Chief Information Security Officer (CISO)

In Such Transformative Times, the CISO Is Key to Delivering Digital Trust

For organizations today, staying competitive means undergoing rapid digital transformation, yet few appear to have a solid approach for handling the security and privacy implications of such a change. However, ensuring organizations adapt while also retaining a high level of digital trust is exactly where the chief information security officer (CISO) can help. CISOs are adept at reviewing the security of digital crown jewels — sensitive, business-critical data — aligning security to business goals, and ensuring that disruptive technologies such as artificial intelligence (AI), internet of things (IoT) devices and augmented reality are adopted with adequate security and privacy controls.

Conveniently, there are resources to guide CISOs on how to engage on these issues. One such resource is PwC’s “Digital Trust Insights” report, which replaces their long-running Global State of Information Security Survey (GSISS) series with a broader view of cyber risks awaiting the cognitive enterprise. The report — which is based on a survey of 3,000 executives and only about a dozen pages — provides advice for CISOs, boards and business executives to rally around key issues of digital trust as they work to build a reasonably secure digital world.

Get Security Involved Early On

It will come as no surprise to anyone in cybersecurity that the best way to avoid costly and awkward security fixes — or worse, an embarrassing and damaging breach — is to bring in the security function early on in a project. The stakes are even higher for digital transformation projects. While 91 percent of companies executing transformations bring in security and privacy as stakeholders, only 53 percent are proactively managing security and privacy risks “fully from the start.” This varies somewhat by sector, and as expected, the financial services sector is in the lead with 66 percent engaging security and privacy from the start, followed by the healthcare sector (65 percent). The consumer markets sector comes in last, at 49 percent.

Bringing in stakeholders from cybersecurity and privacy from the very beginning of transformation initiatives is key. As the report noted, “Most respondents say emerging technologies are critical for business, but fewer are very confident they have sufficient ‘digital trust’ controls in place.” This is reflected in the survey results: 4 out of 5 organizations report that the IoT is critical to at least some parts of their business, yet only 39 percent are “very comfortable” with the digital trust controls deployed alongside their IoT adoption.

Early involvement of the security function will also improve alignment of security efforts with the business, a concern that was raised in the report as few organizations regularly assess that their security controls, frameworks and strategies are still appropriate in light of the digitization of the enterprise and the changing privacy landscape.

Review Security Talent and Workforce Awareness

In most organizations, the security function is already stretched thin and thus not in a position to handle the many new challenges posed by an organization undergoing rapid digital transformation. When the CISO is spending most of his or her time fighting fires or pleading for budget and support, there is little time left to review high-level security strategy, ensure appropriate privacy controls around sensitive data, and adequately communicate enterprisewide security issues to top leadership and the board. Another concern is the low number of organizations that report having a security awareness program (34 percent), and even fewer require training on privacy policies and practices (31 percent).

The way forward is to perform a workforce gap assessment specifically for the cybersecurity and privacy functions, and to commit to filling key roles in security and privacy with the required level of talent. In addition, organizations should review and update — or implement if absent — policies about their IT assets and sensitive data. Security awareness campaigns should be conducted regularly, but avoid the one-size-fits-all web-based approach. Instead, look for or create engaging security awareness materials and evaluate the effectiveness of each campaign. As attackers are continuously refining their tactics, so should you with your security awareness activities.

Improve Communications and Engagement With the Board

As years go by, we get further validation that an increasing number of CISOs are providing the board with updates about cyber risks. Findings from the PwC report echo this progression, with 80 percent of organizations stating their board was provided a risk management strategy. However, only 27 percent of organizations report being “very comfortable” that the board is getting adequate metrics on cyber risk management. Instead, a greater number, 29 percent, report being “uncomfortable” with the adequacy of information reported.

Changing the nature of the engagement between the CISO and the C-suite will take time. But the change needs to get under way, starting with communicating how threats, regulations and third-party risks impact the organization’s cyber risks. CISOs should focus on producing metrics that track the risks to business objectives and how security activities are having a measurable impact to bring those risks down to an acceptable level. Greater emphasis should be placed on the nature and quality of interactions between the CISO and the decision-makers rather than having the CISO deliver a quarterly five-minute broadcast about the organization’s security posture.

Instead, CISOs should spend a little more time learning about their audience, what drives each line of business and their particular concerns, provide materials to prime questions ahead of time, and actively invest in their relationship with the rest of the C-suite and business directors.

Test Cyber Resilience and Improve Strategies

While awareness, engagement and being there from the start are important, the only way to know for sure that the organization is prepared to deal with a data disruption or full-blown cyberattack is to put its cyber defenses to the test. Testing the cyber resilience of the organization can take many forms, depending on the level of the staff or the executives involved. The PwC report found that fewer than half of mid-to-large organizations are “very comfortable” that they have adequately tested their cyber resilience.

Once again, the CISO can and should play a key role on this issue, but doesn’t have to start from an empty slate. Several key organizations have produced reports on cyber resilience, some written specifically for the C-suite and the board, while others were written with chief information officers (CIOs) and CISOs specifically in mind.

Among the many resilience reports available are those from IBM Security and Ponemon Institute, the World Economic Forum (WEF) and the U.S. Department of Homeland Security (DHS). The latter defines resilience in cyberspace as the “ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.” Organizations should evaluate their ability to adapt to changing conditions and threats, including adapting organizational strategies; prepare for (including anticipating and planning ahead of disruptions); withstand (an area that should be tested more regularly than during the yearly pen test); and recover from an adverse event.

The CISO Is Key to Successful Digital Transformation

“Companies that show the connected world how to lead in safety, security, reliability, privacy, and data ethics will be the titans of tomorrow.” — PwC “Digital Trust Insights” report

Becoming a cognitive enterprise will require major changes, changes that can shake the foundation of trust in the organization’s customers and partners. Organizations will need to balance digital innovation with cyber resilience by ensuring early engagement of the security function in major projects and seeking whole-enterprise visibility and awareness of digital risks. The CISO is key to the organization maintaining a high level of digital trust in such transformative times.

This post appeared first on Security Intelligence
Author: Christophe Veltsos

The Language of Business: Where the Board of Directors and Security Leaders Can Meet

A few years back, a business association asked me to deliver a cybersecurity presentation. I knew some in attendance would report back to their respective board of directors, and I expected it to be a challenging session because cybersecurity knowledge and literacy would be all over the map.

