<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Blog on Rishipal Yadav · not your CISO</title><link>https://rishipalyadav.github.io/posts/</link><description>Recent content in Blog on Rishipal Yadav · not your CISO</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>© 2026 Rishipal Yadav</copyright><lastBuildDate>Thu, 24 Apr 2025 00:00:00 +0000</lastBuildDate><atom:link href="https://rishipalyadav.github.io/posts/index.xml" rel="self" type="application/rss+xml"/><item><title>The Audit Room Has Two Stories And Neither Is the Full Truth</title><link>https://rishipalyadav.github.io/posts/audit-room-two-stories/</link><pubDate>Thu, 24 Apr 2025 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/audit-room-two-stories/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published in &lt;a href="https://medium.com/dark-roast-security" target="_blank" rel="noreferrer"&gt;Dark Roast Security&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/the-audit-room-has-two-stories-and-neither-is-the-full-truth-06fb15fe3341" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;Every audit room has two stories playing simultaneously. The auditor walks in with a checklist, a mandate, and the quiet authority of an independent assessor. The auditee walks in with months of prep, a defensive posture, and the knowledge that something will be found — the only question is what.&lt;/p&gt;
&lt;p&gt;The problem is neither side is telling their story particularly well. And that communication gap is where audits go from being useful to being theatre.&lt;/p&gt;</description></item><item><title>Security Awareness Training: A Design Thinking Project</title><link>https://rishipalyadav.github.io/posts/security-awareness-design-thinking/</link><pubDate>Sat, 27 Apr 2024 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/security-awareness-design-thinking/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/security-awareness-training-a-design-thinking-project-c06686163480" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;During the last semester (Spring 2024) of my Master of Engineering in Cybersecurity at the University of Maryland, College Park, I joined the Innovation Fellowship cohort at the Academy for Innovation and Entrepreneurship. The project: apply design thinking to security awareness training.&lt;/p&gt;
&lt;p&gt;Security awareness training has a reputation problem. Compliance teams love it. Employees hate it. And the data on whether it actually changes behaviour is, at best, mixed. The question I started with was: what would security awareness training look like if you designed it the way a product designer would — starting with the user, not the policy?&lt;/p&gt;</description></item><item><title>LinkedIn OSINT for a Quick Background Check: A Guide for HR</title><link>https://rishipalyadav.github.io/posts/linkedin-osint-background-check/</link><pubDate>Thu, 27 Apr 2023 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/linkedin-osint-background-check/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/linkedin-osint-for-a-quick-background-check-a-guide-for-hrs-f63dc6b6ac74" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;Most organisations run background checks before someone joins. But the standard checks - employment verification, criminal records — often miss what&amp;rsquo;s hiding in plain sight on LinkedIn. Open source intelligence (OSINT) techniques, applied to a public professional profile, can surface inconsistencies, red flags, and gaps that formal checks don&amp;rsquo;t catch.&lt;/p&gt;
&lt;p&gt;This guide is for HR professionals and hiring managers who want to use LinkedIn more systematically as part of due diligence — without crossing into surveillance.&lt;/p&gt;</description></item><item><title>ChatGPT Policy for Your Organisation: The CISO's Concern</title><link>https://rishipalyadav.github.io/posts/chatgpt-policy-ciso-concern/</link><pubDate>Sun, 09 Apr 2023 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/chatgpt-policy-ciso-concern/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/chatgpt-policy-for-your-organisation-the-cisos-concern-dcc073fa161f" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;ChatGPT has been a buzzword for some time now. Be it a new product built on top of it or another capability announcement, just when you think the hype has peaked, something new drops. And through all of it, security teams have been quietly scrambling to figure out what their policy actually is.&lt;/p&gt;
&lt;p&gt;This is not a technical breakdown of how large language models work. This is a practitioner&amp;rsquo;s take on the questions a CISO — or anyone responsible for security — needs to answer before their organisation gets too comfortable with ChatGPT in the workflow.&lt;/p&gt;</description></item><item><title>You Must Remove Text Message Two-Factor Authentication</title><link>https://rishipalyadav.github.io/posts/remove-sms-two-factor-authentication/</link><pubDate>Sat, 18 Feb 2023 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/remove-sms-two-factor-authentication/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/you-must-remove-text-message-two-factor-authentication-df0b43e55e5d" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;Last night, just before I went to sleep, I decided to check Twitter. The first thing I saw was the announcement that Twitter was removing SMS-based two-factor authentication for non-Twitter Blue users. The reaction was predictably split — some celebrated, some panicked.&lt;/p&gt;
&lt;p&gt;Both reactions missed the point.&lt;/p&gt;
&lt;p&gt;SMS-based 2FA is not secure. It is better than a password alone, but SIM-swapping attacks have made it a weak link that sophisticated attackers exploit routinely. The Twitter decision — however poorly communicated — is directionally correct. The question for security teams and individuals alike is: what replaces it?&lt;/p&gt;</description></item><item><title>Bridging the Skill Gap in Cybersecurity — Hire Generalists, Create Specialists!</title><link>https://rishipalyadav.github.io/posts/bridging-skill-gap-hire-generalists/</link><pubDate>Fri, 20 Jan 2023 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/bridging-skill-gap-hire-generalists/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/bridging-the-skill-gap-in-cybersecurity-hire-generalists-create-specialists-1a730e84b521" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;I have seen a lot of posts about the skill gap, unrealistic hiring expectations, and the number of open security roles. Most of them circle the same frustration: organisations want five years of experience in a technology that has existed for two, and then complain they can&amp;rsquo;t hire.&lt;/p&gt;
