Dave Ferguson

Today’s San Antonio Chapter of CFMA lunch reminded me why cross-functional learning is one of the most underrated risk management tools we have. Here are the three insights that hit hardest for me: 1. Tax changes create security gaps. Rushed tech purchases to capture bonus depreciation or R&D credits often skip security vetting and that’s where exposure creeps in. 2. Construction firms face rising cyber risk. According to the Dodge Construction Network, 59% of construction firms experienced a cybersecurity threat over a two year period. The industry’s complexity makes it a prime target. 3. Finance + IT disconnect = avoidable risk. In most of the firms I talk to, finance leaders can’t list all of the cloud tools their project teams rely on. This is a blind spot attackers love. Takeaway: Your tax strategy, growth plan, and cybersecurity posture aren’t separate. They’re interconnected systems that can either reinforce or undermine each other. Huge thanks to Kathryn Hall, Bradley Frantz, Nita McBride, and the speaker for today's session Shelley Woitena for an outstanding CFMA meeting. Also wanted to thank Denice Allison for the introduction to the San Antonio crew. What’s an unexpected place you’ve learned something critical about your business?

6

1 Comment

Audits and forensics aren’t witch-hunts to “name the hacker.” They’re how you stop the next breach. A good audit/forensic review will: Expose misconfigurations and control gaps Surface broken processes (people • tech • vendors) Produce a clear timeline to improve response Provide evidence for insurance claims and regulators Demonstrate senior management intent and due diligence One breach costs more—in money, trust, and time—than doing the work properly up front. At Tylers, we turn incidents into hardening plans: fixes, owners, deadlines. Not blame—better security. #CyberSecurity #DigitalTrust #Forensics #Audit #IncidentResponse #Tylers

17

2 Comments

Things Texas Takes Seriously: 1. Cowboy Hats 🤠 2. Not messing with it 🗑 3. Cybersecurity 🔒 Texas’s very own TX-RAMP Certification is becoming increasingly in-demand. Why? Well, Texas has done a few things right to make the cert stick: 1️⃣ It created an achievable standard based on the NIST SP 800-53 framework and provided clear use-cases. 2️⃣ It significantly reduced the audit burden on private companies. The Texas Department of Information Resources performs the certifying assessment – NOT an auditor. 3️⃣ It passed legislation requiring all vendors providing cloud-based services to Texas state agencies and higher education institutions to become TX-RAMP certified. It turns out that, when required by law to get certified or risk losing a big customer, vendors tend to get certified! We have helped a number of customers with TX-RAMP. But, we regularly get smaller companies asking us for help. We can't economically service them. Well, we couldn't... until now! We are announcing TX-RAMP Champ. TX-RAMP Champ allows small companies to get TX-RAMP certified with half the effort. We provide the templates needed, video to explain how to use the templates and access to our experts to help. Rob, that sounds amazing but I want to try it out without having to pay. Imaginary person, that's why we have a 45-day trial option to try out the tool. You can sign up from this link: https://lnkd.in/eFgAQfkx Don't want to sign up? We have a bunch of free resources for learning about TX-RAMP on our TX-RAMP Champ page. Of course, you could sign up for our TX-RAMP Complete and get all of the TX-RAMP resources including: - TX-RAMP Security Plan Workbook with Sample Answers for all Controls - Complete TX-RAMP Documentation Template Library - Complete Training Video Library - Access to one-on-one chats with U.S.-based TX-RAMP efforts - 2 live session reviews of TX-RAMP deliverables What do you think about a solution for helping with TX-RAMP? Do you know someone who is struggling with TX-RAMP and would like a speed boost? Tag them, please!!!

31

19 Comments

“Are we compliant?” is not the same question as “Are we secure?” Too many teams check every box on the compliance list… and leave the back door wide open. Compliance frameworks are baselines — minimum requirements, not maximum protections. They’re designed to raise the floor, not build your ceiling. The trap? Once the audit’s done, people relax. Old controls stay on paper but break in production. Exceptions pile up. Gaps widen. And attackers don’t care that you have a shiny certificate — they care about that one misconfiguration you forgot to fix. Use compliance as your floor, not your finish line. Keep testing, keep verifying, keep asking: Does this still make sense? Because the threat landscape won’t wait for your next audit cycle.

