Blog

Latest Blog

[December 6, 2023] NIST AI Risk Management Framework: What You Should Know and Why You Should Care (last updated December 6, 2023)

Topics: Application Security, Business Continuity Management, CCPA, Cloud Security, Compliance, Cybersecurity, Cybersecurity Maturity Model Certification (CMMC), Disaster Recovery, Ethical Hacking, FedRAMP, GDPR, Government, Information Security, Industry Trends, InfoSec Risk Assessment, InfoSec Strategies, IoT Security, ISMS Consulting, ISO 22301, ISO 27001 Certification, ISO 27701, Network Security, NIST, Penetration Testing, Phishing, Privacy, Security Awareness Training, SIEM, SOC 2, Social Engineering, Third Party Risk Management, Uncategorized, Vendor Due Diligence

Blog Archive

[November 22, 2023] “Failure is Not an Option”—What Does That Mean for Recovery Planning?
[November 22, 2023] Understanding the Basics: What is ISO 27001?
[November 2, 2023] Understanding and Applying Risk Management Strategies for CMMC Certification
[November 2, 2023] 5 Common Mistakes When Pursuing ISO 27001 Certification
[November 2, 2023] How to Demonstrate Compliance with CMMC: An Overview
[November 2, 2023] The Difference between ISO 27001 and Other Certifications
[October 18, 2023] 3 Essential Tips for Maintaining CMMC Compliance
[October 18, 2023] 3 Questions to Consider before Pursuing ISO 27001 Certification
[September 5, 2023] The Importance of Maintaining an Up-to-Date ISO 27001 Certification
[September 5, 2023] How to Get CMMC Certified: 7 Steps to Take Before Applying
[September 1, 2023] What is CMMC Certification and What Does it Mean for Your Business?
[August 31, 2023] CMMC Rulemaking Update and Timeline
[August 29, 2023] What is ISO 27001 Certification and Why Does It Matter?
[August 9, 2023] Leaking Meta’s LLaMA AI – the Good, the Bad, and the Very Bad
[August 9, 2023] Public and/or Shared AI Models Cannot be Trusted Until an AI Bill of Materials Becomes the Norm
[June 23, 2023] Time and Cost Factors to Attain a FedRAMP ATO
[June 23, 2023] FedRAMP ATO: 3 Tips to Minimize Cost, Complexity, and Time to Target
[June 23, 2023] Big Pros and Cons of an “Agency” Versus “JAB” Approach to a FedRAMP ATO
[June 23, 2023] Getting Ready for Your FedRAMP Third-Party Assessment
[June 23, 2023] FedRAMP Requirements Can Change Your Solution Architecture
[June 23, 2023] To FedRAMP or Not to FedRAMP: That is the (First) Question
[June 23, 2023] Intro to FedRAMP
[June 23, 2023] A FedRAMP ATO – The Good, The Bad, and the Ugly
[June 6, 2023] What is a Microservice Architecture and How Do I Secure It?
[June 6, 2023] Security and Development Must Work Closely to Secure Microservices
[June 6, 2023] How Do Microservices Change Software Security?
[June 6, 2023] Microservices and APIs—How Do They Connect?
[June 6, 2023] What is a Microservice Architecture?
[May 29, 2023] How Poor Cyber Asset Management Enabled the Equifax Breach
[May 29, 2023] 4 Ways a Strong Cyber Asset Management Program Can Help Block Ransomware Attacks
[May 29, 2023] Active Asset Scanning in OT Environments
[May 29, 2023] Why Vulnerability Management Tools Fall Short for Cyber Asset Discovery
[May 29, 2023] 2 Biggest Challenges with Cyber Asset Management
[May 24, 2023] How ISO 27001:2022 Attributes Might Impact Your Certification Audit (and Improve Your Security)
[May 24, 2023] ISO 27001:2022—What is the Level of Transition Effort?
[May 24, 2023] ISO 27001:2022—When Should My Org Make the Transition?
