
Cynthia Brumfield
Cynthia Brumfield is a veteran communications and technology analyst who is currently focused on cybersecurity. She runs a cybersecurity news destination site, Metacurity.com, consults with companies through her firm DCT-Associates, and is the author of Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework (Wiley).

Why metrics are crucial to proving cybersecurity programs’ value
Methodologies to measure the effectiveness of cybersecurity efforts exist. Tying them to the real world is the trick.

States step up cybersecurity efforts as threats increase
Spurred by recent attacks, some U.S. states are taking action and allocating funds to boost their defenses against cyber threats.

SEC filings show hidden ransomware costs and losses
A review of 2021 8-K filings with the U.S. Securities and Exchange Commission reveals a more complete picture of the financial damage from ransomware.

Cyber incident reporting measures approved in the omnibus spending bill
Critical infrastructure entities and federal agencies will have to report significant cyber incidents to CISA within 72 hours and ransomware attacks within 24 hours under legislation passed by the House that will likely become law.

Biden’s cryptocurrency executive order addresses illicit financial risks
Early indications are that the cryptocurrency industry will work with the U.S. government to help minimize risk and make it harder for cybercriminals to profit from their activities.

Purported massive leak of Russian soldiers' data could sink morale, digital security
The publication of personal data on 120,000 Russian soldiers, if accurate, could provide a means to demoralize troops in Ukraine and make them targets for cyber campaigns.

Rash of hacktivism incidents accompanies Russia’s invasion of Ukraine
Some in the cybersecurity community say actions on behalf of Ukraine help even the odds, while others warn that unauthorized hacking could interfere with government cyber operations.

NIST seeks information on updating its Cybersecurity Framework
Security community welcomes the update, but a U.S. GAO report cites slow adoption among government.

Skyrocketing cryptocurrency bug bounties expected to lure top hacking talent
Bounties as high as $10 million make hunting cryptocurrency vulnerabilities lucrative for those with the proper skill sets. It might eventually drive up fees for traditional bounties, too.

NIST releases software, IoT, and consumer cybersecurity labeling guidance
The new guidance aims to tighten security requirements for federally purchased software and give consumers better insight into the security of software and devices they buy.

4 alternatives to encryption backdoors, but no silver bullet
Alternatives to backdoors in end-to-end encryption exist, but not all address privacy and security concerns, say experts at last week’s Enigma conference.

DHS creates Cyber Safety Review Board to review significant cybersecurity incidents
The CSRB will advise the President and Department of Homeland Security director, as well as review major security events starting with the Log4j exploits.

Alpha-Omega Project takes a human-centered approach to open-source software security
The Linux Foundation and OpenSSF project, with backing from Microsoft and Google, aims to improve security of 10,000 open-source projects.

OMB issues zero-trust strategy for federal agencies
All federal agencies must meet zero-trust goals that the U.S. Office of Management and Budget has set by 2024, building on earlier federal cybersecurity initiatives.

SEC eyes more expansive cybersecurity requirements
New rules for publicly traded companies could add protections for consumer information, strengthen incident reporting, and require assessment of third-party risk.

Biden memo aims to bolster cybersecurity in national security systems
A national security memorandum sets new cybersecurity requirements for reporting and preventing security incidents involving sensitive national security systems.

Tech sector embraces public-private collaboration on open-source software security
Participants in a White House meeting on securing open-source software expressed optimism for working effectively with government to help prevent Log4j-like events.

CISA sees no significant harm from Log4j flaws but worries about future attacks
The U.S. cybersecurity agency can't rule out that adversaries are using Log4j to gain persistent access to launch attacks later.

FTC, SEC raise legal risks surrounding the Log4j flaw
The U.S. Federal Trade Commission also threatened possible legal action for companies that don't address the risk from the Log4j vulnerabilities.