52 episodes

Welcome to the Razorwire podcast where we share information, best practices and up to date news in cyber security and infosec.

Our mission is to help you become a better cyber security professional and support our vision of creating an agile community of cyber professionals who are stronger than ever before.

This show is first and foremost about sharing knowledge and benefiting from collaboration. We bring you the advice and wisdom of both your host, James Rees, and his guests to build on the strength and depth of your own knowledge and experience.

Your host James Rees is an information security veteran with over 25 years of industry experience and is the founder of Razorthorn Security, delivering expert security consultancy and testing services on a day to day basis to some of the largest and most influential organisations in the world, including many in the Fortune 500.

The Razorwire podcast is for cyber security professionals looking for new ideas and the drive to improve their response to cyber security events. Through collaboration, we can strengthen our defences.

For more information about us or if you have any questions you would like us to discuss on the podcast email podcast@razorthorn.com or head to www.razorthorn.com

This podcast uses the following third-party services for analysis:

Chartable - https://chartable.com/privacy

Razorwire Cyber Security Razorthorn Security


    DORA is Coming: Is Your Financial Institution Ready for the Digital Resilience Revolution?

    The deadline for financial entities is looming – get actionable information and advice on DORA compliance with industry expert Paul Dwyer!
    Welcome to Razorwire, your go-to podcast for cutting edge insights and expert analysis in the world of information security. I'm your host, Jim, and in today's episode we have the privilege of speaking with Paul Dwyer, a returning Razorwire guest, a veteran in cybersecurity risk and compliance with over 30 years of experience, and head of the International Cyber Threat Task Force (ICTTF).
    In this episode, Paul and I discuss the operational resilience required by DORA legislation, touching upon substantial fines for compliance failures and the shift towards personal accountability at the business and boardroom levels. We cover the nuances of DORA and its intersections with NIS2, and talk about the importance of better communication within organisations and the growing responsibility of governing bodies and the c-suite. 
    Paul shares invaluable insights on the risk-based approach that's overtaking traditional compliance methods, the business opportunities awaiting smaller players in the DORA compliance space, and the essential need for thorough and continuous training programmes.
    Key Takeaways
    1. Discover compelling real world examples of how compliance failures have led to significant fines for large organisations and why personal accountability at the boardroom level is becoming crucial.

    2. Learn how DORA and NIS2 regulations are evolving to include a risk based approach and are pushing for proportionality in implementing controls, shifting the focus from mere compliance to a truly risk-centric perspective.

    3. Find out about the new business opportunities that DORA presents for small and midsize players in the market, including offering compliance services and challenging large cloud providers. 


    The Era of Accountability in Management: 
    "Anybody can fill out a little compliance spreadsheet, oh, there we go tick, tick, tick, we're doing all that, it goes through. But those days are gone because you need to trust, verify everything, you need to get the evidence."
     Paul Dwyer

    Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen
    In this episode, we covered the following topics:
    - Operational Resilience: Find out about fines and individual accountability for compliance failures under DORA and NIS2.
    - Governance Focus: We talk about increased attention on cybersecurity from governing bodies and the c-suite.
    - Risk Based Approach: Why the regulations’ emphasis is on proportional, risk centric controls over mere compliance.
    - Business Opportunities: Identifying opportunities for small and midsize players in offering compliance services against large cloud providers.
    - Regulatory Adaptability: Why we need DORA regulations to be adaptable to various organisational risks.
    - Training and Awareness: Addressing the crucial need for thorough DORA awareness programmes for all levels of staff, especially non-tech leaders.
    - Compliance Tools: Introducing tools like CyberPrism and AI-based solutions for assisting organisations in DORA compliance.
    - Information Sharing: Discussing the importance of peer-to-peer intelligence sharing and distinguishing it from mere information sharing.
    - Leadership Evolution: Emphasising the need for CISOs and other leaders to possess hybrid skills tying cybersecurity with business strategy and legal...

    • 55 min
    Secrets of a Cyber CEO: The Truth About Running a Cybersecurity Business

