Roberta French

Cyber attackers do not all think the same—why should defenders? Latinas in cyber bring cultural fluency, multilingual skills, and sharp pattern recognition that threats do not see coming. Yet they make up less than 1 percent of the field. That is not just a gap—it is a missed opportunity. If we want security strategies that actually scale, we need to start by widening the talent pipeline. #Diversity #Cybersecurity #Culture

88

5 Comments

🚨 🚨 #Quishing isn’t new. This version is. QR-code phishing has existed for years — but the FBI’s alert focuses on how it’s now being operationalized by #Kimsuky, a North Korean state-sponsored cyber espionage group long associated with credential theft, intelligence collection, and long-term access to policy, academic, and government environments. In these campaigns, Kimsuky uses QR codes to intentionally shift targets off managed endpoints and onto personal mobile devices, bypassing email security, #EDR, and conditional access. The result is session token theft that quietly defeats #MFA, followed by #persistent access and secondary phishing from trusted mailboxes. What makes this worth an FBI FLASH is the outcome: #sessiontoken theft that bypasses MFA without triggering failure alerts, followed by persistence and #secondary phishing from trusted accounts. Quiet. Efficient. Effective. #Practical takeaway: make QR codes a first-class threat in your identity strategy. Update #training, extend visibility into #mobile flows, and assume #attackers will aim for the path that avoids your best controls. https://lnkd.in/gPZAAjzA

18

3 Comments

💡 Rising (ISC)² AMF Fees — A Growing Concern for Global Members I’ve been a proud (ISC)² member since 2006, maintaining my credentials (like the CISSP) in good standing for nearly two decades. Over these years, I’ve watched the organization evolve, expand globally, and strengthen its mission of advancing cybersecurity - a mission I deeply believe in. However, while processing my Annual Maintenance Fee (AMF) due on October 1, 2025, I was taken aback by a sudden change that deserves broader discussion. Here’s the progression: When I joined, the AMF was USD $85. It later increased to USD $125, which stayed constant for years. Now, it has risen to USD $135, plus a new tax component of USD $24.30 (≈18%) introduced without clear communication or explanation. On paper, a $10 increase may seem modest. But when you add the new tax, the overall jump of nearly 20% becomes significant - especially for members in regions where earning power is far lower. For context: The per capita income in India is about USD $2,500, Compared to over USD $71,000 in the U.S. For many professionals in emerging economies, maintaining an international credential like CISSP isn’t just about paying a fee - it’s about staying connected to a global standard, investing in credibility, and feeling part of a larger professional family. When costs rise sharply and unexpectedly, that sense of inclusion starts to feel out of reach for some. Adding to the concern, emails to the (ISC)² Asia-Pacific office seeking clarification have gone unanswered so far. This leaves an important set of questions open: ·        Is this new tax applicable worldwide, or limited to specific regions? ·        Has there been any member communication explaining the change? ·        Can (ISC)² consider a region-sensitive AMF model to reflect global income diversity? We understand operational costs, taxes, and inflationary pressures - that’s part of doing business anywhere. But what members value most is transparency, fairness, and engagement. This isn’t a complaint - it’s a call for clarity and inclusion. (ISC)² has built an extraordinary global community of professionals. Ensuring equitable policies across geographies will make that community even stronger. Cybersecurity is global - our professional associations should be equitable too. 🌍 #ISC2 #CISSP #Cybersecurity #ProfessionalMembership #Transparency #GlobalCommunity #AMF #Inclusion #ISC2Members #ProfessionalEthics

27

3 Comments

Leadership in Technology #2 Inspiring innovation Effective technology leaders create an environment that encourages creativity and experimentation, allowing team members to explore new ideas and learn from mistakes. Fostering collaboration Leaders promote open communication and trust among team members, facilitating cross-functional collaboration that leverages diverse expertise for successful project outcomes. Driving progress By setting clear goals and providing necessary resources, leaders help their teams stay competitive and adapt to industry advancements, ensuring continuous learning and development. Creating a supportive environment Leaders prioritize the needs of their team members, fostering a culture of trust and mentorship that empowers individuals to take ownership of their work and feel confident in their abilities. Remember, Leadership is a journey, not a destination. It is a marathon, not a sprint. It is a process, not an outcome. ~John Donahoe

31

1 Comment

Do Things Differently: Design Greenfield, Evolve Brownfield In cybersecurity, the demands of an ever-changing threat landscape often keep us focused on patching, addressing vulnerabilities, reinforcing infrastructure, and optimizing for performance — in essence a “brownfield” approach. While these practical, effective, and necessary steps keep operations running smoothly while adapting to evolving security needs, it’s worth asking: are we limiting ourselves by building on what already exists? Greenfield projects offer an exciting alternative: starting from a blank slate allows us to design security-first architectures that are inherently resilient, scalable, and future-proof. Greenfield initiatives enable us to implement innovative technologies, integrate models like zero trust, and create systems optimized for today’s most complex threats. The freedom to innovate without the constraints of legacy frameworks can make all the difference in staying one step ahead. The challenge lies in striking the right balance between preservation and innovation. It’s not about choosing one approach over the other, it’s about embracing both strategically. Brownfield systems must be maintained and reinforced where they are still relevant. Simultaneously, greenfield solutions should be developed in areas where innovation and agility are imperative. Progress then comes from charting a clear path forward for brownfield systems, whether through gradual migration to more advanced frameworks or, when appropriate, decommissioning outdated systems altogether. By doing so, we can create a cybersecurity environment that not only safeguards the present but also anticipates the future. This dual approach empowers organizations to balance stability with transformation. Together, these strategies pave the way for a resilient, forward-thinking cybersecurity landscape that’s ready for whatever comes next. #Cybersecurity #Innovation #Greenfield #Brownfield #DoThingsDifferently

