Latest news with #CodeRED
TECHx
3 days ago
- Business
- TECHx
What Cybersecurity Vendors Must Do to Earn CISOs Trust
Home » Interview Of The Week » What Cybersecurity Vendors Must Do to Earn CISOs Trust What do CISOs really want from cybersecurity vendors? Denis Yakimov of Equiti Group offers a perspective in this exclusive interview published in CodeRED June–July Edition. From the importance of aligning cybersecurity initiatives with business strategy to the flaws in vulnerability management and the value of co-developing tools, Yakimov outlines what's working, what's broken, and how vendors can better support enterprise security goals in an evolving digital ecosystem. What are the top cybersecurity priorities for your organization this year? This year, our top priority is to support the business in achieving sustainable growth and stability as it works toward its strategic objectives. I often see CISOs setting goals in isolation focusing on internal KPIs or reacting to emerging threats without aligning with the broader business context. But it's critical to remember that security exists to enable the business, and everything we do should be guided by that principle. How do you align cybersecurity initiatives with overall business goals? Everything starts with the business setting its goals for the year, which are typically based on shareholder expectations. At Equiti, business goals are clearly defined and openly communicated, so every employee understands the direction in which the organization is heading. From a security standpoint, we use these goals as a foundation and, at the beginning of the year, during strategy planning, we brainstorm which cybersecurity actions will most effectively support the achievement of these goals. For instance, in 2024 we achieved ISO 27001 certification, which helped Equiti take a significant step toward building stronger trust with key clients and partners and becoming one of the leading brokers in the UAE. Similar security initiatives are aligned with goals related to operational resilience, among others. What are the key factors you consider when evaluating cybersecurity vendors? We take a comprehensive approach when selecting vendors, using comparison tables and well-defined evaluation criteria. These always include compatibility with our existing environment and compliance with local regulatory requirements. For example, in the UAE, financial institutions must store regulated customer data within the country, which immediately disqualifies many SaaS vendors without local data centers. Given that Equiti is a rapidly growing organization, scalability and ease of deployment are critical factors for us. Once all evaluation criteria are met, we proceed with a PoC, a data privacy assessment, and a third-party risk assessment. While the process may seem complex at first, we aim to complete evaluations at a startup pace – typically within 2–3 weeks. How do you prefer vendors to approach you, with education, product demos, proof of value? I believe that anything that helps evaluate a solution within the context of our own environment is highly valuable. I have a hard time understanding vendors who reject proof of concept and instead get caught up in internal approval cycles at this stage. For me, that's usually a yellow flag. If a vendor is willing to schedule as many meetings as necessary to ensure that the solution works effectively within our infrastructure, that is always an additional reason for me to prioritize them. It signals a high likelihood that they will continue to provide support after the purchase and that they have nothing to hide. What are the biggest gaps in current cybersecurity solutions that vendors should address? In my view, areas such as vulnerability management, despite their long history, are still underdeveloped. Even well-established and experienced vendors like Qualys and Rapid7 continue to generate a significant amount of noise in their vulnerability dashboards, and current prioritization methods do little to change that. I regularly speak with many CISOs across the industry, and I keep hearing about hundreds or even thousands of high and critical vulnerabilities reported by their VM solutions. Yet, in reality, 99% of security incidents are either unrelated to vulnerability exploitation or are linked to vulnerabilities that were not flagged or covered by these VM tools at all. Are there specific challenges in integration, scalability, or support that you've faced? We've encountered situations where we acquire a tool that fits our needs very well, but face challenges finding the right expertise to implement it properly, considering all the specific requirements. And it's not even about internal resources – it's about the expertise available on the market. While evaluating a solution itself is relatively straightforward, assessing the contractor's expertise, especially ensuring they are both trustworthy and fairly priced, can be quite difficult. I've previously worked at various MSPs, and I clearly remember how service providers often focused on selling the service first, while trying to acquire the necessary expertise during the implementation phase. What role do vendors play in helping you maintain compliance? When it comes to vendors and compliance, I truly appreciate the direction the market is taking toward GRC Engineering. I believe this area has the potential to become highly developed and popular in the future – similar to how DevSecOps gained momentum in its time. Take Vanta, for example. Although it is essentially a tool for automating GRC processes, its interface is so simple and intuitive that it has successfully captured a market even among startups—a segment where selling