California's SB-53: The AI Transparency Law

California has once again stepped into the role of tech regulator-in-chief. Governor Gavin Newsom just signed SB-53, the Transparency in Frontier Artificial Intelligence Act, into law. It’s being called the most significant state-level AI legislation in the U.S., and it could ripple far beyond Silicon Valley.

Why should the cybersecurity and risk community care? Because SB-53 isn’t just about tech ethics or AI fairness. It introduces real compliance obligations for high-compute AI developers—with teeth. And that changes the way enterprises, SMBs, and cybersecurity leaders will need to think about AI governance going forward.

What SB-53 Requires

The law applies to companies building or deploying so-called frontier AI models—systems with high computational thresholds. The obligations include:

  • Public AI Safety Protocols: Developers must publish their security and safety procedures.

  • Incident Reporting: Any “critical incident” (think misuse, safety failures, or near-miss loss of control) must be reported within 15 days.

  • Whistleblower Protections: Employees raising AI safety concerns are explicitly shielded.

  • Enforcement: Penalties for noncompliance can run up to $1 million per violation.

This is not a symbolic move. For the first time, AI companies face a regulatory framework that makes AI safety both transparent and enforceable.

Why It Matters for Cybersecurity

Cybersecurity professionals should view SB-53 through the same lens as breach notification laws or GDPR-style compliance:

  • AI as a Security Asset or Liability: AI tools now operate in critical infrastructure, healthcare, finance, and education. If an AI model is compromised—or behaves unpredictably—the incident reporting piece of SB-53 mirrors what we already deal with in breach disclosure.

  • Supply Chain & Vendor Risk: If your vendors are deploying AI without SB-53-level controls, your enterprise inherits that risk. Expect procurement teams to start asking vendors about SB-53 compliance as part of due diligence.

  • Legal & Compliance Precedent: Once California acts, other states follow. SB-53 could become the de facto standard nationally, much like CCPA did for privacy.

The Business Impact

For enterprises and startups, SB-53 will force new operational realities:

  • Documentation: AI development teams will need to maintain robust documentation of model safety testing, bias audits, and incident logs.

  • Cross-Team Collaboration: CISOs, CTOs, and legal teams will have to work together on AI governance playbooks.

  • Cost of Compliance: Building out compliance programs is expensive, but the cost of non-compliance will be worse—not just in fines, but in reputational damage.

Industry Reaction

Some leaders are applauding California for setting guardrails where federal policy has lagged. Others warn it may create friction for innovation, particularly for startups that don’t have armies of compliance officers.

As I see it, SB-53 is not the end of innovation. It’s the beginning of serious accountability in AI. And in cybersecurity, accountability is what keeps businesses resilient.

Final Take

SB-53 may not be perfect, but it’s a wake-up call. The era of “move fast and break things” in AI is over—especially when breaking things could mean breaking critical infrastructure or breaching consumer trust.

As cybersecurity leaders, we need to treat AI like any other asset class: with layered defense, vendor risk oversight, and a compliance strategy that keeps pace with the regulators.

California just set the tone. The rest of the country will be watching—and so should you.

OpenAI Sora 2: TikTok Competitor or Deepfake Risk? | SecurityJabber

September 30, 2025 — OpenAI has officially released Sora 2, its upgraded AI video generator, alongside a standalone app designed to compete directly with TikTok. The timing couldn’t be more strategic: with TikTok facing regulatory scrutiny in the U.S., OpenAI is seizing the moment to offer creators and brands a new short-form video platform.

But as with all powerful generative AI tools, Sora 2 comes with opportunities — and risks.

What’s New in Sora 2

  • Video with sound: Fully generated audio, synced to AI-driven visuals.

  • Multiple characters: Complex, scene-driven storytelling.

  • Self-insertion: Users can place themselves directly into AI-generated videos.

This feature set positions Sora 2 as more than just a demo tool — it’s a creator ecosystem. With the new Sora app, users can share videos in a feed that looks and feels like TikTok.

📌 OpenAI Announcement

Why Now? Timing and Market Play

OpenAI’s decision to launch Sora 2 in September 2025 is no accident.

  • TikTok is under fire in Washington, facing potential bans and divestment orders.

  • Instagram Reels and YouTube Shorts are struggling to differentiate.

  • Short-form creators are hungry for a new platform with viral upside.

