Long popular in the military, “readiness and resiliency” is a staple of cybersecurity, too. It makes sense. Both institutions value (1) being alert to threats and risks while (2) recognizing that the types of threats and risks themselves are less important than the reaction to them. But how companies PERCEIVE risk is often very different from how they TAKE ON risks. Over 90% of my penetration tests have concluded with successful entry into “secure” environments.

So, you (or your friendly neighborhood MSP) have just finished a vulnerability scan as part of a vulnerability management program and/or in preparation for penetration testing. But one ominous question looms: What next? Sorting through hundreds of thousands of vulnerability logs can be daunting, and determining which ones are worth investigating further is even less of a trivial task.

A Domain Name System (DNS) is a protocol that translates human-readable domain names/URLs—like favoritewebsite.com—into IP addresses that computers can read—like 135.24.56.98. DNS servers handle tens of thousands of queries that transfer minute bits of data between devices, systems, and servers—which makes DNS an attractive and easily exploitable vector for hackers (Cloudns.net).

2023 finds us in a sustained cybersecurity hiring crisis. With 3.4 million too few experts to meet global demand, it seems the widespread investments in university programs, increased certification access, and upskilling for existing IT professionals isn’t enough to bridge the gap.

PCI 4.0 — the PCI Standards Security Council’s first update since 2018 to the PCI Data Security Standards (PCI DSS) — is a major iteration that shifts away from the traditional point-in-time assessment. Do you remember how an auditor would annually determine the PCI compliance status of a merchant’s or service provider’s system on a specific day in a specific month and assume — somehow — that the snapshot characterized their status all year?