[May 24, 2023] ISO 27001:2022—Insights into What’s New
[May 12, 2023] RSA Conference 2023 Takeaway—“Shifting Security Left” is Now in Full Swing
[May 12, 2023] RSA Conference 2023 Takeaway—Privacy Will Drive Data Governance
[May 12, 2023] RSA Conference 2023 Takeaway—AI is Coming But It’s Not Here Yet
[May 12, 2023] RSA Conference 2023 Takeaway—More Than Ever, a Product-Centric Security Strategy is Dangerous
[May 9, 2023] How Long Before Software Bill of Materials (SBOM) Moves from Buzzword to Expectation
[May 9, 2023] A Software Bill of Materials (SBOM) Benefits Both Vendors and Users
[May 9, 2023] What is an SBOM and Why Are My Customers Suddenly Asking for One?
[April 28, 2023] When You’re Doing Cyber Asset Management… What’s An Asset?
[April 28, 2023] If your asset management sucks, your security sucks
[April 17, 2023] Beware the Latest Funds Transfer Fraud—Deepfake Voice Cloning
[April 6, 2023] Should We Implement DevSecOps? You May Not Have a Choice.
[April 5, 2023] DevSecOps: Recommended Guidance and Standards to Help Get You Started
[April 4, 2023] Shifting DevSecOps Left
[April 3, 2023] DevSecOps Depends on Understanding Application-Specific Risk
[March 31, 2023] Getting Started with DevSecOps
[March 30, 2023] DevSecOps Defined
[March 29, 2023] 4 Tactical Steps to Implementing DevSecOps in 2023
[March 27, 2023] 7 Reasons Why You Should Get CMMC Certified Ahead of the May 2023 Rulemaking
[March 24, 2023] Pros and Cons to a “Hybrid Approach” to Microsoft 365 Commercial and GCC/GCC High
[March 23, 2023] Why is Microsoft 365 GCC High “So Expensive”?
[March 21, 2023] The “Feature Factor” in Moving to Microsoft 365 GCC or GCC High
[March 18, 2023] How Long Does a Microsoft 365 “Government Cloud” Migration Take?
[March 17, 2023] 3 Top Considerations for Migrating to a Microsoft 365 “Government Cloud”
[March 16, 2023] Should My Org Be on a Microsoft 365 “Government Cloud”?
[March 15, 2023] Should we be in Microsoft 365 GCC, GCC High, or Commercial?
[March 7, 2023] Will Implementing the New ISO 27001:2022 Control Set Improve Your ISMS?
[March 8, 2023] 2 “Gotchas” to Avoid on Your Move to ISO 27001:2022
[March 6, 2023] 3 Things Your ISO 27001:2022 Auditor Would Love to See in Your ISMS
[March 5, 2023] Benefits of Moving to ISO 27001:2022 ASAP
[March 4, 2023] ISO 27001:2022—How Does It Impact Related Standards?
[March 3, 2023] We’re Working Towards Certification to ISO 27001:2013—How Does ISO 27001:2022 Impact Us?
[March 2, 2023] When Will Auditors Be Ready to Certify ISO 27001:2022 Compliance?
[March 1, 2023] When Should You Move to ISO 27001:2022?
[February 20, 2023] Need to Align Your Web App Security Program with NIST’s SSDF or ISO 27001? OWASP SAMM Can Help.
[February 19, 2023] Don’t Dump Application Security on Your Developers
[February 18, 2023] Web Application Security—How Mature Are Most Orgs Today?
[February 17, 2023] How (Not) Good is Your Web App Security? OWASP SAMM Can Tell You.
[February 16, 2023] Getting to “Secure by Design” with OWASP SAMM
[February 15, 2023] What is OWASP SAMM and How Can It Elevate Your Application Security?
[February 10, 2023] The TISAX Audit Process: Here’s What to Expect
[February 9, 2023] TISAX and ISO 27001: How Do They Relate?
[February 8, 2023] TISAX Assessment Objectives, Levels, and Labels
[February 7, 2023] What is TISAX and Why Should We (as an Auto Industry Supplier) Care?
[February 6, 2023] Understanding TISAX (Trusted Information Security Assessment Exchange)
[February 3, 2023] Emerging Use Cases for Cyber Threat Intelligence
[February 3, 2023] How Does Cyber Threat Intelligence Relate to Attack Surface Management or Digital Risk Management?
[February 2, 2023] Still Think Your Org Has Nothing Hackers Want?
[February 2, 2023] Cybercrime Business Models and Supply Chains
[February 1, 2023] How Financially Motivated Cybercriminals Really Operate, and Why You (as an Org with Exploitable Assets) Should Care
[February 1, 2023] Understanding How Cybercriminals Operate Can Protect Your Business
[January 26, 2023] What’s New and Exciting with AWS Security?
