“The new Sophos logo nods to our history, but it’s reimagined with a shield that represents our defense against cyberattacks. Inside that shield lives the dual strength of Sophos: AI-native technology and world-class human expertise. Together, they create unmatched defense that adapts as fast as threats evolve.”
Oh, and the consultation:
“Our partners are core to our success, and their feedback on the rebrand has been energizing…”
My bet is that Sophos will not have to withdraw this logo, like another logo change that was recently reversed.
Have you ever used the phrase “sort of unique”? Something is either unique or it isn’t. And International Mobile Equipment Identity (IMEI) numbers fail the uniqueness test.
Claims that International Mobile Equipment Identity (IMEI) numbers are unique
Here’s what a few companies say about the IMEI number on each mobile phone. Emphasis mine.
Thales: “The IMEI (International Mobile Equipment Identity) number is a unique 15-digit serial number for identifying a device; every mobile phone in the world has one.”
Verizon: “An IMEI stands for International Mobile Equipment Identity. Think of it as your phone’s fingerprint — it’s a 15-digit number unique to each device.”
Blue Goat Cyber: “In today’s interconnected world, where our smartphones have become an indispensable part of our lives, it is essential to understand the concept of IMEI – the International Mobile Equipment Identity. This unique identifier plays a crucial role in various aspects of our mobile devices, from security to tracking and repairs.”
These and other descriptions of the IMEI prominently use the word “unique.” Not “sort of unique,” but “unique.”
Which means (for non-person entities, just like persons) that if someone can find a SINGLE reliable instance of more than one mobile phone having the same IMEI number, then the claim of uniqueness falls apart completely.
Examples of non-uniqueness of IMEI numbers on mobile phones
“In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.
“The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning.”
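One check a practitioner will want to see here is what a “valid” IMEI actually proves. The 15 digits are an 8-digit Type Allocation Code, a 6-digit serial number, and a Luhn check digit (3GPP TS 23.003). The following is an added example, not code from the original post or from any of the quoted companies: it validates the check digit and then shows that a cloned IMEI passes the same test, so format validity is no evidence of uniqueness. The sighting data, the IMSI labels, and the “same IMEI with more than one subscriber” heuristic are constructed assumptions for the example.

```python
import re
from collections import defaultdict


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a string of decimal digits (the scheme the IMEI uses)."""
    total = 0
    # Walk from the rightmost payload digit; that digit (the one just left of the
    # check digit) and every second digit after it are doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei: str) -> bool:
    """True if the string is 15 digits (spaces/dashes ignored) with a correct check digit.

    This proves the string is well-formed. It says nothing about whether another
    handset is using the same number.
    """
    digits = re.sub(r"[\s-]", "", imei)
    if not re.fullmatch(r"[0-9]{15}", digits):
        return False
    return luhn_check_digit(digits[:14]) == int(digits[14])


def shared_imeis(sightings):
    """Constructed heuristic (assumption for this example, not a standard rule):
    an IMEI observed with more than one subscriber identity (IMSI) in the same
    observation window is a cloning candidate. A legitimate SIM swap inside the
    window would also trip it, so treat the output as a lead, not proof."""
    by_imei = defaultdict(set)
    for imei, imsi in sightings:
        by_imei[imei].add(imsi)
    return sorted(imei for imei, imsis in by_imei.items() if len(imsis) > 1)


# Constructed sample data. 49-015420-323751-8 is the commonly used documentation
# example IMEI; the second IMEI and all IMSI labels are made up for this example.
SAMPLE_SIGHTINGS = [
    ("490154203237518", "imsi-A"),
    ("490154203237518", "imsi-B"),   # same IMEI, different subscriber: clone candidate
    ("490154203237518", "imsi-A"),
    ("352099001761481", "imsi-C"),
]


def clone_report(sightings):
    """Return (all_well_formed, clone_candidates): every IMEI passes the format
    check, yet one of them is shared by two subscribers."""
    all_well_formed = all(is_valid_imei(imei) for imei, _ in sightings)
    return all_well_formed, shared_imeis(sightings)


if __name__ == "__main__":
    print(is_valid_imei("49-015420-323751-8"))   # True: well-formed
    print(is_valid_imei("490154203237519"))      # False: check digit wrong
    print(clone_report(SAMPLE_SIGHTINGS))        # (True, ['490154203237518'])
```

The second function is where the argument in the post lands: both sightings of 490154203237518 are perfectly valid IMEIs, and nothing in the number itself tells you which handset is the original.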
So don’t claim an IMEI is unique when there is evidence to the contrary. As I said in my April post:
“NOTHING provides 100.00000% security. Not even an IMEI number.”
What does this mean for your identity product?
If you offer an identity product, educate your prospects and avoid unsupportable claims. While a few prospects may be swayed by “100%” claims, the smarter ones will appreciate more supportable statements, such as “Our facial recognition algorithm demonstrated a 0.0022 false non-match rate in the mugshot:mugshot NIST FRTE 1:1 laboratory testing.”
When you are truthful in educating your prospects, they will (apologies in advance for using this overused word) trust you and become more inclined to buy from you.
If you need help in creating content (blog posts, case studies, white papers, proposals, and many more), work with Bredemarket to create the customer-focused content you need. Book a free meeting with me.
On the long-standing debate on the mix between automation and manual operations, here’s what the Cyber Security Hub says:
100+ AI security startups claim they can replace Tier 1 and Tier 2 SOC analysts with 24/7 LLMs. They promise AI can triage, detect, and respond—no humans needed.
But here’s the reality:
AI tools hallucinate and miss context
Custom attacks slip by without human insight
Escalations stall when no one’s validating alerts…
…This isn’t about rejecting AI. It’s about using it wisely—and never cutting people out of the loop.
“[A]ccess reviews aren’t inherently about security — they’re about satisfying auditors.”
The Jedi’s assumption is that the access review is a periodic one, completely satisfied by manually checking boxes.
Because it’s easier to evaluate whether a box is checked than to evaluate whether the system is truly secure, and whether the people who no longer deserve access have actually lost it.
The solution
But companies move beyond check boxes anyway, because they realize the other point that the Identity Jedi made.
“Instead of waiting for quarterly reviews, implement continuous access evaluation that flags high-risk or out-of-policy access the moment it happens — not months later.”
Many cybersecurity and TPRM vendors have implemented continuous access evaluation. Has yours?
For the continuous access evaluation vendors
And if you are a vendor of a continuous access evaluation solution, do your prospects know why it’s critically important, and the benefits that such a solution provides?
If you haven’t told your prospects about the benefits of continuous access evaluation, it’s time.
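To make the quarterly-review versus continuous-evaluation contrast concrete, here is an added example (not code from the original post, from the Identity Jedi, or from any vendor named here) of the simplest possible continuous access evaluation loop: each grant, use, or termination event is checked against policy the moment it arrives, and out-of-policy or high-risk events are flagged with a reason. The departments, role names, policy table, event format, and sample events are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    department: str
    status: str                       # "active" or "terminated"
    roles: set = field(default_factory=set)


# Assumed policy for this example: the roles each department may hold, and the
# subset of roles that must carry a recorded approver.
ROLE_POLICY = {
    "engineering": {"repo-read", "repo-write", "ci-admin"},
    "finance":     {"ledger-read", "ledger-write"},
    "hr":          {"hris-read", "hris-write"},
}
PRIVILEGED_ROLES = {"ci-admin", "ledger-write", "hris-write"}


def evaluate_event(event: dict, users: dict) -> list:
    """Evaluate one event against policy; return a list of finding codes ([] if clean)."""
    findings = []
    user = users.get(event["user"])
    if user is None:
        return ["unknown-principal"]            # activity by an identity we do not manage
    if user.status == "terminated":
        findings.append("terminated-user-activity")

    if event["type"] == "grant":
        role = event["role"]
        if role not in ROLE_POLICY.get(user.department, set()):
            findings.append("out-of-policy-role")
        if role in PRIVILEGED_ROLES and not event.get("approved_by"):
            findings.append("privileged-grant-without-approval")
        if event.get("granted_by") == user.user_id:
            findings.append("self-grant")
        # Record the grant even when flagged, so later use of it is traceable.
        user.roles.add(role)
    elif event["type"] == "use":
        if event["role"] not in user.roles:
            findings.append("use-without-grant")
    elif event["type"] == "terminate":
        user.status = "terminated"
        if user.roles:                            # entitlements should go with the badge
            findings.append("roles-still-assigned-at-termination")
    return findings


def evaluate_stream(events, users) -> dict:
    """Evaluate events in arrival order; return {event_id: findings} for flagged events only."""
    flagged = {}
    for ev in events:
        findings = evaluate_event(ev, users)
        if findings:
            flagged[ev["id"]] = findings
    return flagged


def build_users() -> dict:
    """Constructed directory for the example."""
    return {
        "alice": User("alice", "engineering", "active"),
        "bob":   User("bob", "finance", "active"),
        "carol": User("carol", "hr", "active"),
    }


# Constructed event stream (not real log data).
SAMPLE_EVENTS = [
    {"id": 1, "type": "grant", "user": "alice", "role": "repo-write", "granted_by": "mgr-eng", "approved_by": None},
    {"id": 2, "type": "grant", "user": "alice", "role": "ci-admin",   "granted_by": "alice",   "approved_by": None},
    {"id": 3, "type": "grant", "user": "bob",   "role": "hris-read",  "granted_by": "mgr-fin", "approved_by": None},
    {"id": 4, "type": "terminate", "user": "alice"},
    {"id": 5, "type": "use", "user": "alice",   "role": "repo-write"},
    {"id": 6, "type": "use", "user": "carol",   "role": "hris-write"},
    {"id": 7, "type": "use", "user": "mallory", "role": "repo-read"},
]


if __name__ == "__main__":
    for event_id, findings in evaluate_stream(SAMPLE_EVENTS, build_users()).items():
        print(event_id, findings)
```

Event 1 is clean and produces nothing. Event 2 (a privileged self-grant with no approver), event 3 (a finance user handed an HR role), event 4 (a termination that leaves roles in place), and event 5 (a terminated user still using a role) are exactly the cases a quarterly checkbox review would surface months late, if at all; here each one is flagged as it happens.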
Check this article from cyberdaily.au regarding a reported third-party breach. This one is from Danish jewelry brand Pandora.
“The company said that impacted data includes names, birthdates and email addresses, but that financial information, government identifiers and passwords were not accessed by the threat actors.”
“While Pandora has not shared the name of the third-party platform, BleepingComputer has learned that the data was stolen from the company’s Salesforce database.”
Not that it’s necessarily Salesforce’s fault. Access could have been granted by a Pandora employee as part of a social engineering attack.
Once again I’m painting a picture, this time of two people: the IT chick, deftly wielding her slide rule as she sizes up hardware and software, and the finance dude, deftly wielding his calculator as he tabulates profit, loss, and other money stuff. Each of them in their own little worlds.
“Many years ago, my friend Ed Hill, a Managing Director with Protiviti at the time, coined the expression ‘there is no such thing as IT risk. There is only business risk.’”
“The [Qualys] report reveals a persistent disconnect between cybersecurity operations and business outcomes. While 49% of respondents reported having formal risk programmes, only 30% link them directly to business objectives. Even fewer (18%) use integrated risk scenarios that consider both business processes and financial exposure.”
I admit that I often draw a clear distinction between technical risk and business risk. For example, the supposedly separate questions regarding whether a third-party risk management (TPRM) algorithm is accurate, and what happens if an end customer sues your company because the end customer’s personally identifiable information was breached on your partner company’s system.
Imagen 4.
So make sure that when your IT chick wields her slide rule, the tool has an embedded calculator on it to quantify the financial effects of her IT decisions.
An authentication factor is a discrete method of authenticating yourself. Each factor is a distinct category.
For example, authenticating with fingerprint biometrics and authenticating with facial image biometrics are both the same factor type, because they both involve “something you are.”
But how many factors are there?
Three factors of authentication
There are some people who argue that there are only really three authentication factors:
Something you know, such as a password, or a personal identification number (PIN), or your mother’s maiden name.
Something you have, such as a driver’s license, passport, or hardware or software token.
Something you are, such as the aforementioned fingerprint and facial image, plus others such as iris, voice, vein, DNA, and behavioral biometrics such as gait.
Something you why, or a measure of intent and reasonableness. This is the sixth factor, on top of the widely discussed five (the three above, plus something you do and somewhere you are).
For example, take a person with a particular password, ID card, biometric, action, and geolocation (the five factors). Sometimes this person may deserve access, sometimes they may not.
The person may deserve access if they are an employee and arrive at the location during working hours.
That same person may deserve access if they were fired and are returning a company computer. (But wouldn’t their ID card and biometric access have already been revoked if they were fired? Sometimes…sometimes not.)
That same person may NOT deserve access if they were fired and they’re heading straight for their former boss’ personal HR file.
Or maybe just five factors of authentication
Now not everyone agrees that this sixth factor of authentication is truly a factor. (If “not everyone” means no one, then I’m the only person blabbering about it.)
So while I still work on evangelizing the sixth factor, use the partially accepted notion that there are five factors.
Continuing my self-promotion, as opposed to promotion of my Bredemarket marketing and writing consultancy, how do I promote myself to companies outside of identity and biometrics?
For example, cybersecurity firms, or third-party risk management (TPRM) firms, or content management system (CMS) firms, or healthcare firms (the non-identification biometric)?
By emphasizing that I ask, then I act.
Resonating with both the Simon Sinek devotees, and the bias to action adherents.
Short in duration, heavy on symbolism, and daring to mention “B2G” before “B2B.” That will start a conversation.
And then if someone fixates on the biometric modalities…
I’ve previously discussed SOC 2 and its governance in the Bredemarket blog, and I encountered SOC 2 again in a Wednesday webinar from Drata and Armanino, “Ask an Auditor: SOC 2 & ISO 27001 Tips, Tricks, and Pitfalls to Avoid.”
From Drata.
Armanino is the auditor, while Drata is an automation platform that assists companies in measuring conformance to SOC 2, ISO/IEC 27001, and other standards.
The webinar was in the form of an Ask Me Anything session, so naturally a comparison of SOC 2 and ISO/IEC 27001 came up.
As I previously mentioned, the SOC suite was developed by the American Institute of CPAs (AICPA), now part of the Association of International Certified Professional Accountants. ISO standards are published by the International Organization for Standardization.
And ISO/IEC 27001 provides an actual certification, issued by an accredited certification body, unlike SOC 2, which results in an attestation report from a CPA firm (or iBeta PAD testing, which indicates conformance rather than certification).
“ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.
“The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system….
“ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.”