Workshop Resources: OWASP Threat and Safeguard Matrix (TaSM)
Cybersecurity Club - Learning, Networking & Connecting
Dark Marc · Apr 01, 2026

The Cybersecurity Club recently hosted a global workshop on building stronger digital defenses using the OWASP Threat and Safeguard Matrix (TaSM). The session was led by Ross Young, the framework's creator, who served at the CIA and NSA before holding senior positions at several major financial institutions. Nearly 300 professionals from ten countries across North America, Europe, Africa, Asia, and Australia registered for the event, which blended expert guidance, live demonstrations, and hands-on collaboration.

» Not a Cybersecurity Club member yet? Join here! (It's FREE)

A Practical Framework for Modern Security

The workshop opened with an introduction to TaSM, an OWASP project Ross created to help organizations identify their most significant risks and align safeguards across people, processes, and technology. Traditional security models organize controls by technology layers. TaSM takes a different approach, organizing defenses by material threats such as phishing, ransomware, web application attacks, and third-party data loss. It then aligns corresponding safeguards with the NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, and Recover. This approach helps teams visualize how their safeguards work together to prevent, detect, and recover from attacks.

"We're so focused on checking the box instead of asking: are we actually secure?" — Ross Young, creator of the OWASP Threat and Safeguard Matrix, speaking at the Cybersecurity Club Workshop (2026)

From Theory to Application

Ross brought the framework to life by running four common threats through the TaSM model, demonstrating how organizations can populate the matrix and use it to stress-test their defenses.
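As an added example (not code from the workshop or the OWASP project), here is a small Python model of the matrix: rows are material threats, columns the five NIST functions, and a gap check reports every function that has no safeguard at all. The phishing row is populated with the safeguards the workshop mapped; the class and function names are assumptions of this example.

```python
"""Minimal Threat and Safeguard Matrix (TaSM) with gap detection.
Rows are material threats, columns the five NIST CSF functions, cells the
safeguards relied on; empty cells are the gaps the workshop surfaced."""
from collections import defaultdict

NIST_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


class TaSM:
    def __init__(self):
        # threat -> {function -> [safeguards]}; every row starts with all five columns empty
        self.cells = defaultdict(lambda: {f: [] for f in NIST_FUNCTIONS})

    def add(self, threat, function, *safeguards):
        if function not in NIST_FUNCTIONS:
            raise ValueError(f"unknown NIST function: {function}")
        self.cells[threat][function].extend(safeguards)

    def counts(self, threat):
        """Safeguards per function; a lopsided profile shows over-investment in one column."""
        return {f: len(s) for f, s in self.cells[threat].items()}

    def gaps(self):
        """{threat: [functions with no safeguard at all]} - the cells to prioritise."""
        return {t: [f for f in NIST_FUNCTIONS if not row[f]]
                for t, row in self.cells.items()}

    def render(self):
        """Plain-text table, one row per threat, one column per NIST function."""
        width = 24
        lines = ["Threat".ljust(width) + "".join(f.ljust(width) for f in NIST_FUNCTIONS)]
        for threat, row in self.cells.items():
            depth = max(len(v) for v in row.values()) or 1  # lines needed for this threat
            for i in range(depth):
                label = threat if i == 0 else ""
                lines.append(label.ljust(width) + "".join(
                    (row[f][i] if i < len(row[f]) else "-").ljust(width)
                    for f in NIST_FUNCTIONS))
        return "\n".join(lines)


def build_workshop_matrix():
    """Phishing row as mapped in the workshop; Identify and Respond were not named there."""
    m = TaSM()
    m.add("Phishing", "Protect", "MFA", "Email security gateway", "User training")
    m.add("Phishing", "Detect", "Deception technology", "EDR")
    m.add("Phishing", "Recover", "Disclosure templates", "Tabletop exercises")
    return m
```

Calling `build_workshop_matrix().gaps()` returns `{"Phishing": ["Identify", "Respond"]}`, which is exactly the "strong on protection, thin on response" imbalance the matrix is meant to make visible.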
For each threat, he identified the relevant NIST functions and asked where gaps existed. With phishing, for example, the Protect column drew in MFA, email security gateways, and user training, while Detect mapped to deception technology and EDR tools, and Recover pointed to disclosure templates and tabletop exercises. The matrix made visible whether an organization was over-invested in protection but under-prepared to respond.

He applied the same structure to ransomware, web application attacks, and third-party data loss, each time using the matrix to surface missing controls and prioritize where investment would have the most impact.

The exercise reinforced TaSM's central idea: cybersecurity isn't about checking boxes but about building defense-in-depth. By mapping material threats to safeguards across all five NIST functions, the framework helps teams understand how their people, processes, and technologies work together as an integrated system rather than isolated controls.

Confronting AI Data Security Risks

During the live workshop, Ross led participants through filling out the TaSM matrix for a real-world scenario: preventing sensitive data leaks into AI tools such as ChatGPT and Google Gemini. The concern is practical: employees routinely paste sensitive internal data into AI tools without realizing it may be stored, used for training, or exposed.

"Sensitive data leaks into AI tools are already happening. The question is whether you can see it and stop it." — Ross Young

Working through the matrix together, attendees proposed a mix of technical and procedural safeguards including data loss prevention systems, cloud access security brokers, SASE VPNs, LLM proxies, and user training. Ross emphasized that policies must be backed by technical enforcement, monitoring, and legal response procedures to be truly effective.

"Policies alone don't stop attacks. You need technical enforcement, monitoring, and legal response ready to go." — Ross Young

Measuring What Matters

Effective security programs rely on a small set of meaningful metrics, not an overwhelming list. Ross suggested that limiting focus to roughly ten indicators is far more valuable than tracking everything. Every metric should include three elements: current status, trend, and goal. That structure applies whether tracking Mean Time to Remediate (MTTR), configuration compliance against CIS Benchmarks or DISA STIGs, phishing click and reporting rates, or third-party vendor certifications like ISO 27001 or SOC 2. The goal is to give CISOs a way to show measurable improvement to executive teams rather than just reporting activity.

The Future of Automated Security

The session closed with a look at what comes next. Ross Young's new company, Clear Capabilities, is building AI agents to automate cybersecurity tasks such as threat modeling, architecture reviews, and compliance documentation. He predicted that using tools like Claude Code and Google Gemini to program in plain language will soon be a standard skill for cybersecurity professionals, enabling faster and more adaptive defenses.

"Before, you probably had to go learn computer science, learn a hard programming language like C++, Java, Rust or something else. Now the programming language is English." — Ross Young

Resources and Further Learning

The following resources were shared during the workshop to help participants learn more about the OWASP TaSM framework, apply it in their own environments, and stay connected with Ross Young's work.

#1 OWASP Threat and Safeguard Matrix (TaSM) Project
The OWASP TaSM Project is a framework by Ross Young that maps real-world threats to safeguards aligned with the NIST Cybersecurity Framework. It helps teams move from compliance checklists to practical, defense-in-depth planning.

#2 TaSM Template
The TaSM Template is a downloadable worksheet that lets teams build their own Threat and Safeguard Matrix, identify coverage gaps, and prioritize security investments.

#3 Cybersecurity Tools Murder Board
The Cybersecurity Tools Murder Board is a structured review process that challenges every security tool's value, exposing redundancy and waste so only high-impact, threat-aligned technologies remain.

#4 CISO Tradecraft Podcast
The CISO Tradecraft Podcast, hosted by Ross Young and G Mark Hardy, offers leadership and technical insights for CISOs, covering strategy, communication, and emerging security trends.

#5 Clear Capabilities on LinkedIn
Clear Capabilities on LinkedIn is the official page for Ross Young's company developing AI agents that automate cybersecurity tasks like threat modeling and compliance documentation.

#6 Ross Young on LinkedIn
Ross Young's LinkedIn profile features updates on cybersecurity strategy, AI automation, and his work with OWASP TaSM, Clear Capabilities, and CISO Tradecraft.

#7 Cybersecurity's Dirty Secret: Why Most Budgets Go to Waste
Cybersecurity's Dirty Secret is Ross Young's book showing how to cut waste, justify security spending, and build smarter defenses by focusing on real risk reduction instead of bigger budgets.

Key Takeaways

The workshop made clear that modern cybersecurity is shifting from compliance checklists to measurable, threat-driven defense. The OWASP Threat and Safeguard Matrix (TaSM) sits at the center of that shift, helping organizations see their safeguards as a connected system, aligning people, processes, and technologies to protect what truly matters. Through examples of phishing, ransomware, web application attacks, and AI data leaks, the session demonstrated how TaSM turns theory into a practical roadmap for resilience.

Across the discussion, several lasting takeaways emerged:

- Focus on material threats that could cause real business harm.
- Measure progress with a small set of clear metrics such as MTTR, phishing rates, and third-party assurance.
- Use AI and automation to scale critical security tasks like threat modeling and compliance validation.
- Treat cybersecurity as a business enabler, not a barrier.

Together, these ideas outline a blueprint for the next generation of defense: proactive, data-driven, and ready for the pace of AI-powered change.

Want to Attend the Next Workshop?

The Cybersecurity Club is a free global community for cybersecurity enthusiasts and professionals at every level. Join to stay up to date on upcoming events, access resources from past sessions, and connect with like-minded members from around the world.

» Join Cybersecurity Club