Connect with us

Security

13 BIG CYBERSECURITY IDEAS FOR THE CISO BY CISOS

Published

on

Peers are a great source of information for the CISO because they are tackling the same security problems in different ways. Taking note of what they are doing is useful for replicating their successes in your own organization.

We recently sifted through dozens of interviews with, and reports about, CISOs, to uncover several knowledge gems. The emphasis highly effective CISOs place on the less tangible aspects of the job – leadership, culture and business savvy for example – is readily apparent.

What follows below is a roundup of useful comments, facts, and statistics – big cybersecurity ideas – for the CISO by CISOs.

1) Businesses do not exist to provide information security

It’s all too easy for security leaders to forget that the business of their business isn’t security – it’s to fulfill customer-demand for products or services:

“It is very easy to fall into a myopic view and focus strictly on information security without taking into consideration what is it ultimately that the organization is trying to accomplish strategically. So, keeping that front and center for our teams helps not only enable the business but keeps us all grounded because we, as a company, we exist because we sell toothpaste and tennis shoes and all of those things that customers count on us to provide. At the end of the day, we’re not in the information security business. So, the day that information security makes that prohibitively difficult, there is really no reason for us to be here, so we have to keep that organizational mission front and center.”

– Jerry Geisler, SVP & Global CISO, Walmart; source: Walmart’s Jerry Geisler on the CISO position, retail challenges by Kathleen Richards.

2) Understanding how IT supports the business

More than just understanding the IT infrastructure, security leaders need to understand how that infrastructure supports the business. While this comment stems from a healthcare security leader, it has broader applicability for any vertical market:

“CISOs need to know the entire architecture of a healthcare organization’s IT environment and how it supports each line of business. They need to fully understand the environment’s technological composition and nature of all the data contained therein, the process for storage and transmission, as well as the process of all critical and sensitive data and the complete flow of data in and out of the organization.”

– Mark Beckmeyer, Director of IT Security, Binary Fountain; source: Securing healthcare organizations: The challenges CISOs face by Zeljka Zorz.

3) Articulating the value of cybersecurity to the business

In business, cybersecurity is often seen as a cost. Yet one security leader found his experiences in government helped him translate the value of security in business:

“Cybersecurity is all about the management of enterprise risk. The value a CISO and security department provides to the company is the continuous management of this risk so the business units that directly generate revenue can focus on being innovative and helping the company meet its strategic objectives. So my value is risk management as a service: We support the business units so they can focus on what the business needs, and together we are all successful.”

– Gary Hayslip, CISO, Webroot; source: A Career CISO’s 7 Observations on Public vs. Private Sectorvia TechWire

Note: Mr. Hayslip co-authored a two-volume CISO Desk Reference Guide.

4) Managing security to your organization’s tolerance for risk

Experts say cybersecurity boils down to an exercise in risk management – the probability of an event – combined with the severity of impact. Investors might add another factor in tolerance, which is why this commentary from a CISO at a big investment bank is so relevant:

“To pre-empt this question, the CISO should have a conversation early on with the CEO to determine the organization’s risk appetite. This will allow the CISO to align and prioritize security initiatives accordingly.

We are in the business of information and technology risk management, so the ‘Are we secure?’ question is somewhat misguided. The question should be: ‘Are we managing risk according to our risk profile?’ To answer this, the CISO should be able to easily demonstrate, based on a recent risk assessment, how the various cybersecurity initiatives and projects are in fact reducing risk, shrinking the attack surface of the organization and aligning the security program with the firm’s overall risk profile.”

– Israel Bryski, Vice President, technology risk, Goldman Sachs; source: 8 Tough Questions Every CISO Should Be Ready to Answer by Joan Goodchild.

5) Translating security risk into business decisions

Some researchers say the best CISOs learn to lead without authority. It’s a nod to the idea that ultimately, successful security leaders identify and articulate the risks to business leaders so they can make the right decisions:

“It’s very important that the CISO take the time to translate the enterprise security/risk/compliance needs into what executives can assimilate and make the decision.”

– Rebecca Wynn, Head of Information Security and DPO, Matrix Medical Network; source: Leading Cyber Security Execs Describe CISO ‘Toolkits’ by Dan Gunderman.

