
Futurecast | Accertify's New Digs, Attackers Still Thirsting for your Inbox, and No Rest for the CISOs

#0004 Trust And Cyber Online 🌮

hello world [what’s up]

Hey there Cartomancers, hope you’re having a lovely day (if you see what I just did there). So I accidentally clicked on a productivity YouTube video this week (How to wake up early WITHOUT being tired (re-train your body clock) from Tayla Burrell) (btw: don’t train your YouTube algorithm that you like planners, habit hacking, or productivity - unless you want to be recommended a LOT of hustle culture), but it was a happy accident, I learned some stuff.

I’ve always wanted to be an early riser so this vid caught my eye. There are a couple of recommendations you might find familiar (find your caffeine window, find low-tech ways to down-regulate before bedtime, etc), but one item caught my attention and I’ve been working on: get some sun at the beginning of the day and the end of the day. Being an indoor kitty, I barely get any sun at all, but I can believe the quality of the light in the morning helps wake you up, while the light as the sun sets starts to naturally get the body ready to relax.

The sun has started coming out once in a while so I’m going to work on greeting the sun in the morning and waving “see you later” at the end of the day. I’ll let you know if that helps me sleep better and/or wake up earlier.

This week on the FutureCast we’ve got:

  • New Training Data aka News

    • Amex says Goodbye to Accertify, Why?

    • Scams: Shifting from the quick play to the long game, or nah?

    • The War for Your Inbox & Your Smartphone

  • Noodling in the Lab

    • CISO Lyfe: No Rest for the Weary, No Brakes in the Fast Lane

  • Recommended reading

    • No quippy overviews, just a couple of articles you might like

training data [what’s news]

🗨️ Why Say Goodbye to Accertify?

For months I’ve been hearing that American Express has been looking to sell its SaaS payment fraud screening service, Accertify. I didn’t really get the “why” behind the sale, but it’s been sitting in the back of my head for a while. If you’re not familiar, Accertify is a hosted app that sits between a merchant/retailer and its payment processor. And in the last couple of weeks, it’s happened: Amex has sold Accertify.

I mean, that’s good stuff. I was a user of Accertify in the early years following the acquisition, and as hosted fraud prevention apps go, it was pretty slick, in the sense that it had working integrations with device ID services, all the bells and whistles with the payment processors turned on, and it was fairly easy to navigate as a rules analyst. And it had Amex, one of the great payment innovators, sitting behind it.

Mid-2023, Amex was still promoting the idea that Merchants Need Modern Payment Systems to Meet Customer Demand, and by modern, they mean fast, digitized - and integrated. There are quite a few excellent fraud screening and risk detection tools that can be purchased and wired into one’s processor integration as a standalone service, but both Visa and MasterCard have their own suites of integrated services like Visa’s Cybersource and MasterCard’s Brighterion – even processors are offering integrated solutions, like TSYS’s PRIME Fraudguard. If integrated is the way to go, why sell?

Sadly, I’ve found little chatter to answer my questions. I even went back through some 10-Ks but don’t see share of revenue broken down by the subsidiaries I’d be interested in tracking - at least not in the ones that I scanned through. And the press releases, my friends - they are a bust. No context. What we know is that Accel-KKR is the buyer, and the close is expected in 2024. What went out on PR Newswire is better; we get details like:

  • 40% of the Top 100 online retailers, major global airlines, prominent sports betting platforms use Accertify

  • Global fraud detection and prevention market size was valued at $36.9 billion in 2022 and is projected to grow from $44.0 billion in 2023 to $182.7 billion by 2030

  • That’s a CAGR of 22.6% during the forecast period. 

This paints a rosy picture of Accertify and their growth potential; I’m not seeing red flags. So best I can figure, the investment required to capitalize on the growth potential was aligned with, but not core to, Amex’s strategy. The idea projected is they simply needed those resources for other investments. AKKR does love to snap up tech companies. Perhaps Amex still loves Accertify, they just thought maybe a more B2B investor could love them a little more? What do you think?

🗨️ Scams: Shifting from the quick play to the long game, or nah?

Last week Microsoft shared details on a new offering in its Entra Suite, Microsoft Entra Verified ID introduces Face Check in preview | Microsoft Security Blog. A complement to authentication technology, Microsoft is (again) stepping into the identity space, helpfully weighing in on some consumer identity verification techniques.

The timing is interesting, within a few days of this article from 404 Media, Inside the Underground Site Where ‘Neural Networks’ Churn Out Fake IDs. I’ve been speaking with companies that are besieged on both sides of the identity chain, but with all of the progress we’ve made on authentication, identity verification (or “proofing”) is still underserved, as SSN + DOB was the baseline for years, and what’s most easily available to companies in the US (running a quick check against bureau data) — but that’s been busted for years.

We keep adding public record or credit bureau data into these checks, but it’s just not enough: synthetic identities are as much of a problem in many markets as stolen identities, and we’re still running with the same toolset we had 10 years ago at customer onboarding. This plays out not just on the consumer side, but also on platforms that try to match buyers and sellers, hosts and vacationers (Booking.com scams that look 'so real' have surged, costing Australians thousands of dollars), and even employees and employers (Hackers Exploit Job Boards, Stealing Millions of Resumes and Personal Data). Note: Not to be too sunshine-y for you, but verifying the identity of a business is WAY HARDER than for a consumer.

I wonder if the advancements we’ve made in authentication (robbing scammers of quick wins associated with phishing) have turned these scammers to playing a longer game. It’s the difference between stealing someone’s banking password, and simply convincing them to send you money. Is this why scams are skyrocketing? If only we could see account hijackings decrease, we could figure out if we’re moving the market.

