Category Archives: The Information Security Profession

A true chance to make CVE a true community program

This is something I always say: we have too few global, horizontal, community initiatives in cybersecurity. There are lots of private and commercial initiatives, but far fewer community ones.

The CVE program, run by MITRE, is running out of funding from the US government.
This event can be the trigger to change that. It is a golden opportunity for a change for the good of the whole industry.

This is a chance to turn it into a truly global program, not a US-controlled one: funded by governments from around the world, plus core monetary support from the cybersecurity vendors and service giants who make billions of dollars out of cybersecurity and rely on CVE data.

“U.S. Govt. Funding for MITRE’s CVE Ends April 16, Cybersecurity Community on Alert”
https://thehackernews.com/2025/04/us-govt-funding-for-mitres-cve-ends.html

Allegory for Information Security

Allegory is a powerful tool for explaining or summarizing a complex topic, so I often explain that Information Security should be like the atmosphere: it should be transparent (not felt, not bothersome), it should prevent bad things (asteroids = malware and other attacks) from coming in, and it should prevent good things (oxygen = sensitive or confidential data) from getting out.

Cyber attacks are more certain than fire and theft risks for businesses

The insurance company Aviva conducted research on cyber risks, and one of its main conclusions was:
… the research found that businesses are 67% more likely to have experienced a cyber incident than a physical theft and almost five times as likely to have experienced a cyber attack as a fire.
If the numbers are real and not just PR to sell more cyber insurance, then I think this is a landmark in the history of information security: a major “upward” step on the risk ladder, moving closer to certainty on the probability scale.
As I always say, much of our work in cybersecurity is not technical; it is fighting repression, the mental pushback from the people we work with about dealing with digital risks. This research may help us by providing statistical evidence that cyber risks are not accidental: they are intentional (whether the targeting is personal or generic) and they are bound to happen. The only question is whether we will do something about it.