Is There a Calculator On That Slide Rule?


Once again I’m painting a picture, this time of two people: the IT chick, deftly wielding her slide rule as she sizes up hardware and software, and the finance dude, deftly wielding his calculator as he tabulates profit, loss, and other money stuff. Each of them in their own little worlds.

Despite the thoughts of Norman Marks in his post “Cyber is one of many business risks.”

  • “Many years ago, my friend Ed Hill, a Managing Director with Protiviti at the time, coined the expression ‘there is no such thing as IT risk. There is only business risk.’”
  • “The [Qualys] report reveals a persistent disconnect between cybersecurity operations and business outcomes. While 49% of respondents reported having formal risk programmes, only 30% link them directly to business objectives. Even fewer (18%) use integrated risk scenarios that consider both business processes and financial exposure.”

I admit that I often draw a clear distinction between technical risk and business risk. For example, I treat as supposedly separate the question of whether a third-party risk management (TPRM) algorithm is accurate and the question of what happens if an end customer sues your company because the end customer’s personally identifiable information was breached on your partner company’s system.


So make sure that when your IT chick wields her slide rule, the tool has an embedded calculator on it to quantify the financial effects of her IT decisions.


How Many Authentication Factor Types Are There?


An authentication factor is a discrete method of authenticating yourself. Each factor is a distinct category.

For example, authenticating with fingerprint biometrics and authenticating with facial image biometrics are both the same factor type, because they both involve “something you are.”

But how many factors are there?

Three factors of authentication

There are some people who argue that there are only really three authentication factors:

  • Something you know, such as a password, or a personal identification number (PIN), or your mother’s maiden name.
  • Something you have, such as a driver’s license, passport, or hardware or software token.
  • Something you are, such as the aforementioned fingerprint and facial image, plus others such as iris, voice, vein, DNA, and behavioral biometrics such as gait.

Five factors of authentication, not three

I argue that there are more than three.

  • Something you do, such as super-secret swiping patterns to unlock a device.
  • Somewhere you are, or geolocation.

For some of us, these are the five standard authentication factors. And they can also function for identity verification.

Six factors of authentication, not five

But I’ve postulated that there is one more.

  • Somewhat you why, or a measure of intent and reasonableness.

For example, take a person with a particular password, ID card, biometric, action, and geolocation (the five factors). Sometimes this person may deserve access, sometimes they may not.

  • The person may deserve access if they are an employee and arrive at the location during working hours.
  • That same person may deserve access if they were fired and are returning a company computer. (But wouldn’t their ID card and biometric access have already been revoked if they were fired? Sometimes…sometimes not.)
  • That same person may NOT deserve access if they were fired and they’re heading straight for their former boss’ personal HR file.
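As an added illustration (not from the original post), the following Python treats fingerprint and face as one factor type, counts distinct factor types before calling an attempt multi-factor, and then applies the “why” check from the three scenarios above. The method names, the 9-to-5 working hours, and the resource labels are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from enum import Enum


class Factor(Enum):
    """The five factor types the post settles on."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"
    DO = "something you do"
    WHERE = "somewhere you are"


# Constructed mapping from an authenticator to its factor type, following the
# post's groupings; fingerprint and face map to the SAME type.
METHOD_FACTOR = {
    "password": Factor.KNOW, "pin": Factor.KNOW,
    "passport": Factor.HAVE, "hardware_token": Factor.HAVE,
    "fingerprint": Factor.ARE, "face": Factor.ARE, "iris": Factor.ARE,
    "swipe_pattern": Factor.DO,
    "geolocation": Factor.WHERE,
}


def distinct_factors(methods):
    """Return the set of factor types presented; fingerprint + face count once."""
    return {METHOD_FACTOR[m] for m in methods}


def is_multifactor(methods):
    """True only if at least two DIFFERENT factor types were presented."""
    return len(distinct_factors(methods)) >= 2


@dataclass
class Context:
    employed: bool     # still on the payroll?
    local_time: time   # wall-clock time of the access attempt
    resource: str      # assumed labels: "office", "equipment_return", "hr_files"


def reasonable_intent(ctx, start=time(9), end=time(17)):
    """The post's sixth factor: same credentials, different verdicts by intent."""
    if ctx.employed:
        return start <= ctx.local_time <= end  # employee during working hours
    if ctx.resource == "equipment_return":
        return True                             # ex-employee returning a laptop
    return False                                # ex-employee anywhere else (e.g. hr_files)


def decide(methods, ctx):
    """Grant only when the attempt is multi-factor AND the intent is reasonable."""
    return is_multifactor(methods) and reasonable_intent(ctx)
```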

Or maybe just five factors of authentication

Now not everyone agrees that this sixth factor of authentication is truly a factor. If “not everyone” means “no one,” then I’m the only person blabbering about it.

So while I still work on evangelizing the sixth factor, use the partially accepted notion that there are five factors.

It’s All About Me 2: I Ask, Then I Act

Continuing my self-promotion, as opposed to promotion of my Bredemarket marketing and writing consultancy, how do I promote myself to companies outside of identity and biometrics? 

For example, cybersecurity firms, or third-party risk management (TPRM) firms, or content management system (CMS) firms, or healthcare firms (the non-identification biometric)?

By emphasizing that I ask, then I act.

Resonating with both the Simon Sinek devotees and the bias-to-action adherents.

Short in duration, heavy on symbolism, and daring to mention “B2G” before “B2B.” That will start a conversation.

And then if someone fixates on the biometric modalities…

…I will redirect the person to Part One.

I ask, then I act.

About ISO 27001

I’ve previously discussed SOC 2 and its governance in the Bredemarket blog, and I encountered SOC 2 again in a Wednesday webinar from Drata and Armanino, “Ask an Auditor: SOC 2 & ISO 27001 Tips, Tricks, and Pitfalls to Avoid.”


Armanino is the auditor, while Drata is an automation platform that assists companies in measuring conformance to SOC 2, ISO/IEC 27001, and other standards.

The webinar was in the form of an Ask Me Anything session, so naturally a comparison of SOC 2 and ISO/IEC 27001 came up.

As I previously mentioned, the SOC suite was developed by the Association of International Certified Professional Accountants. ISO standards are published by the International Organization for Standardization.

And ISO/IEC 27001 provides an actual certification, unlike SOC 2, which is an attestation (or iBeta PAD testing, which indicates conformance).

So what is ISO/IEC 27001?

Let’s ask ISO:

“ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.

“The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system….

“ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.”

For additional information, see Drata’s page.

Will There Be FEWER States with Mobile Driver’s Licenses in the Future?


Normally when states adopt a new technology, one state will first adopt it, followed by other states, until eventually all states adopt it. (Take REAL ID.)

It’s rare that a state adopts an emerging technology and then trashes it.

Last year

But that’s exactly what happened in Florida last summer, when the state withdrew support for its Thales mobile driver’s license (mDL) pending the creation of a new mDL from a new vendor.

Update as of June 2025…there isn’t one.

“The Florida Smart ID applications will be updated and improved by a new vendor. At this time, the Florida Department of Highway Safety and Motor Vehicles is removing the current Florida Smart ID application from the app store. Please email FloridaSmartID@flhsmv.gov to receive notification of future availability.”

This year

But hey, I’m sure Florida is working behind the scenes to develop a new mDL. After all, digital identity remains a federal priority.

Um…check Biometric Update.

“At the forefront of the Trump administration’s cybersecurity shift is the categorical removal of Biden-era digital identity initiatives which had encouraged federal agencies to accept digital identity documents to access public benefit programs and promoted federal grants to help states develop secure mobile driver’s licenses.”

Biometric Update is specifically referring to President Donald Trump’s Executive Order issued last Friday, which affects cybersecurity efforts in general. Lots of use of the Q word.

Next year?

But if states aren’t receiving federal funding to develop mDLs, and if states decide that only physical driver’s licenses are in their interest, then will mDL adoption slow?

Or may other states follow Florida’s lead and let their contracts with mDL vendors expire?

SWOT analysis advocates…this is a threat.

Oh, and by the way…don’t forget that moving from mDLs back to physical driver’s licenses leads to a certain loss of privacy.

Privacy.

TPRM: When the Board Gets Involved

As promised, I am going to continue to write about third-party risk management (TPRM).

And as the abstract for a September 9 Gartner roundtable points out, TPRM isn’t just the concern of the Chief Information Security Officer (CISO) any more…

“Third-party networks are expanding, with startups and business model innovators increasingly joining them. The increasing high risk in these networks is prompting boards and senior leaders to enhance and better focus their oversight of TPRM programs.”

Yes…the Board. (Of Directors.)

Now the CISO is sweating bullets.

Wanna Know a “Why” Secret About Bredemarket’s TPRM Content?

(The picture is only from Imagen 3. I’ve been using it since January, as you will see.)

Here’s a “why” question: why does Bredemarket write the things it writes about?

Several reasons:

  • To promote Bredemarket’s services so that you meet with me and buy them.
  • To educate about Bredemarket’s target industries of identity/biometrics, technology, and Inland Empire business.
  • To dive into specific topics that interest me, such as deepfakes, HiveLLM, identity assurance levels, IMEI uniqueness, and Leonardo Garcia Venegas (the guy with the REAL ID that was real).
  • Because I feel like it.

And then there are really specific reasons such as this one.

In late January I first wrote about third-party risk management (TPRM) and have continued to do so since.

Why?

TPRM firm 1

Because at that time, a TPRM firm had a need for content marketing and product marketing services, and Bredemarket started consulting for the firm.

I was very busy for 2 1/2 months, and the firm was happy with my work. And I got to dive into TPRM issues in great detail:

  • The incredibly large number of third parties that a vendor deals with…possibly numbering into the hundreds. If hundreds of third parties have YOUR data, and just ONE of those third parties is breached, bad things can happen.
  • The delicate balance between automated and manual work. News flash: if you look at my prior employers, you will see that I’ve dealt with this issue for over 30 years.
  • Organizational process maturity. News flash: I used to work for Motorola.
  • All the NIST standards related to TPRM, including NIST’s discussion of FARM (Frame, Assess, Respond, and Monitor). News flash: I’ve known NIST standards for many years.
  • Other relevant standards such as SOC 2. News flash: identity verification firms deal with SOC 2 also.
  • Fourth-party, fifth-party, and other risks. News flash: anyone who was around when AIDS emerged already knows about nth-party risk.

But for internal reasons that I can’t disclose (NDA, you know), the firm had to end my contract.

Never mind, I thought. I had amassed an incredible 75 days of TPRM experience—or about the same time that it takes for a BAD TPRM vendor to complete an assessment. 

But how could I use this?

TPRM firm 2

Why not put my vast experience to use with another TPRM firm? (Honoring the first firm’s NDA, of course.)

So I applied for a product marketing position with another TPRM firm, highlighting my TPRM consulting experience.

The company decided to move forward with other candidates.

The firm had another product marketing opening, so I applied again.

The company decided to move forward with other candidates.

Even if this company had a third position, I couldn’t apply for it because of its “maximum 2 applications in 60 days” rule.

TPRM firm 3

Luckily for me, another TPRM firm had a product marketing opening. TPRM is active; the identity/biometrics industry isn’t hiring this many product marketers.

  • So I applied on Monday, June 2 and received an email confirmation.
  • And received a detailed email on Tuesday, June 3 outlining the firm’s hiring process.
  • And received a third email on Wednesday, June 4:

“Thank you for your application for the Senior Product Marketing Manager position at REDACTED. We really appreciate your interest in joining our company and we want to thank you for the time and energy you invested in your application to us.

“We received a large number of applications, and after carefully reviewing all of them, unfortunately, we have to inform you that this time we won’t be able to invite you to the next round of our hiring process.

“Due to the high number of applications, we are unfortunately not able to provide individual feedback to your application at this early stage of the process.

“Again, we really appreciated your application and we would welcome you to apply to REDACTED in the future. Be sure to keep up to date with future roles at REDACTED by following us on LinkedIn and our other social channels. 

“We wish you all the best in your job search.”

Unfortunately, I apparently did not have “impressive credentials.” Oh well.

TPRM firm 4?

What now?

If nothing else, I will continue to write about TPRM and the issues I listed above.

Well, if any TPRM firm wants to contract with Bredemarket, schedule a meeting: https://bredemarket.com/cpa/

And if any TPRM firm wants to use my technology experience and hire me as a full-time product marketer, contact my personal LinkedIn account: https://www.linkedin.com/in/jbredehoft

I’m motivated to help your firm succeed, and make your competitors regret passing on me.

Sadly, despite my delusions of grandeur and expositor syndrome (to be addressed in a future Bredemarket blog post), I don’t think any TPRM CMOs are quaking in their boots and fearfully crying, “We missed out on Bredehoft, and now he’s going to work for the enemy and crush us!”

But I could be wrong.

Simeio: Identity is the Perimeter of Cybersecurity

Simeio opened its monthly newsletter with a statement. Here is an excerpt:

“May spotlighted how even the most advanced enterprises are vulnerable when identity systems are fragmented, machine identities go unmanaged, and workflows rely too heavily on manual intervention—creating conditions ripe for risk. Enterprises need to get the message: identity is the perimeter of cybersecurity, and orchestration is the force multiplier. It’s time to learn how to effectively leverage it.”

Read the rest of Simeio’s newsletter on LinkedIn at https://www.linkedin.com/pulse/identity-matters-may-2025-identitywithsimeio-iby0e

Of course, there’s that interesting wrinkle of the identities of non-person entities, which may or may not be bound to human identities. Simeio, with its application onboarding solution, plays in the NPE space.

As for me, I need to start thinking about MY Bredemarket monthly LinkedIn newsletter (The Wildebeest Speaks) soon. June approaches. (Here’s the May edition if you missed it.)

Employ Security (6/7)

This is the sixth of seven vendor suggestions I made in my Biometric Update guest post.

“Employ comprehensive security measures. Ensure protection for the data on your systems, your customer systems, and the systems integrated with those systems. Employ third-party risk management (TPRM) to minimize the risk when biometric data is stored with cloud providers, application partners, and companies in the supply chain.”

If you don’t already know this, whenever you read a Bredemarket-authored article, always click the links. This includes the articles I write for others…such as Biometric Update. If you clicked a particular link at the end of my guest post, you found out which third party behaved badly with Customs and Border Protection (CBP) data:

“Facial images of travelers and license plate data have been stolen from a U.S. Customs and Border Protection (CBP) subcontractor….While the agency did not identify the subcontractor to the Post, it did provide a statement titled “CBP Perceptics Public Statement.”…Perceptics was hacked in May, and The Register reported thousands of files…were available on the dark web.”

As I concluded my guest post,

“Do not let this happen to your business.”

But here’s a positive example:

“ID.me will transfer your Biometric Information to our third party partners only when required by a subpoena, warrant, or other court ordered legal action.”