 

6) Security leaders and technology leaders need leadership parity

Business wants to innovate – to deliver a service or make a product better and faster. Yet faster comes with risks and someone needs to examine those risks and pump the brakes when the risk exceeds the business’ tolerance level:

“You need to make sure that your heads of security are on equal footing with the heads of tech, otherwise there is an inherent conflict at play.”

– Anthony Belfiore, CSO, Aon PLC; source: Companies Unleash CISOs from Ties to Tech Chiefs by Kate Fazzini

7) A “security first” culture is a path to business efficacy

A “security first” approach is derived from culture and a security-conscious culture may enable a business to favor efficacy over stronger prohibitions and rigid policies:

“We’re not a blocker unless it’s absolutely essential. What I’m aiming for is when security does ‘say no’, the people take it seriously, because it’s so rare that they know it’s a serious occurrence.”

– Kevin Fielder, CISO, Just Eat; source: Just Eat’s first CISO is building security in from the ground up by Tom Allen.

8) Best-of-breed tools may help ward off future threats

The security tools fielded yesterday were designed to defend against yesterday’s threats. That’s why cybersecurity inherently involves economics. It’s may also part of the case for best of breed tools aimed at modern threats:

“As the threat landscape changes, some of the things that we think are a priority today may have a different priority tomorrow. And that’s part of the reason why when we have a vendor come in and do our security operations center, we will have the best-of-breed tools that will allow us to evolve in the next five years to deal with the current threats.”

– Marcelo Peredo, CISO, City of San José; source: San Jose’s first CISO braces for ubiquitous connectivity by Colin Wood.

9) The toughest questions a CISO must answer

Security leaders are often faced with difficult questions. A group of CISOs narrowed down what is surely a long list to the top five – as compiled by Kudelski Security:

> “Are we secure?”
> “How do we know if we have been breached?”
> “How does our security program compare to peers within the same industry?”
> “Do we have enough resources for our cybersecurity program?”
> “How effective is our security program, and is our current investment strategy aligned to it properly?”

– Survey of CISOs; source: The 5 most challenging questions CISOs face and how to answer themby Macy Bayern.

10) The 4 “Tribes” of CISOs

Personality tests strive to group people into categories based on characteristics, habits and communication style. Doing so is intended to provide insight into our preferences and weak spots so we can improve. A research project by Synopsys did something similar for the CISO “based on factors related to workforce, governance, and security controls.”  The research found CISOs can be used to grouped into one of four tribes:

> Tribe 1: Security as an Enabler;
> Tribe 2: Security as Technology;
> Tribe 3: Security as Compliance; and
> Tribe 4: Security as a Cost Center.

– CISO research project; source: Which CISO ‘Tribe’ Do You Belong To? by Kelly Sheridan

11)  What CISOs think makes CISOs successful

New York University Professor Nasir Memon once observed that security isn’t just a technical problem, but a legal problem, a policy problem and perhaps most importantly, a human behavior problem. CISOs it seems, agree with that assessment, according to a survey of CISOs by the Enterprise Strategy Group and ISSA.  The top skills CISOs say influence the success of a CISO are as follows:

> 54% say leadership skills;
> 49% say communications skills;
> 44% say strong relationships with executives;
> 33% say management skills; and
> 21% say upon technical skills.

– Survey of CISO; source: What makes CISOs successful? by Jon Oltsik

12) Individual consequences for getting phished?

While attacks have grown more sophisticated, many being with the same initiation stage: phishing emails. The organization can pay a heavy price when an individual gets phished and some say the risk and consequences should be shared:

“Someone who fails every single phishing campaign in the world should not be holding a TS SCI with the federal government. You have clearly demonstrated that you are not responsible enough to responsibly handle that information.”

– Paul Beckman, CISO, U.S. Department of Homeland Security; source: DHS infosec chief: We should pull clearance of feds who fail phish test by Sean Gallagher.

13) One upside to a breach:  a learning moment 

Once a breach has occurred, the dynamics between security and business may change. A breach is a learning moment, that makes conveying the message about the importance of security easier.

“One of the things that I really love about being a CISO in a post-breach environment is it gives you such an immense opportunity to drive fundamental, meaningful change in a very short timeframe. I felt like I did good things when I was at Los Alamos or at NASA, but it takes so frickin’ long to push some of this stuff. The barriers you face at any company not post-breach is you’re always fighting for budget, you’re always fighting for face time, trying to justify and convince people about the importance of security and risk management. When you’re in a post-breach environment, everyone already knows that it’s critically important.”

