Data security, Cybersecurity Asset Management, Careers, Insider threat, Leadership, Third-party risk, Vulnerability management

ESW #286 – Ragnar Sigurdsson, Roey Yaacovi


Segments

1. How to Measure Human Cyber-Risk, Finally! – Ragnar Sigurdsson – ESW #286

Since the dawn of the internet, companies have been fighting cyber vulnerabilities with a myriad of traditional technologies, and assigning cybersecurity training to people without really knowing its effectiveness or being able to tell the difference between knowledge and behavior.

This is why AwareGO created the Human Risk Assessment. Designed by behavioral and cybersecurity experts, it allows organizations to measure human risk and resilience across a number of critical cybersecurity threat vectors.

It measures cyber risks connected to social media that are not only personal but can affect the workplace as well.

It helps assess awareness of secure password handling with multiple interactive experiences and situations.

And it allows you to discover how employees would deal with tricky situations around the workplace, such as tailgating and shoulder surfing, and issues related to remote work.

All in a safe and friendly environment.

After completing the assessment employees get individualized results with an explanation of what they did right and what they could have done better. This offers guidance and a chance to learn.

The overall results help organizations gather actionable insights and make informed decisions about their security strategy.

The Human Risk Assessment works as a stand-alone product, but its flexibility allows integration into existing platforms.

When combined with AwareGO’s live-action training content, it can bring your organization’s cyber resilience to the next level.

Segment Resources:

https://awarego.com/human-risk-assessment/

https://www.securityweekly.com/awaregoresource

https://awarego.com/how-to-measure-human-cyber-risk-finally/

This free whitepaper explains the methodology behind the Human Risk Assessment: https://awarego.com/materials/the-human-side-of-cybersecurity/

This segment is sponsored by AwareGO. Visit https://securityweekly.com/awarego to learn more about them!

Sponsored By

AwareGo

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Guest

Ragnar Sigurdsson
Head of R&D and Co-Founder at AwareGo

Ragnar is a CISSP, CEH, penetration tester and ethical hacker. Seeing that traditional cybersecurity awareness training doesn’t work, Ragnar created a new way to train employees on proper security measures and to assess the human cyber-risk factor.
Ragnar believes that cybersecurity can’t be addressed by technology alone and that the human risk factor should be an integral part of every cybersecurity strategy. Modern human risk management requires a solution that understands human behavior — that’s why all AwareGO products, the Human Risk Assessment included, have been created by cybersecurity and behavioral experts.
Changing human behavior is hard. Ragnar thinks we should empower people with short, positive and fun security messages that are in line with AwareGO’s ethos of no blame — no shame.
Cybersecurity culture isn’t built in one day. Building culture and managing human risk means creating a virtuous cycle of identifying vulnerabilities, measuring human cybersecurity resilience and delivering meaningful, finely targeted training.

Hosts

Adrian Sanabria
Director of Product Management at Tenchi Security
Katie Teitler
Senior Security Strategist at Axonius
Tyler Shields
CMO at JupiterOne

2. Data Security Posture Management – Roey Yaacovi – ESW #286

The new category of Data Security Posture Management, what is it and why it's important. Discussing real customer stories where DSPM products played a critical role in helping companies secure their data.

Announcements

  • Security Weekly listeners save 20% on InfoSec World 2022 passes! InfoSec World will be held September 27th through the 29th at Disney's Coronado Springs Resort in Lake Buena Vista, Florida. Visit securityweekly.com/isw and use the code ISW22-SECWEEK20 to secure your spot now!

Guest

Roey Yaacovi
CTO at Polar Security

Roey was born in the USA and at age 14 moved to Israel, where he served 6 years at the Prime Minister’s Office, Cyber Division. Additionally, he worked a few years at Check Point before leaving to start Polar Security with Guy Shanny, where he is the CTO.