It’s a situation I’ve encountered regularly. I remember in one session with about 40 people, I asked what they thought “cybersecurity” meant. Somehow, I think I got 45 different answers. Even within an organization’s board of directors, people who absolutely need to be part of the cybersecurity conversation today, you’d likely get the same variance in responses.

But I welcomed the session because it gave me an opportunity to pilot a new presentation tactic. The presentation focused more on business in general and business development as opposed to cybersecurity, and the presentation style was so outside-the-box, I was actually nervous.

To Engage the Board, Talk Business, Not Cybersecurity

Going in, I knew some of the attendees expected to hear some cybersecurity techno-babble. I did none of that. Instead, I used the simplest possible language and cartoons to disarm these senior leaders for one reason: I wanted them to feel comfortable and able to talk freely about that bogeyman topic, cybersecurity.

By focusing on business and risk instead of cybersecurity, everybody in the room was fully tuned in. Cybersecurity was just color.

You see, by avoiding the technical nature of cybersecurity, the participants made the mental jump from “cybersecurity as an IT issue” to “cybersecurity as a business and risk issue.” They saw how cybersecurity issues could impact and influence their business development plans or pose growth problems. I remember one participant emphatically saying to the group, “You just made me understand this cybersecurity thing isn’t my IT department’s problem … it’s my problem!”

And just like that, you have a new teammate.

CSOs Are From Mars, CISOs Are From Venus and the Board of Directors Are From Andromeda

There has been a great deal of discussion on whether you should have a chief information officer (CIO), chief security officer (CSO) or chief information security officer (CISO), who should do what, what reporting chains should look like, and the need for this type of specialist. The good news is that there is increased interaction between these security leaders and CEOs and the board of directors. It’s a step in the right direction.

But interaction is not enough; it’s speaking the same language that matters. To do that, you actually need to know what you’re in the business of. No two organizations are alike.

As a general observation, I’ve found that security professionals sometimes have difficulty understanding what drives business in their organization. Reading financial statements and appreciating the importance of cash flow may not be a core competency of security teams, but in practice, they should be.

The same can be said for understanding supply chains, knowing who the key customers and vendors are, and determining which costs can really impact the organization’s ability to generate revenue or meet its business mission. These are all issues that senior leaders and the board of directors care about.

Now, these same issues do not necessarily fall within a security professional’s area of responsibility, but the ability to demonstrate business acumen gives the security professional incredible influence with these other players. Therefore, if security employees can demonstrate that they have more than a one-track mind, they may suddenly find more allies within the organization.

Your Job Is to Keep the Business Going

To keep the business going, you need to know how it works. That’s why asking the right business operations questions will make all the difference. You shouldn’t be asking your colleagues, “How long can you go without a computer?” (The answer almost certainly will be, “I can’t.”) Instead, you should be asking, “You don’t have a computer for 72 hours, how do we keep the business going?” Or, “If we lose network capability for 48 hours, how do we survive the downtime?” You get the idea. Note the emphasis on teamwork.

Ask the right questions the right way and you’ll be better prepared to:

To Improve Your Cybersecurity Posture, You Need to Understand the Business

Most successful business leaders understand that rocky times are part of the normal business cycle. The best even expect rocky times, especially during business development phases. That’s not what worries them.

What worries them is if the organization has the ability and resources to weather the storm. For this reason alone, IT and security professionals need to be able to talk business to the C-suite and the board of directors, especially if new security products need to be added into the organization’s portfolio.

Make Life Easy for Your Board of Directors

With increased pressure on the board of directors to play a more active role in cyber risk governance, it is incumbent on internal cybersecurity professionals to learn what makes the organization tick by talking return on investment, cost, growth metrics, cash flow, business development, resource management and so on. If you can speak the language of business, you are better positioned to demonstrate the value of cybersecurity investments to senior leaders. You’re making their life easier, which in turn makes your life easier.

So whether it’s a few online business basics and governance courses or talking with your nonsecurity colleagues about what drives the business, it’s a worthwhile investment in the grand scheme of things.

I understand these business spaces can sometimes make security employees uncomfortable. But if you can master the business language, you’ll suddenly find yourself not galaxies apart from your C-suite colleagues and board members, but rather in the same room, working together to meet the most pressing cybersecurity and business needs of the organization. That’s a good place to be.

Author: George Platsis

A Busy IT Infrastructure Can Lead to Security Disaster

Who doesn’t love new technology, especially when it promises to make tasks easier and improve productivity? That eagerness to add new technology — something IT staff often encourages security leadership to do — has led to the digital transformation, the use of digital technology to solve problems. Smartphones, tablets and cloud computing have been leading the way in the workplace’s digital makeover, but the growing popularity of the internet of things (IoT) could totally change the look of IT infrastructure.

However, digital transformation isn’t all fun and games for security staff. While security teams may enjoy new technology, it can also add cybersecurity complications, particularly when these technologies share an infrastructure.

The PCI-Compliant Vending Machine

During his keynote address at CPX 360 in February, Jeff Schwartz, vice president of North American engineering at Check Point, told a story of the upgraded break room vending machine. Because fewer people carry paper money or loose change, a company decides to upgrade its snack machine to take credit cards. That’s great news for the employee who wants his or her 3 p.m. chip fix but only uses plastic to pay.

However, as Schwartz pointed out, now that the vending machine accepts credit cards, it must follow payment card industry (PCI) compliance standards. If that gets overlooked, the vending machine could end up costing the company in fines. The vending machine will also be hooked up to the internet so it can process the transactions. Now it is at risk of being hacked. If the vending machine is hacked, it opens a door for threat actors to enter your network.

So, what initially looked like a convenience turned into a security headache. With the growth of the IoT and digital transformation, expect this to become a burgeoning risk vector. As Schwartz told his audience, shared resources and IT infrastructure create more opportunities to lose data.

Increased Reliance on Technology Impacts Risk

Simply put, new technology almost always has an impact on risk. New endpoints offer new potential openings for threat actors to exploit. That’s not saying that we don’t need or want the technology; instead, to better secure networks and data, we need to better understand what’s going on with those new endpoints.

With the IoT, devices, appliances and machinery we once never gave a second thought to are all now connected to the internet — but what do you know about that connectivity? New elevators are now smart elevators, for example, so not only are they adding another endpoint to your network, they are also collecting data.