7

Dragos, Inc. is estimating that OT Disruptions Could Cost $330B Globally. I had the chance to weigh in on the importance of having the right visibility when handling OT data (or really any data). Security Magazine

6

1 Comment

I've briefed Fortune 500 audit committees, executive leadership teams, and military generals. None of them want to hear about your firewall rules. They want three numbers that actually matter to the business: **Mean Time to Detect (MTTD)** Not "we have 47 security tools." They want → "We detect threats in 12 minutes vs. industry average of 287 days." Real impact. Real timeline. Real comparison. **Business Risk Exposure ($)** Not "we mitigated several vulnerabilities." They want → "$2.3M in potential business disruption reduced to $180K through proactive remediation." Translate technical risk into dollars they understand. **Security Debt Ratio** Not "we're implementing new controls." They want → "18% of our security infrastructure needs modernization, down from 34% last quarter." Show them you're fixing the foundation, not just patching holes. Here's what I learned after these briefings: Executives don't care about your CVSS scores or vulnerability counts. They care about business continuity, financial impact, and forward progress. The moment you start speaking their language — dollars, timelines, and trend lines — you get budget approvals instead of blank stares. Your cybersecurity program is only as strong as your ability to communicate its value to people who've never configured a firewall. What metrics do you use to translate technical risk into business language? #CyberSecurity #CISO #RiskManagement #ExecutiveLeadership #InfoSec

36

11 Comments

Corporate Cybersecurity Requires Focus, Not Distraction Cybersecurity leadership is not about being everywhere or mediating every conversation; it’s about prioritization. Directors must focus on corporate risk tolerance, regulatory obligations, and operational resilience. When personal agendas or informal debates take precedence, consistency erodes, security posture fragments, and credibility with senior leaders weakens. The most effective cybersecurity leaders set clear boundaries. They listen, but they stay mission-focused. They communicate transparently, but they avoid being pulled into distractions that don’t materially reduce risk. In today’s threat landscape, focus isn’t just a leadership trait—it’s a security control.

8

In today's digital age, the threat landscape is constantly evolving, making cybersecurity a shared responsibility across all departments. By implementing comprehensive training programs and encouraging open communication, organizations can empower colleagues to recognize and respond to potential threats.

3

Pragmatic, strategic governance is fundamental to security departments at large organizations. With sound department standards, operational procedures, and technical standards we can manage at scale, lowering risk, liability, and expenses. I share a little insight on the topic here in this recent interview with Security Journal Americas (SJA). PPG The Security Foundation (TSF) International Security Management Association (ISMA) Diplomatic Security Service OSAC

100

6 Comments

Ransomware hasn’t just evolved, it’s restructured. What used to be a slow, technical breach has become a fast-moving extortion campaign. And in 2025, the pressure is designed less for encryption, more for leverage. We’re seeing a shift that CISOs can’t ignore: • Initial access via known vulnerabilities—not phishing • AI-written ransom emails that mimic internal language and tone • Victim shaming within hours on leak sites, dark web, and even LinkedIn The attack chain is shorter. The pressure is higher. The damage is reputational first, operational second. The real challenge? Most enterprise response plans are still built for containment. But ransomware today requires crisis alignment. Legal. PR. Risk. CXOs. Everyone needs to know their role before the breach. Here’s how we’re reframing our posture: 🔹 We measure “Time to Remediate Known-Exploited CVEs”. Response starts with exposure visibility. 🔹 Our backups are validated through real restore exercises. Recovery must align with business RTOs. 🔹 Our comms team has a breach playbook and draft statements because brand damage is real-time. 🔹 We simulate hybrid scenarios Extortion + data exfil + regulatory notification, all within 48 hours. Ransomware in 2025 is less about encryption. It’s more about leverage. And unless your leadership model shifts from control to coordination, you’ll find yourself reacting to headlines and not preventing

