cybersecurity – Page 3

TPRM: When the Board Gets Involved

As promised, I am going to continue to write about third-party risk management (TPRM).

And as the abstract for a September 9 Gartner roundtable points out, TPRM isn’t just the concern of the Chief Information Security Officer (CISO) any more…

“Third-party networks are expanding, with startups and business model innovators increasingly joining them. The increasing high risk in these networks is prompting boards and senior leaders to enhance and better focus their oversight of TPRM programs.”

Yes…the Board. (Of Directors.)

Now the CISO is sweating bullets.

Wanna Know a “Why” Secret About Bredemarket’s TPRM Content?

Third party risk management, illustrated by a locked safe connected to a breached safe.

(The picture is only from Imagen 3. I’ve been using it since January, as you will see.)

Here’s a “why” question: why does Bredemarket write the things it writes about?

Several reasons:

To promote Bredemarket’s services so that you meet with me and buy them.
To educate about Bredemarket’s target industries of identity/biometrics, technology, and Inland Empire business.
To dive into specific topics that interest me, such as deepfakes, HiveLLM, identity assurance levels, IMEI uniqueness, and Leonardo Garcia Venegas (the guy with the REAL ID that was real).
Because I feel like it.

And then there are really specific reasons such as this one.

In late January I first wrote about third-party risk management (TPRM) and have continued to do so since.

Why?

TPRM firm 1

Because at that time, a TPRM firm had a need for content marketing and product marketing services, and Bredemarket started consulting for the firm.

I was very busy for 2 1/2 months, and the firm was happy with my work. And I got to dive into TPRM issues in great detail:

The incredibly large number of third parties that a vendor deals with…possibly numbering into the hundreds. If hundreds of third parties have YOUR data, and just ONE of those third parties is breached, bad things can happen.
The delicate balance between automated and manual work. News flash: if you look at my prior employers, you will see that I’ve dealt with this issue for over 30 years.
Organizational process maturity. News flash: I used to work for Motorola.
All the NIST standards related to TPRM, including NIST’s discussion of FARM (Frame, Assess, Respond, and Monitor). News flash: I’ve known NIST standards for many years.
Other relevant standards such as SOC 2. News flash: identity verification firms deal with SOC 2 also.
Fourth-party, fifth-party, and other risks. News flash: anyone that was around when AIDS emerged already knows about nth-party risk.

But for internal reasons that I can’t disclose (NDA, you know), the firm had to end my contract.

Never mind, I thought. I had amassed an incredible 75 days of TPRM experience—or about the same time that it takes for a BAD TPRM vendor to complete an assessment.

But how could I use this?

TPRM firm 2

Why not put my vast experience to use with another TPRM firm? (Honoring the first firm’s NDA, of course.)

So I applied for a product marketing position with another TPRM firm, highlighting my TPRM consulting experience.

The company decided to move forward with other candidates.

The firm had another product marketing opening, so I applied again.

The company decided to move forward with other candidates.

Even if this company had a third position, I couldn’t apply for it because of its “maximum 2 applications in 60 days” rule.

TPRM firm 3

Luckily for me, another TPRM firm had a product marketing opening. TPRM is active; the identity/biometrics industry isn’t hiring this many product marketers.

So I applied on Monday, June 2 and received an email confirmation:
And received a detailed email on Tuesday, June 3 outlining the firm’s hiring process.
And received a third email on Wednesday, June 4:

“Thank you for your application for the Senior Product Marketing Manager position at REDACTED. We really appreciate your interest in joining our company and we want to thank you for the time and energy you invested in your application to us.

“We received a large number of applications, and after carefully reviewing all of them, unfortunately, we have to inform you that this time we won’t be able to invite you to the next round of our hiring process.

“Due to the high number of applications, we are unfortunately not able to provide individual feedback to your application at this early stage of the process.

“Again, we really appreciated your application and we would welcome you to apply to REDACTED in the future. Be sure to keep up to date with future roles at REDACTED by following us on LinkedIn and our other social channels.

“We wish you all the best in your job search.”

Unfortunately, I apparently did not have “impressive credentials.” Oh well.

TPRM firm 4?

What now?

If nothing else, I will continue to write about TPRM and the issues I listed above.

Well, if any TPRM firm wants to contract with Bredemarket, schedule a meeting: https://bredemarket.com/cpa/

And if any TPRM firm wants to use my technology experience and hire me as a full-time product marketer, contact my personal LinkedIn account: https://www.linkedin.com/in/jbredehoft

I’m motivated to help your firm succeed, and make your competitors regret passing on me.

Sadly, despite my delusions of grandeur and expositor syndrome (to be addressed in a future Bredemarket blog post), I don’t think any TPRM CMOs are quaking in their boots and fearfully crying, “We missed out on Bredehoft, and now he’s going to work for the enemy and crush us!”

But I could be wrong.

