bredemarket

Who? What?

Who are you?

What is that?

Identity and cybersecurity are pretty basic, when you think about it.

(Imagen 3)

Defeating the Metabot to Share Whistic’s Survey Results

There are some things that I don’t bother to share in the Bredemarket blog, but instead just share to my socials.

This morning, I shared a story about the third-party risk management firm Whistic to LinkedIn’s Bredemarket Technology Firm Services page.

You can see an oft-used Bredemarket technique: rather than sharing everything from a third party (geddit?) article, I only share a bit of it, then encourage the reader to click on the link to see the rest of the content. Makes everybody happy. What could go wrong?

Then I shared the same story to Facebook’s Bredemarket Technology Firm Services page.

Or tried to.

First attempt to share to Facebook

Facebook removed the post, accusing me of using “misleading links or content to trick people.”

I’m so devious that even I couldn’t figure out what I did.

Until I re-read the post and noticed this parenthetical comment.

(And one more key finding. Read the article.)

Doesn’t seem like a trick to me, but I explicitly urged people to leave Facebook’s walled garden and read something.

I do this all the time—Facebook is the second most popular traffic source for Bredemarket, after Google—but apparently the way I did it in the Whistic post was a trick to Facebook’s readers.

Second attempt to share to Facebook

The solution was simple: repost the article WITHOUT the offensive parenthetical comment.

So I did.

And Facebook removed the post again.

This isn’t the first time Facebook has rejected content that other platforms accepted without question…including other Meta platforms such as Instagram, Threads, and WhatsApp.

I was this close to ceasing content sharing on Facebook altogether.

But then I had an idea.

Now I’m engaging in real trickery

If I am offending Zuck by using text to supposedly trick people into clicking on a link…

…what would happen if I ONLY posted a link with no text at all?

And rather than posting the text of interest in Facebook’s walled garden…

…I put the text of interest in the Bredemarket blog, along with the Whistic link that offended Facebook so much?

Then I could share it on character-limited platforms such as Threads and Bluesky.

You see the irony here. For a while I’ve strived to place social content natively on each platform. Now the platforms are forcing me to place the real content on a platform I control.

And the text would look something like this:

What I tried to say this morning

Every year, Whistic surveys hundreds of Risk-Management and Information Security leaders to understand the trends, challenges, and opportunities that are actively shaping the third-party risk management (TPRM) industry.

In 2025, the average company in our survey works with 286 vendors—up by 21% versus last year….That increased demand comes with increased risk.

[C]ompanies are spending more time, more money, and more resources on TPRM, but still not meeting their own risk standards or reducing security events.

(And one more key finding. Read the article.)

https://www.whistic.com/resources/blog/2025-impact-report-takeaways

When Beneficial Ownership Diverges From Legal Ownership

I recently discussed some proposed changes to the way in which beneficial ownership information (BOI) is collected. However, even after the changes are made, FinCEN will still collect BOI for foreign firms.

Hungary, facial recognition, and geolocation

Biometric Update recently published a story about facial recognition in Hungary, and its use to identify people who display rainbows and dress in ways “that diverge from the gender they were assigned at birth.” I’m going to zero in on one portion of the story: the facial recognition provider involved.

The company FaceKom has been around under different names since 2010 but has seen significant growth during the past few years thanks to investments from the Central European Opportunity Private Equity Fund (CEOM). The fund has no direct links with [Prime Minister Orbán’s son-in-law, István] Tiborcz. However, it is registered on the same address in Budapest where several companies owned by Orbán ‘s son-in-law operate.

Ah, geolocation! The Chi Fu Investment Fund Management Zrt.’s address of record is 1051 Budapest, Vörösmarty tér 2.

And do you know what else is at that address?

A Western Union Currency Exchange.

From https://interchangefx.com/branches/vorosmarty/.

Well, that’s enough to drive some conspiracy theorists crazy.

Beneficial ownership and legal ownership

So I didn’t find the smoking gun, but I do want to take this opportunity to point out what BENEFICIAL ownership is. Investopedia:

A beneficial owner is a person who enjoys the benefits of ownership even though the title to some form of property is in another name.

Using the Hungarian example (without the Western Union part), it’s not enough to say that CEOM and/or Chi Fu Investment Fund Management Zrt. (I don’t know enough Hungarian to confirm they are one and the same) does not list István Tiborcz (or Victor Orbán) as an official owner or co-owner.