If OpenAI can deliver both content creation and distribution, Sora could capture an audience at exactly the right time.

📌 TechCrunch Coverage

Security Considerations

This is where things get tricky.

  • Deepfakes at scale: Self-insertion + voice generation makes identity spoofing easier than ever.

  • Misinformation risk: Synthetic news clips and viral hoaxes could spread faster than current moderation systems can keep up.

  • Bias & governance: Like all generative systems, Sora 2 inherits the biases of its training data. Who moderates the feed will matter as much as the tech itself.

  • Enterprise hesitation: While creators will flock to Sora, businesses and regulated industries may hesitate until clear guardrails are in place.

📌 VentureBeat Coverage

How to Join the Waitlist

Curious to test it for yourself? OpenAI has started a limited access program.

  • Step 1: Download the Sora app (currently rolling out on iOS in the U.S. and Canada).

  • Step 2: Sign up in-app to get notified when your account is eligible.

  • Step 3: Monitor OpenAI’s invites — early access is being granted in waves.

The Big Question

Sora 2 is impressive, disruptive, and risky all at once. The real question isn’t just:

“Can it rival TikTok?”

It’s: “How do we secure and govern it responsibly?”

At SecurityJabber, we’ll be tracking adoption closely — especially how deepfake governance, identity protection, and content moderation evolve in this next wave of AI-powered social platforms.

What do you think?
Would you trust an AI-powered TikTok alternative, or do the risks outweigh the innovation? Drop your comments below — this is one conversation security professionals, creators, and everyday users all need to have.

Missed RSAC 2025? You Can Still Catch the Insights

RSA Conference has long been the center of gravity for the cybersecurity industry. Each year in San Francisco, the event gathers thousands of security professionals, risk leaders, and technologists to share ideas, innovations, and hard lessons learned.

But if you skipped the trip to San Francisco in April—dodging the SFO airport chaos and overpriced hotels—you didn’t miss your chance to catch the content.

RSAC has made the entire 2025 presentation library available online through a free RSAC Membership. That means every keynote, panel, and technical deep dive is at your fingertips, on-demand, from anywhere.

Why This Matters

In cybersecurity, staying informed is survival. The threats evolve faster than any one person—or even one organization—can track alone. Conferences like RSAC help distill what’s important:

  • The newest attack trends

  • AI-driven defenses and risks

  • Regulatory and compliance updates

  • Practical insights from practitioners in the trenches

With on-demand access, you can build your own mini-conference experience, replay key sessions, and share insights with your team.

What You Get with RSAC Membership

A free RSAC Membership opens the door to much more than just session replays. Members gain access to a growing library of professional resources:

  • RSAC 2025 Session Recordings – Full replay of the conference, including keynote stage and expert-led breakouts.

  • Cybersecurity AI Research Tools – AI-powered summaries, curated slides, and mind maps from the RSAC Library.

  • Daily Briefs – Curated security news and trend updates to keep you current.

  • RSAC Cybersecurity Atlas Tool – An interactive data set with insights into where the industry is heading.

  • Community Discussion Groups – Peer-to-peer forums focused on specific security, risk, and AI topics.

How to Access RSAC 2025 Content

Once you register, you can log in and start watching sessions immediately.

Looking Ahead: RSAC 2026

RSAC has already announced the dates for next year: March 23–26, 2026, again in San Francisco. If you’re considering attending in person, signing up now will keep you updated and even give you a discount toward a full pass when registration opens.

Final Thoughts

RSA Conference is more than a trade show—it’s a reflection of where the industry is going. For those who couldn’t attend in person, this free membership is one of the best values in cybersecurity learning today.

At SecurityJabber, we believe that sharing knowledge is how we strengthen the industry. So check out the RSAC library, watch the sessions, and let us know:

What free cybersecurity resources do you use to stay sharp?

Cybersecurity Burnout: The Silent Threat to Teams and Organizations

Burnout in cybersecurity is no longer a side conversation—it’s a growing industry crisis.
Security professionals operate in an environment where threats never sleep. The constant pressure, urgency, and responsibility create conditions that can drain even the toughest professionals.

A recent BBC article brought this issue into the spotlight, confirming what many of us already know: burnout is not just a personal health matter—it’s a core security risk.

