Boston, Massachusetts, United States
4K followers
500+ connections
Activity
- Tom Spring shared this: Holiday-week patching is nobody’s idea of fun. But max-severity ColdFusion flaws on internet-facing systems are also not something to leave for “next week.” No known exploitation is good news. It is not a patch strategy. #VulnerabilityManagement #ColdFusion
  Shared post: No, it is not Patch Tuesday. Nevertheless, Adobe just let 11 fixes rip across ColdFusion and Adobe Campaign Classic — including maximum-severity bugs that can allow unauthenticated remote code execution. No known exploitation. No CISA KEV listing. No public proof of concept. Also not a reason to leave internet-facing ColdFusion sitting there while everyone heads into the holiday weekend. Patch the exposed stuff first. https://lnkd.in/gDiRs9mJ #VulnerabilityManagement #Patching #ColdFusion #Cybersecurity
  Link: Adobe Patches 11 ColdFusion, Campaign Classic Flaws; Four Hit Max Severity
- Tom Spring shared this: The bug class here is familiar. The speed is what feels different. Wiz’s Red Agent research is another reminder that AI does not need to invent brand-new categories of risk to change the threat model. It can make old problems move a lot faster. #APISecurity #AgenticAI
  Shared post: Point an autonomous AI agent at a root URL. Fifteen minutes later, it has exposed a major airline booking database. That is the unsettling part of Wiz’s Red Agent research. The flaw class itself — broken object-level authorization — is not new. What is new is how quickly an autonomous agent can move from reconnaissance to exploitation without a human steering every step. Bug hunting is changing. So is the speed at which “basic” API security gaps become very not-basic business problems. https://lnkd.in/ge2SDn2J #APISecurity #AgenticAI #CloudSecurity #BOLA
  Link: Autonomous AI Agent Breaches Airline Booking Database in 15 Minutes
- Tom Spring shared this: I really like this one from Shaun Nichols because it shows the reporting process in motion. The first version of an infrastructure story is rarely the whole story. Attribution, hosting data, methodology and disputes all matter. This is exactly why cybersecurity journalism needs follow-through, not just scary numbers. #ThreatIntelligence #Cybercrime
  Shared post: This one started as a straightforward cybercrime infrastructure story. Then the beehive got kicked. Shaun Nichols reports on Hunt.io research that initially tied a huge share of Eastern European threat activity to one Bulgarian hosting provider — and then follows the updates, disputes and methodology caveats that made the story more complicated and more interesting. That is the kind of reporting that matters: not just “big number, scary headline,” but what happens when attribution, infrastructure and evidence all collide. Shout out to Shaun on this one. https://lnkd.in/gHTm27_g #ThreatIntelligence #Cybercrime #Malware #Infrastructure
  Link: One Bulgarian Host Accounted for 53% of Eastern Europe C2 Servers, Hunt.io Says
- Tom Spring shared this: This was a fun and useful conversation with Darren Meyer of Checkmarx. AI is making code move faster. That part is obvious. The harder question is whether security, auditability and risk ownership can keep up when the development pipeline starts looking more like a drive-thru window. #AppSec #AI
  Shared post: Dear AI: We love you. We fear you. Please stop turning the release train into a compliance crime scene. In this SPB video and transcript, I talk with Darren Meyer of Checkmarx about the AppSec Catch-22: AI is helping teams ship code faster, but security teams still need to prove what was found, what was accepted, what was fixed and who owned the decision. The old problem was secure code under deadline pressure. The new problem is secure code under deadline pressure when half the company can suddenly “develop” like they are ordering lunch. https://lnkd.in/gsuMRS4N #AppSec #AI #DevSecOps #SecureByDesign
  Link: AI’s AppSec Catch-22: Faster Code, More Risk and a Shrinking Audit Trail
- Tom Spring shared this: The “CISO as fall guy” problem is not just unfair. It is bad security. Dan Raywood's piece gets at the bigger issue: if accountability only shows up after the breach, organizations miss the chance to build shared ownership before things go sideways. Worth reading for anyone who manages risk, budget or expectations around security. #CISO #CybersecurityLeadership
  Shared post: “Fall guy” was never in the CISO job description. So why are CISOs blamed for breaches 73% of the time — often without the authority, budget or operational control to match? Dan Raywood talks with Fastly CISO Marshall E. about why breach accountability keeps landing on security leaders faster than actual organizational responsibility is catching up. The takeaway is not “blame the CISO better.” It is: incident response works better when ownership is shared before the breach, not assigned after it. https://lnkd.in/g_mDWnwt #CISO #CybersecurityLeadership #IncidentResponse #SecurityCulture
  Link: CISOs Now Blamed for 73% of Breaches — But Lack the Authority to Stop Them
- Tom Spring shared this: The scary part here is not that the malware is brilliant. It is that the pretext is good enough. Shaun Nichols does a great job breaking down why even clunky phishing campaigns can still work when they hit the right panic button — in this case, pretending Interpol is on your case. #Ransomware #Phishing
  Shared post: No, Interpol is not investigating you. And no, the “evidence” is not evidence. Shaun Nichols reports on Bitdefender research from Victor Vrabie and Andrei Mogage into a phishing campaign that impersonates INTERPOL investigators, pushes victims toward a password-protected archive, and delivers ransomware instead of the promised video file. The malware may be unsophisticated. The social engineering is not. That is the part defenders should pay attention to. https://lnkd.in/gMgHu2Jh #Ransomware #Phishing #ThreatIntelligence #SMBSecurity
