Phishing Tests: A Waste of Time?
In the ever-evolving landscape of cybersecurity, one practice has become almost ubiquitous: phishing tests/simulations. Organizations deploy these tests with the intention of fortifying their defenses, but I genuinely feel that constantly bombarding users with phishing simulations is a waste of time. Yes, this view may be seen as controversial, but I wanted to take a moment to explain why I feel phishing tests might not be the panacea they are…
Addressing the Pain Point: Determining Severity for Findings in Consulting Reports
In the consulting world, the one consistent deliverable across all engagement types is the report, which often becomes a focal point for clients. It not only raises awareness for what was found, but many times can also be the justification they desperately need to take back to their leadership to justify additional resources whether it be people, processes, and/or technology. Yet, despite the uniformity in deliverable expectations, there’s a significant…
Turning the Page: Why I Chose to Leave Consulting Behind for a More Grounded Future
In this blog post, I want to share with you all the personal and professional journey I’ve been on, leading to my decision to leave the consulting world and return to being an individual contributor with an asset owner/operator. I’ll dive deep into my reasons behind this shift, and I want to apologize upfront for any strong language that might slip through. This topic is close to my heart, and…
Building Trust as a Penetration Tester: The Key to Effective Client Relationships and Impactful Advice
In the world of cybersecurity, the role of a penetration tester is not just about identifying vulnerabilities but also about building a relationship of trust with the client. This trust is essential for the client to take the advice and feedback seriously and act on it. Here’s how to establish and maintain this crucial trust: Establishing Trust: More Than Just Pointing Out Flaws As a penetration tester, the initial interaction…
The Pitfall of Overspecialization in Cybersecurity Job Postings: A Call for Generalist Roles
In the ever-evolving landscape of cybersecurity, the trend in job postings towards hyper-specialization – pigeonholing professionals into narrow fields like vulnerability management, identity & access management, or network security – is not just puzzling but also deeply concerning. This approach, widely adopted across the industry, raises several critical questions that need addressing. Why Aren’t Generalists Celebrated? In a field as dynamic and interconnected as cybersecurity, the value of a generalist…
Living Off the Land: A Dying Breed in Cybersecurity
As technology continues to evolve at speeds faster than ever could be thought possible, so does the cybersecurity industry. With this growth, there is an influx of tools designed to simplify tasks, optimize processes, and promise unbeatable security. But herein lies a danger – an over-reliance on these tools. The “old-school”, ingenious principle known as ‘living off the land’ is, unfortunately, becoming a dying breed in cybersecurity. The Reliance on…
The World of OT Cybersecurity..
The world of OT cybersecurity is mired in a frustrating cycle of back-and-forth that often feels like an endless maze of our own creation. At the heart of this is the plethora of compliance frameworks, each subtly different from the next, leading to a chaotic and confusing landscape. Customers are left bewildered, trying to decipher which framework is the “best” or most relevant for their needs. This confusion is a…
The Market Is Flooded With Products…
The market is flooded with products that propose solutions to non-existent problems. This trend not only misdirects valuable resources but also detracts from the true potential of existing technologies in improving industrial operations. The industry is witnessing an influx of gadgets and software boasting advanced features or niche applications that, while technologically impressive, do not address the core needs or existing challenges of industrial control systems. The essential question for…
10 Reasons Why Cyber Policy Exclusions Aren’t What You Think
In today’s hyper-connected world, organizations are constantly striving to fortify their cyber defenses. From firewall configurations, network segmentation, to intrusion detection systems, there’s a myriad of tools and techniques at our disposal. However, a common practice among many teams is to implement broad cyber exclusions in their security tools, either to reduce false positives or enhance system performance. While the intent is often noble, this approach can unwittingly weaken an…
Pertinent Issues Concerning Penetration Tests and Vulnerability Assessments in OT
Recently, my experiences in the ICS/OT cybersecurity space have compelled me to address a few pertinent issues concerning penetration tests and vulnerability assessments. Through this post, I hope to shed light on some common misconceptions and underscore the genuine value behind these activities. The Frustrations of Premature Penetration Testing It’s not uncommon for organizations to jump onto the penetration testing bandwagon and without truly understanding its prerequisites. I have frequently…