Why Burnout Matters in Cybersecurity

Most people think burnout is simply about working too many hours. In cybersecurity, it’s more complex:

  • Unrelenting Threats: Attacks happen 24/7. Security teams can’t simply “pause” risk.

  • High Stakes: One mistake could mean a breach with millions in losses.

  • Constant Alerts: False positives, endless logs, and the “always-on” mindset grind down mental health.

  • Invisible Impact: Burnout doesn’t just hit individuals—it ripples into team cohesion, decision-making, and overall organizational resilience.

The Dual Responsibility: Organizations and Professionals

Burnout prevention must be shared between organizations and the professionals themselves.

For Organizations:

  • Treat burnout as a business risk, not just an HR issue.

  • Build realistic staffing models and rotate on-call responsibilities.

  • Encourage time away from screens, and respect off-hours boundaries.

  • Normalize conversations about stress and workload at the leadership level.

For Security Professionals:

  • Practice self-care: eat well, exercise, and sleep consistently.

  • Avoid the trap of doom scrolling—constant negative news increases stress.

  • Take intentional breaks from tech.

  • Dedicate one day a week to unplug, reconnect with family, and refresh spiritually.

The Bigger Picture: Resilience Beyond Systems

Cybersecurity is fundamentally about resilience. But resilience isn’t just about hardened systems, SIEMs, or firewalls—it’s about the people defending them.

If our defenders are exhausted, disengaged, or burned out, our systems are inherently weaker. Protecting defenders is part of protecting the enterprise.

Conclusion

Burnout is the silent threat lurking behind even the most advanced cybersecurity programs. Leaders must step up, professionals must prioritize balance, and together we must treat human resilience with the same seriousness we treat technical resilience.

Cybersecurity doesn’t just need skilled professionals—it needs sustainable professionals.

GRRCon: The DefCon of Michigan

When people talk about the great hacker conferences, the big names usually come up first—DEF CON in Vegas, Black Hat, or maybe ShmooCon if you’re an East Coast insider. But in the heart of the Midwest, in Grand Rapids, Michigan, there’s another event that has quietly become a pillar of the cybersecurity community: GRRCon.

RSA Conference 2023 - Well Worth it and Timely

Welcome to the 2023 RSA Conference! I never missed one from 2007 until Covid, and this is my first year back. I have got to say I'm impressed with how well it has adapted to the current situation. This year's conference is great so far, and it is excellent to be back in-person after so long. The hallway track is fantastic this year.

Today, Monday, April 24th, I attended Carahsoft's Public Sector Day, which was designed to showcase solutions for the Federal and State verticals. Carahsoft did an incredible job in setting up for this conference. They had an impressive panel discussion on the current state of cybersecurity in the GOV/ED space, which was both informative and enlightening.

Initially, I wasn't planning on attending the full conference, but I found myself drawn in by the fantastic presentations and engaging speakers. If you haven't made it to RSA yet, I highly recommend attending next year. For connections and content, it is competitive and worth it. For

Although I haven't visited the expo hall yet, I've attended several networking events on Sunday and Monday, and I must say, the energy has been incredible. The market has faced numerous challenges, but the positive vibe at this conference is contagious, and I'm feeling more hopeful than ever about the future of cybersecurity.

I'm excited to head over to the show floor tomorrow, and I can't wait to see what's in store for me there. With ~40,000 attendees, over 400 exhibitors and more than 700 sessions, the RSA Conference promises to be one of the most comprehensive cybersecurity events this year.

One thing I've always appreciated about RSA is the mentorship aspect. It's an opportunity to connect with peers, learn from industry leaders, and share experiences. If you're new to the industry or looking to develop your cybersecurity career, RSA is an excellent place to start. If you’re an industry veteran? It’s like old home week or a reunion.

In addition to the many fantastic sessions and events, RSA also offers an incredible opportunity to explore and learn about the latest technology and solutions on the show floor. From cutting-edge startups to established industry players, the expo hall offers a wealth of knowledge and resources for all attendees.

I highly recommend that anyone interested in cybersecurity attend RSA at least once in their lifetime. The experience is invaluable, and the knowledge gained can make a real difference in your career. The connections? Even better.

Whatever your role or position in the industry, I'd like to remind everyone to mentor and be mentored. Sharing knowledge and experiences is essential in our field. It's a way to give back to the community and help those just starting in their careers. If you’re just starting out, ask for mentorship. Then pass it on.

