Resilient Cyber Newsletter #36
State of the CISO & Security Budgets, GenAI Red Teaming, AI Developer Evolution, CVSS Enrichment, & OWASP Threat and Safeguard Matrix (TaSM)
Welcome!
Welcome to issue #36 of the Resilient Cyber Newsletter.
We’re back with another great collection of discussions, articles, and resources across security.
We continue to see disruption across the U.S. Federal tech landscape from CISA to USDS. We discuss the state of CISO and security budgets, walk through the 3 CISO archetypes defined by IANS, and dive into resources from OWASP and others in the community around AppSec.
So, let’s get to it!
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 30,000 subscribers, ranging from Developers, Engineers, Architects, CISOs/Security Leaders and Business Executives.
Reach out below!
How Secure Are You and Your Business Against Cyber Threats?
In today's world, cyber threats are more sophisticated than ever. Cyber threats are evolving rapidly, outpacing business defenses and increasing risk. Passwords? They're outdated - and can be cracked in under a minute. Cybercriminals are intercepting SMS codes, hacking authentication apps, and spreading malware through mobile scams.
While businesses invest in network security, they often overlook the "front door"—the user login.
Yubico believes the future is passwordless. With security keys that deliver unbeatable protection and eliminate vulnerabilities, users enjoy a fast, frictionless experience.
The YubiKey secures individuals, SMBs, and enterprises against phishing and malware threats, safeguarding personal devices and corporate systems.
This is why Yubico is offering Resilient Cyber an exclusive, limited-time Buy-one-Get-one Offer.
Say NO to modern cyber threats and upgrade your security today!
Cyber Leadership & Market Dynamics
CISO’s, Security Budgets & Careers
In this episode of Resilient Cyber, we sit down with Steve Martano, Partner in the Cyber Security Practice at Artico Search, to discuss the recent IANS & Artico Search publications on the 2025 State of the CISO, security budgets, and broader security career dynamics.
Steve and I touched on some great topics, including:
The 2025 State of the CISO report and key findings
Board reporting cadences for CISOs and the importance of Boardroom involvement in Cybersecurity
The three archetypes of CISOs: Tactical, Functional, and Strategic
How security leaders can advance their careers to become a strategic CISO, as well as key considerations for organizations looking to attract and retain their security talent
The growing scope of responsibility for CISO roles, from not just Infosec to broader IT, business risk, and digital strategy, and the implications for CISOs
Security budget trends, spending, macroeconomic factors, and allocations
Below is a list of some of the great resources from IANS and Artico on various areas of interest for CISOs and Security leaders alike!
Security Budget Trends and Benchmarks Report:
CISO Compensation Trends & Benchmarks:
2025 State of the CISO Report:
Cybersecurity Leadership & Organization Trends:
Strategic? Functional? Tactical? Which type of CISO are you?
Speaking of the various categorizations of CISOs, CSO Online recently ran an article discussing the CISO archetypes and the way CISOs fit (or not) into the roles depending on the organization. A misfit scenario can be a negative experience for both the CISO and the organization.
The article draws on the IANS report for reference and discusses how some CISOs can move between the archetypes depending on the needs of the day and the organization, while others tend to thrive in a specific category. There is nuance too: depending on the organization's size and maturity, the CISO may not have the luxury of being strategic, and in fact may be juggling multiple roles themselves with little to no resources or supporting cast.
This is something Steve and I dove into in the conversation above, for those who want to tune in and learn more.
CISA and USDS Expertise Hiring Opportunity
Given the Federal trend around layoffs, RIFs, resignations and more, we’ve seen a lot of incredibly talented engineering, security and technology professionals actively seeking new roles. I wanted to highlight a couple of valuable resources below, one for former CISA folks actively seeking roles, and the other for USDS. These are great opportunities to hire incredibly mission-driven and talented technology professionals!
Managing the Emotional Toll Cybersecurity Incidents Can Take on Your Team
When we think of security incidents, it is common to think of impacts such as reputational harm, stock price, financial consequences, ransom and more. However, another often undiscussed toll is the emotional impact on the cybersecurity team dealing with the incident.
This article discusses that emotional impact, as well as how it can end up leading to financial impacts on the organization, such as decreased performance due to low morale and attrition among the team.
The UK Undermines User Privacy
It's been reported that Apple has pulled its iCloud end-to-end encryption feature for UK users after the government demanded a backdoor. What's ironic is that Western nations, on the one hand, get on their soapboxes and criticize authoritarian nations for how their citizens are treated, while on the other hand actively undermining the privacy of their own citizens in the name of "security". Apple expressed its disappointment that these protections won't be available to customers in the U.K. despite rising data breaches and threats to customers' privacy.
We continue to see an interesting intersection between digital technologies and democracy. This will only continue as technology encompasses every aspect of society, from personal life to national security.
Let this sort of thing be a warning for U.S. citizens.
Cyber Command 2.0
While there are many differences between the current and previous U.S. Presidential administrations, there is also some alignment. One area is a Biden-era plan to revamp U.S. Cyber Command. This includes compiling and then implementing a list of authorities that Cyber Command would need to be more effective and also eliminating or reducing regulations that hinder its ability to conduct cyber operations.
This also seems to align with speculation that has been swirling about a forthcoming cybersecurity executive order (EO) that is poised to focus on increasing the U.S.’s ability to be more effective at offensive cyber operations, while previous cyber EOs have heavily focused on defense.
Additional projected focus areas for Cyber Command 2.0 include:
A cyberwarfare innovation center to better engage with industry.
An advanced cyber training center to scale training across the military’s cyber forces.
A new force generation model within the military branches.
A talent management task force to oversee a hodgepodge of workforce-related steps, like standardized retention pay and bonuses.
Think being a CISO of a cybersecurity vendor is easy? Think again
The CISO role can differ depending on the industry, organization type and size, and more. One of the unique examples includes being a CISO at a cybersecurity vendor.
This particular role is often not viewed as being a “real” CISO, as described by Tyler Farr in this piece on CSO Online. That is because many view the role as more sales-oriented than genuinely security-focused on securing an organization against cyber risks.
However, as Tyler points out, being a CISO for a security vendor often comes with all of the internal security responsibilities of a traditional organization and increased accountability and visibility since security sales run on trust. If you have an incident as a vendor, you can lose credibility and find it more difficult to gain and keep customers’ trust.
As Tyler says in this piece, “In cybersecurity, the product is a promise.” Customers want to know how the product is secured and that it promises to protect them and their data and help reduce risk. As Tyler states, security vendor CISOs are a bridge to customer trust.
I will add from my perspective that, depending on the size of the vendor, the CISO may be focused strictly on internal security practices, while one or more “Field CISOs” function as that bridge to trust, out in the “field” engaging with customers in more of a sales capacity. In that model the CISO focuses on internal organizational and product security, but this really varies and depends on the vendor’s size and maturity.
AI
AI is Prompting an Evolution, not an Extinction, for Coders
We often hear about the disruption that AI will cause among the workforce, including for Developers. In a bit of a play on the word “prompt” this piece from NYT makes the case that GenAI and AI-driven coding tools are leading to an evolution of the way Developers work rather than an extinction. As the saying goes, AI won’t take your job, but someone using AI will.
The piece discusses how many Developers are now regularly working with copilot coding tools and couldn’t imagine not doing so for everything from development, testing, integration and more.
The article covers the fundamental way AI is changing, but not eliminating, the way Developers work. The CEO of GitHub is quoted as saying that in the coming years 80-90% of the code written may be by AI, and many already say it is saving them 4-5 hours a week, if not more. Examples cited include getting new Development team members up to speed, capturing documentation for code (something no one enjoys doing), and helping transition legacy code bases to new languages. The last has real potential when we look at the push to move to memory-safe languages such as Rust, which got a big push from CISA and others in 2024.
There’s also discussion about the implications for Developers in terms of hiring, and it cites how the demand for junior Developers has weakened. There are additional sources citing this dip overall, such as Substack’s leading outlet, The Pragmatic Engineer, which shared a piece showing Developer job listings have reached a five-year low (see below):
At first, it is easy to think this is specific to Developers, but as they show below, this coincides with an overall decline in postings as well, which isn’t surprising given we came out of the COVID era, ZIRP, and have faced persistent economic challenges in not just the U.S. but around the world.
However, we can see that despite an overall decline in postings, Developers did indeed face a steeper and more drastic decline.
In addition to the way AI is changing the way Developers work, I have been particularly interested in whether the “productivity” boon of more code faster will equate to more vulnerabilities and an explosion of the digital attack surface, especially given that LLMs are trained on open source code bases which often include vulnerabilities. While the research is still maturing on this, right now it looks like that will be the case, making security, and leveraging AI for AppSec, even more critical.
GenAI Red Teaming
Red Teaming is emphasized in leading AI security frameworks and requirements, from NIST's AI RMF to the EU's AI Act. Red Teaming is a longstanding cyber practice that identifies and mitigates risks against systems.
However, with the introduction and evolution of GenAI and LLMs, there are some nuanced considerations, including models, implementation, systems, data, runtime, and more.
Luckily, the OWASP® Foundation produced their GenAI Red Teaming Guide, which I break down in my latest article.
US AI Safety Institute Could Face Big Cuts
Many U.S. Federal agencies are facing severe cuts and downsizing. Among those include the National Institute of Standards and Technology (NIST), home of the US AI Safety Institute. It is being reported that the organization may be targeted for deep layoffs, including “probationary” employees, who are in their first year or two on the job.
This isn’t incredibly surprising given we’re seeing cuts across many agencies, and the latest AI EO which focused on innovation, American dominance and removing burdensome regulations, including the previous Biden AI EO, which focused on safety and security.
AppSec, Vulnerability Management, and Supply Chain Security
Understanding OWASP’s Top 10 List of Non-Human Identity Critical Risks
NHIs remain one of the most discussed topics in the identity security space. This is especially true with the excitement around Agentic AI.
That's why the OWASP® Foundation's NHI Top 10 Risks is a timely resource. It covers the top 10 risks related to NHIs and ties those risks to real-world breaches, surveys, and vulnerabilities.
I break down the OWASP NHI Top 10 in my latest article with CSO Online.
CVSS Scoring Threat Enrichment
Many are painfully familiar with the Common Vulnerability Scoring System (CVSS) and its shortcomings. CVSS often gets a bad rap, and understandably so, as it has many challenges.
Many organizations fail to take advantage of it fully and only use CVSS base scores without any temporal or environmental/organizational context. cvss-bt, by Stephen Shaffer, is a really awesome open-source tool that addresses the temporal side.
It automatically and continuously enriches CVSS scores by accounting for exploit code maturity/exploitability.
It uses various sources, such as CISA KEV, VulnCheck KEV, EPSS, Metasploit, Nuclei, ExploitDB, and PoC-in-GitHub.
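To make the enrichment idea concrete, here is an added example (not the cvss-bt project's own code) that derives the CVSS v3.1 Exploit Code Maturity metric from threat-intelligence signals like the ones listed above and computes the resulting temporal score per the v3.1 specification. The signal-to-maturity mapping and the sample records are assumptions constructed for this example, not cvss-bt's rules or real data.

```python
import math

# CVSS v3.1 temporal metric weights, taken from the specification.
EXPLOIT_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}

def roundup(value):
    """CVSS v3.1 'Roundup' (Appendix A): smallest one-decimal number >= value,
    computed on integers to avoid floating-point surprises."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0

def exploit_maturity(signals):
    """Map threat-intel signals to the E metric. This mapping is an assumption
    made for the example; it is not the cvss-bt project's own logic."""
    if signals.get("cisa_kev") or signals.get("vulncheck_kev") or signals.get("metasploit"):
        return "H"   # known exploited in the wild or weaponised module
    if signals.get("nuclei") or signals.get("exploitdb"):
        return "F"   # functional exploit code is public
    if signals.get("poc_in_github") or signals.get("epss", 0.0) >= 0.1:
        return "P"   # proof-of-concept or notable predicted exploitation
    return "U"       # nothing public: unproven

def temporal_score(base_score, e="X", rl="X", rc="X"):
    """Temporal = Roundup(Base * E * RL * RC); 'X' leaves a metric undefined."""
    return roundup(base_score * EXPLOIT_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])

def enrich(cve_id, base_score, signals, rl="X", rc="X"):
    """Return the base score beside its threat-enriched temporal score."""
    e = exploit_maturity(signals)
    return {"cve": cve_id, "base": base_score, "E": e,
            "temporal": temporal_score(base_score, e, rl, rc)}

# Constructed sample records: placeholder CVE ids, not real vulnerabilities.
SAMPLE = [
    ("CVE-0000-0001", 9.8, {"cisa_kev": True, "epss": 0.95}),
    ("CVE-0000-0002", 9.8, {"exploitdb": True}),
    ("CVE-0000-0003", 9.8, {}),
]

if __name__ == "__main__":
    # Same base score, three very different temporal scores once an official fix (rl="O") exists.
    for cve, base, sig in SAMPLE:
        print(enrich(cve, base, sig, rl="O"))
```

The three sample records share a 9.8 base score but land at 9.4, 9.1 and 8.5 once exploit maturity and an official fix are applied, which is the prioritisation signal base-only scoring throws away.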
Vintage Vulnerabilities and Critical Infrastructure
Salt Typhoon was the name attributed to the threat actors that conducted the “largest breach of U.S. telecommunications” in 2024. It is evident that among the attack vectors, the group used a 7-year-old vulnerability in Cisco software/products.
"The hackers, tied to Chinese intelligence, mostly gained access to Cisco devices by acquiring victim login information, but in a single case took advantage of a Cisco router flaw that has been publicly documented in the National Institute for Standards and Technology’s vulnerability database for seven years."
We can hammer vendors all we want to produce "Secure-by-Design/Default" products, and organizations can optimize vulnerability prioritization based on known exploitation and exploitability.
But seven years is a really long time. The digital ecosystem is rife with legacy software, products, and well-known vulnerabilities, many of which have available patches. But if they aren't remediated, it doesn't matter.
OWASP Threat and Safeguard Matrix (TaSM)
We often hear that cyber is in the business of revenue protection, but how do we put that into action? The OWASP TaSM is one tool to help. It lets an organization overlay major threats across a matrix aligned with NIST’s Cybersecurity Framework (CSF), build a security plan aligned with each function of the CSF, and align safeguards accordingly.
Below is a notional example of TaSM with example threats, as well as functions and safeguards to address those threats.
TaSM can also be used for metrics and measuring improvement, as well as enhancing threat modeling (shown in order below):
TaSM even shows how it can be aligned with AI threats, such as below:
TaSM is a very versatile framework and can be used for many purposes, as seen below. It is led by my friend Ross Young, whom I’ve previously interviewed on Resilient Cyber, where he discussed all the ins and outs of How to Become a CISO.
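As an added illustration of the matrix structure and the metrics use described above (this is example code, not OWASP's TaSM material), the snippet below builds a threat-by-CSF-function matrix and reports which cells have no safeguard, giving a simple coverage ratio to track over time. The threats and safeguards are a constructed sample, not the page's notional example.

```python
# NIST CSF functions form the columns of the Threat and Safeguard Matrix.
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

def build_tasm(threats, safeguards):
    """Return {threat: {function: [safeguards]}} with every cell present,
    so an empty list marks a threat/function pair with no safeguard."""
    matrix = {t: {f: [] for f in CSF_FUNCTIONS} for t in threats}
    for threat, function, control in safeguards:
        if threat not in matrix or function not in CSF_FUNCTIONS:
            raise ValueError(f"unknown threat/function: {threat}/{function}")
        matrix[threat][function].append(control)
    return matrix

def coverage_gaps(matrix):
    """(threat, function) cells with no safeguard: the to-do list for the plan."""
    return [(t, f) for t, row in matrix.items() for f, cells in row.items() if not cells]

def coverage_ratio(matrix):
    """Share of matrix cells that have at least one safeguard, a trackable metric."""
    total = len(matrix) * len(CSF_FUNCTIONS)
    return (total - len(coverage_gaps(matrix))) / total if total else 0.0

# Constructed sample input (hypothetical threats and safeguards).
THREATS = ["Phishing", "Ransomware"]
SAFEGUARDS = [
    ("Phishing", "Identify", "Inventory of externally exposed mailboxes"),
    ("Phishing", "Protect", "Phishing-resistant MFA (FIDO2)"),
    ("Phishing", "Detect", "Mail gateway and login anomaly alerts"),
    ("Phishing", "Respond", "Credential reset playbook"),
    ("Ransomware", "Protect", "Least-privilege file shares and EDR"),
    ("Ransomware", "Detect", "Mass-encryption behaviour rules"),
    ("Ransomware", "Recover", "Tested offline backups"),
]

if __name__ == "__main__":
    tasm = build_tasm(THREATS, SAFEGUARDS)
    for threat, row in tasm.items():
        print(threat, {f: len(c) for f, c in row.items()})
    print("gaps:", coverage_gaps(tasm), "coverage:", coverage_ratio(tasm))
```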