10 Takeaways From the ISO 31000:2018 Risk Management Guidelines

“Dealing with risk is part of governance and leadership, and is fundamental to how an organization is managed at all levels.” — International Organization for Standardization

In February 2018, the International Standards Organization (ISO) released an updated version of its risk management guidelines, ISO 31000:2018, which can be purchased for about $95. The 2018 update, which replaced the prior version from 2009, provides:

  • Updated and simplified language and reference structures;

  • A renewed focus on the key leadership role that boards and top management must play in ensuring that risk management is fully integrated at all levels of the organization; and

  • Greater attention to the cyclical and iterative nature of risk management, which underscores the notion that organizations must evaluate their risk management process in light of new information or in response to feedback about gaps that might be present in the current risk process or associated controls. Continue reading at SecurityIntelligence.com

SEC Releases Updated Guidance For Cybersecurity Disclosure

Overall, the updated SEC guidance set the bar a little higher and provided clear reminders — or, when needed, warnings — about the responsibilities of management and the board regarding cybersecurity disclosure.

“Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” — SEC Commission Statement and Guidance on Public Company Cybersecurity Disclosures

On Feb. 21, 2018, the U.S. Securities and Exchange Commission (SEC) released updated guidance on cybersecurity disclosure for public companies. The agency updated the document’s previous language, which was released in 2011, regarding cyber risks and their impact on investment decisions. Continue reading at SecurityIntelligence.com.

Local LinkedIn pick as cybersecurity guru talks trends

I think government is traditionally been way behind on procurement issues and recently, enactment of legislation for modernization has taken place. They’re trying to replace a lot of legacy systems.

Our guest today was recently named by LinkedIn as one of the top five people to follow in cybersecurity issues among their 500 million members. He was also just selected as LinkedIn to be an advisor on cybersecurity and emerging technology issues, and we’re lucky enough to have him here in the studio– Chuck Brooks of Chuck Brooks Consulting. Chuck, thanks for joining us. Continue reading “Local LinkedIn pick as cybersecurity guru talks trends”

Attacks to Critical Infrastructure Are Real, & They Can be Incredibly Easy

If you’re unsure an email is legitimate, take the 30 seconds to call your colleague, friend, or family member and say, “did you really send me this?” That call could save you millions of dollars, your job, and avoid an avalanche of bad PR.

In our previous article, we started to lay out some important social engineering terms, such as phishing, spear-phishing and pretexting. We even introduced to you what we call “Potentially Unwanted Leaks” (PUL) as tidbits of information that, when out in the wild, become valuable nuggets to be used against you in a social engineering attack.

This last installment in our ICS/SCADA series shows how social engineering was used to cause a blackout, the first known case of a cyberattack being directly responsible for a power outage.

On December 23, 2015, at 3:35 pm local time, in Ivano-Frankivsk Oblast (a southwestern region of the Ukraine that borders Romania and is in close proximity to the borders of Hungary, Slovakia, and Poland), seven 110 kV and twenty-three 35kV substations were disconnected for three hours.

The power outage, which took out 30 substations, could have impacted up to three different energy distribution companies, causing 225,000 customers to lose power. Shortly thereafter, Ukraine’s SBU state security service responded by blaming Russia, not an unreasonable assertion given that plenty of lead time was required to conduct this operation.

How was this allowed to happen? Continue reading “Attacks to Critical Infrastructure Are Real, & They Can be Incredibly Easy”

Understanding the COSO 2017 Enterprise Risk Management Framework, Part 2: Combining Apples With Oranges

There has never been a better time to understand the linkage between cyber risks, business strategy and performance, and to ensure that at all levels of the organizations are making the best decisions possible — for both today’s world and tomorrow’s cyber earthquakes.

This past September, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued an updated enterprise risk management (ERM) framework, titled “Enterprise Risk Management — Integrating with Strategy and Performance,” to help business leaders understand the risks their organizations face and evaluate their impact on business performance.