As Unit21 points out, you don’t have to literally own (either on your own or through a trust) 25% of an entity to be a beneficial owner. Here’s another criterion of a beneficial owner:

Any individual that holds a significant ability to control, manage, or direct the legal entity

De facto control without de jure control could very well be wielded by a powerful politician, or his son-in-law.

(Imagen 3)

Enter the Wildebeest Truckers

You can bet that I paid attention to AKings’ latest post after I saw how it began:

“Indiana. The Crossroads of America. A place where colossal semi-trucks roar in from the north, south, east, west, and every conceivable direction in between, like a great migration of diesel-belching wildebeests on their way to deliver vital supplies.”

Bredemarket’s self-promotional content is replete with wildebeests, iguanas, and wombats. Much of this was from an urge to differentiate from those who eat their own dog food. So Bredemarket ate its own iguana food, then its own wildebeest food.

But “wildebeest trucker” is a new one on me.

How do you differentiate your marketing content from that of your competitors?

Or do you eat their dog food?

But goin’ back to Indiana, AKings’ post is a literal tour of the state over a year, including an encounter with angry union members in Kokomo (not that Kokomo). Recommended reading.

(Wildebeest truck driver Imagen 3)

And the CVE Funding Winner Is…

Update to my prior post.

According to Reuters, CVE funding has been extended…for 11 months.

So like everything else, the fix for the problem is temporary.

(Imagen 3)

If the United States Won’t Pay For the CVE Program…Who Will?

From The Register:

“The [CVE] program is sponsored, and largely funded by the Cybersecurity and Infrastructure Security Agency, aka CISA, under the umbrella of the US Department of Homeland Security. It appears MITRE has been paid roughly $30 million since 2023 to run CVE and associated programs.”

$30 million is peanuts.

If the U.S. government won’t fund it (and it still may), and if private firms won’t fund it, perhaps the EU will take it over. Or Canada. Or China.

The only complication is whether MITRE can run it if someone other than the feds is paying.

View this post on Instagram

A post shared by John Bredehoft (Bredemarket) (@bredemarket)

The Silent Type

“It’s OK. The competitor isn’t talking, so we can say anything we want.”

But what if “the competitor”…is YOU?

Get in the content conversation: https://bredemarket.com/cpa/

(Imagen 3)

RACI WOMBAT Talk

A wombat in lingerie, or a racy wombat. Not a RACI wombat, the topic of the blog post.

Earlier this month I posted a revelation:

I don’t want to reveal Bredemarket’s secret process, so I’m just going to call it WOMBAT. Not that WOMBAT is unique to Bredemarket; far from it. Many companies use WOMBAT.

And many companies don’t use WOMBAT. In fact, they abhor WOMBAT and call it stifling. (Emotion words. Geddit?)

But I’ve found over the years that if you don’t use WOMBAT, there’s a very good chance that you’ll break things.

And who catches hell? The consultant. “Why did you do what we asked you to do? Now look at the mess you made!”

So out of a sense of fear and self-preservation (geddit?), there are times that I’ve secretly used WOMBAT and not told my clients I’m doing it.

Well, I’m going to reveal one component of WOMBAT in this post because I’m surprised that I haven’t already discussed it.

But there’s a risk involved, because once I discuss this component, there are about five people in the world who will immediately know what my WOMBAT is. But luckily for me, none of them read the Bredemarket blog, so my secret is safe.

(Speaking of risk, the racy—not RACI—wombat image was created by Imagen 3.)

RACI

As some of you undoubtedly figured out, I’m going to discuss RACI: Responsible, Accountable, Consulted, and Informed.

Assume for the moment that Bredemarket grows beyond its sole proprietorship origins and becomes a multinational employing thousands of people. At some point I’ll be sitting in my luxurious executive suite, nibbling on caviar, and I’ll bark out an order:

“Write a blog post about a wildebeest amusement park!”

Now the blog post won’t just magically happen. And because the fictional Bredemarket is a huge enterprise, it will take more than one person to make it so. Perhaps four, perhaps more, perhaps fewer. Here’s how Bob Kantor at CIO defines Responsible, Accountable, Consulted, and Informed:

Responsible: People or stakeholders who do the work. They must complete the task or objective or make the decision. Several people can be jointly Responsible.

Accountable: Person or stakeholder who is the “owner” of the work. He or she must sign off or approve when the task, objective or decision is complete. This person must make sure that responsibilities are assigned in the matrix for all related activities. Success requires that there is only one person Accountable, which means that “the buck stops there.”

Consulted: People or stakeholders who need to give input before the work can be done and signed-off on. These people are “in the loop” and active participants.

