Tag Archives: security

The Military, Cyberattacks, and Maturity

Everyone knows that cyberattacks don’t just target private organizations. They also target governments, particularly aiming for agencies that either deal with a lot of money (unemployment agencies) or contribute to defending a country (military, homeland security).

The Chief Information Officer of the U.S. Department of Defense has a vested interest in preventing cyberattacks, not only against DoD, but against its third-party suppliers, which are the subject of today’s acronym, DIB (defense industrial base).

And if you’ve followed along in the Bredemarket blog lately, you know that a key component of preventing cyberattacks is raising your organization’s process maturity in the cybersecurity realm.

And yes, there’s a maturity model and a certification for that, the Cybersecurity Maturity Model Certification, or CMMC.

Cybersecurity is a top priority for the Department of Defense (DoD). The defense industrial base (DIB) faces increasingly frequent, and complex cyberattacks. To strengthen DIB cybersecurity and better safeguard DoD information, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) Program to assess existing DoD cybersecurity requirements.

It’s no surprise that the CMMC incorporates multiple levels, in this case three of them.

  • Level 1: Basic Safeguarding of FCI (Federal Contract Information)
  • Level 2: Broad Protection of CUI (Controlled Unclassified Information)
  • Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats

And not only is there a maturity model certification for the defense industrial base, but there’s a conference to help everyone out. After all the geeks celebrate May the Fourth Be With You day, some of the geeks will continue to celebrate on May 5, the date of the fifth annual CMMC Day. Party on.

Also see Biometric Update’s article, as well as NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

And if you need product marketing assistance with your cybersecurity product, Bredemarket has an opening for a cybersecurity client and can help with compelling content creation, winning proposal development, and actionable analysis. Book a call: https://bredemarket.com/cpa/ 

(Military wildebeest image from Imagen 3)

Startups Entering the Wonderful World of Process

I’ve talked about governance and maturity models before in regards to cybersecurity. The complicating factor is that companies with little process maturity are flung into the world of standards and auditors. 

For example, I was not initially part of the process team when the former seat-of-the-pants Printrak had to play CMM catch up with our new corporate overlord Motorola. But it was a bruising experience.

These days you have a lot of startups, not owned by multinationals, that are required by large customers and governments to comply with some standard or another. Winging it is not an option; winging it is failure. Or, in process-speak, winging it can result in a high statistical probability of a large number of adverse  findings.

Vanta wants to help.

Its early April “Guide to working with auditors: Best practices for startups” contains several suggestions. 

  • One is to engage with auditors early so that you become familiar with each other.
  • However, you should NOT give auditors access to your data early. Wait until you are ready. Assuming your data is in a Vanta instance:

“If you’re still finalizing controls in Vanta, granting early access could cause confusion. However, some firms prefer early access for familiarization—as long as they don’t start testing prematurely.”

Vanta’s guide is at https://www.vanta.com/resources/guide-to-working-with-auditors-for-startups

(Wombat image via Imagen 3)

PS to cybersecurity product marketers

Are you getting YOUR product’s message out? Or is a stretched team holding you back from creating stellar marketing materials? 

Bredemarket has an opening for a cybersecurity client and can help with compelling content creation, winning proposal development, and actionable analysis. Book a call: https://bredemarket.com/cpa/ 

Why Invela TPRM?

During my three months working with a third-party risk management (TPRM) client, I never heard anyone mention Invela.

Perhaps with reason. Although LinkedIn says the company was founded in 2024, it didn’t post its first blog until April 20, 2025, or its first LinkedIn posts until April 21.

But the second blog post, dated April 21, is the one that matters.

“Invela has officially launched a transformative network to bolster consumer protection and foster innovation within the open banking ecosystem. The Invela Network, developed in collaboration with industry-leading specialist partners, promises to revolutionize how financial institutions manage third-party risk…”

The post goes on to cite the Consumer Financial Protection Bureau (CFPB), but…well…that’s nice.

Invela’s TPRM solution specifically targets the open banking segment of the financial services industry. Open banking, featuring companies such as Plaid, Kong, and Camunda (among others), facilitates the interchange of financial data, rather than keeping it within each bank’s walled garden.

Which of course increases risk.

Hence companies such as Invela.

I was unable to find a “why” story for Invela that compared to the why story I previously found for Ubiety Technologies. Obviously the Invela people never read my book.

However, the principals at Invela come from companies such as Mastercard (although I could find no information on Invela’s CEO Steve Smith). But the Invela leadership team presumably knows their market. We will see if they know their marketing.

Which reminds me…if you need help with your cybersecurity product marketing, Bredemarket has an opening for a cybersecurity client. I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

A Mature Approach to Artificial Intelligence-Powered TPRM Automation

Deloitte conducts regular surveys on third-party risk management (TPRM), and just concluded a survey on (English warning) “the rise of AI in TPRM to maximise opportunities while managing the risks.”

