How you store data and where will have a huge impact on your program’s scope, operations, and technical decisions. As every organization has different business processes and technologies, each data classification project is going to be different, too.
The potential for catastrophic supply chain attacks is mind-boggling when you consider a typical organization does business with hundreds, if not thousands, of third parties. The question isn’t whether your organization’s cyber threat vectors are expanding. You already know the answer is “yes.” The real question is what do you do about it?
Carl Timmons: CISO of Illuminating Solutions, a data analytics firm, forty-seven years old, never been married. Last Thursday, Carl arrived in San Jose on business. He was picked up by a company car and driven to The Manifeld Hotel. He was last seen leaving the hotel Thursday night. By Friday afternoon Lincoln Palmer, the CEO of the hedge fund that owns a majority stake in Illuminating Solutions, was on the phone with me.
You may be naturally inclined to conceal risks from the prying eyes of concerned leadership that may reflect poorly on you or your team, but you must resist the temptation.
If you don’t communicate cyber security matters – including organizational failures – from the people who run the business, you harm the organization.
Mobile devices and applications have drastically reshaped the way we do business. More change is on the horizon as voice recognition, virtual and augmented reality, and artificial intelligence create new customer interfaces and business platforms. But is new technology driving the increased sense of risk?
If you’re a CISO, your Board generally knows who you are and what you do. But do you know who they are? No Board is monolithic. Each Board member brings unique value to the Board. Each is selected for what they add to the Board’s perspective, vision, and decisions. If you know your Board, you can tailor your message to your audience and avoid some potential surprises.
Endre Jarraux Walls is the Executive Vice President and CISO for Customers Bancorp and Customers Bank. His accolades include: a top 40 under 40 leader in the greater Philadelphia region, a top 10 global CISO, and an American Cyber Awards honoree. He received a BS in Information Technology from Capella University in Minnesota and Accelerated Management Program Certificate from Yale University’s School of Management for Executive Education.
In our third and final interview with Greg Crabb, the Virtual CISO and former CISO and Vice President for the United States Postal Service, he shares the changes he’s seen in cybersecurity during his career and what’s surprised him the most. Greg also explains the 4 C’s of innovation, what’s kept him active during the pandemic, and which family member plans to follow in his footsteps.
In part 2 of this three-part interview, Greg Crabb, Virtual CISO and former CISO and Vice President for the United States Postal Service, discusses how he sees the CISO role evolving. Greg proposes a new title for CISOs, who he feels CISOs should report to, and outlines what a CISO should do in their first 90 days on the job. He also shares an interesting story about what event preceded him joining the US Postal Service.
Greg Crabb is a Virtual CISO and former CISO and Vice President for the United States Postal Service. He, in fact, is a third-generation postal employee. In part 1 of this interview, Greg shares how he got started in the cybersecurity industry 26 years ago, how to keep the business running without compromising security, and what 80’s movie inspired him to get into federal law enforcement.
In the words of renowned cybersecurity technologist and author Bruce Schneier, “Amateurs hack systems, professionals hack people.” Organizations must invest in employee security and awareness programs. Employees engaged in cybersecurity think about security and risk on a daily basis, but what about a frenetic office receptionist, busy ER nurse, or overworked lawyer? Recurring security awareness programs, on a quarterly basis for example, keep security on the forefront of employees’ minds and help mitigate the human errors that cost organizations millions and often CISOs their jobs.
When businesses transitioned last year to remote work and accelerated their digital transformation initiatives to accommodate this shift, it created a golden opportunity for hackers. While businesses implemented new digital services, one problem became glaringly apparent: 3rd party risk. CISOs who want an easy solution for cloud vendor assessment can use the Consensus Assessments Initiative Questionnaire (CAIQ). However, if CISOs need to vet non-cloud providers, there are two recommendations they must consider.
CISO Street recently interviewed Bryan Kissinger, CISO for Trace3 and author of “The Business Minded CISO.” In this video, Bryan discusses the best approach for building a business case for a security program.
Once employees began working remotely, the insider threat moved outside of the network and into homes. Most insider attacks are unintentional, however, CISOs must prepare for and respond quickly to sabotage. CISOs should aspire to have full visibility and control of who in the organization handles sensitive data like financial information and customer records. By doing so, insider risk is somewhat mitigated. CISOs must also ensure the entire workforce is cyber resilient. It’s not enough for employees to know phishing attacks are threat; they must also know how to defend against them.
Supply chain cyberattacks have increased dramatically since the start of the pandemic. To mitigate this risk, CISOs need a vendor risk management strategy that includes knowing which vendors have their data, what type of data they have, and where they store it. A defined patch management strategy also helps CISOs mitigate supply chain risk. If you receive a patch notification from a vendor, you should trust that it’s a good patch. You should, however, test that patch within a secure environment before releasing it into the network. In other words, adopt a trust but verify approach.
New challenges are coming to light as employees return to the office. One near term challenge CISOs must be aware of is balancing a workforce in which some employees work in the office while others remain at home. Some employees fear their careers will stall if they continue to work from home, compared to their in-office coworkers who get daily face time with upper management. Will the fear of not being promoted outweigh the fear of returning to the office? Only time will tell.
Cyber-crime complaints increased 69% from 2019, according to the FBI’s 2020 Internet Crime Report. It’s no surprise therefore that industries are now setting higher standards and requirements, especially in the government sector where a breach could have catastrophic consequences. The Cybersecurity Maturity Model Certification, or CMMC, is a unified standard designed to enhance the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC measures an organization’s ability to protect FCI and CUI and applies to over 300,000 DoD contractors. Requiring CMMC certification is a good first step for setting a security standard, but there is still a lot more organizations can do to protect classified information.
As more working adults receive vaccinations, it’s time for CISOs to create their post-pandemic plans. These plans must address employee concerns about returning to the office, protocols for employees who wish to continue to work remotely, and whether or not the organization will employ out-of-state talent. CISOs must consider these and other important questions as business leaders start to look ahead.
Being an effective leader is difficult during ordinary times, let alone during a global pandemic. Covid completely changed our lives, including the way we work. The best leaders adjusted quickly. CISOs, no strangers to adaption, led this change in many companies. The pandemic’s effects will be felt long after the last person is vaccinated. Business and security leaders therefore must continue to evolve in how they lead and defend their organizations against cyberattacks. Secure remote technologies, beef up security education and awareness for employees, and even mix up daily board briefs. These and other examples keep businesses nimble and responsive. They also keep employees alert and engaged.
Since the global pandemic chased everyone indoors, Zoom web meetings have become the new normal. We will figure this out. Eventually.
CISOs somehow maintain a sense of humor, despite the stress and frustration inherent in their jobs. And we’re all better for it.
CISOs have a lot of patience. Patience however is a virtue that can be tested from time to time. As the old saying goes, if you’re not a part of the solution…
Managing vendors, partners and suppliers can be a dirty job. What do soap and your supply chain have in common?
CISOs in higher education have a unique challenge. They must protect their network from hackers, like CISOs in other industries, but there’s a select group of people on college campuses that are even scarier than hackers…