HOW IS THIS POSSIBLE?

Attackers deliberately target your backups to render them unusable. They do this in three ways:

🔸 by deleting your backup
🔸 by encrypting your backup
🔸 by modifying your backup so that when you restore it, you have the wrong data

WORM AS PROTECTION

So how do we protect ourselves from this threat? Enter WORM. WORM stands for "Write Once, Read Many." It's the concept of immutable storage. Immutable means you cannot change it.

The idea behind it is that if you take your backup and place it in immutable storage — meaning you write it once, and then it can no longer be touched, changed, or altered in any way, shape, or form — your data remains protected. Modifying your backup would result in a new version, while your original remains intact.

WORM is a very important part of any data protection strategy. Having immutable backup is not just about compliance. It's also about 𝗧𝗥𝗨𝗦𝗧:

Can you really trust your backups? Can you really trust that data — such as sensitive customer information, financial information, and intellectual property — remains intact, so that when the time comes and you have to restore your backup, the data is still the same?

Or do you run the risk that it has been tampered with?

SO WHAT?

So having WORM and immutable storage is not just about security and compliance, but also about trusting the authenticity and the veracity of the data. And so here's the real challenge: is WORM part of your data protection strategy today? Has it been implemented in a way that actually does the job? Are your backups stored immutably? Are they protected from accidental deletion?

👉 If not, make WORM part of your data protection strategy today. Implement immutable storage to ensure your backups remain safe and secure.

Stay sharp,
Jetro

PS: Here's the NIST CSF 2.0 reference to this topic: PR.DS-11 (PROTECT: Data Security). And CyFun: PR.IP-4 (PROTECT: Information Protection Processes and Procedures).

🔔 My goal is to help as many European organizations as possible turn their fragmented cybersecurity into well-governed cyber resilience.

Here’s how I usually help:

🔸 Fractional CISO services
🔸 Cyber risk assessments
🔸 Certified training
🔸 Keynotes

👉 Want to talk? Reach me at: ciso@bluedragonsecurity.com :: +32 495 81 47 41 (WhatsApp OK)

THE REALITY

But here's the reality: legislation doesn't protect us.

You might say, "Jetro, what do you mean?" Well, legislation doesn't protect us because it cannot stop a threat from being carried out. Legislation serves as a deterrent, scaring off potential bad actors. And it's also good as a punitive measure after the fact.

But in the heat of the battle, there's no protection of the law, because the attack is actually happening.

Let me give you an example. The law says: "You shall not steal." That's all great. But if I park my car in the middle of the city, leave it unlocked for a whole day and night, and come back the next day, I’ll probably find it broken into or even stolen. So even though the law says "you shall not steal," there's no real protection in that moment. The law alone won't stop someone from taking it.

TECHNICAL CONTROLS

What we need are technical controls. Technical controls really implement security. They're the real protection. In the car example, I can lock the doors, install an alarm, use reinforced windows, or even leave my bulldog inside the car to welcome those thieves. Those are real protective measures. And the law? It’s good before and after the fact.

The same idea applies to cybersecurity. A company can have a policy that says: "No USB drives allowed." That sounds great. But if the USB ports are not disabled, a bad actor can still use their USB drive to copy sensitive information.

Or a company might have a rule that says: "No unauthorized access behind this door." Again, sounds good. However, if the company fails to enforce it with badges, scanners, guards, cameras, or biometric scanners, anyone can walk in and gain access.

You need technical controls to keep you safe. Laws and regulations are great before and after. In cybersecurity, technical controls include measures such as:

🔸 Encryption
🔸 Multi-factor authentication
🔸 Real-time monitoring
🔸 Identity and access management
🔸 And much more

SO WHAT?

Laws and regulations are good and have their place, but they can't stop an attack when it’s happening. For that, you need technical controls.

My challenge to you is the following: Are you relying too much on policies and regulations? In which areas do you still need to deploy technical controls for real protection?

👉 Remember, modern cybersecurity management is Documentation (policies) 𝗔𝗡𝗗 Implementation (controls).

Stay sharp,
Jetro

🔔 My goal is to help as many European organizations as possible turn their fragmented cybersecurity into well-governed cyber resilience.