anything from the security domain is typically challenging due to immaturity and limited budgets. On our side, we are also taking proactive steps toward compliance automation. However, we must consider a wide range of factors, including our presence in multiple countries and various privacy obligations. How is your cybersecurity budget evolving year-over-year? There is a lot of talk on social media about cybersecurity underbudgeting, but in reality, many organizations tend to overinvest. A common pattern is CISOs onboarding numerous dashboards that generate excessive noise and offer limited optimization. At Equiti, even though we're open to increasing the cybersecurity budget, our team has been focused on cost optimization for two consecutive years, mainly through smarter licensing decisions. This often means replacing vendors – always with a proper risk assessment – but given the vast range of available solutions on the market, finding quality alternatives at a lower cost is rarely a challenge today. What's your advice to vendors looking to position their solutions for budget approval? My advice is not to focus on addressing yet another threat, but rather to demonstrate how your tool brings real business value. Modern CISOs are increasingly expected to speak the language of the business and sit at the board table. As a result, the tools in a CISO's toolkit should support business enablement, not just threat mitigation or the addition of another dashboard. If you look at the most successful cybersecurity companies such as Wiz, Okta, or Zscaler they've become integral to their customers' operations and have a direct impact on business efficiency. Have you collaborated with vendors on co-developing or customizing solutions? Absolutely. Vendors willing to adapt their roadmap for our needs are always strong candidates. For example, we're working closely with a SAST vendor that is developing integration features for one of our specific CI/CD environments. Since this environment is relatively niche and not widely supported out of the box, the vendor's willingness to invest effort in saving us extensive engineering time on custom integration has been a major factor in our decision. I must admit, this kind of flexibility is more common among small to mid-sized vendors. What common mistakes do vendors make when engaging with CISOs? Pushing too hard and being overly persistent. In my view, if someone genuinely needs your product, they will be responsive and willing to do whatever it takes to close the deal quickly. If you spend your time chasing people who show limited interest, you might move the deal forward temporarily, but in the end, it will likely fall through and you will have simply wasted time. What's one innovation or improvement you hope to see from vendors in the next 12 months? Although I remain skeptical about the grand future predicted for AI,where it is expected to replace humans, I personally would like to see more practices focused not on solving isolated micro-tasks or problems by introducing yet another tool to the portfolio, but rather on enabling the correlation of all available security data into a unified pool of interconnected knowledge. Such an approach could help predict where threats are most likely to emerge or which changes would yield the most significant impact. I believe that an AI system capable of aggregating insights across the entire organization and its cybersecurity tools could deliver this kind of value. In today's world, many security leaders still make strategic decisions based on educated guesses and abstract, subjective risk assessments essentially, reading tea leaves rather than relying on data-driven foresight.
TECHx
6 days ago
- Business
- TECHx
Startups Can't Afford to Ignore Cybersecurity: Interview
Home » Startups » Startups Can't Afford to Ignore Cybersecurity: Interview Fresh off an award win at GISEC North Star 2025, TECHx Media spoke with Vivek Chandran, CEO of RISKNOX Private Limited, for an interview featured in the recent June–July 2025 edition of CodeRED. In this conversation, he explains why cybersecurity has become a survival issue for startups. Size and speed no longer guarantee success. As cyberattacks grow more sophisticated, even early-stage startups are in the crosshairs. Once dismissed as too small to target, they now face the same threats as global enterprises. To understand what's at stake and what emerging businesses should do, Vivek brings a grounded, tactical view of the evolving threat landscape and how startup leaders can survive and thrive in 2025 and beyond. What are the top cybersecurity threats that startups should be most concerned about in 2025 and the coming years? The cybersecurity threat landscape isn't what it was even five years ago, it's evolving constantly. That's the first thing startups need to understand: it's not a static problem. The tools and tactics used by cybercriminals change every few months, if not weeks. If I had to pick the top three threats right now, AI-enabled cyberattacks would top the list. We're seeing a rise in sophisticated attacks powered by artificial intelligence, from deepfake phishing to automated vulnerability scanning and exploitation. These are faster, more adaptive, and harder to detect than traditional threats. Second, and this may surprise some, is human negligence. It's not a 'threat' in the classic sense, but it's often the root cause of security breaches. You can spend millions on tech, but one employee clicking the wrong link can still bring the system down. Humans remain the weakest link. And third, phishing is still a huge problem. It's old-school, but highly effective. Startups are particularly vulnerable because they often lack