Resilient Cyber Newsletter #31
Cyber EO, TikTok Ban/Reversal, State of the CISO, Red Teaming 100 GenAI Products, & NHI AMA
Welcome!
Welcome back to another issue of the Resilient Cyber Newsletter.
It’s been quite the whirlwind of a week, with the new Cybersecurity Executive Order (EO), a change in the U.S. presidential administration, and more.
We will explore that and many other great resources this week, so let’s get started!
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 8,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives
Reach out below!
See the Future of Real-Time Cloud Security
Secure your spot on the frontlines of cybersecurity innovation at Symphony 2025.
Nearly every business runs in the cloud and adversaries have followed. Learn how you can transform security operations to defeat modern, cloud-first attacks faster than you ever thought possible.
This virtual summit is packed with sessions including:
The power of real-time cloud security: Get a first look into the bold future of cloud security, unified with the world's leading SecOps platform.
Exclusive intelligence: Gain Unit 42® insights to outsmart and stay ahead of emerging threats.
Game-changing demos: Experience the speed and scale of Cortex®, the world's leading SecOps platform.
Real-world wins: Discover how SOCs are transforming cloud security and gain actionable takeaways for your organization.
Cyber Leadership & Market Dynamics
2025 Cyber Executive Order (EO)
In the final days of the Biden administration, The White House published a broad and wide-reaching Cyber EO, building on the previously issued Cyber EO 14028. The new one is titled “EO on Strengthening and Promoting Innovation in the Nation’s Cybersecurity”.
It addresses six key areas:
Software supply chain security
Federal systems security
Communications Security
Cybersecurity and fraud prevention
AI in cybersecurity
Policy implementation and national security
Software Supply Chain Security
The software supply chain aspect builds on previous efforts, such as CISA’s Secure Software Development Attestation, OMB 22-18, and 23-16, which apply to commercial companies selling software to the Federal government. This new EO calls for machine-readable attestations, improvements to NIST’s SSDF, management of the Government's use of open source, and more.
Federal Systems Security
It also aims to improve threat detection for Federal systems. This includes expanding CISA’s powers to access agency endpoint data, hunting for threats across Federal networks, identifying coordinated cyber campaigns, and overseeing cloud security through FedRAMP. Of course, this comes after several notable incidents impacting Federal agencies, systems, and data.
The expanded powers of CISA should be an interesting topic, given that the incoming administration has had a contentious relationship with CISA, particularly regarding elections and politics.
Communication Security Gets An Upgrade
This past year, massive incidents impacted the U.S. telecom sector, particularly the Salt Typhoon, which affected the U.S.’s largest telecom providers and political officials, presidential candidates, government officials, and others.
This section requires agencies to implement DNS, bolster encryption for email systems, improve routing security (e.g., BGP), and prepare systems for post-quantum cryptography by 2030.
Fighting Cybercrime and Fraud
Cybercrime and fraud are still rampant. Ransomware is wreaking havoc worldwide, and organized crime groups are demanding incredible ransom amounts. This section of the EO focuses on digital identity verification improvements, protecting public benefits programs from fraud, limiting payment fraud, and establishing robust identity validation services.
AI Gets a Cybersecurity Role
AI has been an incredibly hot topic for the last 24 months or so, both for attackers and defenders. There’s been a lot of talk about how we can secure AI and use AI to bolster security and address systemic challenges. While the government is typically risk-averse, it was very refreshing to see the Cyber EO push for using AI to enhance the cyber defense of critical infrastructure and Federal agencies and new datasets for cyber defense research and use AI for vulnerability management integration.
Anyone who follows me knows I often discuss how insurmountable the current vulnerability management landscape is. The NVD has over 200,000 CVEs and continues to see double-digit year-over-year growth, with 40,000 CVEs in 2024. Organizations, including large federal agencies, have vulnerability backlogs in the hundreds of thousands to millions.
AI has great potential to address the never-ending vulnerability management rat race in various ways.