Here’s how I usually help:

🔸 Fractional CISO services
🔸 Cyber risk assessments
🔸 Certified training
🔸 Keynotes

👉 Want to talk? Reach me at: ciso@bluedragonsecurity.com :: +32 495 81 47 41 (WhatsApp OK)

In cloud security, we call this the shared responsibility model. There's a responsibility for the cloud provider and the cloud consumer. That’s you.

Now you may ask, "Jetro, what am I always responsible for?" Three things.

Information & Data

You're always responsible for your information and data. So whatever you put into the cloud, you have to make sure that you back it up, for example. There's no default backup. Yes, hyperscale cloud providers often have these nice features that automatically back up your data, but you have to activate and configure them. That's the whole point.

When I give training, I often ask people: "How many of you are using OneDrive or Google Drive?" All the hands go up. And then I ask, "How many of you backup their data from OneDrive and Google Drive?" And they’re like, "Wait, I have to backup OneDrive?" Yes, because the cloud provider is responsible for having a secure platform available, but you're responsible for the data you put there. So yes, you need to back up your OneDrive, Google Drive, and cloud storage.

Devices (Endpoints)

The second thing you're always responsible for is devices, all the endpoints. Think of smartphones, laptops, and servers; they all connect to the cloud. You have to keep them up to date, patched, and secured. If not, your endpoint is at risk, and therefore your data in the cloud is at risk. Keeping your devices and assets up to date is very important.

Accounts & Identities

The third thing you're always responsible for is accounts and identities. Remember, in the cloud, identity is your first line of defense. It's a public cloud, meaning everybody could theoretically connect to your environment. But who manages the identities? You. Who's responsible for keeping those identities up to date? You.

Remember, identities are not just people — they include devices, APIs, applications, and of course, natural people. They all have an identity, and with an identity comes access privileges. So you're responsible for keeping your identities up to date and well privileged — not overprivileged.

In summary, yes, public cloud is more secure than on-premise if configured well. But you're always responsible for three things:

🔸 Information & Data
🔸 Devices or Endpoints
🔸 Accounts & Identities

Stay sharp,
Jetro

🔔 My goal is to help as many European organizations as possible turn their fragmented cybersecurity into well-governed cyber resilience.

Here’s how I usually help:

🔸 Fractional CISO services
🔸 Cyber risk assessments
🔸 Certified training
🔸 Keynotes

👉 Want to talk? Reach me at: ciso@bluedragonsecurity.com :: +32 495 81 47 41 (WhatsApp OK)

(Based on information published in De Tijd, 22–23 May 2025)

In May 2025, KBC Securities Services — a subsidiary of the Belgian financial group KBC — confirmed a major data incident involving approximately 5,000 clients. Due to a human error at an external service provider, clients received documents intended for other individuals. These included portfolio positions, internal service rates, and other sensitive financial information.

This was not a breach caused by malware or a cyberattack. It was a supply chain failure, and a deeply human one — with trust, confidentiality, and reputational risk on the line.

Some affected clients could easily identify other investors based on the leaked data. One customer even noted that he recognised a peer as a shareholder of a well-known company and that the portfolio in question was “not small.”

KBC apologised and immediately launched an internal investigation. As of now, no compensation has been announced, and the name of the external service provider involved has not been disclosed publicly.

A Familiar Pattern: Data Exposure Without Hacking

KBC Securities Services provides custody and securities-related services to asset managers, private banks, institutional investors, and family offices. During the annual dispatch of fee statements, a misconfiguration or mislabeling of client records by a third-party vendor caused documents to be sent to unintended recipients.

According to De Tijd, this means:

• Specific clients gained insight into competitors’ portfolios

• Some documents contained commercially sensitive data

• The incident impacted a “limited number of clients” — but 5,000 in total were affected

The Hidden Risk: Third-Party Supplier Security

This case highlights a well-known yet still underappreciated reality: most modern breaches don’t stem from firewall breaches but from weak processes and poor supplier governance.

