Is “Autonomous SOC” Real?

On the long-standing debate on the mix between automation and manual operations, here’s what the Cyber Security Hub says:

100+ AI security startups claim they can replace Tier 1 and Tier 2 SOC analysts with 24/7 LLMs. They promise AI can triage, detect, and respond—no humans needed.

But here’s the reality:

  • AI tools hallucinate and miss context
  • Custom attacks slip by without human insight
  • Escalations stall when no one’s validating alerts…

…This isn’t about rejecting AI. It’s about using it wisely—and never cutting people out of the loop.

More here: https://www.linkedin.com/pulse/ai-cant-run-your-soc-heres-guide-proves-the-cyber-security-hub-awa9e

Is the Cyber Security Hub correct? 

Are there truly over 100 firms who promise a completely automated cybersecurity solution?

More importantly, can 100% “autonomous SOC” be circumvented by a determined opponent?

Do Your Technology Prospects Know the Critical Importance of “Continuous” Access Evaluation?

Today’s word is continuous. A word that your technology solution prospects need to understand.

The problem

The Identity Jedi just shared the dirty little secret that we all know but aren’t willing to admit.

[A]ccess reviews aren’t inherently about security — they’re about satisfying auditors.”

The Jedi’s assumption is that the access review is a periodic one, completely satisfied by manually checking boxes.

Because it’s easier to evaluate whether a box is checked than to evaluate whether the system is truly secure, and people who no longer deserve access don’t have it.

The solution

But companies move beyond check boxes anyway, because they realize the other point that the Identity Jedi made.

“Instead of waiting for quarterly reviews, implement continuous access evaluation that flags high-risk or out-of-policy access the moment it happens — not months later.”

Many cybersecurity and TPRM vendors have implemented continuous access evaluation. Has yours?

For the continued access evaluation vendors

And if you are a vendor of a continued access evaluation solution, do your prospects know about why it’s critically important, and the benefits that such a solution provides?

If you haven’t told your prospects about the benefits of continuous access evaluation, it’s time.

And I can help.

A Jewelry-related Third-Party Breach: What Could Go Wrong?

Check this article from cyberdaily.au regarding a reported third-party breach. This one is from Danish jewelry brand Pandora.

“The company said that impacted data includes names, birthdates and email addresses, but that financial information, government identifiers and passwords were not accessed by the threat actors.”

So who was the third party? BleepingComputer has that part of the story:

“While Pandora has not shared the name of the third-party platform, BleepingComputer has learned that the data was stolen from the company’s Salesforce database.”

Not that it’s necessarily Salesforce’s fault. Access could have been granted by a Pandora employee as part of a social engineering attack.

All Salesforce users should read “Protect Your Salesforce Environment from Social Engineering Threats.”

It’s not just a technical issue, but also a business process issue.

Or a user education issue.

Bredemarket can help firms educate their users. Talk to me.

Is There a Calculator On That Slide Rule?

(Imagen 4)

Once again I’m painting a picture, this time of two people: the IT chick, deftly wielding her slide rule as she sizes up hardware and software, and the finance dude, deftly wielding his calculator as he tabulates profit, loss, and other money stuff. Each of them in their own little worlds.

Despite the thoughts of Norman Marks in his post “Cyber is one of many business risks.”

  • “Many years ago, my friend Ed Hill, a Managing Director with Protiviti at the time, coined the expression ‘there is no such thing as IT risk. There is only business risk.’”
  • “The [Qualsys] report reveals a persistent disconnect between cybersecurity operations and business outcomes. While 49% of respondents reported having formal risk programmes, only 30% link them directly to business objectives. Even fewer (18%) use integrated risk scenarios that consider both business processes and financial exposure.”

I admit that I often draw a clear distinction between technical risk and business risk. For example, the supposedly separate questions regarding whether a third-party risk management (TPRM) algorithm is accurate, and what happens if an end customer sues your company because the end customer’s personally identifiable information was breached on your partner company’s system.

Imagen 4.

So make sure that when your IT chick wields her slide rule, the tool has an embedded calculator on it to quantify the financial effects of her IT decisions.

Is There a Calculator On That Slide Rule?

How Many Authentication Factor Types Are There?

(Imagen 4)

An authentication factor is a discrete method of authenticating yourself. Each factor is a distinct category.

For example, authenticating with fingerprint biometrics and authenticating with facial image biometrics are both the same factor type, because they both involve “something you are.”

But how many factors are there?

Three factors of authentication

There are some people who argue that there are only really three authentication factors:

  • Something you know, such as a password, or a personal identification number (PIN), or your mother’s maiden name.
  • Something you have, such as a driver’s license, passport, or hardware or software token.
  • Something you are, such as the aforementioned fingerprint and facial image, plus others such as iris, voice, vein, DNA, and behavioral biometrics such as gait.

Five factors of authentication, not three

I argue that there are more than three.

  • Something you do, such as super-secret swiping patterns to unlock a device.
  • Somewhere you are, or geolocation.