One of the key findings:

“Despite low maturity levels, leadership teams are ambitious about embracing intelligent automation, while managing both the risks of AI in their organisations and those arising from third-party AI usage.”

I’ve talked about maturity levels before and their importance in cybersecurity. While ad hoc approaches to TPRM just won’t cut it in terms of protection, a managed or defined level or better will yield a positive return on investment.

(Imagen 3)

And one more thing…

The formal announcement is embargoed until Monday, but Bredemarket has TWO openings to act as your on-demand marketing muscle for facial recognition or cybersecurity:

  • compelling content creation
  • winning proposal development
  • actionable analysis

Book a call: https://bredemarket.com/cpa/ 

Frame, Assess, Respond, and Monitor (FARM) in Third-Party Risk Management

I just listened to a third-party risk management (TPRM) Mitratech webinar about NIST cybersecurity frameworks, hosted by OCEG, which talked about a farm.

No, they’re not planting corn at NIST’s Gaithersburg headquarters.

(At least I don’t think so. I haven’t been there since early 2009, back when Motorola and Safran people couldn’t talk about the possible acquisition. We did anyway. But I digress.)

Back to TPRM. In Mitratech’s case, FARM stands for “frame, assess, respond, and monitor.”

Here’s how Mitratech introduced the topic in a 2022 post:

NIST SP 800-53 is considered the foundation upon which all other cybersecurity controls are built. With SP 800-161 Rev. 1, NIST outlines a complementary framework to frame, assess, respond to, and monitor cybersecurity supply chain risks. Together, SP 800-53 and supplemental SP 800-161 control guidance present a comprehensive framework for assessing and mitigating supplier risks.

If you visit the latest (as of 2024) update to SP 800-161, you can find NIST’s explanation of the FARM in Appendix G. The three referenced levels in the quote below are the enterprise, mission, and operations levels.

The first approach is known as FARM and consists of four steps: Frame, Assess, Respond, and Monitor. FARM is primarily used at Level 1 and Level 2 to establish the enterprise’s risk context and inherent exposure to risk. Then, the risk context from Level 1 and Level 2 iteratively informs the activities performed as part of the second approach described in The Risk Management Framework (RMF). The RMF predominantly operates at Level 3 [SP80037], – the operational level – and consists of seven process steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

Briefly:

  • Frame establishes the context.
  • Assess is the risk assessment itself.
  • Respond is where the assessors communicate the results of the assessment and propose mitigations and controls.
  • Monitor is compliance verification and continuous monitoring.

Section G.2 of the document includes much, much more detailed definitions of the FARM elements, should you be interested. I’d provide those details myself, but then I fear I’d have to say to you, “Sorry if I’ve stayed too long.”

If Your Identity System Only Manages People, It Is Flawed

This is painful, but it has to be done.

I’ve spent 30 years working with the identities of PEOPLE and ensuring that all PEOPLE accessing a system are properly identified.

In other words, leaving a huge GAPING security hole.

Look at what Okta is doing;

“[N]ew Okta Platform capabilities…help businesses secure AI agents and other non-human identities with the same level of visibility, control, governance, and automation as human ones. The Okta Platform will now bring a unified, end-to-end identity security fabric to organizations for managing and securing all types of identities across their ecosystem, from AI agents to API keys to employees.”

I think that “unified” will take the place of “trust” as the identity buzzword. Thankfully.

If you’re only selling biometrics, or maybe biometrics and ID cards, where will your customers go to get the rest of their systems? Or will you just be a commodity supplier to the companies that provide the REAL systems?

(Unified security AI picture from Imagen 3)

When Can Cybersecurity Professionals “Wing It”?

In my career, I’ve experienced all levels of process maturity, ranging from “process for process’ sake” to “winging it.”

  • Many, many years before Marie Kondo popularized the term “spark joy,” one of my former employers shut down the entire office for the afternoon so that we could spend that time cleaning up. Thankfully this was not instituted (institutionalized?) as a weekly occurrence.
  • On the other extreme, some organizations resist process and just wing it. To the point that I literally hide when I use a process.

Now the ability to “wing it” can be used in some circumstances but not in others. Obviously improvisational comedians “wing it” by definition. But Ike (pre-matrix) couldn’t have used the “wing it” approach on D-Day.

What about cybersecurity? Can you “wing it” when you’re attacked?

Jack Freund says no:

The evolving threat landscape demands robust governance architectures and well-defined board duties to ensure resilience against cyberthreats. Effective cybergovernance not only protects an organization’s digital assets but also reinforces trust among stakeholders. 

Governance is a critical component of cybersecurity, if for no other reason than to prove that your organization actually HAS cybersecurity. Ideally an organization will govern its cybersecurity by some type of “maturity model.”

And that’s more than refraining from calling someone a poopy head.