[January 25, 2023] Public Cloud Consumers: Is Your Management Plane Secure?
[January 25, 2023] What are the Most Important AWS Security Tools that Every Org Should Use?
[January 25, 2023] Why Do So Many Orgs Stumble on Cloud Security?
[January 25, 2023] Different Public Cloud Services Equal Different Shared Security Responsibilities with Your CSP
[January 25, 2023] 2 Top Security Problems that AWS Users Cause Themselves
[January 25, 2023] AWS Cybersecurity Best Practices—From Amazon’s Security Solutions Architect
[January 23, 2023] Cyber Insurance Considerations for DIB Orgs
[January 23, 2023] Export Controlled Data: What is It and Why Should We (as a US Government Contractor) Care?
[January 23, 2023] DIB Orgs: Here’s How to Avoid False Claims Act Sanction
[January 23, 2023] Should You Voluntarily Disclose a CUI Incident or Data Breach?
[January 23, 2023] CUI Basic and CUI Specified—What’s the Difference
[January 23, 2023] Understanding the Legalities around Controlled Unclassified Information (CUI)
[January 18, 2023] Security Staffing Moves for a Down Economy
[January 18, 2023] Want to Work Smarter Not Harder in a Down Economy? Embrace Security Automation.
[January 18, 2023] In a Down Economy, Ensure You’re Getting the Max from Security Investments
[January 18, 2023] Why You Should Keep Making Needed Security Investments in a Down Economy
[January 18, 2023] Why Aligning Cybersecurity with Trusted Frameworks is More Important than Ever in a Down Economy
[January 17, 2023] A Cybersecurity Strategy is More Critical Than Ever in a Slow Economy
[January 17, 2023] John Verry’s Top 10 Ideas to Advance Security and Compliance Even in a Tight Economy
[January 13, 2023] CMMC Rulemaking Changes Again—What’s the Timeline Now?
[January 5, 2023] Leveraging OOTB “Policy as Code” for Cloud Security Posture Management
[January 5, 2023] Addressing False Positives and Alert Fatigue across Enterprise Security Tools
[January 5, 2023] Your Cloud Security Posture Needs Both Preventive and Detective/Corrective Components
[January 4, 2023] Governance as Code—Is It the Answer to Cloud-Native Security?
[January 4, 2023] Security, Compliance and Governance in the Cloud—How Do They Relate?
[January 4, 2023] Dynamic Relationships between Governance, Security, and Compliance
[December 28, 2022] Is Your Board Prepared for the SEC’s New Cybersecurity Regulations?
[December 20, 2022] Is Attack Surface Management Right for SMBs?
[December 20, 2022] Factoring Third-Party Risk into Attack Surface Management
[December 19, 2022] How Much of Your Attack Surface is Beyond Your Visibility?
[December 19, 2022] Is It Still a Data Breach if the Data was Outside Your Infrastructure?
[December 19, 2022] How Do Assets Relate to Attack Surface Management?
[December 15, 2022] What is Digital Business Risk Management and Why is It So Valuable to Security Leaders?
[December 15, 2022] Is Digital Business Risk Management the Future of Attack Surface Management?
[November 23, 2022] Monitoring Security of Your Deployed Public Cloud Application
[November 22, 2022] Validating Security Within Your DevOps Pipeline
[November 10, 2022] Time’s (Almost) Up for California Privacy Compliance
[November 21, 2022] Skills to Look for in Developers to Move Your Applications to the Cloud
[November 18, 2022] Should We Containerize Our Cloud-Based Application?
[November 17, 2022] Should You Outsource Managing Your App Along with Building It?
[November 16, 2022] Are There Any Simple Templates to Help Manage a Secure Web App in the Public Cloud?
[November 15, 2022] The Complexities of Deploying a Secure Application in the Cloud
[November 14, 2022] What are a New Privacy Lead’s Biggest Challenges? (From a Fortune 500 CPO)
[November 11, 2022] Tips from a Fortune 500 CPO on Automating Your Privacy Program
[November 10, 2022] Tackling the Legal Side of Privacy without Becoming a Lawyer
[November 9, 2022] How Does Physical Security Tie into Privacy?
