Full episode and show notes

The Cyber Canon, ditching the SOC 2, and the weekly enterprise news – Helen Patton – ESW #416

Segment 1 – Interview with Helen Patton: Introducing the Cybersecurity Canon Did you know that there’s a hall-of-fame for cybersecurity books? Over the past decade, the Cybersecurity Canon has published reviews on dozens of cybersecurity books and established a hall of fame. Hall of fame books are defined as titles that all cybersecurity professionals should read – a great short list for those new to the field and overwhelmed by choices. Helen Patton, co-founder and Chief of Staff for the Cybersecurity Canon joins us to tell us all about the Canon, how it came to be, and its transformation into a more visible and active organization. We’ll also discuss Helen’s own book, “Navigating the Cybe...

Full Segment Notes

Segment 1 - Interview with Helen Patton: Introducing the Cybersecurity Canon

Did you know that there’s a hall-of-fame for cybersecurity books? Over the past decade, the Cybersecurity Canon has published reviews on dozens of cybersecurity books and established a hall of fame. Hall of fame books are defined as titles that all cybersecurity professionals should read - a great short list for those new to the field and overwhelmed by choices.

Helen Patton, co-founder and Chief of Staff for the Cybersecurity Canon joins us to tell us all about the Canon, how it came to be, and its transformation into a more visible and active organization.

We’ll also discuss Helen’s own book, “Navigating the Cybersecurity Career Path”, and an upcoming second book she’s working on as well!

Segment Resources:

Segment 2 - Topic: Does the SOC 2 need to die?

AJ Yawn thinks so.

The TL;DR is that he thinks industry-specific frameworks are more appropriate and effective.

You can check out some more of his thoughts on LinkedIn, or on the Alice in Supply Chains podcast.

  • Ayman recommends checking out https://mvsp.dev/ as a potential alternative (or as a complementary process to actually get secure)

Segment 3 - This Week's Enterprise Security News

And finally, in the enterprise security news,

  1. a bit of funding with a side of layoffs
  2. McDonald’s applicants are not lovin’ it
  3. a WILD story about a vulnerability in the US train system
  4. Meta still on the hook for $8B in privacy violations
  5. What is Agentic Misalignment?
  6. Using AI when coding is… slower?
  7. Auth Omnibus
  8. Pop some popcorn - AI acquisitions are getting crazy

All that and more, on this episode of Enterprise Security Weekly.

Guest
Cybersecurity Advisor at Cisco Systems

Helen Patton is a strategic cybersecurity advisor at Cisco. Previously she served as a CISO for the Cisco Security Business Group, and an Advisory CISO, providing strategic insights to the security community. She was the CISO at The Ohio State University and spent ten years in risk and resiliency at JPMorganChase.
Helen actively encourages cybersecurity collaboration across and within industries, to enable better information security and privacy practices. She actively works to expand the cyber workforce, and mentors people interested in pursuing careers in security, privacy and risk management. She advocates for more naps and is anti-bagpipes.
Helen has a Master’s degree in Public Policy. She serves on various cybersecurity advisory boards and industry groups. Helen is a blogger and the author of “Navigating the Cybersecurity Career Path”.

List of Articles

Adrian Sanabria

  1. FUNDING: Courtesy of the Security, Funded newsletter, issue #202 – The Calm Between Storms

    Last week's vibe check asked the question, which problem in security will never be solved?

    Overwhelmingly, the answer was Phishing and Social Engineering, followed by Third party risk, and then Shadow IT/AI

    LAYOFFS It has been a while since layoffs made the news (not that they haven't been quietly happening), but we've got some news here! It's just one case, so we can't yet tell if it is an isolated case, or the start of another layoff trend. Layoff tracker Layoffs.fyi lists only 9 cases of layoffs for cybersecurity vendors in 2025, though that does include 180 laid off by Okta, 500 by Crowdstrike, and all 300 Skybox employees when it shut down in February.

