bit of a head scratcher. In the Zero Day Quest, for example, there were 180 vulnerabilities identified. That's fantastic. It's great that they sponsored the event. It's great that they monetized the fight. There's me finding those vulnerabilities. At the same time, products were going live with 180 vulnerabilities. It's a constant, like the cat-and-mouse game. So lots to applaud here. And also some things that give one a little pause.
Rich Stroffolino
I do find it very interesting that Microsoft released a seemingly very transparent progress report that did admit that their transparency goals are the things that they have done. Is that just a matter of prioritization for that kind of customer response and transparency? Right. Like technical controls are the first priority. Once we have all those down, should we read anything more into that?
Bethany Delude
I think it's again just about prioritization. When you went through the number of things that they agreed to do and where they were in that list, they still have a lot more to do. I think it was maybe five initiatives they felt that they were pretty well fortified on. So it's like anything, you pick the things that you think are the most important and work down your list. So I'm not reading too much into that just yet. We'll see what their next report says.
Rich Stroffolino
And we have a link to that in our show notes. So make sure you check out the full report. It is available, no paywall or sign-up wall or anything like that. So be sure to check it out, because there is a lot of really good stuff in there. Before we move on to our next story, I have to spend a few moments and thank our sponsor for today, Dropzone AI. Alert investigation is eating up your security team's day. 30 to 40 minutes per alert adds up fast. Dropzone AI's SOC analyst transforms this reality by investigating every alert with expert-level thoroughness at machine speed. Their AI SOC analyst gathers evidence, connects the dots across your security tools and delivers clear reports with recommended actions, all in minutes. No playbooks to build, no code to write. Just consistent, high-quality investigations that free your team to focus on what matters: stopping actual threats. Meet them at RSA. Head on over to booth ESE 60 and tell them the CISO Series sent you. Another report coming out here, this one from the good old Federal Bureau of Investigation, the 25th installment of its annual Internet Crime Complaint Center, or IC3, report. The agency revealed a new high for reported losses last year, reaching, I'm going to say, an astounding $16.6 billion, with over 850,000 complaints, up 33% from 2023. Cyber-enabled fraud accounted for a staggering $13.7 billion of those losses and accounted for 40% of IC3's complaint volume. People over the age of 60 suffered the most significant financial losses, coming in at over $4.8 billion, and that's a 43% increase from 2023. To end, I guess, on a little bit of a positive note here, the FBI said last year cyber fraud-related arrests increased 700% to 215 through 11 joint operations with local law enforcement agencies. Lots of numbers there. A lot of them don't sound great. Bethany, what stands out to you in this?
Bethany Delude
Yeah, so a couple of things. So the vulnerable population. So thinking a bit about that, folks, you know, over 60, and the average loss was like $100,000, which is pretty significant. You know, I see this report as a call to action, in this way. It made me think about when, in a previous CISO role, I had done your typical security awareness type outreach to the workforce, only I really personalized it. And I talked about one of these scams. It was an emergency scam that someone had tried against my mom. And when you looked at it, they got their information from my father's obituary. So that, I guess, generates emotion when people read notes like that. And she knew to call me and, despite being upset, did not become victimized by a crime. And so I put out in that communication a call to that company's workforce to say, you have access to a world-class security awareness program. The people in your circle and in your ecosystem don't, so take these learnings and help your mom. And it was a way to really engage the workforce. It wasn't just the CISO telling everyone one more thing they can't do. It was the CISO empowering every person to do something helpful, helpful for their ecosystem in both their personal and their professional lives. So I went and read this report and I looked at the scams. I do want to point out, Rich, they're still using "pig butchering," page 14. And I had to scratch my head. Like, I thought we agreed we weren't going to call it that anymore.
Rich Stroffolino
But I, you know, I just feel sorry for the pigs at this. They're getting a bad... I mean, the pig butchers themselves are getting a bad name. I feel like butcher shops are thinking people are scamming them. I'm not a fan. I'm not. We can call it romance. There's a simpler name, just call it a romance scam. I don't understand this.
Bethany Delude
Yeah, yeah, they were combining confidence and romance scams and, like, you know, quote, pig butchering. It's like, no, no, it doesn't have to be, quote, pig butchering. So just, yeah, I think the report was no surprises. Just again, as we say in my family, it got my Irish up on, you know, the folks who are victimizing so many vulnerable populations.
