ESW #286 – Ragnar Sigurdsson, Roey Yaacovi
Full Audio
Segments
1. How to Measure Human Cyber-Risk, Finally! – Ragnar Sigurdsson – ESW #286
Since the dawn of the internet, companies have been fighting cyber vulnerabilities with a myriad of traditional technologies, and assigning cybersecurity training to people without really knowing its effectiveness or being able to tell the difference between knowledge and behavior. This is why AwareGO created the Human Risk Assessment. Designed by behavioral and cybersecurity experts, it allows organizations to measure human risk and resilience across a number of critical cybersecurity threat vectors. It measures cyber risks connected to social media that are not only personal but can affect the workplace as well.
It helps assess awareness of secure password handling with multiple interactive experiences and situations.
And it allows you to discover how employees would deal with tricky situations around the workplace, such as tailgating and shoulder surfing, and issues related to remote work.
All in a safe and friendly environment. After completing the assessment employees get individualized results with an explanation of what they did right and what they could have done better. This offers guidance and a chance to learn. The overall results help organizations gather actionable insights and make informed decisions about their security strategy.
The Human Risk Assessment works as a stand-alone product, but its flexibility allows integration into existing platforms. When combined with AwareGO's live action training content, it can bring your organization's cyber resilience to the next level.
Segment Resources: https://awarego.com/human-risk-assessment/
https://www.securityweekly.com/awaregoresource
https://awarego.com/how-to-measure-human-cyber-risk-finally/
This free whitepaper explains the methodology behind the Human Risk Assessment: https://awarego.com/materials/the-human-side-of-cybersecurity/
This segment is sponsored by AwareGO. Visit https://securityweekly.com/awarego to learn more about them!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Guest
Ragnar is a CISSP, CEH, penetration tester and ethical hacker. Seeing that traditional cybersecurity awareness training doesn’t work, Ragnar created a new way to train employees on proper security measures and assess the human cyber-risk factor.
Ragnar believes cybersecurity can't be addressed by technology alone and that the human risk factor should be an integral part of every cybersecurity strategy. Modern human risk management requires a solution that understands human behavior, which is why all AwareGO products, the Human Risk Assessment included, have been created by cybersecurity and behavioral experts.
Changing human behavior is hard. Ragnar thinks we should empower people with short, positive and fun security messages that are in line with AwareGO’s ethos of no blame — no shame.
Cybersecurity culture isn’t built in one day. Building culture and managing human risk means creating a virtuous cycle of identifying vulnerabilities, measuring human cybersecurity resilience and delivering meaningful, fine-targeted training.
2. Data Security Posture Management – Roey Yaacovi – ESW #286
What the new category of Data Security Posture Management (DSPM) is and why it matters, with real customer stories where DSPM products played a critical role in helping companies secure their data.
Announcements
Security Weekly listeners save 20% on InfoSec World 2022 passes! InfoSec World will be held September 27th through the 29th at Disney's Coronado Springs Resort in Lake Buena Vista, Florida. Visit securityweekly.com/isw and use the code ISW22-SECWEEK20 to secure your spot now!
3. Twitterpocalypse 2022, Wiz, Awesome Free Tools, & News Catch Up – ESW #286
In the Enterprise Security News: We discuss Twitterpocalypse 2022! The Biggest Winner? Security startup Wiz reaches $100M ARR in 18 months??? Tons of funding we probably won’t get to, sorry in advance, we’ve got 2 weeks of news to catch up on! Awesome free tools, free training and DIY tips! Third party attacks and supply chain attacks continue to ramp up, John Deere’s security deficiencies get exposed again, Cyber insurers reduce coverage… again, ESPN8 the Ocho, explained, and more, on this episode of Enterprise Security Weekly!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
- 1. UNICORNING: Cloud security startup Wiz reaches $100M ARR in 18 months – TechCrunch
  Unicorns gone wild - do we really think Wiz has hit $100M in 18 months??? Let's dive in.
  The Timeline: the company was founded in Jan 2020, so it wasn't zero lines of code to $100M in 18 months - they've existed for 32 months now, so it's likely the first line of code was written LONG before they started generating revenue (which is where the clock begins for the 18 month figure).
  Their Past: These same founders built, grew and sold Adallom to Microsoft for $320M in ~3 years on $49.5M of funding. That was long before funding rounds and valuations went crazy.
  Public indicators: They're private, so they could say anything, but I've generally found the amount of funding and employee count on LinkedIn to be decent indicators of growth and size. I can't recall a case where I saw these factors off by an order of magnitude or anything like that in the ~10 years I've been using them to estimate size and growth. They raised $600M in 22 months. That's bonkers and would certainly enable them to pull off some crazy growth (as much as money alone can, I guess?!?). They've got ~500 employees on LinkedIn and nearly doubled their employees in the last 6 months. I don't even know how you do that, but when you do the revenue per employee math, it comes out a bit low, if anything, based on what I'm used to seeing for security startups ($200k per employee).
  In conclusion, I wouldn't be surprised to hear that this $100M took some creative work and squinting to produce, but hell - they've got experience building and growing fast and the rest of the numbers are equally crazy but back up the claim, so maybe they really are at $100M? ¯\_(ツ)_/¯ If we knew net new ARR and burn, we could REALLY form an opinion though. Is this a PR stunt? Absolutely - why else share private revenue numbers?
