As the year comes to an end, I feel like a reflection is needed. 2023 was quite a ride. I planned to have this reflection on LinkedIn, but the Prague shooting on the 21st of December made me limit my social media presence and exposure at this time, out of respect for the victims.
Board Governance
Posted on Monday, 16th of October 2023 • personal/education • permanent link • Read time: 2 minutes
As a security executive, I often find myself troubled by the lack of cyber risk understanding in companies' executive management. I may be wrong, but apparently not by much. Lately, the voices calling for proper cyber security risk governance at the board level are getting louder, and they are coming from multiple sources, including the US Securities and Exchange Commission.
The wrong solution to a major problem
Posted on Thursday, 23rd of February 2023 • business • permanent link • Read time: 11 minutes
Supply Chain Risk Management is the name of a big security problem in the business world. It is so important that there isn't a single security framework that doesn't include Supply Chain Risk Management in its agenda, guidance, and suggested controls. NIST has a set of resources on the topic, but it is not the only organization addressing this problem.
Disclaimer: Nothing below should be taken as criticism of the services offered. Pointing out their flaws and inefficiencies does not mean they have no value.
Vulnerability and Patch management
Posted on Sunday, 14th of February 2021 • security • permanent link • Read time: 5 minutes
During the last 3 months I found myself in discussions about patch and vulnerability management more often than expected. I need to say, there is much misunderstanding going around about these two processes; so much that I could argue that several organizations are exposing themselves significantly, simply because the touch points between the two processes, and the (lack of) dependencies between them, are not clear.