CISO Perspectives

CISO Blogs

Good Enough Isn’t Good Enough Anymore

As our cyber defense focus has shifted, so has the array of potential solutions. The choices we CISOs make in what we buy, and how, therefore matter. Best of breed may offer capability and expertise unavailable in bundled solutions. As a result, the "good enough" provided by bundled solutions may not be good enough anymore.

Data Classification: Building, and Pitching, a Rock Solid Program

The difference between the success and failure of a data classification program is a lack of action. The purpose of this blog post is to provide you with enough background and understanding to develop a plan. Here is a framework, something to develop into a plan and intelligently pitch to senior management. The following will give you the tools to persuade the required business leaders to implement a successful Data Classification program.

Stagehand: S1 Episode 3

Angela Freidman immediately breaks into tears when she realizes that the man she’d been spying on for her internet buddies was missing. Angela was an active member of several activist organizations that don’t believe billionaires should exist and used this information to get closer to a particularly radical activist that she’d “been crushing on.”

Five Best Practices to do Supply Chain Security Right

The potential for catastrophic supply chain attacks is mind-boggling when you consider a typical organization does business with hundreds, if not thousands, of third parties. The question isn’t whether your organization’s cyber threat vectors are expanding. You already know the answer is “yes.” The real question is what do you do about it?

Stagehand: S1 Episode 2

Carl Timmons: CISO of Illuminating Solutions, a data analytics firm, forty-seven years old, never been married. Last Thursday, Carl arrived in San Jose on business. He was picked up by a company car and driven to The Manifeld Hotel. He was last seen leaving the hotel Thursday night. By Friday afternoon Lincoln Palmer, the CEO of the hedge fund that owns a majority stake in Illuminating Solutions, was on the phone with me.

CISO Interviews

Our CMMC Panelists Answer Your Questions

Stacy Bostjanick, Director of CMMC Policy for the OUSD A&S, DoD, Mike Raeder, former Deputy CISO, Director Information Security for Northrop Grumman, and Alise Brzezinski, Practice Lead CMMC for Fortalice Solutions collaborated to answer viewer questions from our latest webinar, “Everything You Wanted to Know About CMMC Preparedness”. If you missed this webinar or would like to watch it again, you can view it below.

Want to Stress Out Your CISO? Here’s How.

Lots of C-level executives deal with stress. CISO stress, however, may be unlike most others. Poorly defined expectations, a lack of training for the role, and exclusion from broader strategic discussions can lead a CISO to drink. In fact, a recent survey revealed a disturbing number of CISOs deal with work-related stress by consuming alcohol or other forms of self-medication.

A Conversation with Brian Fricke

In this interview, Brian explains how he transitioned employees from the office to the home, the need to redefine normal in a post-pandemic world, how he balances the company’s security needs with employee productivity and how he sees the CISO role evolving. He also shares the strangest issue he’s faced as a CISO, and what he does every Friday morning to stay engaged with his team.

Want to Be a CISO? Know This First.

“Trust but verify” is a mantra CISOs have traditionally applied to IT security but are now embracing when vetting technologies and technology vendors. Confined by tight budgets and an aversion to shelfware, CISOs need to be extremely confident in their technology investments. Ultimately, referrals, not flashy demos, matter. So for technology vendors looking to sell to CISOs, make sure your current customers love your product before selling it to anyone else.

Referrals, Not Fancy Product Demonstrations, Impress CISOs

CISO Panels

What Cyber Resiliency and Broadway Have in Common

“The show must go on” is not just a famous Queen song or a mantra in showbiz. Whether your network suffers a failed software update, a big storm cuts off your supply chain, or you have a major breach, you must do everything you can to keep the business running. In other words, your organization must be resilient. One aspect of cyber resilience is establishing a business continuity and disaster recovery plan. Perhaps the most important aspect of resiliency, however, is the resiliency of your team. It’s important to keep in mind the impact a major incident can have on your employees, especially in a post-pandemic world.

Add This to Your IR Plan Before It’s Too Late

As the Scout motto states: Be prepared. Whether you’re camping in the woods, training for the Olympics, or practicing for a cyber incident, preparation is essential. With data security in general and incident response in particular, CISOs must ensure all members of the organization participate in monthly or quarterly table-top exercises. The traditional model – requiring employees to watch a training video once a year – is insufficient. Table-tops and incident training scenarios, while time consuming, are more than a best practice. They are essential for proper incident response preparedness.

Why CISOs Should Just Say “No” to Legacy Software

Too often organizations play roulette with their legacy systems, which is fine until it’s not. If organizations can’t kick their legacy software habit, they better be prepared to protect it. CISOs will inevitably need more budget to maintain the software and protect the data within it, which may ultimately cost more than the more current version. Given the higher risks and costs, CISOs should just say “no” to legacy software.

CISOs Aren’t Doing Enough to Mitigate Insider Risk. Are You?

Once employees began working remotely, the insider threat moved outside of the network and into homes. Most insider attacks are unintentional; however, CISOs must prepare for and respond quickly to sabotage. CISOs should aspire to have full visibility and control of who in the organization handles sensitive data like financial information and customer records. By doing so, insider risk is somewhat mitigated. CISOs must also ensure the entire workforce is cyber resilient. It’s not enough for employees to know phishing attacks are a threat; they must also know how to defend against them.

Cyberattacks Are Changing How CISOs Secure the Supply Chain

Supply chain cyberattacks have increased dramatically since the start of the pandemic. To mitigate this risk, CISOs need a vendor risk management strategy that includes knowing which vendors have their data, what type of data they have, and where they store it. A defined patch management strategy also helps CISOs mitigate supply chain risk. If you receive a patch notification from a vendor, you should trust that it’s a good patch. You should, however, test that patch within a secure environment before releasing it into the network. In other words, adopt a trust but verify approach.

All CISOs Must Read This Before Returning to the Office

New challenges are coming to light as employees return to the office. One near term challenge CISOs must be aware of is balancing a workforce in which some employees work in the office while others remain at home. Some employees fear their careers will stall if they continue to work from home, compared to their in-office coworkers who get daily face time with upper management. Will the fear of not being promoted outweigh the fear of returning to the office? Only time will tell.

CISO Sillies