“World Password Day occurs on the first Thursday in May each year. It’s a day dedicated to raising awareness about the importance of password security and promoting good password practices to enhance your online security.”
And even if you belong to the “passwords are dead” movement, you’d better celebrate anyway, because passwords will be with us longer than you think.
The papal conclaves that convene to select a new Pope are notorious for their secrecy. The Cardinals who select the new Pope are locked away and generally cannot communicate with the outside world. With one exception: black smoke appears if a vote does not result in the election of a Pope, or white smoke if a Pope is elected.
Because the selection of a Pope has massive influence on both religious and secular affairs worldwide, there are those who desire to hack the papal conclave to get inside information.
“[I]n October 2019…the Vatican appointed Gianluca Gauzzi Broccoletti as its Director of Security Services.
“Broccoletti brought robust and vigorous experience from previous roles in Italian law enforcement and cybersecurity.
“Under his leadership, the team modernized the Papacy’s setup, with a strong emphasis on AI-powered threat analysis and digital forensics.”
Broccoletti and his staff employ a wide variety of security measures, both physical and digital, including phone bans, security cameras, signal jammers, endpoint monitoring, and armed guards.
But this is the first papal conclave conducted under Broccoletti’s watch.
Will he maintain the secrecy of the ballot?
And if you offer a cybersecurity solution, how will your prospects learn about it?
Your cybersecurity firm can provide the most amazing protection software to your clients, and the clients still won’t be safe.
Why not? Because of the human element. All it takes is one half-asleep employee to answer that “We received your $3,495 payment” email. Then all your protections go for naught.
The solution is simple: eliminate the humans.
Eliminating the human element
Companies are replacing humans with bots for other rea$on$. But an added benefit is that when you bring in the non-person entities (NPEs) who are never tired and never emotional, social engineering is no longer effective. Right?
Well, you can social engineer the bot NPEs also.
Birthday MINJA
Last month I wrote a post entitled “An ‘Injection’ Attack That Doesn’t Bypass Standard Channels?” It discussed a technique known as a memory injection attack (MINJA). In the post I was able to sort of (danged quotes!) get an LLM to say that Donald Trump was born on February 22, 1732.
“Visual agents that understand graphical user interfaces and perform actions are becoming frontiers of competition in the AI arms race….
“These agents use vision-language models (VLMs) to interpret graphical user interfaces (GUI) like web pages or screenshots. Given a user request, the agent parses the visual information, locates the relevant elements on the page, and takes actions like clicking buttons or filling forms.”
Clicking buttons seems safe…until you realize that some buttons are so obviously scambait that most humans are smart enough NOT to click on them.
What about the NPE bots? Researchers tested exactly that:
“They carefully designed and positioned adversarial pop-ups on web pages and tested their effects on several frontier VLMs, including different variants of GPT-4, Gemini, and Claude.
“The results of the experiments show that all tested models were highly susceptible to the adversarial pop-ups, with attack success rates (ASR) exceeding 80% on some tests.”
Educating your users
Your cybersecurity firm needs to educate. You need to warn humans about social engineering. And you need to warn the people who deploy AI agents that their bots can be socially engineered too.
But what if you can’t? What if your resources are already stretched thin?
If you need help with your cybersecurity product marketing, Bredemarket has an opening for a cybersecurity client. I can offer
I asked Imagen 3 to help me illustrate nth party risk management.
Where you are connected with everyone to whom your connections are connected.
But I wanted to illustrate third-party risk management in a clean way. Back when AIDS became a sad feature of our lives in the 1980s, the description of how it spread from person to person could get a little graphic.
Unlike some clickbait-like article titles, this one from Communications Today succinctly encapsulates the problem up front.
It’s not that the TPRM software is failing to find the red flags. Oh, it finds them!
But the folks at Gartner discovered something:
“A Gartner survey of approximately 900 third-party relationship owners…revealed that while 95% saw a third-party red flag in the past 12 months, only around half of them escalate it to compliance teams.”
Among other things, the relationship owners worry about “the perceived return on investment (ROI) of sharing information.”