Two European regulations put this into sharp focus:

NIS2 (for essential & important entities):

• Requires organisations to identify and manage supply chain cyber risks

• Demands oversight of ICT service providers, especially in critical services

• Emphasises incident reporting, including for vendor-related events

DORA (for financial entities):

• Imposes strict rules on third-party ICT risk management

• Classifies vendors as “critical” or “non-critical” with different oversight duties

• Requires notification of major ICT incidents within 4 hours

• Mandates exit strategies, audit rights, and resilience testing

In this case:

• A third-party contractor linked documents to the wrong recipients

• KBC was still held accountable, despite the error occurring externally

• Regulators may investigate under GDPR, NIS2, and DORA

What the Law Requires — and Reality Often Ignores

It’s not enough to sign contracts or fill in due diligence checklists. Under modern EU legislation, organisations are expected to:

• Understand how data flows across their extended digital supply chain

• Proactively govern, monitor, and audit key ICT suppliers

• Include data protection and breach clauses in vendor agreements

• Run simulations and tabletop exercises that include vendor-related failures

KBC is now facing the real-world consequence of what happens when this isn’t watertight — even if the organisation’s internal systems remained uncompromised.

Leadership Actions to Take Now

This incident can — and should — be seen as a learning opportunity for every European organisation that handles sensitive data or outsources digital services.

Here’s what leaders should focus on:

1. Map Your Supplier Ecosystem

   Identify all ICT, SaaS, and data-related service providers — not just Tier 1.

2. Conduct Real Due Diligence

   Ask for evidence of security practices, audits, breach logs, and recovery processes.

3. Strengthen Contracts

   Add clauses for breach reporting, data segregation, audit rights, and minimum standards.

4. Include Vendors in Incident Response Exercises

   Don’t stop at phishing drills — simulate a vendor error with client impact.

5. Link This to Board-Level Risk

   Supplier risk is now board-level accountability under both NIS2 and DORA.

Final Thought: The Next Mistake May Be Invisible Until It’s Too Late

KBC’s fast response and transparency are commendable. But even with compliance training, automated checks, and layered controls, one human error at one vendor triggered a regulatory, reputational, and operational crisis.

This wasn’t about firewalls. It was about governance.

The lesson?

Third-party security is not a back-office issue. It is a core part of your business resilience.

What You Can Do Next

Based on recent assessments, most European organizations still lack sufficient visibility and control over their ICT service providers.

To help you get started, we’ve developed a concise Third-Party Security Maturity Checklist to assess your readiness for NIS2 and DORA.

✅ Want to benchmark your practices?
✅ Need support with vendor governance or contract clauses?
✅ Curious about real-world resilience planning?

👉 Call us or reach out via WhatsApp: +32495814741

About the Author
I’m Jetro WILS. I help mid-sized organisations and critical sectors build real cyber resilience — not just checkboxes — by aligning security governance with NIS2, DORA, and modern cloud environments.

As a Chief Information Security Officer, I Strengthen Cybersecurity Management, Compliance, and Resilience for European Organizations.

Disclaimer

This article is based on publicly available information from De Tijd (22–23 May 2025) and does not represent an official investigation or legal conclusion.

Sources:

• https://www.tijd.be/ondernemen/banken/kbc-riskeert-stevige-reputatieschade-na-datalek/10608733.html

• https://www.tijd.be/ondernemen/banken/data-van-duizenden-klanten-gelekt-bij-effectendochter-kbc-bank/10608636.html

Now, they're moving to the cloud, and suddenly, the equipment fades away, their data is somewhere in the cloud, and they're thinking, "Is public cloud secure enough to store my data?" And that’s because they have less control.

It's a fair question to ask.

But here is what I always say to those clients: Public cloud, if configured well, is more secure than on-premises. But if misconfigured, your data is on the street.

So why is that? These hyperscale cloud providers are intrinsically motivated to build the most secure and scalable platform available. They want to host many customers worldwide, so if their platform is not secure, it will kill their business case. They are invested in having the most secure platform.

The second reason a public cloud is more secure than on-premises is the security teams that monitor it 24/7 at these hyperscale cloud providers. They can quickly locate and respond to security incidents and then roll out these security improvements worldwide.

