Quote for the day:
"Increasingly, management's role is not to organize work, but to direct passion and purpose." -- Greg Satell
The Business Case for Network Tokenization in Payment Ecosystems
Network tokenization replaces sensitive Primary Account Numbers with tokens,
rendering stolen data useless to fraudsters and addressing a major area of
fraud: online payments. "Fraud rates are seven times higher online than in
physical stores, as criminals exploit exposed card numbers," Mastercard's chief
digital officer Pablo Fourez told Information Security Media Group. Shifting to
tokenization protects businesses from financial losses and safeguards reputation
and customer trust. ... But adoption of network tokenization does come with
challenges including issuer readiness, regulatory hurdles and inconsistent
implementations. Integrating network tokenization across multiple card networks
requires multiple integrations, ensuring interoperability and maintaining high
security standards, Fourez said. Compliance with varying regulatory requirements
and achieving scalability without performance issues can be resource-intensive,
he said. Ramakrishnan points to delays in token provisioning that may slow the
speed of transactions if the technology is not scalable. Situations in which one
entity in the payment ecosystem does not use network tokens can be major failure
points that can lead to transaction failure and cart abandonment.The hidden gap in cyber recovery: What happens when roles and processes are overlooked
There’s a big difference between disaster recovery (DR) and cyber recovery.
For DR, infrastructure and backup teams are the central players and an
organization can be up and running in no time. Cyber recovery, however,
involves the entire business — backup teams, network teams, cloud personnel,
incident response teams from security, teams that are validating the active
directory before restores, as well as the application owners and business
owners that depend on those functions. ... “There are bigger questions that
you only get to by testing your process,” Grantham says. “Whatever your
business is, it’s about looking at that data and saying, how do I provide
access in this modified environment? For every one of the applications
supporting that, having a run book to say, this is the people, the process,
linked to the technology to get me to a user in the system performing their
daily function because they need to be able to do their job. That run book
gets them there. If your data is just sitting on a hard drive in the middle of
a data center, how does that help your business?” ... “The idea that cyber
recovery strategies require continual evolution, just like zero trust is an
evolution of different identity standards, is not something that a lot of
businesses have accepted yet,” Grantham says. Microsoft Makes Quantum Computing Breakthrough With New Chip
While it’s been working on its own quantum computing hardware, Microsoft has
also been building out a quantum computing stack, with its Q# development
language and quantum algorithms that can run on the quantum hardware from
IonQ, Pasqal, Quantinuum, QCI, and Rigetti that’s available through Azure —
but the most powerful systems so far are still in the 20-30 qubit range. ... A
prototype fault-tolerant quantum computer will be available “in years, not
decades,” promised Chetan Nayak, Microsoft’s VP of quantum hardware. The
potential of topological qubits is why DARPA announced earlier this month that
Microsoft is one the first two companies to be invited to join its rigorous
program for investigating whether it’s possible to build a useful quantum
computer — where the value of the computing it can do is worth more than what
it costs to build and run — by 2033, using what the agency calls underexplored
systems. ... Initially, there are just eight physical qubits in the Majorana 1
QPU, which Microsoft can assign in different ways to get the number of logical
qubits it wants. Calling it a QPU is a reminder that there will probably be a
lot of different kinds of quantum computer, and that researchers will pick the
one that suits them — like choosing a different GPU for a specific
workload.CISO Conversations: Kevin Winter at Deloitte and Richard Marcus at AuditBoard
A CISO can only be as good as the security team. Assembling a strong team requires good selection and effective management: that is, who do you recruit, and how do you maintain top efficiency? Recruitment is a balance between multiple individual rock stars and a single cohesive team. That’s a personal choice for each CISO, but usually involves a compromise: the best possible individuals with the widest possible range of diversity that will still make a single team. Having recruited the team, the CISO must help them excel both as individuals and one team. “I love the Japanese concept of ‘ikigai’,” said Marcus. Ikigai can be defined as finding your life’s purpose – the meeting point of personal passion, skills, mission, and vocation. “I think you need to deliver an experience for the security team that checks all these boxes. They need to have interesting problems. They need to be using modern technology with some autonomy over what they use. You need to provide a sense of purpose – that what they’re doing is not just about the immediate technical work, but will have a broader impact on the company, the industry, and the world at large. And of course, you must pay them what they’re worth. I think if you do all these things, you’ll have a very happy and motivated and engaged team.”Will AI destroy human creativity? No - and here's why
Today's AI models do more than automate. They engage. They understand user input
conversationally, simulate thought processes, and adapt to preferences. AI's
ability to adapt comes from machine learning constantly improving by analyzing
huge amounts of data. This has made AI smarter and easier for people and
businesses to use. The impact is undeniable in creative industries as AI tools
can design logos, generate intricate artwork, and write compelling narratives,
offering creators new possibilities. These advancements are transforming how
people work, create, and innovate. Generative AI is now the focus of
business strategies, with companies using these technologies to enhance
efficiency and engage with their audiences in new ways. ... That said, the role
of human creativity isn't being erased; it's evolving. Perhaps the designers and
writers of tomorrow aren't disappearing but transforming into prompt engineers
and crafting ideas in collaboration with these tools, mastering a new kind of
artistry. Let's face it: Just because AI creates something doesn't mean it's
good. The ability to discern, curate, and refine that intangible "eye" for
greatness will always remain profoundly human. Unless, of course, Skynet becomes
a reality.
