<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Security-Awareness on Rishipal Yadav · not your CISO</title><link>https://rishipalyadav.github.io/categories/security-awareness/</link><description>Recent content in Security-Awareness on Rishipal Yadav · not your CISO</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>© 2026 Rishipal Yadav</copyright><lastBuildDate>Sat, 27 Apr 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://rishipalyadav.github.io/categories/security-awareness/index.xml" rel="self" type="application/rss+xml"/><item><title>Security Awareness Training: A Design Thinking Project</title><link>https://rishipalyadav.github.io/posts/security-awareness-design-thinking/</link><pubDate>Sat, 27 Apr 2024 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/security-awareness-design-thinking/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/security-awareness-training-a-design-thinking-project-c06686163480" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;During the last semester (Spring 2024) of my Master of Engineering in Cybersecurity at the University of Maryland, College Park, I joined the Innovation Fellowship cohort at the Academy for Innovation and Entrepreneurship. The project: apply design thinking to security awareness training.&lt;/p&gt;
&lt;p&gt;Security awareness training has a reputation problem. Compliance teams love it. Employees hate it. And the data on whether it actually changes behaviour is, at best, mixed. The question I started with was: what would security awareness training look like if you designed it the way a product designer would — starting with the user, not the policy?&lt;/p&gt;</description></item><item><title>You Must Remove Text Message Two-Factor Authentication</title><link>https://rishipalyadav.github.io/posts/remove-sms-two-factor-authentication/</link><pubDate>Sat, 18 Feb 2023 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/remove-sms-two-factor-authentication/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/you-must-remove-text-message-two-factor-authentication-df0b43e55e5d" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;Last night, just before I went to sleep, I decided to check Twitter. The first thing I saw was the announcement that Twitter was removing SMS-based two-factor authentication for non-Twitter Blue users. The reaction was predictably split — some celebrated, some panicked.&lt;/p&gt;
&lt;p&gt;Both reactions missed the point.&lt;/p&gt;
&lt;p&gt;SMS-based 2FA is not secure. It is better than a password alone, but SIM-swapping attacks have made it a weak link that sophisticated attackers exploit routinely. The Twitter decision — however poorly communicated — is directionally correct. The question for security teams and individuals alike is: what replaces it?&lt;/p&gt;</description></item><item><title>Educate Your Team — Do Not Chase When It Comes to Security</title><link>https://rishipalyadav.github.io/posts/educate-your-team-dont-chase/</link><pubDate>Mon, 05 Sep 2022 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/educate-your-team-dont-chase/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/educate-your-team-do-not-chase-when-it-comes-to-security-b39925df078a" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;&lt;em&gt;&amp;ldquo;Hey, could you please complete the security training, it was due two days ago?&amp;rdquo;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;If that message sounds familiar — either as the person sending it or the one ignoring it — your security awareness program has a problem. And the problem isn&amp;rsquo;t that people are lazy or don&amp;rsquo;t care about security. The problem is that you&amp;rsquo;ve built a compliance exercise and called it a culture.&lt;/p&gt;</description></item><item><title>Back to Office: But What About Security?</title><link>https://rishipalyadav.github.io/posts/back-to-office-security/</link><pubDate>Thu, 28 Jul 2022 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/back-to-office-security/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://medium.com/@notyourciso/back-to-office-but-what-about-security-9971b00fa0ba" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;Things are back to normal, and everyone is returning to their offices. Some are ecstatic about free food, coffee, and office gossip. Others are dragging their feet. And most security teams are somewhere in between — quietly aware that two years of remote-first work has created some habits that don&amp;rsquo;t translate well to shared physical spaces.&lt;/p&gt;</description></item></channel></rss>