“Wendy is kind, patient, and understanding. Her ability to distill complex topics down to ELI5 sound bites are rivaled and matched by no one. I would happily recommend Wendy to anyone and would leap at the opportunity to work with her again. She made all of us better by ensuring we had mastery of the hardest to master ideas in infosec. She is the rising tide and she raises all boats around her.”
Wendy Nather
Fort Collins, Colorado, United States
8K followers
500+ connections
Fort Collins, Colorado, United States
8K followers
500+ connections
About
Strategist, research director, former industry analyst and former CISO. 40+ years'…
Activity
-
Today, I did something I haven't voluntarily done in at least 20 years. I subscribed to a newsletter. My whole professional and personal…
Today, I did something I haven't voluntarily done in at least 20 years. I subscribed to a newsletter. My whole professional and personal…
Posted by Wendy Nather
-
Please note: if someone asks you to record a podcast with Michelle Finneran Dennedy and Edna Conway, YOU SAY YES! Thank you, Tom Field, for getting…
Please note: if someone asks you to record a podcast with Michelle Finneran Dennedy and Edna Conway, YOU SAY YES! Thank you, Tom Field, for getting…
Posted by Wendy Nather
-
Currently watching the livestream from SET University's demo day for its Generation H initiative: https://lnkd.in/gw5CGgsA "Generation H is a…
Currently watching the livestream from SET University's demo day for its Generation H initiative: https://lnkd.in/gw5CGgsA "Generation H is a…
Shared by Wendy Nather
Experience
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Volunteer Experience
-
Volunteer presenter
Girlstart
- 2 years 1 month
Science and Technology
Created and presented workshops on security for the annual Expanding Your Horizons Conference (now Girls in STEM) for middle-school girls.
-
Guest lecturer - computer science
The University of Texas at Austin
- Present 9 years 2 months
Education
Lectured on cybersecurity risk analysis and threat modeling for undergraduate computer science class (CS 361).
-
Publications
-
A Peek Into the Psychographics of the CISO
451 Research
Market sizing may tell us what enterprises are buying, but it doesn’t necessarily tell us why they’re buying it. Unless a security technology is bought for compliance – and we consider compliance to be a fully populated security market in its own right – the rationale and motivation for security spending becomes murkier.
Other authors -
-
The Cloud Security Rules
Roer
The Cloud Security Rules explains the different aspects of cloud security to business leaders, CxO's, IT-managers and decision makers. The security principles are the same as before while the implementation and the risks involved are dramatically changed. The book is co-authored by some of the most recognized security specialists and bloggers in the world. The authors are gathered from USA, Europe and Africa, sharing their great knowledge of implementing and securing the cloud. This book is…
The Cloud Security Rules explains the different aspects of cloud security to business leaders, CxO's, IT-managers and decision makers. The security principles are the same as before while the implementation and the risks involved are dramatically changed. The book is co-authored by some of the most recognized security specialists and bloggers in the world. The authors are gathered from USA, Europe and Africa, sharing their great knowledge of implementing and securing the cloud. This book is made to help it easier for you to choose the right cloud supplier as well as setting up and running your critical services in the cloud. Questions you will find answers about include: - Do I have to accept that standard SLA? - What should an SLA include? - What standards should I be paying attention to, if any? - How do I treat mobile workers, and how do they fit into the cloud? - Do I really need to care about logging? - Many more! Since the cloud computing is global, you risk using service providers in other countries than your own - even if you only operate in your own country. The Cloud Security Rules aims at helping you understand the risks involved, and help you determine the best strategy for your organization.