Let me give you an example. If something's happening in Azure Australia, here in Europe, we're sleeping; it's the middle of the night, but in Australia, something's going on with Azure. They will remediate that incident. They will even push out an update across Azure worldwide. So here in Azure West-Europe, we get these security benefits as well, while even sleeping.

So by joining a hyperscale cloud provider, we are falling under the protective umbrella of their cybersecurity teams.

So, first, they have a vested interest in building the most secure platform available. It’s their core business. Second, they have 24/7 SOC teams that are always up-to-date, keeping track of what's happening and publishing these updates worldwide.

So, a local security incident triggers an update for the whole global ecosystem. That’s one of the benefits.

Conclusion

So, to wrap up, why is a public cloud by default more secure than on-premises?

1. Because these hyperscale cloud providers are vested in building the most secure platform, it’s their economic engine and whole business.

2. They monitor what's going on 24/7 worldwide. You can benefit from the updates from the other side of the world. So that is the protective umbrella of a hyperscale cloud provider.

All I just said is one half of the story.

Yes, the hyperscale cloud provider is responsible for building the most secure platform they can. But on the other hand, you are responsible for configuring that platform as securely as possible. So with a misconfiguration, your data is on the streets. But if you configure it well, it is more secure than on-premises.

How do misconfigurations happen? Well, that is something for another video.

Stay sharp,
Jetro

🔔 My goal is to help as many European organizations as possible turn their fragmented cybersecurity into well-governed cyber resilience.

Here’s how I usually help:

🔸 Fractional CISO services
🔸 Cyber risk assessments
🔸 Certified training
🔸 Keynotes

👉 Want to talk? Reach me at: ciso@bluedragonsecurity.com :: +32 495 81 47 41 (WhatsApp OK)

The conversation covers various themes including the benefits of moving to Azure, the cultural shifts required for cloud adoption, architectural considerations for cloud migration, the significance of network design, and the financial implications of cloud services through FinOps.

In this conversation, Jetro and Josh discuss the critical aspects of cloud operations, focusing on Cloud FinOps, automation, cybersecurity, and the Azure ecosystem.

They emphasize the importance of investing in skills for IT operations, the role of automation in enhancing security, and best practices for OLTP systems in Azure.

The discussion also covers the significance of governance and security in cloud operations, the reality of serverless computing, and the future of Azure with technological innovations.

CHAPTERS

(00:00:00) INTRO

(00:00:42) Introduction to Azure Integration and Author Background

(00:05:33) Unlocking Opportunities with Azure for IT Leaders

(00:10:09) Cultural Shifts in Cloud Adoption

(00:12:04) Architectural Considerations for Cloud Migration

(00:16:39) The Importance of Network Design in Azure

(00:21:50) Understanding Cloud Costs and FinOps

(00:25:12) Understanding Cloud FinOps and Cost Management

(00:25:45) The Importance of Automation in Cloud Operations

(00:30:33) Investing in Skills for IT Operations

(00:31:38) The Role of Automation in Cybersecurity

(00:32:09) Best Practices for OLTP Systems in Azure

(00:35:07) Exploring the Azure Ecosystem for Data Analytics

(00:37:33) Serverless Computing: Hype or Reality?

(00:43:28) Governance and Security in Cloud Operations

(00:45:47) The Future of Azure and Technological Innovations

Graham Gold, co-author of the Microsoft Cybersecurity Architect Exam, discusses extensive background in IT, the relevance of cybersecurity architecture in cloud environments, and the evolving landscape of cybersecurity practices.

Key topics include the importance of identity management, the challenges of hybrid cloud environments, and strategies for assessing and improving security in cloud applications.

The conversation emphasizes the need for visibility, risk management, and a proactive approach to cybersecurity. Moreover Graham Gold discusses critical aspects of modern security architecture, emphasizing the importance of least privilege, segregation of duties, and the roles of SIEM and SOAR in enhancing security operations.

He highlights the necessity of automation in security processes to keep pace with the rapid changes in cloud environments.

The discussion also covers the state of security awareness in financial services, navigating compliance in the cloud, budgeting for security investments, and the shared responsibility model in cloud security.