Informed: People or stakeholders who need to be kept “in the picture.” They need updates on progress or decisions, but they do not need to be formally consulted, nor do they contribute directly to the task or decision.

Personally, there may be cases when you only want a single person to be responsible for the work. But I agree that only one should be accountable.

Applying RACI

Using my ludicrous example, one (or more) people will be responsible for writing the wildebeest amusement park blog post, a single person (presumably one of my junior vice presidents) will be accountable for approving it, and various entities will be consulted for feedback (and, in the ideal world, may actually provide feedback). Then there are a few people who will be informed about the project, merely to roll their eyes at the whole thing.

Regardless of the process you institute, whether it is my super-secret WOMBAT process or something else, RACI responsibilities will help tremendously. Here’s another quote from Bob Kantor at CIO:

Having managed and rescued dozens of projects, and helped others do so, I’ve noted that there is always one critical success factor (CSF) that has either been effectively addressed or missed/messed up: clarity around the roles and responsibilities for each project participant and key stakeholder. No matter how detailed and complete a project plan may be for any project, confusion or omission of participant roles and responsibilities will cause major problems.

And some Accountable person approved what Kantor said.

Reapplying RACI

And this also affects Bredemarket’s content, proposal, and analysis work. For example, let’s look at the proposal that I recently helped a Bredemarket client win.

Two of us were jointly responsible for completing and submitting the proposal: myself, and a person at the client company. Yes, I know what I just said about preferring that only one person be responsible, but the federal agency in question would not let me submit the proposal; someone from the client had to do it.
This second person was the one who was accountable for the submission of the proposal.
There were several people who were consulted regarding this proposal. I cannot reveal their roles, but let’s just say that all of them were…um…critically important.
Then there were a few people here and there who were informed of the proposal progress.

Perhaps Bredemarket can work on a project with you. Let me know. https://bredemarket.com/cpa/

Frame, Assess, Respond, and Monitor (FARM) in Third-Party Risk Management

A farmhouse being attacked by iguanas with machine guns, representing third-party risk management threats.

I just listened to a third-party risk management (TPRM) Mitratech webinar about NIST cybersecurity frameworks, hosted by OCEG, which talked about a farm.

No, they’re not planting corn at NIST’s Gaithersburg headquarters.

(At least I don’t think so. I haven’t been there since early 2009, back when Motorola and Safran people couldn’t talk about the possible acquisition. We did anyway. But I digress.)

Back to TPRM. In Mitratech’s case, FARM stands for “frame, assess, respond, and monitor.”

Here’s how Mitratech introduced the topic in a 2022 post:

NIST SP 800-53 is considered the foundation upon which all other cybersecurity controls are built. With SP 800-161 Rev. 1, NIST outlines a complementary framework to frame, assess, respond to, and monitor cybersecurity supply chain risks. Together, SP 800-53 and supplemental SP 800-161 control guidance present a comprehensive framework for assessing and mitigating supplier risks.

If you visit the latest (as of 2024) update to SP 800-161, you can find NIST’s explanation of the FARM in Appendix G. The three referenced levels in the quote below are the enterprise, mission, and operations levels.

The first approach is known as FARM and consists of four steps: Frame, Assess, Respond, and Monitor. FARM is primarily used at Level 1 and Level 2 to establish the enterprise’s risk context and inherent exposure to risk. Then, the risk context from Level 1 and Level 2 iteratively informs the activities performed as part of the second approach described in The Risk Management Framework (RMF). The RMF predominantly operates at Level 3 [SP80037], – the operational level – and consists of seven process steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

Briefly:

Frame establishes the context.
Assess is the risk assessment itself.
Respond is where the assessors communicate the results of the assessment and propose mitigations and controls.
Monitor is compliance verification and continuous monitoring.

Section G.2 of the document includes much, much more detailed definitions of the FARM elements, should you be interested. I’d provide those details myself, but then I fear I’d have to say to you, “Sorry if I’ve stayed too long.”

Earthquake Phone Alerts Work

Back when AOL keywords roamed the earth, you didn’t learn about an earthquake until you felt it. Now, sensors and smartphones attempt to provide advanced notice.

A little while ago my phone started beeping loudly. By the time I figured out why, I felt a strong jolt.

Luckily it was 90 miles away from me, and it was NOT a 6.0 as initially reported. (Helpful hint: an earthquake’s magnitude is never as initially reported.)

But it appears that many of us received advance warning.

Now if everyone can agree on the magnitude…