Hosts

Adrian Sanabria
Director of Product Management at Tenchi Security
Katie Teitler
Senior Security Strategist at Axonius
Tyler Shields
CMO at JupiterOne

3. Twitterpocalypse 2022, Wiz, Awesome Free Tools, & News Catch Up – ESW #286

In the Enterprise Security News: We discuss Twitterpocalypse 2022! The Biggest Winner? Security startup Wiz reaches $100M ARR in 18 months??? Tons of funding we probably won’t get to, sorry in advance, we’ve got 2 weeks of news to catch up on! Awesome free tools, free training and DIY tips! Third party attacks and supply chain attacks continue to ramp up, John Deere’s security deficiencies get exposed again, Cyber insurers reduce coverage… again, ESPN8 the Ocho, explained, and more, on this episode of Enterprise Security Weekly!

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Hosts

Adrian Sanabria
Director of Product Management at Tenchi Security

  1. UNICORNING: Cloud security startup Wiz reaches $100M ARR in 18 months – TechCrunch - Unicorns gone wild - do we really think Wiz has hit $100M in 18 months??? Let's dive in.

     The Timeline: the company was founded in Jan 2020, so it wasn't zero lines of code to 100M in 18 months - they've existed for 32 months now, so it's likely the first line of code was written LONG before they started generating revenue (which is where the clock begins for the 18 month figure).

     Their Past: These same founders built, grew and sold Adallom to Microsoft for $320M in ~3 years on $49.5M of funding. That was long before funding rounds and valuations went crazy.

     Public indicators: They're private, so they could say anything, but I've generally found the amount of funding and employee count on LinkedIn to be decent indicators of growth and size. I can't recall a case where I saw these factors off by an order of magnitude or anything like that in the ~10 years I've been using them to estimate size and growth. They raised $600M in 22 months. That's bonkers and would certainly enable them to pull off some crazy growth (as much as money alone can, I guess?!?) They've got ~500 employees on LinkedIn and nearly doubled their employees in the last 6 months. I don't even know how you do that, but when you do the revenue per employee math, it comes out a bit low, if anything, based on what I'm used to seeing for security startups ($200k per employee).

     In conclusion, I wouldn't be surprised to hear that this $100M took some creative work and squinting to produce, but hell - they've got experience building and growing fast and the rest of the numbers are equally crazy but back up the claim, so maybe they really are at $100M? ¯\_(ツ)_/¯ If we knew net new ARR and burn, we could REALLY form an opinion though. Is this a PR stunt? Absolutely - why else share private revenue numbers?

