Resilient Cyber Newsletter #13
Cyber Workforce Woes, 2024 Security Budget Report, White House Takes on Internet Routing Security and Navigating the MITRE ATLAS
Welcome!
Welcome to another issue of the Resilient Cyber Newsletter, bringing you the best resources when it comes to cybersecurity leadership, market dynamics, AppSec and more!
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 6,000 subscribers, ranging from developers, engineers, architects and CISOs/security leaders to business executives.
Reach out below!
If you’re interested in Vulnerability Management, you can check out my book “Effective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem” on Amazon. It is focused on infusing efficiency into risk mitigation practices by optimizing resource use with the latest best practices in vulnerability management.
Cybersecurity Leadership & Market Dynamics
Cyber Workforce Woes
The topic of the cybersecurity workforce continues to become an increasingly hot one. This week, the White House’s Office of the National Cyber Director (ONCD) announced a hiring sprint they’ve named “Service to America”, which runs through October and is aimed at helping defend cyberspace by filling the several thousand IT/cyber jobs the U.S. Government has open.
However, the ONCD and others continue to cite metrics, such as those from Cyberseek, which claims there are roughly 470,000 job openings, and essentially that we have a massive number of unfilled roles that needs to be addressed.
The problem of course is more complicated than that. Cyberseek’s partners include cyber certification organizations such as CompTIA and others, who have an incentive to inflate the numbers and to compel others to pursue opportunities in cybersecurity.
It isn’t just credentialing organizations playing a part, but also individuals looking to capitalize on the interest of those looking to get into cyber as well, often with outlandish claims around acquiring “six figure salaries” with little to no experience and in a short time frame.
This topic has quite a bit to unpack, and likely warrants its own article.
Safe to say, it’s complicated, and there is a lot of blame to go around.
Modest Rises in Cyber Budgets
IANS, an organization I am a faculty member of, released their “2024 Security Budget Benchmark Report” showing the state of security budgets and staffing. It included responses from over 750 CISOs from April-August 2024.
It was reported that security budgets rose 8% in 2024, which is higher than the 6% of 2023, but about half of the growth rates seen in 2021-2022 (16% and 17% respectively).
It needs to be pointed out that 2021/2022 saw a massive explosion in remote work, and organizations scrambling to secure the new paradigm of BYoD, remote workforce, SaaS surge and more.
One big area that did see a decline is staffing. It was said that security staff hiring growth fell from 31% in 2022 to 16% in 2023 and just 12% in 2024, with one third of CISOs saying they were maintaining a consistent headcount with no growth.
This stagnation in hiring helps highlight why we see so many folks struggling to find new roles.
As always, it was stated that high growth budget scenarios typically came after an incident or breach, showing that much like the field of security itself, security budgets are also reactionary.
White House ONCD Released Roadmap to Enhance Internet Routing Security
This week the White House Office of the National Cyber Director (ONCD) released a “Roadmap to Enhance Internet Routing Security”, which focuses on the Border Gateway Protocol (BGP) in particular.
The effort ties to the latest U.S. National Cyber Strategy and aims to secure the foundation of the Internet. The plan is not only a great discussion around securing Internet routing and the use of BGP, but also an understanding of how Internet routing works and the entities involved.
AI
AI Revenues
Sapphire Ventures recently published GenAI Revenue Figures, Public Disclosures, Reporting and Analyst Estimates.
While it includes some of the usual suspects and giants of the industry, it also has some insights into up and coming firms, as well as even the role of consulting, with Accenture for example boasting $500M in AI revenue from AI consulting. This emphasized to me that organizations are seeking out guidance and expertise on AI adoption and use.
MITRE ATLAS
As AI adoption continues to accelerate, we need a way to navigate risks, and to do so with real-world data, not hype and FUD.
That's why MITRE's Adversarial Threat Landscape for AI Systems (ATLAS) is such a great resource for navigating AI risks. I had a chance to sit down with the MITRE ATLAS lead this week, Christina Liaghati, PhD.
We dove into:
What the ATLAS Project is, and how it can be used
Why it is key to have a way to characterize AI risks
The need for a data-driven approach with real-world incidents, research and avoiding FUD
The promise and peril of AI when it comes to cyber
I also wrote a long form article diving deep into every aspect of ATLAS, titled “Navigating AI Risks with ATLAS”. ATLAS is another great AI security resource for the community, and in previous articles we have covered some examples, such as:
AppSec, VulnMgt and Software Supply Chain
Open Source - The $9 TRILLION Dollar Resource Companies Take For Granted
By now, I’ve discussed the Open Source Software (OSS) ecosystem extensively. It’s well known that OSS runs most modern organizations and is a core part of the software landscape with 90%+ of codebases containing OSS and 70-80% of codebases being made up of OSS.
OSS adoption and use is driven by things such as the thriving ecosystem, speed to market, avoiding re-creating the wheel and significant cost savings on R&D and native development.
But, what is the real cost savings and overall financial value of OSS?
As it turns out, research from Frank Nagle and Harvard estimates it would cost firms $8.8 trillion to create from scratch what OSS openly provides for free.
Even more striking, they estimate that 5% of programmers are responsible for 90% of the value created on both the supply and demand sides of OSS.
It’s often said “software is eating the world”, and now it is safe to say OSS ate software.
Defining Reachability - is it just hype?
Although the concept and capability of reachability analysis has been around for some time, it has gotten much more interest recently with the rise of software supply chain attacks, attempts to secure OSS usage and also organizations looking to mature their vulnerability prioritization approaches.
I wrote about the importance of reachability for vulnerability prioritization in my book Effective Vulnerability Management and I’m the Chief Security Advisor for Endor Labs, an SCA company that prides itself on its robust reachability capabilities.
Reachability is now going mainstream, being cited in the latest Gartner Hype Cycle for AppSec. James Berthoty of Latio Tech recently penned an article discussing if reachability matters or if it is just hype.
James jokes about what he calls the “Vulnerability Cycle of Sadness”.
While funny, it is a sad reality that security wastes thousands of hours, dollars and business cycles a year forcing developers to address vulnerabilities that aren’t exploitable.
This is largely due to Security living in the stone ages and using fundamentally flawed approaches for vulnerability prioritization, such as Common Vulnerability Scoring System (CVSS) base scores, rather than context-driven approaches using sources like CISA KEV, EPSS, reachability, asset criticality, data sensitivity and more, something I have written about extensively.
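To make the contrast concrete, here is an added example (my own illustration, not code from Latio Tech, Endor Labs or the book) that ranks a handful of constructed findings two ways: by CVSS base score alone, and by a context-driven score that folds in CISA KEV membership, EPSS probability, reachability, asset criticality and data sensitivity. The weights, the 1-3 criticality scale and the `VULN-*` identifiers are assumptions made for the example; the point is how far the two orderings diverge, not the particular numbers.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding with the context fields the text names."""
    vuln_id: str            # constructed placeholder id, not a real CVE
    cvss_base: float        # CVSS base score, 0.0-10.0
    epss: float             # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool            # listed in CISA KEV (known exploited)
    reachable: bool         # reachability analysis: vulnerable code path is called
    asset_criticality: int  # 1 = low, 2 = medium, 3 = high (assumed scale)
    sensitive_data: bool    # the affected asset handles sensitive data


def cvss_only_priority(findings: List[Finding]) -> List[Finding]:
    """The 'stone age' approach: highest CVSS base score first, nothing else."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


def context_score(f: Finding) -> float:
    """Context-driven score. Weights are illustrative assumptions, not a standard."""
    score = 0.0
    if f.in_kev:
        score += 40.0               # exploitation confirmed in the wild
    score += 30.0 * f.epss          # likelihood of exploitation
    score += 5.0 * f.asset_criticality
    if f.sensitive_data:
        score += 10.0
    score += f.cvss_base            # severity still matters, but as one input
    if not f.reachable:
        score *= 0.1                # not reachable: near the bottom of the queue
    return round(score, 2)


def context_priority(findings: List[Finding]) -> List[Finding]:
    """Highest context score first."""
    return sorted(findings, key=context_score, reverse=True)


# Constructed sample findings for the example.
SAMPLE_FINDINGS = [
    Finding("VULN-A", 9.8, 0.02, False, False, 1, False),  # critical CVSS, unreachable, low-value host
    Finding("VULN-B", 7.5, 0.85, True, True, 3, True),     # in KEV, reachable, crown-jewel asset
    Finding("VULN-C", 8.1, 0.10, False, True, 2, False),
    Finding("VULN-D", 5.3, 0.60, False, True, 3, True),
]


def ordering(findings: List[Finding]) -> List[str]:
    """Helper returning just the ids in ranked order, for comparison."""
    return [f.vuln_id for f in findings]


if __name__ == "__main__":
    print("CVSS-only order:   ", ordering(cvss_only_priority(SAMPLE_FINDINGS)))
    print("Context-driven order:", ordering(context_priority(SAMPLE_FINDINGS)))
    for f in context_priority(SAMPLE_FINDINGS):
        print(f"  {f.vuln_id}: cvss={f.cvss_base} context={context_score(f)}")
```

Run it and VULN-A, the 9.8 that a CVSS-only queue would page someone about tonight, drops to last because nothing calls the vulnerable code and the host is low value, while VULN-B, a "merely high" 7.5 that is in KEV, reachable and on a sensitive system, moves to the top. Whatever weights you settle on, keep them in version control and revisit them against incident data, since the weights are the policy.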
What is CI/CD Security and What Tools Do You Need to Do it?
We've heard more and more chatter about "CI/CD Security"
But what exactly is it, and why do you need it?
I discuss all of that and more in my latest blog with Endor Labs, including:
❓ What CI/CD Security is
✅ Why it matters
🛠 Tools that can help, such as Pipeline Discovery, Repository Security Posture Management, Secrets Detection, Code-to-Cloud Traceability and Artifact Signing
Much of our focus on software supply chain security looks at the output and software artifacts, and rightfully so. However, the underlying tooling and processes used to create software are equally important and increasingly a target of malicious actors.
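Of the tool categories listed above, secrets detection is the one most teams can stand up in a pipeline in an afternoon. The following is an added example of my own (not the Endor Labs blog's code or any vendor's scanner) showing the two techniques such tools combine: fixed-pattern rules for well-known credential formats and a Shannon-entropy check that catches random-looking tokens the rules miss. The rule set is deliberately tiny, the entropy threshold of 4.0 bits per character is an assumption, and the scanned text is a constructed `.env`-style file using AWS's documented example access key id rather than a real credential.

```python
import math
import re
from typing import List, Tuple

# Illustrative rules only; a production scanner ships hundreds of them.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-password",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
]

# Candidate tokens for the entropy check: long runs of base64/URL-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{24,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for "looks random"


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep only a short prefix so findings can be logged without leaking the secret."""
    return token[:4] + "…"


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, redacted_evidence) for every hit, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append((lineno, name, redact(m.group(0))))
        for tok in TOKEN_RE.findall(line):
            if shannon_entropy(tok) > ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy-string", redact(tok)))
    return findings


def should_block_pipeline(findings: List[Tuple[int, str, str]]) -> bool:
    """Gate decision: any finding fails the build (tune allow-lists per repo)."""
    return len(findings) > 0


# Constructed sample input. The AKIA value is AWS's public documentation example.
CONSTRUCTED_ENV_FILE = """\
# constructed sample .env-style file for the example
APP_NAME=orders-service
LOG_LEVEL=info
DB_PASSWORD="correct horse battery staple"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
SESSION_SIGNING_KEY=Zx9Qm2Lk7Pw3Rt5Yh8Vb1Nc4Jf6Gd0Sa
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    hits = scan_text(CONSTRUCTED_ENV_FILE)
    for lineno, rule, evidence in hits:
        print(f"line {lineno}: {rule} ({evidence})")
    print("block pipeline:", should_block_pipeline(hits))
```

Two design points worth carrying into a real deployment: findings are redacted before they are printed, because a scanner that echoes the secret into CI logs has just moved the leak rather than prevented it; and the entropy check runs on every line independently of the rules, so a token with no recognisable prefix still trips the gate. Expect the entropy rule to produce some false positives on things like content hashes, which is what per-repository allow-lists are for.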
The 7 Fastest Growing AppSec Companies
Industry Analyst published what he defined as the “7 Fastest Growing AppSec Companies” list. These companies grew more than 15%, had between 50 and 500 employees, and together took in more than $481 million in funding.
TL;DR: The NSA’s Zero Trust “Devices Pillar” Cyber Information Sheet (CSI)
The NSA began putting out a series of “Cybersecurity Information Sheets” as guidance for agencies and organizations implementing Zero Trust, with a bent towards DoD-defined ZT approaches.
My co-worker Mackenzie Wartenberger published a summary blog of the latest publication which focuses on the Devices pillar in ZT.
It covers:
Device Inventory
Device Detection and Compliance
Device Authorization and Real-Time Inspection
Remote Access Protection
Automated Vulnerability and Patch Management
Centralized Device Management
Endpoint Threat Detection and Response
While this article focuses on DoD and Federal Agencies, Zero Trust is no doubt seeing a massive industry wide push.
A reminder for my readers, Zero Trust isn’t a product. Much like cybersecurity, it isn’t something you buy, but something you do :)
OWASP SAMM Fundamentals Course - FREE
We continue to see a push for software security and maturity. OWASP’s Software Assurance Maturity Model (SAMM) is among the industry leading frameworks for measuring and maturing organizational software development and security practices.
OWASP released a FREE OWASP SAMM course which covers:
Governance
Design
Implementation
Verification
Operations
OWASP SAMM is an excellent framework for maturing software security practices and is also one of the resources that the NIST Secure Software Development Framework (SSDF) cites.