For some of us, these are the five standard authentication factors. And they can also function for identity verification.

Six factors of authentication, not five

But I’ve postulated that there is one more.

  • Somewhat you why, or a measure of intent and reasonableness.

For example, take a person with a particular password, ID card, biometric, action, and geolocation (the five factors). Sometimes this person may deserve access, sometimes they may not.

  • The person may deserve access if they are an employee and arrive at the location during working hours.
  • That same person may deserve access if they were fired and are returning a company computer. (But wouldn’t their ID card and biometric access have already been revoked if they were fired? Sometimes…sometimes not.)
  • That same person may NOT deserve access if they were fired and they’re heading straight for their former boss’ personal HR file.

Or maybe just five factors of authentication

Now not everyone agrees that this sixth factor of authentication is truly a factor. If “not everyone” means no one, and I’m the only person blabbering about it.

So while I still work on evangelizing the sixth factor, use the partially accepted notion that there are five factors.

It’s All About Me 2: I Ask, Then I Act

Continuing my self-promotion, as opposed to promotion of my Bredemarket marketing and writing consultancy, how do I promote myself to companies outside of identity and biometrics? 

For example, cybersecurity firms, or third-party risk management (TPRM) firms, or content management system (CMS) firms, or healthcare firms (the non-identification biometric)?

By emphasizing that I ask, then I act.

Resonating with both the Simon Sinek devotees, and the bias to action adherents.

Short in duration, heavy on symbolism, and daring to mention “B2G” before “B2B.” That will start a conversation.

And then if someone fixates on the biometric modalities…

…I will redirect the person to Part One.

I ask, then I act.

About ISO 27001

I’ve previously discussed SOC 2 and its governance in the Bredemarket blog, and I encountered SOC 2 again in a Wednesday webinar from Drata and Armanino, “Ask an Auditor: SOC 2 & ISO 27001 Tips, Tricks, and Pitfalls to Avoid.”

From Drata.

Armanino is the auditor, while Drata is an automation platform that assists companies in measuring conformance to SOC 2, ISO/IEC 27001, and other standards.

The webinar was in the form of an Ask Me Anything session, so naturally a comparison of SOC 2 and ISO/IEC 27001 came up.

As I previously mentioned, the SOC suite was developed by the Association of International Certified Professional Accountants. ISO standards are published by the International Organization for Standardization.

And ISO/IEC 27001 provides an actual certification, unlike SOC 2 which is an atteatation (or iBeta PAD testing, which indicates conformance).

So what is ISO/IEC 27001?

Let’s ask ISO:

“ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.

“The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system….

“ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience andoperational excellence.”

For additional information, see Drata’s page.

Will There Be FEWER States with Mobile Driver’s Licenses in the Future?

(Imagen 3)

Normally when states adopt a new technology, one state will first adopt it, followed by other states, until eventually all states adopt it. (Take REAL ID.)

It’s rare that a state adopts an emerging technology and then trashes it.

Last year

But that’s exactly what happened in Florida last summer, when the state withdrew support for its Thales mobile driver’s license (mDL) pending the creation of a new mDL from a new vendor.

Update as of June 2025…there isn’t one.

“The Florida Smart ID applications will be updated and improved by a new vendor. At this time, the Florida Department of Highway Safety and Motor Vehicles is removing the current Florida Smart ID application from the app store. Please email FloridaSmartID@flhsmv.gov to receive notification of future availability.”

This year

But hey, I’m sure Florida is working behind the scenes to develop a new mDL. After all, digital identity remains a federal priority.

Um…check Biometric Update.

“At the forefront of the Trump administration’s cybersecurity shift is the categorical removal of Biden-era digital identity initiatives which had encouraged federal agencies to accept digital identity documents to access public benefit programs and promoted federal grants to help states develop secure mobile driver’s licenses.”

Biometric Update is specifically referring to President Donald Trump’s Executive Order issued last Friday, which affects cybersecurity efforts in general. Lots of use of the Q word.

Next year?

But if states aren’t receiving federal funding to develop mDLs, and if states decide that only physical driver’s licenses are in their interest, then will mDL adoption slow?

Or may other states follow Florida’s lead and let their contracts with mDL vendors expire?

SWOT analysis advocates…this is a threat.

Oh, and by the way…don’t forget that moving from mDLs back to physical driver’s licenses leads to a certain loss of privacy

Privacy.

TPRM: When the Board Gets Involved

As promised, I am going to continue to write about third-party risk management (TPRM).

And as the abstract for a September 9 Gartner roundtable points out, TPRM isn’t just the concern of the Chief Information Security Officer (CISO) any more…

“Third-party networks are expanding, with startups and business model innovators increasingly joining them. The increasing high risk in these networks is prompting boards and senior leaders to enhance and better focus their oversight of TPRM programs.”

Yes…the Board. (Of Directors.)

Now the CISO is sweating bullets.