In this episode of Security Gets Serious, host Ben Carr sits down with Mark Weatherford, former Chief Information Security Officer (CISO) for both California and Colorado, as well as Deputy Undersecretary for Cybersecurity at the U.S. Department of Homeland Security.

Mark and Ben dive into the complex roles and responsibilities of the Chief Information Security Officer (CISO), drawing on Mark's extensive experience in leading security teams at the highest levels of both state and federal government.

Mark currently serves as the Vice President of Policy and Standards at Gretel, is the Founding Partner of Aspen Chartered Consulting, and holds positions on the Board of Directors and Advisory Boards of numerous leading and emerging cybersecurity and technology companies.

With a career spanning both public and private sectors, Mark has held several high-profile executive roles in cybersecurity. His previous positions include Global Information Security Strategist at Booking Holdings, Chief Cybersecurity Strategist at vArmour, Principal at The Chertoff Group, Chief Security Officer at the North American Electric Reliability Corporation (NERC), and Chief Information Security Officer for the state of Colorado.

In 2008, Mark was appointed by Governor Arnold Schwarzenegger as California's first Chief Information Security Officer. Three years later, the Obama Administration selected him to serve as Deputy Undersecretary for Cybersecurity at the U.S. Department of Homeland Security.

A former naval officer with a deep background in cryptology, Mark was instrumental in advancing the U.S. Navy's cybersecurity capabilities. He served as the Director of Navy Computer Network Defense Operations, Director of the Navy Computer Incident Response Team (NAVCIRT), and was responsible for establishing the Navy's first operational red team, underscoring his commitment to strengthening cyber defense strategies.

Your Host, Ben Carr, Halcyon Chief Security and Trust Officer: Carr is a Security & Risk Executive and recognized thought leader with more than 25 years of results driven experience in developing and executing security strategies. Carr has served in global leadership roles at advanced technology, high risk, and rapid growth companies such as Ericsson (Cradlepoint), Qualys, Aristocrat, Tenable, Visa and Nokia. Ben has served as a member of the Board of Directors for organizations such as IT-ISAC and NTXPKUA. He is an advisor for Noname Security and Syn Ventures and has previously served on Advisory boards for Living Security, TruStar, Mimecast, Qualys, and Accuvant.

In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden are joined by Mark Weatherford, VP of Policy and Standards at Gretel, Founding Partner of Aspen Chartered Consulting, who was formerly Deputy Undersecretary for Cybersecurity at the U.S. Department of Homeland Security.

We jump into the discussion with some recent news that fallout from the 2023 MOVEit exploit campaign fallout included the leak of 1000’s of companies’ exfiltrated records – including Amazon (2.8 million records), MetLife (585,000 records), and HSBC (280,000 records).
It was previously reported that ransomware operator Cl0p had compromised an undetermined number of victims with the exploit, although it is unclear how well they were able to monetize the attacks.
This comes on top of insurer Coalition releasing their 2024 Cyber Claims Report: Mid-Year Update which found that while the frequency of ransomware attacks slightly decreased in early 2024, their severity intensified as claims rose significantly. The report noted a 140% increase among businesses with over $100 million in revenue, with ransomware attacks now driving 18% of all cybersecurity claims.

Mark provides some keen insights into what this means as far as the relative maturity curve of the ransomware economy, how much more growth can we expect given the success of the RaaS model in enabling less skillful attackers, and whether the US government’s response being largely limited to the issuing of guidelines and frameworks is adequate.

We then take a look at mass data exfiltration events that are now a part of nearly every ransomware attack, such as the National Public Data attack that exposed 2.7 billion records and the Change Healthcare (UHG) attack that exposed the private data of 100 million people, and how potential legal and regulatory impact following an attack in essence is re-victimizing victim organizations.

For example, Lehigh Valley Health Network recently agreed to a $65 million settlement following a class-action lawsuit over a 2023 data breach, Enzo Biochem was ordered to pay $4.5 million to New York, New Jersey, and Connecticut following a 2023 ransomware attack, and the City of Columbus is facing a class-action suit following a ransomware attack that compromised the 6.5 TB of data including personal information of city employees.

We know that ransomware operators are clearly after sensitive data, and we know determined attackers will get in sooner or later. So, is every organization that handles private or regulated data basically on notice that when they are targeted by attackers, they will also be targeted by regulators, then they also will be targeted by shareholders and/or customers?
Is this a constructive approach to the ransomware problem? Can we do better?

About Our Guest:
Mark Weatherford occupies so many important positions, it's hard to know where to start. He is VP of Policy and Standards at Gretel and Founding Partner of Aspen Chartered Consulting, as well as sitting on the Board of Directors and Advisory Boards for dozens of leading and emerging cybersecurity and technology companies.

Mark also has an extensive background in executive-level cybersecurity roles, showcasing a distinguished career in both public and private sectors. He has served as Global Information Security Strategist at Booking Holdings, Chief Cybersecurity Strategist at vArmour, a Principal at The Chertoff Group, Chief Security Officer at the North American Electric Reliability Corporation (NERC), and Chief Information Security Officer for the state of Colorado.

In 2008, he was appointed by Governor Arnold Schwarzenegger as California’s inaugural Chief Information Security Officer. Later, in 2011, the Obama Administration selected him to serve as the Deputy Undersecretary for Cybersecurity at the U.S. Department of Homeland Securit

In this episode of Security Gets Serious, host Ben Carr sits down with Chaunda Dallas, MSIT, a Healthcare Cybersecurity Specialist dedicated to safeguarding patient data and driving innovation in healthcare and sports technology.

Ben leans into Chaunda’s more than twenty years of hands-on experience in healthcare, which began with her work as an emergency room nurse where she has seen firsthand the critical role of technology in patient care and the risks to patients presented by system downtime, which motivated her transition into the cybersecurity field.

As an educator and current Ph.D. student, Chaunda's expertise bridges the gap between healthcare and technology, and she actively mentors aspiring cybersecurity professionals through Women in Cybersecurity (WiCyS) as a Technical Mentor and is an active member and volunteer with BlackGirlsHack (BGH) and The Diana Initiative (TDI).

Chaunda contributed to several research projects on healthcare information technology and data protection during her master's degree studies, including Detection of Heart Disease Using Mobile Health Technology, The Use of Healthcare Information Technology in Ambulatory Surgical Centers, and The Adoption, Issues, and Challenges of Wearable Healthcare Technology for the Elderly.

Your Host, Ben Carr, Halcyon Chief security and Trust Officer: Carr is a Security & Risk Executive and recognized thought leader with more than 25 years of results driven experience in developing and executing security strategies. Carr has served in global leadership roles at advanced technology, high risk, and rapid growth companies such as Ericsson (Cradlepoint), Qualys, Aristocrat, Tenable, Visa and Nokia. Ben has served as a member of the Board of Directors for organizations such as IT-ISAC and NTXPKUA. He is an advisor for Noname Security and Syn Ventures and has previously served on Advisory boards for Living Security, TruStar, Mimecast, Qualys, and Accuvant.