Watch your 6 - what does that mean? Keep an eye on your surroundings and be aware of potential threats. As cybersecurity professionals, we must always be vigilant and take proactive steps to protect our networks and systems.

I hope you've enjoyed this year's RSA Conference as much as I have. Remember to stay well, and I look forward to seeing you all again next year.

RSA Conference

RSA is back, and WE are back at RSA. We will be posting some great highlights from the show. Stay tuned for more on RSA 2023!

Reach out if you’d like to meet in person out here. Looking forward to seeing you all!

davycinco@twitter

linkedin.com/daveglenn

Healthcare Cybersecurity Maturity and HIPAA Compliance

Many people incorrectly equate HIPAA compliance with cybersecurity. While HIPAA compliance is a key requirement for healthcare, it is not enough to protect your organization from cyber risk. Many organizations that are technically compliant continue to suffer debilitating cybersecurity events. Here are 3 areas you can focus on to ensure a strong cybersecurity posture that aligns with HIPAA compliance:

3 Areas of Focus for Healthcare Cybersecurity Maturity and HIPAA Compliance

Cyber Risk Gap Analysis, Prioritization, and Risk Management (RM)

Conducting a security risk gap analysis to establish a baseline is a critical first step in working towards cybersecurity and risk management maturity. This process involves objectively analyzing your current state against a framework to understand your security and risk posture. Once you have that baseline, and by understanding the potential business impact, you can prioritize measures specific to your organization to achieve your desired state and meet compliance requirements. Measuring potential impact on your organization and only then prioritizing remediation activities ensures that you get the best value and protection for your resource, time, and financial investment. This allows you to fix the highest priority items first, based upon your unique requirements.

Cloud and Transformational Security (CTS)

Healthcare organizations rely on cloud-connected components more than ever, and cloud architectures are becoming increasingly complex, often incorporating hybrid or multi-cloud environments. This reliance on the cloud opens cybersecurity risks that HIPAA compliance alone cannot address. When it comes to cloud-based devices or software, a well-executed cloud risk strategy prevents oversights and provides assurance that privacy and security risks to critical data and systems are mitigated.

Vendor Risk Management (VRM)

In order to comply with HIPAA regulation, healthcare organizations must have third-party vendors complete a security risk assessment when protected health information (PHI) is involved. As a result, the vendor and the organization are aware of security gaps that must have a remediation plan before they work together. In order to proactively manage risks to the business between annual assessments, vendor management needs to be treated as a continuous program. Creating a formal vendor risk management program establishes a consistent system to manage and measure vendor posture and impact.

Using an Automated System for Internal Risk Management

Creating a system for assessing cybersecurity risk, detecting gaps, and prioritizing corrective action can be a complex process. While many organizations have succeeded in establishing robust internal risk management systems, the journey to success can be extremely costly, time consuming, and frustrating. Leveraging a platform and automatic improvement model can provide a proven process to help healthcare providers and systems not only comply with regulatory mandates, but simultaneously build a strategy that aligns business objectives and technology infrastructure. 

Creating a centralized repository for all of your risk data, a dashboard for fast executive visibility, and a proven process for delivering sustainable ongoing security and compliance maturity is important. This type of system can shorten the cycle from annual or semi-annual assessments to real-time continuous visibility into your current remediation progress, new risks that may have appeared, and potential new priorities. This integrated approach conserves valuable time and resources (very often in short supply) while maximizing the effectiveness of your data security plan.

Enabling organizations to quantify impact, continuously measure their current risk posture, and manage the remediation process more efficiently builds a model that significantly improves the commitment and quality of communication between business and technology decision makers and leaders. It can also help remove the “analysis paralysis” that so often follows regulatory cyber risk assessments and results in inaction, ineffective strategy, and inadequate response.