    Unlock the secrets to successfully navigating the cybersecurity business landscape with insights from industry legend Jane Frankland on this episode of Razorwire.
    Welcome to Razorwire, I'm your host, Jim and in today’s episode, we have the privilege of discussing the intricacies of running a successful cybersecurity business with none other than Jane Frankland. With over 26 years in the industry, Jane has built and sold businesses, influenced trends and mentored the next generation of cybersecurity professionals. 
    In this episode, I chat with Jane Frankland about the challenges and most rewarding experiences of running a cybersecurity business. Jane tells us about her journey from the early days of cybersecurity in the 90s to becoming a prominent influencer and entrepreneur. We explore topics like managing growth, the shift towards freelance work and the importance of humility and mentorship in the industry. 
    3 Key Talking Points:
    1. Managing Business Growth: Jane shares her strategies for managing growth through the use of associates and outsourcing non-core functions. Learn how to scale your business efficiently while keeping your core operations robust.
    2. Navigating Industry Trends: We talk about the increasing amount of freelance work in information security, the importance of a reliable pool of pentesters and the risks of crowdsourced pentesting companies. Gain insight on how to adapt your business model to include evolving industry practices.
    3. The Role of Mentorship and Humility: Jane and I discuss why mentorship for young professionals is so important and the significance of humility in leadership. Discover why ditching egos and maintaining an approachable demeanour is crucial for building a successful cybersecurity business.
    Don't miss out on these pearls of wisdom from one of cybersecurity's most respected voices. 
    The Reality of Running a Business: 
    "You are literally flying by the seats in your pants and navigating your company, at the helm, which is very, very stressful. Very stressful. And yet it is exciting and it is fun."
     Jane Frankland

    Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen
    In this episode, we covered the following topics:
    - Business Growth Strategies: Discussing the challenges and careful expansion required to grow a cybersecurity business.
    - Outsourcing and Associates: Managing growth by outsourcing non-core functions like marketing and accountancy and using associates.
    - Pentesting Workforce: The shift towards freelance pentesters and the challenges of maintaining a reliable pool of talent.
    - Revenue Diversification: The importance of diversifying revenue streams and adapting business focus to market changes.
    - Industry Egos: Addressing the rise of egos in the information security industry and the importance of humility.
    - Emotional and Mental Challenges: Exploring the emotional rollercoaster and loneliness experienced by business owners.
    - Mentorship and Support: Highlighting the importance of mentors and coaches for guidance, especially during the early stages of business.
    - Client Acquisition and Recruitment: The complexities of recruiting staff, especially pentesters and salespeople and the challenges of client acquisition.
    - Financial Management: The critical importance of managing finances accurately and the common pitfalls at the tax level.
    - Encouraging Young Talent: The significance of mentoring young professionals and actively supporting their entrance and growth in the cybersecurity industry.
    Other episodes you'll...

    • 49 min
    Redefining Cyber Insurance to Meet Today’s Cybersecurity Challenges

    In a landscape where cyber attacks are constantly evolving, is your business insurance keeping pace?
    Welcome to another episode of Razorwire! I'm your host, Jim, and today we dive deep into the dynamic world of cyber insurance. Neil Hare-Brown and Matt Clark, two industry experts, are with us to share their wealth of knowledge and insights on how cyber insurance has changed to address today's security challenges. 
    In this episode, we cover the critical role of cyber insurance in modern security strategies, from mitigating the financial impact of cyber incidents to navigating the details of underwriting and premium setting. We also discuss the increasing trend of third party attacks and why companies must prioritise reviewing their vendors and suppliers. By the end of this episode, you'll have a clearer understanding of why cyber insurance is no longer a luxury but a necessity, and how you can leverage it to bolster your organisation's cyber resilience.
    Key Talking Points:
    1. Rising Costs and Frequent Threats: Neil explains why cyber insurance is crucial for mitigating significant financial impact of cyber crime.
    2. Underwriting and Premiums: Matt tells us how insurers use data and tools like ransomware calculators to set premiums and how businesses can proactively improve their cybersecurity posture.
    3. Vetting Third Party Vendors: We discuss why we must thoroughly assess third party providers, with insights into new insurance services and facilities aimed at helping businesses manage and recover from cyber incidents more effectively.
    Tune in to discover how cyber insurance can be an integral part of your organisation's defence strategy and ensure you're prepared for whatever comes your way.


    Cyber Risk Management: 
    "I think there is still quite a long way for businesses to go, for boards to appreciate that cyber risk management is not an operational problem."
     Neil Hare-Brown

    Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen
    In this episode, we covered the following topics:
    - Impact of Cyber Incidents: How to accurately estimate the financial repercussions of cyber attacks.
    - Ransomware and Business Email Compromise: We discuss the current trend for ransomware and business email compromise, and how to protect your organisation from the increased frequency and severity of the attacks. 
    - Double Extortion and Data Breaches: The evolution of cyber threats which includes tactics like double extortion and significant reputational harm.
    - Using Data to Inform Insurance: How data from insured cyber events helps give risk insights for setting premiums.
    - Proactive Cyber Risk Management: Why it’s essential to have a cyber champion on the board.
    - Third Party Risks and Cyber Insurance: Third party attacks can severely impact businesses, highlighting the need for comprehensive cyber insurance.
    - Evolving Insurance Facilities: New offerings such as breach response services are becoming more accessible and affordable.
    - Post-Incident Actions: Breach experiences often lead companies to enhance cybersecurity measures and seek appropriate insurance coverage.
    - SMEs and Cybersecurity: Smaller enterprises struggle with maintaining effective cybersecurity processes and benefit greatly from cyber insurance.
    - Continuous Learning in Cybersecurity: Why we must continue to learn and evolve for effective cybersecurity strategies.
    Resources Mentioneda...