the infrastructure to detect and respond to social engineering attacks quickly. Phishing doesn't need to be advanced to be dangerous, it just needs to be convincing. How has the cybersecurity landscape changed over the past five years? What trends should startups keep an eye on? The past five years have been transformational. The biggest disruptor has been AI and, again, it's a double-edged sword. AI is helping us build smarter, more efficient cybersecurity tools that automate detection and response. But on the flip side, attackers are using the same AI to supercharge their campaigns. Another major shift is that every new technology introduces new vulnerabilities. AI, blockchain, IoT they all come with their own security challenges. And often, organizations adopt these technologies faster than they can secure them. Finally, governmental and regulatory forces are playing a bigger role. From GDPR to CCPA and now the Cyber Resilience Act, we're seeing a global trend toward mandatory cybersecurity compliance. This is actually a good thing it forces businesses to maintain at least a minimum viable security posture. Should cybersecurity be a legal responsibility for startups, or is that too ambitious at an early stage? In an ideal world, yes, cybersecurity would be a legal responsibility for every business, regardless of size. But in the real world, especially for startups, it's complicated. Startups often don't have the budget or the team to build a full-fledged cybersecurity framework. As a founder myself, I know how tough it is, cybersecurity can feel like a luxury when you're trying to stay afloat. But that doesn't mean startups are off the hook. What I believe and advocate is a shared responsibility model. Cybersecurity shouldn't be one person's job. Everyone, from founders to interns, should be aware of the basic principles of digital safety. Startups may not be able to do everything, but they can start with the basics: secure passwords, multi-factor authentication, data access control, and regular backups. These don't cost much but can go a long way. How do global data regulations like GDPR, CCPA, and the Cyber Resilience Act shape the way startups operate? They're reshaping the mindset and that's crucial. A few years ago, cybersecurity was often viewed as a luxury. Many smaller companies thought, 'Why would anyone target us?' That thinking no longer holds. These regulations are forcing accountability. They're saying: If you're collecting user data, you're responsible for securing it. No exceptions. And that accountability builds trust not just with regulators, but with customers. What these regulations have done is establish a baseline culture of cybersecurity. Even if a company isn't directly under the purview of something like GDPR, they often adopt the practices anyway to future-proof their operations. This is especially important as startups scale globally. Do you believe governments should impose stricter cybersecurity regulations on startups, or offer more support instead? Support first, regulations later. Imposing strict rules too early can backfire. Startups, already stretched thin, might try to find workarounds just to stay in business. What governments should do instead is invest in capacity-building offer grants, training programs, and subsidized tools. Help small businesses adopt best practices without breaking their budgets. Once there's a baseline maturity in the ecosystem, then phase in stricter compliance rules. This layered or phased approach is more sustainable and more effective in the long run. There's talk of a cybersecurity talent shortage. Is it really that hard to find skilled professionals? There's no shortage of interest but there is a gap between certifications and real-world skills. Many candidates have credentials but lack hands-on experience. Startups, in particular, need practical problem-solvers, not just textbook experts. What we need more of are experiential learning platforms, internships, cyber ranges, environments where people can learn by doing. For founders, my advice is to hire based on potential and adaptability. You might not be able to compete with tech giants on salary, but you can offer learning, autonomy, and purpose, which many securities professionals' values just as much. If you could give one piece of cybersecurity advice to every new founder, what would it be? Don't let lack of budget stop you from doing something. There are tons of free and low-cost resources out there from SANS to OWASP to NIST guidelines. You can absolutely build a minimal, but meaningful, cybersecurity foundation even if you're bootstrapping. Treat cybersecurity like any other critical function, your dev team, your HR, your marketing. It's not optional anymore. Even a basic security hygiene culture can drastically reduce your risk. Do you think cybersecurity will eventually be seen as a fundamental utility, as essential as electricity or water? Without a doubt. We already rely on digital infrastructure for everything, finance, healthcare, transportation, energy. If any of these go down due to a cyberattack, the consequences are devastating. Cybersecurity is no longer just about protecting data. It's about protecting lives and national security. We're also seeing how cyber warfare is becoming a central strategy in geopolitical conflicts. So yes, cybersecurity will and should, become a default layer of modern society. It's the new electricity. Invisible, but absolutely essential. Vivek Chandran's message to founders is clear: cybersecurity is a necessity, not a luxury. Startups may face budgetary and staffing constraints, but that's no excuse for ignoring the risks. From AI-driven threats to phishing scams and regulatory pressures, the cyber battlefield is real, and unforgiving. Fortunately, knowledge is power. And as Vivek points out, the tools to get started are already out there, many of them free. For founders in 2025, the goal isn't perfection, it's proactive protection
