NetSPI Blog

Ryan Wakeham

Ryan Wakeham has been with NetSPI since 2005 and has nearly 20 years of IT and cyber security experience. He holds a graduate degree in Information Security from the Georgia Institute of Technology and has a background that includes vulnerability testing, compliance advisory consulting, and security management program assessment & development. Over his years with NetSPI, Ryan has worked with clients ranging from Fortune 10 organizations and top US financial institutions to multinational retailers and global technology companies. For several years, Ryan led NetSPI’s pentesting team. In his current role, Ryan partners with NetSPI’s clients to better understand their security challenges and develop solutions to meet their needs.

Ryan Wakeham
September 22nd, 2013

The Value of Detective Controls

For as long as I can remember, security professionals have spent the majority of their time focusing on preventative controls. Things like patching processes, configuration management, and vulnerability testing all fall into this category. The attention is sensible, of course; what better way to mitigate risk than to prevent successful attacks in the first place? […]

Ryan Wakeham
December 12th, 2012

2013 Cyber Threat Forecast Released

The Georgia Tech Information Security Center and Georgia Tech Research Institute recently released their 2013 report on emerging cyber threats. Some of these threats are fairly predictable, such as cloud-based botnets, vulnerabilities in mobile browsers and mobile wallets, and obfuscation of malware in order to avoid detection. However, some areas of focus were a bit […]

Ryan Wakeham
October 15th, 2012

Thoughts on Web Application Firewalls

I recently attended a talk given by an engineer from a top security product company and, while the talk was quite interesting, something that the engineer said has been bugging me a bit. He basically stated that, as a control, deploying a web application firewall was preferable to actually fixing vulnerable code. Web application firewalls […]

Ryan Wakeham
June 22nd, 2012

Web Application Testing: What is the right amount?

It is becoming more common these days (though still not common enough) for organizations to have regular vulnerability scans conducted against Internet-facing, and sometimes internal, systems and devices. This is certainly a step in the right direction, as monthly scans against the network and service layer are an important control that can be used to […]

Ryan Wakeham
May 24th, 2012

Enterprise Vulnerability Management

Earlier this month, at the Secure360 conference in St. Paul, Seth Peter (NetSPI’s CTO) and I gave a presentation on enterprise vulnerability management. This talk came out of a number of discussions about formal vulnerability management programs that we have had both internally at NetSPI and with outside individuals and organizations. While many companies have […]

Ryan Wakeham
March 19th, 2012

Pentesting the Cloud

Several months ago, I attended an industry conference where there was much buzz about “The Cloud.” A couple of the talks purportedly addressed penetration testing in the Cloud and the difficulties that could be encountered in this unique environment; I attended enthusiastically, hoping to glean some insight that I could bring back to NetSPI and […]

Ryan Wakeham
February 7th, 2012

The Annual Struggle with Assessing Risk

In my experience, one of the security management processes that causes the most confusion among security stakeholders is the periodic risk assessment. Most major information security frameworks, such as ISO/IEC 27002:2005, the PCI Data Security Standard, and HIPAA, include annual or periodic risk assessments, and yet a surprising number of organizations struggle with putting together […]

Ryan Wakeham
October 26th, 2011

Why I Hate The Cloud

The Cloud is one of the “new big things” in IT and security, and I hate it. To be clear, I don’t actually hate the concept of The Cloud (I’ll get to that in a minute) but, rather, I hate the term. According to Wikipedia, cloud computing is “the delivery of computing as a service […]

Ryan Wakeham
October 12th, 2011

Mobile Devices in Corporate Environments

Mobile computing technology is hardly a recent phenomenon but, with the influx of mobile devices such as smartphones and tablet computers into the workplace, the specter of malicious activity being initiated by or through these devices looms large. However, generally speaking, an information security toolkit that includes appropriate controls for addressing threats presented by corporate […]