Tags: cybersecurity, healthcare, HIPAA

Personal OpSec - random notes

Hey. Happy Thursday. Really good version of Tom Ryan’s Security Mindset Clubhouse room last night. Talked a ton about personal OpSec. A few links and tips below. The team talked about various strategies to protect security and identity including:

  • There’s the obvious, like not texting or emailing stuff like SSN, pictures of ID or SS card, and using as few identifiers as possible

  • Using services you have already shared data with instead of signing up for a new service to give more personal information to - like VISA, MC, AMEX… OR using the credit bureaus (Experian, Transunion, Equifax)

  • Using a “standard” fake birthday when signing up for websites

  • Using a paid service like “Delete Me” to keep your personal data posted on the web to a minimum / remove personal data sold by brokers. How We Work - DeleteMe (joindeleteme.com) (Thanks Eric)

  • Making sure your family members know “the rules” about posting pictures of you on social

    • Mixed discussion of letting that happen at all

    • Stay out of pictures altogether if you can help it (Thanks Jane)

  • Elixabeth has shared in the past how she works with younger relatives to put together a fake persona for them when they join social. That way they start out NOT exposing their real contact info, but keeps consistent track of the data used.

  • Much discussion about using “standard” fakes for mother’s maiden and other key identifiers when setting up a non-financial account if you HAVE to use that info.

  • Using a fake email service like Nada (thanks Dave M) to individualize setup emails, or one time use (to sign up for whitepapers, etc) nada - Disposable Temp Email (getnada.com)

  • Reading stuff from Michael Bazzell, listening to his podcast, or using his free workbooks on data removal and credit freeze: IntelTechniques by Michael Bazzell (Very useful website… thanks again Dave)

All in all, I highly recommend joining the Law, Tech and Infosec https://www.clubhouse.com/club/law-tech-infosec club (and Tuesday 11:30am PT / 2:30pm ET discussion) as well as the Security Mindset https://www.clubhouse.com/club/security-mindset club (and Wednesday 3:00pm PT / 6:00pm ET discussion rooms) to see for yourself.

Watch your 6… See you there.

BlackHat 2021, DefCon 29 and Usenix 30th Security Symposium

Another summer has almost passed, and I missed the Vegas pilgrimage. What with masks and shots, sick people and crazy people… I am still not 100% down with travel. Don’t get me wrong, some crazy part of me really misses waking up in a hotel room wondering where I am and what is on my calendar for the day, but sadly it’s not really fully back to “normal” (which my sister says “is just a setting on the dryer”). All that said, my plan is to be there next year.

I’ve heard mixed reviews. The consensus was that it was lightly attended, and that there were many more “innovation vendors” than mainstream big guys. But maybe that’s a good thing. I’ve always enjoyed the outside ring of vendors at shows like RSA, and think that we need more of those in the industry.

Consolidation continues on, and companies are recognizing that there is a balance to the idea that workers that have a less rigid onsite work schedule can be happier and more productive. Then there are a great number of people that have not used the time wisely and have instead used this as an excuse to slack. Whichever you are, I hope you’re finding ways to be successful in the new normal.

But I digress.. Thanks to my good friend Tom Ryan, I have this killer list to share with you. Here are slides, talks and videos of some of the best of this year’s Vegas security fest. Check em out. Some great stuff here:

DefCon 29 Videos: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20video%20and%20slides/

DefCon 29 Slides: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/

BlackHat 2021 (Slides accessible within each talk's link): https://www.blackhat.com/us-21/briefings/schedule/index.html

30th Usenix Security Symposium (papers and presentations): https://www.usenix.org/conference/usenixsecurity21/technical-sessions

Do you have any training links to share? Information that might be useful? Post below please! I’m interested.

What is SecurityJabber all about?

Welcome back friends. What is SecurityJabber all about you ask? Glad you asked. SecurityJabber is a forum for interviews and discussion of current cybersecurity topics. I interview great guests, discuss what’s going on in Cybersecurity, and sponsor a host of discussions both online and in real life.

I’ve now been in technology for almost 30-years, and in cybersecurity for 20+. I guess that makes me old. I’ve learned a ton and met a lot of great people. I’m hoping to share some of what I’ve learned with you, and spark some great discussions. I look forward to hanging out and getting to know you!

Back for real this time --- 2020 year in review

Wow. What a crazy whirlwind of a last 18-months. COVID-19, a 2020 none of us could have imagined. (Although I’ve been introduced to some creative fiction that came really close.)

We are LONG past 2020 now, but this post was sitting in drafts and I thought I would subject you to it anyway.

