13 BIG CYBERSECURITY IDEAS FOR THE CISO BY CISOS

Peers are a great source of information for the CISO because they are tackling the same security problems in different ways. Taking note of what they are doing is useful for replicating their successes in your own organization.

We recently sifted through dozens of interviews with, and reports about, CISOs to uncover several knowledge gems. The emphasis that highly effective CISOs place on the less tangible aspects of the job – leadership, culture and business savvy, for example – is readily apparent.

What follows below is a roundup of useful comments, facts, and statistics – big cybersecurity ideas – for the CISO by CISOs.

1) Businesses do not exist to provide information security

It’s all too easy for security leaders to forget that the business of their business isn’t security – it’s fulfilling customer demand for products or services:

“It is very easy to fall into a myopic view and focus strictly on information security without taking into consideration what is it ultimately that the organization is trying to accomplish strategically. So, keeping that front and center for our teams helps not only enable the business but keeps us all grounded because we, as a company, we exist because we sell toothpaste and tennis shoes and all of those things that customers count on us to provide. At the end of the day, we’re not in the information security business. So, the day that information security makes that prohibitively difficult, there is really no reason for us to be here, so we have to keep that organizational mission front and center.”

– Jerry Geisler, SVP & Global CISO, Walmart; source: Walmart’s Jerry Geisler on the CISO position, retail challenges by Kathleen Richards.

2) Understanding how IT supports the business

More than just understanding the IT infrastructure, security leaders need to understand how that infrastructure supports the business. While this comment stems from a healthcare security leader, it has broader applicability for any vertical market:

“CISOs need to know the entire architecture of a healthcare organization’s IT environment and how it supports each line of business. They need to fully understand the environment’s technological composition and nature of all the data contained therein, the process for storage and transmission, as well as the process of all critical and sensitive data and the complete flow of data in and out of the organization.”

– Mark Beckmeyer, Director of IT Security, Binary Fountain; source: Securing healthcare organizations: The challenges CISOs face by Zeljka Zorz.

3) Articulating the value of cybersecurity to the business

In business, cybersecurity is often seen as a cost. Yet one security leader found that his experience in government helped him translate the value of security to the business:

“Cybersecurity is all about the management of enterprise risk. The value a CISO and security department provides to the company is the continuous management of this risk so the business units that directly generate revenue can focus on being innovative and helping the company meet its strategic objectives. So my value is risk management as a service: We support the business units so they can focus on what the business needs, and together we are all successful.”

– Gary Hayslip, CISO, Webroot; source: A Career CISO’s 7 Observations on Public vs. Private Sector via TechWire

Note: Mr. Hayslip co-authored a two-volume CISO Desk Reference Guide.

4) Managing security to your organization’s tolerance for risk

Experts say cybersecurity boils down to an exercise in risk management: the probability of an event combined with the severity of its impact. Investors would add a third factor, tolerance for that risk, which is why this commentary from a technology risk executive at a big investment bank is so relevant:

“To pre-empt this question, the CISO should have a conversation early on with the CEO to determine the organization’s risk appetite. This will allow the CISO to align and prioritize security initiatives accordingly.

We are in the business of information and technology risk management, so the ‘Are we secure?’ question is somewhat misguided. The question should be: ‘Are we managing risk according to our risk profile?’ To answer this, the CISO should be able to easily demonstrate, based on a recent risk assessment, how the various cybersecurity initiatives and projects are in fact reducing risk, shrinking the attack surface of the organization and aligning the security program with the firm’s overall risk profile.”

– Israel Bryski, Vice President, technology risk, Goldman Sachs; source: 8 Tough Questions Every CISO Should Be Ready to Answer by Joan Goodchild.

5) Translating security risk into business decisions

Some researchers say the best CISOs learn to lead without authority. It’s a nod to the idea that ultimately, successful security leaders identify and articulate the risks to business leaders so they can make the right decisions:

“It’s very important that the CISO take the time to translate the enterprise security/risk/compliance needs into what executives can assimilate and make the decision.”

– Rebecca Wynn, Head of Information Security and DPO, Matrix Medical Network; source: Leading Cyber Security Execs Describe CISO ‘Toolkits’ by Dan Gunderman.

6) Security leaders and technology leaders need leadership parity

Business wants to innovate – to deliver a service or make a product better and faster. Yet faster comes with risk, and someone needs to examine that risk and pump the brakes when it exceeds the business’s tolerance level:

“You need to make sure that your heads of security are on equal footing with the heads of tech, otherwise there is an inherent conflict at play.”