Simeio: Identity is the Perimeter of Cybersecurity

Simeio opened its monthly newsletter with a statement. Here is an excerpt:

“May spotlighted how even the most advanced enterprises are vulnerable when identity systems are fragmented, machine identities go unmanaged, and workflows rely too heavily on manual intervention—creating conditions ripe for risk. Enterprises need to get the message: identity is the perimeter of cybersecurity, and orchestration is the force multiplier. It’s time to learn how to effectively leverage it.”

Read the rest of Simeio’s newsletter on LinkedIn at https://www.linkedin.com/pulse/identity-matters-may-2025-identitywithsimeio-iby0e

Of course, there’s that interesting wrinkle of the identities of non-person entities, which may or may not be bound to human identities. Simeio, with its application onboarding solution, plays in the NPE space.

As for me, I need to start thinking about MY Bredemarket monthly LinkedIn newsletter (The Wildebeest Speaks) soon. June approaches. (Here’s the May edition if you missed it.)

Employ Security (6/7)

This is the sixth of seven vendor suggestions I made in my Biometric Update guest post.

“Employ comprehensive security measures. Ensure protection for the data on your systems, your customer systems, and the systems integrated with those systems. Employ third-party risk management (TPRM) to minimize the risk when biometric data is stored with cloud providers, application partners, and companies in the supply chain.”

If you don’t already know this, whenever you read a Bredemarket-authored article, always click the links. This includes the articles I write for others…such as Biometric Update. If you clicked a particular link at the end of my guest post, you found out which third party behaved badly with Customs and Border Protection (CBP) data:

“Facial images of travelers and license plate data have been stolen from a U.S. Customs and Border Protection (CBP) subcontractor….While the agency did not identify the subcontractor to the Post, it did provide a statement titled “CBP Perceptics Public Statement.”…Perceptics was hacked in May, and The Register reported thousands of files…were available on the dark web.”

As I concluded my guest post,

“Do not let this happen to your business.”

But here’s a positive example:

“ID.me will transfer your Biometric Information to our third party partners only when required by a subpoena, warrant, or other court ordered legal action.”

(Imagen 3)

Driver’s License Data and Third Party Risk Management

An iguana wearing sunglasses steals a driver's license from a conveyer belt, representing identity fraud.

It gets real tomorrow, with the enforcement date (sort of) for REAL ID at federal installations and airports. But what about the privacy of the data behind REAL IDs?

Bela Kumar of Jumio Corporation was recently interviewed by CNBC for an article about REAL ID and the data sharing behind it.

As can be expected, some people are very concerned about what this means.

“[C]oncerns persist among privacy professionals that the next step will be a federal database of driver’s license information, which is bad from a privacy and cybersecurity standpoint, said Jay Stanley, a senior policy analyst with the American Civil Liberties Union.

“‘The more information the government has, the more the government might use that information,’ said Jodi Daniels, founder and chief executive of Red Clover Advisors, a privacy consulting company. ‘But that’s not what’s happening now,’ she added.”

Kumar addressed what IS happening now, and whether our personally identifiable information (PII) is protected.

“States have been issuing driver’s licenses for many years, and personal information is already being stored. The expectation is that the same controls apply to Real ID, said Bala Kumar, chief product and technology officer at Jumio, an online mobile payment and identity verification company. ‘States have already been managing this for many years,’ Kumar said.”

If you continue to read the article, you’ll also see a statement from the American Association of Motor Vehicle Administrators that echoes what Jumio said.

But as a former IDEMIA employee, my curiosity was piqued.

Has anyone ever gained unauthorized access to a state driver’s license database?

So I checked, and could not find an example of unauthorized access to a state driver’s license database.

But I DID find an example of unauthorized access to driver’s license DATA that was processed by a third party. The State of Louisiana issued a notice that included the following:

“On May 31, 2023, Progress Software Corporation, which developed and supports the MOVEIt managed file transfer platform, notified all customers across the globe, including [Louisiana Office of Motor Vehicles], of a zero-day vulnerability that an unauthorized party leveraged to access and acquire data without authorization. Upon learning of the incident, immediate measures were taken to secure the MOVEIt environment utilized to transfer files. A thorough investigation was conducted, and it was determined that there was unauthorized acquisition of and access to OMV files in the MOVEIt environment….

“The information varied by individual but included name and one or more of the following: address, date of birth, Social Security number, driver’s license, learner’s permit, or identification card number, height, eye color, vehicle registration information, and handicap placard information.”

Well, at least the hacked data didn’t include weight. Or claimed weight.

Cybersecurity professionals know that you cannot completely prevent these hacks. Which explains the “risk” in third party risk management. Progress Software has been around for a long time; I worked with Progress Software BEFORE I began my biometric career. But these hacks (in this case, CVE-2023-34362 as documented by CISA) can happen to anyone.

Be cautious, and remember that others with good intentions might not be cautious enough.

CVE 2026

As I mentioned earlier, funding for the Common Vulnerabilities and Exposures program was extended. The details:

“The U.S. Cybersecurity and Infrastructure Security Agency said that Mitre, which has run the CVE Program since its launch in 1999, can continue to do so until early March 2026.