[November 7, 2022] The New Intersection of Privacy and Security (from a Fortune 500 CPO)
[November 7, 2022] The Intersection of Privacy & Security
[October 26, 2022] What Will It Take to Survive a Third-Party CMMC Level 2 Assessment?
[October 26, 2022] DIB Orgs: Here’s What’s Up with CMMC “Flowdown” and New Pressures from Primes
[October 25, 2022] We Don’t Think We Need CMMC Level 2 but the Government Says We Do…
[October 25, 2022] Should We Pursue a Voluntary CMMC Assessment?
[October 24, 2022] Is There a Path for Non-US Companies to be CMMC Certified?
[October 24, 2022] ISO 27001 Certified Orgs—Here’s the Latest on CMMC Reciprocity
[October 24, 2022] House Approves Updated FedRAMP Authorization Act
[October 21, 2022] Can SMBs Afford CMMC Level 2 Certification?
[October 21, 2022] When Do We Need to Be CMMC 2.0 Certified?
[October 20, 2022] DIB Orgs: Here are Answers to Your Top CMMC Encryption and MFA Questions
[October 20, 2022] Does My DIB Org Need a SIEM for CMMC Compliance?
[October 19, 2022] Your Top CMMC Questions Answered
[October 14, 2022] SME InfoSec Leads: Here’s How to Kickstart a Privacy Program
[October 17, 2022] How Automation Can Help Operationalize a Privacy Program
[October 13, 2022] How Automation Can Help with Data Privacy Impact Assessment
[October 12, 2022] SMEs: Do You Know Where All Your Customers’ Personal Data Resides?
[October 11, 2022] SMEs: Are Your Customers Pushing You Towards a Privacy Program?
[October 10, 2022] The Two Audiences For Privacy & How They Drive Data Collection
[October 7, 2022] Is Cybersecurity Certification Worth the Effort?
[October 6, 2022] Can Disaster Recovery and Business Continuity Help with Software Supply Chain Risk Assessment?
[October 5, 2022] Can Cybersecurity Frameworks Help with Software Supply Chain Risk Management?
[October 4, 2022] Supply Chain Risk Management and Third-Party Risk Management: What’s the Difference?
[October 3, 2022] What is Software Supply Chain Risk Management and Why Should We (as an Org That Uses Software) Care?
[October 3, 2022] The FTC’s Intensified Prosecution of Deceptive Cybersecurity and Privacy Practices: Here’s What You Should Know
[September 30, 2022] Unpacking Critical Elements of Supply Chain Risk Management
[September 30, 2022] PATCH Act Legislation Could Expand Medical Device Manufacturing Cybersecurity Regulations
[September 27, 2022] NIST Update on HIPAA Security Rule Can Help Your Org Reduce ePHI Risk Exposure
[September 19, 2022] OMB Mandates US Federal Agencies to Comply with NIST Guidance on Software Supply Chain Security
[August 8, 2022] How Does the NIST Secure Software Development Framework (SSDF) Compare with OWASP SAMM, BSIMM, etc.?
[August 4, 2022] What is the Software Development Lifecycle and Why is It Central to Software Security?
[July 28, 2022] The Cyberspace Solarium Commission Report and CMMC—How Do They Connect?
[July 28, 2022] We Need Public/Private Partnership to Fight the Cyber War We’re In
[July 27, 2022] What is the Cyberspace Solarium Commission Report and Why Should I Care?
[July 22, 2022] How Does DevOps Impact Your Database Security?
[July 21, 2022] How Moving to the Cloud Impacts Your Database Security
[July 20, 2022] 3 Reasons Why Database Security is Undervalued
[July 20, 2022] 5 Top Database Risks You Didn’t Know You Had
[July 19, 2022] Confronting the Wild West of Database Security
[July 18, 2022] The Argument for More Board-Level Cybersecurity Expertise
[July 15, 2022] What is “Secure By Default” and How Do We Get There?
[July 14, 2022] Looking Beyond Trusted Frameworks to Achieve Robust Cybersecurity
[July 13, 2022] Bridging the Gap Between Cybersecurity and the Business World
[July 8, 2022] Does Your Cyber Liability Insurance Fit with Your Total Insurance Coverage?
[July 8, 2022] 3 Top Reasons Why an Attorney Should Review Your Cyber Liability Insurance Policy
[July 8, 2022] Are Cyber Liability Insurance Companies (Entirely) to Blame for Today’s Onerous Premiums?
