Do You Trust Your Network?

Therefore, if your IT department says to you, “we’re confident we do not have any malware on our network” ask how they came to that conclusion. If instead they say, “we do not have any malware on our network, honest, trust us!” then raise an eyebrow and get your hands dirty, because you have work to do.

The question seems simple enough, doesn’t it? But have you asked the question? My feeling is that not enough people actually do. Of course, a natural response may be: isn’t that a question for my IT department to answer?

Yes and no (more on that in a moment). And I promise I am not trying to play word games, but words and their meanings matter, and I am therefore placing particular focus on the word trust. Trust is different from confidence. Trust is different from transparency. Trust has a much more “personal” element than the others. And so much of what we do in the world today is based on trust.

Main Takeaways for CIOs from the Global C-Suite Study

Technological advances are transforming the way we connect, disrupting the status quo and creating huge turbulence. Industries are converging, and new opportunities and threats are emerging, as never before.

— IBM IBV 2016 Global C-suite Study – The CIO Point of View

The pace of change is top of mind for CIOs. We live in an age where technology is nearly obsolete by the time it has been implemented and deployed. Gone are the days of 5-year and 7-year technology deployment plans; instead, CIOs must oversee a near-continuous digital transformation of their enterprise. Add to that the critical nature of today’s technology infrastructure (can your business run without computers, networks, or the Internet?) and you get a good sense of the level of stress CIOs are facing today. Continue reading at IT Biz Advisor

Rising Tides and Higher Stakes – High Performance Counsel Interview with Chuck Brooks

The specifics of a security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic abilities for critical communications in cases of emergency.

What are the new Cybersecurity Stakes – What are vulnerabilities and risks?

We live in a world of algorithms; x’s and o’s. Our digital world is ripe for access and compromise by those who want to do harm from just a laptop and server. A myriad of recent breaches have demonstrated that as consumers we are becoming more and more dependent upon digital commerce. Our banking accounts, credit cards, and daily financial activities are interconnected. We are all increasingly vulnerable to hackers, phishers, and malware proliferating across all commercial verticals.

In the past year, ransomware has become a cyber-attack method of choice for hackers. This is because many networks (especially hospitals, utilities, universities, and small businesses) are comprised of different systems and devices and often lack the patching and updating necessary to thwart attacks. The recent WannaCry and Petya attacks were certainly wake-up calls to the disruptive implications of ransomware. We can expect to see more such attacks because of the ease of infection and because the vulnerabilities in networks still remain.

Board Directors Need to Get Involved With Cyber Risk Governance

Board directors are under a lot of pressure. They know that it’s only a matter of time before their organization suffers a cyber incident, and all eyes will naturally be on the directors themselves to see if they were properly exercising their risk oversight.

Directors also know that all interactions with the CISO will be subject to close scrutiny in the aftermath of a breach. But with the right mix of security education, communication and help from outside experts, executives can fill cyber risk awareness gaps and achieve compliance with a growing number of privacy and risk regulations. Continue reading at SecurityIntelligence.com

A Quick Summary of Recent Trends & Developments That Businesses and Law Firms Should Know

“Nearly 60 percent of small businesses have to close shop after a data breach, which costs, on average, about $32,000 per attack.”

Cybersecurity Spending Soaring:

According to market research firm Gartner, global spending on information security is expected to reach nearly $87 billion in 2017 (an increase of around 7 percent over 2016) and is expected to top $113 billion by 2020. Also according to Gartner, by 2020, 40 percent of all managed security service (MSS) contracts will be bundled with other security services and broader IT outsourcing (ITO) projects, up from 20 percent today.

Cybersecurity Valuation and Your Organization

Put a number on what you value even if that number has to be arbitrary, especially those intangible things, like client records, intellectual property, goodwill, and brand.

Cybersecurity is everywhere. Everybody is talking about it. Everybody is worried about it. And everybody thinks they need to do something about it.

The problem is that everywhere we look, we get this general feeling that we are failing. One report suggests that only 1 in 5 organizations is “very mature” in its adoption of the NIST Cybersecurity Framework. GDPR is around the corner (May 2018), but some estimates show only 25% of EU countries are ready for it. Good luck to the rest when those astronomically heavy fines kick in. And how long until so many non-New York State entities are forced to follow the NY Department of Financial Services’ new cybersecurity regulations, just so they can keep doing business in NY? The transitional period for covered entities ends on August 28th, 2017, so you had better be ready!

Testing Top Leadership’s Muscle Memory With Data Breach Simulations

How would your organization’s leadership fare in its response to a full-on data breach? Regular and ongoing training can improve top leaders’ ability to respond to a cybersecurity breach and avoid doing additional damage to the reputation of the company as they deal with the repercussions.

Organizations simply cannot afford to be lax about their level of preparation for a cybersecurity event: shareholders, government regulators and consumers won’t be keen on businesses that take a weak approach to cybersecurity. A data breach is something that has to be not simply considered and discussed a couple of times a year, but actively prepared for and drilled against. Obviously, incident response teams must practice and fine-tune their responses on a near-continuous basis, but many organizations don’t realize that executives should do the same. Continue reading at SecurityIntelligence.com

Multilateral Cyber Interests Will Rarely Align

The human-technology cyber conflict cannot be solved; it is a fact to be coped with over time, not a problem to be solved.

Previously, I proposed that security and economy are inextricably linked and that such a link has the potential to increase both national and personal prosperity. If you are a student of history, I do not believe you will have any difficulty accepting this hypothesis, particularly when you put aside any consideration of cultural and societal issues or constructs.

A sovereign entity can potentially achieve national prosperity through security and economy, but that construct may not be tenable over time. Therefore, how prosperity is achieved is where it gets tricky. Why? Because people see the world in different ways and people want to live their lives differently.

US Legislators Wising Up About Cybersecurity?

Forgive the security lingo, but if legislators can speak vulnerabilities, two-factor auth, and hard-coded credentials, then it’s a big moment that should be acknowledged.

A recent article by Brian Krebs caught my attention: New Bill Seeks Basic IoT Security Standards. The bill “to improve the cybersecurity of Internet-connected devices” was authored by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-OR) and Steve Daines (R-MT) on August 1, 2017. This is so recent that a search on August 3 for the bill on GovTrack returned only the most generic of messages, saying this bill was in the “first stages of the legislative process”; in the meantime, the full text of the bill can be found on Scribd (posted by Senator Warner).

Before You Declare Your Enemy, Be Sure of Your Interests

Set aside all politics and details for a moment and begin with this premise: are my interests being met? If you take that as your starting point, the fog will begin to clear for you. Of course, reasonable people can have an informed debate over what “correct” interests are, but that is what we try to do in democracies. Interest is the overriding factor here.

In my previous article, I discussed the clash of systems we currently are in. Super quick recap: in one corner, we have the Westphalian nation-state system that has been around since 1648 and is built on the principles of sovereignty, legal equality and a policy of non-interventionism; in the other corner, we have the Internet, which has no established sovereignty, is marred by legal blurring, and is by its very nature interventionist and disruptive.

Ultimately, what we have is a system clash where our original intent – free flow of information but with positive control of the Internet in our lives – has been flipped on its head, where the Internet effectively controls our lives.