
All news with #security awareness tag


How CISOs Identify and Reject Poor Security Products

🔍 CISOs increasingly face a torrent of vendor pitches and must probe beyond marketing to find tools that genuinely improve security. Experienced security leaders recommend five core questions about business fit, operational impact, integration and maintenance, update cadence, and concrete use cases. They emphasize live demos and practitioner testing so teams can spot technical gaps and avoid products that merely add noise. Be wary of vague claims, fearmongering, buzzword-heavy pitches, or vendors who resist feedback.

CIISec Members Say Budgets Lag Behind Cyber Threats

📉 A CIISec poll of UK cybersecurity professionals finds most believe budgets are not keeping pace with rising threats: only 5% say funding is in line with or ahead of risk while 84% disagree. Despite funding concerns, 78% report good or excellent job prospects and 73% expect the security market to grow over the next three years. CIISec recommends prioritizing the people challenge—skills development and communication—since improving talent often costs less and yields faster impact than new tooling.

How to Restructure a Security Program to Modernize Defense

🔒 The article advises that organizations should proactively restructure security programs instead of waiting for breaches or regulator intervention. It cites the 2024 FTC order against Marriott, following incidents exposing personal data of 344 million guests, as a cautionary example. Practical guidance includes an independent top-to-bottom review, listening tours, delivering quick visible wins, simplifying tool stacks, adopting AI-enabled capabilities, and investing in staff and training. It also outlines frequent mistakes such as insufficient executive buy-in, hiring biases, and underestimating evolving threats.

Security Hardening Essentials for Resource-Constrained SMBs

🔒 Security hardening boosts protection for organizations, especially SMBs, by reducing their attack surface without large additional investments. Key measures include strong authentication and authorization—enforcing strict passwords, multifactor authentication, least-privilege access and network access controls—alongside timely patching, data encryption and segmented, tested backups. Regular staff training, account audits and permission reviews complete a practical, low-cost defense posture.

DHS and CISA Launch Cybersecurity Awareness Month 2025

🛡️ The Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) announced the official start of Cybersecurity Awareness Month 2025, centered on the theme Building a Cyber Strong America. Administered by CISA, the campaign urges state, local, tribal, and territorial (SLTT) governments, small and medium businesses, and supply chain partners to bolster protections for critical services such as water, power, communications, food, and finance. Officials emphasized a whole-of-society approach and recommended immediate adoption of core controls—recognize and report phishing, require long unique passwords, enable multifactor authentication, keep software patched, enable system logging, back up data, and encrypt sensitive information—to improve resilience nationwide.

Coherence: A New Core Principle for Insider Risk Management

🛡️ Coherence is framed as the operational backbone for insider-risk programs, stressing shared meaning and alignment rather than surveillance alone. The author argues most insider incidents stem from two vectors — malicious intent and human error — both amplified by semantic drift. Building coherence requires aligning messaging across HR, communications, legal, and security, training for narrative fidelity, equipping line managers with rituals and lexicons, and creating feedback channels that surface drift before behavioral anomalies.

Gen Z Frequently Falls for Phishing Despite Savviness

🔒 A YouGov survey commissioned by Initiative Sicher Handeln finds many younger internet users — the so-called Digital Natives — struggle to spot common phishing signals. Nearly half of Gen Z (49%) do not recognise unsolicited attachments as suspicious, and fewer notice impersonal salutations, spelling errors, or bogus urgency. The online poll (Sept 8–10, 2025; 2,044 German adults) prompts the Stop, Question, Protect appeal.

GenSec CTF at DEF CON: Accelerating AI in Security

🔒 At DEF CON 33, Google and Airbus hosted the GenSec Capture the Flag (CTF) to promote human–AI collaboration and accelerate adoption of AI in cybersecurity workflows. Nearly 500 participants completed introductory challenges, 23% used AI for security for the first time, and 85% found the event useful for learning practical AI applications. The CTF also featured Sec-Gemini as an optional assistant in the UI; 77% of respondents rated it very or extremely helpful, and organizers are incorporating feedback into future iterations.

Fortinet Veterans Program Enables Cybersecurity Careers

🔐 Fortinet’s Veterans Program, in partnership with VetSec, provides veterans and spouses free access to training, hands-on labs, and certification vouchers to accelerate entry into cybersecurity. Participants progress from foundational courses through associate-level credentials, including structured offerings such as the Networking Fundamentals Bootcamp. Graduates like Jeramiah Poff and Derek Zobler reported direct job placements—roles ranging from security architect to cyberthreat hunter—demonstrating measurable workforce impact.

CISO’s Guide to Rolling Out Generative AI at Scale

🔐 Selecting an AI platform is necessary but insufficient; successful enterprise adoption hinges on how the system is introduced, integrated, and supported. CISOs must publish a clear, accessible AI use policy that defines permitted behaviors, off-limits data, and auditing expectations. Provision access by default using SSO and SCIM, pair rollout with vendor-led demos and role-focused training, and provide living user guides. Build an AI champions network, harvest practical productivity use cases, limit unmanaged public tools, and keep governance proactive and supportive.