    • 47 min
    What Really Grinds My Gears In Infosec!

    Unmask the reality of the information security world in this week's episode of Razorwire! Join me, Jim, and my guests, Chris Dawson and Iain Pye, as we talk about our daily frustrations working in infosec and the pressing issues facing cybersecurity professionals. We dissect the gripes, pet peeves and laughable clichés that saturate our industry.
    From the hype of award ceremonies to the absurdity of exaggerated credentials on LinkedIn, this conversation is packed with insights and anecdotes that will resonate with every cybersecurity professional. Stay tuned and subscribe for this candid look at the ups and downs of our industry.
    Key Talking Points:
    1. Real Talk on Compliance and Regulations: Discussing the hype around compliance requirements like GDPR and DORA, we break down the importance of understanding and managing these regulations without falling for marketing gimmicks.
    2. Vendor Exaggerations vs. Reality: Discussing the overblown claims around GDPR and DORA compliance and the serious implications for cybersecurity.
    3. Grandstanding Egos: The rise of self-proclaimed thought leaders and influencers and their role in fuelling fear, uncertainty and doubt within the infosec community.
    Tune in for a frank and entertaining discussion on the gritty realities of information security!
    The Struggles of Simplicity: 
    "Your average user will go out their way to circumnavigate the controls that you've put in place."
    Iain Pye
    Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen
    In this episode, we covered the following topics:
    - Annoying Infosec Practices: This satirical podcast dives into some of the most irritating practices in the infosec industry.
    - Auditor Issues: The frustrations of dealing with auditors. Enough said.
    - Integrity at Work: We talk about the significance of acting professionally in workplace settings.
    - Infosec Vendor Marketing: The creative license taken by vendor marketing departments and how to stay wise to exaggerations.
    - Risk Management Complexity: We talk about the overwhelming abundance of acronyms, and the importance of clear communication and documentation.
    - Compliance and Regulations: We look into the implications of compliance requirements such as GDPR and the upcoming DORA.
    - Exaggerated Professional Profiles: We lament the trend of elaborate and often exaggerated LinkedIn profile titles and qualifications.
    Resources Mentioned
    - The Cyber Sentinel’s Handbook
    - GDPR (General Data Protection Regulation)
    - DORA (Digital Operational Resilience Act)
    - LinkedIn
    - Chat GPT
    Other episodes you'll enjoy
    - Preventing Burnout in Cyber Security: https://www.razorthorn.com/cyber-security-professionals-shortage-burnout-how-to-protect-against-it-razorwire-podcast/ ...

    • 53 min
    The Art of Cyber Deception: How To Get Inside The Mind of A Hacker with Rob Black

