I’ve previously discussed SOC 2 and its governance in the Bredemarket blog, and I encountered SOC 2 again in a Wednesday webinar from Drata and Armanino, “Ask an Auditor: SOC 2 & ISO 27001 Tips, Tricks, and Pitfalls to Avoid.”
From Drata.
Armanino is the auditor, while Drata is an automation platform that assists companies in measuring conformance to SOC 2, ISO/IEC 27001, and other standards.
The webinar was in the form of an Ask Me Anything session, so naturally a comparison of SOC 2 and ISO/IEC 27001 came up.
As I previously mentioned, the SOC suite was developed by the Association of International Certified Professional Accountants. ISO standards are published by the International Organization for Standardization.
And ISO/IEC 27001 provides an actual certification, unlike SOC 2 which is an attestation (or iBeta PAD testing, which indicates conformance).
“ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.
“The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system….
“ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.”
As promised, I am going to continue to write about third-party risk management (TPRM).
And as the abstract for a September 9 Gartner roundtable points out, TPRM isn’t just the concern of the Chief Information Security Officer (CISO) any more…
“Third-party networks are expanding, with startups and business model innovators increasingly joining them. The increasing high risk in these networks is prompting boards and senior leaders to enhance and better focus their oversight of TPRM programs.”
Because at that time, a TPRM firm had a need for content marketing and product marketing services, and Bredemarket started consulting for the firm.
I was very busy for 2 1/2 months, and the firm was happy with my work. And I got to dive into TPRM issues in great detail:
The incredibly large number of third parties that a vendor deals with…possibly numbering into the hundreds. If hundreds of third parties have YOUR data, and just ONE of those third parties is breached, bad things can happen.
The delicate balance between automated and manual work. News flash: if you look at my prior employers, you will see that I’ve dealt with this issue for over 30 years.
Organizational process maturity. News flash: I used to work for Motorola.
All the NIST standards related to TPRM, including NIST’s discussion of FARM (Frame, Assess, Respond, and Monitor). News flash: I’ve known NIST standards for many years.
Other relevant standards such as SOC 2. News flash: identity verification firms deal with SOC 2 also.
Fourth-party, fifth-party, and other risks. News flash: anyone that was around when AIDS emerged already knows about nth-party risk.
But for internal reasons that I can’t disclose (NDA, you know), the firm had to end my contract.
Never mind, I thought. I had amassed an incredible 75 days of TPRM experience—or about the same time that it takes for a BAD TPRM vendor to complete an assessment.
But how could I use this?
TPRM firm 2
Why not put my vast experience to use with another TPRM firm? (Honoring the first firm’s NDA, of course.)
So I applied for a product marketing position with another TPRM firm, highlighting my TPRM consulting experience.
The company decided to move forward with other candidates.
The firm had another product marketing opening, so I applied again.
The company decided to move forward with other candidates.
Even if this company had a third position, I couldn’t apply for it because of its “maximum 2 applications in 60 days” rule.
TPRM firm 3
Luckily for me, another TPRM firm had a product marketing opening. TPRM is active; the identity/biometrics industry isn’t hiring this many product marketers.
So I applied on Monday, June 2 and received an email confirmation:
And received a detailed email on Tuesday, June 3 outlining the firm’s hiring process.
And received a third email on Wednesday, June 4:
“Thank you for your application for the Senior Product Marketing Manager position at REDACTED. We really appreciate your interest in joining our company and we want to thank you for the time and energy you invested in your application to us.
“We received a large number of applications, and after carefully reviewing all of them, unfortunately, we have to inform you that this time we won’t be able to invite you to the next round of our hiring process.
“Due to the high number of applications, we are unfortunately not able to provide individual feedback to your application at this early stage of the process.
“Again, we really appreciated your application and we would welcome you to apply to REDACTED in the future. Be sure to keep up to date with future roles at REDACTED by following us on LinkedIn and our other social channels.
“We wish you all the best in your job search.”
Unfortunately, I apparently did not have “impressive credentials.” Oh well.
TPRM firm 4?
What now?
If nothing else, I will continue to write about TPRM and the issues I listed above.
And if any TPRM firm wants to use my technology experience and hire me as a full-time product marketer, contact my personal LinkedIn account: https://www.linkedin.com/in/jbredehoft
I’m motivated to help your firm succeed, and make your competitors regret passing on me.