4

For years, security teams worked to satisfy auditors and check compliance boxes. But today, the harshest critics of your cybersecurity posture aren’t regulators - they’re insurers. Because cyber risk has become an underwriting risk. If you can’t prove control maturity, you’ll pay more - or worse, find out your coverage means nothing when you need it. Cyber risk is now a pricing, eligibility, and survivability problem, a lot more than a technical issue. Real-World Lessons: When “Covered” Didn’t Mean Protected Even well-funded organizations are learning how unforgiving insurers have become: 1. Inchcape Australia v Chubb Insurance (2022) A ransomware attack caused business disruption, but the insurer ruled losses as “indirect” and not payable. 2. Hacked Business Loses Cyber Payout (Australia, 2023) A small business breach claim was denied - missing MFA and weak controls nullified the policy. 3. Supplier Breach, No Cover (2024) A company’s AU$30K response cost claim tied to a vendor incident was rejected - policy misalignment. These aren’t mere paperwork errors. They reflect a systemic shift: insurers now validate cyber maturity at the same depth attackers exploit it. Meeting the Baseline Isn’t Enough “Compliance-ready” doesn’t mean “insurable.” Policies are being restricted, repriced, or outright denied when: Controls exist only on paper, not in enforcement, and IR playbooks haven’t been tested in 12+ months. MFA or segmentation is missing on privileged or legacy systems, while Shadow IT, unmonitored vendors, or undisclosed prior incidents exist. You can’t produce evidence - metrics, logs, or test reports - on demand. Cyber insurance is no longer a safety net. It’s a maturity audit disguised as a policy. If you approach it like compliance, you’ll overpay or be left uncovered. If you treat it like risk management, you’ll earn leverage - lower premiums, higher trust, and resilience that outlasts any claim dispute.

21

1 Comment

💬 "Where's your risk heat map?" The ISO 27001 auditor was puzzled. A recent client of ours had quantitative risk analysis using FAIR—loss event frequency, probable loss magnitude, financial impact. But no familiar red/yellow/green matrix. "We don't need one," their security lead explained. "FAIR gives us better decision-making capability." This is where most ISO implementations play it safe. Heat matrices are comfortable. Auditors recognize them. They check the box. But they're also mostly useless for actual risk management. "Medium risk" doesn't tell you whether to spend €10K or €100K on controls. The FAIR methodology from FAIR Institute does. 🙌 Over 9 months, our client built their ISO 27001 program using quantitative risk assessment. The result: zero non-conformities on first audit. 🎉 But getting there required something most companies avoid: defending a better approach when the auditor expects the standard one. 📢 The lesson isn't "use FAIR for ISO." It's that certification frameworks are exactly that—frameworks. You can build security that actually drives decisions, or you can build security that passes audits. This client chose both. If your risk assessment can't help you prioritize what to fix first, it's decoration—not decision-making.

149

38 Comments

The $100K Layoff: The Unacceptable Risk of the Insider Threat ​This is not a story about revenge; it's a critical case study in Privilege Escalation and Insider Risk Management that every IT leader and CEO needs to review. ​In 2019, Texas-based software developer Davis Lu, anticipating a layoff, planted a malicious 'kill switch' in his company’s network. The code, chillingly named "IsDLEnabledinAD," was designed to trigger upon his account deactivation. ​The Triggered Fallout: ​System Failure: The entire global system was compromised, leading to infinite loops, server crashes, and critical operational halts. ​Data Destruction: Thousands of global employees were locked out, and critical files were deleted. ​Financial Damage: The employer reported losses in the hundreds of thousands of dollars. ​Lu ultimately faced 4 years in federal prison, but the question for the industry remains: Why did a single employee have the administrative access to cause this level of catastrophic, automated damage? ​Key Takeaways for Risk Mitigation: ​Principle of Least Privilege (PoLP): Were Lu's admin keys truly necessary for his reduced role after the 2018 corporate realignment? Access must be dynamically tied to current responsibilities. ​Automated Offboarding: Tying the kill switch directly to his Active Directory deactivation shows a crucial failure in the offboarding protocol. Deprovisioning must be staggered and monitored, not a single, unmonitored action. ​Code Review & Audit Trails: How did malicious code with explicit names like "Hakai" (Japanese for "destruction") bypass code review and enter the production environment unnoticed? If you are a CIO, CISO, or HR leader, what is your most critical immediate step to secure server access before a high-risk employee termination? ​👇 Share your best practice for mitigating the Insider Threat in the comments below. ​#InsiderThreat #CyberSecurity #RiskManagement #Layoffs #HRTech #DevSecOps ​✅ Follow me for deep dives into real-world security failures and actionable risk management strategies.