A device such as an elevator is likely controlled by a third party, meaning that they also have access to the network and data. If the building is shared by a dozen companies, you add in a mixture of data and networks. Who is in charge of the security for the elevator? Who is responsible for the data collected and its protection? What do you know about the elevator company’s security practices? Did you even think you had to worry about the elevator?

Be Mindful of Customer Data

Digital transformation is accomplished not just with business efficiency in mind, but also for customer convenience. In fact, your customers want an easier interaction with your company, and that often comes through technologies such as artificial intelligence (AI), machine learning (ML) and the IoT. Customer-facing AI, such as chatbots, can improve customer communications, for example.

“Customer expectations are far exceeding what you can really do,” George Westerman, principal research scientist with the MIT Sloan Initiative on the Digital Economy, told CIO. “That means a fundamental rethinking about what we do with technology in organizations.”

So, yes, customers have high expectations for the technology your company uses to facilitate better consumer relationships. However, thanks to high-profile data breaches and increasing awareness about data privacy regulations, customers also want to make sure their data is safe. In fact, Schwartz noted in his speech that you shouldn’t be surprised if consumers begin to make their purchasing decisions based on the way your company collects, uses and stores customer data.

Are You in Control of Your IT Infrastructure?

This takes us back to shared IT infrastructure. It isn’t a matter of knowing what endpoints are on the network and collecting data, but how those endpoints have shifted as technology shifts. Having a coffee pot operated by an app is a great convenience for your staff, but how does that impact data gathering? Same with that chatbot: It is certainly a convenient and perhaps cost-efficient way to build customer relations, but your security team better know how the conversations are collected and how the company uses that data or it could turn into a privacy nightmare.

We are still learning how much information sharing is happening on some infrastructures. For example, a smart TV may be an excellent way for an organization to view sensitive corporate or consumer (e.g., a patient in a hospital room) information, but at the same time, employees (or that patient) could use that same TV to tune into their Netflix or Hulu account during their lunch break. Suddenly, you have corporate data mingling with personal data. If it turns out that Netflix is the victim of a data breach, that sensitive corporate data is now at risk.

The more common the IoT and other emerging technologies become in the workplace, the more chief information security officers (CISOs), IT leaders and other decision-makers will need to consider the overall impact of every device using that IT infrastructure. It isn’t a matter of what is connected to your network, but how it is connected and whether you are able to control that connection’s security.

Author: Sue Poremba

Speak the Board’s Language to Communicate the Value of Security

Security teams often complain that the board doesn’t give them the investment they need, the proper level of attention or acknowledgment for a job well done. After all, an attacker only needs to get lucky once, but defenders need to be successful every time. Part of the problem is how security teams communicate risk to their boards. How can they get the value of security across in a way that resonates with business leaders?

Why Our Fear Tactics Aren’t Working

From talking to security teams in a range of industries, it’s clear that part of the challenge is in how we in the security industry measure success. Security is a complex and broad subject that demands deep technical knowledge across a broad range of subjects. When communicating the value of security to those not in the industry, we tend to retreat into talking about confidentiality, integrity and availability. Surprisingly, we still lead with data breaches and confidentiality attacks far more than anything else, sticking to a tried-and-true formula when, for most people in this share-everything age, the loss of availability is a far more terrifying prospect.

The trouble with this approach is that we are falling afoul of another bad habit of security professionals, which is using fear, uncertainty and doubt (FUD) to scare management into giving us the investment, time and kudos we want. Sadly, this formula doesn’t really work because it’s vulnerable to a basic counterposition: “We didn’t do this security stuff before and we are still here; why would that change?” We can talk until we’re blue in the face about increasing cybercrime levels, state actors, hacktivists and dark web marketplaces where those who lack the skills to create their own can buy entire malware tool kits — but no matter how urgent these risks, the board tends to put them on the back burner.

It’s important to keep in mind that cybersecurity is only one of many issues the board needs to worry about. The IT director of a global car manufacturer once told me, “Any spare money we have goes into improving the design of our cars.” Of course this is the right approach: Don’t invest in cybersecurity and you might suffer from an attack, sell a product inferior to that of your competition and you might go out of business, and so on. On top of this, the board has lots of other boring issues to worry about, such as paying staff and suppliers, taxes, meeting new regulations, marketing, sales — the list goes on.

The Department of Yes: How to Make Security Relevant to the Board

So what is to be done? Is the fate of security to always be swept under the rug, relegated to a dark corner of the office, doing amazing things to keep the company safe despite a severe lack of cybersecurity investment? If we stick to the FUD approach, the answer is yes. But it doesn’t have to be that way.

Over the last 10 years, security teams have endeavored to shed their reputation as a “department of no” and become more engaged with the rest of the organization, helping to drive innovation and support their colleagues in developing the business. Now, it’s time for us security professionals to take the next step and start communicating in terms the business side finds exciting.

It is far more interesting, for example, to talk about improving the time it takes to bring someone into the business, or how to improve customer and staff experiences when using our IT systems. In a recent series of pilots IBM conducted for a client, we were tasked with making security relevant. We looked at threats to confidentiality, integrity and availability — so far, everything was normal. But then we looked at how they related to a series of business outcomes.

These business outcomes were financial, operational, regulatory and organizational. Some of these areas are self-explanatory, but within the organizational outcomes, we not only considered matters such as governance, but also subjects such as employees’ experience with their IT systems. In this cutthroat world, where companies struggle to find qualified employees and moving jobs is the norm, it is vitally important to make your organization an attractive place to work, and having good IT is an essential part of that. If business leaders bake intelligent security processes into the organization, they can make all processes faster and more automated and improve the efficiency of the whole business.

Align Business Goals to Prove the Value of Security

Obviously, translating security outcomes in a business context is anything but straightforward. However, by doing so we are better equipped to communicate in a language the board understands and can relate to. Suddenly, it makes perfect business sense to invest in cybersecurity; it means something in terms of the cost of running the business, being more competitive and delivering a better service to customers.

Even better, money spent on cybersecurity is no longer considered a necessary evil at worst or an insurance policy at best. Instead, the company’s cybersecurity investment has knock-on downstream returns that can be measured. Now, the security team is not only a valued part of the business, but it’s even aligned with the board’s goals and values. If you are adding value to the business, it’s easy to show why an investment in security makes sense.

Author: Gavin Kenny

Adopting the NIST 800-53 Control Framework? Learn More About the Anticipated Changes in 2019

The final version of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5 is on the horizon for 2019. What does the initial public draft tell us about what we can expect in its final version? Even more importantly, what does it mean for organizations seeking to adopt the new guidelines?