Overall, this Cyber EO builds on various previously established, far-ranging efforts, including AI, Supply Chain Security, Federal Agency defenses, and more. Many have speculated how much of it may or may not stick with the presidential administration change, but many of these focus areas are bipartisan, so I suspect it may not change drastically—although time will tell!
TikTok Banned - Then Reversed
It’s been a whirlwind week for TikTok, an application used by an estimated 170 million Americans. A law went into effect, temporarily banning the application and preventing access. President Trump intervened, calling for a 90-day reprieve on the ban to explore scenarios that would allow a U.S. entity to own at least 50% of TikTok.
This has been a hotly contested topic, with some Republicans not agreeing with the delay and many still calling TikTok a critical national security threat to the U.S. During the initial ban, many began to scramble, seeking to use VPNs or other methods to maintain access to the widely popular social media app.
U.S. AI-based search engine company Perplexity submitted a BD to ByteDance, which owns TikTok. However, details of that or other schemes remain unknown at this time. Many national security and cybersecurity professionals in the U.S. are still actively calling for its ban, while others see the ban as an infringement on freedom.
It will be interesting to see how this one plays out. I personally believe social media does pose severe negative risks, particularly to youth, and this is supported by studies and authors such as Jonathan Haidt and others. we’ve begun to see some countries, schools, and others ban the use of cell phones, for example, largely tied to social media.
2025 State of the CISO Report
IANS and Artico published their 2025 State of the CISO report recently, and it is full of great insights, building on a previously published report they had about budget benchmarks within security
The report includes insights from over 800 CISOs across various industries and organization types/sizes.
This includes data about CISO reporting structures, board exposure cadence, compensation and influence. This is a great read for both practicing CISOs, those aspiring to fill the role, those who previously held the role and anyone interested in the current state of the CISO role.
Let’s discuss some of the key findings.
One of the items they highlighted was the CISO’s organization level, as well as how many layers they are removed from the CEO. This is always a hotly debated topic in cyber, with some claiming the CISO should report to the CEO. As you can see, the reporting structure varies depending on the organizational level the CISO finds themselves in.
Another timely topic is the cadence and frequency with which the CISO reports to the board, especially as we increasingly hear that cyber is or should be a board-level concern and the SEC pushes modern rules making cybersecurity more of a board-level topic of discussion. Again, the frequency varies depending on the organizations size.
One thing I thought was particularly interesting is that the report frames CISOs into three archetypes, which are:
As you would suspect, the categories CISOs fall into vary by organization. Those from public large market-cap companies tend to be in the strategic camp, have higher compensation, more leadership influence, and more opportunities for career advancement beyond the CISO role.
These archetypes set the tone for the remainder of the report, which is filled with insightful insights about the types and how to advance through them, as well as the compensation and satisfaction of CISOs in the various categories.
The report also discusses the scope of CISO responsibilities and how they continue to expand beyond Infosec into areas such as business risk, digital strategy, and even IT. We see an uptick in CISOs being dual-hatted as the CIO/CISO (and being compensated accordingly).
Another excellent report from IANS and Artico that I recommend folks dig into!
Top Cities for Founding Cybersecurity Companies
It is always interesting to see what areas are leading when it comes to startups, including in cybersecurity. This insight from industry analyst Richard Stiennon provides just that.
When it comes to the U.S., it is no surprise to see San Francisco/CA leading the pack, but again, we see the outsized role of Israel with Tel Aviv. I will say, I was surprised to see London ahead of New York, but it is also good to see, given a lot of the recent industry discussion about the EU stagnating when it comes to innovation and startups. Someone actually shared a link to an analysis by the UK government showing there are 700 cyber companies in London and over 2,000 in the UK - which is awesome to see!
U.S. Public Sector Exposure (% of Revenue)
Many are understandably anxious about the change in the U.S. presidential administration and efforts such as DOGE and others that may impact Federal spending, or, in this case, Federal IT spending.
Sid Trivedi, a Partner at Foundation Capital, posted on LinkedIn a chart of the U.S. Public Sector Exposure (% of revenue) of leading companies, such as Tenable, Palo Alto, Crowdstrike, and others, pulled from a source at Morgan Stanley.