NFT Security Handbook: Avoiding Wallet Drains and Scams

🛡️ The article warns NFT buyers about practical security risks that can turn valuable tokens into worthless assets. It describes attacks such as metadata manipulation and centralized storage that permit creators to change or remove artwork after sale, and marketplace scams that exploit currency symbols and interface design. The piece highlights phishing vectors including Discord takeovers and malicious airdrops, and recommends defenses like multi-wallet segregation, the five-minute rule, and regular permission audits.

AI Shifts Entry-Level Cyber Hiring Toward Soft Skills

🔍 Teamwork, problem-solving and analytical thinking now outrank core technical skills in entry-level cybersecurity hiring, according to an ISC2 study of 929 hiring managers across the US, UK, Canada, Germany, India and Japan. The report finds AI is reshaping priorities: managers favour human strengths that AI can't duplicate while routine monitoring is increasingly automated. Experts warn that overreliance on certifications and broken entry pipelines exclude capable candidates, prompting vendors and employers to broaden recruitment through apprenticeships, neurodiverse hiring and outreach to career changers.

Team-wide VMware Certification: Boost Security and Retention

🔐 Team-wide VMware certification acts as a force multiplier for security, operations, and talent retention. Certified teams share a common language around architecture, reduce misconfigurations, and respond to incidents faster. Expertise in vSphere, NSX, vSAN, and cloud foundations teaches not just deployment but secure, scalable configuration. Programs like VMUG Advantage make broad certification practical with labs, exam vouchers, and personal-use licenses.

HMRC Tax Refund Phishing Reports Decline Sharply in 2025

📉 Bridewell's analysis of FOI data shows a marked fall in HMRC-impersonation phishing reports in the first half of 2025, with 41,202 incidents versus 102,226 in 2024 and 152,995 in 2023. Email-based attacks drove most of the decline while SMS phishing rose. The firm warns AI-enhanced social engineering is increasing and advises users to pause, avoid suspicious links and verify communications via official channels.

Whistleblower Lawsuit Alleges WhatsApp Security Failures

🛡️ Attaullah Baig, former head of security at WhatsApp, has filed a whistleblower lawsuit alleging that Facebook knowingly failed to fix multiple security flaws in breach of its 2019 settlement with the FTC. The complaint asserts that in 2022 roughly 100,000 accounts were compromised daily, rising to as many as 400,000 daily lockouts by last year, and that inadequate anti-scraping protections exposed profile data at scale. Baig invokes the whistleblower-protection provisions of the Sarbanes-Oxley Act, and the filing has prompted wider media coverage and potential regulatory scrutiny.

Ten Career Pitfalls That Can Derail Today's CISOs Now

🔒 CISOs face many behavioral and strategic traps that can stall or end careers if not addressed. Leaders, coaches and consultants identify ten common mistakes — from failing to align security with business priorities and treating security as a pure technology function, to reflexively saying no, enforcing rigid rules, misunderstanding AI, lacking transparency, not networking, and mishandling incidents. The article emphasizes becoming an enabler, tying controls to ROI, communicating clearly, and rehearsing response plans to build resilience.

Translating Cyber Risk for Boards: CISOs' Essentials

🔐 Security leaders often struggle to show boards how cyber risk affects revenue, governance and growth. The sponsored course Risk Reporting to the Board for Modern CISOs was created to teach practical skills for framing risk in business terms: concise dashboards, high-impact presentations, and building financial and strategic business cases. It also introduces Continuous Threat Exposure Management as a forward-looking reporting model.

Human-centered cybersecurity rises in CISO priorities

🔐 The role of the CISO is shifting from technical expert to manager of people and systems, making a human-centered approach essential to reduce the most significant cyber risks. Rather than repeating awareness campaigns, CISOs should design practical, scenario-based training, align security with corporate values, and foster a supportive security culture. Technology and policy must enable good behavior, while deliberate, minimal friction creates effective learning moments. A mature Human Risk Management program uses assessment, segmentation, targeted interventions and continuous feedback to deliver measurable risk reductions.

Gemini CLI Extensions: Security and Cloud Run Tools

🚀 Google is previewing two Gemini CLI extensions that bring security analysis and Cloud Run deployment directly into your terminal. The security extension introduces /security:analyze to scan local git diffs for issues such as hardcoded secrets, injection flaws, broken access control, and insecure data handling, and returns clear remediation guidance or optional fixes. The Cloud Run extension adds /deploy, a one-command flow to build, containerize, push, and configure services on Cloud Run, returning a public URL and supporting terminal, VS Code agent mode, and Cloud Shell.

Is the CISO Role Broken? Rethinking Security Leadership

🧭 The article argues that the modern CISO role has become unmanageable for many practitioners and often fails to deliver meaningful, long-term change. It traces causes to short tenures, technologist backgrounds, and siloed corporate governance, and advocates splitting responsibilities by creating a senior CSO focused on business protection while returning the CISO to a technical, execution-oriented remit. The author urges CISOs to rebuild trust through demonstrable delivery rather than constant demands, and suggests this structural change will improve governance, tenure, and recruitment.