(AI image from Imagen 3)

The One PII/PHI Data Point No One is Discussing

In a February 2024 discussion of the differences and similarities between personally identifiable information (PII) and protected health information (PHI), I published an exhaustive list of types of PII, some of which are also PHI.

  • Social Security Number. 
  • Passport number.
  • Driver’s license number.
  • Taxpayer identification number.
  • Patient identification number.
  • Financial account number.
  • Credit card number.
  • Personal address.
  • Personal telephone number.
  • Photographic image of a face.
  • X-rays.
  • Fingerprints.
  • Retina scan.
  • Voice signature.
  • Facial geometry.
  • Date of birth.
  • Place of birth.
  • Race.
  • Religion.
  • Geographical indicators.
  • Employment information.
  • Medical information.
  • Education information.
  • Financial information.

Looks complete to you, doesn’t it? Well, it isn’t. To, um, identify the missing bit of information that is both PII and PHI, take a look at this LinkedIn post from Jack Appleby. (Thanks to packaging expert Mark Wilson for bringing this post to my attention.)

“A dream brand just sent me a gift package & invite… but they broke the two most important rules of influencer gifting…

“The package was a ridiculously cool collab hoodie + an invite to an event I’ve wanted to go to since I was just a little kid… but the hoodie is a medium… and I’m an XL… and my name was spelled wrong on the invitation.”

And no, I’m not talking about Jack Appleby’s name.

I’M TALKING ABOUT HIS HOODIE SIZE.

And yes, hoodie size in combination with other information is both PII (personally identifiable information) and PHI (protected health information). If your hoodie size is XXL, but your height is only 5’1”…that has some health implications.

Yet at the same time it’s also vital business information. It’s collected from prospects and new employees at trade shows and during employee onboarding. And as Appleby’s example shows, there are potentially severe consequences if you get it wrong.

But does your favorite compliance framework include specific and explicit clauses addressing hoodie size? I bet it doesn’t. And that could be a huge privacy hole.

(The hoodie in my selfie is from my 2022-2023 employer. And yes I still wear it. But I got rid of my IDEMIA, MorphoTrak, Motorola, and Printrak attire.)

Why Do CPAs (the real ones) Manage SOC 2 Audits?

I’ve been around a ton of compliance frameworks during and after the years I worked at Motorola. 

  • The Capability Maturity Model (CMM), from the days before CMMI came into being.
  • The entire ISO 9000 family.
  • The General Data Protection Regulation (GDPR).
  • The California Consumer Privacy Act (CCPA) and the related California Privacy Rights Act (CPRA).
  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The NIST Cybersecurity Framework (CSF).
  • I’d personally throw the FBI CJIS Security Requirements onto this list.

SOC it to me

There is one compliance framework that is a little different from CMM, ISO, GDPR, and all the others: the System and Organization Controls (SOC) suite of Services

The most widely known member of the suite is SOC 2® – SOC for Service Organizations: Trust Services Criteria. But you also have SOC 1, SOC 3, SOC for Cybersecurity, SOC for Supply Chain, SOC for Steak…whoops, I made that one up because I’m hungry as I write this. But the others are real.

Who runs the SOC suite

But the difference about the SOC suite is that it’s not governed by engineers or scientists or academics.

It’s governed by CPAs.

And for once I’m not talking about content-proposal-analysis experts.

I’m talking about the AICPA, or the Association of International Certified Professional Accountants.

Which begs the question: why are a bunch of bean counters defining compliance frameworks for cybersecurity?

Why CPAs run the SOC suite

Ask Schneider Downs. As an accounting firm, they may have an obvious bias regarding this question. But their answers are convincing.

  • “CPAs are subject matter experts in risk management.” You see, my reference above to “bean counters” was derogatory and simplistic. Accounts need to understand financial data and the underlying risks, including vulnerabilities in cash flow, debt, and revenue. For example, if you’ve ever talked to a CxO, you know that revenue is never guaranteed.
  • “It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk.” Now this may seem odd on the surface, because you wouldn’t think mad Excel skills will help you detect deepfakes. But ignore the tools for a moment and look at a higher levels. Because of their risk management expertise, they can apply that knowledge to other types of risk, including non-financial ones. As Schneider Downs goes on to say…
  • “CPAs understand internal control concepts and the appropriate evidence required to support the operating effectiveness of controls.” You need financial controls at your company. You aren’t going to let the summer intern sign multi-million dollar checks. In the same way you need to identify and evaluate the internal controls related to the Trust Services Criteria (TSC) associated with SOC 2: security, availability, processing integrity, confidentiality, and privacy.

So that’s why the accountants are running your SOC 2 audit.

And don’t try to cheat when you pay them for the audit.

And one more thing

A few of you may have detected that the phrase “SOC it to me” is derived from a popular catchphrase from the old TV show Rowan & Martin’s Laugh-In.

A phrase that EVERYBODY said.

(Wildebeest accountants from Imagen 3)