Nathan Sportsman

Today’s San Antonio Chapter of CFMA lunch reminded me why cross-functional learning is one of the most underrated risk management tools we have. Here are the three insights that hit hardest for me: 1. Tax changes create security gaps. Rushed tech purchases to capture bonus depreciation or R&D credits often skip security vetting and that’s where exposure creeps in. 2. Construction firms face rising cyber risk. According to the Dodge Construction Network, 59% of construction firms experienced a cybersecurity threat over a two year period. The industry’s complexity makes it a prime target. 3. Finance + IT disconnect = avoidable risk. In most of the firms I talk to, finance leaders can’t list all of the cloud tools their project teams rely on. This is a blind spot attackers love. Takeaway: Your tax strategy, growth plan, and cybersecurity posture aren’t separate. They’re interconnected systems that can either reinforce or undermine each other. Huge thanks to Kathryn Hall, Bradley Frantz, Nita McBride, and the speaker for today's session Shelley Woitena for an outstanding CFMA meeting. Also wanted to thank Denice Allison for the introduction to the San Antonio crew. What’s an unexpected place you’ve learned something critical about your business?

6

1 Comment

Things Texas Takes Seriously: 1. Cowboy Hats 🤠 2. Not messing with it 🗑 3. Cybersecurity 🔒 Texas’s very own TX-RAMP Certification is becoming increasingly in-demand. Why? Well, Texas has done a few things right to make the cert stick: 1️⃣ It created an achievable standard based on the NIST SP 800-53 framework and provided clear use-cases. 2️⃣ It significantly reduced the audit burden on private companies. The Texas Department of Information Resources performs the certifying assessment – NOT an auditor. 3️⃣ It passed legislation requiring all vendors providing cloud-based services to Texas state agencies and higher education institutions to become TX-RAMP certified. It turns out that, when required by law to get certified or risk losing a big customer, vendors tend to get certified! We have helped a number of customers with TX-RAMP. But, we regularly get smaller companies asking us for help. We can't economically service them. Well, we couldn't... until now! We are announcing TX-RAMP Champ. TX-RAMP Champ allows small companies to get TX-RAMP certified with half the effort. We provide the templates needed, video to explain how to use the templates and access to our experts to help. Rob, that sounds amazing but I want to try it out without having to pay. Imaginary person, that's why we have a 45-day trial option to try out the tool. You can sign up from this link: https://lnkd.in/eFgAQfkx Don't want to sign up? We have a bunch of free resources for learning about TX-RAMP on our TX-RAMP Champ page. Of course, you could sign up for our TX-RAMP Complete and get all of the TX-RAMP resources including: - TX-RAMP Security Plan Workbook with Sample Answers for all Controls - Complete TX-RAMP Documentation Template Library - Complete Training Video Library - Access to one-on-one chats with U.S.-based TX-RAMP efforts - 2 live session reviews of TX-RAMP deliverables What do you think about a solution for helping with TX-RAMP? Do you know someone who is struggling with TX-RAMP and would like a speed boost? Tag them, please!!!

31

19 Comments

The New Attack Vector CEOs Aren’t Watching: Calendar Invites Most CEOs in Central Texas know email is the biggest cyber threat in their business. But there’s a new attack vector slipping past security tools — and it’s hiding in plain sight. Your team’s calendar. Hackers have figured out they can use simple calendar invites to sneak in fake meeting links, impersonate trusted contacts, and get around security filters that normally block dangerous emails. These invites look normal. They land directly on your team’s calendars. And when the reminder pops up, people click. Here’s why this works so well: • Calendar invites don’t look suspicious • They often bypass traditional email filters • Outlook and Google sometimes add them automatically • Your team trusts anything that feels like a “work meeting” For a business, that means one thing: A single click can expose accounts, data, finances, or customer information. At CTTS, we’re helping Austin-area businesses stay ahead by tightening calendar settings, blocking risky invites before they hit the calendar, and removing suspicious events that slip through. Most business leaders never think about securing the calendar. But hackers do. If you want a second set of eyes on your Microsoft 365 or Google Workspace settings, schedule a free strategy session with CTTS. https://lnkd.in/gRnYBBbw #CTTSonline #AustinTX #RoundRockTX #GeorgetownTX #TaylorTX #Cybersecurity #ITSupport

