CISO Perspectives

CISO Blogs

Ransomware: When Policy Matters Most

As our cyber defense focus has shifted, so has the array of potential solutions. The choices we CISOs make in what we buy, and how, therefore matters. Best of breed may offer capability and expertise unavailable in bundled solutions. As a result, the good enough provided by bundled solutions may not be good enough anymore.

Selling to a CISO? Practice Empathy, Not Salesmanship

The Risk of Measuring Risk

Automated measuring of control effectiveness is a very good idea conceptually. Unfortunately, organisations can’t confidently say their controls are really deployed everywhere they’re expected.

When software reaches EOL, it means that program will no longer be supported by the developer and there will be no more updates. Without updates and bug fixes, this software becomes vulnerable to hackers and cyber criminals.

Stagehand: S1 Episode 4

Keith and I left the scene like we found it: the two kidnappers dead on the floor, their shotgun up against the wall, and the rope used to tie up Carl Timmons sprawled out on the floor. We tipped off local law enforcement and were gone before they arrived, leaving no trace we were ever there.

SecOps Needs More Democratization, Not Less SOC

The increasing complexity of technologies, the growing number of failures and attacks, and a growing dependency on business goals are changing the way we run Security Operations Centers. While bringing business experts into a SOC function might help security professionals align better with the business and set SOC strategy, it will not address all the scalability and agility problems inherent in a SOC.

Measuring a Cyber Awareness Culture

Regulators and auditors are asking more frequently about organizations’ cybersecurity awareness and cultural programs. The sooner these organisations begin empowering their employees, the sooner they will improve their cybersecurity posture.

CISO Interviews

A Conversation with Greg Crabb – Part 1

Greg Crabb is a Virtual CISO and former CISO and Vice President for the United States Postal Service. He, in fact, is a third-generation postal employee. In part 1 of this interview, Greg shares how he got started in the cybersecurity industry 26 years ago, how to keep the business running without compromising security, and what 80’s movie inspired him to get into federal law enforcement.

This Investment Will Help CISOs Keep Their Jobs

In the words of renowned cybersecurity technologist and author Bruce Schneier, “Amateurs hack systems, professionals hack people.” Organizations must invest in employee security and awareness programs. Employees engaged in cybersecurity think about security and risk on a daily basis, but what about a frenetic office receptionist, busy ER nurse, or overworked lawyer? Recurring security awareness programs, on a quarterly basis for example, keep security on the forefront of employees’ minds and help mitigate the human errors that cost organizations millions and often CISOs their jobs.

2 Things All CISOs Must Do When Assessing Vendors

When businesses transitioned last year to remote work and accelerated their digital transformation initiatives to accommodate this shift, it created a golden opportunity for hackers. While businesses implemented new digital services, one problem became glaringly apparent: third-party risk. CISOs who want an easy solution for cloud vendor assessment can use the Consensus Assessments Initiative Questionnaire (CAIQ). However, if CISOs need to vet non-cloud providers, there are two recommendations they must consider.

This Is How All CISOs Should Build a Business Case

Whether you’re deciding what to wear or where to eat, having options is ideal. The same is true when it comes to presenting your business case to your CIO or Board of Directors: you’re better off if you can give them options. Present them with three options: 1) a bare-minimum, 2) a centrist, and 3) a best-case, no-holds-barred approach to your cybersecurity program or a strategic initiative. This lets them know you’ve done your homework and it puts the onus on the decision maker, not you.

CISO Street recently interviewed Bryan Kissinger, CISO for Trace3 and author of “The Business Minded CISO.” In this video, Bryan discusses the best approach for building a business case for a security program.

THIS Is Why There Was an Increase in Malware Clickbait

When employees started working from home so, too, did the hackers. The rampant digital transformation opened up vulnerabilities for organizations that prioritized moving to digital quickly over moving to digital securely. Many organizations saw phishing emails containing malicious Zoom links or malware disguised as COVID-19 related webpages. Hackers easily took advantage and attacked these vulnerable devices now residing outside of the organization.

These Cloud Challenges Could Knock You Back Down to Earth

The cloud made the transition to working from home during the pandemic a lot easier. Applications like Office 365 allowed employees to transition from the corporate office to the home office with little disruption. The successful shift to telework proved that if an employee has a good internet connection, he or she can work from practically anywhere. Organizations continue to move systems and workflows to the cloud with the realization that the shift to remote work may stick even after everyone has been vaccinated. Buyers must beware, though, as this rush to the cloud brings plenty of challenges and invites risk.

CISO Panels

These Risks Are Changing the Threat Landscape

The threat landscape has changed dramatically since the start of the pandemic. Ransomware attacks have sharply increased and shifted in severity from standard to double extortion attacks. As organizations transitioned to a remote workforce, the threat landscape moved into the home, creating a whole host of vulnerabilities. A growing reliance on third parties, including cloud and SaaS services, put access to sensitive data like PII, PHI, and IP outside the corporate firewall. The best way to defend against this new threat landscape is to get in front of these risks. This means security needs to be top of mind all the time.

Are You Doing Enough To Prevent Ransomware Attacks?

There is no silver bullet when it comes to preventing ransomware attacks. The best way to thwart an attack is to get back to basics. Require multi-factor authentication. Limit access to the network. Implement a zero-trust policy. Run user training programs. These are not the only steps CISOs should take, but they are necessary for building a secure foundation. Threat actors have banded together for decades to engineer attacks, but now it’s the “good guys’” turn to come together, share knowledge, and create processes to mitigate the risk of a ransomware attack.

Ransomware: To Pay or Not To Pay?

Picture this: you’re a CISO at a hospital rushing from meeting to meeting, fielding calls in between, when suddenly you get the call. Bad actors infiltrated your system and are holding your digital assets for ransom. They’re demanding $500,000 or they’ll release your data. Data recovery isn’t your only concern. Many of these systems are literally keeping patients alive. What do you do?

How Good Is Your Cyber Intelligence?

When CISOs can see their organization’s data and track its lateral movement, they significantly mitigate the risk of a cyber attack or data breach. To achieve this level of cyber intelligence, your tools must be able to talk to each other. This includes the people in your organization who have access to your data; they must be able to talk to each other. With cyber intelligence, you can visualize the vulnerabilities in your organization. Without it, CISOs have only a matter of time before a threat actor takes advantage of the holes in their network.

Does Your IR Plan Include These Components?

The whole organization, not just the security team, needs to know how to respond when a cybersecurity incident occurs. Putting together an incident response plan that’s comprehensive and effective therefore can be a daunting task. Is it easy for management to execute? Is it easy for staff to follow? Do you conduct periodic table-top exercises? When was the last time you ran one? If you’re not sure where to start, or want to refresh your current IR plan, watch this video.

Information Sharing: What to Share, With Whom, & How

There’s more to information sharing than calling the Feds. You also need to inform your partners in the event of a cybersecurity incident, not just third parties but fourth and fifth parties, too. You need to consider what information to share and how to share it. If your Microsoft Exchange server was exploited, for example, sharing information via email is far from advisable. Information sharing can be especially difficult for smaller organizations that may not have established processes for it. All organizations must establish processes that include information sharing and also demonstrate its value to their employees.