Finally, Graham provides insights on preparing for the SC-100 exam and his future endeavors in the field of security.

CHAPTERS

(00:00:00) INTRO

(00:00:40) Introduction to Cybersecurity Architecture

(00:03:57) Understanding Microsoft Certification Levels

(00:05:52) The Relevance of Cybersecurity in Cloud

(00:08:03) Shifts in Cybersecurity Architecture with Cloud

(00:11:11) Identity as the New Perimeter

(00:15:59) Challenges in Hybrid Cloud Environments

(00:20:05) Making Sense of Data in the Cloud

(00:24:57) Assessing Security in Cloud Environments

(00:31:36) Implementing Defense in Depth Strategies

(00:33:10) Understanding Least Privilege and Segregation of Duties

(00:33:38) The Role of SIEM and SOAR in Security Architecture

(00:36:01) Automation in Security Operations

(00:38:36) The State of Security Awareness in Financial Services

(00:40:39) Navigating Compliance in the Cloud

(00:43:22) Budgeting for Security: Prioritizing Investments

(00:50:38) The Shared Responsibility Model in Cloud Security

(00:53:35) Preparing for the SC-100 Exam and Future Insights

Eyal Estrin discusses his background in cloud security and the importance of adapting to new security challenges in cloud environments.

He emphasizes the shared responsibility model, the critical nature of identity and access management, and the risks associated with neglecting cloud security.

Also he shares insights on budgeting for security investments, balancing agility with security, and common pitfalls organizations face in cloud security.

In this conversation, Eyal Estrin discusses various aspects of cloud security, focusing on identity and access management, data protection strategies, and the importance of knowledge in cybersecurity.

We emphasize the need for organizations to adopt best practices in managing identities, implementing encryption, and preparing for future threats in the cloud landscape.

The discussion also highlights the significance of privileged identity management and the role of training in bridging knowledge gaps among IT professionals.

CHAPTERS

(00:00:00) INTRO

(00:00:36) Introduction to Cloud Security and Eyal's Background

(00:02:46) Understanding Cloud Security Challenges

(00:04:25) The Importance of Cloud Security Today

(00:06:15) Shared Responsibility Model in Cloud Security

(00:08:18) Key Risks of Neglecting Cloud Security

(00:10:49) Changing Mindsets in Cloud Security

(00:13:04) Layered Security Approach in Cloud

(00:15:23) Budgeting for Cloud Security Investments

(00:18:31) Balancing Agility and Security in Cloud Deployments

(00:26:26) The Cornerstone of Identity and Access Management

(00:28:37) Common Pitfalls in Identity and Access Management

(00:29:57) Enhancing Identity and Access Management

(00:31:00) Break-Glass Scenarios in Production Environments

(00:32:48) Privileged Identity Management (PIM) Insights

(00:34:46) Data Protection and Encryption Strategies

(00:39:10) Future Threat Landscape in Cloud Security

(00:43:09) Bridging the Knowledge Gap in Cybersecurity

(00:45:29) Final Thoughts on Cloud Security Best Practices

In this episode of the Blue Dragon podcast, Krishna Chaitanya Rao Kathala, author of 'Privacy in the Age of Innovation' discusses the importance of privacy in the context of AI, the role of Privacy Enhancing Technologies (PETs), and how organizations can implement these technologies to ensure compliance with regulations like GDPR.

Krishna explains various techniques such as differential privacy, federated learning, and homomorphic encryption, and emphasizes the need for a structured approach to data governance and security in AI applications.

CHAPTERS

(06:11) The Rise of AI and Privacy Concerns

(09:00) Key Techniques of Privacy Enhancing Technologies

(12:00) Implementing PETs in AI Lifecycle

(18:01) Choosing the Right PET for Your Organization

(24:50) Building Secure AI Solutions

(29:49) Best Practices for Cloud Security in AI

(34:50) Measuring Effectiveness of PETs

(45:02) Conclusion and Future Directions

In reality

Of course, in reality, that doesn't happen that often. Typically, an organization has 5 or 10 IT people, and they do everything. They onboard new colleagues, they keep the printers and the WiFi working, they have to test new applications and roll them out. And then you're going to ask them to, on top of that, do a 24/7 monitoring of their entire security events and respond on time? That is tricky.