And that’s not a software issue. It’s a process issue.
And this is not unique to the cybersecurity world. Let’s look at facial recognition.
Another case in point
I’ve said this over and over, but for U.S. criminal purposes, facial recognition results should ONLY be used as investigative leads.
It doesn’t matter whether they’re automated results, or if they have been reviewed by a trained forensic face examiner.
Facial recognition results should only be used as investigative leads.
Sorry for the repetition, but some people aren’t listening.
But it’s not the facial recognition vendors’ fault. Bredemarket has worked with numerous facial recognition vendors over the years, and of those who work with law enforcement, ALL of them have emphatically insisted that their software results should only be used as investigative leads.
And that’s not a software issue. It’s a process issue.
No amount of coding or AI can fix that.
I hope the TPRM folks don’t mind my detour into biometrics, but there’s a good reason for it.
Product marketing for TPRM and facial recognition
Some product marketers, including myself, believe that it’s not enough to educate prospects and customers about your product. You also need to educate them about proper use of the product, including legal and ethical concerns.
If you don’t, your customers will do dumb things in Europe, Illinois, or elsewhere—and blame you when they are caught.
Be a leader in your industry by doing or saying the right thing.
And now here’s a word from our sponsor.
Not the “CPA” guy again…
Bredemarket has openings
There’s a reason why this post specifically focused on cybersecurity and facial recognition.
If you need product marketing assistance with your product, Bredemarket has two openings. One for a cybersecurity client, and one for a facial recognition client.
Everyone knows that cyberattacks don’t just target private organizations. They also target governments, particularly aiming for agencies that either deal with a lot of money (unemployment agencies) or contribute to defending a country (military, homeland security).
The Chief Information Officer of the U.S. Department of Defense has a vested interest in preventing cyberattacks, not only against DoD, but against its third-party suppliers, which are the subject of today’s acronym, DIB (defense industrial base).
And if you’ve followed along in the Bredemarket blog lately, you know that a key component of preventing cyberattacks is raising your organization’s process maturity in the cybersecurity realm.
And yes, there’s a maturity model and a certification for that, the Cybersecurity Maturity Model Certification, or CMMC.
Cybersecurity is a top priority for the Department of Defense (DoD). The defense industrial base (DIB) faces increasingly frequent and complex cyberattacks. To strengthen DIB cybersecurity and better safeguard DoD information, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) Program to assess existing DoD cybersecurity requirements.
It’s no surprise that the CMMC incorporates multiple levels, in this case three of them.
Level 1: Basic Safeguarding of FCI (Federal Contract Information)
Level 2: Broad Protection of CUI (Controlled Unclassified Information)
Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats
And not only is there a maturity model certification for the defense industrial base, but there’s a conference to help everyone out. After all the geeks celebrate May the Fourth Be With You day, some of the geeks will continue to celebrate on May 5, the date of the fifth annual CMMC Day. Party on.
And if you need product marketing assistance with your cybersecurity product, Bredemarket has an opening for a cybersecurity client and can help with compelling content creation, winning proposal development, and actionable analysis. Book a call: https://bredemarket.com/cpa/
For example, I was not initially part of the process team when the former seat-of-the-pants Printrak had to play CMM catch up with our new corporate overlord Motorola. But it was a bruising experience.
These days you have a lot of startups, not owned by multinationals, that are required by large customers and governments to comply with some standard or another. Winging it is not an option; winging it is failure. Or, in process-speak, winging it can result in a high statistical probability of a large number of adverse findings.
Vanta wants to help.
Its early April “Guide to working with auditors: Best practices for startups” contains several suggestions.
One is to engage with auditors early so that you become familiar with each other.
However, you should NOT give auditors access to your data early. Wait until you are ready. Assuming your data is in a Vanta instance:
“If you’re still finalizing controls in Vanta, granting early access could cause confusion. However, some firms prefer early access for familiarization—as long as they don’t start testing prematurely.”
Are you getting YOUR product’s message out? Or is a stretched team holding you back from creating stellar marketing materials?