Sadly, despite my delusions of grandeur and expositor syndrome (to be addressed in a future Bredemarket blog post), I don’t think any TPRM CMOs are quaking in their boots and fearfully crying, “We missed out on Bredehoft, and now he’s going to work for the enemy and crush us!”
“Employ comprehensive security measures. Ensure protection for the data on your systems, your customer systems, and the systems integrated with those systems. Employ third-party risk management (TPRM) to minimize the risk when biometric data is stored with cloud providers, application partners, and companies in the supply chain.”
If you don’t already know this, whenever you read a Bredemarket-authored article, always click the links. This includes the articles I write for others…such as Biometric Update. If you clicked a particular link at the end of my guest post, you found out which third party behaved badly with Customs and Border Protection (CBP) data:
“Facial images of travelers and license plate data have been stolen from a U.S. Customs and Border Protection (CBP) subcontractor….While the agency did not identify the subcontractor to the Post, it did provide a statement titled “CBP Perceptics Public Statement.”…Perceptics was hacked in May, and The Register reported thousands of files…were available on the dark web.”
“ID.me will transfer your Biometric Information to our third party partners only when required by a subpoena, warrant, or other court ordered legal action.”
It gets real tomorrow, with the enforcement date (sort of) for REAL ID at federal installations and airports. But what about the privacy of the data behind REAL IDs?
As can be expected, some people are very concerned about what this means.
“[C]oncerns persist among privacy professionals that the next step will be a federal database of driver’s license information, which is bad from a privacy and cybersecurity standpoint, said Jay Stanley, a senior policy analyst with the American Civil Liberties Union.
“‘The more information the government has, the more the government might use that information,’ said Jodi Daniels, founder and chief executive of Red Clover Advisors, a privacy consulting company. ‘But that’s not what’s happening now,’ she added.”
Kumar addressed what IS happening now, and whether our personally identifiable information (PII) is protected.
“States have been issuing driver’s licenses for many years, and personal information is already being stored. The expectation is that the same controls apply to Real ID, said Bala Kumar, chief product and technology officer at Jumio, an online mobile payment and identity verification company. ‘States have already been managing this for many years,’ Kumar said.”
If you continue to read the article, you’ll also see a statement from the American Association of Motor Vehicle Administrators that echoes what Jumio said.
But as a former IDEMIA employee, my curiosity was piqued.
Has anyone ever gained unauthorized access to a state driver’s license database?
So I checked, and could not find an example of unauthorized access to a state driver’s license database.
“On May 31, 2023, Progress Software Corporation, which developed and supports the MOVEit managed file transfer platform, notified all customers across the globe, including [Louisiana Office of Motor Vehicles], of a zero-day vulnerability that an unauthorized party leveraged to access and acquire data without authorization. Upon learning of the incident, immediate measures were taken to secure the MOVEit environment utilized to transfer files. A thorough investigation was conducted, and it was determined that there was unauthorized acquisition of and access to OMV files in the MOVEit environment….
“The information varied by individual but included name and one or more of the following: address, date of birth, Social Security number, driver’s license, learner’s permit, or identification card number, height, eye color, vehicle registration information, and handicap placard information.”
Well, at least the hacked data didn’t include weight. Or claimed weight.
Cybersecurity professionals know that you cannot completely prevent these hacks. That is the “risk” in third-party risk management. Progress Software has been around for a long time; I worked with Progress Software BEFORE I began my biometric career. But these hacks (in this case, CVE-2023-34362 as documented by CISA) can happen to anyone.
Be cautious, and remember that others with good intentions might not be cautious enough.
“World Password Day occurs on the first Thursday in May each year. It’s a day dedicated to raising awareness about the importance of password security and promoting good password practices to enhance your online security.”
And even if you belong to the “passwords are dead” movement, you’d better celebrate anyway because passwords will remain longer than you think.
The papal conclaves that convene to select a new Pope are notorious for their secrecy. The Cardinals who select the new Pope are locked away and generally cannot communicate with the outside world. With one exception: black smoke appears if a vote does not result in the election of a Pope, or white smoke if a Pope is elected.
Because the selection of a Pope has massive influence on both religious and secular affairs worldwide, there are those who desire to hack the papal conclave to get inside information.
“[I]n October 2019…the Vatican appointed Gianluca Gauzzi Broccoletti as its Director of Security Services.
“Broccoletti brought robust and vigorous experience from previous roles in Italian law enforcement and cybersecurity.
“Under his leadership, the team modernized the Papacy’s setup, with a strong emphasis on AI-powered threat analysis and digital forensics.”