1

One data breach could bankrupt your Texas small business and now the law will decide if you survive. Starting September 1, 2025, Texas businesses with fewer than 250 employees can avoid punitive damages after a cyberattack, but only if they have a documented and actively maintained cybersecurity program. This is the new Texas Cybersecurity Safe Harbor law, and it rewards companies that follow recognized security frameworks such as the National Institute of Standards and Technology Cybersecurity Framework, the Center for Internet Security Controls, or the Health Information Trust Alliance framework. I help businesses get there fast by: - Managing your technology so systems are secure, monitored, and updated at all times - Installing and maintaining cybersecurity tools like firewalls, endpoint protection, multi-factor authentication, and intrusion detection - Providing compliance-as-a-service, including risk assessments, written policies, staff training, and ongoing monitoring to keep your protections current The law is clear: prepare now, or face the full cost of a breach later. Reach out to me today and let’s get your business protected before the deadline.

9

1 Comment

LOS DOSE – SOC 2 Quality Guild Edition I’m stoked that the quality of the SOC 2 is being questioned these days. It’s easy to say SOC 2 is dead or SOC 2 sucks or whatever. It’s much harder to do something about it. The SOC 2 Quality Guild is doing just that. If you are in the GRC and assurance space, pay attention to the work that Troy Fine, Henry Stanley, Dr. Omar Sangurima, CISSP, Val Dobrushkin, Chris Honda and MANY are doing. I know I've seen Danielle Kucera on the Slack channel! Jack Rumsey....#GRCDestroyer Because of the work of these folks, there is a new standard for SOC 2 quality and reliability that every GRC practitioner should engage and adopt at https://s2guild.org. Stay warm out there!

25

5 Comments

I used to compete in smart contract auditing contests. You find a critical vulnerability in someone's protocol. You submit it. Then you wait 6 to 8 weeks for the results to be verified. That protocol is live the entire time. ━━━━━━━━━━━━━━━━━━━ That's when it clicked for me. The security industry had built its feedback loops around researchers. Nobody had built them around founders. A founder doesn't have 8 weeks. They have a launch date, a team, and money on the line. ━━━━━━━━━━━━━━━━━━━ That's why we do private audits in 7 to 14 days. Not because we rush. Because founders can't afford to wait. And when we built our own community challenges - same real contracts, same real vulnerabilities - we close the loop in under 3 days. Because the faster researchers get feedback, the sharper the people reviewing your code become. ━━━━━━━━━━━━━━━━━━━ Speed without quality is just a liability. But quality without speed is a luxury most founders can't afford. That balance is what we build everything around. #Web3Security #SmartContracts #DeFi #BlockchainSecurity #Web3Founders

4

1 Comment

The name they gave this exploit, "ToolShell," tells you everything. It’s not a glitch. It’s a key, purpose-built to dismantle a system from the inside by exploiting the very logic meant to protect it. SharePoint’s authentication protocol wasn't just bypassed; it was re-purposed. The street always finds its own uses for things. A simple HTTP header became the fulcrum to pivot an entire security model into an attack vector. The system’s trust was turned into a weapon against itself. And the NNSA breach? That’s not the surprise. That’s the punchline. It’s the moment the curated fiction of impenetrable, state-level security collides with the messy reality of its own code. This isn’t about patching anymore. It's about admitting that the systems we’ve built are now black boxes. The real question isn't how we fix the next bug, but how we operate in a world where we have to assume the foundational trust is already gone. #ZeroDay #CVE #VulnerabilityManagement #Deserialization #CVE202553770 #ToolShell #Microsoft #CyberSecurity #InfoSec #DataBreach #CyberAttack #ThreatIntel

1

For those of you navigating CRA & RED-DA compliance… this one’s worth a read. For many years product security compliance was treated like a checklist exercise something to rush through right before launch. CRA and RED-DA changed that. Today, compliance isn’t optional, and treating it as a one-off task is a recipe for delays, lost trust, and missed opportunities. My colleague David Nosibor shares how the PSCOPE Maturity Framework can flip the script turning regulatory compliance into a continuous operational capability that drives performance, scalability, and trust. Instead of chasing PDFs and scrambling for evidence, PSCOPE builds shared language, measurement, and maturity across governance, automation, supply chain, and monitoring. I strongly believe that this is exactly the kind of shift our ecosystem needs. https://lnkd.in/eBudy-wk #CyberSecurity #CRA #RED #Compliance #ProductSecurity #PSCOPE #ContinuousCompliance #CyberResilience #IoT #Regulations #CyberPass

20

1 Comment