November 14, 2024

IT Brew

Then, Thursday! Gen Z’s adventures in the office continue—now they’re learning about “open enrollment” and the role of HR.

In today’s edition:

🥸 Public persona

A bad sign

Phishy situation

—Brianna Monsanto, Billy Hurley, Patrick Lucas Austin

IT STRATEGY

Acting brand new

Collage of hands shaking, security shield, and CISO name plate. Illustration: Anna Kim, Photos: Getty Images

What does it take for a CISO to successfully come out of a data breach without any dents in their reputation? One expert says it’s personal branding.

Headspace CISO Jameeka Green Aaron is a post-breach CISO. However, a quick Google search of Green Aaron—whose career spans over two decades with leadership roles at companies such as Nike and Okta—won’t immediately reveal this fact. Green Aaron told IT Brew that this is “intentional.”

“The reason that I have done that is that I want you to know that I’m a post-breach CISO,” Green Aaron said. “It means I’ve got some chops and that I can do this job really well and that I can take you through an incident and we can come out on the other side of it.”

She added that while the ability to successfully navigate a breach is often used as a “litmus test” to evaluate CISOs, that’s not the only value she brings to the table. Green Aaron has “an opinion about a myriad of subjects,” from non-human identities (think API keys and OAuth tokens) to being a Black woman in the industry—areas that have both become part of her personal brand.

“In many cases, CISOs hit the headlines when their companies have been breached,” Green Aaron said. “That’s not the only thing that you want the world to know about you, right?”

Read the rest here.—BM

   

CYBERSECURITY

Invoice lessons

Jittawit.21/Getty Images

THIS IS NOT A BILL. But some bad actors are hoping you think it is.

A report from the API security platform Wallarm said fraudsters are using Docusign accounts to send invoices that appear “strikingly authentic.” Threat actors use the document-signing platform’s legitimate services to deceive users and to automate the process, according to the blog post released on November 5.

“Attackers found a way to confuse people using the basic concept of Docusign that allows you to send any documents to anyone,” Ivan Novikov, CEO at Wallarm, told IT Brew.

“It looks so real, because it is real,” he said.

The details:

  • The scam used a realistic Norton Antivirus signature document, likely created by copying a genuine one, Novikov said.
  • These fake invoices may include accurate pricing and additional charges, like an activation fee, according to the Wallarm report.
  • The fraudster can then use an e-signed document to request payment from the organization outside of Docusign, the blog post said.
  • Threat actors used the legitimate Docusign APIs to facilitate mass distribution.

2 Legit… Attackers have frequently employed legitimate services—URL shorteners, company mail servers, and popular file-sharing services, to name a few—to sneak past an organization’s security filters.

Read more here.—BH

   

IT OPERATIONS

School of phish

Phishing hook going through a mouse pointer arrow Francis Scialabba

For some employees, failing a phishing test can feel like being on an episode of Punk’d. For others, the mistake can lead to not-so-staged consequences.

According to a recent Arctic Wolf report, more than one-third (34%) of IT and security decision-makers send phishing simulation tests at least every two weeks.

Repercussions for those who repeatedly fail these simulations vary. Some employees who miss the mark on these tests, which have garnered backlash in recent years, are offered short training sessions following their oversight. However, Joshua Crumbaugh, CEO of PhishFirewall, an AI-powered anti-phishing solution company that focuses on non-punitive phishing campaigns, told IT Brew that others face more serious penalties.

“I know of a number of our Fortune 50s that still implement what they call a three-strikes-and-you’re-out policy,” Crumbaugh said. “All that means is you fail three phishing tests and you get fired.”

Silverfort CISO John Paul Cunningham told us that he has seen other extreme examples of corrective action, such as requiring an entire department to take remedial training if a repeat offender fails, or requiring the employee who consistently fails to have a one-on-one conversation with their company’s CISO or CEO.

Keep reading here.—BM

   

PATCH NOTES

Picture of data with "Clean Me" written on it + bottle of cleaner in front of it, Patch Notes Francis Scialabba

Today’s top IT reads.

Stat: 4%. That’s how much of global headcount Advanced Micro Devices is cutting in layoffs. (the Wall Street Journal)

Quote: “City of Sheboygan employees with internet access can communicate with each other online as all cloud-based services are up and working.”—officials in Sheboygan, Wisconsin, on the extent of a ransomware hack that affected municipal services (The Record)

Read: A generative AI-built video game is weird—but fun. (Wired)


Copyright © 2024 Morning Brew. All rights reserved.