NIST SP 800-53 Revision 5 is expected to deliver major updates to the existing fourth revision, which was originally published in 2013. Since its inception, this publication has been the de facto guideline for security control implementations, security assessments and Authorization to Operate (ATO) processes for government information systems. There are many draft changes in the fifth revision, but one of the most significant impacts is that it marks a departure from limiting the control sets to federal information systems. The framework is now recommended for all systems in all industries.

In addition to control baseline updates, other major changes NIST anticipates will be in the final version include:

  • A requirement that organizations designate a senior management official responsible for managing the security policies and procedures associated with each control family.
  • A change in the structure of the controls to be more outcome-based, which leads to increased clarity, consistency and understanding.
  • Full integration of privacy controls into the security control catalog to create a consolidated view of all controls.
  • The addition of two new privacy control families: Individual Participation (IP) and Privacy Authorization (PA).
  • A Program Management (PM) control family that nearly doubles in scope (including additional emphasis on privacy and data management).
  • New appendices to detail the relationship between security and privacy controls.

What Will NIST 800-53 Rev. 5 Mean For Organizations?

The changes expected in the fifth revision touch on a variety of subjects and affect a wide range of business and security functions. Below are some areas that will be particularly affected and considerations that will have a significant impact on how organizations manage their security programs.

Senior Management Ownership

First and foremost, leadership accountability is given much greater emphasis across the framework. Organizations will need to identify key senior management personnel to own specific policy efforts and oversight actions for the life of each system. By driving accountability from the top down, organizations stand to benefit from executive sponsorship of security policies and gain better visibility into the effectiveness of governance controls and the organization’s overall security status.

Data Privacy

Dedicated privacy control families and new privacy guidance woven into existing controls drive greater focus on privacy and sensitive data management. Privacy needs to be ingrained into all aspects of cybersecurity now and in the future, especially with new regulations in place to protect personal data. Organizations may need to review their org chart to ensure it provides the most effective strategic alignment between C-suite, security and privacy teams. Ownership of control implementations between security and privacy will be a key decision point when transitioning to the final release of Revision 5 in the near future.

Third-Party Assessments

NIST SP 800-53A will undergo a fifth revision in conjunction with the updates to SP 800-53. This is the companion document third-party assessors use as part of the ATO process to determine the effectiveness of control implementations and evaluate risk posture. Implementing and adapting the updated controls will be crucial to new or existing ATO renewals in the long term.

How Can Business Leaders Enhance Security Over Time?

Chief information officers (CIOs), chief information security officers (CISOs) and other organizational leaders need to start thinking about how to advance security and privacy initiatives in unison to achieve business goals and manage risk effectively. The update to NIST 800-53 will affect each organization differently. It’s still important to perform due diligence to determine how the final changes apply in each unique situation; however, as a whole, adopting the recommended guidelines serves to unify security standards and help all organizations strengthen their security posture as the threat and regulatory landscapes evolve.

Additional information and the full list of changes in the NIST 800-53 Revision 5 draft can be found on the NIST website, along with the publication schedule.

The post Adopting the NIST 800-53 Control Framework? Learn More About the Anticipated Changes in 2019 appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Jason Yakencheck


Taming Global Cybersecurity Risks Requires a Concerted Cyber Resilience Effort

Cyber risks have been a top concern of global leaders for a while now, with cyberattacks appearing four times as a top-five risk by likelihood in the past decade. This year, leaders ranked two technological risks in the top 10 by impact: cyberattacks in seventh place and critical information infrastructure breakdown in eighth place. To combat these global risks, organizations must improve their cyber resilience efforts.

In February 2019, the World Economic Forum (WEF) released a special report titled “Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards,” which supplements a prior report on cyber resilience issued in 2017. In light of the interconnectedness of organizations and ecosystems today, I’d argue that the report’s main principles can apply well beyond the electrical industry. Examples of other ecosystems that could be severely disrupted — or, worse, catastrophically impacted — by cyberattacks or cyber failures include the global banking sector, global stock exchanges, and the transportation sector and its supporting infrastructure.

We Need a Systemwide View of Resilience

Of course, it is easier to mentally conceive of the impacts of cyber risks on the electrical grid as they relate to our way of life; many of us have had the displeasure of living through a blackout, where the noise of our busy lives suddenly gives way to the deafening silence of a powered-down world. However, as organizations begin to understand and take stock of the interconnectedness of their supply chains and the intricate nature of their business partnerships, the cyber risk discussion must evolve from internally focused defenses and reactions into a larger systemwide view of resilience.

To help guide global stakeholders — government leaders, boards of directors, top leadership, and IT and security leaders — the WEF resilience report provides a number of principles that organizations should follow and governments should keep a close eye on. Failure to act now, while we still can — and can do so at a reasonable cost — could lead to systemic shocks and engender cascading failures on a scale never seen before.

While the idea of “stress tests” has been used many times in the financial sector, its applicability to our connected world is long overdue. But it all starts at the top, with a strong governance principle.

The Governance of Cyber Resilience

Over the past decade, there has been a shift in the boardroom to pay increasing attention to the issues of cybersecurity and cyber risks. Instead of leaving those issues for IT to deal with, board directors have rightfully become more engaged in overseeing management’s activities and, by extension, ensuring that the organization is as cyber resilient as it needs to be.

At the board level, resilience in the cyber realm isn’t about asking, “Are we doing something?” or, “What are we doing?” but rather, “How well are we doing?” and, “How do we know we would be able to recover from a cyber outage?” The WEF report provides several questions for boards to ask of top leadership and chief information security officers (CISOs), such as:

  • How much operational technology (OT) do we have? How much crossover is there between OT, IT and physical security? Could an issue in one domain move into another?
  • Have roles and responsibilities for each area — resilience for IT, OT and physical — been defined? How well do these areas collaborate or integrate with one another, as opposed to operating in silos?
  • What processes and structures are in place to “ensure a coordinated cyber resilience strategy” across the organization?

For the CISO, this is an opportunity to be more of a strategic partner and adviser to top leadership and the board, to shed much-needed light on just how well the organization is prepared to detect, contain and recover from a cyber disruption. However, having the board’s support is key to helping the CISO break what are otherwise longstanding barriers and the “this is how we’ve always done it” attitude. With that support, the CISO can work to integrate cyber risk management into all business decisions.

