Tony Vargas

Here’s a pattern I’m seeing more often: More sites. More assessments. More reporting expectations. Same headcount. Security teams are being asked to scale output without scaling structure. So what happens? Assessments become episodic. Reporting takes too long. Prioritization becomes subjective. And leaders spend more time translating risk than reducing it. This isn’t a capability issue. It’s an architecture issue. At some point, physical security has to operate with the same operational discipline as finance and IT. Otherwise it stays in permanent catch-up mode. For security people overseeing medium to large portfolios (20+ sites): What’s currently your biggest bottleneck volume, visibility, or validation? And why do you think this is?

5

1 Comment

Great guidance from Norris Carden, a Lead CCA. I've been in the cyber world for decades, and a CMMC Audit is unlike anything I've seen. It requires a lawyer-like understanding of the controls, and there is relatively little latitude in meeting the assessment objectives. If you've gone through an ISO audit and think that's at the same level of rigor: nope. The sooner you bring in a partner that understands the specifics of CMMC, the better. If you're just beginning, we can help with scope and strategy. If you're ready for a dry run, we can do a mock audit. And anything in between. MAD Security #CMMC #CyberLeadership

4

1 Comment

Lockheed Martin wrote a post about expecting their suppliers to be CMMC compliant. Seems the prime contractors are pushing their subs harder and harder to get compliant. Interesting quotes: "By now, all DIB companies managing CUI should have fully implemented – and be confidently meeting – NIST SP 800-171 (r2) requirements." "To assist our programs with understanding and improving their suppliers’ CMMC readiness, Lockheed Martin Supply Chain Cybersecurity is reaching out to all suppliers whose latest self-assessment is indicative of unmet cyber requirements (including unimplemented CMMC controls)." "Suppliers are encouraged to engage with NIST MEP and/or the CyberAB Marketplace to validate preparedness for an anticipated CMMC third-party assessment and certification." As an assessor who has participated as Lead CCA, CCA, or CCA QA on over 20 assessments, I've seen some incredibly prepared suppliers for their assessments, and some not so much. I've also seen some MSPs that are making compliance easier with certified environments while other MSPs are uninformed and providing terrible advice. If you'd like some guidance on getting ready for CMMC, or recommendations on high-quality MSPs or C3PAOs, DM me - always happy to help. https://lnkd.in/gvMC7Mjh

35

2 Comments

OCR Director Defends HIPAA Updates: "There's a very high cost of doing nothing. A successful cyberattack can cost far more in terms of reputation, potentially paying a ransom, remediation of information systems, protection for those whose PHI was accessed, potential civil lawsuits from harm to individuals, and not to mention my investigators coming and knocking on your door and asking for information and talking about penalties." https://hubs.ly/Q04793ML0

1

🦀 When Security Research Bots Go Rogue: The Trivy "OpenClaw" Incident Following the Moltbook chaos and the Stanford Artemis research I’ve been tracking, we just witnessed a new milestone in "agentic" security: 🚨 the breach of Trivy (and several other major projects) by the hackerbot-claw (OpenClaw) bot. The "Agent" Problem: What makes this fascinating (and terrifying) is that this wasn't necessarily a "hacker" in the traditional sense. It was an autonomous bot, likely designed for "security research", that got out of control (or was let loose). It scanned, verified, and executed at a speed no manual SOC could match. It identified a GitHub Actions vulnerability, exfiltrated secrets, and began automatically dismantling the repo. I want to give a shout-out to the team at Aqua Security / Trivy. As a former CISO, I’ve seen my fair share of incident responses, and their handling of this was top! Radical transparency is the only way to maintain trust in an era of automated attacks My Takeaway: We are officially in the era of Autonomous Supply Chain Exploitation. If you aren't auditing your GitHub Actions permissions (specifically pull_request_target triggers), you are leaving the door unlocked for the next "research bot" to walk in. What are you doing to monitor "agentic" activity in your CI/CD pipelines? Are we ready for bots that can exploit faster than we can patch? #CyberSecurity #CISO #Trivy #OpenClaw #AI #SupplyChainSecurity #PaloAltoNetworks #GitHubActions

58

6 Comments

CMMC compliance is a business imperative – not a box to check. With Cybersecurity Maturity Model Certification requirements already appearing in contracts and full enforcement coming fast, defense contractors who delay may face more than high costs. They risk legal exposure, lost revenue and being shut out of future opportunities. With insight from #DoD #CIO Katie Arrington, #cybersecurity #risk and #compliance company CyberRx, and #Tech CEO Emile Sayegh, read my latest Forbes column to learn what leaders need to know about CMMC 2.0, the costs of certification and noncompliance, and why early action is your best competitive advantage. https://lnkd.in/e6t7Rm83 Ola Sage Israel Briggs Greg Smith Matt Grinstead Rachel Bamgbose #CMMC #CMMCCompliance #Cybersecurity #LeadershipStrategy #DefenseContracting #RiskManagement #GovCon

31

2 Comments

For years, security teams worked to satisfy auditors and check compliance boxes. But today, the harshest critics of your cybersecurity posture aren’t regulators - they’re insurers. Because cyber risk has become an underwriting risk. If you can’t prove control maturity, you’ll pay more - or worse, find out your coverage means nothing when you need it. Cyber risk is now a pricing, eligibility, and survivability problem, a lot more than a technical issue. Real-World Lessons: When “Covered” Didn’t Mean Protected Even well-funded organizations are learning how unforgiving insurers have become: 1. Inchcape Australia v Chubb Insurance (2022) A ransomware attack caused business disruption, but the insurer ruled losses as “indirect” and not payable. 2. Hacked Business Loses Cyber Payout (Australia, 2023) A small business breach claim was denied - missing MFA and weak controls nullified the policy. 3. Supplier Breach, No Cover (2024) A company’s AU$30K response cost claim tied to a vendor incident was rejected - policy misalignment. These aren’t mere paperwork errors. They reflect a systemic shift: insurers now validate cyber maturity at the same depth attackers exploit it. Meeting the Baseline Isn’t Enough “Compliance-ready” doesn’t mean “insurable.” Policies are being restricted, repriced, or outright denied when: Controls exist only on paper, not in enforcement, and IR playbooks haven’t been tested in 12+ months. MFA or segmentation is missing on privileged or legacy systems, while Shadow IT, unmonitored vendors, or undisclosed prior incidents exist. You can’t produce evidence - metrics, logs, or test reports - on demand. Cyber insurance is no longer a safety net. It’s a maturity audit disguised as a policy. If you approach it like compliance, you’ll overpay or be left uncovered. If you treat it like risk management, you’ll earn leverage - lower premiums, higher trust, and resilience that outlasts any claim dispute.

21

1 Comment