Bredemarket has an opening for a cybersecurity client and can help with compelling content creation, winning proposal development, and actionable analysis. Book a call: https://bredemarket.com/cpa/
During my three months working with a third-party risk management (TPRM) client, I never heard anyone mention Invela.
Perhaps with reason. Although LinkedIn says the company was founded in 2024, it didn’t post its first blog until April 20, 2025, or its first LinkedIn posts until April 21.
“Invela has officially launched a transformative network to bolster consumer protection and foster innovation within the open banking ecosystem. The Invela Network, developed in collaboration with industry-leading specialist partners, promises to revolutionize how financial institutions manage third-party risk…”
The post goes on to cite the Consumer Financial Protection Bureau (CFPB), but…well…that’s nice.
Invela’s TPRM solution specifically targets the open banking segment of the financial services industry. Open banking, featuring companies such as Plaid, Kong, and Camunda (among others), facilitates the interchange of financial data, rather than keeping it within each bank’s walled garden.
The principals at Invela come from companies such as Mastercard (although I could find no information on Invela’s CEO Steve Smith), so the Invela leadership team presumably knows its market. We will see if they know their marketing.
Which reminds me…if you need help with your cybersecurity product marketing, Bredemarket has an opening for a cybersecurity client. I can offer
Deloitte conducts regular surveys on third-party risk management (TPRM), and just concluded a survey on (English warning) “the rise of AI in TPRM to maximise opportunities while managing the risks.”
One of the key findings:
“Despite low maturity levels, leadership teams are ambitious about embracing intelligent automation, while managing both the risks of AI in their organisations and those arising from third-party AI usage.”
I’ve talked about maturity levels before and their importance in cybersecurity. While ad hoc approaches to TPRM just won’t cut it in terms of protection, a managed or defined level or better will yield a positive return on investment.
And one more thing…
The formal announcement is embargoed until Monday, but Bredemarket has TWO openings to act as your on-demand marketing muscle for facial recognition or cybersecurity:
I just listened to a third-party risk management (TPRM) Mitratech webinar about NIST cybersecurity frameworks, hosted by OCEG, which talked about a farm.
No, they’re not planting corn at NIST’s Gaithersburg headquarters.
(At least I don’t think so. I haven’t been there since early 2009, back when Motorola and Safran people couldn’t talk about the possible acquisition. We did anyway. But I digress.)
Back to TPRM. In Mitratech’s case, FARM stands for “frame, assess, respond, and monitor.”
NIST SP 800-53 is considered the foundation upon which all other cybersecurity controls are built. With SP 800-161 Rev. 1, NIST outlines a complementary framework to frame, assess, respond to, and monitor cybersecurity supply chain risks. Together, SP 800-53 and supplemental SP 800-161 control guidance present a comprehensive framework for assessing and mitigating supplier risks.
If you visit the latest (as of 2024) update to SP 800-161, you can find NIST’s explanation of the FARM in Appendix G. The three levels referenced in the quote below are Level 1 (enterprise), Level 2 (mission and business process), and Level 3 (operational).
The first approach is known as FARM and consists of four steps: Frame, Assess, Respond, and Monitor. FARM is primarily used at Level 1 and Level 2 to establish the enterprise’s risk context and inherent exposure to risk. Then, the risk context from Level 1 and Level 2 iteratively informs the activities performed as part of the second approach described in The Risk Management Framework (RMF). The RMF predominantly operates at Level 3 [SP80037] – the operational level – and consists of seven process steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.
Briefly:
Frame establishes the risk context: what the enterprise does, what it depends on, and how much risk it is willing to tolerate.
Assess is the risk assessment itself: identifying supply chain threats and vulnerabilities and estimating their likelihood and impact.
Respond is where the enterprise decides how to handle each assessed risk (accept, avoid, mitigate, or share it), selects the corresponding controls, and communicates the decision.
Monitor is compliance verification and continuous monitoring: confirming that the chosen responses are in place and still effective as suppliers and threats change.
Section G.2 of the document includes much, much more detailed definitions of the FARM elements, should you be interested. I’d provide those details myself, but then I fear I’d have to say to you, “Sorry if I’ve stayed too long.”