Resilience by Design

One of the most striking differences between IT and OT is their very different design imperatives. Most of IT was designed with short component lifetimes (3–5 years), a preference for confidentiality (at least when compared to expectations for OT components), and expectations that delays, while inconvenient, are part of the IT ecosystem as components are replaced, upgraded or simply patched.

By contrast, OT components are designed to last 10 to sometimes 20 years, with high-availability requirements under near real-time conditions, meaning there’s never a good time to take OT systems down for maintenance or patching.

It is thus critical to design and deploy cyber resilient components for new IT and OT systems and closely monitor existing systems already in place. On this front, board directors are told to ask questions such as:

  • How are cyber risks considered and accounted for at the onset of new projects and in current operations, across the business?
  • How does management ensure that appropriate controls have been put in place, and how is the effectiveness of those controls evaluated and monitored? Just how cyber resilient are current systems?
  • How does leadership communicate the importance of cyber resilience throughout the organization and enable cross-functional information flows?

The good news is that boards and management can empower their CISO and the rest of the security function to take the lead on providing answers to these questions. The bad news is that looking at the organization as an island isn’t the right approach; we must consider the whole ecosystem.

Reciprocal Impacts Between Organizations and Ecosystems

Boards are also coming to grips with the reality that compliance isn’t sufficient to safeguard their organization’s operations and profits given the complex, highly interconnected ecosystems they operate within. With this realization, boards are asking better questions and engaging in enterprise risk conversations to drive important topics, such as the availability and distribution of security resources and budgets, and a more holistic approach to enterprise risk management that goes beyond compliance to also include risk appetite and alignment with organizational goals and strategy.

Beyond the internal focus, boards are also asking top leadership to look outward, to ensure that management is aware and understands how changes and disruptions in the ecosystem can impact the organization and, conversely, how disruptions in the organization’s own IT and OT could impact the wider ecosystem.

This focus goes beyond the routine of third-party vendor assessments and the management of those particular risks to include a broader view of the risks posed to the organization by the ecosystem and vice versa: highest external risks and their impacts, reputational risks, external dependencies and procurement process agility, testing and integration of new systems, and preparedness against cascading failures originating outside the organization.

Collaborate and Test Across Your Ecosystem

With the realization that “we’re all in this together,” boards want to learn how effectively their organizations are collaborating with the rest of the ecosystem in planning and testing cyber resilience. What mechanisms are in place to share best practices and alerts (e.g., the various Information Sharing and Analysis Centers in the U.S.)? What government resources or bodies are available to interface with? How does management ensure that it is aware of relevant information that may be shared with the organization via those channels? How is information received through such channels used for strategic decisions by management?

A clear example of this commitment to collaboration across the ecosystem for the betterment of all is the Charter of Trust, which leading global companies such as Siemens, Airbus, Allianz, Daimler and IBM have signed on to as a way “to strengthen trust in the security of the digital economy.” The 10 principles outlined in the Charter of Trust are fully aligned with, and reinforce the commitment of, the management of each of those companies to creating a better, safer digital ecosystem for us all.

While collaboration and sharing of threat information and best practices is key, the entire ecosystem would be left in a highly fragile state if peers and competitors didn’t also collaborate to prepare and test their cyber resilience plans. Once again, the CISO is well-placed to be part of those discussions and exercises, to help evaluate just how well the ecosystem can respond to and recover from a cyber incident.

Top leadership and board directors are coming to grips with the need for their organizations — together with their peers and competitors in the ecosystem — to be more resilient to cyber attacks and disruptions. CISOs, who now have a seat at the table, must play a leading role in this effort.

The post Taming Global Cybersecurity Risks Requires a Concerted Cyber Resilience Effort appeared first on Security Intelligence.

Author: Christophe Veltsos


Creating Meaningful Diversity of Thought in the Cybersecurity Workforce

The other day, I learned something that great French winemakers have known for centuries: It is often difficult to make a complex wine from just one variety of grape. It is easier to blend the juice from several grapes to achieve the structure and nuance necessary to truly delight the palate.

We are similarly relearning that building diversity into the cybersecurity workforce allows us to more easily tackle a wider range of problems and get to better, faster solutions.

Essential New Facets of Diversity

I don’t want to strain the metaphor too much, but we can certainly learn from our winemaking friends. Just as they search for juice with attributes such as structure, fruitiness and acidity, we search for ways to add the personal attributes that will be accretive to the problem-solving prowess and design genius of our teams. One of my personal quests has been to add the right mix of business skills to the technical teams I have had the honor to lead.

On my personal best practice adoption tour, I have made many familiar stops. I learned and then taught Philip Crosby’s Total Quality Management system and fretted about our company’s whole-product marketing mastery in the ’90s (thank you, Geoffrey Moore, author of “Crossing the Chasm”). Over the last 15 years, I implemented ITIL, lean principles and agile development (see the “Manifesto for Agile Software Development”), applied core and context thinking (“Dealing with Darwin”) to help my teams establish skill set development plans, and used horizon planning (introduced in “The Alchemy of Growth” by Baghai, Coley and White) to assign budget.

Throughout this journey, I kept trying to add the best practices that were intended for development, manufacturing and marketing to the mix. I was just not content to “stay in my lane.” I did this because I believe that speaking the language of development, manufacturing and marketing — aka the language of business — is essential for technology and security.

Innovation and the Language of Business

As a security evangelist, I have long advocated that chief information security officers (CISOs) must learn how to be relevant to the business and fluent in the language of business. A side benefit I did not fully explore at the time was how much the diversity of thought helped me in problem-solving.

We have been discovering the value of diversity of thought through programs such as IBM’s new collar initiative and the San Diego Cyber Center of Excellence (CCOE)’s Internship and Apprenticeship Programs. IBM’s initiative and the CCOE’s program rethink recruiting to pull workers into cybersecurity from adjacent disciplines, not just adjacent fields.

Toward the end of my stay at Intuit, I participated in a pilot program that brought innovation catalyst training to leaders outside of product development. Innovation catalysts teach the use of design thinking to deliver what the customer truly wants in a product. While learning the techniques I would later use to coach my teams and tease out well-designed services — services that would delight our internal customers — I was struck by an observation: People of different job disciplines didn’t just solve problems in different ways, they brought different values and valued different outcomes.

