The Securities and Exchange Commission Continues to Enforce Cybersecurity Controls for Publicly Traded Companies


The Securities and Exchange Commission (SEC) continues to convey the importance of cybersecurity for publicly traded companies by finalizing additional rules requiring disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant’s cybersecurity risk management, strategy, and governance in annual reports. The rationale, in my opinion, is to strengthen, enhance, and standardize a registrant’s cybersecurity control measures and to reduce inaccuracies in the financial statement reporting produced by its information systems.

SEC Rule Interpretation

What does this mean for publicly traded companies? Before I interpret the final ruling, I would like to emphasize the Commission’s dedication to effective cybersecurity risk and controls for publicly traded companies. As far back as 2011, the Division of Corporation Finance issued interpretive guidance providing its views concerning operating companies’ disclosure obligations relating to cybersecurity. In 2018, the Commission also issued interpretive guidance to public companies on fulfilling their obligation to take all required actions to inform the investment community and investors about their significant cybersecurity risks and incidents in a timely manner. So, the direction and intent of the Commission regarding cybersecurity risk and controls management should come as no surprise to companies.

Now, the interpretation. In their disclosures, publicly traded companies must:

  1. Report a material cybersecurity incident within four business days after determining that such an incident is material.
  2. Describe their processes for assessing, identifying, and managing material risks from cybersecurity threats and whether those risks are reasonably likely to materially affect their business strategy, operations, or financial condition.
  3. Disclose their cybersecurity governance practices, including the board’s oversight of cybersecurity risk and management’s process to manage, monitor, detect, mitigate, and remediate cybersecurity incidents.
  4. Comply with the cybersecurity incident reporting obligations 90 days after publication in the Federal Register or by Dec. 18, 2023, whichever is later.
  5. Smaller reporting companies are given an additional 180 days to comply with the final rule.

In my analysis of the final rule, it is well aligned with other incident reporting rules and improves a public company’s ability to mitigate its cybersecurity risks and prevent financial statement inaccuracies. Additionally, the rule helps a registrant avoid having to restate its financial statements or, more importantly, suffering a reduction in investor confidence.

The Pathway Forward

In closing, companies shouldn’t see the Commission’s rules and requirements as an additional burden of cybersecurity risk management; rather, they should see them as a means of improving their risk and control processes, increasing investor confidence, and providing some level of competitive advantage. My recommendations for adhering to the rule requirements are:

  1. Cybersecurity leaders should ensure that their cybersecurity program is well aligned with business objectives and strategies. Too often, I see cybersecurity programs and business strategies move in totally opposite directions, resulting in a lack of inclusion, oversight, and awareness of the latest security threats.
  2. Chief Information Security Officers and Chief Information Officers should have a say in boardroom discussions regarding cybersecurity and information risk management. The Commission expects the Board of Directors to be well informed regarding cybersecurity matters. The most effective way of getting that information is direct and periodic communication with IT leaders.
  3. Build an effective governance and compliance program that aligns not only with the SEC requirements but with other applicable regulations. When complying with federal mandates, an effective compliance program is key.
  4. Develop and implement effective cybersecurity control procedures based on industry standards (e.g., the NIST Cybersecurity Framework or its 800-series, ISO cybersecurity and risk management standards). Risk assessment and management strategies should be defined, aligned, and disseminated across the organization, and, more to the point, incident response policies and procedures should be implemented and kept current. These controls should be tested on frequent cycles, with gaps documented and corrective actions performed in a timely manner.
  5. Internal Audit and Cybersecurity Teams should be tightly integrated. This ensures that governance, risk, and compliance processes are implemented, controls are tested, and remediation is performed in a timely manner.



James Sayles, BS, MBA, DDiV
GRC-Fellow/Professional, Certified Information Security Officer, CISSP, CGEIT, CISM, CRISC, CIA, CISA, CFE, CIPP-US/EU
Sr. Director, Advisory Services – CyberOne Security

Where Are All the Entry-Level Cybersecurity Jobs?

Ten tips for finding your first job by building up your cybersecurity knowledge and experience.

Congratulations to the class of 2023, and welcome to the job market! If you’re interested in cybersecurity, you may be frustrated that most entry-level positions require two to three years of experience. And if everything requires experience, then nothing is really an “entry-level job,” right?

It leaves you wondering: WHERE ARE ALL THE JOBS?

Here’s what’s going on. Hiring companies normally post jobs seeking an “entry-level expert” in cybersecurity. They are looking for someone with a combination of technical product knowledge and experience performing investigations, troubleshooting, and response activities.

You may not have these skills right out of the gate, so here are 10 ways you can build your cybersecurity resumé:

  1. Gain Baseline Knowledge in Cybersecurity.
    At a minimum, you should have the Security+ Certification from CompTIA. These topics are some of the most important aspects within the industry, and prospective employers want you to know the basics. The Security+ certification provides a basic understanding of the terms, concepts, and approaches you will need for day one. This is non-negotiable and is a necessary certification to get started in this industry.
  2. Get Cloud Certified.
    Cloud technology is the core of every IT department, and it is critical for you to understand. Whether you want to be a developer, auditor, analyst, or consultant, you need to know cloud-related terms and approaches. Amazon, Azure, and Google all offer free introductory courses for understanding their cloud platforms and the basics of security. Earning their initial certifications or accreditations is necessary to prove your knowledge.
  3. Train on a Leading Technology.
    In addition to cloud knowledge, having an exact platform skill is a game-changer for your resumé. Increasing your knowledge and experience with the largest companies in cybersecurity will never fail. You can get in on the ground floor with these companies as an engineer or analyst who helps respond to alerts, works with help desk tickets, and manages users, but you won’t be given full administration rights on day one. Leading companies such as Microsoft, Palo Alto Networks, Fortinet, Okta, Splunk, Proofpoint, CyberArk, Trellix, SailPoint, and Cisco all have platforms in use by a majority of Fortune 1000 corporations, and there are positions open to help run and manage these environments. Many of the cybersecurity companies mentioned above offer free training or a test drive of their products and platforms to help you prepare.
  4. Focus on Operations.
    ITIL certifications are rare these days. ITIL is an adaptable framework for managing cybersecurity. Having an ITIL approach to platform management really shows that you have your act together and separates you from the pack.
  5. Seek Out Advice.
    Join a local association meeting and start networking within the industry. Ask questions to determine what real security managers need in their departments. Associations such as ISSA, ISACA, and CSA are great places to start. Ask about mentor programs or other ways to get involved to meet members in the community.
  6. Start at the Help Desk.
    This has long been the best in-road for getting started in the IT industry by understanding the company, its requirements, and the technologies it has in place. This position allows you to work with a variety of users and provides an opportunity to understand the overall skill level needed to succeed.
  7. Consider Temp or Contract Work.
    Companies are constantly looking for temporary staff members to fill openings when they cannot justify a full-time position. Leveraging a temporary placement will help you get the real-world experience you need and allow you to show off your skills to the hiring manager.
  8. Remember, Your First Job Won’t Last Forever.
    Companies make a sizable investment in your first year of employment and do everything possible to reduce the cost of your position. Think of your first few years as a part of your job search, and put in the extra hours at a consulting firm or systems integrator to get some of the best training possible for success later in your career.  You may be up for a career change or find your niche in a particular area of IT.
  9. Show You Can Train Yourself.
    Online training is practically free, and it is a critical requirement for anyone hoping to join a cybersecurity team. There is an abundance of online providers, and training in cybersecurity has never been more accessible. Look for deals from StackSocial. You can get a full bundle of certifications for less than $50. Employers will know that you are able to quickly onboard to new technologies and teach yourself versus waiting for expensive in-person training.
  10. Attend Local Cybersecurity Conferences.
    Student rates are often available, making it inexpensive to attend local cybersecurity events. Learn about the latest industry trends, understand and speak with the vendors, network with others in the space, and have a good time. You may need to contact the conference manager directly to ask for a discount code, student rate, or even volunteer to help with the event.

These tips for finding entry-level cybersecurity positions will prepare you with the skills you need to get a foot in the door and have a successful career in cybersecurity. Hiring managers are looking for ambition, fast ramp-up times, and knowledge about existing products. While the job market for new graduates may seem tight, it still has advantages. If you’re willing to do the work to stand out, you will have a better chance of hearing that you’re the best candidate for the position.


About the Author

Ricky Allen, an ISSA Fellow, is the Field CISO for CyberOne Security, where he provides security architecture design and leadership management for customers across the country. Allen was President of the South Texas ISSA chapter, and he holds certifications in SABSA Security Architecture, CISSP, CISA, and Six Sigma. Previous roles include time at Accenture as an executive in their strategic information security consulting practice and at HP Enterprise Security Products as the Practice Lead for developing Security Operations programs for ArcSight SIEM products. Allen focused on the retail and manufacturing industries while at PwC, where he managed penetration testing and risk assessments for companies across the US. He has presented at conferences such as BSides, Black Hat, API Cybersecurity, HOU.SEC.CON, SANS, SecureWorld, and Data Connectors. Allen is based in Houston, TX and earned a degree in Management Information Systems from Texas A&M University.


What’s New with NIST 2.0 Cybersecurity Framework?

A look at upcoming changes to the standards, guidelines, and practices that organizations of every size need to manage and reduce cybersecurity risk.

By Glenn Sweeney
vCISO at CyberOne Security


The NIST Cybersecurity Framework was originally created in 2014 to give federal users a common standard by which to measure their cybersecurity assessment efforts. Since then, the framework has evolved to include corporate users, who have had ongoing input into its content. The NIST Cybersecurity Framework is a living document that is regularly refined and improved based on stakeholder feedback to keep pace with changing technology and threat trends.

As a vCISO at CyberOne Security, I actively participate in discussions to help improve the NIST Framework. The scope of CSF 2.0 will cover all organizations across government, industry, and academia to boost its broader use. As stated in the current NIST 2.0 concept paper, a primary goal of cybersecurity measurement and assessment is to determine how well an organization is managing cybersecurity risk, and if and how they are continuously improving. Following are four areas that are being updated to make NIST 2.0 more robust for federal and industry users:

  1. A New “Govern” Function Will Be Added to Core

The NIST Framework Core formerly consisted of five continuous functions — Identify, Protect, Detect, Respond, and Recover. The upcoming version will also include “Govern,” which will address the importance of aligning cybersecurity activities with business risks and legal requirements.

In the past, cybersecurity governance was addressed in the “Identify” function. Addressing it as a function reflects its high importance and allows NIST to go deeper into the topic. The new “Govern Function” will cover four areas that are critical to broad defense and recovery, including:

  • Determining the priorities and risk tolerances of the organization, customers, and larger society
  • Assessing cybersecurity risks and impacts
  • Establishing cybersecurity policies and procedures
  • Understanding of cybersecurity roles and responsibilities

I like to think of Govern as the foundation of a house. It ensures that the entire infrastructure aligns with organizational policies and legal requirements, so it is more stable and secure from the ground up.


  2. Supply Chain Risk Will Be Added to the Identify Function

Technologies and computing services like cloud enable organizations to do business with people and groups all over the world, but they also open enterprises up to third-party vulnerabilities. Feedback from NIST 2.0 respondents makes it clear that supply chains are a top risk. Adding Supply Chain Risk to the Identify Function provides an opportunity to go deeper and provide broader guidance on addressing third-party risk. This may include the need for special teams within the organization that are focused on these specific risks. Feedback will inform the final draft of NIST CSF 2.0. You can submit your feedback on this discussion draft at any time.


  3. Respond & Recover Will Be Added to Incident Response Management

Artificial intelligence (AI) is one of the newest and most versatile weapons in the arsenal of bad actors, and it serves as a strong reminder that even the best defenses can be breached. Organizations need a well thought out recovery plan to limit damage while maintaining business as usual. For this reason, NIST 2.0 is expanding consideration of outcomes in the CSF Respond and Recover Functions to include Response and Recovery management. This section may include subtopics such as indirect mitigation, recovery plan execution, and incident forensics. Content is being changed or added to keep up with new and emerging threats and ensure that organizations can accurately assess how prepared they are to recover critical assets and sensitive information and keep their businesses running in the event of a breach.


  4. Updated Digital Identity Guidelines

Finally, NIST 2.0 will also include revised Digital Identity Guidelines with updates to the CSF’s identity management, authentication, and access control category. Through these updates, NIST 2.0 will provide a roadmap for assessing the strength of your approach to managing identities and access that is more tailored to today’s threat landscape.

In my role at CyberOne Security, I leverage NIST to ensure my assessments are as relevant and thorough as possible. As a participant in the process of updating NIST 2.0, I think these new updates will cover a lot of ground in the ongoing effort to keep up with changes to the threat landscape.

If your organization needs help assessing its current security posture, contact CyberOne for customized exposure management support that prioritizes the unique risks to your business. We can help you develop a strategic and tactical roadmap based on previous assessments of your cybersecurity program.


About Glenn Sweeney


Glenn Sweeney is a successful information security leader with over 20 years of cybersecurity technical and managerial experience supporting many types of industries, from small to large enterprises. He has a passion for helping businesses create a cybersecurity strategy and program using the latest frameworks such as NIST, ISO, IEC, and CIS, giving them the direction they require to succeed in implementing, managing, and administering a proven security program. Glenn holds a long list of information security certifications, including Certified Information Systems Security Professional (CISSP), SANS GIAC-GSEC, SANS GIAC Certified Incident Handler, Certified HIPAA Security Expert (CHSE), Certified Cybersecurity Awareness Professional (CCAP), EC-Council Computer Hacking Forensic Investigator (CHFI), and CompTIA Security+.

Does Your Organization Need a Cloud Security Architect? Part 2 of 2

Continuing the thought from my previous blog, Does Your Organization Need a Cloud Security Architect?

Building a Strong Cloud Posture: Key Considerations for Cloud Cyber Architects

When it comes to deploying and managing cloud services, security should be a top priority. In this blog, we will explore three vital aspects that organizations should focus on during the building out of their cloud environment: segmentation, policies (identity-based and organizational), and infrastructure as code (IaC). By understanding the importance of these elements, businesses can enhance their cloud security measures and mitigate potential risks.

Segmentation: A Fundamental Security Measure

One reason organizations separate workloads in data centers, by geographical location and within a location, is to satisfy security requirements. For the same reason, cloud environments should also establish segmentation boundaries for workloads. Thinking back to the house analogy in my previous post: a house has doors between various rooms; some of those doors leverage deadbolt locks, while others are secured by children who have simply posted “Stay Out!” on the door. The key takeaway here is that segmentation should be defined to handle various types of sensitive workloads and data. Segmentation is accomplished by leveraging both cloud accounts and cloud objects. Regardless of the chosen CSP (AWS, Azure, GCP, etc.), they all have essentially the same approach for organizing accounts as well as the constructs for cloud objects (VPCs, subnets, NACLs, security groups). Organizations typically leverage segmentation to isolate the following environments: Production, Development, Sandbox – with micro-segmentation possibly taking place within those environments. Mature, security-minded organizations will leverage dedicated accounts for Security and Infrastructure services. Deploying all workloads in a single account, relying on a single VPC/subnet, is suboptimal even for smaller organizations.

Establishing Effective Cloud Policies

After completing the segmentation, it is crucial for the organization to prioritize the establishment of policies for effectively controlling cloud consumption. This sequence is essential due to the nature of how cloud policies are formulated, which are primarily based on the account and object structures. Three key types of cloud policies exist:

  1. Account policies: These policies are applied at the organizational/account level, providing users with broad controls to limit actions. Examples include enforcing encryption, restricting object deployment to specific regions, and denying high-risk or unapproved cloud services.
  2. IAM policies: IAM (Identity and Access Management) policies define who can perform specific actions and should adhere to the principle of least privilege. They can be used independently or in conjunction with resource-level policies to establish a defense-in-depth posture.
  3. Resource-level policies: These policies limit the actions that can be performed on cloud objects and, like IAM policies, should prioritize the least amount of privilege.

Leveraging Infrastructure as Code (IaC) for Enhanced Security

One common approach for those new to the cloud is to obtain an account and then deploy objects directly from the CSP console – I’m guilty of this approach myself. In contrast, IaC offers an organized and discrete manner of provisioning cloud resources. IaC supports automation, agility, auditing, and compliance. IaC also gives security teams the ability to examine what the object owner intends to push to the cloud before it is deployed, aligning with the principles of DevSecOps. Security teams have two approaches for the inspection: manual review of the code, or leveraging cloud-native or third-party tools. Obviously, the manual approach is time-consuming, but it opens up opportunities for the security team to see specific aspects of the cloud service that might conflict with organizational policies. Leveraging tools, native or third-party, to perform the review can be beneficial because they provide built-in compliance frameworks. Ideally, organizations should combine both approaches based on contextual insight, allowing for a comprehensive security assessment. Going back to the house analogy, IaC provides the ability to compartmentalize your cloud environment and allows any reinspection by the security team to consist only of what is being requested to change.
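As an added example that ties the three policy types above to the IaC review step (this is illustrative code written for this page, not the author’s or CyberOne’s tooling), the following Python gate reviews a constructed, simplified Terraform-style plan against account-level guardrails, an IAM least-privilege rule and resource-level rules. The approved-region list, the denied service and every sample resource are assumptions made up for the example.

```python
import json

# Assumed organizational guardrails (constructed values). In production an
# account-level policy (AWS SCP, Azure Policy, GCP org policy) would enforce
# them at deploy time; here they drive a pre-deployment review of the plan.
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}
DENIED_RESOURCE_TYPES = {"aws_lightsail_instance"}  # an unapproved service

# Constructed, simplified plan in the shape of `terraform show -json`:
# a list of resource_changes, each carrying the resource's post-apply state.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "corp-logs", "region": "us-east-1"}}},
        {"address": "aws_s3_bucket_server_side_encryption_configuration.logs",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "change": {"actions": ["create"], "after": {"bucket": "corp-logs"}}},
        {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "dev-scratch", "region": "eu-central-1"}}},
        {"address": "aws_iam_policy.ops", "type": "aws_iam_policy",
         "change": {"actions": ["create"], "after": {"policy": json.dumps({
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
        {"address": "aws_s3_bucket_policy.scratch", "type": "aws_s3_bucket_policy",
         "change": {"actions": ["create"], "after": {"bucket": "dev-scratch",
             "policy": json.dumps({
                 "Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Principal": "*",
                                "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::dev-scratch/*"}]})}}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 0, "to_port": 65535, "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_instance.old", "type": "aws_instance",
         "change": {"actions": ["delete"], "after": None}},
    ]
}


def _as_list(value):
    """Normalise IAM fields that may be either a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy_json):
    """Yield the Allow statements of an inline JSON policy document."""
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") == "Allow":
            yield stmt


def review_plan(plan):
    """Return (policy_type, resource_address, message) findings for a plan."""
    changes = plan["resource_changes"]
    findings = []
    # Buckets that receive a server-side-encryption configuration in this plan.
    encrypted_buckets = {
        c["change"]["after"]["bucket"] for c in changes
        if c["type"] == "aws_s3_bucket_server_side_encryption_configuration"
        and c["change"].get("after")
    }
    for c in changes:
        after = c["change"].get("after") or {}  # None for deletions: nothing to review
        if not after:
            continue
        addr, rtype = c["address"], c["type"]

        # Account-level guardrails: approved regions, approved services, encryption.
        region = after.get("region")
        if region and region not in ALLOWED_REGIONS:
            findings.append(("account", addr, f"region {region} is not approved"))
        if rtype in DENIED_RESOURCE_TYPES:
            findings.append(("account", addr, f"service {rtype} is not approved"))
        if rtype == "aws_s3_bucket" and after["bucket"] not in encrypted_buckets:
            findings.append(("account", addr, "bucket has no encryption configuration"))

        # IAM policies: flag Allow on every action over every resource.
        if rtype == "aws_iam_policy":
            for stmt in _allow_statements(after["policy"]):
                if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
                    findings.append(("iam", addr, "Allow * on * violates least privilege"))

        # Resource-level policies: flag grants to any principal.
        if rtype == "aws_s3_bucket_policy":
            for stmt in _allow_statements(after["policy"]):
                if stmt.get("Principal") in ("*", {"AWS": "*"}):
                    findings.append(("resource", addr, "bucket policy grants access to any principal"))

        # Segmentation: flag ingress open to the internet on every port.
        if rtype == "aws_security_group":
            for rule in after.get("ingress", []):
                if ("0.0.0.0/0" in rule.get("cidr_blocks", [])
                        and rule["from_port"] == 0 and rule["to_port"] == 65535):
                    findings.append(("resource", addr, "ingress open to 0.0.0.0/0 on all ports"))
    return findings


if __name__ == "__main__":
    for policy_type, addr, msg in review_plan(SAMPLE_PLAN):
        print(f"[{policy_type}] {addr}: {msg}")
```

Because the review is keyed to the plan rather than to the whole account, a re-review after a change only has to consider the resources in the new plan, which is the compartmentalization benefit the paragraph describes.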

Final Thoughts

In today’s cloud-driven landscape, prioritizing security is paramount for organizations deploying and managing cloud services. Segmentation, accomplished through the strategic use of cloud accounts and objects, is vital for effectively handling different types of sensitive workloads and data. Establishing effective cloud policies allows for granular control over cloud consumption and fosters a defense-in-depth posture. By embracing IaC, organizations can provision cloud resources in an organized, automated, and compliant manner with effective collaboration between development, security, and operations teams. By combining manual review and tool-based assessments, organizations can achieve a comprehensive security assessment. Embracing these aspects empowers organizations to build a robust and secure cloud environment for their critical workloads.


About Marc

Marc Hall is a senior security architect with CyberOne Security. Marc previously held a variety of roles at Raytheon Technologies over a span of 18 years focusing on architecture, design, and development of information systems within various business units and at Ericsson as a software developer. Over the years he has shaped enterprise cyber and infrastructure cloud strategy, established cybersecurity guardrails for cloud platforms and services leveraging cybersecurity frameworks, designed and developed mission critical defense systems, managed red teaming exercises targeting defense systems, and researched and developed novel solutions to support customer requirements. Marc is based in Dallas, TX and has a B.S. in Computer Science (University of Texas at Dallas) and a M.S. in Security Engineering (Southern Methodist University).

Does Your Organization Need a Cloud Security Architect? Part 1 of 2

Building a Strong Framework

Cloud almost always disrupts business as usual. A cloud security architect can see the cracks that can be missed by native or third-party tools and by less experienced, non-cloud security professionals.

Over nearly a decade in cloud security, I’ve noticed some common missteps among enterprises that deploy cloud infrastructure and services, whether through Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). Often, they begin to consume cloud services without establishing a solid security foundation during the development and deployment of their cloud infrastructure and workloads. Similarly, cloud administrators may rely on overly permissive identity and access management (IAM) policies. Hiring a cloud security architect is like hiring a contractor to build a house. A professional has the experience and expertise to lay a strong foundation and oversee construction of the framework, so you can have confidence that your build will be secure even if you choose to add on in the future.

The Role of Cloud Security Architects

Cloud security architects bring deep experience from the trenches of designing and implementing secure cloud solutions. They may work with your application teams on one day and your infrastructure team on another. But their most valuable role is taking a broad view of your entire organization, its consumption of cloud, and how corporate and applicable regulatory/compliance security policies are adhered to on a day-to-day basis.

As a cloud security architect myself, I see the role as that of a contractor overseeing the construction or renovation of a house. All too often, the house has already been built on a poor foundation before the security team gets involved. This commonly occurs when a team has been directed to quickly move to the cloud and assumes “the cloud is secure” – clearly, because someone else is managing it. When they start building the house, organizations tend to leverage agile approaches, which certainly align with cloud adoption, BUT thought must be put into how the agile methodology accounts for pouring the foundation. As well, organizations often don’t understand how existing corporate and compliance security policies apply to the cloud, and/or they don’t understand cloud risks well enough to establish a strong foundation to build on. That can affect the entire organization down the road as cloud gains use across the enterprise. But when teams are told to “Go deploy!” they do, and commonly lay a weak foundation.

At that point, there is typically rework needed to ensure a solid foundation. There’s also a good probability that workloads will have to be moved while the rework tasks are being completed.

Involving security early and often during all phases of development can help avoid this scenario. Otherwise, someone has to go back and fix the security foundation or, even more challenging, rooms that are built upon the foundation containing the workloads. If the walls are already up and people are working (and sometimes living) in the building, it’s much more time-consuming and expensive. This is an extremely common occurrence. A good cloud security architecture expert can help by shoring up security, even as your cloud consumption increases.

Cloud Is NOT Just Someone Else’s Datacenter

While traditional architecture shares some aspects of cloud services, such as virtual machines, storage, and networking objects, cloud services create more risk due to their flexibility. Most cloud services allow for data-flow connections to other cloud services, raising the risk of bypassing traditional security control points; in some cases the data flows can even be established to non-approved accounts. Similarly, the profusion of cloud APIs allows cloud consumers to be more granular with their infrastructure and workloads, but it also increases risk. You can compare cloud to a conference center where organizers use its spaces in different ways — perhaps for a tradeshow one week and a gala the next. This type of space provides flexibility, but securing it is more difficult.

This difference between traditional architecture and cloud architecture is critical, and those who believe cloud is “just using someone else’s data center” are likely to make common mistakes that put their security at risk. One mistake is when organizations assign the role to an existing security architect who has spent his or her career supporting traditional data centers and three-tiered applications. Without cloud-specific training, a security architect may not know that cloud uses space differently or that how users move through the space impacts its security.

Another all-too-common mistake I find is that cloud account roles are sometimes given full access to all APIs within a service — or, even worse, everyone is a cloud administrator. Risk analysis should be performed on the cloud service APIs, and guardrails should be established to reduce risk for the enterprise.

As I previously said, cloud disrupts business and how we manage our infrastructure and workloads. It takes departments that were once carved up and siloed and fuses them together. Depending on how a company is organized, this can result in discussions about who owns which cloud objects and how certain business processes will function. To facilitate this shift, you need a cloud security architect with eyes across the company who can provide contextual insight into how business and security issues intersect.

How to Rate a Cloud Security Architect

Before I get into how to choose a cloud security architect, I should point out that your organization shouldn’t rely solely on cloud security services that monitor and enforce security policies, whether native or third party. Even though services such as Microsoft Defender for Cloud are designed to monitor and assist in enforcing security policies in the cloud, they don’t understand context; generally speaking, they look for best practices and recommendations against industry standards and compliance frameworks. They lack the ability to automatically translate corporate policies and security architectural principles (e.g., don’t connect production to non-production workloads or networks). Whether your cloud environment is infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS) — or even a combination of the three — you need the expert eye of a cloud security architect to work alongside the various organizations consuming cloud to ensure a solid security posture. A seasoned cloud security architect leverages their insight into your business, allowing them to maintain a high level of visibility across cloud resources, identify and manage risks before vulnerabilities are introduced within your cloud infrastructure, and maintain security policies across your enterprise.

When you choose to hire a cloud security architect, never rely on a certification alone as proof that someone is capable of designing, implementing, and defending your cloud security infrastructure. They may have the technical understanding of how to do the job, but the key way someone gains the skills and expertise needed to build and protect your house is through hands-on, trial-and-error experience. Ask prospective hires about their worst experiences supporting the design and implementation of cloud services. If they insist that every deployment was a success, they probably aren’t prepared for the worst. Hire someone who has war stories; someone who has experienced the good, the bad, and the ugly of securing enterprise cloud environments. Then you’ll feel confident they can defend your infrastructure against threats — no matter what type of unforeseen issues arise.

Final Thoughts

It’s common for an enterprise to implement cloud environments with sub-par security postures because they are pressured to move fast and lack the knowledge needed to properly secure the cloud. One common challenge with the adoption of cloud is the application of the term agile, which is a more than acceptable approach when, and only when, the architecture and all supporting aspects of the environment have been thought through. People are people, and when they are working agile, they aren’t thinking about the repercussions of every decision they make. Rearchitecting your security after the fact is a huge undertaking and can be costly. Finding workarounds and optimizing your security based on the house you have and not the one you wish you had built requires the help of an expert who can make sure your cloud security infrastructure is strong enough to defend against attacks at all levels.

No matter where your organization is in its migration to the cloud, CyberOne has the expertise to help operationalize and optimize your security environment. Connect with us to get started.


About Marc 

Marc Hall is a senior security architect with CyberOne Security. Marc previously held a variety of roles at Raytheon Technologies over a span of 18 years, focusing on architecture, design, and development of information systems within various business units, and at Ericsson as a software developer. Over the years he has shaped enterprise cyber and infrastructure cloud strategy, established cybersecurity guardrails for cloud platforms and services leveraging cybersecurity frameworks, designed and developed mission-critical defense systems, managed red teaming exercises targeting defense systems, and researched and developed novel solutions to support customer requirements. Marc is based in Dallas, TX and has a B.S. in Computer Science (University of Texas at Dallas) and an M.S. in Security Engineering (Southern Methodist University).

Artificial Intelligence: What is on the horizon?

The cybersecurity industry is under immense pressure as digital threats continue to increase and evolve. Artificial intelligence (AI) is widely understood to be a critical next step for optimizing cybersecurity processes and functions and enabling security operations centers (SOCs) to keep pace. Generative AI platforms like ChatGPT will play a leading role as SOCs find innovative ways to tap their potential for the benefit of cybersecurity teams. 

AI Continues to Advance Cybersecurity

AI offers better automation; faster, more accurate analysis; and increased visibility into your network and systems, opening up exciting possibilities for security professionals.

Many SOCs already use AI and machine learning to drive risk assessments and prioritize events, incident response, and documentation. Newer technologies such as machine learning services (MLS) from Microsoft® Azure Security Center (ASC) will further enable SOCs to automate rule creation and centrally manage rules within the MLS. One of many benefits is the ability to reduce false positives while simultaneously increasing detection accuracy overall.

Improved automation and greater risk assessment capabilities will also enable SOCs to utilize formal methods for use case content development. Automated penetration testing and breach attack simulation will become a standard requirement after each content change. 

GPT-4 Will Spark a Surge in Innovation

Chatbots are becoming increasingly vital cybersecurity tools. One of the most innovative is ChatGPT, the large language model developed by OpenAI.

ChatGPT is now in its fourth version, which the company promises to be its “most advanced system, producing safer and more useful responses.” GPT-4 can provide enhanced cybersecurity protection by utilizing AI, natural language processing (NLP), and machine learning algorithms to respond to complex cybersecurity threats.

With its gift for contextual understanding, GPT-4 can reduce or even replace many cybersecurity roles that are labor-intensive, iterative, and expensive. In addition to providing automated cybersecurity solutions at a fraction of the cost, GPT-4 can also quickly adapt to new cybersecurity threats as they arise.

Organizations that deploy ChatGPT technology for cybersecurity will progressively see their operations become more efficient, cost-effective, and secure. 

Get Ready for ChatGPT Versus ChatGPT 

Generative AI tools are transforming both how cyberattacks are coordinated and launched and how successful organizations fight back.

Bad actors are exploiting the endless possibilities of ChatGPT to quickly deploy and operationalize more sophisticated attacks. ChatGPT can mimic the input it is given and generate human-like responses that can be used to access personal data. This makes it a dangerous threat to cybersecurity teams.

ChatGPT’s ability to automatically mass produce business email compromise (BEC) communications should not be underestimated. Cleverly crafted messages can easily evade standard cybersecurity protection. It is up to us as cybersecurity practitioners to anticipate these kinds of threats and take proactive steps to tackle them before they become a real danger. Today’s cybersecurity environment has been described as an arms race between attackers and defenders, and ChatGPT is the weapon of choice.

Organizations that need to stay vigilant are struggling to keep pace, which makes it inevitable that this cybersecurity challenge will be a key focus in 2024 and beyond. As cyberattacks become increasingly complex and targeted, those organizations will need to fill more cybersecurity jobs while also looking for the latest cybersecurity tools to help protect their networks. ChatGPT fits the bill. It is advanced enough to automatically assess potential security threats and mitigate them with little to no human involvement, which makes it the perfect match for taking on a proliferation of ChatGPT-driven attacks.

ChatGPT Will Not Be Coming for Our Jobs

As revolutionary as ChatGPT is, it still has limitations and will never fully replace cybersecurity professionals — especially when it comes to being proactive and anticipating potential issues before they arise. 

At best, ChatGPT will assist with cybersecurity tasks that help make cybersecurity professionals more effective. It can also simplify tasks that once required expert-level skills, such as knowing how to update a firewall or a router to block an IP address. For example, ChatGPT might provide step-by-step instructions to walk less skilled team members through the changes.

ChatGPT can be useful for cybersecurity analytics, event log management, and audit compliance, and it can enable more efficient processes, including:

  • monitoring incoming traffic for malicious intent
  • identifying malicious actors
  • automating incident response
  • performing an attack analysis
  • detecting anomalies in security logs from different sources
  • and more

ChatGPT enables SOCs to automate security-related tasks that would otherwise be time-consuming or require iterative manual effort. Implementing it can quickly free up cybersecurity personnel so they can focus on larger, more strategic tasks that require specialized knowledge.

Cybersecurity experts will always be needed: ChatGPT will simply make them more efficient and effective, resulting in improved and evolving protection from emerging threats.


In the coming years, advanced AI will be an essential tool for updating security protocols and launching robust cyber defense initiatives. The newest version of ChatGPT, GPT-4, stands out for its advanced features that allow for greater security, faster deployment speeds, and improved performance. The platform is quickly becoming essential for preventing potential attacks or intrusions by bad actors who are already leveraging its AI-driven learning algorithms. Plus, it offers valuable guidance and role replacement capabilities. In our increasingly connected world, it is more important than ever to take advantage of this expansive technology to protect data and networks from malicious threats. Are you ready?

About the Author

Ricky Allen is the Field CISO for CyberOne Security, an ISSA Fellow and Past-President of the South Texas ISSA chapter. He holds certifications such as SABSA Security Architecture, CISSP, CISA, and Six Sigma. At CyberOne, Ricky provides security architecture design and leadership management for customers across the country. Ricky previously held roles at Accenture as an executive in their strategic information security consulting practice and at HP Enterprise Security Products as the practice lead for developing Security Operations programs for ArcSight SIEM products. Ricky was focused on retail and manufacturing industries while at PwC where he managed penetration testing and risk assessments for companies across the US. Ricky has presented at conferences such as BSides, Black Hat, API Cybersecurity, HOU.SEC.CON, SANS, SecureWorld, and Data Connectors. Ricky is based in Houston, TX and has a degree in Management Information Systems from Texas A&M University.

Attorney-Client Privilege and Cybersecurity: What’s Changed and How to Adapt

What does the recent Eastern District of Virginia decision mean for your company when you need incident response services?

What would have been a fairly straightforward question changed on May 26, 2020, with a court order issued in the Eastern District of Virginia.

The Interpretation of Attorney-Client Privilege in Cybersecurity Is Changing

In response to a March 2019 data breach, the breached company, which had an existing IR retainer with an incident response firm, decided to hire outside counsel. Outside counsel then executed a contract with the same IR vendor to conduct incident response services.

This had been standard practice for years. Until this ruling, in working with outside counsel, the report and all other work product would have been protected by the attorney-client privilege. However, the court ruled that the report must be disclosed. Prior to this decision, this was unheard of.

IR Reports Must Be Prepared in Response to Litigation for Privilege to Apply

From the ruling, the deciding issue was “whether the [IR company’s] report would have been prepared in substantially similar form but for the prospect of that litigation.” The court clarified its reasoning, stating that in order to receive protection under the work product doctrine, “the material must be prepared because of the prospect of litigation.”

While this was clearly the case, the court took the unusual position that this particular work would have been done in the ordinary course of business regardless of the prospect of litigation and was therefore not covered.

Existing Incident Response Engagements May Prohibit Attorney-Client Privilege

The published opinion indicates that the court weighed a number of factors in making that determination. Chief among these was an existing Master Service Agreement (MSA) the company had with the same IR vendor. The existing MSA dated back to 2015 and was supplemented with ongoing statements of work for similar services performed.

Pending appeal of this decision, this leaves companies that need incident response services in an awkward position.

Many Companies Have Long-Standing Incident Response Contracts

Companies that use incident response services often develop long-standing relationships with one or more IR firms. In some cases, cyber breach insurance companies demand it.

There is also an economic incentive for this kind of relationship as the IR firm learns the details of the company and can provide better service since it is familiar with the company’s environment. This decision, if upheld, would stand those established relationships on end.

It would also create a perverse incentive for the company to hire a separate IR firm through outside counsel to react to the most critical breaches where time is of the essence.

How Should You Adapt Your Incident Response Strategy?

So what can you do to limit the impact of the decision until the appeal is resolved? Below are some key items to ensure you work into your strategy.

Engage Outside Firms

In the event of a cyberattack or data breach, engage with outside counsel or forensic investigators, even when there is an existing relationship between your company and the forensics firm(s).

Clearly Delineate Separate IR Engagements

Make it clear internally that outside counsel is directing the incident response engagement and that such investigations are being conducted separately from any pre-existing cyber consulting activities with the forensic firm(s).

Ensure that it is clear in the Statement of Work for the specific engagement that the report is being prepared with the prospect of litigation in mind.

Employ the Principle of Least Privilege

The more widely the forensic report is distributed, the more likely it becomes that the court will not provide attorney work-product protection. The principle of least privilege (PoLP) can help safeguard against this.

The forensic firm should only share the report with those for whom access is necessary. In most cases, this means outside counsel. Outside counsel can then share the report with your company at their discretion.

Review the Contracts of Any Existing Relationships

If there is one overarching MSA, consider rewriting the MSA into separate agreements for consulting services and incident response services.

Ensure agreements covering the provision of such services make explicit that incident response services will be covered by an independent, unrelated agreement.

As part of this, ensure that the billing for the work is expressly billed as a legal expense.

Rely on Facts, Not Opinions

Ensure that the forensic firm writes a fact-based – not opinion-based – report for distribution from counsel to the company.

While it may well be necessary for the forensics firm to provide opinions, speculation, background, and technical explanation to provide the best advice to the company, those opinions should not be in the final report.

Create an attorney report separate from the client report to make clear that this work was done with the intent to prepare for litigation.