    • Snyk lays off 110-130 employees, 8-10% of its workforce

    FUNDING

  2. VULN DISCLOSURES: McDonald’s AI Hiring Bot Exposed Millions of Applicants’ Data to Hackers Who Tried the Password ‘123456’

    Sean brought this up last week, but we ran out of time and didn't get to it. In the time since then, I've had a chance to read up on it! The lessons learned here are numerous:

    1. bad password (123456 was the username AND password), but it was a test account, so that's okay, right?
    2. test and production environments/accounts were not segregated (whoops! not okay then)
    3. no MFA on test account
    4. very basic appsec vulnerability (IDOR, insecure direct object reference) that any security review or penetration test would have caught - it's literally one of the first things a pen tester would try - changing the ID/record number to see if you could pull another record from the database that isn't your own
    5. Data exfil from a test account was not detected
    6. no security assessment, review, or pentest (even the most junior reviewer would have caught most of this stuff) - if one DID occur, it can safely be disregarded as a valid assessment, if it's missing stuff like this
    7. TPCRM controls didn't require a security assessment for the third party providers
    8. No VDP or clear guidance on where to report a security issue

    The good news: Paradox.ai fixed the issue in a day and updated their website to make the process for reporting security issues very clear. Their response to this issue was fast, transparent, and comprehensive. Kudos, that's how it's done, folks! Orgs 1,000 times the size of Paradox somehow still get this wrong most of the time.

  3. VULNERABILITIES: A WILD story about a vuln in the US train system

    (2) neils on X: "Turns out you can just hack any train in the USA and take control over the brakes. This is CVE-2025-1727 and it took me 12 years to get this published. This vulnerability is still not patched. Here's the story:" / X

  4. LEGAL: Meta investors, Zuckerberg to square off at $8 billion trial over alleged privacy violations

    Incredibly, the Cambridge Analytica debacle is still following the Zuck around. This leads me to wonder whether privacy funds are outpacing losses to cyber criminals...

  5. AI RISKS: Understanding Agentic Misalignment in AI: Risks and Insights

    I'm still trying to decide if this is overblown by Dan. The researchers at Anthropic are clear that there are no known cases where any of the risks they found occurred in actual AI model use, and that all their findings come from simulations.

    There's no small amount of AI inference going on - we're likely into the billions of prompts served daily, for every use case imaginable (and some I'd rather not imagine), and if none of this use is triggering a single AI blackmail scenario, I find it hard to get too concerned.

    But no technology we've seen come to the forefront in the past is quite like AI. Should we file this into the same bucket as side channel attacks, or take it more seriously?

  6. AI RESEARCH: Measuring the Impact of Early-2025 AI on Experienced Open-Source Developer Productivity

    This is a fascinating study that comes with a lot of caveats and insights. My thoughts:

    1. Clearly, the big finding is that experienced open source developers were 19% slower with AI-enabled dev tools (e.g. Cursor) than without.
    2. But this time also included the time necessary to learn the tools, which hardly seems like a fair comparison. I'd expect this to speed up as devs get more familiar with the tools.
    3. A very interesting data point is that developers felt like they were 20% faster with the AI tools than without.

    I have a theory on that third point: if the AI tools are taking some of the cognitive load off the developer, perhaps there's value here, even if using the AI tools takes longer overall. Bear with me here. Creative work suffers from hyperfocused sessions and context switching (as a developer would do when moving from fixing a bug to refactoring code to designing a new feature, etc). This might result in a limit of, say, 2-3 hours of productive work per day before the dev's brain is fried, and they can no longer be productive.

    If an AI tool can offload some of that cognitive load (even though it takes them longer to complete the task), it might be worth the extra time cost if the developer can significantly improve their productivity over the course of a full day. This study only looked at per task efficiency though - future studies would have to look at productivity in the larger context of a work day or work week to study this.

    Anyway, just a thought.

  7. SQUIRREL: Infinite Mac Construction Set

    Finally - 1980's operating systems meet 2020s AI.

  8. BUT WHY: Mercedes-Benz expands collaboration with Microsoft to boost in-car productivity with Enhanced Meetings for Teams app, Intune integration and Microsoft 365 Copilot

    The first technology package you pay extra to have removed ;)

Ayman Elsawah

  1. RESOURCES: Auth Omnibus
  2. AI ACQUISITIONS: Cognition, maker of the AI coding agent Devin, acquires Windsurf
  3. NEWSLETTERS: Pricing Power, Reading’s Demise & Late-Night Vibe Coding
Show More

Stay in the Know, No Smoke and Mirrors – Join Our Newsletter

Get expert insights and technical breakdowns straight to your inbox.
Join Now

Related Segments

Related Content

You can skip this ad in 5 seconds