While the COSO ERM guidance is designed to simplify risk management at an enterprise level, organizations can derive even more value from the framework by coupling it with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which is geared more toward day-to-day, ground-level risk management. Continue reading at SecurityIntelligence.com

Understanding the COSO 2017 Enterprise Risk Management Framework, Part 1: An Introduction

On a more serious note, the COSO ERM also underscores the relationship between risk and value. It elevates the discussion of strategy and risk, looking at the possibility that strategy and business objectives are not in strong alignment with the organizational mission, vision and values. It allows for deep insight into the implications of the various strategies that management is contemplating and the risks that stem from executing a chosen strategy.

If oversight of cyber risks was trivial, it wouldn’t be an issue anymore. But it is still an issue because cyber risks are a business concern, and making smart business decisions is a nontrivial issue.

In September 2017, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued an updated enterprise risk management (ERM) framework, titled “Enterprise Risk Management — Integrating with Strategy and Performance,” to help business leaders understand and prioritize the risks their organizations face and measure how these risks impact business performance. Continue reading at SecurityIntelligence.com

An Eye on GDPR

Think Equifax. Think Uber. Now think about how to notify those tens and hundreds of millions within 72 hours. That is the sort of headache you are going to have to deal with.

There is a lot of talk about the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679).  And rightly so, because it will impact a great many organizations, many of which reside in the U.S.  Set to come fully into effect May 25, 2018, the GDPR has understandably caused a lot of headaches because it is wide-sweeping and costly regulation, especially if you are in violation.

Clearly, the first question to ask is if the GDPR applies to you. If it doesn’t, you are in the clear (but that is not an excuse to relax your data protection measures).  If it does, well, you have work to do if you haven’t been on top of your GDPR compliance. This is especially true if you are a big organization, are not based in the EU, and have a lot of EU customers and clients. Continue reading “An Eye on GDPR”

2018 & Beyond – Cybersecurity’s Future

Market forces are at play here, and with a global market, it’s tough to control what gets built, to what specifications, and then find an appropriate way to share that information with potential buyers.

Perspectives From 3 Of The Top SMEs In Information Security

As we approach the new year, I, Chuck Brooks, am very pleased to have a discussion with four of the most prominent technical SMEs in the world of cybersecurity; Kenneth Holley, George Platsis,  and Christophe Veltsos.  Their answers that follow offer practitioner perspectives and advice on some of the key issues and technologies that encompass the future of information security. It is worthwhile keeping their comments as a source reference for the C-Suite and anyone concerned about protecting their identities and data. Continue reading “2018 & Beyond – Cybersecurity’s Future”

60 Cybersecurity Predictions For 2018

And one from the #CyberAvengers all on Forbes

Attacks on the US government and critical infrastructure

A nation-state sponsored group will commence a 5-day long DDoS attack against a critical US government (non-DoD) agency, shutting it down in order to show their strength—The Cyber Avengers

Read the entire list on Forbes

A National Cybersecurity Action Plan is a Serious Priority

We cannot allow this slow economic bleed of our economy to continue. It slows down and even reverses living standards. We simply cannot invest billions into research and development and have it siphoned from us with a few clicks. There is no justifiable reason to let this happen anymore. Smart and competent people have been sounding the alarm bells for some time, but they need more voices to back them.

Expectedly, our cybersecurity issues are growing.  We say expectedly for a variety of factors including, but not limited to: size and scope of breaches, increasing costs that cannot be accurately estimated or predicted, a proliferation of technologies and abilities, and geopolitical tensions. Given current conditions, we do not see a particularly bright future if our current cybersecurity strategy remains more or less constant.

What is our current strategy? In short, it is the accumulation of a lot of expensive toys to hold together decaying infrastructure, along with a healthy dose of the putting aside or worse, ignoring, the basics. In short, we look to more technological solutions, but we avoid the single greatest problem: our decisions. The growing track record of failures demonstrates that this “technology-heavy” approach is not working.

The underlying problem with this strategy is that it is simply untenable unless there is some revolutionary technology that completely changes the landscape. And while we do think artificial intelligence and quantum computing will be game-changing, we do not necessarily believe they will solve all our problems. Poor handling and implementation of these two technologies may, in fact, accelerate our demise. Therefore, we cannot continue to throw what limited resources we have at supposed technological wizardry, fixes, and repairs when the root of our deepest problems are inherently insecure systems, poor maintenance, and social engineering. Continue reading “A National Cybersecurity Action Plan is a Serious Priority”