–  Jamil Farshchi, CISO, Equifax; source: Equifax’s Security Overhaul, a Year After Its Epic Breach by Lily Hay Newman.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Security

Microsoft is bringing its Defender antivirus software to the Mac

Published

on

By

Microsoft is bringing its Windows Defender antivirus software to macOS today. The software giant is renaming Windows Defender Advanced Threat Protection (ATP) to Microsoft Defender Advanced Threat Protection (ATP) as a result. Microsoft has created a dedicated Defender ATP client for Mac, and it offers full virus and threat protection mixed with the usual ability to perform quick or full scans.

A limited preview will be available for businesses to try out the antivirus protection in environments that have a mix of both Windows PCs and Macs. Microsoft is using its AutoUpdate software on macOS to keep the client up to date, and it will be available on devices running macOS Mojave, macOS High Sierra, or macOS Sierra.

As ATP is limited to businesses, it’s not clear if Microsoft is also planning to bring a consumer version of Microsoft Defender over to the Mac. Defender is currently built into Windows 10, offering antivirus protection by default. Either way, Microsoft is offering a limited preview to Microsoft Defender ATP customers, and you can sign up here.

Continue Reading

Internet

The number of mobile malware attacks doubles in 2018, as cybercriminals sharpen their distribution strategies

Published

on

By

Four African countries made the list in terms of top 10 countries by share of users attacked by mobile malware; Nigeria climbs from fifth place in 2017 to third in 2018.

Kaspersky Lab (www.Kaspersky.co.za) researchers have seen the number of attacks using malicious mobile software nearly double in just a year. In 2018 there were 116.5 million attacks, compared to 66.4 million in 2017, with a significant increase in unique users being affected. Despite more devices being attacked, the number of malware files has decreased, leading researchers to conclude that the quality of mobile malware has become more impactful and precise. These and other findings are unveiled in Kaspersky Lab’s report Mobile malware evolution 2018.

As the world becomes more mobile, the role of smartphones in business processes and day to day life is growing rapidly. In response, cybercriminals are paying more attention to how they are distributing malware and the attack vectors used. The channels through which malware is delivered to users and infects their devices is a key part of the success of a malicious campaign today, taking advantage of those users who do not have any security solutions installed on their phones.

The success of the distribution strategies is demonstrated not only by the increase in attacks, but also the number of unique users that have encountered malware. In 2018 this figure rose by 774,000 on the previous year, to 9,895,774 affected users. Among the threats encountered, the most significant growth was in the use of Trojan-Droppers, whose share almost doubled from 8.63% to 17.21%. This type of malware is designed to bypass system protection and deliver there all sorts of malware, from banking Trojans to ransomware.

“In 2018, mobile device users faced what could have been the fiercest cybercriminal onslaught ever seen. Over the course of the year, we observed both new mobile device infection techniques, such as DNS hijacking (http://bit.do/eKudD), along with an increased focus on enhanced distribution schemes, like SMS spam. This trend demonstrates the growing need for mobile security solutions to be installed on smartphones – to protect users from device infection attempts, regardless of the source,” said Viсtor Chebyshev, security expert at Kaspersky Lab.

Four African countries made the list in terms of top 10 countries by share of users attacked by mobile malware – Nigeria in 3rd place at 37.72%, Algeria in 5th place (35.06%), Tanzania in 8th place (31.34%) and Kenya in 9th place with 29.72%.

Other findings in the mobile malware evolution 2018 report include:

  • In 2018 Kaspersky Lab products protected 80,638 users in 150 countries against mobile ransomware, with 60,176 mobile ransomware Trojans samples detected
  • In 2018, a fivefold increase in attacks using mobile malicious crypto currency miners was observed
  • In 2018, 151,359 installation packages for mobile banking Trojans were detected, which is 1.6 times more than in the previous year

In order to protect your devices, Kaspersky Lab security experts advise the following:

  • Only install mobile applications from official app stores, such as Google Play on Android devices or the App Store on iOS
  • Block the installation of programmes from unknown sources in your smartphone’s settings
  • Do not bypass device restrictions as this might provide cybercriminals with limitless capabilities to carry out their attacks
  • Install system and application updates as soon as they are available — they patch vulnerabilities and keep devices protected. Note that the mobile OS system updates should never be downloaded from external resources (unless you are participating in official beta-testing). Application updates can only be installed through official app stores
  • Use reliable security solutions for comprehensive protection from a wide range of threats, such as Kaspersky Security Cloud(http://bit.do/eKurx)

To learn more about threats to mobile devices, please read the blog post available at Securelist.com. (http://bit.do/eKuiq)

Distributed by APO Group on behalf of Kaspersky.

