Dr. Kenneth Brancik, CISM, CISSP, CISA, ITIL

Attended the #RISK New York conference this week; excellent event w several hundred #GRC professionals in attendance and lots of great speakers and ideas. Some quick notes... Great observation from Michael Rasmussen that GRC investments shouldn't be about saving time or efficiency; they're supposed to be about *lowering risk.* Which means GRC leaders need to think about what they do, and talk about what they do, in terms of how lower risk will help the business succeed in our cuckoo bananas world. Are you sure you're framing your GRC program, strategy, and budget requests in those terms? Second, by now we've all heard the tale of the lowly accounting clerk who *almost* fell for a deepfake video posing as the CFO, telling the clerk to wire millions overseas. Clerk then called the CFO on the phone, uncovered the scam, saved the day. But what about when the suspicious request *is* legitimate? With AI-enhanced frauds, employees will need to exercise more skepticism all the time. When they challenge senior management, are you sure management will be saying 'Thank you for being so diligent!' Or will they say 'Quit bothering me and do what I say!' Yet another reason why corporate culture matters. And I also had the honor of delivering a presentation at #RISK myself, on how to build a successful AI governance committee. An effective governance committee will need to 'think in two dimensions' about AI at the same time: the big strategic stuff and the small tactical stuff. More below... #compliance #GRC #audit #RiskManagement https://lnkd.in/efYi7dNG

26

2 Comments

Benjamin Franklin urged Philadelphians in 1736 to invest in fire prevention rather than just fighting fires. Nearly 300 years later, the same wisdom applies to ransomware. FinCEN just confirmed what we all suspected: ransomware payments hit $2.1 billion between 2022 and 2024, with a staggering $1.1 billion paid in 2023 alone. As community banks plan their 2026 cybersecurity budgets, some boards are asking "Why spend more if we can just buy cyber insurance and pay if we get hit?" Here's the uncomfortable truth: almost every authority, from the FBI to FinCEN to your regulators, says don't pay the ransom. Paying funds criminal enterprises, offers zero guarantee of data recovery, doesn't eliminate your breach notification obligations or regulatory scrutiny, and paints a target on your back for future attacks. Listen, I know your board is thinking "We're too small to be targeted." Wrong. Ransomware operators know community banks can't afford extended downtime. That makes you MORE attractive, not less. They're betting you'll pay to get back online quickly. The better path? Invest upfront in controls that prevent ransoms from being your only option: • Immutable, offline backups that you test quarterly • Endpoint detection and response for early threat detection • Network segmentation to contain lateral movement • MFA everywhere, especially privileged accounts • Tabletop exercises so your team knows the plan works before crisis hits For example, the average ransomware payment for a smaller institution can run hundreds of thousands of dollars. That same investment spread across strong preventive controls gives you protection that lasts years and actually works, not just "maybe" gets you back online once. Stewardship means protecting what's been entrusted to you, and that includes refusing to fund criminal enterprises with your depositors' money. Good stewards prepare for storms before they hit. Investing in resilience isn't pessimism. It's prudence. Your community is counting on you to make the hard choice: spend money on prevention now rather than being forced to make impossible choices under duress later. What's your bank doing this quarter? Test your backups. Run a tabletop exercise. Make sure "pay the ransom" isn't your only plan. #Ransomware #Cybersecurity #CommunityBanking #RiskManagement #CyberResilience #BankingSecurity

24

1 Comment

ICMYI: Earlier this week, DFS released cybersecurity guidance addressing the risks associated with third-party service providers. This guidance clarifies existing obligations for regulated entities and establishes best practices for mitigating cyber risks.   Details from PYMNTS: https://lnkd.in/dJNBt_SJ

23

Should surveillance software vendors be regulated? In the wake of yet another round of surveillance vendor failure (this one lower profile than others, but in many ways far more serious), I am forced to revisit the question of whether surveillance vendors should be regulated entities. The issue comes down to one of regulatory relationships and disclosures. The unforgivable sin in surveillance is not getting something wrong. Humans will always make errors, even if control processes are in place. However, keeping you head down and not telling your stakeholders and the regulators in a clear and timely fashion is a far graver breach. Regulated entities have an overriding responsibility to keep their regulators informed of anything whether the regulator would expect to be told (wording varies from region to region, but the thrust of the duty remains). Software vendors, however, lack this duty. They are not compelled in the same way to be transparent, to disclose gaps, to engage with their customers and to support the customers in their duties to the regulators. Therefore, although all financial institutions find themselves dependent on software vendors to discharge their regulatory obligations, those vendors in turn, through their unregulated status, may take a different view of the required levels of transparency. On the other hand - regulators are overworked, under-resourced, and already bear responsibility for myriad entities. Would adding yet more to their plate really be the best use of their time? Software vendors already have to maintain acres of certifications, would requiring regulatory certification across the dozens of jurisdictions their products cover really add any value? Would the cost of doing so lead vendors to withdraw their products from certain jurisdictions, thus weakening competition and the overall surveillance environment? In the end, would compliance be nothing more than self-certification and the damocles sword of fines hanging over their heads? I haven't got a good answer to this. But I do know that surveillance software vendors are a genuinely critical part of our ecosystem, and we need to ensure that they meet the high standards we set for our own internal teams. #software #regulation #surveillance #compliance #fines