– Anthony Belfiore, CSO, Aon PLC; source: Companies Unleash CISOs from Ties to Tech Chiefs by Kate Fazzini

7) A “security first” culture is a path to business efficacy

A “security first” approach grows out of culture, and a security-conscious culture lets a business favor effectiveness over blanket prohibitions and rigid policies:

“We’re not a blocker unless it’s absolutely essential. What I’m aiming for is when security does ‘say no’, the people take it seriously, because it’s so rare that they know it’s a serious occurrence.”

– Kevin Fielder, CISO, Just Eat; source: Just Eat’s first CISO is building security in from the ground up by Tom Allen.

8) Best-of-breed tools may help ward off future threats

The security tools fielded yesterday were designed to defend against yesterday’s threats, and replacing them as the threats change is a recurring expense, which is why cybersecurity inherently involves economics. It may also be part of the case for best-of-breed tools aimed at modern threats:

“As the threat landscape changes, some of the things that we think are a priority today may have a different priority tomorrow. And that’s part of the reason why when we have a vendor come in and do our security operations center, we will have the best-of-breed tools that will allow us to evolve in the next five years to deal with the current threats.”

– Marcelo Peredo, CISO, City of San José; source: San Jose’s first CISO braces for ubiquitous connectivity by Colin Wood.

9) The toughest questions a CISO must answer

Security leaders are often faced with difficult questions. A group of CISOs narrowed down what is surely a long list to the top five – as compiled by Kudelski Security:

> “Are we secure?”
> “How do we know if we have been breached?”
> “How does our security program compare to peers within the same industry?”
> “Do we have enough resources for our cybersecurity program?”
> “How effective is our security program, and is our current investment strategy aligned to it properly?”

– Survey of CISOs; source: The 5 most challenging questions CISOs face and how to answer them by Macy Bayern.

10) The 4 “Tribes” of CISOs

Personality tests strive to group people into categories based on characteristics, habits and communication style, with the aim of revealing our preferences and weak spots so we can improve. A research project by Synopsys did something similar for the CISO “based on factors related to workforce, governance, and security controls.” The research found CISOs can be grouped into one of four tribes:

> Tribe 1: Security as an Enabler;
> Tribe 2: Security as Technology;
> Tribe 3: Security as Compliance; and
> Tribe 4: Security as a Cost Center.

– CISO research project; source: Which CISO ‘Tribe’ Do You Belong To? by Kelly Sheridan

11) What CISOs think makes CISOs successful

New York University Professor Nasir Memon once observed that security isn’t just a technical problem, but a legal problem, a policy problem and, perhaps most importantly, a human behavior problem. CISOs, it seems, agree with that assessment, according to a survey of CISOs by the Enterprise Strategy Group and ISSA. The top skills CISOs say influence the success of a CISO are as follows (respondents could evidently pick more than one, since the percentages sum to well over 100):

> 54% say leadership skills;
> 49% say communications skills;
> 44% say strong relationships with executives;
> 33% say management skills; and
> 21% say technical skills.

– Survey of CISOs; source: What makes CISOs successful? by Jon Oltsik

12) Individual consequences for getting phished?

While attacks have grown more sophisticated, many begin with the same initial stage: a phishing email. The organization can pay a heavy price when an individual gets phished, and some say the risk and consequences should be shared with that individual:

“Someone who fails every single phishing campaign in the world should not be holding a TS SCI with the federal government. You have clearly demonstrated that you are not responsible enough to responsibly handle that information.”

– Paul Beckman, CISO, U.S. Department of Homeland Security; source: DHS infosec chief: We should pull clearance of feds who fail phish test by Sean Gallagher.

13) One upside to a breach: a learning moment

Once a breach has occurred, the dynamics between security and the business may change. A breach is a learning moment that makes conveying the message about the importance of security easier.

“One of the things that I really love about being a CISO in a post-breach environment is it gives you such an immense opportunity to drive fundamental, meaningful change in a very short timeframe. I felt like I did good things when I was at Los Alamos or at NASA, but it takes so frickin’ long to push some of this stuff. The barriers you face at any company not post-breach is you’re always fighting for budget, you’re always fighting for face time, trying to justify and convince people about the importance of security and risk management. When you’re in a post-breach environment, everyone already knows that it’s critically important.”

– Jamil Farshchi, CISO, Equifax; source: Equifax’s Security Overhaul, a Year After Its Epic Breach by Lily Hay Newman.

Nokia Reveals Plans to Ensure 5G Security

Nokia has announced plans to address the critical security needs of 5G networks, unveiling an enhanced security programme and advanced security testing and verification laboratory.

The new initiatives, which will extend the network provider’s commitment to ensuring the highest standards of security, are set to focus on end-to-end (E2E), mission critical networks that “will define the 5G era”.