     There are some interesting startup growth metrics out there, and one we can calculate with the info they've given us is Dave Kellogg's Hype Factor: Capital Raised / ARR = Hype Factor, so $600M / $100M = 6. Kellogg suggests the following scale:
       • A hype factor of 1-2 is target
       • A hype factor of 2-3 is good, particularly well before an IPO
       • A hype factor of 3-5 is not good, too much hype and too little ARR
       • A hype factor of 5+ suggests there is very little “there there” at all.
     Dave’s take is that some hype can be good, as it creates a halo effect that can help increase ARR (e.g. ”they’ve raised a ton of capital, must be worth checking out!”) But too much (5+) might be a negative indicator.
  2. FUNDING: ICS Cybersecurity Leader TXOne Networks Raises $70 Million in Series B Funding
  3. FUNDING: ThreatX Raises $30 Million in Series B Funding to Accelerate Growth in Global API Protection Market
  4. FUNDING: ThreatX Raises $30M to Build Out API Capabilities, Hire
  5. FUNDING: Wire grabs $24M for secure messaging that’s big with the G7 – TechCrunch
  6. FUNDING: Spin Technology raises $16M to protect SaaS apps against attacks – TechCrunch
  7. FUNDING: SynSaber Raises $13M in Series A Funding – FinSMEs
  8. FUNDING: Safe-T Group Secures Up to $4 Million in Strategic, Non-Dilutive Funding to Boost Consumer Privacy Business
  9. FUNDING: Defendify Raises $3.35 Million to Expand its Comprehensive Cybersecurity Solution and Accelerate Growth
  10. FUNDING: EasyDMARC Closes $2.3 Million in Seed Round
  11. FUNDING: Brookstreet Announces Its Investment in CyberOwl (Maritime Cybersecurity Specialist) — Brookstreet Equity Partners LLP
  12. CRYPTO: US Treasury Sanctions Tornado Cash
  13. FREE TRAINING: The Technical Building Blocks of Zero Trust - Hands on training that demystifies Zero Trust? Yes please!
  14. FREE TOOLS: BlueHound: Community Driven Resilience. – Zero Networks - Free attack mapping tool, very cool!
  15. FREE TOOLS: Introducing Threatest, A Go Framework For End-to-end Testing Of Threat Detection Rules
  16. NEW TOOLS: Seraphic, another browser security startup - https://seraphicsecurity.com/seraphic-data-sheet/
  17. NEW TOOLS: Nightfall AI - DLP 2.0
  18. THIRD PARTY ATTACKS: Mailchimp compromise used to target crypto exchanges through DigitalOcean - Hard to attack your target directly? Go after their third parties!
  19. THIRD PARTY ATTACKS: Twilio compromise allows attackers to go after Signal users - Hard to attack your target directly? Go after their third parties!
  20. STUNT HACKING: Sick Codes’ John Deere research presented at DEF CON - From the desk of Cory Doctorow: "This weekend, I watched a hacker jailbreak a John Deere tractor live on stage"
  21. HOT TAKES: How a Former Sequoia Capital Partner Cornered the Israeli Security Startup Market - Reads a lot like a puff piece to me - one tiny exit does not translate into "cornering the market", even a niche one.
  22. REGULATIONS: slightly unrealistic DOD spending bill - From Jerry Gamblin on Twitter: "The House passed a defense spending bill saying you can't sell software to the DoD that has *any* known CVEs in it."
  23. LEGAL: SEC Charges Three Chicago-Area Residents with Insider Trading Around Equifax Data Breach Announcement
  24. SUPPLY CHAIN: Snyk finds 12 malicious Python libraries in PyPi - Catalin Cimpanu on Twitter: "Snyk finds 12 Python libraries that steal Discord and Roblox credentials and payment info"
  25. DIY TIPS: Introducing Google Workspace DLP: How Compass scales security data leak prevention automation - Roll your own DLP for GDrive/Google Workspace!
  26. DIY TIPS: How to detect suspicious activity in your AWS account by using private decoy resources - DIY AWS honeypots and decoys!
  27. TWITTERPOCALYPSE 2022: Former security chief claims Twitter buried ‘egregious deficiencies’
  28. TWITTERPOCALYPSE 2022: Twitter whistleblower won hacker acclaim for exposing software flaws
  29. TWITTERPOCALYPSE 2022: Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies
  30. TWITTERPOCALYPSE 2022: Twitter engineer still has commit rights 18 months after being laid off - Al Sutton on Twitter: "If you are wondering if the stuff about Twitter security being lapse is just one person complaining, you might be interested to know that, 18 months after being let go from the company, I've not been removed from their employees GitHub commiters group."
  31. TWITTERPOCALYPSE 2022: Endpoint Security: Intuition around the Mudge Disclosures
  32. TRENDS: Lloyd’s to Exclude Catastrophic Nation-Backed Cyberattacks From Insurance Coverage - What about collateral damage from state-sponsored attacks, like NotPetya?
  33. SQUIRREL: Anonymous poop gifting site hacked, customers exposed
  34. SQUIRREL: Janet Jackson had the power to crash laptop computers
  35. SQUIRREL: Excel esports on ESPN show world the pain of format errors
Katie Teitler
Senior Security Strategist at Axonius
Tyler Shields
CMO at JupiterOne