About Kaspersky Lab:
Kaspersky Lab (www.Kaspersky.co.za) is a global cybersecurity company which has been operating in the market for 21 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.Kaspersky.co.za.

source: Africanews

Continue Reading

Security

The Ultimate Beginners Guide to GDPR Compliance in 2019

Published

on

By

What is GDPR?

By now you’ve probably all heard the term GDPR. Up until 25th May 2018 the guidelines surrounding personal information, in relation to privacy, were a bit wishy-washy. The Data Protection Directive (1995) did provide some basic guidelines but it simply wasn’t good enough.

We’ve always taken a keen interest in GDPR as many VPN’s have had to make serious changes to the way they operate inc some of the major players like Avast and NordVPN.

The monitoring and sharing of information is now covered under the General Data Protection Regulation (GDPR). This aims to ensure that information is handled responsibly, by any company that deals with personal information and privacy.

According to ICO, there are 7 key principles that GDPR sets out. These are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

The principles outlined aren’t rules as such, but more so an outline of fundamentals that should be followed when creating good data protection practice. If individuals or companies fail to comply with the principles, they could be fined up to €20 million, or 4% of your total worldwide annual turnover (whichever is higher).

What was before GDPR?

GDPR is applied throughout Europe, with each country having it’s own amount of control regarding certain aspects of the regulation. The U.K. has implemented the Data Protection Act (2018) which replaces the 1998 Data Protection Act.

The new act was passed through the House of Commons and House of Lords shortly before GDPR came into force.

Impact on businesses

Whether you’re an individual, organisation or company, you may be branded as a ‘controller’ or ‘processor’ of personal data. The Information Commissioners Officer (ICO) outlines exactly what the difference is between controllers and processors.

Businesses who monitor or obtain personal information on a large scale should employ a Data Protection Officer (DPO). The officer’s role should ensure that the company in question complies with GDPR. Any questions or queries regarding data protection should be directed to them.

GDPR applies to businesses that process personal data of EU citizens. This is the case even with businesses who employ less than 250 employees. As previously mentioned, any breach which could impact the rights of data subjects should be reported to the Information Commissioner’s Office (ICO).

If possible, a breach should be logged and reported within a 24 hour period, or 72 hours at the most. Details of the breach and how it is going to be contained and resolved must be outlined to the ICO.

GDPR will give individuals control on how businesses use their data. This also applies to businesses that already have your data. For example, individuals will have the ‘right to be forgotten’. So, if you’re a customer and no longer want a business to hold your personal data, you have a legal right to retract your data.

Helpful checklist for small businesses

GDPR is undoubtedly confusing, and understandably quite stressful! I thought it would be pertinent to put together a checklist for UK small businesses so you know what to expect, and what’s expected of you.

Your small business GDPR checklist should consider past and present employees, suppliers, and customers. It should also consider anyone’s data that you’re processing, collecting, storing, or recording, and using by any means.

1| Understand your data

You will need to understand and demonstrate your understanding of the types of personal data you and/or your business holds. For example, names, addresses, IP addresses, bank details, etc. This also includes sensitive data like religious views and health details. You’ll need to demonstrate that you understand where they come from and how you will be using such data.

2| Think about consent

Does your business require consent to process personal data? Some marketing techniques require consent which makes things much more difficult under GDPR. Consent must be extremely clear and specific, so unless you 100% know what you’re doing tt may be worth avoiding the need to rely on consent unless it’s crucial to your business model.

3| Consider security measures

Your security measures and policies that are in place must be updated to be GDPR compliant. What’s more, if you don’t have any in place already, you should get them pretty quickly! Although there are more specific demands regarding security, as a broad precaution, you could use encryption.