  There are some interesting startup growth metrics out there, and one we can calculate with the info they've given us is Dave Kellogg's Hype Factor:
    Capital Raised / ARR = Hype Factor
    $600M / $100M = 6
  Kellogg suggests the following scale:
    A hype factor of 1-2 is target.
    A hype factor of 2-3 is good, particularly well before an IPO.
    A hype factor of 3-5 is not good, too much hype and too little ARR.
    A hype factor of 5+ suggests there is very little "there there" at all.
  Dave's take is that some hype can be good, as it creates a halo effect that can help increase ARR (e.g. "they've raised a ton of capital, must be worth checking out!"), but too much (5+) might be a negative indicator.
- 2. FUNDING: ICS Cybersecurity Leader TXOne Networks Raises $70 Million in Series B Funding
- 3. FUNDING: ThreatX Raises $30 Million in Series B Funding to Accelerate Growth in Global API Protection Market
- 4. FUNDING: ThreatX Raises $30M to Build Out API Capabilities, Hire
- 5. FUNDING: Wire grabs $24M for secure messaging that’s big with the G7 – TechCrunch
- 6. FUNDING: Spin Technology raises $16M to protect SaaS apps against attacks – TechCrunch
- 7. FUNDING: SynSaber Raises $13M in Series A Funding – FinSMEs
- 8. FUNDING: Safe-T Group Secures Up to $4 Million in Strategic, Non-Dilutive Funding to Boost Consumer Privacy Business
- 9. FUNDING: Defendify Raises $3.35 Million to Expand its Comprehensive Cybersecurity Solution and Accelerate Growth
- 10. FUNDING: EasyDMARC Closes $2.3 Million in Seed Round
- 11. FUNDING: Brookstreet Announces Its Investment in CyberOwl (Maritime Cybersecurity Specialist) — Brookstreet Equity Partners LLP
- 12. CRYPTO: US Treasury Sanctions Tornado Cash
- 13. FREE TRAINING: The Technical Building Blocks of Zero Trust
  Hands-on training that demystifies Zero Trust? Yes please!
- 14. FREE TOOLS: BlueHound: Community Driven Resilience. – Zero Networks
  Free attack mapping tool, very cool!
- 15. FREE TOOLS: Introducing Threatest, A Go Framework For End-to-end Testing Of Threat Detection Rules
- 16. NEW TOOLS: Seraphic, another browser security startup
  https://seraphicsecurity.com/seraphic-data-sheet/
- 17. NEW TOOLS: Nightfall AI
  DLP 2.0
- 18. THIRD PARTY ATTACKS: Mailchimp compromise used to target crypto exchanges through DigitalOcean
  Hard to attack your target directly? Go after their third parties!
- 19. THIRD PARTY ATTACKS: Twilio compromise allows attackers to go after Signal users
  Hard to attack your target directly? Go after their third parties!
- 20. STUNT HACKING: Sick Codes' John Deere research presented at DEF CON
  From the desk of Cory Doctorow: "This weekend, I watched a hacker jailbreak a John Deere tractor live on stage"
- 21. HOT TAKES: How a Former Sequoia Capital Partner Cornered the Israeli Security Startup Market
  Reads a lot like a puff piece to me - one tiny exit does not translate into "cornering the market", even a niche one.
- 22. REGULATIONS: slightly unrealistic DOD spending bill
  From Jerry Gamblin on Twitter: "The House passed a defense spending bill saying you can't sell software to the DoD that has *any* known CVEs in it."
- 23. LEGAL: SEC Charges Three Chicago-Area Residents with Insider Trading Around Equifax Data Breach Announcement
- 24. SUPPLY CHAIN: Snyk finds 12 malicious Python libraries in PyPI
  Catalin Cimpanu on Twitter: "Snyk finds 12 Python libraries that steal Discord and Roblox credentials and payment info"
- 25. DIY TIPS: Introducing Google Workspace DLP: How Compass scales security data leak prevention automation
  Roll your own DLP for GDrive/Google Workspace!
- 26. DIY TIPS: How to detect suspicious activity in your AWS account by using private decoy resources
  DIY AWS honeypots and decoys!
- 27. TWITTERPOCALYPSE 2022: Former security chief claims Twitter buried ‘egregious deficiencies’
- 28. TWITTERPOCALYPSE 2022: Twitter whistleblower won hacker acclaim for exposing software flaws
- 29. TWITTERPOCALYPSE 2022: Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies
- 30. TWITTERPOCALYPSE 2022: Twitter engineer still has commit rights 18 months after being laid off
  Al Sutton on Twitter: "If you are wondering if the stuff about Twitter security being lapse is just one person complaining, you might be interested to know that, 18 months after being let go from the company, I've not been removed from their employees' GitHub committers group."
- 31. TWITTERPOCALYPSE 2022: Endpoint Security: Intuition around the Mudge Disclosures
- 32. TRENDS: Lloyd's to Exclude Catastrophic Nation-Backed Cyberattacks From Insurance Coverage
  What about collateral damage from state-sponsored attacks, like NotPetya?
- 33. SQUIRREL: Anonymous poop gifting site hacked, customers exposed
- 34. SQUIRREL: Janet Jackson had the power to crash laptop computers
- 35. SQUIRREL: Excel esports on ESPN show world the pain of format errors