    In this episode of Razorwire, I sit down with Rob Black, a dynamic figure in the world of cybersecurity with a unique background in military strategy and defence. From the realms of computer game design to the high stakes world of defusing IEDs, Robert brings unparalleled insight into how we can revolutionise cybersecurity by understanding and manipulating the psychology of our adversaries. This episode is packed with outside-the-box strategies that will transform your approach to defending your network.
    In our conversation, Robert and I explore the intersection of human psychology and cybersecurity, emphasising the impact of deception and misinformation on attackers. Robert shares parallels to military tactics and offers practical advice on psychological tools to gain an upper hand in infosec. We discuss real world studies and notable cyber incidents like Stuxnet to underscore the importance of strategic thinking beyond mere technological solutions. Tune in for an engaging discussion that could reshape your cybersecurity practices.
    Key Talking Points:
    1. Deception Tools and Strategy - Robert explains how to slow down attackers using deception technology, inspired by military tactics, causing them to mistrust their tools and make erratic decisions.
    2. Psychological Influence on Threat Actors - Learn how to improve the effectiveness of your network defence by understanding and engaging with the decision making processes of threat actors.
    3. Real World Case Studies - We discuss impactful examples, including the NSA's deception studies and the infamous Stuxnet attack, to illustrate how psychological and strategic insights can be applied to bolster cybersecurity efforts.
    Join us on Razorwire and arm yourself with revolutionary tactics to stay ahead in the constantly evolving landscape of cybersecurity. 
    Deception 2.0: Envisioning the Future of Cybersecurity
    "So attackers believe the systems they're using because they've got no reason to believe the computer won't lie. So how do we make it, inside our manmade network, that they have to tread carefully because they don't know what to trust and what not to trust?"
     Robert Black
    Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen
    In this episode, we covered the following topics:
    - Psychological Defence in Cybersecurity: How we can use psychological tactics, such as inducing paranoia, in defending against cyber threats.
    - Effectiveness of Deception: We discuss an NSA study which demonstrates how knowledge of deception impacts penetration testers' speed and decision making.
    - Human Factors over Technology: We talk about the merits of using human behaviour analysis and psychology alongside technology for cybersecurity strategies.
    - Corporate Espionage and Misinformation: How to use misinformation and disrupt attackers’ expectations as part of your defence strategy.
    - A Multidisciplinary Approach to Cybersecurity: We discuss the merits of incorporating diverse perspectives, including arts and philosophy, into cybersecurity education and strategy.
    - Vendor and CISO Relationships: Why vendors must understand and address the real problems faced by CISOs.
    - Proactive Defence Strategies: Why we need to move beyond assurance to proactive measures in cybersecurity defence.
    - Shift in Cybersecurity Mindset: How to progress the growing recognition of cybersecurity as a critical business threat and the importance of improved risk assessments.
    - Influence of Deception Technology: How we can use fake networks and behavioural economics techniques to manipulate attackers' behaviour.
    Guest...

    • 47 min
    Trust vs Control – Is Zero Trust Inevitable?

    Welcome back to Razorwire, the podcast slicing through the tangled world of cybersecurity! I'm your host, Jim and in this episode we’re talking about the crucial balance between trusting your workforce and exerting control over your security ecosystem. 
    Joining me are Iain Pye, sharing his insights into privacy roles, and David Higgins from CyberArk, who will discuss the challenges and strategies of effective cybersecurity. Whether you're managing remote teams or integrating third party services, this episode is packed with expert analysis and actionable advice.
    We discuss: 
    1. Discover how ISO and SOC certifications are shaping the way organisations approach security, as David Higgins analyses the paradigm shift towards a consumer-empowered landscape within cybersecurity.
    2. Discussion on the interplay between trust and control in the era of remote work, with insights on the importance of effective incident response capabilities, even when resources are lean.
    3. Learn about pragmatic approaches to vendor risk assessment and understand why a tiered method for evaluating vendor criticality could be pivotal for your cybersecurity strategy.
    Prepare to challenge your perspectives on cybersecurity's conventional wisdom and join us on Razorwire, where we cut through complexity to bring clarity to the professionals on the digital frontlines.
    “We've got devices that we no longer own. We've got platforms that we no longer run. We've got data stored in locations we're not responsible for and we've got employees working in environments that would that we've got zero control over. So moving to zero trust so that was it a ‘never trust, always verify mindset’? Makes a lot of sense."
    David Higgins
    Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen
    In this episode, we covered the following topics:
    - Adjusting Control to Criticality: The more critical the processing and servicing, the greater the expectation of control.
    - Certifications as Trust Indicators: The importance of obtaining certifications to demonstrate commitment and investment in establishing trust.
    - Consumer Empowerment Through Software as a Service: How the shift to SaaS models puts more power into consumers' hands, necessitating service providers to meet their security expectations.
    - Remote Work Security Challenges: How to tackle concerns about trust, control and security in home working environments.
    - Sensitive Data in Risk Zones: Identifying and dealing with risks associated with employees working in red-listed countries.
    - Cybersecurity Budgets and Risk Games: How to manage budgets and risk assessments effectively.
    - Third Party Risk Management: How to implement third party assurance programmes for managing risk and ensuring thorough vulnerability assessment with vendors.
    - The Evolving Cyber Threat Landscape: How to effectively deal with the rise in targeted phishing attacks through a balance of trust and control for detection and response.
    - Zero Trust and Continuous Authentication: Why we should focus on implementing zero trust architecture and continuous authentication methods like MFA and biometrics.
    - Economic Impact on Security Measures: Increasing costs and the economic downturn are major concerns affecting the budgets for security tools, certifications and overall organisational security measures.
    Guest Bio
    David Higgins
    David is the Senior Director – Field Technology Office at CyberArk. Since joining in 2010, Higgins has worked to help the world’s leading - and most complex - organizations secure and protect their privileged access. Today, he advises clients on threats associated with...

    • 44 min