Boston Globe
24-07-2025
- Climate
- Boston Globe
Providence will retire its rarely-used emergency sirens, moving fully digital
'It could have actually further confused people,' Decerbo said in an interview with the Globe. The tragedy 'renewed the discourse about public alert and warning' across the country, she said. Advertisement Providence isn't prone to tsunamis, but has experienced Get Rhode Island News Alerts Sign up to get breaking news and interesting stories from Rhode Island in your inbox each weekday. Enter Email Sign Up 'Unless you are right next to it, and outdoors, you really can't tell what the person is saying,' Decerbo said. Indoors, it can only be heard within a half mile. And when the city conducted its regular tests of the sirens, people asked: 'what am I supposed to do when I hear a siren?' The city is now rolling out its new emergency alert plan starting Sept. 1, which includes decommissioning the sirens and streamlining the protocols for two types of digital alerts: one that comes to your phone automatically for life-threatening emergencies, and a second opt-in system for public information that is not life-or-death. Advertisement The recent Under the new operating procedure, a short list of people — including Decerbo, Mayor Brett Smiley, the fire and police chiefs and their deputies — can call the Rhode Island Emergency Management agency to send a Wireless Emergency Alert for a life-threatening emergency that requires an evacuation or shelter in place. (This system is already used for AMBER Alerts and National Weather Service warnings.) The city has pre-crafted messages in English and Spanish, which would then be pushed automatically to cellphones in the selected geographic area. Wireless emergency alerts should be turned on by default, though people can double-check in their phone settings that the sound is on so they can be woken up for a middle-of-the-night evacuation. (While reporting at the emergency management agency, a Globe reporter discovered she had silenced her own alerts.) The existing Clara Decerbo, Providence's emergency management director, can send a CodeRED alert from her computer. Steph Machado/Globe Staff The wireless alerts are useful in a life-threatening emergency like street flooding, for example, when the most dangerous place to be is in a car. Someone passing through Providence when flash flooding hits might not get a CodeRED alert, which is based on their address, but would get the wireless emergency alert. Advertisement While relying on cellphones is not a perfect system — power can go out, and phones can die — installing citywide sirens would be prohibitively expensive, Decerbo said, and still wouldn't solve the issue of residents deciphering what action to take if they hear a siren. Outdoor sirens are no longer considered a key component to emergency alert systems, especially outside of the tornado alley region in the central US, and civil defense sirens that once warned of air raids have been dismantled in most places. Once Providence decommissions its sirens, the only Rhode Island municipality that will still have them is Warren, a coastal town that installed two sirens for weather-related alerts several years ago. Brown University has its own private sirens, which were In Massachusetts, the only outdoor sirens still in use are in the towns within 10 miles of the Massachusetts also uses the Decommissioning the sirens will save Providence $20,000 to $30,000 a year in maintenance, plus the system was due for a pricey upgrade that would have cost $250,000, Decerbo said. Advertisement If something happened in the middle of the night, like the Texas flooding event, the backup plan to the phone alerts would be to send police and firefighters to evacuation areas and go door-to-door and use megaphones. The Texas flooding has prompted scrutiny over the warning system there, and concerns about cuts at the National Weather Service, which sends alerts about severe weather. Decerbo said she is 'very concerned' about national cuts to The city also contracts with meteorologist Steve Cascione, a former TV broadcaster, to help inform the city's emergency decisions. 'Texas is a really tragic and catastrophic example of how important public alert and warning is, and we want everyone to be aware of what we're doing,' Decerbo said. Steph Machado can be reached at
Yahoo
17-07-2025
- Climate
- Yahoo
Data: Kerr County sent first targeted alert two days after deadly flood
HUNT, Texas (KXAN) — Federal Emergency Management Agency (FEMA) data does not show a record of Kerr County officials issuing a locally targeted emergency alert to warn people in the area of the rapidly rising waters until two days after the deadly flood. The emergency flash flood warnings issued on July 4 and 5 came from the National Weather Service, which were distributed through CodeRED, a mass notification system that requires members of the public to register to receive alerts. As Kerr County leaders avoid alert questions, new audio surfaces in CodeRED timeline Records show the earliest warnings of the flash floods, which claimed more than 100 lives in Kerr County alone as of July 15, were issued by the NWS at 1:14 a.m. on July 4, telling people to move to higher ground. The county shared a San Antonio meteorologist's post on Facebook at 5:31 a.m. on July 4. County officials added their warning to the shared post, saying, 'Flooding along the Guadalupe River is happening now. Be safe and move