Category Archives: CISO

Most organizations suffered a business-disrupting cyber event

A study conducted by Ponemon Institute found that 60 percent of organizations globally had suffered two or more business-disrupting cyber events — defined as cyber attacks causing data breaches or significant disruption and downtime to business operations, plant and operational equipment — in the last 24 months. Further, 91 percent of respondents had suffered at least one such cyber event in the same time period. Despite this documented history of damaging attacks, the study found … More

The post Most organizations suffered a business-disrupting cyber event appeared first on Help Net Security.

Deception technology: Authenticity and why it matters

This article is the second in a five-part series being developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of the central role that authenticity plays in the establishment of deception as a practical defense and cyber risk reduction measure.

Requirements for authenticity in deception

The over-arching goal for any cyber deception system is to create target computing and networking systems and infrastructure that … More

The post Deception technology: Authenticity and why it matters appeared first on Help Net Security.

Can advancing cybersecurity techniques keep pace with new attack vectors in 2019?

A look back through a volatile 2018 has seen the cyber security landscape move towards an even more complex picture. This has been driven by the increased volume and diversity of threats and breaches, tools and network evolution. Security professionals have faced significant challenges in attack detection and mitigation, operating to the necessary policy and legal guidelines and growing teams with suitably-skilled personnel. None of these advances show any signs of slowing in 2019. However, … More

The post Can advancing cybersecurity techniques keep pace with new attack vectors in 2019? appeared first on Help Net Security.

Securing and managing the enterprise Internet of Things

A future where the Internet of Things spreads exponentially is almost certain. Seemingly everybody wants these devices: consumers for the helpful features and manufacturers for the ability to collect data about the product and consumers’ use of it. Paul Calatayud, Palo Alto Networks’ CSO for the Americas, sees the IoT evolving into a new form of distributed computing powered by 5G and ever-increasing bandwidth speeds. The result will be intelligent, programmable devices that operate without … More

The post Securing and managing the enterprise Internet of Things appeared first on Help Net Security.

Why the CISO’s Voice Must be Heard Beyond the IT Department

In a recent company board strategy meeting the CFO presented the financial forecast and outcome and made some interesting comments about fiscal risks and opportunities on the horizon. The COO

The post Why the CISO’s Voice Must be Heard Beyond the IT Department appeared first on The Cyber Security Place.

CISO challenges and the path to cutting edge security

Zane Lackey is the co-founder and CSO at Signal Sciences, and the author of Building a Modern Security Program (O’Reilly Media). He serves on multiple Advisory Boards including the National Technology Security Coalition, the Internet Bug Bounty Program, and the US State Department-backed Open Technology Fund. Prior to co-founding Signal Sciences, Zane led a security team at the forefront of the DevOps/Cloud shift as CISO of Etsy. In this interview with Help Net Security he … More

The post CISO challenges and the path to cutting edge security appeared first on Help Net Security.

Avoid Coal in Your Digital Stocking — Here’s How to Improve Your Security Posture in 2019

As 2018 draws to a close, it’s time to reflect on the strides the cybersecurity industry made over the past year, and how far companies around the world still have to go to improve their security posture. Throughout the year, businesses were plagued by cybersecurity risks and hit with massive data breaches. In the lead-up to the holiday season, security leaders across industries are wishing for a quiet 2019 with no negative data breach headlines.

5 Cybersecurity Missteps That Put Enterprises at Risk in 2018

What lessons did we learn in 2018? And as we look forward, what best practices can we implement to improve defenses in the new year? We asked industry experts where they observe the worst security practices that still leave enterprises exposed to cybersecurity risks, and they offered advice to help companies and users enjoy a merrier, brighter, more secure 2019.

1. Poor Password Policies

Although passwords are far from perfect as a security mechanism, they are still used pervasively in the enterprise and in personal life. Yet password policies are still rife with problems around the globe.

Idan Udi Edry, CEO of Trustifi, said the most foundational — and also most disregarded — cybersecurity practice is maintaining a strong password.

“A unique password should be utilized for every account and not reused,” said Edry. “It is important to update passwords every 30–90 days. Passwords should never include a significant word, such as a pet’s name, or a significant date, such as a birthdate.”

Deploying devices and appliances and then leaving default passwords in place is also still a shockingly common practice. A threat actor with knowledge of a manufacturer or service provider’s default password conventions can do a lot of damage to an organization with factory settings still in place.

Edry advised enterprises to employ two-factor authentication (2FA) to add more security to their access strategy. Douglas Crawford, digital privacy adviser for BestVPN, meanwhile, recommended encouraging employees to use a password manager.

“It is hard to remember strong passwords for every website and service we use, so people simply stop bothering,” said Crawford. “Use of ‘123456’ as a password is still scarily common. And then we use the same password on every website we visit. This [is] particularly irksome, as this entire security nightmare can be easily remedied through use of password manager apps or services, which do the heavy lifting for us.”
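As an added example (not code from the article or from any of the vendors quoted), the following Python check enforces the parts of the advice above that can be enforced by software: it rejects short passwords, common and factory-default passwords, passwords that embed the user's username, name, pet name or birthdate in the spellings people actually use (leet substitutions, separators, several date orderings), and passwords reused from a salted PBKDF2 history. The denylist, the user record and the PBKDF2 iteration count are constructed placeholders; in production the denylist would be a breached-password corpus and the history hashes would come from the directory.

```python
"""Password-policy check: minimum length, common/vendor-default denylist,
user-specific terms (username, name, pet, birthdate) and reuse against
a salted PBKDF2 history. Added example, not code from the article or
from the vendors quoted. DENYLIST is a constructed stand-in for a
breached-password corpus; the iteration count is a placeholder."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from datetime import date

MIN_LENGTH = 12
HISTORY_DEPTH = 10           # previous hashes to compare against
PBKDF2_ITERATIONS = 100_000  # placeholder tuning; prefer argon2/bcrypt in production

# Constructed denylist: common choices plus the kind of factory defaults
# that ship on appliances and network gear.
DENYLIST = {"123456", "password", "qwerty", "admin", "changeme", "letmein",
            "welcome1", "p@ssw0rd", "default", "root"}

# Leet substitutions undone before comparing against significant words,
# so 'F1uffy' still matches the pet name 'Fluffy'.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalise(text: str) -> str:
    """Lowercase, undo leet substitutions and drop separators."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_LEET))


def _date_variants(d: date) -> set[str]:
    """Digit strings people embed for a birthdate, e.g. 1990-04-23 ->
    19900423, 23041990, 04231990, 230490, 042390, 0423, 2304, 1990."""
    y, m, dd = f"{d.year}", f"{d.month:02d}", f"{d.day:02d}"
    return {y + m + dd, dd + m + y, m + dd + y, dd + m + y[2:],
            m + dd + y[2:], m + dd, dd + m, y}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def remember(password: str) -> tuple[bytes, bytes]:
    """Salt and hash an accepted password for the history list."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def check_password(candidate: str, user: dict, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the policy violations for `candidate` (empty list means acceptable).
    `user` holds the significant words to reject: username, name, pet and
    birthdate (a date or an ISO string). `history` is the user's previous
    (salt, hash) pairs, newest last."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in DENYLIST:
        problems.append("common or vendor-default password")

    # Significant words: the whole value and each word of it, leet-normalised.
    norm = _normalise(candidate)
    for key in ("username", "name", "pet"):
        raw = str(user.get(key, ""))
        for word in [raw] + raw.split():
            term = _normalise(word)
            if len(term) >= 3 and term in norm:
                problems.append(f"contains {key} '{word}'")
                break

    # Birthdate: compare only the digits of the candidate against common orderings.
    birthdate = user.get("birthdate")
    if isinstance(birthdate, str):
        birthdate = date.fromisoformat(birthdate)
    digits = re.sub(r"\D", "", candidate)
    if birthdate and any(v in digits for v in _date_variants(birthdate)):
        problems.append("contains birthdate")

    # Constant-time comparison against each stored hash; one hit is enough.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash(candidate, salt), digest):
            problems.append("reused from password history")
            break
    return problems
```

The check returns every violation rather than the first one, so the user can be told exactly what to change. Expiry intervals are an operational policy decision and are deliberately not encoded here; the history check is what actually stops a "rotated" password from being the old one again.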

2. Misconfigured Cloud Storage

Earlier this year, researchers from Digital Shadows uncovered more than 1.5 billion sensitive files stored in publicly available locations, such as misconfigured websites and unsecured network-attached storage (NAS) drives.

“Unfortunately, many administrators misconfigure [these buckets] rendering the contents publicly-accessible,” wrote Michael Marriott, senior strategy and research analyst with Digital Shadows.

The information uncovered included a treasure trove of personal data, such as payroll, tax return and health care information — all available to prying eyes thanks to overlooked security best practices in cloud storage.

“With the rise of mobility and cloud usage in enterprises, one of the worst security practices is leaving critical cloud services and SaaS applications open to the internet,” said Amit Bareket, co-founder and CEO of Perimeter 81.

It’s time to get proactive: inventory and analyze the potential exposures in your storage, then devise a plan to address the cloud data risks to your organization. It’s also important to remember that with any connected service, it is often better not to deploy at all than to deploy insecurely.
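The "open to the internet" failure is usually visible in the bucket policy long before anyone stumbles on the data. The following Python check, added here and not part of the article or of the Digital Shadows research, scans an S3-style bucket policy for Allow statements that let an anonymous principal (`*` or `{"AWS": "*"}`) read objects or list the bucket, and shows a constructed weak policy beside the corrected one. Bucket names, the account ID and the VPC endpoint ID are placeholders.

```python
"""Flag bucket-policy statements that grant anonymous read access.
Added example, not code from the article or from Digital Shadows.
The policies below are constructed; bucket names, the 123456789012
account ID and the vpce-0abc123 endpoint ID are placeholders."""
from __future__ import annotations

import fnmatch
import json

# Read-type actions whose anonymous grant exposes bucket contents or listings.
SENSITIVE_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value) -> list:
    """Policy grammar allows a string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """'*' or {'AWS': '*'} (possibly inside a list) means everyone, unauthenticated included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _covered(pattern: str) -> list[str]:
    """Sensitive actions an action pattern such as 's3:*' or 's3:Get*' matches (case-insensitive)."""
    return [a for a in SENSITIVE_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern.lower())]


def public_grants(policy: dict) -> list[dict]:
    """One finding per Allow statement that lets an anonymous principal read.
    'conditional' marks statements carrying a Condition block: a human must decide
    whether the condition (source VPC endpoint, source IP, ...) really limits access."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions: list[str] = []
        for pattern in _as_list(stmt.get("Action")):
            for action in _covered(pattern):
                if action not in actions:
                    actions.append(action)
        if actions:
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "actions": actions,
                "resources": _as_list(stmt.get("Resource")),
                "conditional": "Condition" in stmt,
            })
    return findings


def scan_policy_json(text: str) -> list[dict]:
    """Same check over the JSON string a policy export returns."""
    return public_grants(json.loads(text))


PAYROLL_ARNS = ["arn:aws:s3:::example-payroll", "arn:aws:s3:::example-payroll/*"]

# Weak: the whole bucket is readable and listable by anyone on the internet.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": PAYROLL_ARNS,
    }],
}

# Corrected: only the payroll application's role may read, and plaintext transport is refused.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PayrollAppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/payroll-app"},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": PAYROLL_ARNS},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": PAYROLL_ARNS,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Anonymous but restricted to one VPC endpoint: reported as conditional, not as a clean pass.
VPCE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpceRead", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "s3:Get*", "Resource": PAYROLL_ARNS[1],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0abc123"}},
    }],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY), ("vpce-only", VPCE_ONLY_POLICY)):
        print(name, public_grants(policy))
```

Two caveats a practitioner will want: a bucket policy is only one of the paths to public exposure (object and bucket ACLs are another, and this check does not read them), and conditional grants are reported rather than judged because whether a source-VPC-endpoint or source-IP condition is an adequate control depends on what sits behind it. The durable fix is to pair a least-privilege policy like the corrected one with the provider's account-wide block on public access, so a policy like the weak one is refused at write time instead of found by a researcher.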

3. Ineffective Cyber Awareness Training

Security begins and ends with your employees — but how much do they know about security? Specifically, how much do they know about the risks they are facing and how their actions could set your business up for a potential incident?

“At this time of the year, it’s critically important to ensure proper employee awareness of the risks related to travel,” said Baan Alsinawi, president and founder of TalaTek, a Washington-based risk management firm. “Using public Wi-Fi at airports or hotels to access corporate data, possible loss of personally-held devices such as an iPad, iPhone or corporate laptop, especially if not encrypted, talking to strangers about work issues or projects over a glass of wine can expose confidential information.”

Of course, a robust awareness program needs to be in place year-round. Data from London-based advisory and solutions company Willis Towers Watson found that employees are the cause of 66 percent of all cyberbreaches, either through negligence or deliberate offense.

Employees should be regularly educated on phishing, social engineering techniques and other attack vectors that could put corporate data at risk. If awareness training isn’t part of your security strategy, 2019 is the time to learn what an effective awareness program looks like and implement one to promote security best practices in your organization.

4. Poor Oversight of Third-Party Cybersecurity Risks

Third-party vendors and partners can be a source of compromise if criminals can access your organization’s sensitive information through their poorly secured systems. If you’re working with third-party vendors and partners, your security is only as good as theirs. If their systems are breached, your data is also at risk.

“Attackers seeking access to hardened company systems can pivot to breaching an integrated third party, establishing a beachhead there and then leveraging the trust implicit in the integration to gain access,” explained Ralph R. Russo, director of applied computing programs and professor of practice of IT management and cybersecurity at Tulane University School of Professional Advancement.

In 2019, evaluate the state of your third-party risk management. Make it a priority to identify gaps that may put you at risk if you are working with less-than-secure vendors. Implement a vigorous vetting process to determine the security level of your trusted partners.

5. Lack of an Incident Response Plan

A formal, regularly tested cybersecurity incident response plan is essential, yet many organizations continue to operate without one. In fact, 77 percent of companies do not have any formal plan.

Without a written and tested incident response plan, you’re unprepared for the worst-case scenario. It is not enough to focus on prevention; it is essential to establish a comprehensive incident response plan that is clear, detailed and flexible, involves multiple stakeholders, and is tested and updated regularly.

Improve Your Security Posture in 2019 and Beyond

If your organization engages in any of these poor practices, it may be time to brush up on your basic cyber hygiene best practices. By following the recommendations outlined here, you can confidently resolve to close gaps in risk mitigation and establish more effective strategies to improve your company’s security posture in 2019 and beyond.

The post Avoid Coal in Your Digital Stocking — Here’s How to Improve Your Security Posture in 2019 appeared first on Security Intelligence.

How can businesses get the most out of pentesting?

More than 4.5 billion data records were compromised in the first half of this year. If you still feel like your enterprise is secure after reading that statistic, you’re one of the few. Hackers utilizing high-profile exploits to victimize organizations is becoming an almost daily occurrence, with 18,000 to 19,000 new vulnerabilities estimated to show up in 2018. Here’s the thing though – we can still address the situation and make the current threat landscape … More

The post How can businesses get the most out of pentesting? appeared first on Help Net Security.

An introduction to deception technology

This article is first in a five-part series being developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of the evolution of deception, including its use in the enterprise, with emphasis on the practical requirements that have emerged in recent years to counter the growing number and nature of malicious threats.

Purpose of deception for cyber

The idea of modern deception in cyber security … More

The post An introduction to deception technology appeared first on Help Net Security.

Achieve Community Immunity With Security Data Integration

Security is a team sport. Both threat actors and cybersecurity professionals are teaming up and collaborating in greater numbers than ever. In fact, a United Nations study found that crime rings that regularly share information drive around 80 percent of cyberattacks. The dark web has become the standard platform to share security data, as well as an effective marketplace to monetize cybercrime activities.

On the defensive side, mature security programs are developing approaches to integrate different teams. According to The New York Times, some companies are even building fusion centers where employees from a range of backgrounds — from fraud detection to forensic analysis to customer service — work together to fight threats. Motivated by the demand from customers, IBM Security built a cyber range and a mobile Cyber Tactical Operations Center (C-TOC) to help battle-test security teams with crisis simulations.

How Can Cybersecurity Professionals Foster More Collaboration?

While many organizations are using the Department of Homeland Security (DHS)’s fusion centers as a model to foster collaboration among teams, the vast majority of companies are facing a skills shortage. According to ISACA, 27 percent of U.S. enterprises are unable to fill open roles for cybersecurity professionals. Given this challenge, how can enterprises promote collaboration and, more importantly, use it to drive better security outcomes?

When considering how to prevent cybercrime, it’s critical to break down barriers to collaboration. It’s time for us to learn from each other, and not reinvent the wheel when it is already working for someone else. We must use the spirit of community to inoculate ourselves against threats and gain long-term immunity. The human race has conquered many deadly diseases, such as smallpox and polio, through community immunity — so why not bring this concept to cybersecurity?

Here are three ways to foster collaboration among teams and achieve community immunity with the help of a security data integration platform:

1. Gain a Global Perspective

We should be able to leverage insights from our peers to enrich our own decision-making. One way to do this is by using a threat score or another normalized method of sharing threat intelligence. Threat sharing should always be anonymous to protect the privacy and security of enterprises and individuals. Threat intelligence should also be specific, whether at the regional or industry level, to make it relevant and actionable.

2. Reduce Blind Spots

Threat intelligence is just one part of security. Analysts need visibility into many other areas, such as database vulnerabilities and fraud analytics. Having a single, collaborative platform to share this security data allows other analysts and researchers to build on and refine the information and, in turn, share improved data with the security community.

3. Generate Personalized Recommendations

The power of global analytics is in leveraging the learnings from a broader environment and making them relevant to us. We often see this approach in retail, where websites recommend a product based on your purchase history or user profile. In security, a recommendation engine that proactively surfaces improvements to your existing program or tips to fine-tune your deployments can be incredibly useful. In addition, as customers move toward purchasing micro-apps and services as and when they need them, a recommendation engine can proactively suggest solutions so analysts can stay ahead of threats and leverage the latest innovations available to them.

Don’t Go It Alone

So, how will you build your team? If anything is certain about today’s evolving cyberthreat landscape, it’s that you can’t go it alone. By fostering relationships with peers, improving visibility into databases and vulnerabilities, and investing in systems that generate personalized recommendations, security leaders can launch a more coordinated and collaborative counterattack in the ongoing battle against cybercrime.

The post Achieve Community Immunity With Security Data Integration appeared first on Security Intelligence.

Detecting malicious behavior blended with business-justified activity

With organizations moving to the cloud and remote workers becoming the rule rather than the exception, the definition of the network is changing. Add to this the increasing use of IoT devices, encryption and engagement in shadow IT practices, and it’s easy to see why organizations have trouble keeping their network and systems secure. What’s more, attackers are changing tactics: they are relying less and less on malware and shifting their focus to stealing legitimate … More

The post Detecting malicious behavior blended with business-justified activity appeared first on Help Net Security.

Insights From European Customers on Cybersecurity and Security Awareness

Also co-authored by Luisa Colucci, Lucia Cozzolino, Silvia Peschiera, Emilia Cozzolino and Vita Santa Barletta.

European Cyber Security Month (ECSM), celebrated every year in October, is a European Union (EU) advocacy campaign designed to promote security awareness among citizens.

ECSM has continued to grow since its inception in 2012. The 2018 agenda featured more than 350 events and activities across all EU member countries. ECSM’s schedule also included a rich series of conferences, training sessions, videos, webinars, demonstrations and more, giving eager participants many opportunities to get involved and learn more about security.

The contributors to this article participated in many events and collected many questions about the cybersecurity industry from other attendees. This article gathers those frequent questions, whose answers initially seemed obvious and straightforward but quickly turned out to be more complicated than we had thought.

Is Cybersecurity a Challenge or an Opportunity?

For people working in the industry, cybersecurity is an opportunity. This may not be the answer people expect, but being direct is important, and the reality is that cybersecurity drives a multibillion-dollar market. Today, the cybersecurity industry is absorbing a lot of talent, and a lot more will be needed in the future. Let’s start with the challenges.

The first challenge organizations face is the need for growth. Enterprises must adopt new technologies or they will be left behind, and it is not just about being more profitable. Yesterday, tuning a medical device implanted in the body required a medical procedure; today it can be done remotely because the device is controlled over Wi-Fi, but that also means it can be hacked. Threats therefore impact growth. Compliance impacts growth too: compliance is the execution of the security controls needed to reduce the likelihood of an attack, and when a penalty is attached to non-compliance, that penalty hits the enterprise’s financials.

The second element to consider is that enterprises have invested a lot in different technologies and processes, but have not spent enough integrating them. Processes are actually less integrated than products. For example, security information and event management (SIEM) is rarely integrated with vulnerability management or patch management, and misconfiguration actually continues to be one of the major vectors for data breaches.

Another challenge is the ever-growing mass of operational technology (OT) and Internet of Things (IoT) devices connected to network infrastructure. Adopting IT practices for these devices is a good thing, but it is not always as straightforward as one might imagine, because the processes are entirely different and vary from one industry to another. For example, if something goes wrong on a train, the train stops; if something goes wrong on a plane, you cannot just stop it midflight. In addition, we are exposed to highly sophisticated malware operations that can run phishing campaigns, develop malware, take control of devices and launder cryptocurrency.

Moving to the opportunities: many tend to think that the cybercriminal population is different from the traditional criminal population, but it is not. Crime has simply moved into cyberspace, leaving the overall amount unchanged, with one difference: in the physical world the perfect crime is possible, whereas in the cyber world threat actors always leave something behind, a trace. We need technologies that can find those traces among billions of unstructured records, and artificial intelligence (AI) can help with that task. Finally, traditional criminals also use the cyber world, which is a great opportunity to apply the investigation techniques developed in cybersecurity to stop old-fashioned crime as well.

Who Are the Bad Guys?

We cannot always claim that those who work on the defensive side are good and those who work on the attacking side are bad; that would be like saying that anyone who carries a gun is inherently bad. It is not as simple as one might think. We actually need to consider two elements. The first is that many increasingly think cybersecurity is something with intrinsic value that someone else can take care of. For example, if we build a camera on a conventional operating system with a password stored in the firmware, we tend to assume that someone else will secure that password.

The second is the belief that what happens in the cyber world is only real when the benefits are perceived, and only bad when things go wrong. In the real world, if a door is open, we do not enter unless we are invited or authorized to do so. The same should apply in the cyber world. Instead of trying to work out who is bad and who is good, we should increase security awareness and start thinking of what happens in the cyber world as serious and real, able to lead to dramatic situations with serious consequences.

Does Compliance Help?

Compliance helps if it is a continuous process and if we believe in the security controls we have been required to implement. If it is just a moment to pass the audit, it does not help. Like most security controls, compliance requires the periodic execution of a set of controls. Systems and applications are administered by humans, and humans make mistakes; new vulnerabilities are discovered every day, and what seems secure today may not be secure tomorrow. The only answer to this ever-changing landscape is the periodic execution of a strong set of controls.

How Much Should We Invest in Cybersecurity?

Usually, investment is based on the value of the business and its assets. Today, IoT adoption is creating a definite shift, because the IoT provides threat actors with millions of devices, with no substantial revenue or cost impact, that they can use to launch an attack. Therefore, when we introduce a device into our network architecture, we must protect it, and protect ourselves from it, for its entire life cycle. This should weigh heavily when building a secure ecosystem. Cybersecurity has intrinsic value, but we must all work toward keeping a safe environment and improving security awareness; we cannot assume that someone else will take care of it.

What Happens When You Are Breached?

Beyond the fines and penalties, the loss of customer trust is arguably the greatest damage that will result from a cyberattack. Customers do not really care about the money enterprises spend on security; all they care about is that a company lost their data. The scariest thing is that today’s cybercriminals are real, advanced and persistent: once they gain a foothold, they have access to your infrastructure and will take every possible step to keep it. Therefore, if you stop an attack, do not assume you are in the clear. Always assume that attackers are inside your network, even if you have not yet discovered what they are after.


The post Insights From European Customers on Cybersecurity and Security Awareness appeared first on Security Intelligence.

Things To Understand To Prevent Data Loss

By Julia Sowells, Senior Information Security Specialist at Hacker Combat. Customer data is the lifeblood of any business entity; businesses are driven towards the increasing obligation of securing it as they

The post Things To Understand To Prevent Data Loss appeared first on The Cyber Security Place.

C-Suite: GDPR Could Lead to Greater Risk of Breaches

Almost a quarter of UK and German businesses (23%) believe the GDPR may have resulted in a greater risk of data breaches, six months after the legislation was introduced.  The

The post C-Suite: GDPR Could Lead to Greater Risk of Breaches appeared first on The Cyber Security Place.

The Importance of “S” in “CISO”

A Chief Information Security Officer is the brigadier general of the security force of an organization. While the c-suite normally looks at the financial and overall management of an organization,

The post The Importance of “S” in “CISO” appeared first on The Cyber Security Place.

How Corporate Boards Can Be More Proactive Mitigating Cyber Risks

Many corporate boards have made significant progress about understanding the importance of cyber security to the competitive health and sustainability of the companies they oversee. They’ve certainly gotten the message

The post How Corporate Boards Can Be More Proactive Mitigating Cyber Risks appeared first on The Cyber Security Place.

Is security the real stuff of nightmares?

The Chief Information Security Officer (CISO) role is the most senior cyber security role in any organisation, and it has developed rapidly in recent years under the wave of increased digital needs. With more customer data gathered and stored than ever before, the risk of implementing a sub-par security strategy affects every level of the organisation. CISOs are the custodians, responsible for protecting the face of their business and the trust of its customers as … More

The post Is security the real stuff of nightmares? appeared first on Help Net Security.

7 trends driving enterprise IT transformation in 2019

Enabling the business outcome in a ‘Real-Time’ enterprise environment is the next challenge for global brands and government agencies in 2019. Tech companies will need to drive hard to continually exceed their customers’ expectations during a time of accelerating change. They will need to show how technology can help deliver on their customers’ objectives and improve agility, security and impact, or they risk being disrupted. Here is Verizon Enterprise Solutions’ view of those enterprise technology … More

The post 7 trends driving enterprise IT transformation in 2019 appeared first on Help Net Security.

Why compliance is never enough

Organizations are well aware of the security risks inherent in our hyper-connected world. However, many are making the mistake of focusing their attention on being compliant rather than on ensuring that their security strategy is effective and efficient. As the threat landscape continues to evolve this type of compliance-driven, checkbox mentality is setting many organizations up for a potentially disastrous fall (or breach). Being in compliance does not guarantee that a company has a comprehensive … More

The post Why compliance is never enough appeared first on Help Net Security.

Take cybersecurity into your own hands: Don’t rely on tech giants

Google doesn’t want you to have to think about cybersecurity at all, similar to how we think about breathing, which sounds like a great idea. However, in all of my years in cyber security, from the Israeli Defence Forces’ Intelligence Corps Unit to my years at the government’s National Cyber Bureau – where I worked with one of the most attacked organizations in the world, the Israel Electric Corporation – I’ve learned that trusting solely … More

The post Take cybersecurity into your own hands: Don’t rely on tech giants appeared first on Help Net Security.

Cybersecurity 2019: Predictions you can’t ignore

As we move forward to 2019, expect credit card and payment information theft to continue to rise. Yes, this isn’t a major surprise; however, if organizations can better address the reasons for the rise in cybercrime, they will be better prepared.

Bolder cyberattacks against digital businesses

The good news: advanced security technologies are constantly being brought to market. The not-so-good news: threat actors are not letting that get in the way; witness more intensified and … More

The post Cybersecurity 2019: Predictions you can’t ignore appeared first on Help Net Security.

The current state of cybersecurity in the connected hospital

Abbott and The Chertoff Group released a white paper that shares key findings from a recent study of 300 physicians and 100 hospital administrators on cybersecurity challenges in the hospital environment. Results found that while physicians and hospital administrators view cybersecurity as a priority, the majority of them feel underprepared to combat cyber risks in the connected hospital. “Cybersecurity is a shared responsibility across all of us working in today’s healthcare system,” said Chris Tyberg, … More

The post The current state of cybersecurity in the connected hospital appeared first on Help Net Security.

Are we chasing the wrong zero days?

Zero days became part of mainstream security after the world found out that the Stuxnet malware was used to inflict physical damage on an Iranian nuclear facility. After the revelation, organizations focused their efforts on closing unknown pathways into networks and on detecting unidentified cyber weapons and malware. A number of cybersecurity startups have even ridden the “zero day” wave into unicornville. Stuxnet’s ability to halt operations forced critical infrastructure operators to think about how they could fall … More

The post Are we chasing the wrong zero days? appeared first on Help Net Security.

Internal negligence to blame for most data breaches involving personal health information

Your personal identity may fall at the mercy of attackers on many websites, but when it comes to health data breaches, hospitals, doctors’ offices and even insurance companies are oftentimes the culprits.

Internal dangers

New research from Michigan State University and Johns Hopkins University found that more than half of the recent personal health information, or PHI, data breaches were due to internal issues at medical providers, not to hackers or external parties. … More

The post Internal negligence to blame for most data breaches involving personal health information appeared first on Help Net Security.

Privacy laws do not understand human error

In a world of increasingly punitive regulations like GDPR, the combination of unstructured data and human error represents one of the greatest risks an organization faces. Understanding the differences between unstructured and structured data – and the different approaches needed to secure it – is critical to achieve compliance with the many data privacy regulations that businesses in the U.S. now face. Structured data is comprised of individual elements of information organized to be accessible, … More

The post Privacy laws do not understand human error appeared first on Help Net Security.

Third parties: Fast-growing risk to an organization’s sensitive data

The Ponemon Institute surveyed more than 1,000 CISOs and other security and risk professionals across the US and UK to understand the challenges companies face in protecting sensitive and confidential information shared with third-party vendors and partners. According to the findings, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is even higher at 61 percent — up 5 … More

The post Third parties: Fast-growing risk to an organization’s sensitive data appeared first on Help Net Security.

Soft Skills, Solid Benefits: Cybersecurity Staffing Shifts Gears to Bring in New Skill Sets

With millions of unfilled cybersecurity jobs and security experts in high demand, chief information security officers (CISOs) are starting to think outside the box to bridge the skills gap. Already, initiatives such as outsourced support and systems automation are making inroads to reduce IT stress and improve efficiency — but they’re not enough to drive long-term success.

Enter the next frontier for forward-thinking technology executives: Soft skills.

How Important Are Soft Skills in the Enterprise?

Soft skills stem from personality traits and characteristics. Common examples include excellent communication, above-average empathy and the ability to demystify tech jargon, as opposed to the certifications and degrees associated with traditional IT skills.

Historically, IT organizations have prioritized harder skills over their softer counterparts — what good is empathy in solving storage problems or improving server uptime? However, as noted by Forbes, recent Google data revealed measurable benefits when teams contain a mix of hard and soft skills. The search giant found that the “highest-performing teams were interdisciplinary groups that benefited heavily from employees who brought strong soft skills to the collaborative process.”

How Can Companies Quantify Qualitative Skill Sets?

Soft skills drive value, but how can organizations quantify qualitative characteristics? Which skill sets offer the greatest value for corporate objectives?

When it comes to prioritization, your mileage may vary; depending on the nature and complexity of IT projects, different skills provide different value. For example, long-term projects that require cross-departmental collaboration could benefit from highly communicative IT experts, while quick-turnaround mobile application developments may require creative thinking to identify potential security weaknesses.

According to Tripwire, there is some industry consensus on the most sought-after skills: Analytical thinking tops the list at 65 percent, followed by good communication (60 percent), troubleshooting (59 percent) and strong ethical behavior (58 percent). CIO calls out skills such as in-house customer service, a collaborative mindset and emotional intelligence.

Start Your Search for Soft Cybersecurity Skills

The rise of soft skills isn’t happening in a vacuum. As noted by a recent Capgemini study, “The talent gap in soft digital skills is more pronounced than in hard digital skills,” with 51 percent of companies citing a lack of hard digital skills and 59 percent pointing to a need for softer skill sets. CISOs must strive to create hiring practices that seek out soft-skilled applicants and a corporate culture that makes the best use of these skills.

When it comes to hiring, start by identifying a shortlist of skills that would benefit IT projects — these might include above-average communication, emotional aptitude or adaptability — then recruit with these skills in mind. This might mean tapping new collar candidates who lack formal certifications but have the drive and determination to work in cybersecurity. It also means designing an interview process that focuses on staff interaction and the ability of prospective employees to recognize and manage interpersonal conflict.

It’s also critical to create a plan for long-term retention. Enterprises must create IT environments that maximize employee autonomy and give staff the ability to implement real change. Just like hard skills, if soft skills aren’t used regularly they can decay over time — and employees won’t wait around if companies aren’t willing to change.

Cultivate Relationships Between Humans and Hardware

Just as IT certifications are adapting to meet the demands of new software, hardware and infrastructure, soft skills are also changing as technology evolves. Consider the rise of artificial intelligence (AI): It is often portrayed positively as a key component of automated processes and negatively as an IT job stealer, and either way there’s an emerging need for IT skills that streamline AI interaction and fill in critical performance gaps.

As noted by HR Technologist, tasks that require emotional intelligence are naturally resistant to AI. These include everything from delivering boardroom presentations to analyzing qualitative user feedback or assisting staff with cybersecurity concerns. Here, the human nature of soft skills provides their core value: Over time, these skills will set employees apart from their peers and organizations apart from the competition. Enterprises must also court professionals capable of communicating with AI tools and human colleagues with equal facility. These soft-centric characteristics position new collar employees as the bridge between new technologies and existing stakeholder expectations.

It’s Time to Prioritize Softer Skill Sets

There’s obviously solid value in soft skills — according to a study from the University of Michigan, these skills offer a 256 percent return on investment (ROI). For CISOs, the message is clear: It’s time to prioritize softer skill sets, re-evaluate hiring and recruitment practices, and prepare for a future where the hard skills of AI-enhanced technology require a soft balance to drive cybersecurity success.

The post Soft Skills, Solid Benefits: Cybersecurity Staffing Shifts Gears to Bring in New Skill Sets appeared first on Security Intelligence.

Why the EU Is More Likely to Drive IT and Security Trends Than the US

The General Data Protection Regulation (GDPR) has been a game changer for data privacy, and U.S. companies are beginning to catch up to the EU in data management practices. However, privacy is only one area in which U.S. organizations are falling behind their European counterparts. To promote compliance with data privacy regulations, both current and forthcoming, U.S. companies will have to invest a lot more in advancing security programs.

What Drives Security Trends?

The largest companies tend to drive technology and security trends. However, Europe is pushing the envelope at a greater rate than American companies.

It likely comes down to GDPR. According to Spiceworks, regulatory changes surrounding data privacy — including huge fines following a data breach — have led to a greater emphasis on security enhancements like encryption. This has also likely been the catalyst for the EU to adopt security technologies such as artificial intelligence (AI) and machine learning (ML).

Still, Spiceworks found that most companies on either continent turn to relatively inexpensive solutions to implement security — antivirus and security awareness training are the two most popular — as opposed to more aggressive defense strategies such as honeypots. More regulated industries are also more likely to adopt emerging security tools, which could explain why a region under the broadest data protection mandate is so far ahead.

Identify Your Program’s Weak Links

Spiceworks found that American companies tend to prefer security awareness as their primary solution for cybersecurity, as opposed to the EU, which favors technology-based tools. However, according to a study by MediaPro, 85 percent of employees who work in the financial industry, where a data breach can be particularly damaging, fail at basic security tasks such as recognizing personal data. Financial employees were also unable to tell the difference between a phishing scam and legitimate email, and the majority of employees do not alert IT or security staff when they do see a problem.

Relying on security awareness training as the primary security tool is risky. At the same time, even technological tools that improve workplace efficiency expand the organization’s digital attack surface.

Improving IT Starts With Budgeting

Spiceworks looked at the state of IT budgets, which are either staying the same or increasing across both American and European businesses. Primary spending drivers include replacing old tech and preparing for the end of Windows 7 support, which will happen in 2020, according to the survey.

Although security-specific spending is projected to increase in the coming year, according to the report, updating aging infrastructure is also a direct response to ransomware campaigns such as last year’s WannaCry attack and to promote compliance with data privacy regulations such as GDPR.

How Can Companies Budget Differently?

The size of the organization also plays a role in how it budgets. For example, while smaller companies are spending money to replace tech due to the end of its life cycle or for business growth, large enterprises are focused on improving their digital transformation with the latest technologies.

Across organizations, security software makes up about 10 percent of the IT budget. But, as the study noted, large enterprises of 5,000 employees or more are more likely to increase IT budgets due to heightened security concerns, whereas budgets at midsize organizations of 500 to 999 employees are more likely to grow due to corporate tax cuts.

American companies tend to be more averse to digital transformation than European ones. According to Spiceworks, one reason goes back to budgeting. To save money, organizations will wait out the life cycle of security technologies, using them until they don’t work anymore. If security leaders can adjust their existing tools to meet new requirements, thereby reducing costs, they likely will.

The cybersecurity skills shortage also comes into play. There aren’t enough skilled IT workers who can implement an automated security system, so it’s easier and cheaper to try and change behaviors of current employees and maintain old networks. This is especially true in small and midsize businesses.

Balance Security Awareness and Tech

The most effective security practices will blend security awareness with emerging security technologies.

People are prone to make errors, but decision-makers too often assume that an hourlong online seminar explaining how to spot a phishing campaign is an effective security training program. Instead, security awareness has to be built into an overall security policy and, like audits and penetration tests, conducted regularly.

Before building awareness training, decision-makers should recognize what they are securing. Is it customer data? Intellectual property? Personal devices connected to the network? Knowing what you are securing will provide a baseline of the type of awareness necessary.

The training itself should be interactive and frequent. Some companies will send out fake phishing emails to random employees to see who takes the bait. Employees who fail are required to do another round of training. Awareness training should explain why this particular information is being secured and, of course, grow with company needs.

Adding emerging security technologies is a bit trickier, because this will depend on budgets and staffing. Implementing a managed security service provider will add continuous monitoring to your network. Tools such as hardware authentication, privileged access and identity management systems, and user behavior analytics can trigger alerts of unauthorized use that even an effectively trained employee may not detect.

Companies Can’t Afford to Be Reactive

Cybersecurity has historically tended to be reactive — responding to an attack that’s already happened and working to prevent it from happening again. In a post-GDPR world, companies can’t afford to remain passive until after an incident.

As North American governments begin to address data privacy issues with their own legislation, companies will need to adapt similarly to their European counterparts. Expect to see more American organizations follow the EU’s example and adopt security technologies to better mitigate potential threats.

The post Why the EU Is More Likely to Drive IT and Security Trends Than the US appeared first on Security Intelligence.

Organizations unable to achieve business resilience against cyber threats

The Resilience Gap study, which surveyed over 4,000 business decision makers across the United States, United Kingdom, France, Germany and Japan found that while 96% of the global business decision makers believe that making technology resilient to business disruptions should be core to their firm’s wider business strategy, the reality is very different. In fact, only 54% of respondents claim that it definitely is. Barriers to achieving business resilience Despite 96% of respondents claiming that … More

The post Organizations unable to achieve business resilience against cyber threats appeared first on Help Net Security.

4 Tips to Make the Most of Your Security Budget

Despite frequent news headlines describing large-scale data breaches around the globe, chief information security officers (CISOs) still struggle to justify security investments to top leadership. According to Gartner, security spending makes up only about 5.6 percent of overall IT funds.

Whatever security budget is ultimately approved by enterprise leadership, it’s up to CISOs to optimize the allocation of that money. More funds might help, but only if they know how to spend it effectively — and that planning starts before the first pitch. Let’s take a closer look at four key steps security leaders can take to maximize their return on security investment.

1. Assess Risks, Assets and Resources

A CISO should first thoroughly evaluate the systems, data and other business assets that are both valuable and potentially at risk in the organization. Today, this makes up an ever-evolving network, and priorities will shift over time to reflect changes in the business and the threat landscape.

“You should first identify and document the assets you need to protect most,” said Jo-Ann Smith, director of technology risk management and data privacy at Absolute. “What’s important to your business, and what are the main threats to your systems and data?”

That evaluation needs to take place before you even set foot in the executive office or boardroom to advocate for security. Its findings will be foundational to the security program’s goals and budget recommendations. Technologies purchased and the needs they serve will be unique to each business.

In other words, the results of the initial review could mean many different things for different CISOs. The general models provided by industry frameworks can help security leaders shape priorities and identify gaps specific to their businesses.

Kip Boyle, CEO of Cyber Risk Opportunities, noted that the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is the best method to assess cyber risk.

“We find that most companies are underinvested in such key mitigations as indemnity contractual provisions with suppliers and customers, antiphishing training, cyber insurance coverage and crisis management planning,” he said. “Yet these are all crucial to mitigating modern cyberthreats.”

2. Align the Security Budget With Business Goals

When demonstrating the return on security investment to executives and board directors, security leaders must speak the language of money. How does security serve the business?

“CISOs should always align with the business when evaluating how to spend,” said Larry Friedman, CISO at Carbonite. “Security spend should be calculated based on the risk associated with assuring continuity with important business processes.”

This goes beyond protecting data and maintaining regulatory compliance. Seeking opportunities to use security funding not just for risk mitigation, but also to boost revenue and accomplish other business wins such as enhanced productivity, helps the CISO position security as a dynamic business enabler rather than a static cost center.

The CISO should implement automated security intelligence and analytics tools to reduce the security team’s busywork and help it focus on more strategic projects. As you analyze opportunities for investment, consider not only how much they cost, but also how much they could save the company or add in value.

3. Hire and Train Good People

The oft-lamented cybersecurity skills gap shows few signs of closing. A recent report from the International Information System Security Certification Consortium (ISC2) placed the worldwide cybersecurity skills gap at almost 3 million unfilled positions, and about two-thirds of businesses believe they have inadequately staffed security teams.

It stands to reason that one of the best investments in a security program is an effective staff. However, in a tight market for employers seeking talent, organizations may have to look inward and invest in training employees who otherwise might not have considered a security career.

By training people who are already part of the organization and recruiting them to work in security, CISOs can offer opportunities for professional growth and build their security teams while taking advantage of the employees’ institutional knowledge.

4. Invest in Security Culture

An effective cybersecurity strategy must include a corporate culture in which every employee values security. But the “2018 Cybersecurity Culture Report” from the Information Systems Audit and Control Association (ISACA) and Capability Maturity Model Integration (CMMI) Institute found that most organizations still struggle with establishing a security culture. In addition, 95 percent of survey respondents noted a gap between their current and desired organizational culture of cybersecurity.

What does it mean to build security culture into business? It means getting all employees — from the security team to the executive suite — to feel invested in the company’s security and risk posture and to engage in secure behavior. Investments in security culture could include initiatives such as awareness training, a secure development life cycle program, and rewards for employees who demonstrate compliance and report incidents.

Some numbers bear out the benefit: According to the ISACA/CMMI study, organizations that reported an inadequate security culture are spending 19 percent of their annual cybersecurity budget on training and awareness. Firms that report stronger cultures spent a share more than twice as large on average (43 percent).

In an ISACA blog post about the study results, Heather Wilde, chief technology officer (CTO) at ROCeteer, noted that the benefits of security culture investment go beyond security. A majority of respondents (66 percent) said their organization experienced a reduction in cyber incidents, but Wilde noted that many other benefits were customer-facing: improved trust, stronger reputation and increased revenue, to name a few.

There is no simple answer to the question of how best to allocate security budget dollars, and the optimal course will vary widely from business to business. But a thorough assessment of a company’s current security posture and culture, along with an evaluation of how security can benefit business goals and enable the company mission, gives the CISO a road map for prioritizing investments.

The post 4 Tips to Make the Most of Your Security Budget appeared first on Security Intelligence.

Building a Security Awareness Program

At the second annual Infosecurity North America conference at the Jacob Javits Convention Center in New York, Tom Brennan, US chairman, CREST International, moderated a panel called Securing the Workforce: Building, Maintaining and Measuring

The post Building a Security Awareness Program appeared first on The Cyber Security Place.

What’s keeping Europe’s top infosec pros awake at night?

As the world adapts to GDPR and puts more attention on personal privacy and security, Europe’s top information security professionals still have doubts about the industry’s ability to protect critical infrastructure, corporate networks, and personal information. Black Hat Europe’s new research report entitled, Europe’s Cybersecurity Challenges, details the thoughts that are keeping Europe’s top information security professionals awake at night. The report includes new insights directly from more than 130 survey respondents and spans topics … More

The post What’s keeping Europe’s top infosec pros awake at night? appeared first on Help Net Security.

60% of firms believe a major security event will hit in the next few years

Only 30 percent of 1,250 senior executives, management and security practitioners in the U.S., U.K. and Canada are confident their business will avoid a major security event in the coming two years and 60 percent believe an attack will hit in the next few years, according to eSentire. In terms of cyberattack preparedness in global organizations, the research also uncovered gaps between the C-suite, board and technical leaders. Among CEO and board members surveyed, 77 … More

The post 60% of firms believe a major security event will hit in the next few years appeared first on Help Net Security.

How Can Industry Leaders and Academia Help Improve Cybersecurity Education?

Just as the field of cybersecurity grew out of information technology, cybersecurity education is evolving as an offshoot of the computer science field. The current state of cybersecurity course offerings as an underdeveloped computer science footnote is allowing the skills gap to grow. To change this, higher education has to address the theoretical and hands-on skills students need to do their jobs post-graduation.

Without sufficient expert staffing, security teams lack the resources necessary to do their jobs effectively; in this way, the skills gap itself is a significant security risk. How, then, can the industry educate the next generation at scale? While there is no one answer, let’s take a look at what’s going on in classrooms across colleges and universities to see how higher education can evolve to meet the needs of the industry.

How to Recognize Shortcomings in Cybersecurity Education

By taking a closer look at the actual cybersecurity training programs higher education currently provides, industry leaders can help draw the road map of where it needs to go. How can they improve its offerings without bankrupting students who are already spending tens of thousands of dollars on degrees that fail to prepare them for the real-world problems they will face?

Bo Yuan, professor and chair of the Department of Computing Security at Rochester Institute of Technology (RIT), acknowledged that many undergraduate degree programs in cybersecurity start out with common introductory courses in computing and mathematics, such as Computer Science I and II and Calculus, eventually ramping up to more specialized training.

“As they get further into the program, students at RIT take more cybersecurity-focused courses, including Introduction to Cryptography and Cyber Security Policy and Law,” Yuan said. “In master’s degree programs, courses often focus on the theoretical foundations of computing security and how to become leaders in the implementation of computing security and information assurance policies and practices.”

To ensure that graduates are able to successfully transition from the classroom to the security operations center (SOC), cybersecurity education leaders should expand and more deeply integrate their hands-on learning opportunities.

Why Student Outreach Is Crucial

With the hefty price tag on degrees these days, students need to be judicious in the programs they choose. But it’s also up to industry leaders to reach out to their future recruits and help connect them with opportunities. Although one-to-one engagement across school districts is impossible, any role security professionals can play is a significant investment in long-term cybersecurity strategy.

Steering students toward cybersecurity training programs that offer them the chance to detect, identify and respond to existing threats in a simulated environment will yield the best returns. Unfortunately, those opportunities are not equally available to all students, and many won’t have the exposure they need to recognize their specialized interests within computer science early enough to plan effectively to get there.

Collaborate to Offer Experiential Learning

Hands-on learning opportunities are essential for cybersecurity students, and many academic institutions, including RIT, enable students to gain experience through simulated real-world exercises. But the students need to know what’s out there before making career-defining decisions to specialize one way over another.

To that end, some security companies have already partnered with educational organizations to extend opportunities for such immersive training.

“We have a heavy hands-on component to the degree programs with labs and project assignments,” Yuan explained. “Additionally, RIT computing security students are required to do two terms of co-ops (paid internships) before graduation.”

Yuan noted that RIT students have engaged in cooperative educational experiences with organizations such as IBM, Eaton Corporation and government agencies. These experiences often lead to job offers before graduation; both students and recruiters are reaping the benefits of these arrangements.

Why It’s Important to Make Connections Early

Through internships and co-ops, students can develop strong cybersecurity skills in the field, which hiring organizations desperately need to keep up with the evolving threat landscape. The Advanced Cyber Security Center (ACSC) and the University of Massachusetts created the Cybersecurity Education and Training Consortium (CETC) to bring industry leaders and students together. According to a press release, “The CETC will connect higher education leaders with business leaders to promote academic programming in cybersecurity that aligns with the needs of Massachusetts employers.”

Higher education programs around the world should partner with the cybersecurity industry to learn more about the needs of students and professionals. Through these innovations, students and enterprises can gain efficient access to both learning opportunities and talent. By working together with institutions of higher learning, businesses can ensure that students come out of learning programs armed with an understanding of the existing threat landscape and how to monitor its constant change so that they are fully equipped to do their jobs.

The post How Can Industry Leaders and Academia Help Improve Cybersecurity Education? appeared first on Security Intelligence.

Cybersecurity and ethical data management: Getting it right

Data can provide information, information can lead to insight and knowledge, and knowledge is power. It’s no wonder, then, that seemingly everybody in this modern, computerized world of ours loves

The post Cybersecurity and ethical data management: Getting it right appeared first on The Cyber Security Place.

Trusting Security Metrics: How Well Do We Know What We Think We Know?

Security leaders aren’t the only ones who seek valuable metrics from accurate instruments. If you remember analog dashboards in cars, you might also remember how unreliable fuel gauges tended to be. As a result, it was impossible to know when you needed to stop for gas.

So when we can’t trust our instruments, how sure can we be of what we think we know? In many ways, organizations today are coming to a similar realization about their security metrics. So what are we to do? Junk the car? Cover up the gauge? Replace it at a significant cost? How about learning to live with it once we realize it still has some value, but needs to be framed in the right way?

If some of the readings from your dashboard have varying levels of accuracy and lag, you might be able to adjust your interpretations of them to correct for those discrepancies.

Understand Measures, Metrics and Their Value

According to the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity,” measures are “quantifiable, observable, objective data supporting metrics” and thus “most closely aligned with technical controls.” By contrast, metrics are used to “facilitate decision making and improve performance and accountability” and thus “create meaning and awareness of organizational security postures by aggregating and correlating measures,” according to the framework.

In other words, underlying measures express technical readings, as well as the proper configuration and effectiveness of your controls. The metrics, which are reported to top leadership, should be grounded in context and relevance to the business and its objectives.

Naturally, greater accuracy yields greater value. But complete context requires a diversity of insights. What if you can’t have both?

Why We Need to Check What We Think We Know

In a 2016 white paper titled “Unified Security Metrics,” Cisco shared its experience as the organization sought to unify its metrics to handle security concerns “much more strategically than reactively.” Since implementing its unified security metrics (USM) approach, the chief information officer (CIO) has been able to develop “an overall picture of the business risk,” which enables security professionals to remediate issues more quickly and better align their strategies with business objectives.

But along the way, Cisco’s experience also taught its leaders the importance of analyzing and documenting the quality and feasibility of measurements to determine whether they are “available, trusted and accessible,” and whether the collection and reporting of such measures could be automated. This helped set the company on a path to not only continuously monitor its posture, but also to seek to continuously improve its metrics.

What Happens When You Use Imperfect Measures in Decision-Making?

Before rolling up security measures into metrics, organizations should undergo a systematic review process as described in the Cisco white paper. Look closely at the measurement data collected, the questions that those data points help answer, the category of that measurement (people, process, technology, etc.), as well as attributes such as availability, scalability and, finally, quality.

One example of a process measure to consider is the number of closed and open incidents. Look particularly at whether the root cause and long-term solution of an incident has been identified and tracked to closure. While Cisco reported that this measure is readily available, it is only partially automated, and its quality is deemed as “partly” satisfactory.

Yet even this imperfect data — neither fully automated nor of high quality — has value to the organization when tracked and reported across time. Taken alongside other metrics, it can still contribute to a clearer picture of the organization’s cybersecurity posture and its handling of incidents.

Build Context to Initiate Conversations With Top Leadership

Although an isolated security measure might be an imperfect reflection of reality, it may yet still present enough value to the organization to be useful as one part of a metric that is shared with top leadership and the board. In the previous example, the number of open incidents still being investigated provides an important view into the organization’s ability to identify root causes, which allows the security team to continuously improve its ability to defend against similar attacks in the future.

Because some metrics are of higher quality than others, it is important to document which ones are based on near real-time, rock-solid measurements, and which ones are collected manually and of less-than-perfect quality. The key benefit of cyber risk metrics is to initiate conversations between security leadership and the board. This is the essential springboard for all future security projects.

The post Trusting Security Metrics: How Well Do We Know What We Think We Know? appeared first on Security Intelligence.

How Emerging Technologies Can Unexpectedly Advance — Or Impede — Cybersecurity Gender Inclusion

Cybersecurity problems and deficiencies have been front-page news for some time, yet some of the industry’s most intractable — and embarrassing — themes remain the same. Along with SQL injections, weak passwords and social engineering, we continue to deal with the fact that women currently only make up about 20 percent of the global security workforce, according to Cybersecurity Ventures. It’s important to note that the gender gap that our industry faces today also occurred in previous waves of technology. And while some security advances have unexpectedly benefited gender inclusion, others have had the opposite effect.

How Emerging Security Technologies Have Impacted Gender Inclusion

Many of us reflect on the men and women who were not only ahead of their time, but truly helped engineer the times we live in now.

My thoughts sometimes turn to my late mom, who grew up in Brooklyn in the 1930s — way before Brooklyn was anything near cool. Among the many aspects of her amazing but difficult life was the time she spent as a champion high school swimmer and New York City lifeguard, as well as a supervisor and trainer of other lifeguards. Unfortunately, at the time, women could typically only be lifeguards at city pools and basins, not at the more challenging open-ocean beaches. Thus, mom’s own lifeguarding was primarily based at a public pool in Brooklyn, while many of her male students graced the more glamorous chairs of Coney Island and Rockaway. Ocean security was almost exclusively a man’s domain. The stated reasons for this were that only men — large men — could handle the panicked throes of the near-drowning ocean swimmer, in which there were often desperate and instinctual attempts to submerge the rescuing lifeguards who approached.

Now, as anyone who has been on a beach or watched Baywatch — I watch it for the lifeguarding techniques — knows, there are presently many women lifeguards, even in the most treacherous waters. One factor that accelerated this long-delayed inclusion was a small, simple piece of security technology: the lifeguard’s rescue can, or float. A lifeguard typically throws the can to calm a distressed swimmer and keep him or her above water while being towed back to shore. With this technique, a lifeguard’s key attributes are swimming ability, empathy, judgment and timing — not merely the ability to stay big and buoyant.

While the lifeguarding float almost immediately improved gender inclusion, another piece of technology — with which my mother was also familiar — may have reduced it: the typewriter. The typewriter was originally considered a complex and arcane men’s-only piece of machinery that, to some extent, made documents more secure. It was only when the typewriter was streamlined and commoditized that typing became “women’s work.” Before modern technologies, the typewriter resulted in further gender differentiation — not the inclusion the rescue float brought about. Today, no one would think of gender considerations for a typing class.

Break Down the Walls Holding Back Women in Cybersecurity

These past examples can inform initiatives for present-day cybersecurity gender inclusion. Once, when discussing surf security and ocean rescue with my mom and other lifeguards, I said that I believed a lifeguard could recognize a swimmer who would be in trouble as soon as he or she stepped into the water. They gently shook their heads at my naiveté and corrected me: You can recognize a swimmer who will be in trouble as soon as he or she steps onto the beach.

When it comes to a fully enabled and diverse cybersecurity workforce, many enterprises may be inadvertently walking into trouble as they enter the dangerous waters of threat proliferation and workforce challenges. Thus, as new cybersecurity techniques and technologies make their way into society and the workplace, we should all pay close attention to both their anticipated and unexpected effects on gender inclusion.

While we can’t predict the future, we can help shape it during every passing minute. It is up to all of us to implement the waves of emerging security technologies and processes — whether they protect ocean surfing or web surfing — in ways that encourage, not deter, greater gender inclusion.

The post How Emerging Technologies Can Unexpectedly Advance — Or Impede — Cybersecurity Gender Inclusion appeared first on Security Intelligence.

Insurance Occurrence Assurance?

You may have seen my friend Brian Krebs’ post regarding the lawsuit filed last month in the Western District of Virginia after $2.4 million was stolen from The National Bank of Blacksburg in two separate breaches over an eight-month period. Though the breaches are concerning, the real story is that the financial institution is suing its insurance provider for refusing to fully cover the losses.

From the article:

In its lawsuit (PDF), National Bank says it had an insurance policy with Everest National Insurance Company for two types of coverage or “riders” to protect it against cybercrime losses. The first was a “computer and electronic crime” (C&E) rider that had a single loss limit liability of $8 million, with a $125,000 deductible.

The second was a “debit card rider” which provided coverage for losses which result directly from the use of lost, stolen or altered debit cards or counterfeit cards. That policy has a single loss limit of liability of $50,000, with a $25,000 deductible and an aggregate limit of $250,000.

According to the lawsuit, in June 2018 Everest determined both the 2016 and 2017 breaches were covered exclusively by the debit card rider, and not the $8 million C&E rider. The insurance company said the bank could not recover lost funds under the C&E rider because of two “exclusions” in that rider which spell out circumstances under which the insurer will not provide reimbursement.

Cyber security insurance is still in its infancy and issues with claims that could potentially span multiple policies and riders will continue to happen – think of the stories of health insurance claims being denied for pre-existing conditions and other loopholes. This, unfortunately, is the nature of insurance. Legal precedent, litigation, and insurance claim issues aside, your organization needs to understand that cyber security insurance is but one tool to reduce the financial impact on your organization when faced with a breach.

Cyber security insurance cannot and should not, however, be viewed as your primary means of defending against an attack.

The best way to maintain a defensible security posture is to have an information security program that is current, robust, and measurable. An effective information security program will provide far more protection for the operational state of your organization than cyber security insurance alone. To put it another way, insurance is a reactive measure whereas an effective security program is a proactive measure.

If you were in a fight, would you want to wait and see what happens after a punch is thrown to the bridge of your nose? Perhaps you would like to train to dodge or block that punch instead? Something to think about.

Leaping Forward – Telling the Story of How InfoSec Has Matured into Cyber Risks

Readers of this blog know that I've spent nearly the past decade curating some of the best quotes about information security and related topics. What started as a self-serving repository of good material for my own use eventually grew into this blog. I owe a big thank you to all of those who, over the course of the years, have shared this site with others around them.

However, in the past year, I have to admit that I've been much more active on a different blog, that of the IBM-sponsored SecurityIntelligence blog, which brings me to this post.

Just this week, the IBM site published my 30th article, "Five Signs the CISO Who Got You Here Isn’t the Best One to Get You There," whose topic relates nicely to the evolution of the field of information security -- let's admit, security was never really just an IT issue -- and the evolution of the role of CISO.

Just as businesses have had to evolve in order to thrive, or even just to survive, so must we evolve, as information security professionals, in the face of a changing reality. We now have the attention that we've been asking C-Suite executives and board directors for. We must now step up to fulfill this new role, to meet these new expectations. The stakes are high -- businesses everywhere are getting hammered by attackers, some after a quick buck, others after the company's crown jewels.

In pitching and developing these 30 articles, I've always sought to bring value to the reader, primarily aimed at CISOs or aspiring CISOs. I'm including below the full set of links to these 30 articles (in ascending chronological order). And since IBM's blog doesn't allow for comments, I'm inviting readers everywhere to leave comments on this post instead.

Again, thank you for your support, and for your readership.
As an Information Security Professional, Are You Having the Right Conversations?
Improving Your Security Awareness Campaigns: Examples From Behavioral Science
Cyber Risks: From the Trenches to the Boardroom
CISO Influence: The Role of the Power Distance Index and the Uncertainty Avoidance Dimensions
How Helping Educators Is Good for the Cybersecurity Industry
Addressing the Information Security Skills Gap in Partnership With Academia
Why Is Your Board of Directors Finally Asking About Cyber Risks?
What Cybersecurity Questions Are Boards Asking CISOs?
Five Must-Read Articles on the Cybersecurity Skills Gap
What Can CISOs Take From the New NYSE Cybersecurity Guide?
How Are US Armed Forces Closing the Cyber Skills Gap?
How Should CISOs Report Cyber Risks to Boards?
Beyond Tech Skills: Leadership Qualities for CISOs
Get the Most Out of Your Recent Security Hires With Soft Skills
Get the Most Out of Your Recent Security Hires: The Value of Professional Development
New Year’s Resolutions for the Effective CISO
Cyber Risks: Three Areas of Concern for 2016
Highlights From the World Economic Forum’s Global Risks Report 2016
2015: The Year Feds Warned About Cyber Risks
Is Your CISO Ready to Be a Risk Leader?
Is Your CISO Out Of Place?
FTC Studying Practices of Nine PCI Companies
C-Suite Dynamics Can Impact The Organization's Cybersecurity
It's Not Too Late to Correct Your Security Posture
Securing the C-Suite, Part 1: Lessons for Your CIO and CISO
Securing the C-Suite, Part 2: The Role of CFOs, CMOs and CHROs
Securing the C-Suite, Part 3: All Eyes on the CEO
Engaging Conversations Key to Improving Cyber Risk Decisions
How to Make the Most of Your Pen Test
Five Signs the CISO Who Got You Here Isn't The Best One To Get You There