Building on the success of its “industry-leading” Design for Security (DFSEC) process, Nokia has launched the upgraded DFSEC 2.0 to carry out additional verification work in areas such as E2E identity management and network slicing.

According to a statement, another key advance which is expected to drive this movement is Software Defined Networking (SDN) – with distributed cloud infrastructure and augmented intelligent control systems – as it will allow networks to scale in the 5G era.

In order to support the collaborative research taking place as part of DFSEC 2.0, Nokia will also open the “Future X Security” (FXSec) Lab.

The facility, to be established as an extension of Nokia’s Future X network lab, will facilitate the joint testing and verification of industrial automation solutions in private local area networks (LANs), as well as trials across public wide area networks (WANs).

Marcus Weldon, Corporate Chief Technology Officer and President of Nokia Bell Labs, said: “End-to-end 5G networks will fundamentally transform societies by providing ultra-high-speed wireless connectivity allowing massive, low latency ultra-reliable streaming data that will drive intelligent automation for a wide array of infrastructure, industries and enterprises.

“But with great opportunity comes significant security risk that must be addressed end-to-end, using an array of novel techniques and technologies.

“As the most trusted end-to-end solution provider in the 5G era, Nokia is taking a leadership position in defining and building advanced security solutions that will meet mission-critical needs, leveraging the deep and extensive security research and disruptive innovations from Nokia Bell Labs.”

Source: https://www.porttechnology.org/news/nokia_reveals_plans_to_ensure_5g_security

Peak gamer bling achieved with Swarovski-encrusted WASD keys

I’ve seen a whole bunch of keyboards this week at Computex Taipei, but none quite so opulent as this exclusive offering from HyperX. As part of a collaboration with Swarovski, which it should be noted is far from a newcomer to the whole sticking-crystals-on-random-gadgets thing, the gaming accessory maker has designed a keyboard with bedazzled WASD and number keycaps.

I used the keyboard briefly and I don’t know if I’d say that the crystal glass felt particularly premium, but the jewel-encrusted keycaps did have a nice grip to them, if that’s what you’re into. If you wanted to experience an even greater rush of superiority after headshotting an opponent in Overwatch, I suppose this might do the job.

HyperX also made a matching headset, as well as one for the PS4:

And there’s also a mouse to go with the keyboard, though I’m not convinced the crystals are located in the most comfortable spot.

HyperX told me they made this gear for this year’s Taipei Game Show and don’t currently have plans to put it on regular sale, but they’d consider it if there turns out to be a lot of interest. I’m not sure there will be, but with the money pouring into esports these days, who knows? Maybe this could be someone’s aesthetic.

Source: https://www.theverge.com/2019/5/29/18642129/hyperx-swarovski-crystal-mouse-keyboard-headphones

Firefox Quantum Offers Anti-Cryptojacking Feature

Firefox Quantum, the latest version of Mozilla’s open-source web browser Firefox, has a new privacy toggle that protects against cryptojacking, according to a blog post by Mozilla on May 21.

Mozilla previously warned in an official blog post that websites can deploy scripts that launch a crypto miner on a user’s machine without the user being aware, a practice known as cryptojacking.

To combat these exploitative practices, Mozilla partnered with online privacy company Disconnect to create a crypto mining blocker for the browser. Users can now toggle an opt-in feature that purportedly blocks would-be cryptojackers from taking advantage of spare computing power to mine cryptocurrencies.

Mozilla initially announced that it would block cryptojacking in new browser releases in August 2018. As per a report by Cointelegraph, Firefox featured cryptojacking protection in its Firefox Nightly 68 and Beta 67 versions this April, just prior to the launch of Quantum.

Firefox Quantum also aims to mitigate the practice of so-called “fingerprinting,” in which characteristics of a user’s browser and device are combined into a sort of digital fingerprint that is then used to track their activity across the internet.

Cryptojacking at the consumer level was called “essentially extinct” by cybersecurity company Malwarebytes on April 23. According to the report:

“Marked by the popular drive-by mining company CoinHive shutting down operations in early March, consumer cryptomining seems to have gone the way of the dodo. Detections of consumer-focused bitcoin miners have dropped significantly over the last year and even from last quarter, while business-focused miners have increased from the previous quarter, especially in the APAC region.”

According to the report, consumer malware detections have gone down by approximately 40%. Businesses, however, are being targeted more heavily by cryptojacking attempts, with business detections increasing by about 7% during the first quarter of 2019.

Source: https://cointelegraph.com/news/firefox-quantum-offers-anti-cryptojacking-feature
