Lessons From the Marsh ‘Global Cyber Risk Perception Survey’: Disconnects Persist Despite Increased Executive Involvement

“Most organizations now rank cybersecurity among their highest risk management priorities.” — Marsh’s “Global Cyber Risk Perception Survey”

In February 2018, Marsh and Microsoft released a new report titled “By the Numbers: Global Cyber Risk Perception Survey” based on a survey of over 1,300 risk professionals and other senior executives, including chief executive officers (CEOs), chief financial officers (CFOs), chief technology officers (CTOs), chief risk officers (CROs) and board directors, across 26 industries.

Participants came from organizations located around the globe. More than 30 percent of respondents’ organizations did business in Europe, the U.K. and/or Ireland, North America and Asia. In terms of organization size, their revenues ranged from less than $10 million (about 20 percent) to over $1 billion (over 22 percent). Continue reading at SecurityIntelligence.com

Cybersecurity experts talk about the digital world

Security comes from policy as much as technology

“Every element of company operations has a cyber aspect,” Brooks says. “It’s not just the technical. It’s the policies. … So it’s really important to have that working relationship across the organization, and that’d be the recommendation I’d make to any C-suite. If you don’t have your CSO and CIO and CTO involved directly with the leadership of the company — or agency if you’re in government — then you’re going to run into issues.” Read more at AT&T Business.

10 Takeaways From the ISO 31000:2018 Risk Management Guidelines

“Dealing with risk is part of governance and leadership, and is fundamental to how an organization is managed at all levels.” — International Organization for Standardization

In February 2018, the International Organization for Standardization (ISO) released an updated version of its risk management guidelines, ISO 31000:2018, which can be purchased for about $95. The 2018 update, which replaced the prior version from 2009, provides:

  • Updated and simplified language and reference structures;

  • A renewed focus on the key leadership role that boards and top management must play in ensuring that risk management is fully integrated at all levels of the organization; and

  • Greater attention to the cyclical and iterative nature of risk management, which underscores the notion that organizations must evaluate their risk management process in light of new information or in response to feedback about gaps that might be present in the current risk process or associated controls. Continue reading at SecurityIntelligence.com

Ask Yourself: Why Do You Amass Data?

Remember: the system worked exactly as it was designed to. Some don’t like the fact that Bob had access to the data. But keep this in mind: it’s quite possible that we haven’t yet heard of an Alice, a Joe and a Sally who had access to similar, or even more, data.

Unless you have been living under a rock, you have noticed that a growing number of people are not too pleased with Facebook and Alphabet Inc., the parent of Google and developer of the Android mobile operating system.

What started the recent frustrations are the revelations from a former employee of Cambridge Analytica about how the company harvested information from 50 million Facebook users. I want to skip over the part about how the data was used, because that’s the fog in this storm, and the distraction is entering “funny cat video” territory.

Where we should be focusing our thinking is here: the data was harvested in the first place, into one central repository. That’s the issue. Continue reading “Ask Yourself: Why Do You Amass Data?”

Putting the ‘I’ in CISO: Why the Security Leader Must Become an Influencer

As an influencer, the CISO can play a key role in shaping the organization’s cybersecurity risk strategy. When the security leader’s influence reaches all the way into the boardroom, that influence can actually help save the organization money in the aftermath of a data breach.

One of the most important attributes of a chief information security officer (CISO) is the ability to govern by influence rather than edict. This skill is especially important given that, according to an August 2017 Ponemon report, many organizations struggle with conflicts related to turf and silo issues — nearly half of CISOs still report to chief information officers (CIOs) — and the lines of responsibility for cybersecurity are not always clearly defined.

To resolve these problems, CISOs must explore ways to become influencers within their organizations. But this doesn’t mean the security leader should have absolute authority and total control over the security program. As many CISOs have realized, the cybersecurity function is far more likely today to hold veto power over projects, especially IT projects, than it ever was before. However, veto power is a double-edged sword: if abused, it can halt innovation and drive employees toward shadow IT. Continue reading at SecurityIntelligence.com

When It Comes to Cyber Risks, 2018 Is No Time to Play Games

Before the year is up, organizations should focus on improving their game. That means figuring out which activities yield the most positive results — or best help reduce negative outcomes. With the cybercrime landscape evolving at breakneck speed, security teams had best bring their A-game to compete with ever-more sophisticated threat actors in 2018.

While some organizations have spent decades fine-tuning their ability to respond to and manage cyber risks, far too many are still playing games with their security strategy.

From a cybersecurity perspective, 2017 will go down as a record year for data breaches. The Identity Theft Resource Center (ITRC) reported 1,579 breaches, up 45 percent from 2016. By itself, 2017 accounted for over 22 percent of all the data breaches tracked by the ITRC between 2005 and 2017. Over 50 percent of those breaches exposed Social Security numbers, and nearly 20 percent leaked credit and debit card numbers. Hacking accounted for 940 breaches, or 60 percent of successful compromises. While the ITRC only tracked five industry categories, over 55 percent of breaches targeted the business sector, followed by the medical/healthcare industry at over 23 percent. Continue reading at SecurityIntelligence.com

Practicing Your Crisis Response: How Well Can You Handle Right of Boom?

Ultimately, a crisis simulation enables an organization to pressure-test its incident response plans — including who has decision-making authority and who communicates what to whom — identify gaps, and improve strategy and tactics accordingly. After all, it’s much better to go through a series of practice runs than to be thrown to the wolves when the real crisis happens.

If there’s one thing 2017 taught us, it’s that we need to get ready for the inevitable data breach — especially regarding how we respond once we know about the “boom,” which is the time we first learn of a security event.

A new report by IBM’s Institute for Business Value (IBV), “Beyond the Boom: Improving Decision Making in a Security Crisis,” emphasized the value of conducting crisis response simulations for top leadership. The report comes amid increased global awareness about the likelihood and impact of cyberattacks, as evidenced by the World Economic Forum (WEF)’s “2018 Global Risks Report.”

Another positive development is the shift from a primarily defense-oriented mindset to a more agile approach to cyber resilience. Continue reading at SecurityIntelligence.com

Why “Security” and “Efficiency” Should Never Be Used in the Same Sentence

Efficiencies in business are great, but for them to be effective, a precondition needs to hold: nothing goes wrong. In the cybersecurity world, which touches everything, we’re finding out that a lot is going wrong.

We’re well into 2018, and I think it’s safe to say we’re not experiencing a cybersecurity revolution. Sure, there has been some great advancement in tech, with AI and blockchain applications beginning to steamroll. It seems that if you add “blockchain” to whatever you’re doing, you’ll get a bump in business. Really, this happened in late 2017. Continue reading “Why “Security” and “Efficiency” Should Never Be Used in the Same Sentence”

Data Integrity: The Next Big Challenge

Data integrity is an important issue to keep an eye on because of that whole confidence thing we talked about earlier. Without confidence, we’re going to run into a lot of problems that will not be easy to untangle. And that untangling will be mega-expensive.

Many of us in the cybersecurity world have followed this general mantra: protect the data, protect the data, protect the data. It’s a good mantra to follow, and ultimately that is what we are all trying to do.

But there are different ways to protect data. The obvious method is to make sure it doesn’t get stolen, but as we have noted in previous pieces, the lexicon we use can be troublesome at times. This is particularly true when there is room for cultural interpretation (that’s one of the reasons why curbing international cybercrime is really hard).

That lexicon problem extends into many different areas, including what “protecting” the data means. “Protecting” data goes well beyond making sure it doesn’t get stolen. It means the data isn’t tampered with and is still usable, as it was originally intended to be used. That data can be financial statements, design schematics, or RFP bids.

Here’s the key that makes the world go around: confidence. If counterfeit data starts to circulate widely, our confidence in the data begins to diminish. Then it’s just a matter of time before I start asking: do I really trust this financial statement, design schematic, whatever it is, to be legitimate? If I don’t, I have a problem. And if I no longer want to accept the data you’re giving me as legitimate, you have a problem, too. Continue reading “Data Integrity: The Next Big Challenge”
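The integrity point above, that “protecting” data means being able to tell a tampered financial statement from the real one, is easy to get wrong in practice: a checksum stored next to the record looks like protection but isn’t, because anyone who can rewrite the record can recompute the checksum. The script below is an added example, not code from the original post; the sample record, field names and key are constructed for illustration. It shows that an unkeyed SHA-256 tag is silently forgeable, that an HMAC with a key the attacker lacks catches the same change, and that the HMAC stops helping the moment the key is stolen, which is why key custody is part of integrity protection rather than a separate concern.

```python
"""Tamper-evident records: an unkeyed hash versus a keyed MAC.

Added example, not from the original post. The record, the field
names and the key below are constructed for illustration only.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample: one line item from a financial statement.
STATEMENT = {"company": "ExampleCo", "quarter": "2017Q4", "revenue_usd": 12_500_000}

# Constructed secret. In a real system this comes from a KMS or HSM,
# is never checked into source, and is not readable by the data store.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content yields identical bytes.
    Without this, reordered keys or different whitespace would break verification."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sha256_tag(record: dict) -> str:
    """Unkeyed integrity tag: anyone can recompute it, so it only detects accidents."""
    return hashlib.sha256(canonical(record)).hexdigest()


def hmac_tag(record: dict, key: bytes) -> str:
    """Keyed integrity tag: producing a valid tag requires the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_hmac(record: dict, tag: str, key: bytes) -> bool:
    """compare_digest avoids leaking how many leading characters matched via timing."""
    return hmac.compare_digest(hmac_tag(record, key), tag)


def attacker_rewrites(record: dict, with_key: Optional[bytes] = None) -> Tuple[dict, str]:
    """Model an attacker who can overwrite both the stored record and its stored tag.
    Adds one zero to revenue, then writes whatever tag they are able to compute."""
    forged = dict(record)
    forged["revenue_usd"] = 125_000_000
    if with_key is None:
        # Without a key the best they can do is recompute an unkeyed hash.
        return forged, sha256_tag(forged)
    return forged, hmac_tag(forged, with_key)


def demo() -> dict:
    """Run the three scenarios and return which ones the verifier catches."""
    results = {}

    # 1. Unkeyed hash: the verifier recomputes SHA-256, and so did the attacker.
    forged, forged_tag = attacker_rewrites(STATEMENT)
    results["sha256_detects_tamper"] = sha256_tag(forged) != forged_tag  # False

    # 2. Keyed MAC, key not available to the attacker: the forged tag fails.
    mac = hmac_tag(STATEMENT, INTEGRITY_KEY)
    results["hmac_accepts_original"] = verify_hmac(STATEMENT, mac, INTEGRITY_KEY)  # True
    forged2, forged_tag2 = attacker_rewrites(STATEMENT)
    results["hmac_detects_tamper"] = not verify_hmac(forged2, forged_tag2, INTEGRITY_KEY)  # True

    # 3. Keyed MAC, but the attacker has the key: forgery succeeds again.
    forged3, forged_tag3 = attacker_rewrites(STATEMENT, with_key=INTEGRITY_KEY)
    results["hmac_detects_tamper_with_stolen_key"] = not verify_hmac(
        forged3, forged_tag3, INTEGRITY_KEY
    )  # False

    return results


if __name__ == "__main__":
    for scenario, caught in demo().items():
        print(f"{scenario}: {caught}")
```

Two design choices matter here. The canonical serialization is what lets the verifier recompute the tag over the same bytes the signer saw; skip it and legitimate records fail verification as soon as a field order changes. And the third scenario is the honest one: a MAC converts “can the attacker rewrite the data?” into “can the attacker read the key?”, so the key must live somewhere the data store cannot reach, or a digital signature with a private key held off the data path should replace the HMAC where the verifier and the producer are different parties.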