Category Archives: CISO

CISO’s guide to an effective post-incident board report

A successful cyberattack is undoubtedly one of the most disruptive events an organization can experience. Whether it’s phishing, DDoS, ransomware or SQL injection, the incident often results in major service failures and potentially massive revenue loss, as well as damage to brand reputation and customer trust. As CISO, you are charged not just with overseeing the response and mitigation processes post-breach but also with assembling all relevant information in a post-incident report to the board. … More

The post CISO’s guide to an effective post-incident board report appeared first on Help Net Security.

Prevent shadow IT: Companies need security covering multiple communication vectors

There is a critical need for companies to adopt comprehensive and secure enterprise communications platforms to prevent shadow IT. It is a phenomenon where employees, to compensate for the lack of a comprehensive suite of communication tools within their company, leverage unauthorised external applications for business purposes, creating multiple challenges for companies. Apart from being highly vulnerable to data breaches, these applications also compromise a company’s data/information confidentiality and sovereignty and, in some cases, could … More

The post Prevent shadow IT: Companies need security covering multiple communication vectors appeared first on Help Net Security.

Insights on modern adversaries and their tactics, techniques, and procedures

In today’s ever-evolving cyber landscape, speed is essential for effective cyber defense. CrowdStrike’s Global Threat Report reveals “breakout time” – the critical window between when an intruder compromises the first machine and when they can move laterally to other systems on the network – for top cyber adversaries. This ranking offers organizations unprecedented insight into how fast they need to be at detecting, investigating and remediating intrusions (also known as the 1-10-60 rule) to thwart … More

The post Insights on modern adversaries and their tactics, techniques, and procedures appeared first on Help Net Security.

CISOs Hit the Bottle as Workplace Pressures Build

UK and US CISOs are facing burnout as they struggle to cope with escalating cyber-threats, insufficient budgets and a lack of engagement from the board, according to Nominet. The DNS security

The post CISOs Hit the Bottle as Workplace Pressures Build appeared first on The Cyber Security Place.

Machine learning fundamentals: What cybersecurity professionals need to know

In this Help Net Security podcast, Chris Morales, Head of Security Analytics at Vectra, talks about machine learning fundamentals, and illustrates what cybersecurity professionals should know. Here’s a transcript of the podcast for your convenience. Hi, this is Chris Morales and I’m Head of Security Analytics at Vectra, and in this Help Net Security podcast I want to talk about machine learning fundamentals that I think we all need to know as cybersecurity professionals. AI … More

The post Machine learning fundamentals: What cybersecurity professionals need to know appeared first on Help Net Security.

Increased appetite for biometrics fueled by speed, security and convenience

The Biometric Consumer Sentiment Survey of more than 1,000 U.S. adults who have experience using biometrics to log into their accounts reveals an increased appetite for the technology. 70 percent of respondents reported that they would like to expand the use of biometric authentication into the workplace, according to Veridium. Consumers cited speed (35 percent), security (31 percent) and not having to remember passwords (33 percent) as the primary reasons for liking biometric authentication. “The … More

The post Increased appetite for biometrics fueled by speed, security and convenience appeared first on Help Net Security.

Why You Need a Security-First Culture to Deliver on Your Customer-First Goals

I’ve been working in the security industry for mumble mumble years, and one recurring problem I’ve noticed is that security is often considered an add-on to business initiatives. This is neither new, nor surprising. And while the “customer-first” approach is not really a new talking point for most companies, “customer-obsessed” became a major business initiative for many in 2018. This is due to a number of factors — increased brand visibility via social media, changing buyer behaviors and evolving data privacy legislation, to name a few — and doesn’t show any signs of changing in 2019.

What Does It Mean to Be Customer-First?

Contrary to what many businesses seem to believe, customer obsession doesn’t mean sending six emails in two weeks to make sure your customer is happy with his or her purchase and requesting a good review or rating. Being customer-first simply means listening to your customers’ needs. It requires you to quickly adjust and react to meet those needs — or, ideally, anticipate them and proactively offer solutions to your customers’ issues.

Most of all, customer obsession requires trust. To build trust among your end users, security must be the foundation of every customer-first initiative. In fact, I’d argue that organizations must be security-obsessed to effectively deliver on their customer-first plans.

Prioritize Security to Build Customer Trust

The benefits of a customer-first business approach are clear: increased loyalty to your brand, revenue gains, etc. It is also apparent why security is so important: No organization wants to suffer the consequences of a data breach. However, by looking deeper into what a security-first to customer-first culture looks like, you’ll quickly uncover the complexity of this issue.

First, there is a distinct difference between checking the boxes of your security requirements (i.e., compliance) and truly making your customers’ welfare a top priority. Of course, adherence to security and privacy regulations is essential. Without these standardized compliance policies, companies could measure success in a variety of ways, which would look different to everyone. And if we’re being honest, meeting compliance regulations is often more about avoiding penalties than improving your business.

Second, your brand is more than just your product or service; it encompasses the way your company looks, feels, talks and spends money and is representative of its culture and beliefs. In other words, your brand is about the way people feel when they interact with your company. According to Forrester Research, today’s buyers are increasingly looking at these other characteristics when they make decisions about the products or services they use.

This is where security becomes essential. If you want to instill trust among your end users, you need to go beyond standard compliance measures. Security must become a foundation of your company culture and your customer-first initiatives. It must be threaded into every business initiative, corporate policy, department and individual. This means technology purchases should be made with your end users’ security in mind, as well as your employee data and corporate assets.

It also means evaluating your business partners and the policies they have in place to ensure they fall within your standards. For example, are you considering moving critical business technology to the cloud as part of your digital transformation initiatives? If so, what do you know about your cloud provider’s security precautions? Are you working with advertisers or marketing organizations that interact with your end users? If so, do you know how they handle your customers’ and prospects’ personal data?

How to Develop a Strong Security Culture

Operating a business that is customer-first is ambitious. It’s also really, really hard. By making security a cultural tenet throughout your organization, you communicate to your customers that your brand is trustworthy, your business has integrity and that they matter to you. So how do you do it?

Collaborate

Design collaboration into your security strategy with open solutions. The threat-solution cycle is a familiar one: A new security event occurs, the news covers it, a new company emerges to solve the problem, your company deploys the solution and then a new security event occurs. The entire industry is stuck in a vicious cycle that we, as vendors, have created. To break this cycle we need to take a page from our adversaries. Share intelligence with our peers and our competitors. Learn from other industries. Use open technology that integrates multiple sources of data. Only then are we equipped to uncover risks to our customers that hide among the chaos.

Build Security Muscle Memory

Many organizations are spending a lot of money on security awareness training, which is great. However, the best training is useless if employees are bypassing security measures for convenience. Make security processes required, enforceable and, above all, easily incorporated into the daily life of your users.

Shift Your Perspective

Security strategy is often an afterthought to business initiatives that cut costs, increase revenue and improve efficiency. Security is, after all, a cost. But a good security culture can set your company apart. It can be the champion or the killer for your brand, particularly in an era where customers’ buying motivations have shifted.

Right now, brand loyalty is an asset. A recent Harris Poll survey found that 75 percent of respondents will not buy from a company, no matter how great the products are, if they don’t trust it to protect their data. Stability, integrity and corporate responsibility are key factors in purchasing decisions. Making security a strategic pillar of your company’s brand is a tremendous responsibility, but one that will go a long way toward establishing trust among your users.

The Best Way to Grow Your Business

A customer-first approach is, arguably, the business initiative that can impact your bottom line the most. Understanding and proactively addressing your customers’ security and privacy concerns shows that you’re not just trying to sell a product or service, but that you are responsible with their data and operate with integrity. In an era where brand integrity matters, security-first is the best way to grow your business.

The post Why You Need a Security-First Culture to Deliver on Your Customer-First Goals appeared first on Security Intelligence.

Most companies anticipate a critical breach in 2019, CISOs need to prioritize threats

80 percent of IT business leaders anticipate a critical breach or successful cyberattack over the coming year, according to the Cyber Risk Index (CRI), a Trend Micro survey of more than 1,000 IT security professionals in the United States. The CRI survey was conducted to measure business risk based on the difference between organizations’ current security posture and their likelihood of attack, with the goal of helping CISOs and their teams better assess, protect, detect, … More

The post Most companies anticipate a critical breach in 2019, CISOs need to prioritize threats appeared first on Help Net Security.

Cybersecurity Leaders From Maersk and Westfield Insurance Discuss Digital Transformation at Major Industry Event

In June 2017, the cybersecurity world changed. As soon as NotPetya began infecting systems in Ukraine and spreading across Europe and beyond, it became clear that the intent of this worm wasn’t espionage, distributing malware or holding data for ransom. Rather, it was designed to destroy data, shut down systems and create havoc.

One of the most severely impacted organizations was global shipping giant Maersk, which transports 20 percent of the world’s trade goods. When Maersk’s systems went down, it sent shockwaves around the world and caused security observers to shudder. NotPetya was apparently a cyberweapon launched against Ukraine, but a far greater number of countries and organizations became collateral damage.

It was a wake-up call for Maersk, according to Andy Powell, who joined the company as its new chief information security officer (CISO) in June 2018, a year after the NotPetya attack.

“What Maersk was very strong at was our ability to recover,” Powell said in a fireside chat with IBM Security General Manager Mary O’Brien on Tuesday, the opening night of the 2019 IBM Think conference. “Balancing business resilience with preventative measures means that any company can address some of these high-end attacks, but you’ve got to accept that some of them are going to get through. And therefore, you need to be able to recover your business.”

While cybersecurity inevitably changed in the wake of NotPetya, it’s continuing a rapid transformation as businesses digitize and create ever more data. O’Brien and Powell discussed these profound shifts during their chat, along with Kevin Baker, CISO of Westfield Insurance, who underscored the impacts of digital transformation on data security, risk and compliance.

Lessons in Resiliency and Agile Security

In the age of cloud and connected everything, the volume of data being produced has exploded, along with opportunities for greater insights, innovation and new business models. This digital transformation has broad implications for security.

“Our clients want to know where their containers are, they want to know what part of the process is involved, they want to know information around what they’re moving,” Powell said. “We can provide that as part of the transformation.”

To secure digital innovation for clients, alongside its legacy systems, Maersk’s security team has taken an agile approach. Security is frequently seen as a roadblock to innovation, Powell said. Bringing together project teams and the security organization helps speed innovations to market by building security into the process from the beginning.

“The reality is the security people need to be working with them in those teams to actually integrate security from day one, and that’s starting to really pay off, because we’re no longer seen as the outsiders,” Powell said. “We’re seen as somebody who is prepared to adopt the culture and work with them. That teamed approach is very important.”

Focus on Data Security, Risk and Compliance

Ohio-based Westfield Insurance, with $4.9 billion in assets, has been in business since 1848. That means “a lot of data,” Baker said during the Think fireside chat.

“Because of digitization, it’s a veritable explosion of data. Our job is to know what data we have, where it is, how many copies of it we have, where it’s moving, who can access it and what the criticality of that data is so we can focus on data that has a regulatory import,” Baker said.

Baker’s team focuses on governance and risk, monitoring existing regulations like the New York Department of Financial Services (NYDFS) cybersecurity regulation. And they look to the horizon for emerging compliance risks, such as California’s data privacy law, which will take effect in January 2020.

The California Consumer Privacy Act (CCPA) follows in the footsteps of the European Union (EU)’s General Data Protection Regulation (GDPR) with strict data privacy mandates, including a “right to be forgotten,” whereby companies will be required to destroy certain types of customer data.

“‘Forget me’ is a new capability that we have to solve for,” Baker said. “So we’re looking for ways that we can tag the data, move the security control down at the data element, and use the same tagging and process in multiple ways. It’s more than data classification, but it starts there.”

How Can Digital Transformation Help Reduce Complexity?

Digital transformation in business — through the adoption of technologies such as the cloud, artificial intelligence, and mobile and smart devices — has had major implications for the security industry as well. Although security products have made strides in protecting businesses beyond the traditional firewall, complexity is a hidden cost of innovation.

“We believe the No. 1 challenge is the complexity that we — the vendors and our clients — have jointly created,” O’Brien said during her chat at the IBM Think conference, her first as IBM Security general manager. “We got here because we let the latest threat of the day or requirement drive our technology and our strategy. So every time there was a new attack, a new merger, a new regulation, we created a new tool.”

The second problem of security innovation, O’Brien added, is that these products are created, purchased and deployed in silos. They are not integrated and don’t naturally talk to each other. According to O’Brien, it’s time to eliminate this complexity to enable business innovation and transformation.

This past October, IBM Security launched IBM Security Connect, a simple, open and connected cloud platform that can automatically access security data no matter where it resides. This enables security teams to take advantage of existing investments, from IBM or other vendors, without compromising effectiveness.

“You have insights today, but not total insights,” O’Brien said. “But because Connect can tap into your existing data wherever it is, you will see the full picture of your security situation without having to migrate your data or manually integrate it.”

For his part, Baker said limiting the number of tools but integrating them across multiple vendor systems is key to making strides toward his team’s data security goals.

“We elected to use not more security tools, but fewer security tools. We chose tools that were on their own pretty powerful, things like IBM’s QRadar and Guardium. Then we integrated that with other vendors,” Baker explained. “We use these tools to create our own link and do our own analysis. Not just the net-new data, but even the legacy data, and then to analyze that data as a single unit, to track the most critical data. We know that we can’t track it all. We need to zero in on what’s important.”

The post Cybersecurity Leaders From Maersk and Westfield Insurance Discuss Digital Transformation at Major Industry Event appeared first on Security Intelligence.

Security wellness takes more than a fad diet

Every year, millions of people make the same New Year’s resolution: to lose weight and improve health. But by February, a mere thirty days or so into the year, stats show 75 percent of us have fallen off the wagon. The pitfalls are many, whether the resolution is vague and broad, or we neglect to set measurable goals and regular check-ins, or perhaps we’re just not really ready for change. Achieving a true state of … More

The post Security wellness takes more than a fad diet appeared first on Help Net Security.

Large Firms: What Role for the Group CISO?

The role of the CISO and their reporting line seems to be a continuing topic of discussion amongst cyber security professionals. The same title often hides a large diversity of roles,

The post Large Firms: What Role for the Group CISO? appeared first on The Cyber Security Place.

How can we improve adoption and ROI on security investments?

Traditionally, whenever employees are required to interact with security solutions, they push back because they don’t want their lives to be made more complicated with extra procedures and, essentially, clicks. Human behavior dictates that if there’s a tech roadblock, users will find a way around it to get their jobs done. In light of these workarounds, organizations often struggle to quantify how to reduce risk and improve compliance, which makes it harder to prove … More

The post How can we improve adoption and ROI on security investments? appeared first on Help Net Security.

Four Signs You’re Ready for a Virtual CISO

A virtual Chief Information Security Officer (or vCISO) can be a great resource to a company. But how do you know when your company is ready for one? Rob Black of Fractional CISO shares four telltale signs to watch for.

The post Four Signs You’re Ready for a Virtual CISO appeared first on The Security Ledger.

Ransomware Sees Further Decline, Banking Trojan Use Steps Up

Ransomware accounted for one tenth of 1% of all malicious email content in Q4, according to a new threat report from Proofpoint. Its Q4 threat report found that banking trojans accounted

The post Ransomware Sees Further Decline, Banking Trojan Use Steps Up appeared first on The Cyber Security Place.

6 Steps Every New CISO Should Take to Set Their Organization Up for Success

Congrats! You’ve landed a new job as a chief information security officer (CISO). Now where do you start?

With some figures putting the typical CISO tenure at just around two years, it’s clear turnover in this role is high. According to a Ponemon Institute study sponsored by Opus, 44 percent of CISOs surveyed said they plan to make a lateral move in their organization outside of IT security, and 40 percent said they expect to change careers. All of this considered, the window of time to make a mark as an effective security leader is short — and, in turn, stressful.

What are some best practices for getting started on the path to success in a new security management position? What do you need to do, who do you need to talk to, and what are the first actions you need to take to make an immediate impact and set yourself up for future wins?

Here are six steps to help you get started in a new security executive role.

1. Take Stock of Technology

One of the most important steps you will take in the first few days is reviewing the IT infrastructure of your new company. How are firewalls and servers configured? How many different endpoints connect to the network? What other technology is in place?

According to CSO, you should start by taking stock of which incident prevention security controls are preventing and reporting on malicious activity. You should also determine which security control management consoles, security information and event management (SIEM) tools, and log management solutions are collecting logs and alerts.

Understanding your systems and defenses is priority No. 1 because knowing what your new organization has in place — and where you may need to make additions and changes — will inform the next steps in your first few months in the CISO role.

2. Assess Your Processes

After gaining a comprehensive view into the technology that is in place, it is time to review and evaluate the processes in place for security. Is there an incident response (IR) plan in place? For 77 percent of organizations, the answer is no. Is the IR plan written and tested? What about awareness training? Is it done monthly? Annually? This information will give you a clearer picture of how the company has prioritized security in the past — and an idea of where it needs to go in the future.

This is also the time to poke holes in policies and standards that do not have formal processes attached, and develop and define them to be more effective. Clear, well-defined processes minimize confusion and chaos, and ensure your organization can comply with the policies you want to enforce.

3. Build Out Your Team

Whether you are utilizing existing employees or hiring new team members, building your security team is an immediate priority for a new security leader, according to Dan Lohrmann, former CISO for the state of Michigan and current chief security officer and chief strategist at Security Mentor.

“Focus on talent and relationships,” Lohrmann wrote in an article for Government Technology. “Surround yourself with security pros that work well together and cover skill set weaknesses.”

Direct reports that you will be managing are the first employees you need to get to know. Have one-on-one meetings with each team member if time allows to understand their strengths, weaknesses and insights on where security strategy stands in the organization. These employees have the institutional knowledge you don’t yet have and have dealt with issues and problems already. This time can also be an opportunity to build a relationship of trust so that your direct reports know they can come to you with concerns and feedback going forward.

If you have the luxury of hiring, after getting to know the existing security team, now is the time to assess whether you are lacking certain skills and talent on your team and look to the external talent pool to add to your ranks. This may be easier said than done, since the cybersecurity skills gap has made hiring challenging in recent years.

4. Talk to Key Internal Stakeholders

You want to gain a deeper understanding of the business, its mission, its immediate priorities and its long-term goals as soon as you get in the door. The CISO role is about security and business enablement. You will be expected to protect the organization and contribute to strategic goals.

Start by meeting with executive management when possible, as well as heads of business units. Understand their goals, visions, pain points and objectives. Ask how security management can assist with all of these. Getting to know these stakeholders will be the start of what should be an ongoing relationship and conversation that will give security a strong voice in the organization.

5. Get to Know Customers

Equally important to understanding the executive vision of the company is having a solid comprehension of the people the company serves. Getting to know key customers and clients on the front lines will give you the advantage of grasping how the enterprise is viewed from the outside. The customer lens of the organization will be invaluable in positioning security as a business driver instead of a hindrance.

6. Start Thinking About Your Budget

Gartner predicted that companies would spend around $96 billion on security products and services in 2018. But how can CISOs prove their investments had a measurable impact on corporate risk? It is no longer enough to simply deliver security to an organization; CISOs are also expected to demonstrate return on investment (ROI) and find ways to deliver direct business benefits.

Collecting data, evidence and metrics to demonstrate the need for security investments, why they are necessary in the near future and the proof of corporate payoff is another essential step for new security management. Additionally, this needs to be positioned in a way that business leaders understand, which takes us back to the importance of the prior steps. Without investing time in getting to know executive management and understanding customers, you will be less equipped to make the case for budgetary dollars for security priorities down the road.

Start Your CISO Tenure Off on the Right Foot

Starting a new job in the CISO role can feel overwhelming. But the time for security to be seen as a key player — and to have a major business impact — has never been better. While there may be multiple challenges to address right out of the gate in a new organization, heed these suggestions to start making a positive impact on day one.

The post 6 Steps Every New CISO Should Take to Set Their Organization Up for Success appeared first on Security Intelligence.

Design Your IAM Program With Your Users in Mind

Co-authored by Kevin Pratt

Identity and access management (IAM) should be a seamless part of employees’ day-to-day activities and your organization’s overall security posture. An IAM program controls and administers the access users have to an array of critical systems and data. If your users have difficulty accessing systems and applications with an IAM solution in place, your security posture can suffer. For example, employees may go around established security policies and leverage shadow IT applications to get their jobs done faster.

Many identity programs struggle to gain user acceptance because IAM is a particularly challenging field within security. If you don’t start by following IAM best practices and understanding the business’ goals and users’ needs and requirements, you may find it difficult to gain the levels of user adoption necessary to make an IAM program successful in the long term.

Infuse Empathy Into Your IAM Program Using the Enterprise Design Thinking Framework

Kevin Pratt, senior managing consultant in identity and access management at IBM, has heard countless stories from clients who tried to deploy an IAM tool without first considering users’ needs and their related pain points. I found his advice to be particularly insightful, so I asked him to sit down for an interview to talk about some critical considerations for designing a world-class IAM program.

Question: How would you explain Enterprise Design Thinking to a first-time client?

Pratt: Enterprise Design Thinking is an approach that helps us align IAM projects to the business by focusing on user outcomes. This approach helps us achieve better user experiences, delivers programs at scale and does this in a faster time frame.

With Enterprise Design Thinking for IAM, we first seek to understand what problem we are solving, the different stakeholders that are interacting with and impacted by IAM programs, then identify user needs, pain points and wants. These insights help us to work collaboratively with our clients to identify the right problem to solve, and secondly, correctly design and align user needs to the business. Understanding this convergence of needs across all three dimensions is key to designing a successful IAM program.

Give an example of a time a client used Enterprise Design Thinking to understand what users really want. What was the result, and how did it compare to clients that didn’t focus on IAM best practices?

IAM projects usually fail due to lack of user acceptance. IAM user acceptance can be especially challenging when balancing project and security requirements with the user experience.

So, if you take time, in the beginning, to align IAM work with the needs of your users and the business, you give your users a sense of ownership of the IAM work and build a foundation for a true partnership between the users, the business and IAM practices. As mentioned, these are key to building and executing a successful IAM program.

One client example that comes to mind is a health care organization that was adopting single sign-on (SSO) and wanted to leverage biometrics by using fingerprints. However, many users, like doctors and nurses, have to wear gloves at all times when working with patients and can’t always authenticate their identity with fingerprints.

We quickly identified in a design thinking session that these users needed a different way to authenticate, like a face or iris scan. Rather than deliver an authentication solution that met security requirements but did not meet critical end user requirements, we immediately identified that the end users’ needs did not align. These insights were leveraged to build a set of requirements which would result in seamless user adoption.

Tell me about a time when an organization didn’t obtain stakeholder buy-in.

We hear these stories over and over …

One example in particular comes to mind: A client was building an IAM product that would onboard and offboard users — essentially a robust identity governance and administration solution. A month before the go-live date, a human resources executive went to the C-suite and said that the IAM group forgot to include them at the right level in the conversations around the project requirements. In this situation, HR was particularly concerned about employee transfers, leaves of absence and other temporary leaves because of the access retained by the employees, which puts the business at unacceptable risk. These user requirements weren’t incorporated at the level that HR wanted.

As a result, the project was stopped by the business right before the go-live date, and the project hasn’t moved forward a year later.

Many times, IAM projects do not correctly involve the right stakeholders at the right level. Therefore, it becomes imperative that the right stakeholders are included from the beginning. As an IAM practitioner, it’s your responsibility to walk through the user life cycle process with line-of-business (LOB) executives and other key stakeholders.

All too often, IAM specialists are laser-focused on security requirements and user onboarding. Of course, IAM needs that particular information. However, where you encounter trouble is when IAM experts are not paying attention to what the lines of business are doing with the data.

If you’re only concerned with security, you’re missing an essential component. An Enterprise Design Thinking for IAM session takes you out of the security silo and immerses you, your IAM stakeholders and collaboration teams into the lives and personas of the users that will interact with the new IAM technology. Too many times it is missed during a deployment.

What’s one of your favorite Enterprise Design Thinking exercises? Discuss the approach and why it’s helpful for clients.

One of the most helpful exercises I’ve seen is the empathy map. It enables you and your business to gain a better understanding of the user and their specific needs. It starts with identifying the user that will interact with systems and asks a series of questions.

Ideally, impacted users, or what are referred to as “sponsor users,” are invited to the design thinking sessions, interviewed in advance or the design thinking work is “played back” to them on a regular basis. This results in the user’s voice being present throughout the collaboration process, and the insights which surface as a result of their involvement are continually infused into planning in an iterative manner.

These questions are not just about IAM. The questions get into the user’s life. Sample questions might be:

  • Do employees work remotely?
  • Do employees spend time traveling?
  • Do employees spend time at the office?
  • What is the office environment like?
  • What is your sponsor user thinking, feeling, saying and doing in the context of the problem you’re solving for?

The goal is to develop a robust frame of reference which accurately represents the user.

Then, you put your answers into a grid and identify what your users say, think, feel and do. In the middle of this, we have a picture of this person or user (see image below). The goal is to immerse ourselves into the lives of users.

Empathy Map showcasing what a user thinks, says, does, and feels


More often, it’s fairly easy to fill in the “says” section because we know what they said. But we have to take it further and understand what the users are thinking. This requires getting into the mind of the users and including them as a part of the exercise so that the entire team can understand and verbalize what the users are thinking.

Then you move into how they feel. Users often feel frustrated about security solutions, but nobody on the security side usually explores those frustrations. Lastly, what does the user do? If this solution causes a problem, what will the user actually do? This often includes users finding creative ways to bypass our security controls. You need to understand what the negative consequences are for an IAM program failure. You may be able to identify those risks and stop them before they happen.

Once we have these identified, we then start to cluster, remix and group the needs and pains on the empathy map. By grouping like needs and pain points for numerous personas representing users, you begin to see common issues across different users by what they’re saying, thinking, feeling and doing. This exercise allows you to first identify themes in common, then prioritize the problems and determine which ones to solve first. It helps you answer the question that most often comes up: “How do we best address this?”

In summary, an empathy map is a fantastic way to get a deeper understanding of these users that will interact with your IAM processes and technologies.

After you’ve completed this exercise, one thing that can happen is you can have information overload. There may be so many needs and pains that an organization doesn’t know where to start. That’s where the prioritization grid can come into play.

Essentially, you take all the information gathered from the empathy map and put it into a grid that measures the impact on the user. You want to understand the feasibility of each issue. Only having the information from the empathy map isn’t enough — it is only one piece to ensuring user understanding. You need to be able to prioritize the needs and pains, identify what are the real impacts and what the feasibility is for fixing these.

It is important to note that prioritization grids are not limited to use after an empathy map exercise. They can be leveraged as a next step in many other stages of Design Thinking iteration, such as for prioritizing ideas, identifying and managing risk, and developing initial road maps and action plans.

These two exercises are very effective as part of a wider Enterprise Design Thinking approach that drives the engagements from beginning to end. It’s important to realize that Design Thinking isn’t just a workshop and an exercise or two; rather, it’s a completely different way of working with clients.

Why do you think Enterprise Design Thinking helps to build a more successful IAM program?

Enterprise Design Thinking focuses on user outcomes instead of just security outcomes. IAM tools do not exist in a userless vacuum. So, it’s vital for IAM practitioners to include users in their IAM discussions and programs. There’s not a good track record of this happening to date — we can do better for our clients by leveraging the Design Thinking framework and beginning to practice first with our own teams. Try an empathy map in practice to get a start.

At the 2018 Gartner IAM Summit in Las Vegas, we had a workshop where attendees chose a user (CISO, IAM admin, incident response analyst or customer) framed by a design prompt or common problem experienced by those stakeholders to focus on while putting together an empathy map. We had mostly security practitioners in the room.

Unsurprisingly, the user that was chosen by the least number of attendees was the customer. It can be difficult for IAM practitioners to relate to our customers and users. This we are hoping to change by virtue of exposing our IAM practitioners to the framework and how best to leverage it.

With Enterprise Design Thinking, we don’t have to guess what each user wants. We take the time to get to know the users, and this allows us to identify the right problem to solve, correctly align with the users and business, and identify a solution that meets the security requirements, addresses user needs and the needs of the business.

Design an IAM program optimized for your business

The post Design Your IAM Program With Your Users in Mind appeared first on Security Intelligence.

5 reasons why asset management is a hot topic in 2019

Sometimes buzzwords are good predictors of what organizations see as priorities in a given year. If you surveyed both the revenue-generating and security functions of enterprises in 2019, you would hear two terms often repeated: digital transformation and zero trust. While the two terms may seem at linguistic odds, the idea that organizations must embrace the digital age to drive growth and operate more efficiently while simultaneously maintaining adequate information security makes sense. It won’t … More

The post 5 reasons why asset management is a hot topic in 2019 appeared first on Help Net Security.

AI won’t solve all of our cybersecurity problems

AI is already supporting businesses with tasks ranging from determining marketing strategies, to driverless cars, to providing personalized film and music recommendations. And its use is expected to grow even further in the coming years. In fact, IDC found that spending on cognitive and AI systems will reach $77.6 billion in 2022, more than three times the $24.0 billion forecast for 2018. But the question remains – can businesses expect AI adoption to effectively protect … More

The post AI won’t solve all of our cybersecurity problems appeared first on Help Net Security.

Drive Innovation With Your Security Strategy in 2019

It’s hard to keep New Year’s resolutions. According to U.S. News & World Report, nearly 80 percent of them fail by the second week of February — not because the intent is off or the motivation is gone, but simply because the status quo is easier. Change requires discomfort and the development of new habits. This is true not only for individuals, but businesses as well.

Most organizations have announced their intent to be more innovative in 2019 — to make changes that will make them stronger, faster and better. But innovation as an end result requires us to change the way we think and act, to be open to new people and processes, and an uncomfortable level of transparency that, so far, many organizations have been reluctant to embrace when it comes to security strategy. Only when we commit to changing our perspective — and, in turn, our habits — regarding privacy and security can we build the trust needed to catapult our businesses and fuel growth.

A Strong Security Strategy Sets the Pace for Innovation

In every car race, there is a pace or safety car that sets the speed and positions racers for the event. In business, security is often seen as an inhibitor to innovation. I’ve often heard security teams say they are in the “business of no,” but it shouldn’t be this way. Rather, security can be the foundation for your business journey to be more innovative.

At Think 2019, we will hear cybersecurity leaders — and former professional race car driver Danica Patrick — discuss the link between security and innovation. They’ll share ideas and processes for making small adjustments to your security strategy that make good habits easy to establish. By integrating security as a regular component of daily operations, much like safety controls in a race, organizations have more bandwidth to adjust their processes, which empowers them to innovate securely.

Openness: The Antithesis of Cybersecurity — or Is It?

When it comes to security and privacy, most organizations have spent a lot of time and money keeping their secrets close to the vest. Security is critical when it comes to corporate innovations and intellectual property. However, at the upcoming RSA Conference, we’ll be listening for a conversation on how openness is a critical attribute for closing the gaps in your security portfolio.

First, let’s look at it from a technology and process standpoint. Imagine if an organization that had been breached shared details of its compromise, including techniques, attack sources and more. Other organizations could benefit tremendously from this transparency and use the information to proactively investigate anomalies on their networks. We have seen technical leaders from the industry calling for more collaboration in cybersecurity, and there is a strong drive to begin doing something about it.

Additionally, openness must extend to hiring. According to Frost & Sullivan, there could be 1.8 million unfilled cybersecurity roles by 2022. To address this massive skills gap, I expect to see organizations look outside the security and technology industries for hiring. I also predict that more security roles will be filled by professionals with emergency response skills, such as military veterans and former first responders, as well as underrepresented groups such as women and people with nontechnical experience. This influx of new perspectives will be a catalyst for organizations looking to innovate.

It’s Time to Walk the Walk When It Comes to Customer Trust

The current state of cybersecurity, combined with shifting buyer motivations, has changed the meaning and priority of digital trust. For one thing, security breaches continue to escalate, not only in frequency, but also with regard to information value. Customer trust is eroding.

Further, as more and more consumers are affected by data breaches, they are becoming educated about how these attacks can occur. Add to this a growing population of buyers from a generation that prioritizes business integrity and brand principles into their purchase decisions. Trust is no longer just a talking point; organizations are entering an era where they must continuously prove that they are collecting, storing and using personal data safely and respectfully.

While all industries will feel the impact of digital trust, health care is at the forefront of this change. I am looking forward to a broader conversation about this at HIMSS19 this month, where such key issues as the safety of medical internet of things (IoT) devices and patient records will be major talking points.

As we enter the second month of 2019, let’s not lose sight of why we are making changes to our security programs in the first place. Openness and transparency are critical building blocks for customer trust. In turn, these blocks set a solid foundation for your organization to continuously grow and innovate.

The post Drive Innovation With Your Security Strategy in 2019 appeared first on Security Intelligence.

CISOs: Change your mindset or lose your job

Capgemini commissioned IDC to produce a new piece of research, which reveals the increasing pressure on the Chief Information Security Officer to drive forward digital transformation – or risk losing their seat at the table when it comes to key business decisions. Whilst CISOs are now involved in 90% of significant business decisions, the research found that just 25% of business executives perceive CISOs as proactively enabling digital transformation – which is a key goal … More

The post CISOs: Change your mindset or lose your job appeared first on Help Net Security.

Evaluating the biggest cyber threats to the electric power sector

The network of power plants and lines connecting to homes and businesses is widely considered to be among the most critical infrastructure in the world. It’s also one of the most frequently attacked, with consequences that could potentially reach far beyond the power sector. A new Deloitte Global report, “Managing cyber risk in the electric power sector,” evaluates the biggest cyberthreats to the electric power sector and suggests how companies can manage these risks. The … More

The post Evaluating the biggest cyber threats to the electric power sector appeared first on Help Net Security.

Data Breach Fatigue Makes Every Day Feel Like Groundhog Day

The constant string of data breaches isn’t what I’d call funny, but it does make me think about one of my favorite cinematic comedies. The film “Groundhog Day” stars Bill Murray as a grumpy weatherman who travels to the little town of Punxsutawney, Pennsylvania, where a famous rodent supposedly predicts when spring will arrive.

According to some unexplained movie logic, Murray’s character ends up caught in a time warp so that he wakes up the day after Groundhog Day and it’s — you guessed it — Groundhog Day once again. No matter what he does, he wakes up day after day and the same events happen again and again. As you can imagine, the poor weatherman starts to lose his mind and, for a time, gives up trying to change his fate.

In the world of cybersecurity, things don’t appear to be much different. If it feels like there’s a new data breach reported every day, that’s because it’s more or less true. According to the Privacy Rights Clearinghouse, there have been 9,033 data breaches made public since 2005 — and those are just breaches that were reported in the U.S. or affected U.S. consumers. Spread out over the last 14 years, that averages out to about 1.77 breaches a day.

All told, there were at least 11.6 billion records lost in those breaches. The consequences for the economy and individual businesses and consumers are mounting, and the cost of these breaches is staggering if you consider the average cost per lost record, which was $148 in the U.S. last year.

These data points raise other questions about the human impact of data breach Groundhog Day, if you will. How does the daily barrage of data breaches affect our behavior? Are we responding with urgency to this growing problem as consumers, businesses and security professionals? Or have we given a collective shrug, accepting that this is the new normal?

What Does Data Breach Fatigue Look Like?

One apparent consequence of constant breaches is data breach fatigue — the idea that consumers have become inured to the effects of data breaches and are less motivated to do anything to protect themselves. The data breach fatigue effect is a little hard to calculate, but there is some evidence it exists, and the fallout is harmful to both consumers and the breached organizations.

In one study, researchers measured consumer sentiment on social media in the aftermath of a breach at the U.S. Office of Personnel Management that affected 21.5 million people. According to the study, overall sentiment about the breach was tinged with anxiety and anger, but victims of the breach showed higher levels of sadness. Moreover, social media chatter about the breach dropped off significantly over time. Two months after the breach, engagement was almost nonexistent, which the researchers said showed acceptance, apathy and the onset of breach fatigue.

While there isn’t a lot of data on how people respond to having their personal information breached, there is some evidence in consumer surveys that data breach fatigue is setting in. For example, a significant proportion of users don’t take proactive steps to improve their security after a breach, such as changing their passwords or checking their credit score. Although almost 50 percent of respondents to a 2016 Experian survey said they were taking more precautions to protect their personal information, just 33 percent check their credit scores regularly and only 36 percent review the privacy policies of the companies they do business with.

In another study conducted by RAND Corporation, only half (51 percent) of survey respondents said they changed their password or PIN after a breach, and a scant 4 percent said they started using a password manager. While 24 percent said they became “more diligent” in response to a breach, 22 percent took no action whatsoever.

Finally, a survey conducted by Ponemon Institute in 2014 on behalf of Experian found that many consumers were taking a passive approach to data breach notifications. Of the 32 percent of consumers who had received at least one data breach notification in the prior two years, their concern about breaches didn’t necessarily produce an urgent response. Although 45 percent of breach victims said they were “very concerned” or “extremely concerned” about the potential for identity theft, 32 percent said they ignored the breach notification or took no action, and 55 percent said they did nothing to protect themselves from identity theft.

If data breach fatigue contributes to consumers failing to take the necessary precautions to protect themselves, it could leave those consumers at greater risk of identity theft, damaged credit, financial loss and privacy violations. But before we start blaming the victims for being irresponsible, it’s clear from the Ponemon/Experian study that many breach victims feel powerless or even trapped because the products and services they depend on from breached companies can’t easily be replaced, and nothing they can do as individuals will change the likelihood that their data will be breached.

The Dangers of Data Breach Fatigue

There’s another risk from data breach fatigue that is maybe underappreciated: that organizations will assume their security and privacy practices won’t matter to consumers. We know from surveys that consumers are very concerned about cybersecurity, but constant breaches have caused a steady erosion of trust between businesses and customers.

In another consumer survey from 2018, conducted by The Harris Poll on behalf of IBM Security, only 20 percent of respondents said they “completely trust” organizations they interact with to maintain the privacy of their data, and 73 percent said it is extremely important that companies take swift action to stop a data breach.

People do care about the security and privacy of their information, and some will take their business elsewhere. In the 2014 Ponemon survey for Experian, 29 percent of respondents said they stopped doing business with a company after a breach.

There are some things organizations can do to start rebuilding trust. Consumers expect a certain baseline of activity in a company’s response that includes identity theft protection and credit monitoring, access to customer service to handle questions and, perhaps most importantly, a sincere apology.

According to Michael Bruemmer, a vice president of consumer protection at the Experian Data Breach Resolution Group, the following steps are crucial to effective communications after a breach:

  • Provide timely notification explaining what happened and why.
  • Explain the risks or impact to the customer as a result of the breach.
  • Explain all the facts and don’t sugarcoat the message.
  • Make the communications more personal with less technical and legal jargon.
  • Describe easy-to-follow steps for customers to protect themselves from identity theft and fraud.
  • Consider using other communication channels to reach customers, including social media and a secure website to answer frequently asked questions and a way for customers to enroll in identity theft protection services.

Practice Your Incident Response Plan

Communicating with customers after a breach is just one element of an effective incident response (IR) plan. But most organizations don’t have any plan for responding to a breach.

Caleb Barlow, vice president of threat intelligence at IBM Security, said having an incident response playbook is “just the beginning.” Organizations need to practice for a full-business response and hone the crisis leadership and communication skills of executives, board members and heads of key departments, such as PR and HR.

“In the heat of the moment, there’s no time to fumble through the playbook and figure out what to do next,” Barlow wrote in a blog post. “That’s when your training and muscle memory kicks in and you execute your plan. If you don’t practice it, you are exposed to an avoidable disadvantage.”

To stop the cycle of data breaches and data breach fatigue, organizations and consumers alike need to shake off our fatalism and reluctance to change. Cyberattacks and breaches may be inevitable, but we have control over the way we respond, and we can’t afford to accept the status quo.

We can’t keep doing the same things and expect different results. If data breach fatigue keeps organizations stuck in a pattern of passive and uncoordinated breach responses — and if consumers remain reluctant to take security into their own hands — then every day is going to feel like just another Groundhog Day.

Learn how to build your breach response plan

The post Data Breach Fatigue Makes Every Day Feel Like Groundhog Day appeared first on Security Intelligence.

Is your organization ready for the data explosion?

“Data is the new oil” and its quantity is growing at an exponential rate, with IDC forecasting a 50-fold increase from 2010 to 2020. In fact, by 2020, it’s estimated that new information generated each second for every human being will approximate to 1.7 megabytes. This creates bigger operational issues for organizations, with both NetOps and SecOps teams grappling to achieve superior performance, security, speed and network visibility. This delicate balancing act will become even … More

The post Is your organization ready for the data explosion? appeared first on Help Net Security.

IT Security Expert Blog: Information Security no longer the Department of “NO”

The information security function within business has gained the rather unfortunate reputation for being the department of “no”, often viewed as a blocker to IT innovation and business transformation. A department seen as out of touch with genuine business needs, and with the demands of an evolving workforce demographic of increasing numbers of Millennials and Centennials. However, new research by IDC/Capgemini reveals that attitudes are changing, and business leaders are increasingly relying on their Chief Information Security Officers (CISOs) to create meaningful business impact.


The study bears out a shift in executive perceptions that information security is indeed important to the business, with the modern CISO evolving from a responder into a driver of change who helps build businesses that are secure by design. The survey found CISOs are now involved in 90% of significant business decisions, with 25% of business executives perceiving CISOs as proactively enabling digital transformation, which is a key goal for 89% of organisations surveyed by IDC.

Key findings from the research include:
  • Information security is a business differentiator – Business executives think the number one reason for information security is competitive advantage and differentiation, followed by business efficiency. Just 15% of business executives think information security is a blocker of innovation, indicating that information security is no longer the ‘department of no’
  • CISOs are now boardroom players – 80% of business executives and CISOs think their personal influence has improved in the last three years. CISOs are now involved in 90% of medium or high influence boardroom decisions 
  • CISOs must lead digital transformation efforts – At present, less than 25% of business executives think CISOs proactively enable digital transformation. To stay relevant, CISOs must become business enablers. They need to adopt business mindsets and push digital transformation forward, not react to it. CISOs that fail to adopt a business mindset will be replaced by more forward-thinking players. 
From NO to GO

CISOs have made great leaps forward
  • Focused on making security operations effective and efficient
  • Engaged with the rest of the business
  • Seen as key SMEs to the board
  • Responding to business requests and enabling change

CISOs now need to pivot to become business leaders
  • Need to be part of the business change ecosystem
  • Must be seen as drivers rather than responders
  • CISO as entrepreneur and innovator



    5 New Year’s Resolutions for Your IoT Security Strategy

    A new year has arrived, and with it comes the opportunity to make all kinds of transformations to help your business. No matter how you navigated the dangerous threat landscape

    The post 5 New Year’s Resolutions for Your IoT Security Strategy appeared first on The Cyber Security Place.

    Taking ethical action in identity: 5 steps for better biometrics

    Glance at your phone. Tap a screen. Secure access granted! This is the power of biometric identity at work. The convenience of unlocking your phone with a fingertip or your face is undeniable. But ethical issues abound in the biometrics field. The film Minority Report demonstrated one possible future, in terms of precise advertising targeting based on a face. But the Spielberg film also demonstrated some of the downsides of biometrics – the stunning lack … More

    The post Taking ethical action in identity: 5 steps for better biometrics appeared first on Help Net Security.

    The biggest cybersecurity challenge? Communicating threats internally

    IT executives responsible for cybersecurity feel a lack of support from company leaders, and 33 percent feel completely isolated in their role, according to Trend Micro. IT teams are under significant pressure, with some of the challenges cited including prioritizing emerging threats (47 percent) and keeping track of a fractured security environment (43 percent). The survey showed that they are feeling the weight of this responsibility, with many (34 percent) stating that the burden they … More

    The post The biggest cybersecurity challenge? Communicating threats internally appeared first on Help Net Security.

    Cybersecurity Experts Share Insight For Data Privacy Day 2019

    You’ll have to forgive my ignorance—but what is an appropriate gift for Data Privacy Day? Perhaps an encrypted portable drive? That might not be a bad idea, but what I have

    The post Cybersecurity Experts Share Insight For Data Privacy Day 2019 appeared first on The Cyber Security Place.

    Social Engineering Training: Why Getting Hacked Is a Security Advantage

    It was one of the highest phishing rates I had ever seen: Almost 60 percent of employees clicked the malicious link. Yet the client, a chief information security officer (CISO) of a Fortune 100 company, asked a question that caught me completely off-guard.

    “So what?” he said, clearly unimpressed.

    As a “people hacker” for X-Force Red, IBM Security’s team of veteran hackers, I’ve performed social engineering exercises for companies around the world. There seem to be a lot of misconceptions about my job and the usefulness of social engineering assessments in security audits.

    Confronted with that CISO’s indifference, I tried to explain exactly how serious our findings were and what the consequences might mean for the business.

    During this assessment, my team started off by getting several payloads through the company’s email filters undetected. We identified that only two of the 300 employees reported the phishing email. The incident response (IR) team didn’t start its investigation until two days later; during those two days, we managed to infiltrate some of the legal team’s email accounts, where we discovered that the company was the target of a lawsuit that wasn’t yet public. If that lawsuit were to leak, it could significantly hurt the company’s reputation.

    Additionally, by reusing some of the passwords we had compromised, we were able to log in to multiple employee payroll accounts, where we had access to direct deposit information — again, undetected. A criminal attacker could have changed direct deposit account numbers to siphon funds from employee paychecks.

    My answer seemed to surprise the CISO and his team. In the end, they acknowledged that I provided a lot more information about their security posture than they expected to receive from the assessment.

    Components of a Quality Social Engineering Assessment

    If you ask someone to define a social engineering assessment, they would most likely say it tests the human aspect of security. However, if done correctly, it evaluates much more than that. Yes, assessments track how many times employees click a link, open an attachment or divulge sensitive information to an unverified caller. However, they can also assess whether and how employees report suspicious activity, and the effectiveness of IR and security awareness training programs.

    With a well-designed assessment, the client should have a better understanding of how their IR team handles social engineering attacks. Many components of IR programs can be analyzed by answering questions such as:

    • How much time did it take for the IR team to respond to the social engineering activity?
    • Did the IR team follow any playbooks?
    • Did the team determine which employees knowingly or unknowingly divulged credentials, and did they issue password resets for those users?
    • If employees provided their credentials, did the IR team investigate whether those credentials were being used elsewhere as part of a suspicious activity?

    In this type of engagement we test more than just people and processes; we can assess the effectiveness of security technologies too. Many of the actions performed — such as emailing a malicious payload or having an employee plug a malicious USB device into their workstation — attempt to bypass the controls already in place, such as email filters, intrusion detection systems (IDSs) and antivirus software. Each social engineering vector therefore doubles as a test of whether the deployed technology stops it.

    Effectiveness and Ethics of Social Engineering

    Some critics have argued that social engineering assessments are pointless, as they know employees will always fail against such an attack. But these assessments provide valuable metrics, which are important to track over time to identify how employees are performing and identify any major deviations. Often, individual employees fall victim repeatedly. It’s important to identify these users so they can receive additional training, and the company should ensure those accounts have limited access.
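    The IR questions above and the repeat-victim tracking just described both reduce to a handful of metrics computed from the assessment's event log. The following is an added example, not code from this article or from X-Force Red: it takes a constructed event log (campaign, user, action, timestamp, all made up for illustration) and computes click rate, report rate, the lag between the first employee report and the IR team opening a case, which compromised credentials were never reset, and which users clicked in more than one campaign.

```python
from collections import defaultdict
from datetime import datetime

# Constructed event log: (timestamp, campaign, user, action).
# user is "-" for IR-team events that are not tied to a target.
# A real engagement would export the same events from the phishing
# platform, the mail gateway and the IR ticketing system.
EVENTS = [
    ("2019-01-07T09:00:00", "c1", "alice", "sent"),
    ("2019-01-07T09:00:00", "c1", "bob", "sent"),
    ("2019-01-07T09:00:00", "c1", "carol", "sent"),
    ("2019-01-07T09:00:00", "c1", "dave", "sent"),
    ("2019-01-07T09:12:00", "c1", "alice", "clicked"),
    ("2019-01-07T09:13:00", "c1", "alice", "submitted_creds"),
    ("2019-01-07T09:20:00", "c1", "bob", "clicked"),
    ("2019-01-07T09:21:00", "c1", "bob", "submitted_creds"),
    ("2019-01-07T09:25:00", "c1", "carol", "reported"),
    ("2019-01-09T10:00:00", "c1", "-", "ir_opened"),        # two days later
    ("2019-01-09T11:00:00", "c1", "alice", "password_reset"),  # bob never reset
    ("2019-03-04T09:00:00", "c2", "alice", "sent"),
    ("2019-03-04T09:00:00", "c2", "bob", "sent"),
    ("2019-03-04T09:00:00", "c2", "carol", "sent"),
    ("2019-03-04T09:00:00", "c2", "dave", "sent"),
    ("2019-03-04T09:05:00", "c2", "alice", "clicked"),       # repeat victim
    ("2019-03-04T09:07:00", "c2", "carol", "reported"),
    ("2019-03-04T09:08:00", "c2", "dave", "reported"),
    ("2019-03-04T09:40:00", "c2", "-", "ir_opened"),         # 33 minutes later
]


def _ts(s):
    return datetime.fromisoformat(s)


def campaign_metrics(events, campaign):
    """Click/report rates, IR latency and unreset credentials for one campaign."""
    ev = [e for e in events if e[1] == campaign]

    def users(action):
        return {u for _, _, u, a in ev if a == action}

    def times(action):
        return [_ts(t) for t, _, _, a in ev if a == action]

    sent, clicked, reported = users("sent"), users("clicked"), users("reported")
    submitted, reset = users("submitted_creds"), users("password_reset")
    first_report = min(times("reported"), default=None)
    ir_opened = min(times("ir_opened"), default=None)
    latency = None
    if first_report and ir_opened:
        # Hours between the first employee report and IR opening a case.
        latency = (ir_opened - first_report).total_seconds() / 3600
    return {
        "sent": len(sent),
        "click_rate": len(clicked) / len(sent),
        "report_rate": len(reported) / len(sent),
        "hours_first_report_to_ir": latency,
        # Users who handed over credentials but never got a reset: still exposed.
        "creds_not_reset": sorted(submitted - reset),
    }


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns."""
    per_user = defaultdict(set)
    for _, campaign, user, action in events:
        if action == "clicked":
            per_user[user].add(campaign)
    return sorted(u for u, c in per_user.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    for c in ("c1", "c2"):
        print(c, campaign_metrics(EVENTS, c))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

    Tracked across campaigns, these numbers answer the questions in the list above directly: c1 shows a two-day gap before IR acted and one compromised account left without a reset, while c2 shows the report rate doubling and IR responding within the hour. The repeat-clicker list is the input for targeted retraining and for reviewing what those accounts can reach.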

    Others have pointed to social engineering tests that went too far, such as targeting employees’ personal accounts. Each social engineering consultancy tests differently. That’s why it’s important for security leaders to define what’s acceptable for the company, so that testers don’t cross any ethical lines. This conversation between security leaders and testers typically happens during the scoping process.

    Here’s another common refrain: “We already have a security awareness training program in place, and it covers social engineering.” But how do you know the program is effective? Without properly testing it, there is no way to determine whether it could efficiently and successfully contain an attack. Plus, employees should have continuous opportunities to identify social engineering activities. It is not a one-and-done exercise. Social engineering exercises are the most realistic training employees can get outside of an actual attack.

    How a Box of Doughnuts Can Breach Your Defenses

    Some of the social engineering assessments performed by X-Force Red include physical tests, such as walking into a building carrying a box of doughnuts to get past security, and remote tests, such as impersonating an auditor to trick employees into divulging sensitive corporate data over the phone. For each test, only a small number of company insiders know we are coming, and we scope the project ahead of time to ensure it is effective and ethical.

    I can’t give away all our tricks of the trade, but you’ll have an opportunity to hear from five X-Force Red hackers, including me, when we share our greatest hits and best practices during a one-hour webinar on Jan. 29 at 11:00 a.m. EST. You may be surprised by some of the many ruses that get us through the door.

    The post Social Engineering Training: Why Getting Hacked Is a Security Advantage appeared first on Security Intelligence.

    Break Through Cybersecurity Complexity With New Rules, Not More Tools

    Let’s be frank: Chief information security officers (CISOs) and security professionals all know cybersecurity complexity is a major challenge in today’s threat landscape. Other folks in the security industry know this too — although some don’t want to admit it. The problem is that amid increasing danger and a growing skills shortage, security teams are overwhelmed by alerts and the growing number of complex tools they have to manage. We need to change that, but how? By completely rethinking our assumptions.

    The basic assumption of security up until now is that new threats require new tools. After 12 years at IBM Security, leading marketing teams and making continuous contact with our clients — and, most recently, as VP of product marketing — I’ve seen a lot of promising new technology. But in our rapidly diversifying industry, there are more specialized products to face every kind of threat in an expanding universe of attack vectors. Complexity is a hidden cost of all these marvelous products.

    It’s not just security products that contribute to the cybersecurity complexity conundrum; digitization, mobility, cloud and the internet of things (IoT) all contribute to the complexity of IT environments, making security an uphill battle for under-resourced security teams. According to Forrester’s “Global Business Technographics Security Survey 2018,” 31 percent of business and IT decision-makers ranked the complexity of the IT environment among the biggest security challenges they face, tied with the changing nature of threats as the most-cited challenge.

    I’ll give you one more mind-boggling statistic to demonstrate why complexity is the enemy of security: According to IBM estimates, enterprises use as many as 80 different security products from 40 vendors. Imagine trying to build a clear picture with pieces from 80 separate puzzles. That’s what CISOs and security operations teams are being asked to do.

    7 Rules to Help CISOs Reduce Cybersecurity Complexity

    The sum of the parts is not greater than the whole. So, we need to escape the best-of-breed trap to handle the problem of complexity. Cybersecurity doesn’t need more tools; it needs new rules.

    Complexity requires us as security professionals and industry partners to turn the old ways of thinking inside out and bring in fresh perspectives.

    Below are seven rules to help us think in new ways about the complex, evolving challenges that CISOs, security teams and their organizations face today.

    1. Open Equals Closed

    You can’t prevent security threats by piling on more tools that don’t talk to each other and create more noise for overwhelmed analysts. Security products need to work in concert, and that requires integration and collaboration. An open, connected, cloud-based security platform that brings security products together closes the gaps that point products leave in your defenses.

    2. See More When You See Less

    Security operations centers (SOCs) see thousands of security events every day — a 2018 survey of 179 IT professionals found that 55 percent of respondents handle more than 10,000 alerts per day, and 27 percent handle more than 1 million events per day. SOC analysts can’t handle that volume.

    According to the same survey, one-third of IT professionals simply ignore certain categories of alerts or turn them off altogether. A smarter approach to the overwhelming volume of alerts leverages analytics and artificial intelligence (AI) so SOC analysts can focus on the most crucial threats first, rather than chase every security event they see.

    3. An Hour Takes a Minute

    When you find a security incident that requires deeper investigation, time is of the essence. Analysts can’t afford to get bogged down in searching for information in a sea of threats.

    Human intelligence augmented by AI — what IBM calls cognitive security — allows SOC analysts to respond to threats up to 60 times faster. An advanced AI can understand, reason and learn from structured and unstructured data, such as news articles, blogs and research papers, in seconds. By automating mundane tasks, analysts are freed to make critical decisions for faster response and mitigation.

    4. A Skills Shortage Is an Abundance

    It’s no secret that greater demand for cybersecurity professionals and an inadequate pipeline of traditionally trained candidates has led to a growing skills gap. Meanwhile, cybercriminals have grown increasingly collaborative, but those who work to defend against them remain largely siloed. Collaboration platforms for security teams and shared threat intelligence between vendors are force multipliers for your team.

    5. Getting Hacked Is an Advantage

    If you’re not seeking out and patching vulnerabilities in your network and applications, you’re making an assumption that what you don’t know can’t hurt you. Ethical hacking and penetration testing turns hacking into an advantage, helping you find your vulnerabilities before adversaries do.

    6. Compliance Is Liberating

    More and more consumers say they will refuse to buy products from companies that they don’t trust to protect their data, no matter how great the products are. By creating a culture of proactive data compliance, you can exchange the checkbox mentality for continuous compliance, turning security into a competitive advantage.

    7. Rigidity Is Breakthrough

    The success of your business depends not only on customer loyalty, but also employee productivity. Balance security with productivity by practicing strong security hygiene. Run rigid but silent security processes in the background to stay out of the way of productivity.

    What’s the bottom line here? Times are changing, and the current trend toward complexity will slow the business down, cost too much and fail to reduce cyber risk. It’s time to break through cybersecurity complexity and write new rules for a new era.

    Discover Outcome-driven security solutions for the enterprise

    The post Break Through Cybersecurity Complexity With New Rules, Not More Tools appeared first on Security Intelligence.

    Why You Should Be Worried About London Blue’s Business Email Compromise Attacks

    Phishing is nothing new, and efforts to train employees on how to detect and thwart phishing attacks should always be an essential component of any security awareness training program. But what happens when phishing attacks specifically target chief financial officers (CFOs)?

    Researchers have discovered increasing evidence of a threat group named London Blue, a U.K.-based collective that focuses on CFOs at mortgage companies, accounting firms and some of the world’s largest banks. According to a report passed on to authorities by Agari, London Blue has collected email addresses for more than 50,000 senior-level targets in the U.S. and other countries, of which 71 percent hold a CFO title. The Agari report noted that London Blue operators have been utilizing email display name deception to trick senior employees into making fraudulent payments to the threat group’s accounts.

    The ABCs of BEC

    This type of attack, classified as business email compromise (BEC), builds on the typical phishing attack by taking the social engineering aspect to the next level — and sometimes includes elaborate hacking into email servers and the takeover of executive email accounts. But perhaps the most concerning feature of London Blue is that it is an organized cybercrime gang (OCCG) and, as such, works as efficiently as any modern corporation, with specific departments for lead generation, financial operations and human resources.

    Crane Hassold, Agari’s senior director of threat research, explained that the report came about when London Blue targeted the company’s CFO for a potential BEC attack.

    “Once that came in we started doing a little more digging, and there was a lot of active engagement with the scammers to understand more about them,” he said. It took Agari about four months of engagement after first observing the threat group to release the report.

    BEC is a hot topic because it has been relatively successful. What’s really interesting to Hassold and his team is that the attack doesn’t require any technical means to get a result.

    “When we think of cyberattacks, we think of things like malware-based attacks where there’s something technical that happened, but in this case, it’s pure social engineering,” said Hassold. Given his background with the Federal Bureau of Investigation (FBI)’s Behavioral Analysis Unit, Hassold is keenly aware that social engineering is the conduit to many cyberattacks.

    “A lot of work has to go into them in order to make them successful, but the reasons we’re seeing these being used more commonly is that they’re relatively easy to do with no technical knowledge needed to send one of these things out,” he said. Even if these attacks have a success rate of less than 1 percent, Hassold noted, threat actors can still net tens of thousands of dollars a month.

    The Simple, Yet Successful Tactics of London Blue

    On a positive note, despite being so organized, groups like London Blue are still using old-school tactics such as the “Nigerian prince” scam, in which poor grammar and spelling are prominent. Red flags should be easy to spot. Yet, somehow, these scams still work on a very limited scale.

    “They’re still around because they are successful enough,” said Hassold. “Even though most people would look at one of those things and ask ‘how could anyone actually fall for this?’, there’s always going to be a tiny population of people that will fall for it. They prey on central components of the human brain, like trust, fear and anxiety.” Those components are usually on overdrive when an employee gets an email he or she believes is coming from a CEO or CFO.

    Not only have London Blue’s tactics remained the same over the last few years, but its BEC attack isn’t all that complicated. According to Agari’s report, the threat group uses a throwaway email address and changes the display name to match the CEO or CFO of a company. Attackers then send an email to the target financial executive — from their collection of email addresses — asking them to initiate a money transfer for some made-up reason. If London Blue gets a response from the victim, it replies with one or two bank accounts that they control for the money transfer.
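    The pattern just described, an executive's name in the display name on a throwaway address, is something a mail gateway or SIEM rule can catch even though the message carries no link or attachment. The check below is an added example, not code from Agari or from this article: it parses the From header, compares the display name against an assumed executive directory, and flags a mismatch between that name and the expected corporate address, an address smuggled into the display name itself, or a Reply-To that redirects an internal-looking sender off the corporate domain. The domain, directory and sample messages are all constructed for illustration.

```python
import re
import unicodedata
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                 # assumed corporate domain
EXECUTIVES = {                              # assumed executive directory
    "Jane Doe": "jane.doe@example.com",     # CEO
    "John Roe": "john.roe@example.com",     # CFO
}


def _norm(name):
    """Case-fold, strip accents and collapse whitespace so 'JANE  DOE' matches."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(plain.casefold().split())


EXEC_BY_NAME = {_norm(n): a.lower() for n, a in EXECUTIVES.items()}


def _domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(from_header, reply_to_header=None):
    """Return a verdict for one message's From (and optional Reply-To) header."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    reasons = []

    # 1. Executive's display name on an address that is not theirs.
    expected = EXEC_BY_NAME.get(_norm(name))
    if expected and addr != expected:
        reasons.append("executive display name on a different address")

    # 2. An email address planted in the display name, e.g.
    #    "john.roe@example.com" <acct3391@mail.test>
    embedded = re.search(r'[^\s<>"]+@[^\s<>"]+', name)
    if embedded and _domain(embedded.group()) != _domain(addr):
        reasons.append("display name contains an address from another domain")

    # 3. Internal-looking From with a Reply-To that leaves the company.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if _domain(addr) == CORP_DOMAIN and _domain(reply_addr) != CORP_DOMAIN:
            reasons.append("Reply-To redirects off the corporate domain")

    return {"name": name, "address": addr,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample headers; none of these are real messages.
SAMPLE_MESSAGES = [
    {"subject": "Q1 board deck", "from": "Jane Doe <jane.doe@example.com>"},
    {"subject": "Urgent wire", "from": "Jane Doe <ceo.janedoe1@gmail.com>"},
    {"subject": "Quick favour", "from": "JANE DOE <jane.doe@examp1e.com>"},
    {"subject": "Vendor payment", "from": "Jane Doe <jane.doe@example.com>",
     "reply_to": "jd.payments@outlook.com"},
    {"subject": "Invoice 4471", "from": "Sam Vendor <sam@vendor.example>"},
    {"subject": "Re: transfer",
     "from": '"john.roe@example.com" <acct3391@mail.test>'},
]


def flag_messages(messages):
    """Subjects of messages whose sender headers look like display-name deception."""
    return [m["subject"] for m in messages
            if check_sender(m["from"], m.get("reply_to"))["suspicious"]]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", check_sender(m["from"], m.get("reply_to")))
```

    A check like this belongs alongside SPF, DKIM and DMARC rather than instead of them: a throwaway Gmail account passes all three, because the sending domain really is Gmail, so authentication alone will not flag the "Urgent wire" message above. The name lookup should be fed from the HR system rather than a hand-typed list, and a match should route the message to a quarantine or a banner rather than a silent drop, since legitimate executives do occasionally mail from personal accounts.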

    Go Back to Security Basics

    There’s no reason to believe that the rise in senior-level phishing attacks is going to stop anytime soon. So what are the best tactics to prevent this type of attack?

    The most basic defense is still to avoid clicking links or opening attachments that look suspicious. But a London Blue-style email carries neither; the request itself is the payload. So even if an email appears to come from someone you know, think twice before replying, and confirm any request to move money through a channel other than the email thread that asked for it.

    “We’ve been accustomed to just simply reacting or responding to emails,” said Hassold. “That’s how we do business, but I think part of what we need to do is take a second to stop and think about what we’re looking at before we take any action.”

    Like anything related to security, doing your due diligence is a must, even for day-to-day emailing. While security awareness training for the C-suite is never a bad idea, in the case of a BEC attack, it may not be immediately helpful. Because these attacks have such a low overall success rate, you’d need a perfect 0 percent click rate in security awareness simulations to completely prevent them. Additionally, in Hassold’s experience, CEOs and CFOs are generally less receptive to security awareness training.

    “They are extremely busy doing a lot of other different types of activities, so sitting down and having them learn about what the threats are to the business is difficult,” he explained.

    CSOs and CISOs: Brush Up on Your Marketing Skills

    Instead of awareness training, your chief security officer (CSO) or chief information security officer (CISO)’s time may be better spent making sure other executives understand cyber risks in a way that resonates with them — for example, by showing financial executives real-world incidents that have cost companies millions of dollars. No executive wants his or her company to be the next Maersk; the container shipping conglomerate lost up to $300 million and had to reinstall 45,000 PCs and 4,000 servers after being hit by NotPetya ransomware in 2017, according to ZDNet.

    I recall having a long conversation about security awareness with the CSO of a large beverage company, who told me that when it comes to convincing other executives of the importance of security, you need to act like the marketing department and sell them on the concept. This CSO often has her team create pitch decks full of real-world examples to underscore the importance of proper security hygiene. This tactic can work wonders when executed effectively.

    Don’t Underestimate the Threat of Business Email Compromise

    For Hassold, the biggest takeaway from Agari’s report is how groups like London Blue acquire their information.

    “These groups are using legitimate services used by sales teams all over the world to curate their targets,” he said.

    Using popular sales prospecting tools, threat groups can narrow targets by granular demographics and export them into a nice CSV file. The report concluded that “the pure scale of the group’s target repository is evidence that BEC attacks are a threat to all businesses, regardless of size or location.” Agari also predicted that the use of legitimate services for malicious means will increase in the future.

    Business email compromise attacks are clearly a major threat for IT and security leaders to keep an eye on as attackers continue upping their game and making their emails look more legitimate. A strong security culture, combined with a back-to-the-basics approach to security training, can help enterprises avoid being on the receiving end of a successful attack.

    The post Why You Should Be Worried About London Blue’s Business Email Compromise Attacks appeared first on Security Intelligence.

    How to know when you’re ready for a fractional CISO

    Many companies eventually find themselves in the following situation: they’re growing, their technology, infrastructure and teams are expanding, perhaps a M&A is on the horizon, and the board is asking pointed questions about security. It’s usually at this point that a business starts to notice fissures in the walls of what once felt like a tightly locked structure. New challenges in operations, culture, and security begin to arise. Inevitably, when a company hits this phase … More

    The post How to know when you’re ready for a fractional CISO appeared first on Help Net Security.

    How accepting that your network will get hacked will help you develop a plan to recover faster

    As anyone in the network security world will tell you, it is an extremely intense and stressful job to protect the corporate network from ever-evolving security threats. For a security team, a 99 percent success rate is still a complete failure. That one time a hacker, piece of malware, or DDoS attack brings down your organization’s network (or network availability) is all that matters. It’s even more frustrating when you consider that the proverbial ‘bad … More

    The post How accepting that your network will get hacked will help you develop a plan to recover faster appeared first on Help Net Security.

    Maximize Your Defenses by Fine-Tuning the Oscillation of Cybersecurity Incidents

    Information security is an interesting field — or, perhaps more accurately, a constant practice. After all, we’re always practicing finding vulnerabilities, keeping threats at bay, responding to cybersecurity incidents and minimizing long-term business risks.

    The thing is, it’s not an exact science. Some people believe that’s the case, but they are only fooling themselves. Some security professionals strive for perfection in terms of their documentation. Others want their users to make good decisions all the time. I’ve even had people ask if I could do my best to provide a clean vulnerability and penetration testing report when doing work for them. Scary stuff.

    I believe we’ve reached this point of striving for perfection largely due to compliance. Rather than truly addressing security gaps, we’re stuck in the mindset of checking boxes so that someone, somewhere can get the impression that work is being done and all is well in IT. Striving for perfection only serves to skew expectations and set everyone involved up for failure. The reality is you’re never going to have a perfect state of security, but you can have reasonable security if you take the proper steps.

    Ready, Set, Practice

    To improve enterprise security, organizations must do what I refer to as fine-tuning the oscillation of their security program. What do I mean by that? Let me give you a car racing analogy.

    I compete in the Spec Miata class with the Sports Car Club of America (SCCA). It’s a super-competitive class with very little room for mistakes. Everything that we do as Spec Miata racers has to be fine-tuned — that is, if we’re going to win. Everything matters, from how hard we get on the brakes to how quickly we turn the steering wheel to how we get on and off the throttle. Even the turn-in points and apexes of corners are extremely important. Each little thing we do either works in our favor or works against us.

    In car racing, fine-tuning the oscillation means getting better and better at the little things over time. In other words, we minimize atypical events — the mistakes that would show up as spikes on a graph — and get more consistent the more we race. You can certainly make improvements throughout a single race, but most fine-tuning comes with experience and years of seat time.

    Make Small Adjustments Over Time

    Information security is no different. In the context of your overall security program, threats, vulnerabilities and subsequent cybersecurity incidents represent the oscillation. If you’re looking for a visual, fine-tuning the oscillation means minimizing the amplitude and maximizing the frequency of a sine wave to the point where you have a tiny squiggly line that represents your security events. It’s almost a straight line, but as I said before, there’s no such thing as perfection in security.

    Instead of having low-hanging fruit such as missing patches and weak passwords, you’re staying on top of patch management and password policy enforcement. Instead of a lack of network visibility, you have systems and technologies in place that allow you to see things happening in real time. Instead of experiencing a security incident, you’re able to prevent or mitigate the threat. Instead of a breach, you have business as usual.

    Rather than playing by the terms of malicious actors seeking to bring down your business, you are the one in control. This is all done through acknowledging your weaknesses and blind spots and making small adjustments over time.

    Minimize the Impact of Cybersecurity Incidents

    Start viewing your security program from this perspective by asking a few simple questions. What areas need the most attention? Do you have some quick wins that you could start with to get your momentum going? Most organizations have a handful of areas with known security gaps that are creating big exposures — things like third-party patching, unstructured (and unprotected) information scattered about networks, and user security awareness and training. Aim to quickly close the gaps that create the greatest risk so you can spend more focused time on the smaller, but more difficult, problems.

    Stretching out that sine wave and fine-tuning the oscillation of impactful cybersecurity incidents should be your ultimate goal. Be it racing cars or running a security department, time, money and effort are the essential elements. If you’re going to do either one well, it’s going to require good information, solid decision-making, and intentional and disciplined practice over and over again. That’s the only way you’ll get better.

    The post Maximize Your Defenses by Fine-Tuning the Oscillation of Cybersecurity Incidents appeared first on Security Intelligence.

    Implementing ISO 27001 and Avoiding Potential GDPR Consequences

    With the increase in cyber-attacks and information security breaches – 72% of large UK firms identified an information security breach in 2018, up from 68% in 2017 – the importance of protecting both

    The post Implementing ISO 27001 and Avoiding Potential GDPR Consequences appeared first on The Cyber Security Place.

    The most effective security strategies to guard sensitive information

    Today’s enterprise IT infrastructures are not largely hosted in the public cloud, nor are they SaaS-based, with security being the single largest barrier when it comes to cloud and SaaS adoption. With the recent rise in breaches and privacy incidents, enterprises are prioritizing the protection of their customers’ personally identifiable information, according to Ping Identity. Most infrastructure is hybrid Less than one quarter (21%) of IT and security professionals say that more than one half … More

    The post The most effective security strategies to guard sensitive information appeared first on Help Net Security.

    Branching out more efficiently and securely with SD-WAN

    As enterprises expand, through organic growth or acquisition, they need to support the IT needs of more distributed locations. These often include teams in shared office spaces versus enterprise-owned or leased facilities. To serve remote locations and users, enterprises are rapidly moving toward cloud-based applications including Unified Communications as a Service (UCaaS). As always, IT teams are under pressure to contain costs and are turning to Software Defined Wide Area Networks (SD-WAN) to play a … More

    The post Branching out more efficiently and securely with SD-WAN appeared first on Help Net Security.

    Reimagining risk management to mitigate looming economic dangers

    In a volatile market environment and with the edict to “do more with less,” many financial institutions are beginning efforts to reengineer their risk management programs, according to a new survey by Deloitte Global, with emerging technologies in the driver’s seat. Seventy percent of the financial services executives surveyed said their institutions have either recently completed an update of their risk management program or have one in progress, while an additional 12 percent said they … More

    The post Reimagining risk management to mitigate looming economic dangers appeared first on Help Net Security.

    Should enterprises delay efforts to remediate most vulnerabilities?

    Companies today appear to have the resources needed to address all of their high-risk vulnerabilities. The research demonstrates that companies are getting smarter in how they protect themselves from today’s

    The post Should enterprises delay efforts to remediate most vulnerabilities? appeared first on The Cyber Security Place.

    Business resilience should be a core company strategy, so why are businesses struggling to take action?

    A recent survey showed that only 51% of U.S. business decision makers say their organization is definitely as resilient as it needs to be against disruptions such as cyber threats. In addition, the survey showed that 96% of U.S. business decision makers claim business resilience should be a core company strategy. If 96% of business decision makers realize this, why are organizations still struggling to protect themselves against cybercrime and technology-based disruption? IT teams face … More

    The post Business resilience should be a core company strategy, so why are businesses struggling to take action? appeared first on Help Net Security.

    Why CISOs and Boards Should Work Together to Improve Cybersecurity Disclosure

    Just how well are organizations informing stakeholders about cyber risks? As 2018 drew to a close, that was the question that EY sought to answer in its “Cybersecurity Disclosure Benchmarking” report. EY looked at how Fortune 100 organizations are sharing information related to cybersecurity in their proxy statements and 10-K filings, specifically analyzing these documents for the following:

    • Information related to how the organization manages cybersecurity and security awareness and training — and whether those are part of a wider enterprise risk management (ERM) program.
    • Whether or not public filings contained statements about the importance of cybersecurity risks as strategic risks, or their potential impact on business objectives.
    • How the board is discharging its responsibility to oversee risks, focusing specifically on cybersecurity risks, including board member qualifications regarding cybersecurity as well as the structure and frequency of cyber reports from management.

    Before we look at what EY’s analysis revealed, let’s take a step back and look at the environment that got us here.

    Businesses Are Under Pressure to Disclose Cyber Risks

    It’s no secret that cybersecurity has become a regular topic of discussion for boards and top leadership. But just because something is discussed every once in a while doesn’t mean that organizations are taking effective steps to deal with it. As the events of the past two years have shown, cybersecurity risks are real, and publicly traded organizations that experience a cyber incident — be it a breach, ransomware attack, denial-of-service (DoS) or other digital disruption — will quickly find themselves in the spotlight with ample, but unwanted, news coverage.

    The problem for many of these companies isn’t the spotlight from the press or the immediate drop in stock value — it’s the secondary but very significant impacts coming from class-action lawsuits, fines and other regulatory enforcements, and long-lasting scrutiny from regulators such as the U.S. Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC).

    The SEC’s 2011 guidance reminded board directors that cybersecurity — at the time a relatively new issue rising to the board’s level — was a material issue to be addressed. The 2011 guidance specifically mentioned the need “to disclose conclusions on the effectiveness of disclosure controls and procedures,” especially since a cyber incident could impact many of the other areas in which organizations are normally required to disclose information (e.g., financial and operational risks).

    Then, in 2018, the SEC released updated interpretive guidance on cyber-related disclosures. It not only reminded organizations of their duty to have controls in place to prevent insider trading on nonpublic knowledge of an incident, but also aimed, in the words of SEC Chairman Jay Clayton, to “promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.” Clayton added that he had asked the SEC’s Division of Corporation Finance to continue to carefully monitor cybersecurity disclosures.

    For those wishing to learn from the mistakes of others, the SEC maintains a public list of enforcement actions that includes cybersecurity-related matters.

    Top Findings From EY’s Cybersecurity Disclosure Study

    EY’s analysis of 10-K filings and proxy statements from Fortune 100 firms found that all organizations — yes, 100 percent — included cybersecurity as a risk factor consideration. Furthermore, 84 percent mentioned cybersecurity in the risk oversight section, and nearly 7 in 8 organizations had charged at least one committee with oversight of cyber risks (though, in 70 percent of those organizations, that committee was the audit committee, whose agenda is already bursting with challenging issues).

    In terms of board qualifications, 41 percent of companies reported highlighting cybersecurity expertise as an area of focus for new board directors. But when it came to interactions with management, only 34 percent of organizations mentioned the frequency of board reports, with just 11 percent reporting briefing the board annually or quarterly.

    Finally, in terms of risk management, 70 percent of organizations mentioned their cybersecurity efforts and activities, such as training, personnel, refining of processes and monitoring. However, only 30 percent made any reference to incident response planning, disaster recovery or business continuity, and a tiny fraction, just 3 percent, indicated that their preparations included items such as tabletop exercises or simulations.

    An Opportunity for CISOs to Play a Larger Role

    As companies increasingly acknowledge cybersecurity risks as strategic risks, chief information security officers (CISOs) have an opportunity to play a larger role in the organization’s plans, investments and overall digital strategy. Instead of representing the camp of “security-as-an-IT-issue” — and with this, the simplistic view of security as an impediment to business — the CISO can help drive better conversations around cyber risks and educate top leadership and the board on emerging cybersecurity and privacy issues, including those that aren’t directly connected to cybersecurity such as artificial intelligence (AI), robotics and blockchain.

    CISOs can drive progress by engaging with top leadership and the board to provide broader awareness, education and participation in matters that organizations should be more transparent about. Those cyber-related matters include incident response and emerging threats as well as gauging the organization’s readiness (e.g., tabletop exercises, simulations) and the effectiveness of its cyber risk management program.

    Recommendations for Board Directors

    The EY report provides several recommendations in the form of questions for boards to improve their engagement regarding cybersecurity risks. It’s worth asking the following questions of your organization:

    • Has responsibility for cybersecurity been formally assigned at management level (e.g., CISO) and on the board itself (e.g., audit committee)?
    • Is the board getting regular briefings on the organization’s strategy regarding cybersecurity risks and cyber resilience? How engaged is the board in reviewing the organization’s cyber risk management program, and security-related investments?
    • How has the organization (i.e., management) fared in recent tabletop exercises or simulations? Are directors taking part in such activities?

    The report also mentioned the benefits of contracting with external advisers to provide board directors the opportunity to have a “dialogue with third-party experts whose views are independent of management.”

    In 2019, it is imperative that enterprises take action to inform investors about cybersecurity risks and incidents in a timely manner — even enterprises that are subject to risks but have not yet been the target of a cyberattack. In this light, board directors, top leadership and CISOs should take another look at how well their 10-K and proxy statements satisfy the requirement to disclose material information regarding cybersecurity risks.

    The post Why CISOs and Boards Should Work Together to Improve Cybersecurity Disclosure appeared first on Security Intelligence.

    What Can Consumers and IT Decision-Makers Do About the Threat of Malvertising?

    If you haven’t already heard of malvertising, it’s one of the latest portmanteaus you’ll hear more about in 2019. Malvertising, or malicious advertising, is a type of online attack in which threat actors hide malicious code within an advertisement as a means to infect systems with malware. It works like any other type of malware, but can be found in ads across the internet — even legitimate websites such as The New York Times and BBC.

    While these attacks have been around for several years, their frequency continues to grow, and the threat to the enterprise is getting harder to diagnose.

    Frank Downs, director of cybersecurity practices at the Information Systems Audit and Control Association (ISACA), recognizes malvertising as the natural evolution of malware in today’s world of higher security.

    “Leveraging traditional advertising capabilities, it makes it much easier for a malicious actor to seem legitimate,” he said.

    Whether you’re at home, on a mobile device or sitting at your desktop at work, discerning which ads contain malware is difficult — especially compared to attacks such as phishing, where malicious messaging may be easier to detect.

    So what can be done to educate both end users and IT decision-makers? Do workable strategies to defend against malvertising exist?

    Ad-Blocking Software: The Ups and Downs of the Tried and True

    While it’s easy to become discouraged given the perniciously stealthy nature of malvertising, it’s important to remember that ad-blocking software can handle a great deal of these threats by ensuring that most ads are never even presented to the user.

    “Solutions exist which range from simple browser plugins, such as AdBlock Plus, to advanced traffic filtering tools,” said Downs.

    He went on to single out an open-source, community-led initiative that’s gained some traction among cyber enthusiasts: Pi-hole.

    “These devices are cheap, easily configured, community-developed systems which run on small Raspberry Pi devices. They block over 100,000 advertising domains and have gained an avid following online, making them more effective every day,” Downs explained.

    However, Pi-hole isn’t for everyone. Most enterprises only need to deploy ad-blocking software centrally and prevent users from disabling it. If a valid business need requires a user to reach a site the blocker breaks, the request should go to the security team, which can decide whether to allowlist the site or find another course of action. The downside of this option is that it’s cumbersome and not user-friendly, so users end up calling support teams to complain about how their workflow is negatively impacted.
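    The blocklist approach described above comes down to a lookup at DNS resolution time: if the queried name, or any parent domain of it, is on the blocklist, the resolver answers with a sinkhole address instead of forwarding the query upstream. The following is an added example, not code from the Pi-hole project or from the article, that implements that decision with a security-team allowlist taking precedence over the blocklist, plus a summary over a batch of queries that a team could use to alert on repeated hits. The blocklist, allowlist, sinkhole address and sample queries are all constructed for the example.

```python
"""
DNS-sinkhole style blocklist decision (Pi-hole-like), as an illustration.

Added example; not Pi-hole's code. All domains and queries are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed blocklist of advertising/tracking domains (not a real feed).
BLOCKLIST = {
    "ads.example-adnetwork.com",
    "tracker.example-metrics.net",
    "example-malvertising.biz",
}

# Constructed allowlist: exceptions approved by the security team after a
# user reported a legitimate workflow broken by the blocklist.
ALLOWLIST = {
    "cdn.example-adnetwork.com",  # hypothetical: serves a vendor's assets, not ads
}

# Address returned for blocked names; Pi-hole uses 0.0.0.0 by default
# (assumption for this example; any unroutable address works).
SINKHOLE_ADDR = "0.0.0.0"


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot of an FQDN."""
    return name.strip().rstrip(".").lower()


def parent_domains(name: str) -> Iterator[str]:
    """Yield the name and each parent domain, most specific first, excluding the bare TLD.

    "a.b.example.com" -> a.b.example.com, b.example.com, example.com
    """
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


@dataclass
class Decision:
    query: str
    action: str               # "resolve", "block" or "allow"
    matched: Optional[str]    # list entry that decided the outcome, if any


def decide(query: str) -> Decision:
    """Walk from the exact name up to its parents; an allowlist entry wins at
    the level it is found, so a specific exception beats a broader block."""
    name = normalize(query)
    for candidate in parent_domains(name):
        if candidate in ALLOWLIST:
            return Decision(name, "allow", candidate)
        if candidate in BLOCKLIST:
            return Decision(name, "block", candidate)
    return Decision(name, "resolve", None)


def sinkhole_answer(query: str) -> Optional[str]:
    """The A-record answer to hand back for blocked names; None means forward upstream."""
    return SINKHOLE_ADDR if decide(query).action == "block" else None


def summarize(queries: Iterable[str]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Count outcomes and which blocklist entries fired; repeated hits on one
    entry are what a security team would alert on."""
    counts = {"resolve": 0, "block": 0, "allow": 0}
    hits: Dict[str, int] = {}
    for q in queries:
        d = decide(q)
        counts[d.action] += 1
        if d.action == "block" and d.matched is not None:
            hits[d.matched] = hits.get(d.matched, 0) + 1
    return counts, hits


# Constructed sample of queries as a resolver might log them.
SAMPLE_QUERIES: List[str] = [
    "www.example.com",
    "ads.example-adnetwork.com",
    "x.ads.example-adnetwork.com",
    "cdn.example-adnetwork.com",
    "tracker.example-metrics.net",
    "news.example.org",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(decide(q))
    print(summarize(SAMPLE_QUERIES))
```

    Note that a name is blocked whenever any parent domain is listed, so a single entry for an ad network's domain covers every host beneath it, while the allowlist gives the security team a way to carve out the exceptions the paragraph above describes without disabling blocking for everyone.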

    “The reality is, no amount of user training is going to stop the problem. Enterprise CXOs have enough to concern themselves with,” said Sherban Naum, senior vice president of corporate strategy and technology for Bromium. “Malvertising is a pain that can be easily remedied by isolating the entire session, allowing a user the freedom to surf the web without the risk of compromise.”

    Naum said he is seeing more customers taking the isolation route to remove the user from the decision tree when it comes to real-time runtime security.

    Where Does the Buck Stop?

    This is all practical for the well-informed enterprise, but end-user awareness is critical as malvertising proliferates. As it stands, users generally lack understanding of how ads and malware work together.

    While it’s easy to place the onus on ad-blocking software providers, the issue is surrounded by complexity and extends beyond ad blockers. Because legitimate sites depend on ad revenue, many ask users to disable their ad blockers before granting access.

    “The practice of asking users to disable a security product for their own benefit is troubling,” said Naum. “Ad blocker companies are doing the right thing to block ads, but users are left with making a decision to either maintain the ad blocker or disable it, as most see legitimate, well-known categorized websites as safe.”

    What users may not be aware of is that the ads on these large sites are served by hundreds of third-party ad servers that are not under the control of the site’s operator. This leaves users, employees and consumers as the final security decision-makers, which is anything but optimal.

    “What would help is if large sites didn’t prompt users to disable security tools but rather let the visitor access the site and focus more on delivering their service than earning revenue on ads,” Naum said.

    Return to Security Best Practices to Deal With Malvertising

    That’s obviously easier said than done. If the threat of malvertising shows no signs of slowing down, sites that run ads may face the unfortunate dilemma of having to choose between revenue or keeping visitors safe. Until that happens, it’s our responsibility to be informed and do what we can.

    To accomplish this, we must come to terms with the fact that we can’t stop the unknown or trust systems that are entirely out of our control. Further, enterprises must stop relying on legacy architectures and systems to identify attacks.

    “Once you have accepted that you need to isolate the untrusted, then happy clicking on malware isn’t an issue and cybercrime is less effective,” said Naum. “However, perhaps the best way of looking at this holistically is that there will always be cybercrime and the enterprise needs to focus on what they are doing to ensure their users are not a victim.”

    Malvertising is one more threat that will keep your IT decision-makers up at night, but any company with a protection-first mindset should be able to remain ahead of the curve. Security awareness training for the user may yield limited results in stopping this threat, but in cases like this, a security-minded C-suite will always be ahead of the game.

    The post What Can Consumers and IT Decision-Makers Do About the Threat of Malvertising? appeared first on Security Intelligence.

    Beware the man in the cloud: How to protect against a new breed of cyberattack

    One malicious tactic that has become quite prevalent in recent years is known as a ‘man in the cloud’ (MitC) attack. This attack aims to access victims’ accounts without the need to obtain compromised user credentials beforehand. Below, this article explains the anatomy of MitC attacks and offers practical advice about what can be done to defend against them. What is a MitC attack? To gain access to cloud accounts, MitC attacks take advantage of the … More

    The post Beware the man in the cloud: How to protect against a new breed of cyberattack appeared first on Help Net Security.

    Cybercrime could cost companies trillions over the next five years

    Companies globally could incur $5.2 trillion in additional costs and lost revenue over the next five years due to cyberattacks, as dependency on complex internet-enabled business models outpaces the ability to introduce adequate safeguards that protect critical assets, according to Accenture. Based on a survey of more than 1,700 CEOs and other C-suite executives around the globe, the report — Securing the Digital Economy: Reinventing the Internet for Trust — explores the complexities of the … More

    The post Cybercrime could cost companies trillions over the next five years appeared first on Help Net Security.

    Succeed in Your Cloud Migration With a Secure Hybrid Cloud Strategy

    Picture this: An object storage misconfiguration has left thousands of customer records fully exposed. Your company is about to face costly compliance consequences and a loss of customer trust. How should you respond? More importantly, how could a secure hybrid cloud strategy have helped prevent such an incident from happening in the first place?

    As IT teams face significant pressure to develop a successful cloud migration strategy, organizations are treating security as an afterthought in their rush to quickly move to the cloud. Today, 81 percent of organizations have a multicloud strategy, according to RightScale. Migration without cloud security services for visibility and governance can significantly increase the complexity, costs and risks of adoption.


    When Unsecure Cloud Migration Becomes Disastrous

    Too often, security is forgotten in the excitement to capture the hybrid cloud’s remarkable potential. Perceptions that secure processes can slow digital transformation may lead to security being treated as an afterthought. While well-managed cloud adoption can improve data security and disaster recovery, many organizations are wary of public cloud providers’ shared responsibility models, which split security duties between the provider, the customer and any third-party security vendors and can make access control and compliance governance more complex than in on-premises deployments. A Cybersecurity Insiders survey found that 43 percent of cloud adopters lack visibility into infrastructure security, 38 percent report compliance troubles and 35 percent struggle to consistently enforce security policies.

    Misconfigured cloud servers and other improperly configured systems were solely responsible for the exposure of 2 billion data records tracked by IBM X-Force researchers last year. In addition, inadvertent insider error has contributed to an over 400-percent year-over-year growth in cloud security risks, due in large part to misunderstandings about shared responsibility models to protect data in the cloud. Ultimately, if a data breach or disruption occurs, the organization is liable for the loss of customer trust, regulatory fines and other expensive consequences.

    By rushing cloud adoption, businesses are more likely to generate risks than gain a competitive advantage. In fact, 74 percent of organizations reported that they likely experienced a data breach in the past year due to a lack of secure cloud migration processes. Secure cloud design, a full understanding of responsibility models and solutions for proactive risk management are critical to realizing cloud benefits.

    How to Adopt Hybrid Cloud With Confidence

    The organization’s ability to develop a successful cloud migration strategy depends, in part, on the IT team’s ability to effectively manage competing priorities of speed, cost efficiency and security. Across industries, hybrid cloud adoption is a necessary tool to balance expanding workloads and data assets. As cloud threats increase, managing hybrid cloud infrastructures requires the enterprise to develop new processes and adopt new solutions for visibility and control.

    Strive for True Hybrid Cloud Visibility

    Hybrid cloud environments can host a wide array of resources and application programming interfaces (APIs), which can make it challenging to orchestrate effective security controls.

    The need for visibility necessitates management solutions designed to capture a diverse view of storage, networking and provisioning activities across public and private cloud environments. Cloud security services should offer visibility and analytics to proactively manage compliance, identify threats and accelerate remediation activities.

    Proactively Manage the Cloud Life Cycle

    Effective data governance in a hybrid cloud infrastructure requires comprehensive security policies that are proactively and consistently implemented across apps, services, databases, users and endpoints. Cloud security tools should support the organization’s transition to a DevSecOps model where security works alongside DevOps so that proper security controls are built into the design process from the beginning. In turn, this simplifies the process of access management, authentication and authorization in native and migrated cloud apps. To manage threats and compliance risks, organizations need solutions that automate policy enforcement and strengthen compliance posture in a hybrid cloud environment post-deployment.
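    The object storage misconfiguration in the opening scenario is exactly the kind of thing automated policy enforcement catches before deployment: a bucket policy that grants read access to a wildcard principal. The following is an added example, not a tool from IBM, a cloud provider or the article, that statically checks an S3-style bucket policy document for such grants and shows the weak policy beside a hardened one. The bucket name, account ID, role ARN and both policies are constructed for the example.

```python
"""
Static check for "anyone can read" grants in an S3-style bucket policy.

Added example; not any vendor's tool. Names, ARNs and policies are constructed.
"""
import fnmatch
import json
from typing import Any, Dict, List

# Constructed: the kind of policy behind an "object storage misconfiguration".
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-customer-records",
                   "arn:aws:s3:::example-customer-records/*"]
    }
  ]
}
""")

# Constructed: the same bucket with read access limited to one application
# role, plus a guard that refuses requests over plain HTTP.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppRoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-customer-records/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-customer-records",
                   "arn:aws:s3:::example-customer-records/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")

# Actions that expose object contents or the object listing to a reader.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value: Any) -> List[Any]:
    """Policy documents allow a scalar or a list in most positions."""
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, including "*" inside a list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def grants_read(actions: Any) -> bool:
    """True if any action pattern ("*", "s3:*", "s3:Get*", ...) covers a read action.
    Action matching is case-insensitive, so compare in lower case."""
    patterns = [str(a).lower() for a in _as_list(actions)]
    return any(fnmatch.fnmatchcase(read.lower(), pat)
               for read in READ_ACTIONS for pat in patterns)


def find_public_read(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement that lets a wildcard principal read."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" is a guard, not an exposure
        if not is_wildcard_principal(st.get("Principal")):
            continue
        if not grants_read(st.get("Action", [])):
            continue
        findings.append({
            "sid": st.get("Sid", "<no Sid>"),
            "resources": _as_list(st.get("Resource", [])),
            # A Condition may narrow the grant (e.g. to a VPC endpoint) and
            # needs human review; an unconditioned grant is simply public.
            "severity": "public" if "Condition" not in st else "public-conditional",
        })
    return findings


if __name__ == "__main__":
    print("weak:", find_public_read(WEAK_POLICY))
    print("hardened:", find_public_read(HARDENED_POLICY))
```

    A check like this belongs in the pipeline that deploys the bucket, so the weak policy is rejected before it is applied. It covers only the bucket policy; object ACLs and the account-level public access block are separate controls and need their own checks.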

    Why the Enterprise Is Responsible for Protecting Customer Trust in the Hybrid Cloud

    The revolution toward a digital economy is underway, and organizations recognize the potential of the hybrid cloud to introduce agility and scale. As IT teams face pressure to deploy a hybrid cloud infrastructure that supports digital transformation activities, many are rushing to the cloud without a comprehensive approach to protecting critical data by design and default.

    To fully realize the potential benefits of the secure hybrid cloud, organizations must recognize and understand that the responsibility for protecting customer data and a secure move to the cloud continues to rest with their organization and IT teams. Implementing secure processes during migration and adoption can reduce the costs and risks that result from treating security as an afterthought. Cloud security services for visibility and orchestration are a necessity to proactively manage policy, compliance and access across cloud apps and services.


    The post Succeed in Your Cloud Migration With a Secure Hybrid Cloud Strategy appeared first on Security Intelligence.

    10 Cybersecurity Conference Trips You Should Make Time for This Year

    Cybersecurity remains a top priority for chief information security officers (CISOs) worldwide, but it’s easy to get out of touch as the industry evolves at breakneck speed and attackers discover new and innovative ways to compromise corporate networks. That’s why it’s worth investing in cybersecurity conference trips to help IT professionals stay up-to-date by networking with vendors, thought leaders and colleagues.

    Top Cybersecurity Conference Trips You Should Book in 2019

    Not sure where to distribute your IT budgets for ideal returns? Here’s a roundup of some of the top cybersecurity conferences happening this year.

    Cybertech Israel

    Cybertech Israel will once again descend on Tel Aviv from Jan. 28-30. One of the premier B2B networking conferences for security professionals, Cybertech offers both a major exhibition and full conference schedule over the course of three days. This year, speakers will include Prime Minister of Israel Benjamin Netanyahu, Professor Dieter Kempf, president of the Federation of German Industries, and Dr. Sridhar Muppidi, IBM fellow and chief technology officer at IBM Security.

    HIMSS 2019

    Up next for the new year is HIMSS19, which will take place from Feb. 11–15 in Orlando, Florida. This year’s theme, “Champions of Health Unite,” will bring together insights from trailblazers, game-changers and strategizers to help health IT professionals set the stage for a secure and successful 2019. Topics will range from privacy and telehealth to care culture and clinician engagement. Given the critical role of technology in delivering and empowering health services, HIMSS19 promises to be a great starting point for this year’s conference lineup in the U.S.

    Think 2019

    IBM Think 2019, happening Feb. 12–15, is making the move this year to San Francisco. With more than 160 security-focused sessions across the conference’s dedicated Security and Resiliency Campus, there’s something for everyone. Key offerings include sessions on making security relevant to the C-suite, understanding the value of collaborative defense and transforming the role of incident response (IR) with new technologies such as IBM’s Watson.


    RSA Conference

    One of the industry’s biggest annual conferences, RSAC is also held in San Francisco and will run from March 4–8. This year’s theme is “Better” — building better solutions, creating better connections and developing better responses. From securing robot-designed code to measuring data breach impacts and examining the value of human risk management, this massive conference (40,000+ attendees) always delivers value.

    Cyphercon 4.0

    Demonstrating that bigger isn’t always better, Cyphercon 4.0 will be held in Milwaukee from April 11–12. This cryptography and information security-focused offering strives to create an informal, welcoming environment that offers benefits for experts and beginners alike. All session abstracts are reviewed without speaker names attached, ensuring that only high-quality (not merely high-profile) presentations make the cut.

    40th IEEE Symposium on Security and Privacy

    With the General Data Protection Regulation (GDPR) now in full effect and privacy legislation a top priority for many countries, enterprises would be well served by any cybersecurity conference that tackles this increasingly complex field. The Institute of Electrical and Electronics Engineers (IEEE)’s 40th symposium will take place in San Francisco from May 20–22 and will bring together some of the industry’s leading researchers and practitioners to help organizations evaluate their current privacy policies and prepare for the next generation of personal data defense.

    Gartner Security and Risk Management Summit

    Happening in National Harbor, Maryland, from June 17–20, Gartner’s yearly conference includes sessions about emerging information security priorities such as machine learning, analytics and blockchain. More generally, the conference tackles the critical need to make security and risk top organizational priorities by offering a combination of meaningful networks, expert guidance and real-world scenarios.

    Black Hat

    One of two premier hacker conferences taking place in Las Vegas each summer — DEF CON is the other — Black Hat is more formal and also one of the most popular conferences every year. This year, the conference will be held from Aug. 3–8. Topics are wide-ranging; last year’s event examined the potential of voting machine compromise, and in 2015, researchers hacked a moving Jeep.

    BSides

    BSides Las Vegas, scheduled for Aug. 6–7, is a free conference that will celebrate its 10th year in 2019 and offers the benefit of small-group participation for all attendees. Walk-in passes are snapped up quickly, so if you’re in town for Black Hat or DEF CON, make sure to stop by the Tuscany Suites; this year, BSides has the entire hotel booked.

    GrrCon

    Rounding out the year is the more informal GrrCon, scheduled for Oct. 24–25 in Grand Rapids, Michigan. This conference is small — just 1,500 attendees — and focuses on creating a fun atmosphere where executives, security professionals, students and hackers can exchange ideas and uncover new insights.

    Start the Year Off Strong

    Less than 24 hours after the ball dropped in Times Square, this year saw its first data breach: As reported by CBR Online, more than 30,000 Australian civil servants had their data stolen. It’s a bellwether for 2019 — a not-so-subtle sign that threat actors will continue to compromise corporate data to leverage or generate profit. More importantly, it’s a reminder to start the year off strong — to revisit existing security policies, design more holistic defenses and make time for the best cybersecurity conference offerings of 2019.

    The post 10 Cybersecurity Conference Trips You Should Make Time for This Year appeared first on Security Intelligence.

    Protecting privileged access in DevOps and cloud environments

    While security strategies should address privileged access and the risk of unsecured secrets and credentials, they should also closely align with DevOps culture and methods to avoid negatively impacting developer velocity and slowing the release of new services. Example of tools in the DevOps pipeline Despite this, 73 percent of organizations surveyed for the 2018 CyberArk Global Advanced Threat Landscape report have no strategy to address privileged access security for DevOps. Key recommendations The report … More

    The post Protecting privileged access in DevOps and cloud environments appeared first on Help Net Security.

    Board Directors Can’t Afford to Ignore Cybersecurity Risk

    As organizations rush to adopt new digital channels, big data, advanced analytics, and emerging technologies such as blockchain, artificial intelligence (AI) and quantum computing, they face new risks that may be difficult to quantify today.

    The obvious challenge with emerging risk is the lack of historical perspective and measurement. Position credit risk against cyber risk, for example, and you’ll realize that credit professionals have the benefit of time-tested practices and numerous economic cycles as a basis for quantifying risk in familiar metrics. Credits that score a 6.2 (expected frequency of default) will, on average, lose a greater percentage of principal balance than credits scoring 3.2, and this is a known quantity.

    Now consider cyber risk in light of the imperative to embrace new technologies to remain competitive and the gradual emergence of risk mitigation strategies to match new technologies. Put simply, the unmanaged cybersecurity risk of tomorrow is the unintended consequence of today’s revolution.

    Weighing the Benefits of Technology Against Cybersecurity Risk

    New technology enables value creation, generates process efficiencies, and allows companies to assimilate and analyze information at an unprecedented speed. This creates numerous opportunities to drive substantive improvement for the public good. For instance, AI tools help clinicians diagnose and treat serious illnesses more quickly and accurately. Similarly, AI applications in the financial industry help mitigate bank fraud and other financial crimes and combat cyber risk.

    However, cybercriminals have access to this same technology, which they use to launch attacks and breach corporate networks to steal or damage information. This, combined with the mass digitization of data, growth of internet of things (IoT) deployments and widespread adoption of AI, is straining security resources like nothing we’ve ever seen. Juniper Research forecast the number of records stolen by cybercriminals to reach 5 billion in 2020, and Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.

    Continuous improvement has never been more crucial to cybersecurity risk management. The worst thing you can do is remain static or get comfortable with the status quo. The failure to reassess and invest in your strategy, evolve your practices, educate leaders and employees, and advance risk technology in lockstep with new business applications puts companies and even national economies at risk.

    Cybercrime has evolved into a well-organized, well-funded industry that focuses all its attention on penetrating enterprise networks to disrupt, steal, extort and exploit sensitive data. That said, many of the incidents that have made the news have nothing to do with external attackers; instead, they are the result of human error or malicious insiders, which presents a distinct type of risk management challenge.

    Either way, a reactive and siloed approach to cyber risk management limits effectiveness. The increasing volume and spectrum of threats necessitates detection, management and mitigation strategies that are proactive, adaptable and offensive in nature. Most importantly, these strategies must engage all elements of senior leadership.

    Part of the problem is that technology has advanced faster than risk mitigation practices and investments. In many instances, cyber risk management is compartmentalized with technology functions, not widely understood by senior leadership or overtly linked to business strategy. Confronting this new risk means that every member of the senior leadership team, board of directors and company staff must make an investment in understanding and managing cyber risk.

    Do You Understand the Risks Facing Your Business?

    The more aggressive a firm’s digital and data-driven business strategies are, the greater the need to ensure that cyber risk is understood at the senior executive and board levels. This is the only way to facilitate a healthy and informed dialogue about business strategies and technology deployments with the appropriate risk appetite, safety considerations and governance. Of course, this task becomes more complicated as more technologies are adopted and integrated into the IT environment.

    The widespread adoption of big data and advanced analytics will make it increasingly difficult for companies to manage or govern the volume of data they are trying to utilize. This is already a problem for some regulated financial market data providers; datasets and the products derived from them have outrun firms’ ability to map, manage and quality-control the data.

    Cloud is another notable example. Many firms are rushing to move workloads to a hybrid cloud environment, which introduces new risks in multiple forms and raises myriad questions, including:

    • Where is the data?
    • What controls will be provided by each cloud service provider (CSP) and what must be provided by the firm?
    • How can the firm risk-assess and performance-manage each CSP?
    • How can the firm implement an effective risk dashboard across data types and providers, both on and off premises?
    • How can the firm demonstrate regulatory compliance effectively amid rapid change in the industry?

    In addition, digital channels, bots and robo-advisors are being used at an accelerating pace. Like other emerging technologies, these expose consumers to new risks, and providers face scrutiny for poor outcomes. Understandably, consumers are not ready for these risks, and they simply do not know how to protect themselves in a world of connected devices, smart appliances and mobile banking. In the EU, the revised Payment Services Directive (PSD2) aims to stimulate competition in payments by requiring banks to give licensed third-party providers access to customer account and payment data, with the customer’s consent, through secure interfaces. This open banking era introduces new obstacles to effective implementation and to meeting both regulators’ and customers’ expectations of availability and ease of use.

    Finally, the IoT brings countless new endpoints — and countless new microvulnerabilities — to the enterprise. It also exponentially multiplies the volume of data to be handled, complicates operating models, and makes it harder to map sensitive data and the risks to it. Consider technologies such as smart homes, connected cars and power grids; attacks on these systems could have physical, even life-threatening consequences that go far beyond the cost of noncompliance and disruption.

    The New Regulatory Landscape Demands More of Leadership

    The level of regulatory scrutiny and public awareness of cyber risk is rising and, along with it, expectations that companies will appropriately address these risks. Consider the General Data Protection Regulation (GDPR), which gives consumers more control over their personal data, mandates that vendors build data protection safeguards into products and services, and places strict requirements on companies that manage EU residents’ personal data. Failure to comply could carry fines of up to 20 million euros or 4 percent of total worldwide annual turnover, whichever is higher.

    Another example is the New York State Department of Financial Services (NYDFS) regulation 23 NYCRR Part 500, which places the cybersecurity program under the board’s oversight and requires annual certification of compliance by a senior officer or the board chair. As mentioned above, PSD2 set new security and registration requirements for payment services; member states had to transpose it into national law by Jan. 13, 2018. Finally, the California Legislature recently approved the California Consumer Privacy Act (CCPA), which will take effect in 2020. This new legislation, the strictest in the U.S., gives consumers rights related to how their data is managed and sold and imposes obligations on the holders of this data.

    As you can see, cybersecurity risk is a real business risk and must be managed holistically as enterprise risk rather than delegated to technical functions. Chief information security officers (CISOs), risk and compliance officers, technology managers and line-of-business leaders must own risk collectively, and it must be built into and considered a crucial component of the business strategy.

    To accomplish this, top management and the board must engage in regular dialogue around cyber risks and business strategy and recognize them as inextricably linked. Investment in one necessitates investment in the other. This approach enables business and security leaders to replace defensive strategies with offensive capabilities and maintain an open, honest and direct dialogue about risk. Most importantly, it helps these leaders coordinate and prepare to play their roles when a security incident strikes.

    The post Board Directors Can’t Afford to Ignore Cybersecurity Risk appeared first on Security Intelligence.

    The Success of Your Business Depends on Digital Trust. Here Is How to Measure It

    Most people can name a recent example of online data being compromised, and consumers have become more concerned about how organizations protect their data. Whether the data in question is a physical location, credit card numbers or buying preferences, modern, tech-savvy consumers are thinking long and hard about digital trust risks and the privacy of their data.

    “It’s not now just about price, feature, and benefits, it’s not even about history and legacy, it is about trust,” said researcher Mark McCrindle on behalf of Blackmores, an Australian vitamin company, according to CMO. “Every brand must build and maintain trust, particularly because the customer is more skeptical and empowered.”


    The Consumer Confidence Crisis

    Consumer confidence in brands has dropped to a historic low. According to the “2018 Edelman Trust Barometer,” 7 in 10 industries are solidly in “distrust territory.” Customers are increasingly aware that their decision to share personal data with brands could have significant implications, and new legislation backs the customer’s right to opt out of untrustworthy brand engagements.

    As organizations work to build customer-focused, digital business models, it’s critical to consider the role of trust and privacy in the customer journey. Delivering digital trust isn’t a matter of propping up a secure website or app, or avoiding a costly, embarrassing data breach. It’s about creating a digital experience that exceeds customer expectations, allows frictionless access to goods and services, and protects customers’ right to privacy while using the data they share to create customized, valuable experiences.


    Why Failure to Build Trust Is Risky

    There are clear risks facing organizations that fail to deliver trust-inspiring digital experiences. The staggering reputational costs to brands that suffer a data breach underline how easily trust is broken and how difficult it can be to restore. However, even without security incidents, there could be significant consequences for brands that don’t transform the customer experience.

    Customers who experience friction as part of the digital experience may choose to go elsewhere, impacting profitability. Brands that lack transparent data privacy practices could struggle to build strong customer relationships if the consumer feels that the interaction is “sketchy” or too invasive. There’s also risk for the organization: If it can’t tell the difference between legitimate customer transactions and costly fraud, it may throw up frustrating security barriers or risk loss due to account compromise or other fraudulent activities.

    How to Measure Digital Trust With Business Outcomes

    “Digital trust is not a method, product or service,” wrote IBM security orchestration, automation and response leader Matthew Konwiser. “It’s a philosophy that acknowledges why … businesses stay in business; their clients trust them.”

    Digital trust can be measured in business outcomes. While these aspects are more complex than security metrics or compliance, they are critical. Digital trust results from a shift in how the organization approaches the customer journey, which can be measured in the following business outcomes.

    Outcome No. 1: Build User Trust

    Organizations should transform digital customer experiences to create a secure and seamless customer journey across digital products. This reinforces customer trust while providing internal visibility into customer behavior. Increased trust should result in greater customer loyalty and greater share of wallet.

    Outcome No. 2: Drive Growth

    Organizations that focus on digital trust continuously work to improve user experience and strengthen internal security safeguards. By utilizing security solutions that assess risk and only add verification when needed, there are fewer false positives and security teams can focus where needed. Automation and authentication based on risk scoring can streamline customer access and reduce workload for already over-tasked IT/security staff.

    Outcome No. 3: Create Efficiency

    Brands should continuously work to offer an improved user experience and strengthen internal security safeguards. Leaders at trust-driven organizations prioritize operational efficiency gains and risk reduction.

    Why You Should Shift to a Trust-Focused Model

    While digital trust isn’t the exclusive goal or responsibility of the security department, the CISO is a diplomat in the transformation process. At a trust-focused organization, security risk is recognized as business risk. Business leaders should actively support the need for persistent visibility into digital customer behavior, even as the cybersecurity team works to strengthen safeguards against threat actors and data privacy risks.

    Trust should feel seamless for trusted customers, with barriers appearing only to threat actors. Cognitive solutions and analytics can provide visibility into a customer’s movements across digital platforms and identify risks by comparing real-time data to a baseline of known behavior and known threats. When an abnormal pattern of customer logins, transactions or behavior is identified, the system should automatically trigger an immediate response, such as requiring additional authentication from the user or isolating the risk.
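    The risk-based approach described in the paragraph above (and in "Drive Growth" earlier, where verification is added only when needed) can be made concrete with a small scoring model. The following is an added example and is not code from the original article or from IBM: each login attempt is compared with a per-user baseline of known devices, usual countries, active hours and the last login location; anomalies add to a score, and the score selects one of three actions: allow, step up to a second factor, or block. The user, devices, countries, events, weights and thresholds are all constructed assumptions for illustration. The baseline is updated only after a login fully succeeds, so an attacker who triggers a step-up cannot teach the system their own device.

```python
"""Risk-scored login decisions with step-up authentication.

Added example, not code from the original article. Every user, device,
country and login event below is constructed; the weights and thresholds
are illustrative assumptions, not values from the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from past successful logins."""
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    active_hours: Tuple[int, int] = (7, 22)   # local hours during which logins are typical
    last_login_at: Optional[datetime] = None
    last_country: Optional[str] = None


@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    at: datetime
    failed_attempts_last_hour: int = 0       # failures seen for this account recently


# Illustrative weights (assumptions): how much each anomaly adds to the risk score.
WEIGHTS = {"new_device": 30, "new_country": 25, "off_hours": 10,
           "impossible_travel": 50, "credential_stuffing": 40}
STEP_UP_AT, BLOCK_AT = 30, 70                # assumed thresholds


def risk_score(ev: LoginEvent, base: Baseline) -> Tuple[int, List[str]]:
    """Compare one login attempt with the user's baseline; return (score, reasons)."""
    reasons: List[str] = []
    if ev.device_id not in base.known_devices:
        reasons.append("new_device")
    if ev.country not in base.usual_countries:
        reasons.append("new_country")
    start, end = base.active_hours
    if not start <= ev.at.hour < end:
        reasons.append("off_hours")
    # A different country within two hours of the last login is physically implausible.
    if (base.last_login_at and base.last_country and ev.country != base.last_country
            and ev.at - base.last_login_at < timedelta(hours=2)):
        reasons.append("impossible_travel")
    if ev.failed_attempts_last_hour >= 5:
        reasons.append("credential_stuffing")
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons


def decide(ev: LoginEvent, base: Baseline) -> Dict[str, object]:
    """Map the score to an action: allow, step_up (second factor) or block."""
    score, reasons = risk_score(ev, base)
    action = "block" if score >= BLOCK_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return {"action": action, "score": score, "reasons": reasons}


def record_success(ev: LoginEvent, base: Baseline) -> None:
    """Update the baseline only after the login fully succeeded (including any
    second factor), so an attacker cannot teach the system their own device."""
    base.known_devices.add(ev.device_id)
    base.usual_countries.add(ev.country)
    base.last_login_at = ev.at
    base.last_country = ev.country


def alice_baseline() -> Baseline:
    """Constructed baseline for a hypothetical user who normally logs in from Germany."""
    return Baseline(known_devices={"laptop-1"}, usual_countries={"DE"},
                    last_login_at=datetime(2019, 3, 1, 10, 0), last_country="DE")


# Constructed login events for the demo (not real data).
EVENTS = {
    "routine": LoginEvent("alice", "laptop-1", "DE", datetime(2019, 3, 1, 10, 15)),
    "new_phone": LoginEvent("alice", "phone-7", "DE", datetime(2019, 3, 1, 11, 0)),
    "far_away": LoginEvent("alice", "laptop-1", "US", datetime(2019, 3, 1, 10, 30)),
    "stuffing": LoginEvent("alice", "laptop-1", "DE", datetime(2019, 3, 1, 10, 20),
                           failed_attempts_last_hour=6),
}


def run_demo() -> Dict[str, str]:
    """Evaluate each constructed event against a fresh baseline; returns name -> action."""
    return {name: str(decide(ev, alice_baseline())["action"]) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, decide(ev, alice_baseline()))
```

    Only the routine login passes without friction; the new phone and the burst of failed attempts trigger a second factor, and the login from another country half an hour after a German one is blocked outright. The weights are where a real deployment differs: they would be tuned against the organization's own false-positive rate rather than fixed as here.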

    The process of delivering digital trust is about more than security and technology, however. It’s a shift in leadership that places the customer experience at the center of digital transformation. Trust-focused organizations adopt design thinking processes to create digital products based on the customer journey and architect secure DevOps. Baked-in security offers greater assurance against risks and creates a more seamless digital experience across channels.

    Empathy Is at the Core of Trust Delivery

    Digital trust is a moving target, like any other strategic business goal. Your organization can’t rely on stagnant strategies to grow profitability or address risks. To build lasting customer relationships, organizations must understand that trust is a dynamic pursuit that requires agility.

    Empathy toward the customer is at the core of trust delivery. As customer attitudes about privacy and behaviors shift, enterprise practices and technology must keep up with evolving data privacy threats, compliance requirements and client behaviors. The importance of trust is unlikely to diminish, but delivering trust-inspiring customer experiences requires a culture of design thinking, continuous improvement and security by default.


    The post The Success of Your Business Depends on Digital Trust. Here Is How to Measure It appeared first on Security Intelligence.

    Stay Ahead of the Growing Security Analytics Market With These Best Practices

    As breach rates climb and threat actors continue to evolve their techniques, many IT security teams are turning to new tools in the fight against corporate cybercrime. The proliferation of internet of things (IoT) devices, network services and other technologies in the enterprise has expanded the attack surface every year and will continue to do so. This evolving landscape is prompting organizations to seek out new ways of defending critical assets and gathering threat intelligence.

    The Security Analytics Market Is Poised for Massive Growth

    Enter security analytics, which mixes threat intelligence with big data capabilities to help detect, analyze and mitigate targeted attacks and persistent threats from outside actors as well as those already inside corporate walls.

    “It’s no longer enough to protect against outside attacks with perimeter-based cybersecurity solutions,” said Hani Mustafa, CEO and co-founder of Jazz Networks. “Cybersecurity tools that blend user behavior analytics (UBA), machine learning and data visibility will help security professionals contextualize data and demystify human behavior, allowing them to predict, prevent and protect against insider threats.”

    Security analytics can also provide information about attempted breaches from outside sources. Analytics tools work together with existing network defenses and strategies and offer a deeper view into suspicious activity, which could be missed or overlooked for long periods due to the massive amount of superfluous data collected each day.

    Indeed, more security teams are seeing the value of analytics as the market appears poised for massive growth. According to Global Market Insights, the security analytics market was valued at more than $2 billion in 2015, and it is estimated to grow by more than 26 percent over the coming years — exceeding $8 billion by 2023. ABI Research put that figure even higher, estimating that the need for these tools will drive the security analytics market toward a revenue of $12 billion by 2024.

    Why Are Security Managers Turning to Analytics?

    For most security managers, investment in analytics tools represents a way to fill the need for more real-time, actionable information that plays a role in a layered, robust security strategy. Filtering out important information from the massive amounts of data that enterprises deal with daily is a primary goal for many leaders. Businesses are using these tools for many use cases, including analyzing user behavior, examining network traffic, detecting insider threats, uncovering lost data, and reviewing user roles and permissions.

    “There has been a shift in cybersecurity analytics tooling over the past several years,” said Ray McKenzie, founder and managing director of Red Beach Advisors. “Companies initially were fine with weekly or biweekly security log analytics and threat identification. This has morphed to real-time analytics and tooling to support vulnerability awareness.”

    Another reason for analytics is to gain better insight into the areas that are most at risk within an IT environment. But in efforts to cull important information from a wide variety of potential threats, these tools also present challenges to the teams using them.

    “The technology can also cause alert fatigue,” said Simon Whitburn, global senior vice president, cybersecurity services at Nominet. “Effective analytics tools should have the ability to reduce false positives while analyzing data in real-time to pinpoint and eradicate malicious activity quickly. At the end of the day, the key is having access to actionable threat intelligence.”

    Personalization Is Paramount

    Obtaining actionable threat intelligence means configuring these tools with your unique business needs in mind.

    “There is no ‘plug and play’ solution in the security analytics space,” said Liviu Arsene, senior cybersecurity analyst at Bitdefender. “Instead, the best way forward for organizations is to identify and deploy the analytics tools that best fit an organization’s needs.”

    When evaluating security analytics tools, consider the company’s size and the complexity of the challenges the business hopes to address. Organizations with complex requirements may need to weigh features such as deployment models, scope and depth of analysis, forensics, and monitoring, reporting and visualization. Others may have simpler needs with minimal overhead and a smaller focus on forensics and advanced persistent threats (APTs).

    “While there is no single analytics tool that works for all organizations, it’s important for organizations to fully understand the features they need for their infrastructure,” said Arsene.

    Best Practices for Researching and Deploying Analytics Solutions

    Once you have established your organization’s needs and goals for investing in security analytics, there are other important considerations to keep in mind.

    Emphasize Employee Training

    Chief information security officers (CISOs) and security managers must ensure that their staff are prepared to use the tools at the outset of deployment. Training employees on how to make sense of information among the noise of alerts is critical.

    “Staff need to be trained to understand the results being generated, what is important, what is not and how to respond,” said Steve Tcherchian, CISO at XYPRO Technology Corporation.

    Look for Tools That Can Change With the Threat Landscape

    Security experts know that criminals are always one step ahead of technology and tools and that the threat landscape is always evolving. It’s essential to invest in tools that can meet the organization’s data needs not only today but also several years down the line. In other words, the solutions must evolve alongside the techniques and methodologies of threat actors.

    “If the security tools an organization uses remain stagnant in their programming and update schedule, more vulnerabilities will be exposed through other approaches,” said Victor Congionti of Proven Data.

    Understand That Analytics Is Only a Supplement to Your Team

    Analytics tools are by no means a replacement for your security staff. Having analysts who can understand and interpret data is necessary to get the most out of these solutions.

    Be Mindful of the Limitations of Security Analytics

    Armed with security analytics tools, organizations can benefit from big data capabilities to analyze data and enhance detection with proactive alerts about potential malicious activity. However, analytics tools have their limitations, and enterprises that invest must evaluate and deploy these tools with their unique business needs in mind. The data obtained from analytics requires context, and trained staff need to understand how to make sense of important alerts among the noise.

    The post Stay Ahead of the Growing Security Analytics Market With These Best Practices appeared first on Security Intelligence.

    The New Currency for Business is Security Culture

    As you are no doubt aware, 2018 was yet another banner year for cybercrime. IBM Security Vice President Caleb Barlow recently reflected on the historic data breaches, widespread vulnerabilities and unprecedented onslaught of data privacy regulations affecting businesses across geographies. In such a fast-paced industry where technology — not to mention the threat landscape — is evolving daily, security culture is now a key determinant of success.

    In my own experience, security teams are more likely to succeed when they’re viewed as an integral part of the business. Mature organizations recognize the direct connection between trust, user experience and revenue and place the chief information security officer (CISO) or chief security officer (CSO) on equal footing with other C-level executives.

    Don’t Put the Chief Security Officer at the Kids’ Table

    If you’re wondering why it matters who the CSO reports to, picture this: You’ve been invited to a holiday dinner with your extended family of 15 adults, but the dining room table only seats 14, and it’s already a tight squeeze. Ultimately, someone will need to sit at the kids’ table. And while that may be a lot more fun, the conversations that take place there will surely be very different from those at the main table.

    The same dynamic exists in organizations that do not consider the CSO to be integral to the company’s success. If security is involved in senior leadership activities on an invite-only basis, the organization is only inviting trouble down the road. Security needs to be a part of the larger, mature conversations that take place around the health and state of the business. For instance, what happens when a vulnerability scan turns up high-risk flaws? Are there processes in place to ensure good communication? Who decides who is responsible for the fix? Who validates it? Is the report seen as crucial to ensure overall quality for a release, or is it considered a nuisance, a necessary evil?

    Business success is directly tied to great user experiences and protecting sensitive data. Today, most organizations can see a point-in-time view of their security posture and threat landscape, but they need more real-time information about the risks they face to keep up with the threat landscape in 2019. Customers today expect, demand and even assume security is present in the applications they use. Meeting that demand requires high degrees of collaboration and communication, so don’t make it more difficult by relegating security to an island.

    Everyone Plays a Role in Security

    In today’s software world, where there is growing, extensive use of devices, microservices, components, containers and open-source tools, the potential for things to go wrong is increasing proportionally. For this reason, every department and executive throughout the organization needs to play a role in securing enterprise data.

    One of the main problems is that people don’t really know what they have in their environment. If you walk into a development shop and ask five people how many applications their organization supports, you’ll likely get five different answers. And just see what happens if you ask for a full inventory of the services, libraries and components associated with those applications. Any information developers do have is often inconsistent across different departments. For instance, I’ve seen situations where IT had one list, security had another, and the two were never consolidated or cross-referenced. The impact of such a disconnect can be devastating.

    What if your organization is using a lot of open-source components and a critical vulnerability emerges for one of them? If your enterprise is reliant on a central IT team but you have inconsistent departmental software inventories, how can you really be sure you’ve identified all the affected systems? And if you depend on employees to manually initiate patching efforts, how can you confirm they actually happened? Too often, the patch management process is a mix of automated efforts for some systems and an honor system for others. When this happens, inconsistent lists, inaccurate inventories and unclear, unenforced policies can easily leave critical systems exposed.
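    The two preceding paragraphs describe the failure mode directly: IT keeps one application list, security keeps another, and when a vulnerable open-source component is announced nobody can say with confidence which systems are affected or whether they were patched. The following is an added example, not code from the original post or from IBM, showing the consolidation step in miniature: two constructed inventories are normalized and merged, applications present in only one list are flagged, version disagreements between the lists are recorded (keeping the lower version so the risk is never understated), and every application running a component below its fixed version is reported together with how it is patched. The inventories, the component name "examplelib" and the fixed version "2.4.1" are placeholders.

```python
"""Reconcile two application inventories and find what a vulnerable component touches.

Added example, not code from the original post. Both inventories, the
component name "examplelib" and the fixed version are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample inventories (placeholders, not real systems).
IT_INVENTORY = [
    {"app": "Billing Portal", "patching": "automated",
     "components": {"examplelib": "2.3.0", "webfw": "5.1.0"}},
    {"app": "Customer API", "patching": "automated",
     "components": {"examplelib": "2.4.1"}},
    {"app": "Legacy Reports", "patching": "manual",
     "components": {"examplelib": "2.0.9"}},
]
SECURITY_INVENTORY = [
    {"app": "billing-portal", "components": {"examplelib": "2.3.2"}},
    {"app": "Customer API", "components": {"examplelib": "2.4.1", "webfw": "5.1.0"}},
    {"app": "Partner Upload Service", "patching": "manual",
     "components": {"examplelib": "2.2.0"}},
]


def normalize(name: str) -> str:
    """'Billing Portal' and 'billing-portal' are the same system: fold case and punctuation."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def version_key(version: str) -> Tuple[int, ...]:
    """Compare versions numerically so that 2.10.0 sorts above 2.9.3."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def reconcile(*labelled_inventories) -> Dict[str, dict]:
    """Merge (label, records) pairs into one map keyed by normalized app name.

    Disagreeing component versions are recorded as conflicts and the lower
    version is kept, so the merged view never claims more than is known.
    """
    merged: Dict[str, dict] = {}
    for label, records in labelled_inventories:
        for rec in records:
            entry = merged.setdefault(normalize(rec["app"]),
                                      {"sources": set(), "components": {},
                                       "conflicts": [], "patching": None})
            entry["sources"].add(label)
            if rec.get("patching"):
                entry["patching"] = rec["patching"]
            for comp, ver in rec["components"].items():
                prev = entry["components"].get(comp)
                if prev is not None and prev != ver:
                    entry["conflicts"].append((comp, prev, ver))
                    if version_key(ver) < version_key(prev):
                        entry["components"][comp] = ver
                else:
                    entry["components"][comp] = ver
    return merged


def unreconciled(merged: Dict[str, dict], labels: List[str]) -> List[str]:
    """Apps that at least one inventory does not know about."""
    return sorted(app for app, e in merged.items() if e["sources"] != set(labels))


def affected_apps(merged: Dict[str, dict], component: str,
                  fixed_in: str) -> List[Tuple[str, str, str]]:
    """(app, installed version, patch process) for every app below the fixed version."""
    fixed = version_key(fixed_in)
    hits = []
    for app, e in sorted(merged.items()):
        ver = e["components"].get(component)
        if ver is not None and version_key(ver) < fixed:
            hits.append((app, ver, e["patching"] or "unknown"))
    return hits


def run_demo() -> Dict[str, object]:
    merged = reconcile(("it", IT_INVENTORY), ("security", SECURITY_INVENTORY))
    return {
        "unreconciled": unreconciled(merged, ["it", "security"]),
        "conflicts": {app: e["conflicts"] for app, e in merged.items() if e["conflicts"]},
        "affected": affected_apps(merged, "examplelib", "2.4.1"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

    Two of the four applications exist in only one list, the two lists disagree about the Billing Portal's version, and two of the three affected systems are patched by hand, which is exactly the "honor system" the post warns about. In practice the inventories would come from a CMDB export and a software composition analysis tool rather than literals, but the reconciliation logic is the same.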

    Today, the critical systems that might be left exposed could be sitting in the pockets of your employees — I’m talking about the personal devices they use every day. How aware are your employees of your organization’s policies and procedures? Are they enforced? Are the devices they use to access enterprise data in hotels, coffee shops and in transit secure? Making the problem worse is the often blurred line between personal and professional use. How can you know that all the apps downloaded to these devices are safe? Do you rely solely on your employees to secure their own devices?

    The industry has moved beyond simply enforcing password policies. Today, nontechnical employees must play a critical role in security strategy and act as the first line of defense. Take the time to educate them on your policies and, most importantly, how they impact the business. Then, take the necessary steps to enforce them. The policy you implement and enforce today just might prevent a breach tomorrow.

    Security Culture Delivers Real Business Value

    Security culture is becoming a sort of currency for organizations. Studies such as IBM Security’s “Future of Identity Report” have shown that consumers are prioritizing security over privacy and convenience for nearly all application types. It’s no longer acceptable to simply add in or account for security during the development life cycle; it must be part of the initial design and conception.

    For that to happen, security needs to be ingrained in organizational culture, perceived as critical to the company’s success, and inclusive of all departments and employees across the enterprise. Organizations that do this well will be better positioned to build trust among their user base and provide the exceptional user experience that customers demand.

    The post The New Currency for Business is Security Culture appeared first on Security Intelligence.

    Need a Sounding Board for Your Incident Response Plan? Join a Security Community

    Incident response teams face myriad uphill battles, such as the cybersecurity skills shortage, floods of security alerts and increasing IT complexity, to name just a few. These challenges often overwhelm security teams and leave security operations center (SOC) directors searching for strategies to maximize the productivity of their current team and technologies to build a capable incident response plan.

    One emerging solution is a familiar one: an ecosystem of developer and expert communities. Collaborative online forums have always been a critical part of the cybersecurity industry, and communities dedicated to incident response are growing more robust than ever.

    How to Get Involved in a Developer Community

    Incident response communities can be a crucial resource to give security analysts access to hands-on, battle-tested experience. They can deliver highly valuable, lightweight, easy-to-use integrations that can be deployed quickly. Community-driven security can also provide playbooks, standard operating procedures (SOPs), best practices and troubleshooting tips. Most importantly, they can help foster innovation by serving as a sounding board for your team’s ideas and introduce you to new strategies and techniques.

    That all sounds great, but how do you know what community can best address your incident response needs? Where do you begin? Below are a few steps to help you get started.

    1. Find the Communities That Are Most Relevant to You

    To combat new threats that are being coordinated in real time, more and more vendors and services are fostering their own communities. Identify which ones are most relevant to your industry and business goals.

    To start, narrow down your search based on the security products you use every day. In all likelihood, you’ll find users in these product-based communities who have faced similar challenges or have run into the same issues as your team.

    Once you’ve selected the most relevant communities, make sure you sign up for constant updates. Join discussion forums, opt in to regular updates, and check back frequently for new blogs and other content. By keeping close tabs on these conversations, you can continuously review whether the communities you’ve joined are still relevant and valuable to your business.

    2. Identify Existing Gaps in Your Security Processes

    Communities are disparate and wide-ranging. Establishing your needs first will save you time and make communities more valuable to you. By identifying what type of intelligence you need to enhance your security strategy and incident response plan ahead of time, you can be confident that you’re joining the right channels and interacting with like-minded users.

    Discussion forums are full of valuable information from other users who have probably had to patch up many of the same security gaps that affect your business. These forums also provide a window into the wider purpose of the community; aligning your identified gaps with this mission will help you maximize the value of your interactions.

    3. Contribute to the Conversation

    By taking part in these conversations, you can uncover unexpected benefits and give your team a sounding board among other users. As a security practitioner, it should be a priority to contribute direct and honest information to the community and perpetuate an industrywide culture of information sharing. Real-time, responsive feedback is a great tool to help you build a better security strategy and align a response plan to the current threat landscape.

    Contributing to a community can take various forms. Community-based forums and Slack channels give developers a voice across the organization. By leveraging this mode of communication, you can bring important intelligence to the surface that might otherwise go under the radar. Forum discussions can also expose you to new perspectives from a diverse range of sources.

    A Successful Incident Response Plan Starts With Collaboration

    For its part, IBM Security gathers insights from experienced users across all its products in the IBM Security Community portal. Through this initiative, IBM has expanded its global network to connect like-minded people in cybersecurity. This collaborative network allows us to adapt to new developments as rapidly as threats evolve.

    Collaboration has always been cybercriminals’ greatest weapon. It creates massive challenges for the cybersecurity industry and requires us to fight back with a united front of our own. With the support of an entire security community behind you, incident response tasks won’t seem so overwhelming and your resource-strapped SOC will have all the threat data it needs to protect your business.


    The post Need a Sounding Board for Your Incident Response Plan? Join a Security Community appeared first on Security Intelligence.

    Protect Your Critical Assets in a Landscape of Expanding Attack Surfaces

    Imagine: You just received an alert that threat actors infiltrated your network, leaked mission-critical data and posted it in publicly accessible forums on the dark web. What do you do?

    As a security leader, you knew that a breach was inevitable. Your data, applications and endpoints were expanding at an alarming rate — far faster than your organization’s ability to track and control its critical assets. Still, you never imagined you’d find out about the leak via a third-party notification, or just how frightening it would be to learn that your cyber resiliency strategy was insufficient to protect customer data.

    If this scenario is familiar, don’t worry — you’re not alone. Traditional approaches to asset identification and protection have failed businesses around the world and across verticals as security leaders struggle to address challenges such as lack of visibility into enterprise data, outdated risk frameworks and the mind-bending acceleration of the threat landscape. To keep pace with opportunistic bad actors looking to take advantage of these security gaps, chief information security officers (CISOs) must implement more sophisticated controls before it’s too late.


    Attack Surfaces Are Expanding Faster Than IT Awareness

    With critical assets channeled between multiple clouds, on-premises systems, and multiplatform applications on both company-owned and personal endpoints, it’s no wonder security leaders are struggling to see the full security picture. And this lack of visibility into enterprise data is more expensive than ever: The cost of a successful endpoint attack now exceeds $5 million, according to The Ponemon Institute, and the compromise rate of enterprise systems has more than doubled in the past five years, according to McKinsey & Company.

    CISOs are increasingly called upon to report on security risks in business terms to the board. However, security leaders struggle to speak to invisible data risks, since not all business applications in use are known to IT security. In fact, 57 percent of CISOs said a lack of visibility into the location and protection of sensitive data is “what keeps them up most at night,” as reported by Forbes.

    New Frameworks for Asset Protection

    Traditional asset protection frameworks have involved time-consuming work to catalog assets, evaluate controls, assign risks and create remediation plans.

    “In an increasingly digitized world, protecting everything equally is not an option,” wrote Piotr Kamiński, Chris Rezek, Wolf Richter and Marc Sorel of McKinsey & Company. “The digital business model is, however, entirely dependent on trust.”

    Today’s security leaders need new frameworks to find, use and manage critical assets in an evolving enterprise security landscape. Failure to adapt to the new realities of data risk has weighty consequences. The Ponemon Institute’s “2018 Cost of a Data Breach” study, sponsored by IBM, reported an average cost of $3.86 million, a 6.4 percent increase from the previous year. The cost of noncompliance with data security and privacy standards, meanwhile, has risen 45 percent since 2011 to a staggering $14 million, according to SC Magazine. Security leaders must also consider the weightiest consequence of failure to protect sensitive data and assets: loss of consumer trust.

    As the risks associated with critical assets continue to shift, a proactive response is necessary to keep up with the evolving threat landscape. The new standard for critical asset protection is a three-part framework to achieve intelligent visibility, proactive mitigation and continuous control.

    Intelligent visibility means unified oversight across data, cloud networks and endpoints, with insight into the most critical risks and assets. Proactive mitigation is defined by the ability to create, apply and enforce security across endpoints, apps and data at scale. Continuous control is the ability to create security policies at scale, optimize asset protections, and comply with regulatory requirements and policies.

    Smarter Security for Critical Assets: 5 Use Cases

    An Aberdeen Group study sponsored by IBM revealed that best-in-class firms are 74 percent more likely than others to view asset statuses via real-time dashboards. These industry leaders are also 40 percent more likely to connect disparate systems for end-to-end control of sensitive data. Use cases for artificial intelligence (AI), cognitive computing, extensibility, automation and human intelligence demonstrate the value of a comprehensive security immune system.

    1. Artificial Intelligence

    The average security operations center (SOC) logs 200,000 events each day, according to IBM research. Separating false positives from significant risks is a real challenge for overworked and understaffed SOC teams.

    Applied AI excels at analyzing structured and unstructured data assets to prioritize risks, classify critical assets and detect anomalies. Integrating AI solutions for testing and compliance enables DevOps to achieve privacy by default and design.

    2. Cognitive Computing

    Critical asset protection requires the organization to fight false positives and respond immediately to significant threats. Cognitive computing, an advanced application of AI, machine learning and deep learning networks, augments human intelligence and grows smarter with use. Organizations can automatically investigate and respond to indicators of compromise (IoCs) to reduce the workload on SOC analysts.

    3. Extensibility

    Even with dozens of security solutions, enterprises are struggling to achieve the integration needed for true asset transparency. Over 58 percent of IT executives recently cited a lack of infrastructure-agnostic visibility as their primary challenge, according to Security Boulevard.

    By investing in a collaborative threat sharing platform, organizations can scale the capabilities of security solutions in nearly real time and exchange knowledge with a vibrant collective of partners and peers.

    4. Automation

    One of the most significant risks facing the enterprise is the insider threat, whether negligent or malicious. Insider-caused incidents are nearly twice as costly as the average global data breach, according to a Ponemon Institute study. Organizations need solutions that provide full visibility into these risks and take automated action against the most critical ones. An adaptive security ecosystem of solutions can intelligently uncover insights into external and internal threats, orchestrate responses and share actionable threat intelligence.

    5. People

    SOC analysts must be knowledgeable to defend against evolving threats. CISOs can improve internal skill sets and outsource critical capacities by partnering with managed security services providers (MSSPs). These experts can provide training and expertise to SOC analysts while delivering endpoint and data protection services for a resilient enterprise. Offensive security partnerships can offer expert penetration testing, vulnerability analytics and threat intelligence.

    Protecting Customer Trust

    Unlocking the ability to find and secure critical assets with leading security solutions can enable the enterprise to achieve regulatory compliance, reduce operational costs and improve security talent retention. Most importantly, critical asset protection is a tool for securing customer trust. Trust is a currency, and solutions for data protection can provide a remarkable advantage for customer confidence.

    Read the e-book: Protect Critical Assets

    The post Protect Your Critical Assets in a Landscape of Expanding Attack Surfaces appeared first on Security Intelligence.

    All I want for Christmas: A CISO’s Wishlist!

    As Christmas fast approaches, CISOs and cyber security experts around the world are busy putting plans in place for 2019 and reflecting on what could have been done differently this year. The high-profile data breaches have been no secret - from British Airways to Dixons Carphone to Ticketmaster - and the introduction of GDPR in May 2018 sent many IT professionals into a frenzy to ensure practices and procedures were in place to become compliant with the new regulation.

    What the introduction of GDPR did demonstrate was that organisations should no longer focus on security strategies that protect the organisation’s network, but instead on Information Assurance (IA), which protects an organisation’s data. After all, if an organisation’s data is breached, not only will it face huge fallouts of reputational damage, hits to the organisation’s bottom line and future prospecting difficulties, but it will also be held accountable to regulatory fines - up to as much as €20 million, or 4% of annual global turnover, under GDPR. Stolen or compromised data is, therefore, an enormous risk to an organisation.

    So, with the festivities upon us and many longing to see gifts under the tree, CISOs may be thinking about what they want for Christmas this year to make sure their organisation is kept secure into the new year and beyond. Paul German, CEO, Certes Networks, outlines three things that should be at the top of the list. 

    1. Backing from the Board
    Every CISO wants buy-in from the Board, and there’s no escaping the fact that cyber security must become a Board-level priority. However, whilst the correct security mindset must start at the top, in reality it also needs to be embedded across all practices within an organisation, extending beyond the security team to legal, finance and even marketing. The responsibility for securing the entirety of the organisation’s data sits with the CISO, but the catastrophic risks of a cybersecurity failure mean that it must be given consideration by the entire Board and become a top priority in meeting business objectives. Quite simply, a Board that acknowledges the importance of having a robust, innovative and comprehensive strategy in place is a CISO’s dream come true.

    2. A Simple Approach
    A complicated security strategy is the last thing any CISO wants to manage. The industry has over-complicated network security for too long and has fundamentally failed. As organisations have layered technology on top of technology, not only has the technology stack itself become complex, but the resources and operational overhead needed to manage it have contributed to mounting costs. A much simpler approach is needed: start with a security overlay that covers the networks, independent of the infrastructure, rather than taking the narrow approach of building the strategy around the infrastructure. From a data security perspective, the network must become irrelevant, and from this flows a natural simplicity in approach.

    3. A Future-Proof Solution
    The cyber landscape is constantly evolving, with new threats introduced and new technology appearing that only adds to the sophisticated tools hackers have at their disposal. What a CISO longs for is a solution that keeps the organisation’s data secure irrespective of new users or applications added, and regardless of location or device. By adopting a software-defined approach to data security, which centrally enforces capabilities such as software-defined application access control, data-in-motion privacy, cryptographic segmentation and a software-defined perimeter, CISOs can ensure that data is protected in its entirety on its journey across whatever network it traverses, while hackers are restricted from moving laterally across the network once a breach has occurred. Furthermore, the solution can protect an organisation’s data not only in its present state, but into the future. By enforcing a solution that is software-defined, a CISO can centrally orchestrate the security policy without impacting network performance, and changes can be made to the policy without pausing the protection in place.

    Three Simple Wishes
    High-profile data breaches won’t go away any time soon, so it is the organisations with the correct mindset, Board-level buy-in and a unified approach to securing data that will see the long-term advantages. Complicated, static and siloed approaches to securing an organisation’s data should be a thing of the past, so the good news is that, in reality, everything on a CISO’s Christmas wish list is attainable (although it can’t be wrapped) and should become a reality in the new year.

    Paul German, CEO, Certes Networks

    Insurance Occurrence Assurance?

    You may have seen my friend Brian Krebs’ post regarding the lawsuit filed last month in the Western District of Virginia after $2.4 million was stolen from The National Bank of Blacksburg in two separate breaches over an eight-month period. Though the breaches are concerning, the real story is that the financial institution is suing its insurance provider for refusing to fully cover the losses.

    From the article:

    In its lawsuit (PDF), National Bank says it had an insurance policy with Everest National Insurance Company for two types of coverage or “riders” to protect it against cybercrime losses. The first was a “computer and electronic crime” (C&E) rider that had a single loss limit liability of $8 million, with a $125,000 deductible.

    The second was a “debit card rider” which provided coverage for losses which result directly from the use of lost, stolen or altered debit cards or counterfeit cards. That policy has a single loss limit of liability of $50,000, with a $25,000 deductible and an aggregate limit of $250,000.

    According to the lawsuit, in June 2018 Everest determined both the 2016 and 2017 breaches were covered exclusively by the debit card rider, and not the $8 million C&E rider. The insurance company said the bank could not recover lost funds under the C&E rider because of two “exclusions” in that rider which spell out circumstances under which the insurer will not provide reimbursement.

    Cyber security insurance is still in its infancy, and issues with claims that could potentially span multiple policies and riders will continue to happen – think of the stories of health insurance claims being denied for pre-existing conditions and other loopholes. This, unfortunately, is the nature of insurance. Legal precedent, litigation, and insurance claim issues aside, your organization needs to understand that cyber security insurance is but one tool to reduce the financial impact on your organization when faced with a breach.

    Cyber security insurance cannot and should not, however, be viewed as your primary means of defending against an attack.

    The best way to maintain a defensible security posture is to have an information security program that is current, robust, and measurable. An effective information security program will provide far more protection for the operational state of your organization than cyber security insurance alone. To put it another way, insurance is a reactive measure whereas an effective security program is a proactive measure.

    If you were in a fight, would you want to wait and see what happens after a punch is thrown to the bridge of your nose? Perhaps you would like to train to dodge or block that punch instead? Something to think about.

    Leaping Forward – Telling the Story of How InfoSec Has Matured into Cyber Risks

    Readers of this blog know that I've spent nearly the past decade curating some of the best quotes about information security and related topics. What started as a self-serving repository of good material for my own use eventually grew into this blog. I owe a big thank you to all of those who, over the course of the years, have shared this site with others around them.

    However, in the past year, I have to admit that I've been much more active on a different blog, that of the IBM sponsored SecurityIntelligence blog. Which brings me to this post.

    Just this week, the IBM site published my 30th article, "Five Signs the CISO Who Got You Here Isn’t the Best One to Get You There," whose topic relates nicely to the evolution of the field of information security -- let's admit, security was never really just an IT issue -- and the evolution of the role of CISO.

    Just as businesses have had to evolve in order to thrive, or even just to survive, so must we evolve, as information security professionals, in the face of a changing reality. We now have the attention that we've been asking C-Suite executives and board directors for. We must now step up to fulfill this new role, to meet these new expectations. The stakes are high -- businesses everywhere are getting hammered by attackers, some after a quick buck, others after the company's crown jewels.

    In pitching and developing these 30 articles, I've always sought to bring value to the reader, primarily aimed at CISOs or aspiring CISOs. I'm including below the full set of links to these 30 articles (in ascending chronological order). And since IBM's blog doesn't allow for comments, I'm inviting readers everywhere to leave comments on this post instead.

    Again, thank you for your support, and for your readership.
    As an Information Security Professional, Are You Having the Right Conversations?
    Improving Your Security Awareness Campaigns: Examples From Behavioral Science
    Cyber Risks: From the Trenches to the Boardroom
    CISO Influence: The Role of the Power Distance Index and the Uncertainty Avoidance Dimensions
    How Helping Educators Is Good for the Cybersecurity Industry
    Addressing the Information Security Skills Gap in Partnership With Academia
    Why Is Your Board of Directors Finally Asking About Cyber Risks?
    What Cybersecurity Questions Are Boards Asking CISOs?
    Five Must-Read Articles on the Cybersecurity Skills Gap
    What Can CISOs Take From the New NYSE Cybersecurity Guide?
    How Are US Armed Forces Closing the Cyber Skills Gap?
    How Should CISOs Report Cyber Risks to Boards?
    Beyond Tech Skills: Leadership Qualities for CISOs
    Get the Most Out of Your Recent Security Hires With Soft Skills
    Get the Most Out of Your Recent Security Hires: The Value of Professional Development
    New Year’s Resolutions for the Effective CISO
    Cyber Risks: Three Areas of Concern for 2016
    Highlights From the World Economic Forum’s Global Risks Report 2016
    2015: The Year Feds Warned About Cyber Risks
    Is Your CISO Ready to Be a Risk Leader?
    Is Your CISO Out Of Place?
    FTC Studying Practices of Nine PCI Companies
    C-Suite Dynamics Can Impact The Organization's Cybersecurity
    It's Not Too Late to Correct Your Security Posture
    Securing the C-Suite, Part 1: Lessons for Your CIO and CISO
    Securing the C-Suite, Part 2: The Role of CFOs, CMOs and CHROs
    Securing the C-Suite, Part 3: All Eyes on the CEO
    Engaging Conversations Key to Improving Cyber Risk Decisions
    How to Make the Most of Your Pen Test
    Five Signs the CISO Who Got You Here Isn't The Best One To Get You There