Modern IIoT systems demand a balance of safety, security, reliability, resilience, and privacy. This isn't just a tech challenge; it's a cultural one, bridging IT's obsession with privacy and OT's focus on safety.

The Industry IoT Consortium's Security Framework (IISF), first released in 2016, is now on Version 2.0, with its latest update in 2023. Over the years, it has evolved into a robust guide for securing IIoT systems, addressing the unique challenges of integrating IT and OT. The IISF is designed to help manufacturers build trustworthiness across systems by aligning safety, security, reliability, resilience, and privacy in a single framework.

The IoT Security Maturity Model (SMM), first released in 2018, is a structured framework that builds on the IISF's principles by helping organizations assess and improve their security practices.

What problems do they solve?
• Securing legacy (brownfield) environments alongside modern, cloud-integrated systems.
• Bridging the gap between IT (focused on data security) and OT (focused on operational safety).
• Equipping manufacturers with tools to assess risks, address gaps, and build actionable security roadmaps.

How they work together
• IISF provides the "What" and "Why": it explains what security goals organizations should aim for and why they matter in an IIoT context.
• SMM provides the "How": it helps organizations evaluate their current security maturity, define targets based on IISF principles, and create actionable roadmaps to achieve those targets.

Why use both? Together, the IISF and SMM offer a top-down and bottom-up approach:
• Start with the IISF to understand the overarching security needs for your IIoT systems.
• Use the SMM to assess where you stand and implement practical improvements to achieve those needs.

Download IISF: https://lnkd.in/eypinq3G
Download SMM: https://lnkd.in/e398Y9TU
*******************************************
• Visit www.jeffwinterinsights.com for access to all my content and to stay current on Industry 4.0 and other cool tech trends
• Ring the 🔔 for notifications!
Security Consulting Firms
-
Life used to be simple for CISOs and CIOs. You built a perimeter with firewalls around your network which created a trusted corporate network. Everything on this network was considered trusted. This model of firewall-based security worked reasonably well for some time.

But having a trusted corporate network is quite risky in today's world. Once attackers get through your perimeter or firewall moat and onto your trusted network, they can traverse your network at will, find high-value data, encrypt it and demand ransom. That is why depending upon the notion of a trusted network, secured by firewalls and VPNs, creates significant cyber risk.

Zero Trust Architecture was pioneered by Zscaler to solve this problem. It is the opposite of a firewall and VPN architecture: you don't have any trusted users or applications on your network; everyone and everything is untrusted. Zscaler's Zero Trust Exchange only allows least privilege access - access to what is needed and when it's needed. This results in no lateral movement and critical protection against ransomware attacks.

So-called next-gen firewall vendors are worried about getting disrupted by true Zero Trust Architecture. They claim to deliver it by simply spinning up virtual machines of firewalls and VPNs in the cloud as a service, giving a false sense of security. This isn't Zero Trust no matter what label it's given. No wonder so many large enterprises, with hundreds of firewalls deployed, are becoming victims of ransomware attacks.

Richard Stiennon, a highly regarded cybersecurity author and senior industry analyst, recently wrote an article in Security Boulevard that clearly captures why legacy security architectures can never deliver true Zero Trust: https://lnkd.in/gzbtXVn7
-
TPRM has an identity crisis. Third-party risk management teams are stuck between Security and Procurement.

Security says: "Too administrative. Focus on real threats."
Procurement says: "Too technical. Just unlock the PO."

Nobody's wrong. But everyone's missing the point. TPRM needs both commercial acumen AND technical security expertise. Most organisations force you to pick a lane.

What this creates:
- Questionnaire theatre nobody reads
- Risks "accepted" without understanding
- Tools that don't integrate
- Zero authority to enforce remediation

It's software supply chain security without the software and the security parts.

The trade-off you can't escape:
Choose productivity? Fast approvals, deals unblocked. But your assessments become rubber stamps.
Choose assurance? Deep validation, continuous monitoring. But you bottleneck deals and get routed around.

Three things that actually work:

Pick your flavour. Are you quick CYA (accept risks, move fast) or enterprise security's second arm (deeper questions, more time)? You can tier - go deep on some, fast on others - but know your default mode.

Risk-tier ruthlessly. Your critical vendors (the ones you have zero leverage over) need different treatment than your 200th SaaS tool. Focus deep assessment where you have influence.

Accept you can't enforce, so compensate. You can't make AWS change their security model. Build compensating controls on your side instead of pretending vendor assessments will save you.

You're not solving a security problem. You're solving a coordination problem with no enforcement power. Act accordingly.

#GRCEngineering #TPRM
-
"Mapping Cybersecurity Threats to Defenses: A Strategic Approach to Risk Mitigation"

Most of the time we talk about reducing risk by implementing controls, but we don't talk about whether the implemented controls will reduce the Probability or the Impact of the Risk. The below matrix helps organizations build a robust, prioritized, and strategic cybersecurity posture while ensuring risks are managed comprehensively, by implementing controls that reduce the probability while minimising the impact.

Key Takeaways from the Matrix
1. Multi-layered Security: Many controls address multiple attack types, emphasizing the importance of defense in depth.
2. Balance Between Probability and Impact: Controls like patch management and EDR reduce both the likelihood of attacks (probability) and the harm they can cause (impact).
3. Tailored Controls: Some attacks (e.g., DDoS) require specific solutions like DDoS protection, while broader threats (e.g., phishing) are countered by multiple layers like email security, IAM, and training.
4. Holistic Approach: Combining technical measures (e.g., WAF) with process controls (e.g., training, third-party risk management) creates a comprehensive security posture.

This matrix can be a powerful tool for understanding how individual security controls align with specific threats, helping organizations prioritize investments and optimize their cybersecurity strategy.

Cyber Security News ® The Cyber Security Hub™
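The matrix image itself did not survive extraction, so here is an added example (not from the post's author) that makes the probability-versus-impact distinction concrete: each control is modelled as a pair of multipliers per threat (one on likelihood, one on impact), residual expected loss is computed per threat, and controls are ranked greedily by how much total expected loss each one removes on top of those already chosen. All threat names, likelihoods, loss figures and multipliers are constructed for illustration and are not taken from the post or any published matrix.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # annual likelihood of the threat being realised, 0..1
    impact: float       # loss if it is realised, in arbitrary units


@dataclass(frozen=True)
class Control:
    name: str
    # threat name -> (probability multiplier, impact multiplier); 1.0 means "no effect"
    effects: dict = field(default_factory=dict)


# Constructed sample data (illustrative only).
THREATS = [
    Threat("Phishing", 0.9, 200.0),
    Threat("Ransomware", 0.3, 1000.0),
    Threat("DDoS", 0.4, 150.0),
    Threat("Web injection", 0.5, 300.0),
]

CONTROLS = [
    # Email filtering mostly stops phishing mail from arriving: reduces probability only.
    Control("Email security", {"Phishing": (0.5, 1.0)}),
    Control("Awareness training", {"Phishing": (0.7, 1.0)}),
    # MFA does not stop the phish, but limits what a stolen password is worth: reduces impact.
    Control("MFA", {"Phishing": (1.0, 0.4), "Ransomware": (0.8, 1.0)}),
    # EDR both blocks some intrusions and shortens dwell time: reduces probability and impact.
    Control("EDR", {"Ransomware": (0.7, 0.6), "Phishing": (1.0, 0.8)}),
    Control("Patch management", {"Ransomware": (0.6, 1.0), "Web injection": (0.6, 1.0)}),
    # Tested backups change nothing about getting hit, only about what it costs.
    Control("Offline backups", {"Ransomware": (1.0, 0.35)}),
    Control("DDoS protection", {"DDoS": (1.0, 0.2)}),
    Control("WAF", {"Web injection": (0.5, 0.8)}),
]


def residual_risk(threats, controls):
    """Expected loss per threat after applying every control's multipliers."""
    out = {}
    for t in threats:
        p, i = t.probability, t.impact
        for c in controls:
            pm, im = c.effects.get(t.name, (1.0, 1.0))
            p *= pm
            i *= im
        out[t.name] = p * i
    return out


def total_risk(threats, controls):
    return sum(residual_risk(threats, controls).values())


def prioritise(threats, candidates):
    """Greedy ranking: repeatedly pick the control with the largest marginal
    reduction in total expected loss given the controls already selected."""
    chosen, remaining = [], list(candidates)
    while remaining:
        base = total_risk(threats, chosen)
        best = max(remaining, key=lambda c: base - total_risk(threats, chosen + [c]))
        if base - total_risk(threats, chosen + [best]) <= 0:
            break  # nothing left that actually reduces risk
        chosen.append(best)
        remaining.remove(best)
    return chosen


if __name__ == "__main__":
    print("Baseline expected loss:", round(total_risk(THREATS, []), 1))
    selected = []
    for c in prioritise(THREATS, CONTROLS):
        before = total_risk(THREATS, selected)
        selected.append(c)
        print(f"{c.name:20s} removes {before - total_risk(THREATS, selected):6.1f}")
    print("Residual per threat:", {k: round(v, 1) for k, v in residual_risk(THREATS, CONTROLS).items()})
```

The ranking shows the post's point in numbers: a control that touches both factors for a high-impact threat (EDR on ransomware) outranks a control that only halves the likelihood of a cheaper one (email security on phishing), and the order changes as controls stack because each multiplier applies to an already-reduced figure.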
-
"We are ISO 27001 certified, are we DORA compliant?" Not so fast.

ISO 27001 and DORA both focus on cybersecurity and risk management, but they serve very different purposes. If you're a financial institution or an ICT provider working with financial institutions in the EU, DORA compliance is mandatory, and ISO 27001 alone won't get you there.

Let's break it down:

1. Regulatory vs. Voluntary Framework
↳ ISO 27001 – A voluntary international standard for information security management.
↳ DORA – A mandatory EU regulation for financial entities and their ICT providers, with strict oversight and penalties for non-compliance.

2. Scope and Focus
↳ ISO 27001 – Offers a customizable scope tailored to organizational needs, focusing on information security (confidentiality, integrity, availability) based on specific risk assessments and chosen controls.
↳ DORA – Enforces a standardized scope across financial entities, extending beyond security to operational resilience. It ensures institutions can withstand, respond to, and recover from ICT disruptions while maintaining service continuity.

3. Key Compliance Gaps

🔸 Incident Reporting
↳ ISO 27001 – Requires incident management but doesn't impose strict deadlines or mandate reporting to regulators, as it is a flexible standard.
↳ DORA – 4 hours to report a major incident, 72 hours for an update, 1 month for a root cause analysis.

🔸 Security Testing
↳ ISO 27001 – Requires vulnerability management but leaves testing methods and frequency to organizational risk.
↳ DORA – Annual resilience testing, threat-led penetration testing every 3 years, continuous vulnerability scanning.

🔸 Third-Party Risk Management
↳ ISO 27001 – Covers supplier risk but with general security controls.
↳ DORA – Enforces contractual obligations, exit strategies, and regulatory audits for ICT providers working with financial institutions.

4. How can financial institutions and ICT providers address the delta?
✅ Perform a DORA Gap Analysis – Identify missing controls beyond ISO 27001. (Hopefully, you're not still at this stage now that DORA has been mandatory since January 17, 2025.)
✅ Upgrade Incident Response – Implement real-time monitoring and reporting mechanisms to meet DORA's deadlines.
✅ Enhance Security Testing – Introduce formalized resilience testing and threat-led penetration testing.
✅ Strengthen Third-Party Risk Management – Update contracts, prepare for regulatory audits, and ensure exit strategies comply with DORA.
✅ Improve Business Continuity Planning – Move from cybersecurity alone to full digital operational resilience.

💡 ISO 27001 is just the tip of the iceberg - beneath the surface lie significant gaps that only DORA addresses.

👇 What's the biggest challenge in aligning with DORA? Let's discuss.
♻️ Repost to help someone.
🔔 Follow Amine El Gzouli for more.
-
🚩 The US government pushes for PQC adoption and extensive use of cryptography.

On Jan. 16th, 2025, the Biden administration published the "Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity" (EO 14144). The Trump administration revoked several Biden Executive Orders on inauguration day, but this EO was not one of them.

This EO shows near-future requirements by US agencies to their vendors. These requirements may permeate to the financial sector as requisites from US agencies to their providers, or as features that will be more relevant in major technology products and offerings. It also shows interesting trends on actions that may need to be prioritized.

The EO focuses on making cybersecurity controls effective, so that organizations and the supply chain do not merely comply minimally with no impact on actual security. It seeks accountability of software and cloud services providers.

👉 Highlights on cryptography

There are several requirements promoting the use of cryptography and accelerating the transition to PQC:
✔ Use of public-key cryptography to implement phishing-resistant authentication.
✔ Implement Internet routing protections to defend against malicious traffic diversions.
✔ Implement cryptography-protected DNS, email, voice, videoconference and instant messaging.
✔ Implement PQC "as soon as practicable".
✔ Improve key management on-prem and in the cloud.

I appreciate the expanded focus on means to achieve data protection:
👍 Introducing or improving cryptography in various processes and protocols.
👍 Protecting Internet traffic routing, as it is a first step for HNDL attacks.

More details:
📌 The order highlights "the People's Republic of China presenting the most active and persistent cyber threat" to the US.
📌 Use of Route Origin Authorizations and performing Route Origin Validation filtering.
📌 NIST to publish updated guidance on BGP security methods, route leak mitigation and source address validation.
📌 Encrypted DNS must be deployed wherever supported.
📌 Email messages must be encrypted in transport and, where practical, use end-to-end encryption.
📌 Expand the use of authenticated transport-layer encryption between email servers and with clients.
📌 Voice, VC and IM must enable transport encryption and use end-to-end encryption by default.
📌 Implement PQC key establishment or hybrid key establishment including a PQC algorithm as soon as practicable upon support from the vendors.
📌 Support TLSv1.3 ASAP but no later than 2029.
📌 Cryptographic keys with extended lifecycles should be protected with HSMs, TEEs, etc.

Executive order: https://lnkd.in/d-ifZtrf
National Institute of Standards and Technology (NIST) responsibilities: https://lnkd.in/dnhUbrfH

#pqc #cryptography #cybersecurity #policy
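The routing items above (Route Origin Authorizations, Route Origin Validation filtering) are easy to state and easy to get subtly wrong, so here is an added example, not taken from the post or the Executive Order, of the RFC 6811 origin-validation decision applied to a constructed set of ROAs and BGP announcements. The ROA set, prefixes and AS numbers are made up for illustration (documentation prefixes and private ASNs); a real deployment gets validated ROA payloads from an RPKI validator rather than a hard-coded list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """A validated ROA payload: this origin may announce this prefix and any
    more-specific of it down to max_length."""
    prefix: str
    max_length: int
    origin_asn: int


def rov_state(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 route origin validation.

    NotFound: no ROA covers the announced prefix at all.
    Valid:    some covering ROA names this origin AS and permits this prefix length.
    Invalid:  covering ROAs exist but none authorises (origin, length); this is
              what a hijack or an accidental more-specific leak looks like.
    """
    route = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=False)
        # Same address family and the announcement lies inside the ROA prefix.
        if net.version == route.version and route.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    # An AS0 ROA (origin 0) covering the prefix makes every announcement Invalid
    # unless another ROA explicitly authorises it; that falls out of this rule.
    return "Invalid"


def filter_announcements(
    announcements: Iterable[Tuple[str, int]], roas: Iterable[ROA], drop_invalid: bool = True
) -> Tuple[List[Tuple[str, int, str]], List[Tuple[str, int, str]]]:
    """Apply the usual ROV policy: drop Invalid, accept Valid and NotFound.
    Returns (kept, dropped) with the validation state attached to each route."""
    roas = list(roas)
    kept, dropped = [], []
    for prefix, asn in announcements:
        state = rov_state(prefix, asn, roas)
        target = dropped if (state == "Invalid" and drop_invalid) else kept
        target.append((prefix, asn, state))
    return kept, dropped


# Constructed sample data (documentation prefixes, private ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),      # only the /24 itself, from AS64500
    ROA("198.51.100.0/24", 26, 64500),   # AS64500 may announce down to /26
    ROA("203.0.113.0/24", 24, 0),        # AS0 ROA: nobody should announce this
]

SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),        # Valid
    ("192.0.2.0/25", 64500),        # Invalid: more specific than max_length
    ("192.0.2.0/24", 64501),        # Invalid: wrong origin (classic hijack shape)
    ("198.51.100.128/26", 64500),   # Valid: within max_length
    ("203.0.113.0/24", 64500),      # Invalid: AS0 ROA
    ("2001:db8::/32", 64500),       # NotFound: no ROA covers it
]

if __name__ == "__main__":
    kept, dropped = filter_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)
    for route in kept:
        print("accept", route)
    for route in dropped:
        print("DROP  ", route)
```

Two points worth noticing in the sample: the max_length check is what stops an authorised origin from being impersonated with a more-specific, and NotFound routes are still accepted, which is why the order's push for ROA coverage matters as much as enabling ROV filtering.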
-
🫣 "You'll never need to work again." 👀

Insider threats are not hypothetical - they are a growing attack vector. As the BBC recently highlighted, ransomware gangs are actively reaching out to employees with offers in exchange for access. Adversaries aren't just breaking into networks - they're attempting to buy their way in.

"You'd be surprised at the number of employees who would provide us access."

Threat actors are actively probing for employees to open the gates. Organizations need to be ready - with both a culture and an architecture that assume compromise.

This is where Zero Trust Architecture proves its value. It's not about distrusting employees - it's about designing systems that:
✅ Verify every user and device, continuously
✅ Limit the blast radius through segmentation
✅ Provide guardrails against MFA fatigue and social engineering
✅ Detect anomalies in behavior and access patterns

Modern security architectures must plan for the possibility that an insider - whether malicious, coerced, or simply tricked - could be the entry point. Zero Trust, as reflected in NIST SP 800-207, Zero Trust Architecture, and CISA's Zero Trust Maturity Model, addresses this risk head-on by assuming compromise and minimizing its impact. (Full disclosure: I co-authored both during my time at CISA, standing up their Zero Trust Initiative.)

At #Zscaler, I'm fortunate to be part of a team helping organizations - across government and industry - on their Zero Trust journeys, building resilience against evolving threats from both outside and within.

📎 Link to BBC's article in the comments.

#technology #informationsecurity #artificialintelligence #cybersecurity
-
New Cyber Security Audit Guidelines Alert!

CERT-In has released Comprehensive Cyber Security Audit Policy Guidelines (CIGU-2025-0002) - a significant step forward in strengthening audit quality, governance, and security assurance across India's digital landscape.

What's new?
✅ Clear roles for auditors and auditees
✅ Mandatory CVSS + EPSS scoring for vulnerabilities
✅ Red-teaming, ICS/OT testing, and SBOM audits included
✅ Audit ethics, independence, and post-audit data handling redefined
✅ Annual audits minimum - risk-based triggers encouraged
✅ Detailed responsibilities for internal monitoring, secure coding, and secure infra

This isn't just compliance - this is resilience by design.

📄 Whether you're a CISO, tech leader, or audit firm, it's time to align with these expectations. Let's make audits meaningful - not just mandatory.

#CyberSecurity #CERTIn #IndiaCyberGuidelines #CyberAudit #InfoSec #OTSecurity #Compliance #RiskManagement
-
I created a Pentest Guide with a Complete Breakdown. Whether you're an aspiring Pentester or an organization looking for one, this will give you an understanding of what the service is and how it differs.

Penetration Testing comes in all flavors; here is a breakdown:

🖥 White box | Gray box | Black box
White box - your pentester has the keys, diagrams, and all kinds of other information. This is great for an extremely thorough assessment.
Gray box - your pentester has some information but not everything. They have the correct IPs and URLs to test, but they aren't totally informed. This would simulate an attacker that had "some" information about the org.
Black box - you give them nothing. The tester starts at the perimeter and treats your org like a stranger. Slow, noisy, and excellent at revealing blind spots in detection and monitoring.

👮‍♂️ External vs Internal
External - this tests the edge of your organization, such as internet-facing apps, VPNs, and other exposed services. Think "what can someone access from the outside".
Internal - this assumes someone is already inside, such as a phished employee or even a rogue contractor. It finds lateral-movement gaps, trusts, and privilege escalation paths.

🟣 🔴 Pentest | Red Team | Purple Team
Pentest - this is a focused and scoped security assessment that is going to provide a list of findings and remediation. It's great for compliance and checklists.
Red team - this is an adversary simulation. Longer, stealthy, multi-vector. The goal is to accomplish mission objectives, such as exfiltrating data and persisting in the network.
Purple team - this is when offensive teams and defensive teams are working together and learning in real time. Defense is watching for alerts while offense is moving within the network.

👁‍🗨 Other Scope Examples:
Web app pentest - OWASP-style, auth, injection, business logic.
Network pentest - host misconfigurations, open ports, weak services.
Cloud pentest - IAM misconfigurations, improper S3 buckets, etc.
API pentest - broken auth, object-level authorization flaws.
Mobile pentest - reverse engineering, insecure storage, weak cert pinning.
IoT/Embedded - firmware, radio protocols, physical interfaces.
Social engineering / Phishing - usually an easy path in.
Physical - tailgating, badge cloning, on-site access.

✔ Before any pentest, you should be prepared to fix the findings. A penetration test does no good if your team is not ready to remediate.

Please ♻ to help others learn about the practice of pentesting.
❓ Questions? My DMs are always open.

#cybersecurity #informationsecurity #infosec #pentesting
-
A 'secure SDLC' is a much broader term than DevSecOps or application security. It incorporates security (CIA controls) into all phases of software development, from requirements gathering to maintenance. While individual security measures such as web security, SAST, DAST and secure coding are effective in their own right, they do not provide comprehensive end-to-end software security. Product security is another emerging term along the same lines.

To truly fortify software against evolving threats, organizations should consider embracing the concept of Secure SDLC. By embracing Secure SDLC, organizations build a foundation of proactive risk management, robust change management, secure architecture, thorough testing, and ongoing vigilance, ensuring the software's cyber resilience.

Additionally, organizations can focus on:
1. Building a security culture - This can be achieved through a variety of means, such as setting security goals, providing security training, and rewarding security-minded behaviour among its software and technology specialists.
2. Security tools and technologies - Leveraging technology solutions for tasks such as static and dynamic analysis, and penetration testing.
3. Engaging with security partners - Partners can provide security expertise, tools, and technologies that can help to identify and mitigate security risks within the secure SDLC space.

#applicationsecurity #websecurity #softwaresecurity #ethicalhacking #devsecops CYTAD #apisecurity #penetrationtesting