Other authors -
Honors & Awards
-
Security Pioneer, CyberScoop 50 Awards
CyberScoop
https://www.cyberscoop.com/announcing-2021-cyberscoop-50-award-winners/
-
Infosecurity Europe Hall of Fame
Infosecurity Magazine and Infosecurity Europe Conference
https://www.infosecurityeurope.com/en-gb/whats-on/hall-of-fame.html
The Infosecurity Magazine and Infosecurity Europe Editorial and Content teams select the Hall of Fame inductee. The selection process is based on four key criteria. Hall of Fame inductees must:
Be an internationally recognised and respected information security practitioner or advocate
Have made a clear and long-term (over 10 years) contribution to the advancement of information security
Have…https://www.infosecurityeurope.com/en-gb/whats-on/hall-of-fame.html
The Infosecurity Magazine and Infosecurity Europe Editorial and Content teams select the Hall of Fame inductee. The selection process is based on four key criteria. Hall of Fame inductees must:
Be an internationally recognised and respected information security practitioner or advocate
Have made a clear and long-term (over 10 years) contribution to the advancement of information security
Have provided intellectual or practical input that has contributed to and accelerated the advancement of information security
Be an engaging thought-leader demonstrating creativity and original thinking in information security -
SC Media Reboot Leadership Award - Influencer
SC Magazine
https://www.scmagazine.com/home/events/reboot-leadership-awards-2018/influencer-wendy-nather/
-
Women in IT Security "Power Player"
SC Magazine
https://www.scmagazine.com/home/security-news/features/2014-women-in-it-security-wendy-nather/
Languages
-
English
-
-
German
-
Recommendations received
6 people have recommended Wendy
Join now to viewMore activity by Wendy
-
On December 12th, the Cybersecurity Coalition and the Cyber Threat Alliance are hosting #CybernextDC. This event will delve into the current…
On December 12th, the Cybersecurity Coalition and the Cyber Threat Alliance are hosting #CybernextDC. This event will delve into the current…
Shared by Wendy Nather
-
This past weekend was invigorating as all get-out, as I got to work with Pablo Breuer, Ph.D., Jennifer Ewbank, Jen Walker, Daniella Taveau…
This past weekend was invigorating as all get-out, as I got to work with Pablo Breuer, Ph.D., Jennifer Ewbank, Jen Walker, Daniella Taveau…
Posted by Wendy Nather
Other similar profiles
Explore more posts
-
Tobias Musser
CMMC Level 2 Assessment Objective: Flaw Remediation for Controlled Unclassified Information (CUI) Data PRACTICE: Organizations must identify, report, and correct system flaws in a timely manner. ASSESSMENT: All software and firmware have potential flaws. Organizations must identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and antivirus signatures. Be prepared! Your assessor could ask to 🔍 EXAMINE system and information integrity policy. 🗣 INTERVIEW system or network administrators. 📝 TEST organizational processes for identifying, reporting, and correcting system flaws. (CMMC Assessment Guide: Level 2 Version 2.11, page 241) #CMMC #DoD #cybersecurity #NIST #InformationSecurity
-
Thomas LaFayette
The Environmental Protection Agency lacks a documented plan to coordinate incident reporting with CISA, the agency’s Office of Inspector General found. Environmental Protection Agency officials found critical or high-risk vulnerabilities in 97 drinking water systems that serve more than 26 million people across the U.S., according to a report released last week by the agency’s Office of Inspector General. Another 211 water systems, servicing almost 83 million people, had medium-to low-risk vulnerabilities, including open portals that were visible from the outside. These water systems could face major disruptions or physical damage if a malicious hacker tried to exploit those vulnerable systems. The OIG report noted the EPA does not have an incident reporting system and relies on the Cybersecurity and Infrastructure Security Agency’s system. The OIG also could not find documented policies and procedures for how the EPA coordinates with CISA and other federal agencies to address these issues. #criticalinfrastructurecyberrisk #cyberriskmanagement #confidentialcomputing #thirdpartyriskmanagement #threatinformeddefense #GRC #cyberinsurance
-
Andrew Shea
Thanks to @Scott Small and Wade Baker, Ph.D. and the teams at Tidal and Cyentia. To my fellow cyber risk quant folk you know how strongly we drive our partners and customers to define risk scenarios using specific threat actors and/or specific TTP’s to enhance the accuracy of likelihood determination! The work both organizations are doing to help articulate the TTP’s being used for ransomware attacks can help provide a greater level of defensibility of your results. By executing adversarial simulation using these TTP’s increasingly accurate likelihood can be attained.
-
Lindsay P. Stought, CSM, PMP
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical security issue affecting GeoServer, an open-source geospatial data server. The agency has added an OSGeo GeoServer GeoTools eval injection vulnerability, known as CVE-2024-36401 with a CVSS score of 9.8, to its Known Exploited Vulnerabilities (KEV) catalog. GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2 are susceptible to Remote Code Execution (RCE) due to the unsafe evaluation of property names as XPath expressions. This vulnerability stems from how the GeoTools library API, utilized by GeoServer, processes property/attribute names for feature types, exposing systems to arbitrary code execution. The flaw affects all GeoServer instances, as it incorrectly applies XPath evaluation to simple feature types, making them vulnerable to exploitation. #Cybersecurity #GeoServer #Vulnerability #RCE #CISA #SecurityAwareness https://lnkd.in/ggDbpkyr
-
Jim DeSantis
This is funny to me; many have said this for years and now NIST is aligning with it. What companies need to be focusing on is password-less methods, not trying to make a legacy password method "less-bad". Windows Hello for Business, passkey, or other phishing resistant methods are the only real way to increase your security posture. Even with a 24-character password, end users will still write that on a sticky note. 😄
