After spending several decades in this industry, I have seen growth in many different security products and in many different areas. All the while, I’ve questioned whether specific technologies were offering real value or were just over-marketed to create more revenue opportunities for investors. As we have seen repeatedly, categories of security products blossom in many different ways. So many vendors, so much technology. Where do we go from here?

I am all about the baselines. I’ve made an entire career out of them. But if you were to ask a random person on the street what that means, the reaction would be: “Who the heck are you, and why are you asking me random weird questions.” So it would be better if you found someone in the tech industry at least.

I have wanted to do a series like this for some time. I frequently watch movies and point out social engineering and OSINT techniques or inaccuracies as well as OPSEC blunders. These blunders, in addition to the matrix style waterfall screens, are equally bad as the “hacking” you see in movies.

The City of Waco has warned residents that their online payments for water services may have been intercepted by hackers who stole credit card details. The heart of the problem lies in the third-party online payment software that Waco and several other cities and municipalities use to let residents pay their bills, pay parking fines, as well as make other financial transactions.

Finding a security vendor that is the best fit for your company’s business objectives, culture, risk profile, and budget is challenging today. The purpose of this blog is to suggest that working with a “vendor partner” is more than working with a standard technology vendor in that a partner aligns not only with “Technology” concerns but also with “People and Process” concerns.

The Risk Management Framework (RMF) is most commonly associated with the NIST SP 800-37 guide for “Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” which has been available for FISMA compliance since 2004. This was the result of a Joint Task Force Transformation Initiative Interagency Working Group; it’s something that every agency of the U.S. government must now abide by and integrate into their processes.

As we begin our new decade of the 2020s, we can look back at the last 30 odd years and examine the collaboration between technology and our daily lives. If you think of your day-to-day, it’s easy to see how much our society relies on technology. Consider our smart devices such as mobile phones, watches, even homes. However, what about the technology that we don’t see, that gives us clean drinking water, removes wastewater, and keeps our homes warm?

In the not-too-distant future, I can clearly see how ISO 27001, SOC 2 and HITRUST certifications could become a diminished, legacy activity, viewed as a rarity left over from marketing efforts to distinguish an organization’s security posture from its competition. Absurd? Unrealistic?

Consider how many times a day you check your mobile phone, smartwatch, smart TV, and/or other connected devices. How normal does it seem to be reaching out to an external source, not actually sure where this information is stored, or even coming from, but that it’s there, accessible and ready to be taken in? Organizations wishing to migrate to a third-party cloud solution (‘the cloud’) need to understand this point well.