So, another form of diversity we should not leave out is the diversity of values derived from different work histories and job functions. We know that elegant, delightful systems that are socially and culturally relevant, and that respect our time, our training and the job we are trying to do, will have a higher adoption rate. We struggle with how to develop these systems with built-in security because we know that bolted-on security has too many seams to ever be secure.

To achieve built-in security, we’ve tried to embed security people in development and DevOps processes, but we quickly run out of security people. We try to supplement with security-minded employees, advocates and evangelists, but no matter how many people we throw at the problem, we are all like Sisyphus, trying to push an ever-bigger rock up an ever-bigger hill.

The Value of Inherently Secure Products

The problem, I think, is that we have not learned how to effectively incorporate the personal value and social value of inherently secure products. We think “make it secure too” instead of “make it secure first.” When I think about the design teams I’ve worked with as I was taking the catalyst training, the very first focus was on deep customer empathy — ultimate empathy for the job the customer is trying to do with our product or service.

People want the products they use to be secure; they expect it, they demand it. But we make it so difficult for them to act securely, and they become helpless. Helpless people do not feel empowered to act safely, they become resigned to being hacked, impersonated or robbed.

The kind of thinking I am advocating for — deep empathy for the users of the products and services we sell and deploy — has led to what I believe, and studies such as IBM’s “Future of Identity Study” bear out, is the imminent elimination of the password. No matter how hard we try, we are not going to get significantly better password management. Managing 100-plus passwords will never be easy. Not having a password is easy, at least for the customer.

We have to create a new ecosystem for authentication, including approaches such as the intelligent authentication that IAmI provides. Creating this new ecosystem gives us an opportunity to delight the customer. Writing rules about what kinds of passwords one can use and creating policies to enforce the rules only delights auditors and regulators. I won’t say we lack the empathy gene, but our empathy is clearly misplaced.

Variety Is the Spice of the Cybersecurity Workforce

As we strive to create products and services that are inherently secure — aka secure by design — let’s add the diversity of approach, diversity of values and advocacy for deep customer empathy to the cybersecurity workforce diversity we are building. Coming back to my recent learning experience, I much prefer wines that were crafted by selecting grape attributes that delight the palate over ones that were easy to farm.

The post Creating Meaningful Diversity of Thought in the Cybersecurity Workforce appeared first on Security Intelligence.

Author: Bill Bonney


The Biggest Stories From RSAC 2019: What Scares the Cybersecurity Experts?

RSAC 2019 has officially wrapped. The reported attendance at San Francisco’s Moscone Center was more than 42,500, but to anyone who was there, it seemed like there were at least 60,000 security professionals on the ground. Whether or not you attended, there was no possible way to take in all of the 31 keynotes, 621 sessions and more than 700 vendors in the business expo. Fortunately, the RSA show website is filled with free materials, including on-demand presentation videos, conference blog posts and slide decks to capture what you missed.

When you’re at a show as large as RSAC 2019, it’s only natural that you’ll discover perspectives that are new and, sometimes, at odds. The conference brings together luminaries and cybersecurity experts from diverse fields such as research, government, industry and nonprofit sectors. This can result in tension, like the clash in perspectives between cryptography experts and government officials around privacy rights on the show’s opening day.

The diverse viewpoints at RSAC can also facilitate intensive collaboration around much-needed solutions, such as the mini-track on Wednesday dedicated to the growing need for public interest technologists. When the perspectives of chief information security officers (CISOs) and experts at RSAC 2019 are viewed as a continuum, you can begin to see a story emerging about the state of cybersecurity in 2019 and what organizations should pay attention to moving forward.

Your Security Ecosystem Matters

In the business expo, presentations and in conversations with CISOs, there was a very real sense that the industry is moving away from distributed security solutions and products. Security leaders and vendors are increasingly realizing the risks of deploying too many standalone solutions that don’t talk to each other. It’s costly and it doesn’t create better security results for many organizations. The industry is beginning to emphasize the value of a single-pane-of-glass approach.

Rob Westervelt, research director at the International Data Corporation (IDC), believes the growing complexity of security solutions has created gaps in coverage in the enterprise because many organizations don’t understand the capabilities of the technology they have deployed. When you’re trying to manage a complex security stack, it can easily create issues with misconfiguration and policies that aren’t uniform across the enterprise.

Infrastructure Attacks Could Become a Nightmare

There was, unsurprisingly, a heightened focus on the risks of infrastructure-level attacks at the conference. Former CIA director and former secretary of defense Leon Panetta’s biggest nightmare is a malware attack that disables critical parts of U.S. infrastructure. As reported by ZDNet, Panetta believes that this nature of attack has the potential to be a “digital Pearl Harbor” with millions of lives lost.

Open Collaboration and New Releases

RSA Conference 2019 invariably hosts exciting new tech announcements, including the National Security Agency (NSA)’s Ghidra reverse engineering tool for open collaboration among security researchers. Reverse engineering is the technical practice of taking code of unknown origin, including malware, and analyzing components to understand the code’s capabilities. It’s a primary focus among security researchers to understand and stop emerging threats, including zero-day viruses and advanced persistent threats (APTs).

IBM announced its X-Force Red Blockchain Testing service to test vulnerabilities in blockchain platforms in the enterprise. IBM’s X-Force Red security team will provide services to test the back-end processes for networks powered by blockchain, including a comprehensive analysis of chain code, public key infrastructure, hyperledgers and the applications used for access control. In addition, this service will also assess hardware and software applications that are usually used to control access and manage blockchain networks.

Maintain Trust With Digital Risk Management

Rohit Ghai, president of RSA, is scared of the “cataclysmic results” of a possible future in which trust no longer exists. He defines trust as the ability for an organization to understand and manage risk. Ghai believes that mechanisms to ensure trust — and the presence of trust — are critical for enterprise IT to work effectively.

Ghai urged organizations to “think of security as a risk management problem; focus on minimizing impact.” To maintain an effective environment where trust can exist, Ghai advised companies to adopt solutions for digital risk management, including automated solutions for risk identification and silent security.

The Most Dangerous Hacks Are Dynamic

In a highly anticipated panel discussion, researchers from the SANS Institute presented their top exploits. Ed Skoudis, Heather Mahalik and Johannes Ullrich highlighted the risks of DNS hijacking, domain fronting and, increasingly, targeted attacks on an organization via compromised cloud accounts. According to Mahalik, attackers are increasingly learning to leverage information stored in public cloud services and using this data against users and enterprises.