Unknown and unsecured: The risks of poor asset visibility
Asset visibility remains a critical issue because organizations often lack a real-time, unified view of their IT, OT, and cloud environments. Shadow IT, unmanaged endpoints, remote work and third-party integrations create blind spot which increases attack vectors. Without complete visibility, security teams struggle to detect and respond to threats effectively, leaving organizations vulnerable to breaches and compromises. Good visibility across enterprise assets is no longer just a nice to have, it’s a necessity to survive in the digital world. ... Improving visibility of digital assets is critical for all organizations, otherwise, blind spots will exist in networks which criminals can exploit. Organizations must treat every endpoint as a potential entry point, ensuring it is seen and secured. It’s also important to remember that perfect technology doesn’t exist, vulnerabilities will always surface in products, so organizations must not only have an inventory of their assets, but also the ability to apply patches and security updates automatically, without necessarily having to pull all systems down. Improving OT visibility requires a specialised approach due to the sensitive nature of legacy and ICS systems.Hacking Cybersecurity Leadership
Cybersecurity culture often fosters a sense of individualism that lends itself
to operating in isolation—individual interest in areas of cybersecurity lead to
individually-driven projects, individual certifications, etc. That being said,
being siloed is not a sustainable mode of operation. For most cyber
professionals, the challenges are too complex to resolve individually and
negative experiences (failure, shame, guilt, embarrassment, etc.), when
experienced alone, are likely to take an even greater toll than when those
experiences are shared with others. ... In order to boost a sense of competence
at the individual level, leaders need to create a learning-oriented environment
that provides opportunities for individuals to explore, gather, and practice
applying new information. There are specific strategies to build or strengthen
these aspects of the work environment. ... Leaders can also embrace a
growth-mindset culture whereby mistakes do not equate to failures; rather,
mistakes are repositioned as learning opportunities to develop and grow. This
allows individuals to safely explore and practice various aspects of their work.
It’s important to note that this approach also requires a shift toward more
developmental, rather than punitive or evaluative, feedback.Real-World AppSec Priorities Observed in BSIMM15
Many organizations are still in the nascent stages of defining AI-specific attack surfaces and integrating security mechanisms. To stay ahead of these emerging risks, organizations should proactively gather intelligence on AI-related threats, establish secure design patterns for AI models, and ensure that AI security is seamlessly integrated into existing policies and frameworks. Proactivity is key here — a well-rounded strategy to leverage the potential AI can offer must be accompanied by strategic approaches to counter risks and threats it introduces. The use of adversarial testing, which involves simulating potential attacks to identify vulnerabilities, has more than doubled over the past year. This trend indicates a growing recognition among companies of the importance of continuously testing AI models to prevent them from being exploited by malicious actors. While it is not yet possible to definitively attribute the rise in these BSIMM activities to AI-specific concerns, it is evident that these practices will play a crucial role in addressing the emerging risks associated with AI. ... The decline does raise a red flag around the preparedness of organizations to defend against the evolving threat landscape. It also illustrates a need for security education and awareness initiatives.Why Best-of-Breed Security Is Non-Negotiable for SIEM
With cyber threats evolving at an unprecedented pace, security leaders can no
longer afford to treat SIEM as just another layer in a bloated security stack.
Instead, they must take a strategic approach, ensuring that their SIEM leverages
truly best-of-breed security—one that enhances integration, streamlines
operations, and delivers actionable threat intelligence. So, is more always
better? Or is it time to redefine what best-of-breed really means for SIEM? ...
The appeal of best-of-breed security is clear: superior threat detection, deeper
visibility, and greater flexibility to adapt to evolving threats. However, this
approach also introduces complexity. Managing multiple vendors, ensuring
seamless integration, and avoiding operational inefficiencies can quickly become
overwhelming. So, how do security leaders strike the right balance? Success lies
in strategic selection, integration, and optimization—choosing tools that
complement each other and enhance Security Information and Event Management
(SIEM) rather than adding more noise. Adopting a best-of-breed security approach
within a SIEM framework offers several advantages. By integrating specialized
security solutions, organizations can optimize threat detection, improve
agility, and reduce reliance on a single vendor.