So things will get more interesting in this space, and although I’m skeptical of developing a reliance on biometrics in the verification process, we’re going to have to navigate this terrain one way or another.

🗨️ The War for Your Inbox & Your Smartphone

Speaking of the long game vs short games, those scammers might love the chance to romance you out of your funds - but they have not stopped hammering on people’s inboxes and devices.

🗨️ The OTHER bucket: No witty overview here, just links.

a noodle from the lab [what we’re working on]

🗨️ CISO Lyfe: No Rest for the Weary, No Brakes in the Fast Lane

Some articles for context:

For the last couple of years, the view from the hottest seats in cyber has been changing, and it’s a bit unclear about where it’s all leading. What’s going on? Well, there’s been a lot of discussion about:

  • CISO tenures (i.e. they’re short) and the impact that has on a) the executive’s ability to reasonably get up to speed, and b) the team/org they build and leave. 

  • Liability: A couple of high-profile cases have led folks to wonder not just “how do I land that gig”,  but “how do I land that gig and what do I need to negotiate into the contract to be successful…and safe”.

  • Technical skills: How technical does a CISO need to be? Should CISOs go through a tech screen? What’s the right skillset?

  • Business skills: How much strategy, executive presence, and leadership experience is needed for the role? 

  • Reporting relationship and Org design: Should the CISO report to the CTO, or the CEO? Is the security function an engineering function, and IT function, or something else?

  • Board-ability: Does the CISO have an independent relationship with the BOD or Audit committee? Or do they just drop in slides once in a while? Should the CISO “drive” or “train” the board, or are they there just to deliver status updates? 

  • Performance: Once in the door, what does success look like? Is success something that can be achieved with the budget provided? 

  • Remit: What’s in and what’s out of scope? How deep into the product does the CISO need to go? How broadly across the organization is it appropriate for the CISO to work?

  • Ecosystem: How connected does the CISO need to be to what’s going on in the ecosystem? From a threat perspective? From an emerging tech perspective? From a vendor/tooling perspective?

What seems to be happening is, CISOs are a “yes, and” role. Meaning - the modern CISO is expected to get elbow (neck, crown of head) deep into technical detail and also be strategic and business-savvy enough to span the entire business. They’re expected to report into whatever C-suite is handy, but also flawlessly align across all stakeholders, and make magic happen with a tiny team and a tiny budget. You know. “Yes, and” a unicorn too.

My strongest sentiment and intuition here is that (like any good economist) the answer to ALL of these questions is “it depends” (on the role, on the company, on the problem set at hand), and that what we’re going to start seeing in the CISO market is further specification/differentiation in roles, while we also (as a means of self-defense) develop more specificity on what’s “minimum acceptable” practice as a CISO. I’m guessing it will be a companion or module that connects to something like the NIST-CSF. If your program is this big/this mature, then the CISO needs to span this scope of practice. Further, we already see CISO specialization: I promise you the CISO of a startup is already a very different gig than the CISO of a Fortune 50 company.

Because there’s so much variation in the expectations, size, and opportunities of different roles - is it a problem if CISOs have (on average) shorter tenures than other executives? (Also, compared to what/who?) We talk about the short tenures as if they’re an indictment of the roles or of the folks who are coming in and out of them, but could it actually be an indicator of health — that a growing company is a different environment now than it was 18 months ago, and talent moves to where it’s most needed (and best compensated)?

  • Maybe you’re the “MVP CISO” adding a basic set of protections as things are just getting up and running, or you are the “Going Public CISO” who creates the concept of GRC and manages the cybersecurity program to a particular standard.

  • When I look at our peers, I definitely see folks who prefer to work with the larger resource set available at a public company, while others prefer building things from scratch. Very different scopes, very different skillsets needed.

  • Maybe this is how it is because companies change shape over time, their resource pool shifts, the threat model shifts, and CISOs either shapeshift in place or move onto new challenges that are a better fit?

Or maybe the economist in me is an optimist, and the CISOs have acceleration at the early end of a gig, and once they start grinding in place, they start looking for greener pastures and a break between roles to recover.

Regardless of the “why”, whether the CISO tenure issue is a problem or actually a sign of healthy mobility in a dynamic market, how will dynamics in the environment affect the growth and shaping of our industry? For example, will tenure end up forcing us to confront liability in a different way? The CISO Carousel, as dubbed by Security Week, creates churn that can be difficult for teams to bridge, and that churn itself can invite gaps or vulnerabilities in our security programs. If CISOs find liability burdensome, roles ill-fitting, or budgets too small, where does the liability go? An interesting question perhaps for cybersecurity insurers to think about - it might turn out they have a vested interest in whether the hottest hot seat in cybersecurity is sustainable.

find more cartomancy [what’s happening]

coming soon

▶️ On Feb 22, Join me at InfoSec Compliance Now, a free virtual event hosted by AuditBoard from 8:30 AM - 12 PM PT. I’m kicking off the event on a panel with presenters from Fannie Mae, Saviynt, and Cartomancy Labs (that’s me!), where we’ll discuss what 2023 taught us about AI and the ways it’s reshaping the compliance landscape. Reserve your spot today!

on demand

ttyl [what’s next]

Thanks for reading to the end of this set of lab notes. I’m thrilled to have some fellow travelers mapping out where we’ve been, philosophizing about where we want to be, and building the paths to get us where we’re going.

If you’ve read to the end and you find this content helpful, I’d love feedback. My news feed is full of leads, but my personal algorithm loves learning about what interests the community, so that I can focus in on what will be most useful. Just hit reply and your comments will come whizzing into my inbox. (It’s also a good way to find me if you are interested in working with me or with Cartomancy Labs).

See you next time on the Futurecast!

Allison

@selenakyle