Rich Stroffolino
And as CCL points out, it's kind of echoing everything you said, Bethany. We need more community support and awareness. And, yeah, that kind of one, that ability to know that you can have a positive impact. Right. You see reports like this, it's very easy to be like, this is hopeless, everything's getting worse all the time. But this community has expertise that we can give to our networks and provide a personal context, right, to not make it nameless numbers. To be like, this happened to my mom, this happened to someone in my family. And providing supportive ways to kind of deal with that, I think, is really the way to go with that. So, yeah, I really appreciate that, Bethany.
Bethany Delude
Sure thing. Yeah, we do have some agency. It's. That's a good feeling.
Rich Stroffolino
I mean, this is kind of, we're backdooring into a philosophy. You know, we had Voltaire, now we have agency. All right, so if we talk about the phenomenology, I guess we'll really complete the cycle here. All right, so next up here, let's see if we can finish this one. British companies told to hold in-person interviews to thwart North Korea job scammers. After finding it too difficult to pursue the job-finding scam in the US, North Korean operatives are now focusing on Europe, and specifically the UK, to seek out remote work with the goal of accessing sensitive data as well as cash, which is always a classic. They are often assisted by co-conspirators who hold physical addresses in the country. John Hultquist, the chief analyst at Google's Threat Intelligence Group, told the UK news outlet the Guardian, "Many of the remedies are in the hands of the HR department, which usually has very little expertise dealing with a covert state adversary." Hultquist added that companies need to do a better job checking physical identities and ensuring that the person you're talking to is who they claim to be. This scheme usually breaks down when the actor is asked to go on camera or come into an office for an interview. Bethany, we don't often bring HR into our show here, but what should companies do to delegate this responsibility to the HR department, as Hultquist suggests here? Is this HR and cybersecurity needing to move more in lockstep?
Bethany Delude
It is. There are so many times we think that something that has been very well publicized, that CISOs are very locked into and aware of, has necessarily reached your HR department, and it hasn't. So with these scams, and it's interesting, as I mentioned earlier, I participate in many different roundtables, and this was a topic that a year ago was thought to be theoretical, even though there were joint advisories issued on this topic, I think dating back to 2022.
Rich Stroffolino
And.
Bethany Delude
Then more recently in discussions, people had war stories of different kinds of devices connected and facilitating this. And when you unpacked those conversations, sometimes it turned out that there were breakdowns in HR processes or onboarding processes. So I think it's important to not assume that someone in your organization has that same level of awareness that you do, that your head of HR read the... I thought KnowBe4, I still applaud them for being so, we used the word transparent earlier, transparent about their North Korean IT worker and putting that out there when that happened. So I think it is about engaging them and showing them just how good the mechanisms are to pretend to be a legitimate worker. So, yes, I think this is just one more group to engage. And HR folks already have been folks to partner with from a cyber perspective. Someone goes to change their bank deposit, you don't just process that. You have to have steps in place. So I think it's just a natural extension of a conversation that's already happening.
Rich Stroffolino
Yeah. If this is news, like you were saying, I think CISOs can suffer from being the extremely online, whatever the cybersecurity version of that is. Right. We're all tuned into this where you're listening to Cybersecurity Headlines. Good job. But yeah, that may not reach down to the rest of your org. And I would even say it up to John Hultquist. I mean, obviously he's kind of an expert. Like, I'm not trying to school him, but we're seeing more and more deepfakes making it so, hey, showing up on video, yeah, if you ask them on the spur of the moment, maybe they can't do that. But that is increasingly, you know, not becoming the barrier, the litmus test that it might have been just a couple of years ago or maybe a year ago or something like that. So that's another thing to maybe keep the HR department apprised of as well. For sure. All right, our last story here today. Kind of a double story here. We got more reports: edge technologies and third-party vendors as threats. So these reports came out. First up, the old Verizon Data Breach Investigations Report, the DBIR, always a classic. It attributes an increase in breaches involving third parties in which organizations such as accountants and law firms are used as ways to reach their intended targets. Then a report from Mandiant shows that devices like VPNs, firewalls and routers lack third-party security support, making organizations vulnerable. Bethany, here we have two groups, of people and tools respectively, that operate on the edge of a target organization, yet are direct targets for exploitation. Because, hey, let's move laterally, it's what all the crazy kids are doing. Neither of these is new. Why are these still newsworthy in this report for CISOs?