  Link: Fake Interpol Emails Are Delivering Ransomware to SMBs
- Tom Spring shared this: This one is close to my heart because identity security is never just about better authentication or smoother onboarding. Elizabeth Garber's framing gets right to the civic core of the issue: who gets recognized, who gets excluded and what guardrails exist when technology becomes the gatekeeper. A little Fourth of July soapbox from me at Security Point Break. #IdentitySecurity #DigitalIdentity
  Shared post: Happy Fourth of July from the identity soapbox. This week, I channel Elizabeth Garber of Humanitech Consulting and her blunt, right-on-the-nose warning to the identity industry: Identity Security tech is not just about wallets, credentials and better DMV UX. It is about power. Who belongs? Who does not? Who decides? Who gets an appeal when the system says no? Give me identity security and liberty — or at least a better username. Pretty sure Patrick Henry said something like that. https://lnkd.in/gfZftn6h #IdentitySecurity #DigitalIdentity #Privacy #CivilRights #FourthOfJuly
  Link: Digital Identity Meets the Fourth of July | Security Point Break
- Tom Spring reposted this: It has been a busy week. On Sunday we pulled off a marathon podcasting session on TWiT.tv - nearly four hours of technology conversation, not helped by a pushy cat pissed off at having her personal space invaded. And readers are taking to AI image creation with a will - the picture was a tribute to the Tartan Army. https://lnkd.in/gKg3GsET Also up today is an extensive interview with Katie Moussouris on the effect of AI, humans, and security for TechFinitive.com. I think she's right on the importance of human oversight and the coming token crunch - companies that overestimate bots could be in a world of hurt and wasted funds. https://lnkd.in/gZeCPzHa
  Link: Don’t panic, says Katie Moussouris: AI security isn’t replacing humans, it’s proving the need for them
- Tom Spring shared this: Just as most of us finally learned how to create a half-decent password, the identity industry found something more interesting to worry about: non-human identities. For 20 years, identity security mostly meant us. Our logins. Our reused passwords. Our MFA fatigue. Our ability to spot the phishing email. Then AI agents showed up, and suddenly humans are chopped liver. This week at #Identiverse2026, non-human identity will be everywhere — service accounts, API keys, OAuth grants, SaaS connectors, AI agents and all the machine-to-machine access now sprawled across the enterprise. And rightly so. The risk is real. But let’s not kid ourselves. When a machine identity gets abused, the blast radius usually lands back on people: employees, customers, inboxes, tickets, files, calendars and business data. Here is my take on #NHIs via Security Point Break https://lnkd.in/gA9eMTVB #Identiverse2026 #Identiverse #IdentitySecurity #NonHumanIdentity #NHI #AISecurity #AgenticAI #IAM #OAuth #ZeroTrust #Cybersecurity
- Tom Spring liked this: I’m blown away by the reaction to my #EIC talk last week. Thank you. As I stepped on stage, I was wondering if I’d be brave enough to get the words out. When I wrote the line about the trains, I literally jumped out of my seat and ran away from my computer. I didn’t go back for a week. The talk was about bravery. It wrote itself. It was written by the headlines. It didn’t take an expert, and it didn’t offer many answers. What I can offer you, though, is evidence that this community welcomes bravery: 🙏 KuppingerCole Analysts chose my talk and put it on stage 🫶 When I left the stage, people greeted me with open arms – I had been honestly worried what some of them would think, say, and do. 💡 So many people have shared how it mattered to them and their reflections on the message. Bravery grows in community. Thank you to the people who read the talk or talked to me about it – you challenged me, shaped the arc, made it better, and (most importantly) gave me courage. There are others who offered to help, but then I failed to schedule the time – their support was still an anchor. Others sat near the front because I asked them to. You are the community that gives me strength: Alex Weinert Christine Owen Dean H. Saxe Ian Glazer Bertrand Carlier, CIDPRO Andrea Beskers Megan Shamas Tim Cappalli Jon Lehtinen Mike Kiser Nishant Kaushik Joni Brennan Sebastian Rohr Allan Foster Gail Hodges Nat Sakimura Katryna Dow Mark Haine Joseph Heenan Andrew Hindle Jeff Steadman Shannon Roddy George Fletcher Pieter Kasselman Heather Flanagan Guy Pensa Reiner Mertens André Koot Mirela C. Orestis Theodorakopoulos Elena K. Oscar Hernández Emilie van der Lande Marianne Henriksen John Peart Kevin Grimmeisen Henk Marsman Ferdinand Yves MBARGA Thea Kirsch …. and so many more 🙏 Let’s build bravely together.
Experience & Education
-
SC Media
Projects
-
SC Awards & Women in IT Security
-
At CyberRisk Alliance, I led two cornerstone recognition programs: The SC Awards, honoring top cyber innovations and individuals in security, and Women in IT Security, which spotlights exceptional leadership, mentorship, and advocacy by women across the industry.
SC Awards: Oversee end-to-end execution: from call for entries, coordinating judges and hundreds of finalists, to writing and editing winner profiles/features and driving press coverage and branded video content (CyberRiskTV), and strategic social engagement.
Women in IT Security: Managed all editorial and program components - from the annual call for nominations and engagement with dozens of prominent women judges, to the creation of award-winning content packages featuring written profiles, cybersecurity business leadership and video interviews.
Recommendations received
2 people have recommended Tom