[July 8, 2022] Why Cyber Liability Insurance Has Become the “Wild West”
[July 7, 2022] Legal and Infosec Strategies to Deal with Exploding Cyber Liability Insurance Premiums
[September 1, 2022] DIB Orgs: Time is Almost Up for DFARS and NIST 800-171 Compliance
[August 26, 2022] What is the OWASP Software Assurance Maturity Model (SAMM) and Why Should We (as an Org That Develops Software) Care?
[August 26, 2022] Applying the OWASP Software Assurance Maturity Model (SAMM) in Your Environment
[August 30, 2022] OWASP SAMM’s 5 Business Functions Unpacked
[August 29, 2022] BSIMM and OWASP SAMM Compared
[August 29, 2022] Using OWASP’s Software Assurance Maturity Model (SAMM) and Application Security Verification Standard (ASVS) Together
[August 25, 2022] Breaking Down the Latest in Software Security Standards & the Impact on SaaS Businesses
[August 23, 2022] Top Use Cases for Continuous API Security
[August 22, 2022] What is Continuous API Scanning and Why Should We (as App Developers) Care?
[August 22, 2022] What are the Financial Benefits of API-Level Security?
[August 19, 2022] How Does an API-First Architecture Affect Your App Attack Surface?
[August 19, 2022] Application Security and API Security are Becoming Synonymous—Are You Ready?
[August 18, 2022] What You Need to Know about APIs and API Security
[August 12, 2022] Aligning Security with Business Goals to Create More Value
[August 12, 2022] The “Value Creation” Side of Return on Security Investment (ROSI) Estimates
[August 11, 2022] A Risk-Based Approach to Calculating Return on Security Investment (ROSI)
[August 11, 2022] Return on Security Investment (ROSI): What is It and How Do You Calculate It?
[August 10, 2022] How to Measure the Value of Information Security
[August 8, 2022] What’s the Effort to Align Your Dev with the NIST Secure Software Development Framework (SSDF)?
[August 4, 2022] Making the Most of the CMMC Assessment Guidance from the CyberAB
[August 5, 2022] Here’s Why Software Vendors Should Align with the SSDF Whether Mandated or Not
[August 5, 2022] Why Does the USG Think We Need the NIST Secure Software Development Framework (SSDF)?
[August 4, 2022] What is the NIST Secure Software Development Framework and Why Should We (as a Software Vendor) Care?
[August 3, 2022] What NIST’s Secure Software Development Framework Means to You
[July 26, 2022] US Gov. Cybersecurity Roadmap: Where Did It Come From and Where Is It Going?
[August 1, 2022] US Government Threat Intelligence Programs: Where Are They Headed?
[July 29, 2022] Recent White Papers from the Cyber Solarium Commission—What is Their Purpose?
[July 29, 2022] What is the Cyberspace Solarium Commission 2.0 Project and Why Should I (as a US Citizen) Care?
[July 27, 2022] What is Continuity of the Economy Planning and Why Should I (as a US Citizen) Care?
[July 21, 2022] Your Database Attack Surface is Bigger than You Think
[July 14, 2022] The Strategy Behind the Gula Tech Adventures Portfolio
[July 18, 2022] Why Philanthropy is Important in Cybersecurity
[July 14, 2022] How Do You Know If Your Business is Really Secure?
[July 11, 2022] What is a Breach Counselor and Why Do We (as an Org with Cyber Liability Insurance) Care?
[July 11, 2022] Do You Know Your Cyber Liability Insurance Obligations?
[June 30, 2022] CMMC 2.0: Is Certification Worth the Cost and Risk?
[June 29, 2022] CMMC 2.0: Choose Your Registered Provider Organization Carefully
[June 28, 2022] CMMC 2.0: DoD Emphasizes “Nothing Has Changed” (So Why Aren’t You Ready?)
[June 27, 2022] CFIUS Cybersecurity Considerations: Here’s What You Need to Know
[June 27, 2022] CMMC 2.0: DoD Clarifies Rollout Schedule and More
[June 24, 2022] Benefits of Categorizing NIST 800-171 Requirements as Technical Versus Nontechnical
[June 24, 2022] Important Clarifications on CMMC v2 from CMMC Day, May 9, 2022
[June 16, 2022] What Really Drives Innovation in Cybersecurity?
[June 16, 2022] Are We More or Less Secure than 20 Years Ago?