Bethany Delude
Because they still haven't been solved. The data is showing us that our third parties and our partner ecosystem are an increasing attack vector. That's how folks are getting in. We go back to, well, now it feels like a million years ago, so maybe half a million years ago, when Target was attacked through its HVAC vendor, like that was a wake-up call. And yet this persists. So I think what is interesting this week is three major reports. We had the FBI report, we had M-Trends, we have the DBIR, and then we have what we started with, the Secure by Design initiative. And the data from these very credible reports is telling us that exploiting vulnerabilities is the new preferred tactic for getting a foothold. So I think we're hearing about this because if you're creating products that aren't secure, and our corporate perimeter is wherever we log into something or wherever our data is stored, chances are you don't have the same visibility and control with folks outside of your direct, I guess, chain of command, for lack of a better word. So we need to find better ways to strengthen that ecosystem so that we can perhaps see this number decline.
Rich Stroffolino
Yeah, and when it comes to the DBIR, I am increasingly sympathetic to, as a security practitioner, you can't go, "don't hire lawyers or accountants." That's a great way to lose every single time. Right? Because the threat actors know that you need to engage with these services, and your tooling and your visibility into them, even if you know they're having audits and stuff like that done, your visibility there is never going to be as perfect as it is even in your own organization, which we know is already problematic. So in terms of that creativity and finding those weak points, of knowing business still needs to get done. So security, it's the joke of, if we just didn't have to do business, it would be so much easier to secure everything.
Bethany Delude
Right. And so many third parties, whether it's a service provider or a SaaS product, they're sticky. Once they're part of your business model, it's tough to pivot. So another challenge is finding out what are the levers to incentivize security as a metric for product design, product quality, because once you have this relationship, they do tend to be pretty sticky. And as much as certain regulations, folks who are working their way through DORA know that you need to identify your critical vendors and that you need to have an exit strategy, it's easier said than done.
Rich Stroffolino
Yes, most definitely. Most definitely. Big thank you to all of our audience that came in today, just having some fun in the chat. Kevin Farrell, I hope you said you were trying to install a ceiling fan, so you missed some of the show. That means that was not successful. So I'm wishing you success on ceiling fan installation. I suggest you go back and listen to the rest of the show, because we had a fantastic conversation, although I think we kind of put a button on it at the very end there. But CCL, we had Sean Kelly, one of our producers from Cybersecurity Headlines, in there, David Cross, the big boss David Spark of course, and some P Domingo was also in there giving us that Voltaire reference. So thank you for that so much there. So thanks to everybody that gets in there. It helps make the show better. Before we get out of here, Bethany, was there any story that was a thumbs up or an eye roller for you today?
Bethany Delude
The combination of the stories that promoted the three major reports that were released this week. There's a definite thumbs up, and probably an eye, not a roller but a rubber, because as I read them all this week, it was a lot of eye strain. A lot of eye strain this week. But I love how those stories and the story on Secure by Design, just questioning what the future is there, the connections among them, because again, like I mentioned, the data is showing we have to have better products and services that are more secure with our third parties and better security with our third-party ecosystem. I did appreciate that Mandiant in M-Trends called out that one of the top exploited vulnerabilities was based on a SQL injection. And then you look at Secure by Design, one of the principles is stop using design patterns that are known to be exploitable. So.
Rich Stroffolino
Or the most known one. Yes.
Bethany Delude
Yeah. So just, hopefully, when people see this data, they will be incentivized to do better.
Rich Stroffolino
I'm going to give my own thumbs up for the release of the Verizon DBIR, because I always use that as my metric for when I'm going to need bifocals, because I always like to read the snarky footnotes. And I made it another year, folks, so we're getting there. We're doing good. Thank you, Verizon footnotes. I appreciate that. Bethany, thank you so much for being on the show. We will have to have you on again as soon as possible. Where can people find you online if they are so inclined?
Bethany Delude
You can find me on LinkedIn. Pretty active on there. And on another CISO Series program, yes, I have three stars for this one, but I've got six total, so I'm going for a record.
Rich Stroffolino
And next month you're going to be doing an AMA that we're organizing over on the cybersecurity subreddit. So make sure you look for that. Thank you once again, Bethany Delude, CISO Emeritus. I'm going to say CISO emeritus of note. And thank you so much for your time and your expertise. This has been a blast.
Bethany Delude
It's been my pleasure, everyone. Have a good weekend.