So what I typically say is a SOC costs between 1 and 1.5 FTE.

1. But this FTE never goes to sleep because it's the whole team behind it. So it's available 24/7.

2. This FTE never falls ill because there's a whole team behind it.

3. And this FTE is always up-to-date on the latest cyber threats, trends, technologies, and practices because we get trained all the time.

Basically, you can offload or delegate that responsibility to a Managed Security Service Provider (MSSP), which means that your people are now free to work on real valuable things for your organization. Things that only they can do because it's something really internal.

Now, the beauty of this is that if you have a good external SOC, they also have a lot of automation, and so a lot of things will get handled automatically. In this way, you can unburden your team and keep them focused on the things that really matter and bring business value.

Conclusion

So why do you need a SOC? You don't always need one, but typically, especially in the SMB market where you only have 5 or 10 IT folks doing everything, it is wise to have an external SOC.

Stay sharp,
Jetro

🔔 My goal is to help as many European organizations as possible turn their fragmented cybersecurity into well-governed cyber resilience.

Here’s how I usually help:

🔸 Fractional CISO services
🔸 Cyber risk assessments
🔸 Certified training
🔸 Keynotes

👉 Want to talk? Reach me at: ciso@bluedragonsecurity.com :: +32 495 81 47 41 (WhatsApp OK)

Now, what is that?

Imagine your organization one day gets a cyber attack. Ransomware is installed, everything is encrypted, systems are down, sensitive documentation and information are stolen, and basically, the whole organization is shut down. We've seen this with hospitals and governments as well. What do you do? How do you respond? That’s your Incident Response plan or procedure.

Now, when I ask this question to clients, typically, they say, very honestly, "Well, Jetro, that's a great question. If this would happen, all hell would break loose, and we would panic." And that is the reality. So, what NIS 2 mandates is that we prepare for such an event and have our Incident Response plan documented.

What does that mean?

Document the roles and responsibilities:

• Who is responsible for what?

• Who is responsible for cloud systems and on-premise systems?

• Who is the Data Protection Officer?

• Who will communicate with the press or the outside world in case of such an incident?

All these roles and responsibilities need to be documented.

But also:

• Which authorities will we contact or inform of such an event?

• Who will do the contact and outreach to the government and the authorities?

• What are the communication channels?

Panic mode

During a crisis, everybody is in panic mode. How do we communicate? Some organizations have all this information on SharePoint, but if SharePoint is unavailable, well, good luck finding out who to contact and when.

So, what I always recommend is to have a backup communication channel, such as a WhatsApp group, for emergency purposes only. That is all about documenting all the steps we need to take in case of a crisis or an incident.

Practice

The second thing is we need to practice. Just like with fire drills, where we physically sound the fire alarm, evacuate to the designated spot, and perform headcounts, we need to do the same in the cyber world. Cyber incidents must be drilled and simulated throughout the year.

Lessons learned

The third thing we have to do is a lesson-learned exercise. While doing these exercises, you will find some bottlenecks or things that didn’t go well. That's perfectly fine. We learn from them and use that knowledge to update documentation and procedures, drill again, and continue improving.

NIS 2 is not about achieving perfection. It is about increasing your cyber resilience through continuous improvement.

Conclusion

So three key takeaways:

1. Document your Incident Response procedure and have a backup communication channel.

2. Conduct exercises, drills, and simulations—practice, practice, practice.

3. Learn from mistakes, refine processes, and apply that knowledge to improve.

By following these steps, you will increase your organization's cyber resilience.

Stay sharp,
Jetro

🔔 My goal is to help as many European organizations as possible turn their fragmented cybersecurity into well-governed cyber resilience.

Here’s how I usually help:

🔸 Fractional CISO services
🔸 Cyber risk assessments
🔸 Certified training
🔸 Keynotes

👉 Want to talk? Reach me at: ciso@bluedragonsecurity.com :: +32 495 81 47 41 (WhatsApp OK)

Two Dimensions

Documentation is all about how well you have written down your information security policies and governance. Think of, for example:

• How do we deal with USB drives?