to higher ground. Do not drive through water. Turn Around – Don't Drown!' After the initial alert at 1:14 a.m., an additional 21 flash flood alerts were issued by the NWS on July 4 in Kerr County, according to archived alert data. FEMA records indicate that the county itself never issued an alert on July 4 about the dangerous flash flooding through the Integrated Public Alert & Warning System (IPAWS), which can alert all phones in a geographical area, regardless of whether a person has enrolled for emergency alerts. Sheriff hints at 'after action' review, as records reveal warning of 'worst-case flood event' KXAN reached out to Kerr County officials about the timing of their alerts. This story will be updated when a response is received. Contrary to alerts issued by the NWS, IPAWS provides authorities the ability to write their own warning message, which is delivered through multiple communication pathways 'to reach as many people as possible to save lives and protect property,' according to FEMA. 'Utilizing multiple pathways for public alerts increases the likelihood that the message will successfully reach the public,' according to FEMA. The only IPAWS alerts Kerr County issued occurred on July 6 and July 13 due to the 'high probability' and 'high confidence' of river flooding, according to FEMA IPAWS data. Records show these Kerr County IPAWS alerts classified the severity of the weather events as 'Extreme' and the presence of an 'Imminent Threat' with headlines stating 'Evacuation Immediate' and 'Local Area Emergency.' According to FEMA IPAWS alert data, Kerr County Emergency Management Coordinator William 'Dub' Thomas is the person who authorized and issued the IPAWS alerts. KXAN reached out to Thomas for additional details regarding the alerts he authorized. A county commission meeting video from Nov. 16, 2020, shows Thomas advocating for the emergency alert system as lifesaving shortly before the commissioner approved the measure. Copyright 2025 Nexstar Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
Economic Times
14-07-2025
- Climate
- Economic Times
Texas flooding: stories of loss, resilience, and urgent need
Grief in Kerr County Camp tragedy Live Events What this crisis teaches us Nature's fury vs. human vulnerability In Flash Flood Alley, rivers can transform from gentle streams into walls of water in under an hour—catching even the prepared unaware. The value of modern alerts Had broader public-alert systems been activated sooner, more lives might have been spared. Now, the state is facing pressure to modernize and act faster. Community matters From families carrying each other on boats to college towns holding processions for victims, neighborliness is rising in response to tragedy. These moments of unity reflect the very best of the human spirit, even in darkest times. Legacy of loss Beyond the statistics—children, campers, parents, counselors, couples with plans and dreams—were lives rich in potential and love. Their absence is not just a number—it's a void felt in homes, campuses, and churches across Texas. How you can help & respond Stay weather-wise : If you're in the Hill Country or other flood-prone regions, sign up for public alert systems like IPAWS and CodeRED. : If you're in the Hill Country or other flood-prone regions, sign up for public alert systems like IPAWS and CodeRED. Support recovery : Many families need help with housing, food, and funeral costs—donations to vetted local groups can make an immediate difference. : Many families need help with housing, food, and funeral costs—donations to vetted local groups can make an immediate difference. Push for change : Reach out to local representatives to advocate for upgrades to early-warning systems and better emergency protocols. : Reach out to local representatives to advocate for upgrades to early-warning systems and better emergency protocols. Hold space for grief: In towns across Texas, vigil events and memorials are planned to honor those lost. Sharing their stories helps ensure they're never forgotten. (You can now subscribe to our (You can now subscribe to our Economic Times WhatsApp channel In the heart of Texas Hill Country, the floods claimed at least 132 lives—many in Kerr County , where entire families and groups of campers were swept away in a matter of hours. Boats, trailers, and homes vanished as the waters tore through the Guadalupe River canyon. Authorities are still searching for over a hundred people believed to be missing. One of the most heartbreaking stories: a young college student who stayed behind to help shelter loved ones, his final call cut short by the raging flood before his home was washed away. His voice now a powerful reminder of bravery in utter Mystic and a neighboring youth camp were struck at night, with dozens of campers and counselors caught in flash floods . A camp leader delayed evacuation—making split-second decisions as waters surged. The loss of children and caregivers has left families and communities shattered. Investigations reveal that code-based alerts (CodeRED) were used instead of broader systems like IPAWS. Residents didn't receive timely warnings via all channels—some alerts arrived after the worst had already passed, spurring calls for and recovery efforts continue—amid rising rivers and renewed storms. Crews are using boats, drones, sonar, and dog teams to bring closure to families. But the danger isn't over: flood watches persist, and another round of heavy rain is on the started as a holiday weekend turned into one of the deadliest inland flood events in modern U.S. history. The immediate focus is on rescue and recovery—but the deeper challenge lies in learning, adapting, and preventing future tragedies.