4| Subject access rights

Individuals have the right to access their personal data. You’ll need to ensure that your business is ready to provide this information within a short timeframe if necessary. Individuals may wish to obtain their personal data in order to rectify any issues, simply to have it, or they may wish to erase it altogether. All requests carry a timeframe of one month.

5| Train employees

Employees within your business should be trained in personal data. They will need to understand what constitutes personal data, as well as processes to identify any data breaches. Employees should be aware of who your Data Protection Officer (DPO) is, and any team or individuals related or responsive for data protection compliance.

6| Supply chain

All suppliers and contractors within your business need to be GDPR compliant. This is to ensure that they are not going to cause any breaches and pass any penalties or fines onto you. You will need to make sure that your contracts with your suppliers are updated too, so make sure you obtain a copy of this.

7| Fair processing

As part of GDPR, you must now be able to explain to individuals what you’re using their personal data for. This shouldn’t be a difficult task or one to worry about if you’re using their data fairly and correctly.

8| Data Protection Officer

It’s time to decide whether you need to employ a DPO or not. Small businesses are likely to be exempt, but larger businesses may not. It’s worth checking out to make sure you’re not in breach of any GDPR rules.

Defining consent

As an individual, you may be familiar with pre-ticked boxes when signing up for online accounts, purchasing products, registering for newsletters etc. These boxes were often pre-ticked and somewhat hidden, giving companies access to your personal data. Now, gone are the days of being bombarded by unwanted marketing emails and random phone calls.

Consent has been redefined under the new GDPR rules. Gone are the days of small print and hidden messages where individuals ‘accidentally’ or involuntarily sign up to marketing emails, texts, etc. Policies must be made abundantly clear now and be presented in such a manner.

Rules around pre-existing personal data are a little different. You may not require consent for this, but there must be a legal basis that’s compliant with the Data Protection Act (DPA). The main thing here is to remember that these legislations apply to businesses and consumers!

GDPR statistics 2018

  • Around 59% of UK businesses know the implications that GDPR will have on them.
  • On average, 73% felt that they were prepared when it came to documents and print management.
  • Only 6% of UK businesses made GDPR a priority. This is compared to 30% in France.
  • CNIL (French data protection regulator) reported a 50% increase in the number of complaints since GDPR came into force on 25th May.

Right of Access

Right of access (or subject access) allows an individual the right to obtain their own personal data. Right of access gives individuals the ability to understand how their data is being used and why their data is being used in such a way. This ensures that their data is being used in a lawful manner.

Individuals have the right to obtain certain information from companies, which includes:

  • a copy of an individual’s personal data
  • confirmation that an individual’s personal data is being processed
  • supplementary information (mainly corresponds to information provided in a privacy notice)

An individual, as we know, is entitled to their own personal data. However, they are not entitled to information about other people. On the other hand, if the information they are trying to obtain is about them as well as someone else, this is acceptable.

As an individual, it’s recommended that you ascertain whether the information you’re requesting is defined as personal data or not. You can check to see what’s classed as personal data (to be sure) here.

Am I a Data Controller or Data Processor?

GDPR applies to data controllers and data processors, but what does this actually mean? Data processors refer to operations performed on data, so when data is stored, collected, recorded, shared, etc. Data controllers are also data processors, the difference being is that they decide what the purpose or reason for processing data activities actually is.

Data Processors

As a data processor, there are legal obligations that GDPR require you to do:

  • Keep and maintain up-to-date personal data records. This includes outlining the details of processing activities and data subject categories. Categories refer to customers, employees, suppliers, and the types of processing – transferring, receiving, disclosing etc.
  • Keep and maintain details of transfer to countries that are outside of the European Economic Area (EEA)
  • Implement and maintain security measures that are appropriate, e.g. encryption

If a data processor is responsible for a data breach, they will have a lot more legal liability compared to the DPA. Individuals can make a direct claim against the data processor, so it’s imperative that you understand your responsibilities as one.

Data Controllers

As a data controller, you are by nature a data processor too. The same GDPR requirements therefore apply. However, the GDPR obligations are placed on you and your business to ensure that contracts with processors are compliant and standards are met.

Continue Reading
Advertisement

Trending

Copyright © 2018 Inventrium Magazine

%d bloggers like this: