Celebrating and Elevating Women in Cyber: Recently, International Women in Cyber Day (September 1) highlighted the ongoing challenges women face in the cybersecurity field, as well as the progress made in recent years. Women bring exceptional skills and knowledge to cybersecurity; however, it is estimated that they make up only 20% to 25% of the cybersecurity workforce—a percentage that has remained stagnant for years. Even more concerning, women often hit a glass ceiling just six to ten years into their cybersecurity careers. Lynn Dohm sheds light on these issues and emphasizes what the industry needs to focus on to continue celebrating and elevating women in cyber.

Segment Resources:

• 2023 State of Inclusion Benchmark in Cybersecurity
• 2024 Cyber Talent Study by N2K and WiCyS
• WiCyS Programs

This week, we've added an extra news segment just on AI. Not because we wanted to, but because the news cycle has bludgeoned us into it. My mom is asking about Chinese AI, my neighbor wants to know why his stocks tanked, my clients want to know how to prevent their employees from using DeepSeek, it's a mess.

First, a DeepSeek primer, so we can make sure all Enterprise Security Weekly listeners know what they need to know. Then we get into some other AI news stories.

I think the most interesting aspect of the DeepSeek announcements is the business/market impact, which isn't really security-related, but could have some impact on security teams. By introducing models that are cheaper to train, sell access to, and less demanding to run on systems, DeepSeek has opened up more market opportunities. That means we'll see generative AI used in markets and ways that didn't make sense before, because it was too expensive.

Another aspect that's really confusing is what DeepSeek is or does. For the most part, when someone says "DeepSeek", they could be referring to:

• the company
• the open source models released by the company
• the SaaS service (https://chat.deepseek.com)
• the mobile app (which is effectively just a front end for #3)
• the API (which is what the mobile app and SaaS service are built on top of)

From a security perspective, there's little to no operational risk around downloading and using the models, though they're likely to get banned, so companies could get in trouble for using them. As for the app, API, or SaaS service, assume everything you type into them is getting collected by China (so, significantly less safe, probably no US companies should do this).

But because these services are crazy cheap right now, I wouldn't be surprised if some suppliers and third parties will start using DeepSeek - if your third party service provider is using DeepSeek behind the scenes with your data, you still have problem #2, so best to ensure they're not doing this through updated contract language and call to confirm that they're not currently doing it (can take a while to get a new contract in place).

This week in the enterprise security weekly news, we discuss

1. funding and acquisitions
2. Understanding the Semgrep license drama
3. Ridiculous vulnerabilities everywhere:
4. vulns to take down your entire city’s cell service
5. vulns to mess with your Subarus
6. vulns in Microsoft 365 authentication
7. cybersecurity regulations are worthless
8. Facebook is banning people for mentioning Linux
9. Vigilantes on Github
10. Mastercard DNS error
11. Qubes OS
12. Turning a "No" into a conversation

All that and more, on this episode of Enterprise Security Weekly!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw-392