The Growth of Women in Cybersecurity Has Slowed – Why, and What Can We Do About It? – Lynn Dohm – ESW #392
1. The Growth of Women in Cybersecurity Has Slowed – Why, and What Can We Do About It? – Lynn Dohm – ESW #392
Celebrating and Elevating Women in Cyber: Recently, International Women in Cyber Day (September 1) highlighted the ongoing challenges women face in the cybersecurity field, as well as the progress made in recent years. Women bring exceptional skills and knowledge to cybersecurity; however, it is estimated that they make up only 20% to 25% of the cybersecurity workforce—a percentage that has remained stagnant for years. Even more concerning, women often hit a glass ceiling just six to ten years into their cybersecurity careers. Lynn Dohm sheds light on these issues and emphasizes what the industry needs to focus on to continue celebrating and elevating women in cyber.
Guest
With over 25 years of organizational and leadership experience, Lynn is a prominent advocate for bridging the critical cybersecurity workforce gap through active involvement in grant-funded programs and nonprofits. Under her leadership, WiCyS has emerged as a leading example of how a collaborative multi-organizational approach can strengthen the cybersecurity workforce through initiatives, training programs, partnerships, and recruitment efforts. Passionate about leveraging diverse mindsets, skill sets and perspectives, Lynn has been recognized for her work in improving the recruitment, retention and advancement of women in cybersecurity.
2. Special Breaking AI News – there’s too much AI news, can we please stop – ESW #392
This week, we've added an extra news segment just on AI. Not because we wanted to, but because the news cycle has bludgeoned us into it. My mom is asking about Chinese AI, my neighbor wants to know why his stocks tanked, my clients want to know how to prevent their employees from using DeepSeek; it's a mess.
First, a DeepSeek primer, so we can make sure all Enterprise Security Weekly listeners know what they need to know. Then we get into some other AI news stories.
DeepSeek Primer
I think the most interesting aspect of the DeepSeek announcements is the business/market impact, which isn't really security-related but could have some impact on security teams. By introducing models that are cheaper to train, cheaper to sell access to, and less demanding to run, DeepSeek has opened up more market opportunities. That means we'll see generative AI used in markets and ways that didn't make sense before, because it was too expensive.
Another aspect that's really confusing is what DeepSeek is or does. For the most part, when someone says "DeepSeek", they could be referring to:
1. the company
2. the open source models released by the company
3. the SaaS service (https://chat.deepseek.com)
4. the mobile app (which is effectively just a front end for #3)
5. the API (which is what the mobile app and SaaS service are built on top of)
From a security perspective, there's little to no operational risk around downloading and using the models, though they're likely to get banned, so companies could get in trouble for using them. As for the app, API, or SaaS service, assume everything you type into them is getting collected by China (so, significantly less safe, probably no US companies should do this).
But because these services are crazy cheap right now, I wouldn't be surprised if some suppliers and third parties start using DeepSeek. If your third-party service provider is using DeepSeek behind the scenes with your data, you still have the second problem (your data being collected). Best to ensure they're not doing this through updated contract language, and call to confirm that they're not currently doing it, since it can take a while to get a new contract in place.
Announcements
Security Weekly listeners save $100 on their RSA Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
- 1. FUNDING: from the Security, Funded newsletter #178 – The AI Truffle Shuffle
Just one AI funding announcement worth chatting about:
- DryRun Security raises $8.7M to advance AI-driven application security - SiliconANGLE. I'm seeing some really hopeful signs about using GenAI in the appsec space, but for very limited and well-defined tasks.
- 2. NEW FEATURES: Semgrep – How we built an AppSec AI that security researchers agree with 96% of the time
- 3. ESSAYS: The “First AI Software Engineer” Is Bungling the Vast Majority of Tasks It’s Asked to Do
So which is it? Is AI the best thing ever, or a crappy disappointment? We really need to get to the bottom of this in 2025. If the folks at Answer.AI are right, we could be wasting a lot of time and money this year, deploying ineffective generative AI.
- 4. KARMA MOMENT: OpenAI Furious DeepSeek Might Have Stolen All the Data OpenAI Stole From Us
3. Semgrep non-drama, Facebook hates Linux – Vulns in Cars, Cell Towers, M365, and more – ESW #392
This week in the enterprise security weekly news, we discuss
- funding and acquisitions
- Understanding the Semgrep license drama
- Ridiculous vulnerabilities everywhere:
  - vulns to take down your entire city’s cell service
  - vulns to mess with your Subarus
  - vulns in Microsoft 365 authentication
- cybersecurity regulations are worthless
- Facebook is banning people for mentioning Linux
- Vigilantes on Github
- Mastercard DNS error
- Qubes OS
- Turning a "No" into a conversation
All that and more, on this episode of Enterprise Security Weekly!