“This is a temporary solution. Clearly, the U.S. government wants to get rid of CISA paying for the CVE program. Someone else needs to seize the funding and governance reigns, and the opportunity to do so allows for creating a less U.S.-centric endeavor.”

If a new funding mechanism can ensure technical program continuity—while at the same time providing the $30 million business continuity by shielding the program from the chaotic whims of one country and one person—then this could be a long term solution.

The cybersecurity ecosystem has a little over 10 months to figure out how to fund the CVE program beginning in 2026.

Which means that nothing of substance will get done for the next 9 months. (How’s that TikTok sale going?)

Well, maybe North Korea will volunteer to fund the program…

(Imagen 3)

May 1 is World Password Day

The KnowledgeFlow Cybersecurity Foundation reminds us that the Upland Amazon Fresh grand opening isn’t the only big event this Thursday.

“World Password Day occurs on the first Thursday in May each year. It’s a day dedicated to raising awareness about the importance of password security and promoting good password practices to enhance your online security.”

And even if you belong to the “passwords are dead” movement, you’d better celebrate anyway because passwords will remain longer than you think.

(Imagen 3)

Hacking the May 7 Papal Conclave

This past weekend the world watched the funeral of Pope Francis.

Which means that the time has come to select a new Pope. The conclave for this purpose will begin on May 7.

The papal conclaves that convene to select a new Pope are notorious for their secrecy. The Cardinals who select the new Pope are locked away and generally cannot communicate with the outside world. With one exception: black smoke appears if a vote does not result in the election of a Pope, or white smoke if a Pope is elected.

Because the selection of a Pope has massive influence on both religious and secular affairs worldwide, there are those who desire to hack the papal conclave to get inside information.

Which is why the Vatican employs a cybersecurity expert.

“[I]n in October 2019…the Vatican appointed Gianluca Gauzzi Broccoletti as its Director of Security Services.

“Broccoletti brought robust and vigorous experience from previous roles in Italian law enforcement and cybersecurity.

“Under his leadership, the team modernized the Papacy’s setup, with a strong emphasis on AI-powered threat analysis and digital forensics.”

Broccoletti and his staff employ a wide variety of cybersecurity techniques, including phone bans, security cameras, signal jammers, endpoint monitoring, and armed guards.

But this is the first papal conclave conducted under Broccoletti’s watch.

Will he maintain the secrecy of the ballot?

And if you offer a cybersecurity solution, how will your prospects learn about it?

Bredemarket can help:

compelling content creation
winning proposal development
actionable analysis

Book a call: https://bredemarket.com/cpa/

(Imagen 3)

Why Replacing Your Employees with VLM NPE Bots Won’t Defeat Social Engineering

(Scammed bot finger picture from Imagen 3)

Your cybersecurity firm can provide the most amazing protection software to your clients, and the clients still won’t be safe.

Why not? Because of the human element. All it takes is one half-asleep employee to answer that “We received your $3,495 payment” email. Then all your protections go for naught.

The solution is simple: eliminate the humans.

Eliminating the human element

Companies are replacing humans with bots for other rea$on$. But an added benefit is that when you bring in the non-person entities (NPEs) who are never tired and never emotional, social engineering is no longer effective. Right?

Well, you can social engineer the bot NPEs also.

Birthday MINJA

Last month I wrote a post entitled “An ‘Injection’ Attack That Doesn’t Bypass Standard Channels?” It discussed a technique known as a memory injection attack (MINJA). In the post I was able to sort of (danged quotes!) get an LLM to say that Donald Trump was born on February 22, 1732.

(Image from a Google Gemini prompt and response)

Fooling vision-language models

But there are more serious instances in which bots can be fooled, according to Ben Dickson.

“Visual agents that understand graphical user interfaces and perform actions are becoming frontiers of competition in the AI arms race….

“These agents use vision-language models (VLMs) to interpret graphical user interfaces (GUI) like web pages or screenshots. Given a user request, the agent parses the visual information, locates the relevant elements on the page, and takes actions like clicking buttons or filling forms.”

Clicking buttons seems safe…until you realize that some buttons are so obviously scambait that most humans are smart enough NOT to click on them.

What about the NPE bots?

“They carefully designed and positioned adversarial pop-ups on web pages and tested their effects on several frontier VLMs, including different variants of GPT-4, Gemini, and Claude.

“The results of the experiments show that all tested models were highly susceptible to the adversarial pop-ups, with attack success rates (ASR) exceeding 80% on some tests.”

Educating your users

Your cybersecurity firm needs to educate. You need to warn humans about social engineering. And you need to warn AI masters that bots can also be social engineered.

But what if you can’t? What if your resources are already stretched thin?

If you need help with your cybersecurity product marketing, Bredemarket has an opening for a cybersecurity client. I can offer

compelling content creation
winning proposal development
actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

Now I’m Just Playing with Google Gemini

I asked Imagen 3 to help me illustrate nth party risk management.

Where you are connected with everyone to whom your connections are connected.

But I wanted to illustrate third-party risk management in a clean way. Back when AIDS became a sad feature of our lives in the 1980s, the description of how it spread from person to person could get a little graphic.