&lt;p&gt;But I think the framing is wrong. The skill gap isn&amp;rsquo;t primarily a supply problem — it&amp;rsquo;s a hiring and development problem. Organisations have been optimising for the role they need filled today, not the practitioner they need in three years.&lt;/p&gt;</description></item><item><title>Cybersecurity Roadmap 2023: How Do I Start in Cybersecurity?</title><link>https://rishipalyadav.github.io/posts/cybersecurity-roadmap-2023/</link><pubDate>Fri, 13 Jan 2023 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/cybersecurity-roadmap-2023/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/cybersecurity-roadmap-2023-how-do-i-start-in-cybersecurity-6117386e1e88" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;How do I start in cybersecurity? What basic skills do I need to get into cybersecurity?&lt;/p&gt;
&lt;p&gt;These are the questions I get most often — from students, from software engineers eyeing a pivot, from IT professionals who want to move into security. There is no single right answer, but there are a lot of wrong approaches, and this guide is my attempt to cut through the noise.&lt;/p&gt;</description></item><item><title>Operational Security 101</title><link>https://rishipalyadav.github.io/posts/operational-security-101/</link><pubDate>Wed, 04 Jan 2023 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/operational-security-101/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published in &lt;a href="https://osintteam.blog" target="_blank" rel="noreferrer"&gt;OSINT Team&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/operational-security-101-79697f48cbaf" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;Last week, Andrew Tate got into a Twitter fight with Greta Thunberg, both taking jibes at each other. It got ugly — and the next day, Romanian authorities used a pizza box visible in his response video to confirm his location and arrest him.&lt;/p&gt;
&lt;p&gt;You genuinely could not write a better operational security case study.&lt;/p&gt;
&lt;p&gt;Operational security, or OPSEC, started as a military concept — protecting information about your own operations from an adversary who might use it against you. In the digital age, it applies to everyone: activists, executives, journalists, and apparently influencers who pick fights on Twitter.&lt;/p&gt;</description></item><item><title>So You Do Not Want to Become a CISO Anymore?</title><link>https://rishipalyadav.github.io/posts/so-you-dont-want-to-become-a-ciso/</link><pubDate>Sun, 09 Oct 2022 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/so-you-dont-want-to-become-a-ciso/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/so-you-do-not-want-to-become-a-ciso-anymore-4436a0c724a9" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;There has been quite a chatter in the security community for the last couple of weeks. It is always some discussion — be it a new breach, a new framework, or a regulatory shift — but this one felt different.&lt;/p&gt;
&lt;p&gt;The conversation: is the CISO role broken? Between the SolarWinds aftermath, the SEC charging CISOs personally, the expectation of omniscience with the authority of a middle manager, and the burnout rates — a lot of security professionals who once had the CISO job as their north star are quietly reconsidering.&lt;/p&gt;</description></item><item><title>Educate Your Team — Do Not Chase When It Comes to Security</title><link>https://rishipalyadav.github.io/posts/educate-your-team-dont-chase/</link><pubDate>Mon, 05 Sep 2022 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/educate-your-team-dont-chase/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/educate-your-team-do-not-chase-when-it-comes-to-security-b39925df078a" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;&lt;em&gt;&amp;ldquo;Hey, could you please complete the security training, it was due two days ago?&amp;rdquo;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;If that message sounds familiar — either as the person sending it or the one ignoring it — your security awareness program has a problem. And the problem isn&amp;rsquo;t that people are lazy or don&amp;rsquo;t care about security. The problem is that you&amp;rsquo;ve built a compliance exercise and called it a culture.&lt;/p&gt;</description></item><item><title>Back to Office: But What About Security?</title><link>https://rishipalyadav.github.io/posts/back-to-office-security/</link><pubDate>Thu, 28 Jul 2022 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/back-to-office-security/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://medium.com/@notyourciso/back-to-office-but-what-about-security-9971b00fa0ba" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;Things are back to normal, and everyone is returning to their offices. Some are ecstatic about free food, coffee, and office gossip. Others are dragging their feet. And most security teams are somewhere in between — quietly aware that two years of remote-first work has created some habits that don&amp;rsquo;t translate well to shared physical spaces.&lt;/p&gt;</description></item><item><title>My Cybersecurity Journey</title><link>https://rishipalyadav.github.io/posts/my-cybersecurity-journey/</link><pubDate>Wed, 25 May 2022 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/my-cybersecurity-journey/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published in the &lt;a href="https://www.isc2.org/Insights/2022/05/Journey-Into-Cybersecurity-Conversations-with-Cyber-Newcomers-Part-1" target="_blank" rel="noreferrer"&gt;(ISC)² blog&lt;/a&gt; and cross-posted on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/my-cybersecurity-journey-f3260df7541" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;I found my first position at a college placement fair. I began working as a software engineer building a digital security platform at HSBC — designing the backend for secure authentication and authorisation for mobile banking apps. It was more of a software development job, but I had to learn a lot about security concepts to actually do it well.&lt;/p&gt;</description></item></channel></rss>