• How do we deal with third-party software, and how do we download and install it on your system?

• How often should we do backups?

That's all documentation.

On the other hand, there’s Implementation. That is effectively installing, enabling, and activating controls to keep your environment safe. So, effectively installing anti-malware, doing effective training on anti-phishing, and blocking USB drives.

Four Quadrants

Now, NIS2 looks at both dimensions. And that’s interesting because then you can combine them and have four different personas or profiles of a company.

If you have a lot of Documentation but not a lot of Implementation, you are a PAPER TIGER. There’s a lot of stuff in the cabinets and on paper, but not much has been implemented.

On the other hand, if your team is doing a lot of Implementation and really putting up controls, but they lack the legal framework or the governance around them, I call them ACTION HEROES. They are in the field doing the work, but there is no legal backup.

If your organization is doing both Documentation and Implementation, hey, you are the ROLE MODEL. Congratulations! Keep going.

And if your organization is low on Documentation and low on Implementation, you are a GHOST. You really don't exist according to the NIS2 security standards.

And you?

So, with that said, comes an interesting question: What type of organization are you working in? Are you the Action Hero? Are you the Paper Tiger? Are you the Role Model? Or are you the Ghost?

Think about that.

You need both Documentation and Implementation.

Stay sharp,
Jetro

🔔 My goal is to help as many European organizations as possible turn their fragmented cybersecurity into well-governed cyber resilience.

Here’s how I usually help:

🔸 Fractional CISO services
🔸 Cyber risk assessments
🔸 Certified training
🔸 Keynotes

👉 Want to talk? Reach me at: ciso@bluedragonsecurity.com :: +32 495 81 47 41 (WhatsApp OK)

Imagine you’re an organization that really did its best to log as much as possible, keeping everything centralized, baselining the timestamps, and actually keeping the log files for three to six months. Great! But now what?

Sitting on a digital shelf

Let's be honest. You're going to have log files of thousands of events. Nobody is going to sift through all those events looking for potentially suspicious activities. So, typically, the log files are just sitting there on a digital shelf.

Nobody's doing anything with them.

That is not leveraging the log files.

Machine Learning

In a modern security architecture, you want to apply machine learning to those log files. AI is built for pattern recognition. It can detect the normal pattern of your organization's flow and then identify anomalies, weird events, and risky activities. Once detected, it triggers an alert.

Then, a human security operator will review these preselected events flagged by AI. That is the way forward. This whole system is called a SIEM—Security Information and Event Management system. A SIEM helps process logs efficiently.

Conclusion

You need three things:

🔸 First, centralize your log files, as mentioned in the previous video;

🔸 Second, apply machine learning to analyze those logs;

🔸 Third, respond to the anomalies.

This way, your security team is not overwhelmed by manual work and can focus on critical threats.

And that is the way forward.

Stay sharp,
Jetro

🔔 My goal is to help as many European organizations as possible turn their fragmented cybersecurity into well-governed cyber resilience.

Here’s how I usually help:

🔸 Fractional CISO services
🔸 Cyber risk assessments
🔸 Certified training
🔸 Keynotes

👉 Want to talk? Reach me at: ciso@bluedragonsecurity.com :: +32 495 81 47 41 (WhatsApp OK)

The lack of centralized logging or leveraging logs.

Let me explain.

Imagine you have to secure a building because inside are very valuable crown jewels. It's in the middle of the night; it's pitch black outside.

You know there are gates and fences, and you may even have some security guards patrolling, but there are no cameras, sensors, or communication between the guards.

How will you efficiently detect an attack?

You're blind.

That's the equivalent of an organization that does not log its events.

Digital Real Estate

In the digital real estate, events or activities happen all the time:

🔸 Users log in from all over the place

🔸 New devices connect to your environment

🔸 Data flows in and out of your network

If you're not logging these things, you're blind.

So, rule number one is to log these events.

Rule number two is to centralize these logs.

I still see too many organizations with these log files scattered everywhere, which is inefficient when performing post-processing and analysis. So, centralize, normalize, and baseline the timestamps to apply post-processing.