54

2 Comments

Another one of my favorite reads, Stephen M. R. Covey’s The Speed of Trust. It provides a clear framework to help #InfoSec leaders build teams that are more effective, resilient, and collaborative. The idea is simple: trust is a performance multiplier. It speeds up communication, lowers friction, and improves decision-making. In the context of InfoSec, where timing and clarity are critical, trust becomes an edge. Trust as a Performance Driver InfoSec is often seen as a blocker. Teams are pulled in late, deliver bad news, and seem to slow progress. That perception changes when the team builds credibility. Covey identifies four key foundations of trust: integrity, intent, capabilities, and results. * Integrity means being honest, consistent, and ethical. It shows up when security professionals admit mistakes, report risks transparently and stick to their commitments. * Intent is about motives. If other teams see security as a partner, not an obstacle, collaboration improves. Aligning InfoSec priorities with business goals builds goodwill. * Capabilities must evolve. The threat landscape changes constantly. A team that learns continuously and adapts quickly earns internal respect. * Results validate trust. If the team consistently prevents incidents, improves response times, and supports audits, people believe in the value it brings. Putting Trust into Practice Covey outlines 13 trust-building behaviors. Several are critical for security teams. * Talk straight. Be clear and honest. Drop the tech jargon and FUD. * Create transparency. Share security decisions, metrics, and incident reports. Let others see how and why you operate. * Clarify expectations. Make security requirements easy to understand and implement. * Right wrongs. When things go wrong, own the mistake and fix both the issue and the process behind it. * Extend trust. Give team members autonomy. People grow into the trust you give them. Collaboration Across the Organization InfoSec depends on partnerships with IT, engineering, HR, legal, and leadership. To build lasting collaboration, involve other teams early, listen to their concerns, and explain risks in practical terms. Work with them, not against them. When security is embedded into conversations from the start, resistance drops and adoption increases. The Payoff A high-trust InfoSec team responds faster, communicates better, and gains influence. It becomes a respected partner that protects the business without slowing it down. Covey’s principles give security leaders the tools to lead with integrity, build real partnerships, and make trust the foundation of resilience.

7

The State of Nevada systems have been crippled by ransomware. For weeks. Then so read this: The state of Nevada does not have a single Chief Information Security Officer (CISO); instead, a Chief Information Officer (CIO) role exists, and responsibility for information security is a collaborative effort involving multiple IT security and department leaders, according to this State of Nevada article. Alan Cunningham previously served as the State CIO and oversaw the Enterprise Information Technology Services Division, which supports state agencies, but the position of a dedicated State CISO is not present. Key Takeaways • No dedicated State CISO: Thoughts anyone?

72

89 Comments

Cyber risks aren’t just an IT issue—they’re a business risk. As threats become more sophisticated, the real challenge is making sure leadership understands what’s at stake. Boards are now expected to take ownership of cyber-risk. But instead of patch reports and threat maps, they need a clear view of how security ties to business continuity, brand reputation, and fiduciary responsibility. What makes an impact: Frame security in terms of ROI, risk exposure, and customer trust. Partner with HR, finance, and legal to build alignment Create a culture where security is part of everyone’s job Let’s stop treating cybersecurity as just a compliance exercise—and start embedding it into the DNA of the business, from the front lines to the boardroom. https://lnkd.in/d6qgjA-u #CyberSecurity #CyberRisk #Leadership #SecurityCulture #RiskManagement #Governance

11

2 Comments

Does a written leadership philosophy still matter in today’s tech-driven world? I’d genuinely love your thoughts—especially from those in cyber, IT, and tech. In 1997, one of the most inspirational and influential leaders I ever served shared his leadership philosophy with our team. It wasn’t flashy—but it was clear, authentic, and grounded in purpose. It was one of many leadership moments that shaped my journey—but it’s always been foundational. Why? Because it immediately set the tone, clarified expectations, and served as a catalyst for the culture he defined—and that we, as a team, fully bought into. The result? We became a truly high-performing team—recognized nationally for our excellence in mission execution. That early experience made a lasting impression on me. Since then, I’ve written and shared a leadership philosophy for every new role—military and civilian, cybersecurity and IT alike. For me, it’s never been about the paper—it’s about the people. It’s about: • Clarity and alignment from day one • Trust built on transparency • Leading by example—because saying it isn’t enough • Creating space for feedback, growth, and shared accountability I’ve learned to model the leaders who inspired me, and just as importantly, to avoid repeating the toxic or ineffective behaviors I’ve witnessed along the way. That mindset has shaped how I lead—and how I grow. This post isn’t just about sharing a leadership tool. It’s about starting a conversation—with those leading, and those being led. Whether you’re a leader or an individual contributor (or both—because most of us answer to someone), I’d love your perspective: 1. Have you ever received a written leadership philosophy? Did it inspire you—or fall flat? 2. When a leader shares their philosophy, does it help you understand how to work with them, shape the culture, or succeed on their team? 3. What do you wish more leaders would do early on to set the tone and earn trust? 4. What’s the most powerful example you’ve seen of a leader truly living their stated philosophy? What made it feel authentic? 5. What advice would you give to a new leader stepping into a high-stakes role—especially in cybersecurity or IT? Leadership is universal. Whether you wear a uniform, a badge, or a hoodie—your ability to inspire, connect, and elevate others transcends titles and roles. I believe feedback is a gift. And I’d truly appreciate yours. #First100Days #CyberLeadership #MissionFirstPeopleAlways #LeadershipPhilosophy #LeadByExample #PeopleFirst #CultureAndStrategy

40

19 Comments