Rich Stroffolino
And thanks also to our sponsor for today, Dropzone AI. Remember to meet them at RSA. That's booth ESE 60. And speaking of RSA, the CISO Series has a ton of fun events going on around the show. We'll be recording a live CISO Series Podcast at BSides SF on April 27, hosting an RSA happy hour at Lucky Strike San Francisco on the 28th, and, very excited, the big boss man David Spark is doing his San Francisco walking tour on May 1st. I know you're saying, Rich, that's a lot of information, how am I going to remember that? All you fools, just go to cisoseries.com, look for our events page. All that information is there. You don't have to remember it. We keep an index. That's what the Internet is for. Thanks to everyone in our audience today. I know we can't always get every single comment up on the screen, but it is a delight to see them each and every week, and it's a delight hanging out with all of you, helping make the show better. Please join us again next week. We're going to have another episode of our Week in Review that starts at 3:30pm Eastern. We're taking Super Cyber Friday off for RSA, but to register to join us, head on over to YouTube and subscribe to our YouTube channel. Or just go to the events page at cisoseries.com. In the meantime, you can still get your daily news fix every single day. Give us about six minutes, we'll get you all caught up. It's called Cybersecurity Headlines. And make sure you subscribe and tell a friend. Until the next time we meet, for myself, for Bethany, for our producer extraordinaire Steve Prentiss, for the big boss man David Spark, and all of us here in the CISO Series family, here's wishing you and yours a super sparkly day. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast Summary: Cyber Security Headlines
Week in Review: Secure by Design Departure, Microsoft’s Security Report, LLMs Outrace Vulnerabilities
Host: Rich Stroffolino
Guest: Bethany Delude, CISO Emeritus
Release Date: April 25, 2025
Cyber Security Headlines kicks off with host Rich Stroffolino welcoming returning guest Bethany Delude, CISO Emeritus. They set the tone by discussing the week's overarching theme of "connection," highlighting Bethany’s participation in CISO roundtables and emphasizing the importance of solidarity within the cybersecurity community.
Notable Quotes:
Rich Stroffolino [00:00]: "Secure by Design leaders leave CISA, LLMs up the ante for exploiting vulnerabilities, and Microsoft and FBI post industry status reports."
Bethany Delude [00:37]: "It was if I were to pick a word or a theme, it was connection."
Two of the chief architects behind CISA's Secure by Design initiative, Bob Lord and Lauren Zabarek, have announced their departure from the agency. This move raises concerns about the future momentum and commitment to the Secure by Design principles, which emphasize accountability and timely implementation of security measures.
Discussion Highlights:
Bethany Delude [02:53]: Expresses disappointment over the departure, emphasizing that Secure by Design was a robust initiative promoting essential security practices like MFA and eliminating default credentials.
Rich Stroffolino [04:22]: Notes CISA's shifting focus away from certain areas, suggesting that the departure signals a potential decrease in long-term impact and support for Secure by Design.
LLMs such as OpenAI's GPT-4 and Anthropic's Claude Sonnet 3.7 are now being utilized to swiftly create exploits following vulnerability disclosures. This rapid automation challenges cybersecurity teams to respond more quickly than ever before.
In response to the 2023 Exchange Online breach, Microsoft has launched its Secure Future Initiative (SFI) and released a second progress report highlighting significant improvements: phishing-resistant MFA now covers 92% of employee accounts, 99% of production assets are inventoried, token validation has moved to hardened SDKs, and over 6 million inactive tenants have been removed.
However, the report acknowledges incomplete areas, such as transparency and victim notification processes.
Discussion Highlights:
Bethany Delude [08:11]: Commends Microsoft’s efforts, tying them back to the Secure by Design principles and the responsibility that comes with Microsoft’s extensive user base.
Rich Stroffolino [11:08]: Observes that while technical controls have improved, transparency efforts are still lagging, indicating a need for ongoing attention.
Notable Quotes:
Bethany Delude [08:11]: "With that type of market penetration, there is a duty to provide a product that is in fact secure by design."
Rich Stroffolino [11:08]: "They still have a lot more to do. I think it was maybe five initiatives they felt that they were pretty well fortified on."
The FBI’s 25th IC3 report reveals a record high in reported cyber losses: $16.6 billion across more than 850,000 complaints, up 33% from 2023. Cyber-enabled fraud accounted for $13.7 billion of those losses and 40% of complaint volume, and people over 60 suffered the largest losses at more than $4.8 billion, a 43% increase from 2023.