-
Countermeasures Group
Known Exploited Vulnerabilities Remain Unmitigated Past Deadlines: - Critical severity KEVS took nearly 4.5 months (137 median days) - High severity vulnerabilities take more than 9 months (238 median days) - Medium severity vulnerabilities take nearly 1.5 years (517 median days) https://lnkd.in/g_RExD96
-
Andrew von Ramin Mapp
The National Security Agency (NSA) has recently released guidance aimed at enhancing logging and threat detection capabilities in response to living-off-the-land (LotL) incidents targeting critical infrastructure. LotL techniques involve threat actors leveraging legitimate tools and protocols to carry out malicious activities, making them harder to detect. The NSA's recommendations emphasize the importance of robust logging practices and proactive threat detection measures to counter these sophisticated attacks. #NSA #Databreaches #incidentResponse #LotL #cyberattacks
-
Alexandre Dulaunoy
New blog post: Improving Cybersecurity Taxonomies Describing Impact and Cyber Harms Against Organizations I’ve introduced a new MISP taxonomy and shared insights into the critical role of impact description in effective information sharing. https://lnkd.in/eUJb-svP #CyberSecurity #MISP #taxonomies #taxonomy MISP Project (@[email protected] ) CIRCL (Computer Incident Response Center Luxembourg)
1 Comment -
Bob Chaput
ATTENTION: HEALTHCARE BOARD MEMBERS AND C-SUITE EXECUTIVES. ODDS ARE YOUR ORGANIZATION HAS NOT CONDUCTED AN OCR-QUALITY® RISK ANALYSIS! Shocking? NO! Since ... 90% of the organizations subjected to an OCR investigation involving electronic Protected Health Information (ePHI) are found to have failed to conduct the very first requirement (risk analysis implementation specification) in the very first standard (Security Management Process) in the very first area (Administrative Safeguards) of the ol' HIPAA Security Rule. OCR Audits produced equally dismal compliance findings. How can you address your cyber risks if you don't know what they are? EASY FIX! Attend the upcoming COMPLIMENTARY Clearwater OCR-Quality® Risk Analysis Working Lab. #HIPAA #riskanalysis #riskmanagement #cyberriskmanagement #boardcyberoversight #boardofdirectors
-
Kevin Beaver
Check out this podcast interview with me just after my TribalNet keynote in Vegas recently. I was asked a random question at the end about the first concert I attended that you might find interesting (and it's not just what's listed in the podcast description). #infosec #CISO #CIO #businessleaders #cybersecurity #podcast #keynotespeaker #backtobasics #rockconcerts #ISAC
-
Shakeel Ali
Microsoft Warns of Unpatched Office Vulnerability Leading to Data Exposure: Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could result in unauthorized disclosure of sensitive information to malicious actors. The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), has been described as a spoofing flaw that affects the following versions of Office - Microsoft Office 2016 for 32-bit edition and 64-bit editions Microsoft https://lnkd.in/g38wnDDe
-
Thomas LaFayette
The proposed rule would also require the disclosure of cyber incidents to CISA and physical security concerns to TSA. The Transportation Security Administration is seeking public comment on proposed requirements for surface transportation and pipeline companies to implement cyber risk management programs, the agency said Wednesday. The public comment period ends on Feb. 5, 2025. The proposed rule calls for certain pipeline, passenger and freight rail operators and rail system companies with high-risk profiles to develop comprehensive cyber risk management programs. Pipeline, rail and certain bus transportation or transit systems would be required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency. The sectors would report any physical security risk concerns to TSA. #criticalinfrastructurecyberrisk #confidentialcomputing #thirdpartyriskmanagement #threatinformeddefense #GRC #cyberinsurance
1 Comment -
Paul C Dwyer
Hmmm how do I leverage the NIST CSF 2.0 www.ncsecourse.com for Compliance and Reporting "How can an organization enhance its cybersecurity governance framework according to the NIST CSF 2.0's Govern function? Include recommendations for establishing roles, responsibilities, policies, and procedures to manage cybersecurity risk effectively." #NISTCSF ICTTF - Cyber Security Community, Academy and Events
3 Comments -
Teri Radichel 🩵
I’ve written a number of posts on testing and rolling out security controls safely on my blog including this one from 2020 ~ Better Testing for Better Outcomes. I have a bunch of others in a thread on X (sorry it’s the easiest right now) and on my blog. Taking the time to properly test and building tests into the software itself can prevent a lot of pain later. I explain how to do that in my posts and show examples of things not properly tested as well. https://lnkd.in/gcJ-PeG
4 Comments -
Wade Baker, Ph.D.
ICYMI: The inaugural study on EPSS performance and broader vulnerability exploitation trends published this week. If you've ever wanted data-driven answers to questions like these listed in the ToC shown here, download it today (free, no registration req'd): https://lnkd.in/gBbsgwQM #vulnerabilitymanagement #vulnerabilities #infosec
8 Comments -
Tobias Musser
CMMC Level 2 Assessment Objective: Connections Termination PRACTICE: Organizations must terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. ASSESSMENT: This requirement applies to internal and external networks, to prevent malicious actors from taking advantage of an open network session or an unattended computer at the end of the connection. Organizations need to balance user work patterns and needs against security to determine the length of inactivity that will force a termination. Be prepared! Your assessor could ask to 🔍 EXAMINE procedures addressing network disconnect. 🗣 INTERVIEW system or network administrators. 📝 TEST mechanisms supporting or implementing network disconnect capability. (CMMC Assessment Guide: Level 2 Version 2.11, page 224) #CMMC #DoD #cybersecurity #NIST #InformationSecurity
Explore collaborative articles
We’re unlocking community knowledge in a new way. Experts add insights directly into each article, started with the help of AI.
Explore More