He pointed out that the U.S. Federal government spends roughly $25 billion annually on security products and services, a figure that has grown by 10% or more year over year for the last five years. The average security company derives 7% of its revenue from U.S. government spending.
Amidst all the speculation about budget and cost cuts, Sid recommends that organizations ensure their customer base is diverse to avoid impacts caused by an over-reliance on a particular sector, such as the Government.
Gap Between Cyber-Resilient and Cyber-Vulnerable Will Widen
I’ve been following some folks at analyst firm Canalys lately. They often provide good insights on industry spending, M&A, and other trends. They recently projected that IT spending will grow by 8.3% in 2025.
One thing I thought was most interesting about cybersecurity is that they cited one of the major risks to economic growth and IT spending in 2025 as the continuing growth of the divide between cyber-resilient and cyber-vulnerable people.
Their rationale is that technology deficits will increase due to IT budget struggles and the rise of malicious AI, especially by nation-state actors. This will cause those without sufficient budgets (and without sufficient internal security expertise, in my opinion) to struggle to keep pace with the threat landscape and, as a result, continue to become more vulnerable.
AI
The US “has to win” the AI innovation race, Open AI exec says
We continue to hear from tech and AI leaders about the importance of the U.S. winning the AI innovation race on the global stage, primarily against China. This latest message comes from an OpenAI exec.
Still, it mimics similar messages we’ve heard from other organizations such as Antropic, whose CEO co-authored a piece titled “Trump Can Keep America’s AI Advantage”, which discusses China trying to catch up and the claim that the U.S. needs proactive development efforts and strong export controls to maintain it’s AI lead.
New AI Challenges Will Test CISOs & Their Teams in 2025
The rapid adoption and implementation of AI products and services challenge CISOs. The quickly evolving regulatory landscape, particularly in the EU, involves a unique mix of technical security considerations and board-level concerns.
This piece from GitLab’s CISO, Josh Lemos, outlines some of the key challenges and top trends he suspects will occur in 2025 for AI and CISOs.
Among those risks, he cites:
Vulnerabilities in proprietary LLMs may lead to broad-impact security incidents due to their widespread use and adoption.
AI and Cloud-Native Workloads Will Increase Demand for Highly Adaptive Identity Management
AI Will Help Scale Security Within DevOps
A key theme of the piece is that, if done correctly, AI will challenge security teams and be a powerful tool they can wield.
Red Teaming 100 GenAI Products
Microsoft recently published a comprehensive paper titled "Lessons from Red Teaming 100 GenAI Products." And it is full of great insights, such as:
The various case studies they used, including different application and system types and different types of vulnerabilities and findings
LLMs amplify existing security risks while also introducing new ones
Their AI threat model ontology, including the system, actor, and TTPs used, as well as the weaknesses identified and impacts involved
Their approach of probing both safety and security, as well as the types of AI products that were tested, such as Apps & Features, Copilots, Plugins, and Models
These insights from the Microsoft team are a valuable resource for the security community regarding considerations for securing GenAI adoption and use.
Microsoft provided a breakdown of the systems they tested, including Apps and Features, Copilots, Plugins, and Models.
They also laid out their AI Red Teaming ontology for modeling GenAI system vulnerabilities, as seen below:
Microsoft summarized their top 3 key takeaways from the paper and overall effort:
GenAI systems amplify existing security risks and introduce new ones
GenAI introduces novel attack vectors and risks while also overshadowing longstanding known risks and threats that get lost in the discussion around AI security. They cite examples such as outdated dependencies, credential exposure, sanitization, and encryption. However, there also are new novel risks, such as model-level weaknesses and specific attack techniques like prompt injections, which capitalize inability to ’s inability to distinguish between system-level instructions and user data.
Humans are at the center of improving and securing AI
Despite all of the hype around AI, Agents, and disrupting the workforce, Microsoft makes the case that red teaming, in particular, cannot be automated entirely. This includes subject matter expertise, cultural competence, and emotional intelligence. However, they point to several areas that AI can help automate, streamline, and improve when it comes to red teaming.