Security Isn’t Funny

The final keynote at RSAC 2019 was a conversation with comedian, actress and writer Tina Fey. When asked if she saw any similarities between comedy and cybersecurity, Fey simply responded, “No.” Cybersecurity isn’t funny to Fey, and many of the 42,500 attendees at the RSA conference would likely agree with her.

Fey proceeded to draw similarities between her experience in improv comedy, perhaps inspired by her time on Saturday Night Live, and how she thinks organizations can improve. According to Fey, both improv groups and cybersecurity teams need to trust peers, collaborate and practice extensively to improve.

This perspective was echoed by IBM Security General Manager Mary O’Brien in her joint keynote with IBM Security Vice President Caleb Barlow, “Change Your Approach to Get It Right.”

“I think it’s time to rewrite our playbook,” O’Brien said. “As an industry, we face unrelenting waves of new attacks and business challenges … we need to be exponentially better.”

O’Brien called for open collaboration in the organization and new agile working models for companies. She encouraged organizations to forget everything they thought they knew about perfect security to move forward.

“We need a culture that knows failing is part of making progress, a culture that encourages other points of view and new ways of operating,” she said.

RSAC 2019 in Review

As RSAC 2019 is reviewed over the next days and weeks, it’s clear cybersecurity is no longer simply the IT department’s responsibility. CISOs are sitting closer to the board. Cybersecurity is an increasingly political and cultural issue, and new public interest technologists are needed to create effective policy and progress in government.

Threats and risks continue to evolve, and few attendees at RSAC would argue that the old ways of doing things can move anyone forward. We need new models, new security ecosystems and new types of cybersecurity experts for the industry to become “exponentially better.”

The post The Biggest Stories From RSAC 2019: What Scares the Cybersecurity Experts? appeared first on Security Intelligence.

Author: Jasmine Henry


How CISOs Can Facilitate the Advent of the Cognitive Enterprise

Just as organizations are getting more comfortable with leveraging the cloud, another wave of digital disruption is on the horizon: artificial intelligence (AI), and its ability to drive the cognitive enterprise.

In early 2019, the IBM Institute for Business Value (IBV) released a new report titled, “The Cognitive Enterprise: Reinventing your company with AI.” The report highlights key benefits and provides a roadmap to becoming a cognitively empowered enterprise, a term used to indicate an advanced digital enterprise that fully leverages data to drive operations and push its competitiveness to new heights.

Such a transformation is only possible with the extensive use of AI in business and technology platforms to continuously learn and adapt to market conditions and customer demand.

CISOs Are Key to Enabling the Cognitive Enterprise

The cognitive enterprise is an organization with an unprecedented level of convergence between technology, business processes and human capabilities, designed to achieve competitive advantage and differentiation.

To enable such a change, the organization will need to leverage more advanced technology platforms and must no longer be limited to dealing only with structured data. New, more powerful business platforms will enable a competitive advantage by combining data, unique workflows and expertise. Internal-facing platforms will drive more efficient operations while external-facing platforms will allow for increased cooperation and collaboration with business partners.

Yet these changes will also bring along new types of risks. In the case of the cognitive enterprise, many of the risks stem from the increased reliance on technology to power more advanced platforms — including AI and the internet of things (IoT) — and the need to work with a lot more data, whether it’s structured, unstructured, in large volume or shared with partners.

As the trusted adviser of the organization, the chief information security officer (CISO) has a strong role to play in enabling and securing the organization’s transformation toward:

  • Operational agility, powered in part by the use of new and advanced technologies, such as AI, 5G, blockchain, 3D printing and the IoT.

  • Data-driven decisions, supported by systems able to recognize and provide actionable insights based on both structured and unstructured data.

  • Fluid boundaries with multiple data flows going to a larger ecosystem of suppliers, customers and business partners. Data is expected to be shared and accessible to all relevant parties.

[Figure: relationship between data, processes, people, outside forces and internal drivers (automation, blockchain, AI). Source: IBM Institute for Business Value (IBV) analysis.]

Selection and Implementation of Business Platforms

Among the major tasks facing organizations embarking on this transformation is the need to choose and deploy new mega-systems, equivalent to the monumental task of switching enterprise resource planning (ERP) systems — or, in some cases, actually making the switch.

The choice of a new platform will impact many areas across the enterprise, including HR and capital allocation processes, in addition to the obvious impact on how the business delivers value via its product or service. Yet, as the IBM IBV report points out, the benefits can be significant. Leading organizations have been able to deliver higher revenues — as high as eight times the average — by adopting new business and technology platforms and fully leveraging all their data, both structured and unstructured.

That said, having large amounts of data doesn’t automatically translate into an empowered organization. As the report cautions, organizations can no longer simply “pour all their data into a data lake and expect everyone to go fishing.” The right digital platform choice can empower the organization to deliver enhanced profits or squeeze additional efficiency, but only if the data is accurate and can be readily accessed.

Once again, the CISO has an important role to play in ensuring the organization has considered all the implications of implementing a new system, so governance will be key.

Data Governance — When Security and Privacy Converge

For the organization to achieve the level of trust needed to power cognitive operations, the CISO will need to drive conversations and choices about the security and privacy of sensitive data flowing across the organization. Beyond the basic tenets of confidentiality, integrity and availability, the CISO will need to be fully engaged on data governance, ensuring data is accurate and trustworthy. For data to be trusted, the CISO will need to review and guarantee the data’s provenance and lineage. Yet the report mentions that, for now, fewer than half of organizations have developed “a systemized approach to data curation,” so there is much progress to be made.

Organizations will need to balance larger amounts of data — several orders of magnitude larger — with greater access to this data by both humans and machines. They will also need to balance security with seamless customer and employee experiences. To handle this data governance challenge, CISOs must ensure the data flows with external partners are frictionless yet also provide security and privacy.

AI Can Enable Improved Cybersecurity

The benefits of AI aren’t limited to the business side of the organization. In 2016, IBM quickly recognized the benefits cognitive security could bring to organizations that leverage artificial intelligence in the cybersecurity domain. As attackers explore more advanced and more automated attacks, organizations simply cannot afford to rely on slow, manual processes to detect and respond to security incidents. Cognitive security will enable organizations to improve their ability to prevent and detect threats, as well as accelerate and automate responses.