40

4 Comments

I’ve been having many conversations about SBOMs vs component inventories. Requirements affecting the financial sector, notably PCI-DSS and DORA, mandate an “inventory of.. 3rd party software components” (PCI) or the capability to “track the usage of… third party libraries.” (DORA). So what’s the difference? The simple way to think about it as that all *good* SBOMs are inventories or component lists, but not all component lists are SBOMs. Section 10(j) of EO 14028 defines an SBOM as a “formal record containing the details and supply chain relationships of various components used in building software.” This means that an SBOM should capture some details about the dependency structure, and it must be represented in a way that supports automation. Functionally? It’s a graph, and it’s in a widely used, machine-readable format (CycloneDX or SPDX). SBOMs are structured to support trust, provenance, and action. The trust derives from the generation process—something that’s explicitly captured in the draft CISA Minimum Elements. Being able to trace provenance can derive from a number of features, including producing a hash of the original software code, if the SBOM generator had access to it. Alternatively, an SBOM generation tool can offer real evidence that observed bits in a binary correlate to the component building blocks. Most importantly, an SBOM is designed to be used, not just as a static inventory. When properly assembled and maintained, it can feed directly into vulnerability management, incident response, license tracking, and a host of other risk management tools, as well as overall metrics on software freshness and quality. It goes beyond “what do I have” and helps answer “what am I exposed to”? By explicitly being defined as a dynamic feature (“if you update your code, update your SBOM”), SBOMs are inherently temporal, tracking specific releases and often lifecycle phases. This is why that can be so powerful for things like incident response and forensic risk management. We are also in a world where quality SBOM tools exist. SBOM tools can always produce inventories, but not vice versa. Every SBOM generator has to be a very good inventory tool. But most inventory tools aren’t prepared to make the security, provenance, and legal claims that SBOMs require. Later this week, I’ll do a deeper dive into what we’re seeing around the CRA draft around vulnerability handling, and the language around the identification of software components vs. SBOMs.

96

5 Comments

NIST released the 2025 AML Taxonomy. Here’s what’s new vs. 2023. This document is becoming one of the key references for how enterprises understand and categorize AI security threats. I’d say the new release makes a big leap toward real-world relevance, and that’s great. So, let’s break it down. 𝗪𝗵𝗮𝘁’𝘀 𝗻𝗲𝘄 𝗳𝗼𝗿 𝗖𝗜𝗦𝗢𝘀: 1. More attack coverage: More detailed classifications and subcategories for attacks, particularly in Generative AI (GenAI): prompt injection and misuse are now separate, clearly defined categories. 2. More enterprise context: Attention to practical impact and operational risks in AI deployments. The paper covers good examples of attacks and mitigations in real enterprise environments. 3. Reflection of recent developments and wider AI adoption: New concerns like AI supply-chain security, agent-based AI systems, and enterprise integration reference architectures. 𝗪𝗵𝗮𝘁’𝘀 𝗻𝗲𝘄 𝗳𝗼𝗿 𝗔𝗜 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝘁𝗲𝗮𝗺𝘀: 1. More refined taxonomy with additional subcategories like Misaligned Outputs, Energy-Latency Attacks, and so on. 2. More real-world context: Special sections focused on practical AML vulnerabilities and attacks seen in the field, making it more relevant for enterprises and analysts. 3. Generative AI is more deeply integrated into the framework, covering enterprise-specific issues like agent-based GenAI models and prompt injection in real scenarios. 4. New attack and mitigation categories: Misuse Violations (e.g., prompt injections that bypass safeguards) and attacks on AI agents, calling out risks in these emerging system types. 5. Broader international collaboration & stronger cross-institutional input: Authors from the U.S. AI Safety Institute and the U.K. AI Security Institute. Overall, this update reflects how fast AI security is maturing—and how taxonomy is catching up to the field reality. If you're building or securing AI at scale, it’s worth reading.

27

3 Comments

🔍 Why NIST SP 800-18 Revision 2 Matters More Than Ever Public comments are open until July 30, 2025—a key opportunity for professionals to shape the future of digital risk governance. The newly released draft of NIST SP 800-18 Rev. 2 is more than just an update—it's a strategic leap forward in how organizations manage security, privacy, and cybersecurity supply chain risks. 🚀 NIST has released the initial public draft of SP 800-18r2: “Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems.” This update provides unified guidance for creating system security plans, privacy plans, and supply chain risk management plans—helping organizations document controls, responsibilities, and risk management practices more consistently and efficiently. Key highlights: Integrates security, privacy, and supply chain risk management into system planning Supports automation and alignment with the NIST Risk Management Framework Includes supplemental resources like plan outlines and roles/responsibilities templates Here’s why this matters: ✅ Unified Risk Management: The draft consolidates system security, privacy, and supply chain risk management plans into a single, cohesive framework—streamlining oversight and decision-making. ✅ Alignment with Key Frameworks: It integrates guidance from the NIST Risk Management Framework, Privacy Framework, and SP 800-161r1, ensuring consistency across enterprise and mission-level risk strategies. ✅ Automation-Ready: With support for GRC tools, the draft encourages automation in plan development and maintenance—boosting efficiency and reducing human error. ✅ Clarity on Roles & Responsibilities: Updated outlines and templates help organizations clearly define who’s accountable for what, improving governance and accountability. ✅ Critical for Supply Chain Security: In an era of increasing third-party risks, the emphasis on Cybersecurity Supply Chain Risk Management (C-SCRM) is a timely and essential addition. Access the draft and comment instructions here: [NIST SP 800-18r2 Draft](https://lnkd.in/gdViq3XD) #NIST #Cybersecurity #Privacy #SupplyChainRisk #RiskManagement #securitybites #saurabhjain

9