Despite the surge in losses, cyber fraud-related arrests increased by 700%, reaching 215 through 11 joint operations with local law enforcement.
Discussion Highlights:
Bethany Delude [13:58]: Highlights the vulnerability of older populations and advocates for personalized security awareness programs to empower individuals to protect their communities.
Rich Stroffolino [16:08]: Emphasizes the importance of community support and personal connections in combating cyber fraud, making the issue more relatable beyond mere statistics.
Notable Quotes:
Bethany Delude [13:58]: "It was a way to really engage the workforce. It wasn't just the CISO telling everyone one more thing they can't do."
Rich Stroffolino [16:08]: "You can have a positive impact. You see reports like this, it's very easy to be like, this is hopeless."
North Korean operatives have shifted their focus to the UK, posing as remote job applicants to get hired and gain access to sensitive data and salaries. These operatives often rely on co-conspirators with physical addresses in the country, which makes detection harder.
Discussion Highlights:
Bethany Delude [18:37]: Stresses the necessity for HR departments to enhance their security measures and collaborate closely with cybersecurity teams to verify identities and prevent such scams.
Rich Stroffolino [19:13]: Points out the evolving tactics of these operatives, including the use of deepfakes during hiring, which means identity verification procedures need continuous updating.
Notable Quotes:
Bethany Delude [19:13]: "I think it's just this is one more group to engage. And HR folks already have been folks to partner with from a cyber perspective."
Rich Stroffolino [19:13]: "We're seeing more and more deepfakes making it so."
The Verizon DBIR highlights an increase in breaches involving third parties such as accountants and law firms, which attackers use as pathways into their primary targets. Separately, Mandiant reports that edge devices such as VPNs, firewalls, and routers often cannot run third-party security tooling, leaving them as blind spots that attackers use as footholds for lateral movement.
Discussion Highlights:
Bethany Delude [22:10]: Emphasizes the persistent challenge of third-party vulnerabilities despite longstanding awareness, calling for improved security within partner ecosystems.
Rich Stroffolino [24:43]: Critiques the reliance on third-party services, noting the inherent security visibility challenges and the need for innovative protective measures.
Notable Quotes:
Bethany Delude [22:10]: "The data from these very credible reports is telling us that exploiting vulnerabilities is the new preferred tactic for getting a foothold."
Rich Stroffolino [24:43]: "Security, it's the joke of as long as if we just didn't have to do business, it would be so much easier to secure everything."
Bethany Delude reflects on the interconnectedness of the week's stories, underscoring the need for more secure products and robust third-party ecosystem defenses. She highlights the importance of aligning security measures across all facets of an organization, including HR departments.
Notable Quotes:
Bethany Delude [26:22]: "The data is showing we have to have better products and services that are more secure with our third parties and better security with our third-party ecosystem."
Rich Stroffolino [27:36]: "I'm going to give my own thumbs up for the release of the Verizon DBIR because I always use that as my metric for when I'm going to need bifocals."
The episode wraps up with acknowledgments to participants and sponsors, promoting upcoming events and encouraging listeners to engage with the CISO Series community for continuous learning and support.
Leadership Changes Impact Initiatives: The departure of key figures from CISA raises concerns about the future of the Secure by Design initiative and its influence on organizational security practices.
LLMs as Double-Edged Swords: While LLMs enhance the speed of exploit development for attackers, they also offer powerful tools for defenders to improve response times and security measures.
Corporate Accountability in Security: Microsoft's comprehensive security progress demonstrates significant advancements but also highlights areas needing further improvement, particularly in transparency.
Rising Cyber Fraud Threats: The FBI's IC3 report underscores the increasing financial losses due to cyber-enabled fraud, especially among vulnerable populations, necessitating enhanced awareness and protective measures.
Evolving Scamming Tactics: North Korean operatives extending their fraudulent remote-worker scheme to the UK highlight the need for integrated strategies in which HR and cybersecurity teams jointly verify applicant identities and prevent data breaches.
Persistent Third-Party Vulnerabilities: Ongoing issues with third-party security in reports like Verizon DBIR and Mandiant emphasize the critical need for stronger defenses and accountability within partner ecosystems.
For more detailed insights and daily updates, visit CISOseries.com.