Leveraging AI as part of a larger security automation and orchestration effort has clear benefits. The “2018 Cost of a Data Breach Study,” conducted by Ponemon Institute, found that security automation decreases the average total cost of a data breach by around $1.55 million. By leveraging AI, businesses can find threats up to 60 times faster than via manual investigations and reduce the amount of time spent analyzing each incident from one hour to less than one minute.

Successful Digital Transformation Starts at the Top

Whether your organization is ready to embark on the journey to becoming a cognitive enterprise or simply navigating through current digital disruption, the CISO is emerging as a central powerhouse of advice and strategy regarding data and technology, helping choose an approach that enables security and speed.

With the stakes so high — and rising — CISOs should get a head start on crafting their digital transformation roadmaps, and the IBM IBV report is a great place to begin.

The post How CISOs Can Facilitate the Advent of the Cognitive Enterprise appeared first on Security Intelligence.

Author: Christophe Veltsos


An Apple a Day Won’t Improve Your Security Hygiene, But a Cyber Doctor Might

You might’ve begun to notice a natural convergence of cybersecurity and privacy. It makes sense that these two issues go hand-in-hand, especially since 2018 was littered with breaches that resulted in massive amounts of personally identifiable information (PII) making its way into the wild. These incidents alone demonstrate why an ongoing assessment of security hygiene is so important.

You may also see another convergence: techno-fusion. To put it simply, you can expect to see technology further integrating itself into our lives, whether it is how we conduct business, deliver health care or augment our reality.

Forget Big Data, Welcome to Huge Data

Underlying these convergences is the amount of data we produce, which poses an assessment challenge. According to IBM estimates, we produce 2.5 quintillion bytes of data every day. If you’re having problems conceptualizing that number — and you’re not alone — try rewriting it like this: 2.5 million terabytes of data every day.

Did that help? Perhaps not, especially since we are already in the Zettabyte era and the difficulty of conceptualizing how much data we produce is, in part, why we face such a huge data management problem. People are just not used to dealing with these numbers.

With the deployment of 5G on the way — which will spark an explosion of internet of things (IoT) devices everywhere — today’s Big Data era may end up as a molehill in terms of data production and consumption. This is why how you manage your data going forward could be the difference between surviving and succumbing to a breach.

Furthermore, just as important as how you will manage your data is who will manage and help you manage it.

Expect More Auditors

It’s not uncommon for larger organizations to use internal auditors to see what impact IT has on their business performance and financial reporting. With more organizations adopting some sort of cybersecurity framework (e.g., the Payment Card Industry Data Security Standard or NIST’s Framework for Improving Critical Infrastructure Cybersecurity), you can expect to hear more compliance and audit talk in the near future.

There is utility in having these internal controls. It’s a good way to maintain and monitor your organization’s security hygiene. It’s also one way to get internal departments to talk to each other. Just as IT professionals are not necessarily auditors, auditors are not necessarily IT professionals. But when they’re talking, they can learn from each other, which is always a good thing.

Yet internal-only assessments and controls come with their own set of challenges. To begin, the nature of the work is generally reactive. You can’t audit something you haven’t done yet. Sure, your audit could find that you need to do something, but the process itself may be very laborious, and by the time you figure out what you need to do, you may very well have an avalanche of new problems.

There are also territorial battles. Who is responsible for what? Who reports to whom? And my personal favorite: Who has authority? It’s a mess when you have all the responsibility and none of the authority.

Another, perhaps bigger problem is that internal controls may have blind spots. That’s why there is value in having a regular, external vulnerability assessment.

When It Comes to Your Security Hygiene, Don’t Self-Diagnose

Those in the legal and medical fields have undoubtedly been cautioned not to act as their own counsel or doctor. Perhaps we should consider similar advice for security professionals too. It’s not bad advice, considering a recent Ponemon Institute report found that organizations are “suffering from investments in disjointed, non-integrated security products that increase cost and complexity.”

Think about it like this: You, personally, have ultimate responsibility to take care of your own health. Your cybersecurity concerns are no different. Even at the personal level, if you take care of the basics, you’re doing yourself a huge favor. So do what you can to keep yourself in the best possible health.

Part of healthy maintenance normally includes a checkup with a doctor, even when you feel everything is perfectly fine. Assuming you’re happy with your doctor and have a trusting relationship, after an assessment and perhaps some tests, your doctor will explain to you, in a way that you are certain to understand, what is going on. If something needs a closer look or something requires immediate attention, you can take care of it. That’s the advantage of going to the doctor, even when you think you’re all right. They have the assessment tools and expertise you generally do not.

‘I Don’t Need a Doctor, I Feel Fine’

Undoubtedly, this is a phrase you have heard before, or have even invoked yourself. But cybersecurity concerns continue to grow, and internal resources remain overwhelmed by the volume of alerts they must respond to, by financial constraints and by understaffing. Therefore, some outside assistance may be not only necessary but welcome, as that feeling of security fatigue has been around for some time now.

There is an added wildcard factor too: I’m confident many of us in the field have heard IT professionals say, “We’ve got this” with a straight face. My general rule of thumb is this: If attackers can get into the U.S. Department of Defense, they can get to you, so the “I feel fine” comment could very well include a dose of denial.

When considering external assistance — really just a vulnerability assessment — it’s worth thinking through the nuance of this question: Is your IT department there to provide IT services, or is it there to secure IT systems? I suggest the answer is not transparently obvious, and much of it will depend on your business mission.

Your IT team may be great at innovating and deploying services, but that does not necessarily mean its strengths also include cybersecurity audits/assessments, penetration testing, remediation or even operating intelligence-led analytics platforms. Likewise, your security team may be great at securing your networks, but that does not necessarily mean it understands your business limitations and continuity needs. And surely, the last thing you want to do is get trapped in some large capital investment that just turns into shelfware.

Strengthen Your Defenses by Seeing a Cyber Doctor

Decision-makers — particularly at the C-suite and board level, in tandem with the chief information security officer (CISO) and general counsel — should consider the benefits of a regular external assessment by trusted professionals who understand not only the cybersecurity landscape in real time, but also the business needs of the organization.

It’s simple: Get a checkup from a cyber doctor who will explain what’s up in simple language, fix it with help if necessary and then do what you can on your own. Or, get additional external help if needed. That’s it. That semiannual or even quarterly assessment could very well be that little bit of outside help that inoculates you from the nastiest of cyber bugs.

The post An Apple a Day Won’t Improve Your Security Hygiene, But a Cyber Doctor Might appeared first on Security Intelligence.

Author: George Platsis