Defense in depth is key for keeping AI systems safe
Microsoft points out that while there are various mitigations and approaches to addressing AI safety and security risks, much like broader security, no one thing is a silver bullet and fundamental concepts such as defense in depth are still alive and well.
AI in Action: 5 Essential Findings from the 2024 Federal AI Use Case Inventory
Like many others, The U.S. Federal government has been exploring how they can take advantage of AI. This culminated in thousands of use cases in an inventory. The outgoing Federal CIO published a blog discussing 5 essential findings:
Compared to 2023, Federal agencies have more than doubled their AI use in the last year, citing improvements to operational efficiency and the execution of their missions as key drivers for increased utilization.
Federal agencies predominantly leverage AI to assist with administrative and IT functions; however, AI use cases in health and medical applications closely follow.
Approximately 50% of all reported AI use cases are developed in-house, illustrating Federal agencies’ capacity for innovation.
Federal agencies are showcasing increased AI maturity, including by accelerating access to necessary tools and infrastructures for development.
Approximately 13% of Federal AI use cases could impact the public’s rights or safety, as defined by OMB Memorandum M-24-10.
NVIDIA Offers Free AI Courses
As AI adoption and exploration continues, organizations and practitioners must ensure a workforce prepared to take advantage of the technology. Industry leader NVIDIA is offering several interesting AI courses for FREE, including:
AI for All: From Basics to GenAI Practice
Getting Started with AI
GenAI Explained
Building a Brain in 10 minutes
AppSec, Vulnerability Management, and Supply Chain Security
Cloud-native Workspace Security Gaps and Challenges
In this episode, we sit down with Rajan Kapoor, Field CISO of Material Security, to discuss the security risks and shortcomings of native cloud workspace security offerings and the role of modern platforms for email security, data governance, and posture management.
Email and Cloud Collaboration Workspace Security continues to be one of the most pervasive and challenging security environments, and Rajan provided a TON of excellent insights. We covered:
Why email and cloud workspaces are some of the most highly targeted environments by cyber criminals, what they can do once they do compromise the email environment, and the broad implications.
The lack of security features and capabilities of native cloud workspaces such as M365 and Google Workspaces and the technical and resource constraints that drive teams to seek out innovative products such as Material Security.
The tug of war between security and productivity and how Material Security helps address challenges of the native workspaces that often make it hard for people to do their work and lead to security being sidestepped.
Particularly industries that are targeted and impacted the most, such as healthcare, where there is highly sensitive data, regulatory challenges, and more.
Common patterns among threats, attacks, and vulnerabilities and how organizations can work to bolster the security of their cloud workspace environments.
This is a fascinating area of security. We often hear “identity is the new perimeter” and see identity play a key role in trends such as zero trust. But, so often, that identity starts with your email, and it can lead to lateral movement, capturing MFA codes, accessing sensitive data, impacting business partners, phishing others in the organization, and more, all of which can have massive consequences for the organizations impacted.
Rajan brought his expertise as a Field CISO and longtime security practitioner to drop a ton of gems in this one, so be sure to check it out!
Non-Human Identity (NHI) - Ask Me Anything (AMA)
NHIs have been a hot topic in cyberspace over the past 12-18 months, especially as credential compromise continues to plague organizations and NHIs significantly outpace human users.
I had a chance to join Astrix Security for an NHI AMA last week, and we dove into many great topics, including NHI fundamentals, misconceptions, governance, incident response, and more!
CSA - Zero Trust Guidance for SMB’s
We all know Zero Trust has been a key trend in the last several years, from NIST’s 800-207 to the U.S. Government's Federal Zero Trust Strategy, moves by the DoD, and, of course, by the broader commercial industry, vendors, and organizations of all shapes and sizes.
That said, implementing Zero Trust in SMB environments can be particularly challenging due to resource constraints, a lack of in-house talent, and other factors. That’s why this new Zero Trust Guidance for Small and Medium-Sized Businesses (SMBs) from Cloud Security Alliance (CSA) looks promising.