Broccoletti and his staff employ a wide variety of cybersecurity techniques, including phone bans, security cameras, signal jammers, endpoint monitoring, and armed guards.
But this is the first papal conclave conducted under Broccoletti’s watch.
Will he maintain the secrecy of the ballot?
And if you offer a cybersecurity solution, how will your prospects learn about it?
Your cybersecurity firm can provide the most amazing protection software to your clients, and the clients still won’t be safe.
Why not? Because of the human element. All it takes is one half-asleep employee to answer that “We received your $3,495 payment” email. Then all your protections go for naught.
The solution is simple: eliminate the humans.
Eliminating the human element
Companies are replacing humans with bots for other rea$on$. But an added benefit is that when you bring in the non-person entities (NPEs) who are never tired and never emotional, social engineering is no longer effective. Right?
Well, you can social engineer the bot NPEs also.
Birthday MINJA
Last month I wrote a post entitled “An ‘Injection’ Attack That Doesn’t Bypass Standard Channels?” It discussed a technique known as a memory injection attack (MINJA). In the post I was able to sort of (danged quotes!) get an LLM to say that Donald Trump was born on February 22, 1732.
“Visual agents that understand graphical user interfaces and perform actions are becoming frontiers of competition in the AI arms race….
“These agents use vision-language models (VLMs) to interpret graphical user interfaces (GUI) like web pages or screenshots. Given a user request, the agent parses the visual information, locates the relevant elements on the page, and takes actions like clicking buttons or filling forms.”
Clicking buttons seems safe…until you realize that some buttons are so obviously scambait that most humans are smart enough NOT to click on them.
What about the NPE bots?
“They carefully designed and positioned adversarial pop-ups on web pages and tested their effects on several frontier VLMs, including different variants of GPT-4, Gemini, and Claude.
“The results of the experiments show that all tested models were highly susceptible to the adversarial pop-ups, with attack success rates (ASR) exceeding 80% on some tests.”
Educating your users
Your cybersecurity firm needs to educate. You need to warn humans about social engineering. And you need to warn AI masters that bots can also be social engineered.
But what if you can’t? What if your resources are already stretched thin?
If you need help with your cybersecurity product marketing, Bredemarket has an opening for a cybersecurity client. I can offer
I asked Imagen 3 to help me illustrate nth party risk management.
Where you are connected with everyone to whom your connections are connected.
But I wanted to illustrate third-party risk management in a clean way. Back when AIDS became a sad feature of our lives in the 1980s, the description of how it spread from person to person could get a little graphic.
Unlike some clickbait-like article titles, this one from Communications Today succinctly encapsulates the problem up front.
It’s not that the TPRM software is failing to find the red flags. Oh, it finds them!
But the folks at Gartner discovered something:
“A Gartner survey of approximately 900 third-party relationship owners…revealed that while 95% saw a third-party red flag in the past 12 months, only around half of them escalate it to compliance teams.”
Among other things, the relationship owners worry about “the perceived return on investment (ROI) of sharing information.”
And that’s not a software issue. It’s a process issue.
And this is not unique to the cybersecurity world. Let’s look at facial recognition.
Another case in point
I’ve said this over and over, but for U.S. criminal purposes, facial recognition results should ONLY be used as investigative leads.
It doesn’t matter whether they’re automated results, or if they have been reviewed by a trained forensic face examiner.
Facial recognition results should only be used as investigative leads.
Sorry for the repetition, but some people aren’t listening.
But it’s not the facial recognition vendors. Bredemarket has worked with numerous facial recognition vendors over the years, and of those who work with law enforcement, ALL of them have emphatically insisted that their software results should only be used as investigative leads.
And that’s not a software issue. It’s a process issue.
No amount of coding or AI can fix that.
I hope the TPRM folks don’t mind my detour into biometrics, but there’s a good reason for it.
Product marketing for TPRM and facial recognition
Some product marketers, including myself, believe that it’s not enough to educate prospects and customers about your product. You also need to educate them about proper use of the product, including legal and ethical concerns.
If you don’t, your customers will do dumb things in Europe, Illinois, or elsewhere—and blame you when they are caught.
Be a leader in your industry by doing or saying the right thing.
And now here’s a word from our sponsor.
Not the “CPA” guy again…
Bredemarket has openings
There’s a reason why this post specifically focused on cybersecurity and facial recognition.
If you need product marketing assistance with your product, Bredemarket has two openings. One for a cybersecurity client, and one for a facial recognition client.