Creating a Healthy Cybersecurity Culture in Your Organization

Today’s dependence on technology demands security. A quick scan of the news provides details on the latest breach of the day – yet another tale of how a hacker bypassed an organization’s security layers to gain access to customer data.

Protecting your organization’s assets involves more than emphasizing cyber hygiene or the set and forget of tools and technology. You need a culture that embraces cybersecurity, a culture that makes cybersecurity top of mind among all your employees, top to bottom. Employee behavior plays a critical role in an organization’s cyber resiliency since most breaches are caused by human error. With nearly three-quarters of data breaches involving error, privilege misuse, use of stolen credentials or social engineering, it’s clear that organizations need to address not just the technology element, but also the human element when building a cybersecurity culture.

 

What defines a cybersecurity culture? What does it look like? 

Every organization has a security culture, the question is whether yours is healthy or unhealthy. A healthy cybersecurity culture is holistic and includes cyber hygiene, tools, and security awareness. Getting there means diving into the values that drive how people should think about and approach security within an organization. These values are shaped by the goals, structure, policies, processes, and leadership of the organization. A healthy, effective cybersecurity culture is one in which every person – top to bottom of the company – values cybersecurity and is motivated to make it better. They get why it’s important and see themselves as part of the solution. Fostering a strong cybersecurity culture ensures that employees are aware of the risks and understand how to respond to or report such risks. 

 

Developing the right culture is a continuous process 

Culture shifts start from the top – leadership action, more than speeches, sets the tone. When the C-suite and directors role model transparency, accountability and cyber smarts in their own practices, it manifests across the entire company. Culture is the goal, not a simple step. You don’t just flip a switch to change a culture and develop the right behaviors around cybersecurity – it’s a process that gets baked into your organization.

As your team embarks on creating real, long-lasting change in developing a cybersecurity culture, be sure it includes:

  • Organizational buy-in that starts at the top. Ensure senior leadership is committed to cybersecurity and sets a strong example. Your leadership team should actively promote and support cybersecurity initiatives, promoting and embracing policies and processes.
  • Develop clear and comprehensive security policies, guidelines and best practices, and make sure they are updated and communicated regularly.
  • Encourage reporting of security concerns including simple reporting of incidents. Create an environment where employees feel comfortable reporting concerns without fear of reprisal.
  • Regularly test your incident response plan, ensuring that all employees know how to report security incidents, with clear steps for containment and recovery.
  • Make sure your drills and exercises include social engineering awareness training. Train staff to recognize and resist tactics such as phishing, baiting and tailgating, and run exercises that simulate real-world threats to test your organization’s readiness.
  • Maintain open lines of communication about cybersecurity matters.
  • Celebrate successes including rewards and positive reinforcement to maintain a strong culture.
  • Make security fun and engaging. Consider gamification of monthly trainings or other lighthearted features so people won’t roll their eyes at the thought of yet another security training.
  • Extend culture beyond the workplace. Encourage discussion of good security habits at home to protect families as well. A security-aware culture should translate beyond the workplace. Provide resources and training for families of employees.
  • Communicate transparently especially around incidents. Breach notifications to customers should extend internally too. Discuss outage root causes without blame or punishment. Learn from incidents through updated controls rather than instill fear.

 

CyberOne Viewpoint: 

We cannot overstate the foundational importance of human-centric security. Technical controls will fail without an organizational culture that makes cyber risks everyone’s responsibility. Many boards continue grappling to motivate employee behaviors amid rapid digitization. At CyberOne, we guide clients to invest in their people first through policies that empower and educate, backed by resilient systems that support the business.

In summary, building a robust cybersecurity culture requires a multilayered approach with buy-in across the organization. It’s an ongoing initiative that requires constant reinforcement through policies, training, and leadership exemplification. By making security second nature to staff, you vastly improve resilience against cyber threats. The human layer is the first line of defense for any organization.

 

About the Author

Ricky Allen is the Field CISO for CyberOne Security, an ISSA Fellow, where he provides security architecture design and leadership management for customers across the country. Allen was President of the South Texas ISSA chapter, and he holds certifications in SABSA Security Architecture, CISSP, CISA, and Six Sigma. Previous roles include time at Accenture as an executive in their strategic information security consulting practice and at HP Enterprise Security Products as the Practice Lead for developing Security Operations programs for ArcSight SIEM products. Allen was focused on retail and manufacturing industries while at PwC where he managed penetration testing and risk assessments for companies across the US. He has presented at conferences such as BSides, Black Hat, API Cybersecurity, HOU.SEC.CON, SANS, SecureWorld, and Data Connectors. Allen is based in Houston, TX and earned a degree in Management Information Systems from Texas A&M University.

 

The Cost of Cyber Defense: An Investment You Can’t Afford Not to Make

Make no mistake: investing in cybersecurity is critical to the health of your entire organization. Once viewed as an IT issue, cybersecurity has evolved to become an organizational issue. While the investment spans technology, personnel, and training, these costs are frequently dwarfed by potential financial and reputational losses.

Cyber threats continuously evolve, advancing in complexity and frequency at a rate that demands consistent, adequate security budgets to stay ahead of the curve. Just as medical checkups and preventative health underpin personal wellbeing, proactive cybersecurity investments are essential to organizational health and resilience.

Most organizations know they need cybersecurity. They understand that a positive cybersecurity posture helps protect sensitive data, satisfy regulatory and legal requirements, ensure business continuity, protect the organization’s reputation in the event of an attack, shore up the supply chain, and reduce insurance costs, among other things. When thinking about your cyber defense, it’s crucial that your executive team understands that it’s not a matter of “if” but “when” you’ll get hit. And when it happens, it’s going to cost you – big – as cyberattacks are increasing in both frequency and cost. For example: 96% of organizations were targeted by an email-related phishing attempt in 2021, and predictions are that by 2031, ransomware will cost victims $265 billion, with attacks occurring every 2 seconds.

Despite the risks, security teams still struggle to get the funding necessary to create a robust cybersecurity posture. CISOs looking to justify their cybersecurity budgets need ways to prove return on investment, provide metrics for measuring success, and ensure continued value. Therefore, it’s critical you present the case for robust cybersecurity in a compelling fashion. 

As you prepare your business case, as a starting point, be sure you:

Highlight the need in terms of the total cost of a data breach. The average global cost of a data breach in 2023 was more than $4 million USD – a 15 percent increase over the past three years, and far more than cybersecurity budgetary requirements – and data breaches in the U.S. are much more expensive than in other countries, with an average cost just over $9 million. Costs include not just breach containment and remediation but also downtime, legal expenses, regulatory fines, lost business, and long-term costs such as repairing your reputation. And costs are only expected to increase over time, so this trend needs to be emphasized as part of your request. Be sure to include examples or case studies of what could happen if your organization does not act.

Focus on the ROI of your cybersecurity request, not just the costs. Everyone loves data, and your key decision makers are no exception. While it’s true that cybersecurity is an investment and you’ll need to present what those line items entail, don’t just focus on the costs – present the whole picture, including an estimated ROI. To prove out your cybersecurity ROI, be sure your calculation subtracts the cost of the investment from the net gain, using inputs such as:

  • Net gain from your investment, including monetary benefits or cost savings realized as a result of the cybersecurity investment. Alternatively, you could use reduced losses from security incidents, costs avoided from data breaches or increased efficiency as the result of improved security measures.
  • Cost of investment, including all costs associated with implementing and maintaining your investment such as initial costs of software and hardware, operational costs, training costs and other cybersecurity-related expenses.

It’s important to note that calculating an exact ROI can be challenging. Some benefits, such as preventing a potential attack, can be difficult to quantify in monetary terms. And some costs may be over an extended period of time, making it important that executives understand the long-term impact of cybersecurity. To gather data that’s as accurate as possible, consult with finance and cybersecurity professionals.

Determine quantifiable metrics for how you will track and measure your investment. Set a clear direction and present a solid case on how your budget request will reduce risk. Create clear metrics up front. Then present how you will track risk reduction over time. One way to do this is to determine the average industry risk score (including competitors and your peers) and compare your own. For example, if the organization had a score of X to start, then compare the difference in implementing the proposed service or solution (perhaps every six months or so) to better magnify the reduction in risk. Comparing your own data with the industry average risk score will help highlight the broader security risk trends and highlight how your organization compares to others. Obviously if your company scores higher than your competitors and peers you’ve helped make your case for your cyber investment.

While there are numerous factors that go into making a business case for cybersecurity, the information above can serve as a starting point. Increasingly complex security challenges and a dynamic threat environment mean you need a strong and agile security planning, programming and budgeting process. By highlighting the benefits and ROI of your proposed cybersecurity investment alongside the realities of what will happen if you don’t make this commitment, you should help your decision makers understand that an investment in cybersecurity is one they can’t afford not to make.

CyberOne Viewpoint: 

By quantifying potential breach costs and disaster recovery readiness using data-driven metrics tied directly to business outcomes, security leaders make an ironclad case for critical budget increases. These lifesaving investments across people, process and technology controls act as insurance policies against exponentially rising risks in an interconnected world.

Much like dutifully paying insurance premiums amid calm waters, executives must dedicate steady security funds now before the storms hit. Cybercrime costs the world economy over $1 trillion already, yet the majority of successful attacks exploit known unpatched vulnerabilities. Clearly organizations continue underestimating the havoc from being ill-prepared – a status quo that must change immediately.

Forward-looking leaders across healthcare, retail, government and other breach-prone sectors now rightfully elevate cybersecurity to a board-level concern vital to sustaining operations. They understand addressable security gaps can no longer be the weakest link that brings hostile forces past the gates. Just one destructive breach can fatally undermine customer trust, shareholder value and an organization’s foundational mission.

By heeding security’s call to action and dedicating adequate, consistent investment into defense today, organizations globally can collaboratively reach safe harbors tomorrow. Now is the time for cyber resilience to become every executive’s shared priority before the preventable occurs.

About the Author

Ricky Allen, Field CISO for CyberOne Security (full biography above).

Multifaceted Approach Needed to Combat Today’s Insider Threats

Your organization has made numerous investments to protect against external threats. But what about internal threats?

Threats today aren’t just external; companies face challenges detecting and mitigating a wide range of internal threats. These include individuals with legitimate access to your organization’s network who might use this access in a way that causes damage to your company: disgruntled employees or those with malicious intent, employees willing to sell your data to nation-state actors or competitors to make a quick buck, or even the rogue software developer looking to take your company’s intellectual property with them to their new start-up. Also, we cannot forget the threats that stem from employee mistakes, carelessness, or lack of knowledge.

Growing Risks and High Costs of Insider Threats

And your internal threat risk is growing – and costly. A recent report revealed that 74% of companies are at least moderately vulnerable to insider threats, with an average cost to an organization in 2023 of $15.38 million. 

Many companies have controls in place, which may include a data loss prevention (DLP) tool, native audit logs to see who’s touching the files, or properly configured firewalls/edge controls. But it’s imperative to have a multifaceted approach as your highly technical individuals typically know where your technical controls exist and likely can find a way around those individual controls. Some organizations have even reported instances of individuals taking photos of files with their phones, a scenario in which your DLP tools or alerts won’t protect you.

Strategies to mitigate insider risks:

  • Enhance Audit Logging: Collect native audit logs from wherever you are storing data. Whether that is OneDrive or an on-prem network-attached storage device, a product such as Varonis that analyzes all those logs in near real time can help you better understand user behavior, as these tools have built-in user behavior analytics. In these cases you can see that “this person touched 1000% more files today than they did previously” (e.g., opening large numbers of files to scan with a smartphone), and the resulting alert can be configured to kick off a script that locks that user’s accounts to stop the threat.
  • Least-Privilege Access Model: Implement a least-privileged model where employees only have access to the files and applications required to do their daily duties. With a least-privileged model and privileged account management you can leverage those accounts to put procedures in place to control who has access to your company’s most important data. 
  • Cloud Access Monitoring: Leverage a cloud access security broker (CASB) to give you controls to make sure that only a corporate device or a company-approved device can touch the data. Having a CASB in place can act as the gatekeeper on who is or is not allowed in, and what data they’re allowed to access, dependent upon whether they access from a company resource or not.
  • Utilize Security Awareness Training for Insider Detection: Ensure you have a good security awareness program in place. Education is key in teaching team members about scenarios that could happen, and how to respond. For example: one of our employees received a message purporting to come from a colleague, sent from a 412 area code. Realizing something seemed off, they looked up their coworker’s cell number and saw it was a completely different area code, so they knew it was an imposter.
  • Create Anonymous Reporting Channels: Implement a hotline or other confidential communication channel for employees to report anonymous tips. That way, if they see something and want to say something, they won’t be concerned about retribution.
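The “touched 1000% more files than usual” detection described in the audit-logging strategy above, written out as an added example (this is not code from the article, nor from Varonis or any other product). The audit-line format, the 10x ratio threshold, the 50-event floor, and the lock hook are all assumptions constructed for the example. Each user’s baseline is the median of their daily file-event counts on previous days; a user with no history but a large count today is flagged rather than causing a divide-by-zero, and non-file events such as logins are ignored so that a chatty login day does not look like data collection.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Hypothetical line format (constructed for this example; not a real product's format):
#   2024-03-04T09:12:07Z user=alice action=FILE_READ path=/shares/finance/q1.xlsx
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+user=(?P<user>\S+)\s+"
    r"action=(?P<action>\S+)\s+path=(?P<path>\S+)$"
)
FILE_ACTIONS = {"FILE_READ", "FILE_DOWNLOAD"}   # events that count as "touching a file"

# Tunables (assumptions for this example, not values from the article or any vendor):
RATIO_THRESHOLD = 10.0   # alert when today's count is >= 10x the user's baseline
MIN_EVENTS = 50          # ignore small absolute counts so quiet users don't trigger noise


@dataclass(frozen=True)
class Alert:
    user: str
    day: str
    count: int
    baseline: float
    ratio: float          # float("inf") when the user has no history at all


def parse_line(line):
    """Return the parsed fields of one audit line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def daily_file_counts(lines):
    """Build {user: {day: number_of_file_events}} from raw log lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] not in FILE_ACTIONS:
            continue   # skip malformed lines and non-file events such as LOGIN
        counts[rec["user"]][rec["day"]] += 1
    return counts


def detect_spikes(lines, today):
    """Flag users whose file activity today is far above their own baseline.

    Baseline = median of the user's daily counts on previous days, so a single
    earlier busy day does not mask a spike. A user with no history and a large
    count today is flagged with an infinite ratio instead of dividing by zero.
    """
    alerts = []
    for user, per_day in daily_file_counts(lines).items():
        today_count = per_day.get(today, 0)
        if today_count < MIN_EVENTS:
            continue
        history = [c for d, c in per_day.items() if d != today]
        baseline = float(median(history)) if history else 0.0
        ratio = today_count / baseline if baseline > 0 else float("inf")
        if ratio >= RATIO_THRESHOLD:
            alerts.append(Alert(user, today, today_count, baseline, ratio))
    return sorted(alerts, key=lambda a: a.user)


def respond(alerts, lock_account):
    """Hand each flagged user to a response hook (e.g. a script that disables
    the account); returns the list of users that were passed to the hook."""
    locked = []
    for a in alerts:
        lock_account(a.user)
        locked.append(a.user)
    return locked


def make_sample_log():
    """Constructed sample data: three quiet days, then one day with a spike."""
    lines = []

    def add(user, day, n, action="FILE_READ"):
        for i in range(n):
            lines.append(
                f"{day}T09:{i % 60:02d}:00Z user={user} action={action} "
                f"path=/shares/finance/doc{i}.xlsx"
            )

    for day in ("2024-03-01", "2024-03-02", "2024-03-03"):
        add("alice", day, 5)
        add("bob", day, 8)
    add("alice", "2024-03-04", 60)                # 12x her median of 5 -> alert
    add("bob", "2024-03-04", 9)                   # ordinary day -> no alert
    add("bob", "2024-03-04", 40, action="LOGIN")  # not a file action -> ignored
    add("carol", "2024-03-04", 55)                # new user, no history -> alert
    lines.append("this line is malformed and is skipped")
    return lines


if __name__ == "__main__":
    found = detect_spikes(make_sample_log(), "2024-03-04")
    for a in found:
        print(f"ALERT {a.user}: {a.count} file events today vs baseline {a.baseline} (x{a.ratio:.1f})")
    print("locked:", respond(found, lambda user: None))
```

In a real deployment the `lock_account` hook would be the account-disable script the strategy above mentions, and the baseline window would be longer than three days; the point of the absolute floor is that a user who normally opens two files and today opens twenty is a 10x change that is not worth locking anyone out over.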


At CyberOne, we firmly believe that organizations should adopt controls based on their security condition level (SECCON) to reasonably achieve security objectives. We recommend insider threat monitoring at multiple layers to help quickly identify, detect, and respond to common threats. We are excited to expand the conversation; contact us at info@cyberonesecurity.com.

 

Authored by Scott Wright, Senior Security Solutions Architect

The Securities and Exchange Commission Continues to Enforce Cybersecurity Controls for Publicly Traded Companies

Background

The Securities and Exchange Commission (SEC) continues to convey the importance of cybersecurity for publicly traded companies by finalizing additional rules requiring disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant’s cybersecurity risk management, strategy, and governance in annual reports. The rationale, in my opinion, results in the strengthening, enhancement, and standardization of a registrant’s cybersecurity control measures and reduces the inaccuracies of financial statement reporting within its information systems.

SEC Rule Interpretation     

What does this mean for publicly traded companies? Before I interpret the final ruling, I would like to emphasize the Commission’s dedication to effective cybersecurity risk and controls for publicly traded companies. In fact, since 2011, the Division of Corporation Finance has issued interpretive guidance providing its views concerning operating companies’ disclosure obligations relating to cybersecurity. In 2018, the Commission also issued interpretive guidance to public companies on fulfilling their obligation to take all required actions to inform their investors and the investment community about significant cybersecurity risks and incidents in a timely manner. So the direction and intent of the Commission regarding cybersecurity risk and controls management should come as no surprise to companies.

Now, the interpretation.  In its periodic disclosures, publicly traded companies must:

  1. Report a material cybersecurity incident within four business days after determining that such an incident is material.
  2. Describe its processes for assessing, identifying, and managing material risks from cybersecurity threats and whether those risks are reasonably likely to materially affect its business strategy, operations, or financial condition.
  3. Disclose its cybersecurity governance practices, including the board’s oversight of cybersecurity risk and management’s process to manage, monitor, detect, mitigate, and remediate cybersecurity incidents.
  4. Comply with the cybersecurity incident reporting obligations 90 days after publication in the Federal Register or by Dec. 18, 2023, whichever is later.
  5. Smaller reporting companies are given an additional 180 days to comply with the final rule.

In my analysis of the final rule, it is well aligned with other incident reporting rules and improves a public company’s ability to mitigate its cybersecurity risks and prevent financial statement inaccuracies. Additionally, the rule helps a registrant avoid having to restate its financial statements or, more importantly, suffering a reduction in investor confidence levels.

The Pathway Forward

In closing, companies shouldn’t see the Commission’s rules and requirements as an additional burden of cybersecurity risk management; rather, they should see them as a means for improving their risk and control processes, increasing their investor confidence, and providing some level of competitive advantage. My recommendations for adhering to the rule requirements are:

  1. Cybersecurity leaders should ensure that their cybersecurity program is well-aligned with business objectives and strategies. Too often, I see cybersecurity programs and business strategies move in totally opposite directions, resulting in a lack of inclusion, oversight, and awareness of the latest security threats.
  2. Chief Information Security Officers and Chief Information Officers should have a say in boardroom discussions regarding cybersecurity and information risk management. The Commission expects the Board of Directors to be well-informed regarding cybersecurity matters. The most effective way of getting the information is direct and periodic communication with IT leaders.
  3. Build an effective governance and compliance program that aligns not only with the SEC requirements but with other applicable regulations. When complying with federal mandates, an effective compliance program is key.
  4. Develop and implement effective cybersecurity control procedures based on industry standards (e.g., the NIST Cybersecurity Framework or its 800-series, ISO cybersecurity and risk management standards, etc.). Risk assessment and management strategies should be defined, aligned, and disseminated across the organization, and, most relevant, incident response policies and procedures should be implemented and kept current. These controls should be tested on frequent cycles, with gaps documented and corrective actions performed in a timely manner.
  5. Internal Audit and Cybersecurity Teams should be tightly integrated. This ensures that governance, risk, and compliance processes are implemented, controls are tested, and remediation is performed in a timely manner.

 

By:

James Sayles, BS, MBA, DDiV
GRC-Fellow/Professional, Certified Information Security Officer, CISSP, CGEIT, CISM, CRISC, CIA, CISA, CFE, CIPP-US/EU
Sr. Director, Advisory Services – CyberOne Security

Where Are All the Entry-Level Cybersecurity Jobs?

Ten tips for finding your first job by building up your cybersecurity knowledge and experience.

Congratulations to the class of 2023, and welcome to the job market! If you’re interested in cybersecurity, you may be frustrated that most entry-level positions require two to three years of experience. And if everything requires experience, then nothing is really an “entry-level job,” right?

It leaves you wondering: WHERE ARE ALL THE JOBS? 

Here’s what’s going on. Hiring companies normally post jobs seeking an “entry-level expert” in cybersecurity. They are looking for someone with a combination of technical product knowledge and experience performing investigations, troubleshooting, and response activities. 

You may not have these skills right out the gate, so here are 10 ways you can build your cybersecurity resumé: 

  1. Gain Baseline Knowledge in Cybersecurity.
    At a minimum, you should have the Security+ Certification from CompTIA. These topics are some of the most important aspects within the industry, and prospective employers want you to know the basics. The Security+ certification provides a basic understanding of the terms, concepts, and approaches you will need for day one. This is non-negotiable and is a necessary certification to get started in this industry.
  2. Get Cloud Certified.
    Cloud technology is the core of every IT department, and it is critical for you to understand. Whether you want to be a developer, auditor, analyst, or consultant, you need to know cloud-related terms and approaches. Amazon, Azure, and Google all offer free introductory courses for understanding their cloud platforms and the basics of security. Earning their initial certifications or accreditations is necessary to prove your knowledge.
  3. Train on a Leading Technology.
    In addition to cloud knowledge, having a specific platform skill is a game-changer for your resumé. Increasing your knowledge and experience with the largest companies in cybersecurity will never fail. You can get in on the ground floor with these companies as an engineer or analyst who helps respond to alerts, works help desk tickets, and manages users, but you won’t be given full administration rights on day one. Leading companies such as Microsoft, Palo Alto Networks, Fortinet, Okta, Splunk, Proofpoint, CyberArk, Trellix, SailPoint, and Cisco all have platforms in use by a majority of Fortune 1000 corporations, and there are positions open to help run and manage these environments. Many of the cybersecurity companies mentioned above offer free training or a test drive of their products and platforms to help you prepare.
  4. Focus on Operations.
    ITIL certifications are rare these days. ITIL is an adaptable framework for managing cybersecurity. Having an ITIL approach to platform management really shows that you have your act together and separates you from the pack.
  5. Seek Out Advice.
    Join a local association meeting and start networking within the industry. Ask questions to determine what real security managers need in their departments. Associations such as ISSA, ISACA, and CSA are great places to start. Ask about mentor programs or other ways to get involved to meet members in the community.
  6. Start at the Help Desk.
    This has long been the best in-road for getting started in the IT industry by understanding the company, its requirements, and the technologies it has in place. This position allows you to work with a variety of users and provides an opportunity to understand the overall skill level needed to succeed.
  7. Consider Temp or Contract Work.
    Companies are constantly looking for temporary staff members to fill openings when they cannot justify a full-time position. Leveraging a temporary placement will help you get the real-world experience you need and allow you to show off your skills to the hiring manager.
  8. Remember, Your First Job Won’t Last Forever.
    Companies make a sizable investment in your first year of employment and do everything possible to reduce the cost of your position. Think of your first few years as a part of your job search, and put in the extra hours at a consulting firm or systems integrator to get some of the best training possible for success later in your career. You may be up for a career change or find your niche in a particular area of IT.
  9. Show You Can Train Yourself.
    Online training is practically free, and it is a critical requirement for anyone hoping to join a cybersecurity team. There is an abundance of online providers, and training in cybersecurity has never been more accessible. Look for deals from StackSocial. You can get a full bundle of certifications for less than $50. Employers will know that you are able to quickly onboard to new technologies and teach yourself versus waiting for expensive in-person training.
  10. Attend Local Cybersecurity Conferences.
    Student rates are often available, making it inexpensive to attend local cybersecurity events. Learn about the latest industry trends, understand and speak with the vendors, network with others in the space, and have a good time. You may need to contact the conference manager directly to ask for a discount code, student rate, or even volunteer to help with the event.

These tips for finding entry-level cybersecurity positions will prepare you with the skills you need to get a foot in the door and have a successful career in cybersecurity. Hiring managers are looking for ambition, fast ramp-up times, and knowledge about existing products. While the job market for new graduates may seem tight, it still has advantages. If you’re willing to do the work to stand out, you will have a better chance of hearing that you’re the best candidate for the position.

About the Author

Ricky Allen, Field CISO for CyberOne Security (full biography above).

What’s New with NIST 2.0 Cybersecurity Framework?

A look at upcoming changes to the standards, guidelines, and practices that organizations of every size need to manage and reduce cybersecurity risk.

By Glenn Sweeney
vCISO at CyberOne Security

 

The NIST Cybersecurity Framework was originally created in 2014 to give federal users a common standard by which to measure their cybersecurity assessment efforts. Since then, the Framework has evolved to include corporate users, who have had ongoing input into its content. The NIST Cybersecurity Framework is a living document that is regularly refined and improved based on stakeholder feedback to keep pace with changing technology and threat trends.

As a vCISO at CyberOne Security, I actively participate in discussions to help improve the NIST Framework. The scope of CSF 2.0 will cover all organizations across government, industry, and academia to boost its broader use. As stated in the current NIST 2.0 concept paper, a primary goal of cybersecurity measurement and assessment is to determine how well an organization is managing cybersecurity risk, and if and how they are continuously improving. Following are four areas that are being updated to make NIST 2.0 more robust for federal and industry users:

  1. A New “Govern” Function Will Be Added to Core

The NIST Framework Core formerly consisted of five continuous functions — Identify, Protect, Detect, Respond, and Recover. The upcoming version will also include “Govern,” which will address the importance of aligning cybersecurity activities with business risks and legal requirements.

In the past, cybersecurity governance was addressed within the “Identify” function. Addressing it as its own function reflects its high importance and allows NIST to go deeper into the topic. The new “Govern” function will cover four areas that are critical to broad defense and recovery:

  • Determining the priorities and risk tolerances of the organization, customers, and larger society
  • Assessing cybersecurity risks and impacts
  • Establishing cybersecurity policies and procedures
  • Understanding of cybersecurity roles and responsibilities

I like to think of Govern as the foundation of a house. It ensures that the entire infrastructure aligns with organizational policies and legal requirements, so it is more stable and secure from the ground up.


  2. Supply Chain Risk Will Be Added to the Identify Function

Technologies and computing services like cloud enable organizations to do business with people and groups all over the world, but they also open enterprises up to third-party vulnerabilities. Feedback from NIST 2.0 respondents makes it clear that supply chains are a top risk. Adding Supply Chain Risk to the Identify Function provides an opportunity to go deeper and provide broader guidance on addressing third-party risk. This may include the need for special teams within the organization that are focused on these specific risks. Feedback will inform the final draft of NIST CSF 2.0. You can submit your feedback on this discussion draft to cyberframework@nist.gov at any time.


  3. Respond & Recover Will Be Added to Incident Response Management

Artificial intelligence (AI) is one of the newest and most versatile weapons in the arsenal of bad actors, and it serves as a strong reminder that even the best defenses can be breached. Organizations need a well-thought-out recovery plan to limit damage while maintaining business as usual. For this reason, NIST 2.0 is expanding consideration of outcomes in the CSF Respond and Recover Functions to include Response and Recovery management. This section may include subtopics such as indirect mitigation, recovery plan execution, and incident forensics. Content is being changed or added to keep up with new and emerging threats and to ensure that organizations can accurately assess how prepared they are to recover critical assets and sensitive information and keep their businesses running in the event of a breach.


  4. Updated Digital Identity Guidelines

Finally, NIST 2.0 will also include revised Digital Identity Guidelines with updates to the CSF’s identity management, authentication, and access control category. Through these updates, NIST 2.0 will provide a roadmap for assessing the strength of your approach to managing identities and access that is more tailored to today’s threat landscape.

In my role at CyberOne Security, I leverage NIST to ensure my assessments are as relevant and thorough as possible. As a participant in the process of updating NIST 2.0, I think these new updates will cover a lot of ground in the ongoing effort to keep up with changes to the threat landscape.

If your organization needs help assessing its current security posture, contact CyberOne for customized exposure management support that prioritizes the unique risks to your business. We can help you develop a strategic and tactical roadmap based on previous assessments of your cybersecurity program.


About Glenn Sweeney

Linkedin: https://www.linkedin.com/in/glennbsweeney/

Glenn Sweeney is a successful information security leader with over 20 years of cybersecurity technical and managerial experience supporting many types of industries from small to large enterprises. He has a passion to help businesses create a cybersecurity strategy and program using the latest frameworks such as NIST, ISO, IEC, and CIS, giving them the direction they require to succeed in implementing, managing, and administering a proven security program. Glenn has quite a list of information security certifications that include Certified Information System Security Professional (CISSP), SANS GIAC-GSEC, SANS GIAC Certified Incident Handler, Certified HIPAA Security Expert (CHSE), Certified Cybersecurity Awareness Professional (CCAP), EC-Council Computer Hacking Forensic Investigator (CHFI), and CompTIA Security+.

Does Your Organization Need a Cloud Security Architect? Part 2 of 2

Continuing the thought from my previous blog: Does Your Organization Need a Cloud Security Architect? – CyberOne (cyberonesecurity.com)

Building a Strong Cloud Posture: Key Considerations for Cloud Cyber Architects

When it comes to deploying and managing cloud services, security should be a top priority. In this blog, we will explore three vital aspects that organizations should focus on while building out their cloud environment: segmentation, policies (identity-based and organizational), and infrastructure as code (IaC). By understanding the importance of these elements, businesses can enhance their cloud security measures and mitigate potential risks.

Segmentation: A Fundamental Security Measure

One reason organizations separate workloads in data centers, both across geographical locations and within them, is to satisfy security requirements. For the same reason, cloud environments should also establish segmentation boundaries for workloads. Thinking back to the house analogy in my previous post: a house has doors between various rooms; some of those doors have deadbolt locks, while others are secured by children who have simply posted “Stay Out!” on the door. The key takeaway is that segmentation should be defined to handle the various types of sensitive workloads and data. Segmentation is accomplished by leveraging both cloud accounts and cloud objects. Regardless of the chosen CSP (AWS, Azure, GCP, etc.), they all have essentially the same approach for organizing accounts as well as the same constructs for cloud objects (VPCs, subnets, NACLs, security groups). Organizations typically leverage segmentation to isolate the following environments: Production, Development, and Sandbox, possibly with micro-segmentation within those environments. Mature, security-minded organizations will leverage dedicated accounts for Security and Infrastructure services. Deploying all workloads in a single account, relying on a single VPC/subnet, is suboptimal even for smaller organizations.

Establishing Effective Cloud Policies

After completing the segmentation, it is crucial for the organization to prioritize the establishment of policies for effectively controlling cloud consumption. This sequence matters because cloud policies are formulated primarily around the account and object structures. Three key types of cloud policies exist:

  1. Account policies: These policies are applied at the organizational/account level, providing users with broad controls to limit actions. Examples include enforcing encryption, restricting object deployment to specific regions, and denying high-risk or unapproved cloud services.
  2. IAM policies: IAM (Identity and Access Management) policies define who can perform specific actions and should adhere to the principle of least privilege. They can be used independently or in conjunction with resource-level policies to establish a defense-in-depth posture.
  3. Resource-level policies: These policies limit the actions that can be performed on cloud objects and, like IAM policies, should grant the least privilege possible.

Leveraging Infrastructure as Code (IaC) for Enhanced Security

One common approach for those new to the cloud is to obtain an account and then deploy objects directly from the CSP console – I’m guilty of this approach myself. Unlike deploying objects directly from the console, IaC offers an organized and discrete manner of provisioning cloud resources. IaC supports automation, agility, auditing, and compliance. IaC also gives security teams the ability to examine what the object owner intends to push to the cloud, aligning with the principles of DevSecOps. Security teams have two approaches for the inspection: manual review of the code, or leveraging cloud-native or third-party tools. Obviously, the manual approach is time-consuming, but it opens up opportunities for the security team to see specific aspects of the cloud service that might conflict with organizational policies. Leveraging tools, native or third-party, to perform the review can be beneficial because they provide built-in compliance frameworks. Ideally, organizations should combine both approaches based on contextual insight, allowing for a comprehensive security assessment. Going back to the house analogy, IaC compartmentalizes your cloud environment and allows the security team’s reinspection to cover only what is being requested to change.
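The three policy types above and the tool-based IaC review are both served by this added example; it is not CyberOne’s code or any CSP’s tooling. It runs least-privilege checks over three constructed AWS-style policy documents (an account-level region guardrail, an IAM policy, and a bucket resource policy) of the kind an IaC pipeline hands to a reviewer before anything is applied; the bucket name and regions are constructed placeholders.

```python
import json

# Constructed sample policy documents (AWS-style JSON), not from the original post.
# Account policy: a guardrail that denies every action outside approved regions.
ACCOUNT_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
    "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}
  }]
}"""

# IAM policy: one scoped statement and one that should fail least-privilege review.
IAM_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}"""

# Resource policy (bucket policy): grants read access to any principal.
RESOURCE_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-data/*"
  }]
}"""


def _as_list(value):
    # Policy fields (Statement, Action, Resource, Principal.AWS) may be a string or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_grants(policy):
    """Sids of Allow statements whose Action or Resource is a wildcard.
    A Deny on '*' is a guardrail, not a grant, so only Allow statements count."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        broad_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action")))
        broad_resource = "*" in _as_list(stmt.get("Resource"))
        if broad_action or broad_resource:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def public_principals(policy):
    """Sids of Allow statements whose Principal is '*' or {"AWS": "*"} (anyone)."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def region_guardrail(policy, approved):
    """True if a Deny-all statement restricts requests to a subset of the approved regions."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or "*" not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        regions = set(_as_list(cond.get("aws:RequestedRegion")))
        if regions and regions <= set(approved):
            return True
    return False


def review(account_json, iam_json, resource_json, approved_regions):
    """Run the three checks and return human-readable findings (empty list means clean)."""
    account, iam, resource = (json.loads(d) for d in (account_json, iam_json, resource_json))
    findings = []
    if not region_guardrail(account, approved_regions):
        findings.append("account: no region guardrail")
    findings += [f"iam: wildcard grant in {sid}" for sid in wildcard_grants(iam)]
    findings += [f"resource: public principal in {sid}" for sid in public_principals(resource)]
    findings += [f"resource: wildcard grant in {sid}" for sid in wildcard_grants(resource)]
    return findings
```

Calling review() on the three sample documents with ["us-east-1", "us-west-2"] as the approved regions returns two findings, the TooBroad IAM statement and the PublicRead principal, while the account guardrail passes.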

Final Thoughts

In today’s cloud-driven landscape, prioritizing security is paramount for organizations deploying and managing cloud services. Segmentation, accomplished through the strategic use of cloud accounts and objects, is vital for effectively handling different types of sensitive workloads and data. Establishing effective cloud policies allows for granular control over cloud consumption and fosters a defense-in-depth posture. By embracing IaC, organizations can provision cloud resources in an organized, automated, and compliant manner with effective collaboration between development, security, and operations teams. By combining manual review and tool-based assessments, organizations can achieve a comprehensive security assessment. Embracing these aspects empowers organizations to build a robust and secure cloud environment for their critical workloads.


About Marc 

Marc Hall is a senior security architect with CyberOne Security. Marc previously held a variety of roles at Raytheon Technologies over a span of 18 years focusing on architecture, design, and development of information systems within various business units and at Ericsson as a software developer. Over the years he has shaped enterprise cyber and infrastructure cloud strategy, established cybersecurity guardrails for cloud platforms and services leveraging cybersecurity frameworks, designed and developed mission critical defense systems, managed red teaming exercises targeting defense systems, and researched and developed novel solutions to support customer requirements. Marc is based in Dallas, TX and has a B.S. in Computer Science (University of Texas at Dallas) and a M.S. in Security Engineering (Southern Methodist University).

Does Your Organization Need a Cloud Security Architect? Part 1 of 2

Building a Strong Framework

Cloud almost always disrupts business as usual. A cloud security architect can see the cracks that are missed by third-party or native tools and by less experienced, non-cloud security professionals.

Over nearly a decade in cloud security, I’ve noticed some common missteps among enterprises that deploy cloud infrastructure and services, whether through Amazon Web Service (AWS), Microsoft Azure, or Google Cloud Platform (GCP). Often, they begin to consume cloud services without establishing a solid security foundation during the development and deployment of their cloud infrastructure and workloads. Similarly, cloud administrators may rely on overly permissive identity and access management (IAM) policies. Hiring a cloud security architect is like hiring a contractor to build a house. A professional has the experience and expertise to lay a strong foundation and oversee construction of the framework, so you can have confidence that your build will be secure even if you choose to add on in the future.

The Role of Cloud Security Architects

Cloud security architects bring deep experience from the trenches of designing and implementing secure cloud solutions. They may work with your application teams on one day and your infrastructure team on another. But their most valuable role is taking a broad view of your entire organization, its consumption of cloud, and how corporate and applicable regulatory/compliance security policies are adhered to on a day-to-day basis.

As a cloud security architect myself, I see the role as that of a contractor overseeing the construction or renovation of a house. All too often, the house has already been built on a poor foundation before the security team gets involved. This commonly occurs when a team has been directed to quickly move to the cloud and they assume “the cloud is secure” – clearly, because someone else is managing it. When they start building the house, organizations tend to leverage agile approaches, which certainly align with cloud adoption, BUT thought must be put into how the agile methodology accounts for pouring the foundation. As well, organizations often don’t understand how existing corporate and compliance security policies apply to the cloud and/or they don’t understand cloud risks well enough to establish a strong foundation to build on. That can affect the entire organization down the road as cloud gains use across the enterprise. But when teams are told to “Go deploy!” they do, and commonly lay a weak foundation.

At that point, there is typically rework needed to ensure a solid foundation. There’s also a good probability that workloads will have to be moved while the rework tasks are being completed. 

Involving security early and often during all phases of development can help avoid this scenario. Otherwise, someone has to go back and fix the security foundation or, even more challenging, rooms that are built upon the foundation containing the workloads. If the walls are already up and people are working (and sometimes living) in the building, it’s much more time-consuming and expensive. This is an extremely common occurrence. A good cloud security architecture expert can help by shoring up security, even as your cloud consumption increases.

Cloud Is NOT Just Someone Else’s Datacenter

While traditional architecture shares some aspects of cloud services, such as virtual machines, storage, and networking objects, cloud services create more risk due to their flexibility. Most cloud services allow for data-flow connections to other cloud services, raising the risk of bypassing traditional security control points, even to the point where data flows can be established to non-approved accounts. Similarly, the profusion of cloud APIs allows cloud consumers to be more granular with their infrastructure and workloads, but it also increases risk. You can compare cloud to a conference center where organizers use its spaces in different ways — perhaps for a tradeshow one week and a gala the next. This type of space provides flexibility, but securing it is more difficult.

This difference between traditional architecture and cloud architecture is critical, and those who believe cloud is “just using someone else’s data center” are likely to make common mistakes that put their security at risk. One mistake is when organizations assign the role to an existing security architect who has spent his or her career supporting traditional data centers and three-tiered applications. Without cloud-specific training, a security architect may not know that cloud uses space differently or that how users move through the space impacts its security. 

Another all too common mistake I find is that cloud account roles are sometimes given full access to all APIs within a service — or even worse — everyone is a cloud administrator. Risk analysis should be performed on the cloud service APIs and guardrails should be established to reduce risk for the enterprise. 

As I previously said, cloud disrupts business and how we manage our infrastructure and workloads. It takes departments that were once carved up and siloed and fuses them together. Depending on how a company is organized, this can result in discussions about who owns which cloud objects and how certain business processes will function. To facilitate this shift, you need a cloud security architect with eyes across the company who can provide contextual insight into how business and security issues intersect. 

How to Rate a Cloud Security Architect

Before I get into how to choose a cloud security architect, I should point out that your organization shouldn’t rely solely on cloud security services that monitor and enforce security policies, whether native or third party. Even though services such as Microsoft Defender for Cloud are designed to monitor and assist in enforcing security policies in the cloud, they don’t understand context and, generally speaking, look for best practices and recommendations against industry standards and compliance frameworks. They lack the ability to automatically translate corporate policies and security architectural principles (e.g., don’t connect production to non-production workloads or networks). Whether your cloud environment is infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS) — or even a combination of the three — you need the expert eye of a cloud security architect to work alongside the various organizations consuming cloud to ensure a solid security posture. A seasoned cloud security architect leverages their insight into your business, allowing them to maintain a high level of visibility across cloud resources, identify and manage risks before vulnerabilities are introduced within your cloud infrastructure, and maintain security policies across your enterprise.

When you choose to hire a cloud security architect, never rely on a certification as sole proof that someone is capable of designing, implementing, and defending your cloud security infrastructure. They may have the technical understanding of how to do the job, but the key way someone gains the skills and expertise needed to build and protect your house is through hands-on, trial-and-error experience. Ask prospective hires about their worst experiences supporting the design and implementation of cloud services. If they insist that every deployment was a success, they probably aren’t prepared for the worst. Hire someone who has war stories; someone who has experienced the good, the bad, and the ugly of securing enterprise cloud environments. Then you’ll feel confident they can defend your infrastructure against threats — no matter what type of unforeseen issues arise.

Final Thoughts

It’s common for an enterprise to implement cloud environments with sub-par security postures because they are pressured to move fast and lack the knowledge needed to properly secure the cloud. One common challenge with the adoption of cloud is the application of the term agile, which is a more than acceptable approach when, and only when, the architecture and all supporting aspects of the environment have been thought through. People are people, and when they are working agile, they aren’t thinking about the repercussions of every decision they make. Rearchitecting your security after the fact is a huge undertaking and can be costly. Finding workarounds and optimizing your security based on the house you have and not the one you wish you had built requires the help of an expert who can make sure your cloud security infrastructure is strong enough to defend against attacks at all levels.

No matter where your organization is in its migration to the cloud, CyberOne has the expertise to help operationalize and optimize your security environment. Connect with us to get started.


Artificial Intelligence: What Is on the Horizon?

The cybersecurity industry is under immense pressure as digital threats continue to increase and evolve. Artificial intelligence (AI) is widely understood to be a critical next step for optimizing cybersecurity processes and functions and enabling security operations centers (SOCs) to keep pace. Generative AI platforms like ChatGPT will play a leading role as SOCs find innovative ways to tap their potential for the benefit of cybersecurity teams. 

AI Continues to Advance Cybersecurity

AI offers better automation; faster, more accurate analysis; and increased visibility into your network and systems, opening up exciting possibilities for security professionals.

Many SOCs already use AI and machine learning to drive risk assessments and prioritize events, incident response, and documentation. Newer technologies such as machine learning services (MLS) from Microsoft® Azure Security Center (ASC) will further enable SOCs to automate rules creation and centrally manage them within the MLS. One of many benefits is the ability to reduce false positives while simultaneously increasing detection accuracy levels overall.

Improved automation and greater risk assessment capabilities will also enable SOCs to utilize formal methods for use case content development. Automated penetration testing and breach attack simulation will become a standard requirement after each content change. 

GPT-4 Will Spark a Surge in Innovation

Chatbots are becoming increasingly vital cybersecurity tools. One of the most innovative is ChatGPT, the large language model developed by OpenAI.

ChatGPT is now in its fourth version, which the company promises to be its “most advanced system, producing safer and more useful responses.” GPT-4 can provide enhanced cybersecurity protection by utilizing AI, natural language processing (NLP), and machine learning algorithms to respond to complex cybersecurity threats.

With its gift for contextual understanding, GPT-4 can reduce or even replace many cybersecurity roles that are labor-intensive, iterative, and expensive. In addition to providing automated cybersecurity solutions at a fraction of the cost, GPT-4 can also quickly adapt to new cybersecurity threats as they arise.

Organizations that deploy ChatGPT technology for cybersecurity will progressively see their operations become more efficient, cost-effective, and secure. 

Get Ready for ChatGPT Versus ChatGPT 

Generative AI tools are transforming the matrix between how cyberattacks are coordinated and unleashed, and how successful organizations fight back. 

Bad actors are exploiting the endless possibilities of ChatGPT to quickly deploy and operationalize more sophisticated attacks. ChatGPT can mimic the input it is given and generate human-like responses that can be used to access personal data. This makes it a dangerous threat to cybersecurity teams.

ChatGPT’s ability to automatically mass produce business email compromise (BEC) communications should not be underestimated. Cleverly crafted messages can easily evade standard cybersecurity protection. It is up to us as cybersecurity practitioners to anticipate these kinds of threats and take proactive steps to tackle them before they become a real danger. Today’s cybersecurity environment has been described as an arms race between attackers and defenders, and ChatGPT is the weapon of choice.

Organizations that should be vigilant are struggling to keep pace, which makes it inevitable that this cybersecurity challenge will be a key focus in 2024 and beyond. As cyberattacks become increasingly complex and targeted, those organizations will need to fill more cybersecurity jobs while also looking for the latest cybersecurity tools to help protect their networks. ChatGPT fits the bill. It is advanced enough to automatically assess potential security threats and mitigate them with little to no human involvement, which makes it the perfect match for taking on a proliferation of ChatGPT-driven attacks.

ChatGPT Will Not Be Coming for Our Jobs

As revolutionary as ChatGPT is, it still has limitations and will never fully replace cybersecurity professionals — especially when it comes to being proactive and anticipating potential issues before they arise. 

At best, ChatGPT will assist with cybersecurity tasks that help make cybersecurity professionals more effective. It can also simplify tasks that once required expert-level skills, such as knowing how to update a firewall or a router to block an IP address. For example, ChatGPT might provide step-by-step instructions to walk less skilled team members through the changes.

ChatGPT can be useful for cybersecurity analytics, event log management, and audit compliance, and it can enable more efficient processes, including:

  • monitoring incoming traffic for malicious intent
  • identifying malicious actors
  • automating incident response
  • performing an attack analysis
  • detecting anomalies in security logs from different sources
  • and more

ChatGPT enables SOCs to automate security-related tasks that would otherwise be time-consuming or require iterative manual effort. Implementing it can quickly free up cybersecurity personnel so they can focus on larger, more strategic tasks that require specialized knowledge.

Cybersecurity experts will always be needed: ChatGPT will simply make them more efficient and effective, resulting in improved and evolving protection from emerging threats.

Conclusion

In the coming years, advanced AI will be an essential tool for updating security protocols and launching robust cyber defense initiatives. The newest version of ChatGPT, GPT-4, stands out for its advanced features that allow for greater security, faster deployment speeds, and improved performance. The platform is quickly becoming essential for preventing potential attacks or intrusions by bad actors who are already leveraging its AI-driven learning algorithms. Plus, it offers valuable guidance and role replacement capabilities. In our increasingly connected world, it is more important than ever to take advantage of this expansive technology to protect data and networks from malicious threats. Are you ready?

About the Author

Ricky Allen is the Field CISO for CyberOne Security, an ISSA Fellow and Past-President of the South Texas ISSA chapter. He holds certifications such as SABSA Security Architecture, CISSP, CISA, and Six Sigma. At CyberOne, Ricky provides security architecture design and leadership management for customers across the country. Ricky previously held roles at Accenture as an executive in their strategic information security consulting practice and at HP Enterprise Security Products as the practice lead for developing Security Operations programs for ArcSight SIEM products. Ricky was focused on retail and manufacturing industries while at PwC where he managed penetration testing and risk assessments for companies across the US. Ricky has presented at conferences such as BSides, Black Hat, API Cybersecurity, HOU.SEC.CON, SANS, SecureWorld, and Data Connectors. Ricky is based in Houston, TX and has a degree in Management Information Systems from Texas A&M University.