The third rule is to store these logs for a long enough time.

I recommend three to six months.

Why?

Because most breaches are only discovered after weeks or even months. If you only log in for one month, you're still basically blind to how the attacker accessed your environment.

So, three to six months.

Conclusion

To summarize, one of the top findings is the lack of centralized logging and the application of the logs for analysis.

Three rules:

🔸 Log as much as you can

🔸 Centralize the logs and normalize the timestamps

🔸 Keep these logs for three to six months

Now, that, of course, is just step one.

Step two, well, that's for another time.

Stay sharp,
Jetro

🔔 My goal is to help as many European organizations as possible turn their fragmented cybersecurity into well-governed cyber resilience.

Here’s how I usually help:

🔸 Fractional CISO services
🔸 Cyber risk assessments
🔸 Certified training
🔸 Keynotes

👉 Want to talk? Reach me at: ciso@bluedragonsecurity.com :: +32 495 81 47 41 (WhatsApp OK)

(00:00) Introduction and Background

(06:47) The Evolution of Cloud Security

(10:40) Data Classification and User Awareness

(13:44) Privacy Regulations: Europe vs. US

(23:59) Assessing Risk Culture and Tolerance

(26:24) The Importance of Planning and Preparedness

(30:11) Building a Risk-Aware Organization

(34:16) Allocating Budget for Security Initiatives

(38:54) The Critique of 'DevSecOps'

(44:15) The Future Outlook: Expanding Training Services and Mentoring Initiatives

CHAPTERS

(00:00) Understanding Operating Models

(08:02) The Impact of Cloud and Edge Technologies

(12:58) The Failure of Bimodal IT

(23:44) Building a Foundation for Future-Proof IT

CHAPTERS

(00:00) Introduction and Background

(08:32) Practical AI in Industrial Environments

(13:09) Case Study: Using AI in Manufacturing

(21:58) Taking Action Based on AI Signals

(24:02) The Impact of AI on Organizational Culture and Processes

(26:04) The Importance of Data Quality and Preparation

(28:47) Considering Alternative Technologies and Starting from the Desired Output

(32:00) Continuous Training and Retraining of AI Models

CHAPTERS

(00:00) Introduction and Background

(03:03) Understanding Cloud Security Posture Management (CSPM)

(05:18) The Benefits of Cloud Security Posture Management

(09:17) Integrating CSPM into the Cloud Security Ecosystem

(19:04) The Importance of Cloud Asset Inventory in Cybersecurity

(25:05) Addressing the Perception of Cloud Insecurity

(29:02) Compliance Management and Governance in the Cloud

(32:06) Introduction to CSPM and Compliance Management

(36:42) CSPM Tools for Hybrid Cloud Environments

(39:53) Expanding Compliance Beyond IT Infrastructure

(48:49) DevSecOps and the Shift Left Approach

(54:29) The Future of Qamar Nomani

CHAPTERS

(00:00) Introduction and Background of Marcelo Leite

(07:40) Understanding the Concepts of Database, Data Warehouse, Data Lake, and Data Lake House

(19:14) The Importance of Data Classification and DLP in Data Security

(26:55) Exploring the Concept of Data Mesh

(32:02) Why CTOs and CIOs Should Consider Data Mesh

(33:09) Managing Complex Data Environments with Data Mesh

(41:00) Ensuring Security in Cloud-Based Data Platforms

(49:53) Analyzing Logs and Telemetry with Kusto Query Language (KQL)

(53:23) Simplifying Data Analytics with SaaS Solutions

(58:37) The Future of Data: Serving AI and Automation

CHAPTERS

(00:00:00) Introduction and Background

(00:06:15) The Importance of Writing in Cybersecurity

(00:11:10) Marker 7

(00:13:19) The Impact of Cloud Computing on Information Security

(00:25:33) Data-Driven Decision-Making in Cybersecurity

(00:34:21) Challenges in the Cybersecurity Industry: Stress and Burnout

(00:41:18) Upcoming Books: Making Choices and Becoming the Best Cybersecurity Expert