5

Audits and forensics aren’t witch-hunts to “name the hacker.” They’re how you stop the next breach. A good audit/forensic review will: Expose misconfigurations and control gaps Surface broken processes (people • tech • vendors) Produce a clear timeline to improve response Provide evidence for insurance claims and regulators Demonstrate senior management intent and due diligence One breach costs more—in money, trust, and time—than doing the work properly up front. At Tylers, we turn incidents into hardening plans: fixes, owners, deadlines. Not blame—better security. #CyberSecurity #DigitalTrust #Forensics #Audit #IncidentResponse #Tylers

17

2 Comments

One data breach could bankrupt your Texas small business and now the law will decide if you survive. Starting September 1, 2025, Texas businesses with fewer than 250 employees can avoid punitive damages after a cyberattack, but only if they have a documented and actively maintained cybersecurity program. This is the new Texas Cybersecurity Safe Harbor law, and it rewards companies that follow recognized security frameworks such as the National Institute of Standards and Technology Cybersecurity Framework, the Center for Internet Security Controls, or the Health Information Trust Alliance framework. I help businesses get there fast by: - Managing your technology so systems are secure, monitored, and updated at all times - Installing and maintaining cybersecurity tools like firewalls, endpoint protection, multi-factor authentication, and intrusion detection - Providing compliance-as-a-service, including risk assessments, written policies, staff training, and ongoing monitoring to keep your protections current The law is clear: prepare now, or face the full cost of a breach later. Reach out to me today and let’s get your business protected before the deadline.

9

1 Comment

The importance of protecting private identifiable information (PII) cannot be overstated Google has agreed to pay the U.S. state of Texas nearly $1.4 billion to settle two lawsuits that accused the company of tracking users' personal location and maintaining their facial recognition data without consent #cyber #cybersecurity #dpo #dataprotection #ciso #informatrionsecurity #hacking #grc https://lnkd.in/ecCGdQVq

2

1 Comment

Pricing pressure is real. So is scope creep. If your MDR includes EDR + SIEM + IR + ‘always‑on’—but your fees haven’t kept pace—you’re subsidizing client outcomes. 4 moves to rebalance value: 1) Convert to outcome SLAs (MTTD/MTTR) 2) Right‑tier your tasks (nearshore Tier 1/2) 3) Follow the sun (offshore nights) 4) Entitle IR hours instead of ‘unlimited’ promises Margin follows structure. Structure the work to win. 🔗 Link in the comments ⬇️👇 #MDR #Pricing #SLA #Margins #Cybersecurity

21

2 Comments

After lengthy late-night discussions with Cédric Bonhomme on sightings and KEV formats, we produced a first draft of a generic format for Known Exploited Vulnerabilities (KEV).  Initially, we considered extending GCVE BCP-05 using the CVE Record format. However, we ultimately concluded that it may be more appropriate to define a standalone format, allowing sources to publish their KEV data independently. Feel free to comment on the discourse link below. KEV Assertion Format – Draft Specification (potential BCP?) This format describes a generic KEV (Known Exploited Vulnerability) assertion format. The goal is to express who claims exploitation, when, based on what, where it was observed, and with which level of confidence, without turning KEV into full threat intelligence. A KEV assertion is usually very binary and lacking some meta-information. The format adds some information which could better capture details about the exploitation. A majority of the fields are optional except vulnerability, status and evidence.[].source which are recommended. 🔗 https://lnkd.in/eaBUFXie GCVE-EU CIRCL (Computer Incident Response Center Luxembourg) CVE Program

145

11 Comments