Evan Schuman's Stories in 
Do the Marriott cybersecurity settlements send the wrong message to CISOs, CFOs?
This CSO piece covers Marriott's settlement with both the Federal Trade Commission and almost every American state to partially close the loop on the fallout from three major data breaches between 2014 and 2020 impacting more than 344 million customers. But the terms of the settlements are worrying some cybersecurity executives. Read full story
FCC orders T-Mobile to deliver zero trust and better MFA
This CSO piece covers a consent decree negotiated between the agency and the telco, T-Mobile also promised to more heavily invest in cybersecurity overall. Read full story
Microsoft privilege escalation issue forces the debate: 'When is something a security hole?'
This CSO piece covers recent news that Fortra has announced what it dubs a Microsoft security hole. There is no dispute that the privilege escalation issue exists, but there is much argument over whether it's a flaw. Read full story
Personhood: Cybersecurity's next great authentication battle as AI improves
This CSO piece discusses the ability to differentiate bots from humans is becoming increasingly critical. Near infinite scalability of fake AI humans on the cheap makes human impersonation an awfully powerful weapon for bad actors. Read full story
Microsoft fixes Authenticator design flaw after eight years overwriting accounts
This CSO piece examines the latest confirmation from Microsoft. It has finally fixed a vexing glitch that locked Authenticator users out of their accounts — something just about every other authenticator app has avoided since inception. Read full story
Dutch regulator fines Clearview €30 million… or more
This CSO piece examines how the Dutch data protection authority is considering pursuing the face recognition company's directors for privacy violations next. Read full story
8 cloud security gotchas most CISOs miss
This CSO piece looks at the typical enterprise leveraging a dozen cloud vendors globally, there are plenty of ways for security nightmares to sneak in. Here are a few lesser-known issues that could haunt you. Read full story
CrowdStrike questions could give CISOs pause — with options available
This CSO piece looks at the unanswered questions regarding CrowdStrike's processes that led to a global Windows outage strike at central issues of trust, transparency, validation, and interdependency for CISOs, which could result in a rethink given the stakes and ease of defection. Read full story
Design flaw has Microsoft Authenticator overwriting MFA accounts, locking users out
This CSO piece looks at how the Microsoft Authenticator experience can go beyond momentary frustration to full-blown panic as end-users become locked out of their accounts. Despite user complaints for years, no fix has been issued, leaving IT experts wondering, 'Why would you pick Microsoft?' Read full story
Will the public nature of ransom payments change CISO strategy over whether to pay?
This CSO piece looks into reports identifying a $75 million ransom payment made in March by a Fortune 50 company raise some questions. Read full story
NHIs may be your biggest — and most neglected — security hole
This CSO piece looks at an increase in attackers seeking out non-human identities, as ultra-easy onramps to everything of value in your enterprise. The solution? Stop treating NHIs as though they are another human end-user. Read full story
Federal judge greenlights securities fraud charges against SolarWinds and its CISO
This CSO piece looks at the SEC lawsuit against SolarWinds where the court dismissed most of the SEC's charges, the by far most serious charge – securities fraud by both the company and its CISO – survived. CISOs have little reason to celebrate. Read full story
What savvy hiring execs look for in a CISO today
This CSO piece looks at how the CISO role is undergoing a sea change, requiring a range of seemingly contradictory skills and experiences. Here's how experts see the role evolving — and how hiring execs assess the blend of "Mother Teresa and a kamikaze pilot," as one CIO puts it, necessary to succeed as a CISO today. Read full story
AT&T confirms arrest in data breach of more than 110 million customers
This CSO piece looks at first cybersecurity incident where the Justice Department initially allowed an enterprise to not disclose. Read full story
Spam blocklist SORBS shuts down after over two decades
This CSO piece looks at how the service was unsustainable but those in the email deliverability industry expressed mixed feelings about the closure. Read full story
FBI offers to share 7,000 LockBit ransomware decryption keys with CISOs
This CSO piece looks at how it's not clear how many of the decryption keys are still viable, but it's likely to be a boon for many enterprise victims who did not pay the ransom. Read full story
Major service tag security problems reported in Microsoft Azure
This CSO piece examines how Microsoft has opted not to fix the issue reported by Tenable Research, but many defend that decision, arguing that this should be decided by CISOs based on their environment. Read full story
SEC rule for finance firms boosts disclosure requirements
This CSO piece examines the amendments to Regulation S-P requires broker-dealers, investment companies, registered investment advisers, and transfer agents to disclose incidents to customers. Read full story
US deploys commerce and communications against cyber threats, Blinken says
This CSO piece looks at how the US government is moving to address the challenges of quantum computing, cloud strategies, and generative AI, Anthony Blinken said in a speech that was light on specifics. Read full story
Marriott admits it falsely claimed for five years it was using encryption during 2018 breach
This CSO piece examines Marriot's revelation in a court case around a massive 2018 data breach that it had been using secure hash algorithm 1 and not the much more secure AES-1 encryption as it had earlier maintained. Read full story
US supreme court ruling suggests change in cybersecurity disclosure process
This CSO piece examines how the decision puts pressure on CISOs and those crafting SEC filings as wording could be judged as "half-truths" and considered misleading. Read full story
Will generative AI kill KYC authentication?
This CSO piece looks at how generative AI can create fake documents and personal histories that fool common know-your-customer authentication practices. Read full story
Is your cloud security strategy ready for LLMs?
This CSO piece looks at existing cloud security practices, platforms, and tools that will only go so far in protecting organizations from threats inherent to the use of AI's large language models. Read full story
Rise of the cyber CPA: What it means for CISOs
This CSO piece answers the question: New accountant certification rules starting January 2024 could deliver many new cybersecurity-trained accountants. Is this good or bad news for CISOs? Read full story
How US SEC legal actions put CISOs at risk and what to do about it
This CSO story looks at how CISOs could find themselves in a painful Catch-22 situation when the US Securities and Exchange Commission's new cybersecurity rules are enacted in December. Read full story
6 new ways threat actors will attack in 2021
This CSO story looks at cyber criminals leveraging improved capabilities and vulnerabilities introduced during the COVID crisis to improve the efficiency of their attacks. Read full story