- 1. FUNDING: from the Security, Funded newsletter #178
A few funding announcements worth chatting about:
- Eclypsium Raises $45M to Lock Down Supply Chain Security
- Mitiga Announces $30 Million Series B and Adds New Executive Chairman and Board Director. These guys have a lot of products and services going on for a company that's just raising Series B. Trying to wrap my head around all of it.
- Luxembourg’s password management software firm Passbolt bags €7.6M. Yet another password manager, BUT, this one is from Europe, and is fully open-sourced!
- 2. DIVESTITURE: Inside information: WithSecure sells its Cyber security consulting business
In 2022, the Finnish cybersecurity company F-Secure split into two companies. The consumer business continued with the F-Secure brand, while the enterprise business rebranded as WithSecure.
Now, a few years later, WithSecure is selling off its consulting business to Neqst for EUR 22.5M.
- 3. DRAMA: Josh Grossman on LinkedIn: Seems like there’s a bit of confusion around the recent Semgrep licence changes
Confusion for sure! TL;DR:
- it's not as big a deal as most folks are making out of it
- the response feels mostly like a marketing/sales grab from competitors (including OpenGrep)
- 4. DUMPSTER FIRES: John Hammond on “Facebook flags Linux topics as ‘cybersecurity threats’ — posts and users being blocked”
I don't need a ton of additional reasons to not use Facebook, but thanks for this one!
- 5. VULNERABILITIES: Cellular Security Ransacked
Roughly a BAJILLION YEARS after L0pht testified to Congress that they could take down the public Internet in about 30 minutes, the curiously named Florida Institute for Cybersecurity Research released information claiming it is possible to persistently DoS cell service to large areas with just a few packets.
Paper here: https://nathanielbennett.com/publications/ransacked.pdf
- 6. VULNERABILITIES: Subaru Security Flaws Exposed Its System for Tracking Millions of Cars
9.5 years ago, Charlie Miller and Chris Valasek messed with Andy Greenberg by remotely killing the engine of the Jeep Cherokee he was actively driving.
9 years ago, Troy Hunt reported that the Nissan Leaf app allowed control over the cars with nothing more than the VIN.
In November 2024, Sam Curry and Shubham Shah discovered a similar issue in Subaru's STARLINK service. Using just publicly available information about a vehicle's owner:
- any car could be remotely started, stopped, or locked/unlocked
- The vehicle's location history was available
- The customer's PII was available
The car industry has had 10 years to search for these sorts of issues and squash them. Finding this one wasn't trivial per se, but it still seems a basic enough issue for a security review to have spotted and flagged.
- 7. VULNERABILITIES: How Did Hackers Bypass Microsoft’s MFA Vulnerability?
The disturbing trend of researchers finding very basic, easy to exploit vulnerabilities in popular, publicly accessible services managed by huge multi-billion dollar companies continues.
Microsoft again makes this list with an attack that's just plain brute force. The researchers had to get a little clever with how they manipulated the sessions to avoid lockouts, but the fact that it was still ultimately brute forcing six-digit codes seems like the kind of problem we shouldn't be finding in the world's largest tech company's primary authentication mechanism.
Here's the main PDF from the research: https://pages.oasis.security/rs/106-PZV-596/images/oasis-security-authquake-mfa-bypass.pdf?version=0
- 8. ESSAYS: From Katie Teitler-Santullo – How We Can Finally Be Sure Regulations Won’t Fix Cybersecurity
- 9. SQUIRREL: Vigilante Justice on GitHub (Truffle Security Co.)
Both hilarious and concerning.
- 1. FAIL: MasterCard DNS Error Went Unnoticed for Years
Even giants can fat-finger things. Not sure what's worse here, the misconfiguration not being noticed for YEARS or the way they responded to this researcher. We are quite lucky this was not exploited.
- 2. LTE and 5G Security Flaws (Are we surprised?)
A plethora of vulnerabilities were found in LTE and 5G networks. Most result in denial-of-service (DoS) conditions, including unauthenticated attacks that didn't require a SIM card!
- 3. A Security Conscious Operating System?
Capable of running apps and services inside isolated compartments, Qubes OS claims to provide a secure environment for your computing workloads.
- 4. ESSAY (Audio): Turn ‘No’ Into a Conversation
How to turn rejection around without a fight. The best way to get someone to do something is for them to be intrinsically motivated to do it. Any parent knows this well. Persuade with finesse, not force.