Unprecedented ransomware attacks including a blitz against healthcare organizations that escalated quickly. I was hosting a series of healthcare focused roundtables at the time, and on several of the sessions we went from an average of 10-20 attendees to over 100. Needless to say, people were paying attention. And for the first time, many media outlets reported that a ransomware attack led directly to the death of a patient. The story was that ransomware intended for a nearby university crippled a German hospital. As a result, a patient headed for Duesseldorf University Clinic was redirected to a hospital in Wuppertal, a 32-kilometer (20-mile) drive. This delayed doctors giving her treatment for an hour, and she died… Since then, the argument has been presented that she had complications that meant she likely would have died anyway, but this STILL brought a ton of attention to the issues of ransomware and how it could impact patient safety. This attention has resulted in board members and executives paying attention to not just compliance, but good security hygiene. This is good news and should be celebrated.

The FBI’s Internet Crime Report for 2020 was released in March 2021, and had some startling statistics. They received over 790,000 (791,790 if you’re actually counting) complaints of internet crime (more than $300,000 more than in 2019), and reported losses of more than $4.2bn. They received an average of over 2,000 complaints per day, and 5.6 million total complaints since inception. It’s an interesting read.

So 2021 was when we were all supposed to go back to “normal” whatever that is.

From a contested election, to riots and racial violence these truly are troubled times. So what’s in store in the rest of 2021? I, for one, hope we pay attention to our better angels and feed the beast that embraces positivity and forward progress. Let’s see what happens!

Now that we are in

SO... Here's RSA 2020 (and we're back...)

Ok everyone. After a crazy hiatus (more about that later), we are relaunching and plan to be better than ever. Life gets ahead of you sometimes, then you have an event… like a virus (and this is no Melissa) that slaps you and says “HEY DUDE” LIFE. Welcome to 2020, and COVID-19. Engineered? Maybe. Scary? Heck yes. Gonna stop us from having a great RSA? No Freaking Way.

So despite the prevalence of masks on people that usually don’t even wash their hands when leaving a restroom (GROSS, you know who you are…), and companies like IBM, AT&T Security and Verizon dropping out of the conference, the show must go on. Oh and IBM? People DO get fired for buying you now. AT&T, you don’t scale, and Verizon, you’re a great phone services company, but we don’t care about your security offerings anyway. (Opinions expressed here are my own, NOT my company, but you can have them if you want em.)

Things we are excited about in no particular order…

If you know me the way some of you do, you will swear I’m saying this under duress, but Microsoft. YES that Micro$oft. Indirectly this company has paid my bills for the last three decades. And I’ve had a fascination with them since elementary school at KSDA just up the road from Redmond. They’re no longer just a killer tech marketing company, they’re actually investing real money in cyber security. To the tune of >$1bn a year. That’s more than 10 of my favorite boutique favorites combined. And they’re focusing on some things that matter. Like Mobile

Phishing… No, I’m serious. People are missing the point of something as simple as DMARC. And despite all the vendor consolidation out there, I heard the story of “don’t beat em, join em” from the Valimail CEO, Alex Garcia-Tobar. And it made a ton of sense.

I’m late for my next happy hour… talk to you in a minute. Stay safe and for God’s sake, cover your mouth when you sneeze.

Episode 37: With Guests from Blacksands

Security Jabber - Episode 37 - Segment 1

Security Jabber - Episode 37 - Segment 2

Security Jabber - Episode 37 - Segment 3

Guest Interview with Blacksands

About Blacksands:
Danati blacksands began with the development of a cutting-edge Collaborative Ecosystem for Advanced Engineering and Research & Development targeting the Automotive Industry. As development progressed, we realized that the risk to companies losing billions in intellectual property was extremely high. New engine development can exceed $1 Billion and much of this work was vulnerable to cyber theft. Network Security and especially Cloud-based Network Security was completely inadequate.

Therefore, we halted development on the Ecosystem and sought a security solution. We needed to not only know, definitively, who was connected but also control these connections dynamically. We needed to have systems that were simple to use and impervious to the constant barrage of cyber-warfare. When none was to be found, we asked a few fundamental questions:

  • Why are we perpetually on the defense in cyber-security?
  • Why are we connecting to the entire world and then trying to filter out the bad entities?
  • Could we create a solution that is proactive instead of reactive?
  • Can we make our connections invisible to the rest of the world?

In development of blacksands we discovered answers to these questions and much more.  Traditional network security operates on the ‘Trust but Verify’ principle – connect to everyone and filter out the bad.  blacksands inverts this with its ‘Verify then Trust’ process – connecting only to the appropriate entities, never to the world.
