Do You Trust Your Network?

Therefore, if your IT department says to you, “we’re confident we do not have any malware on our network” ask how they came to that conclusion. If instead they say, “we do not have any malware on our network, honest, trust us!” then raise an eyebrow and get your hands dirty, because you have work to do.

The question seems simple enough, doesn’t it?  But have you asked the question?  My feeling is that not enough people actually do.  Of course, a natural response may be: isn’t that a question for my IT department to answer?

Yes and no (more on that in a moment).  And I promise I am not trying to play word games, but words and their meanings matter, and am therefore placing particular focus on the word trust.  Trust is different than confidence.  Trust is different than transparency.  Trust has a much more “personal” element than the others.  And so much of what we do in the world today is based on trust. Continue reading “Do You Trust Your Network?”

Main Takeaways for CIOs from the Global C-Suite Study

Technological advances are transforming the way we connect, disrupting the status quo and creating huge turbulence. Industries are converging, and new opportunities and threats are emerging, as never before.

— ­IBM IBV 2016 Global C-suite Study – The CIO Point of View

The pace of change is top of mind for CIOs. We live in an age where technology is nearly obsolete by the time it has been implemented and deployed. Gone are the days of 5-year and 7-year technology deployment plans, instead CIOs must oversee a near-continuous digital transformation of their enterprise, constantly. Add to that the critical nature of today’s technology infrastructure — i.e. can your business run without computers, networks, or the Internet — and you get a good sense for the level of stress CIOs are facing today. Continue reading at IT Biz Advisor

Board Directors Need to Get Involved With Cyber Risk Governance

Board directors are under a lot of pressure. They know that it’s only a matter of time before their organization suffers a cyber incident, and all eyes will naturally be on the directors themselves to see if they were properly exercising their risk oversight.

Directors also know that all interactions with the CISO will be subject to close scrutiny in the aftermath of a breach. But with the right mix of security education, communication and help from outside experts, executives can fill cyber risk awareness gaps and achieve compliance with a growing number of privacy and risk regulations. Continue reading at SecurityIntelligence.com

Cybersecurity Valuation and Your Organization

Put a number on what you value even if that number has to be arbitrary, especially those intangible things, like client records, intellectual property, goodwill, and brand.

Cybersecurity is everywhere. Everybody is talking about it. Everybody is worried about it. And everybody thinks they need to do something about it.

The problem is that everywhere we look, we get this general feeling that we are failing. One report suggests that only 1 in 5 organizations are “very mature” in adoption of the NIST Cybersecurity Framework. GDPR is around the corner (May 2018) but some estimates show only 25% of EU countries are ready for it. Good luck to the rest when those astronomically heavy fines kick in.  And how long until so many non-New York State entities are forced to follow the NY Department of Financial Services new cybersecurity regulations, just so they can keep doing business in NY? The transitional period for covered entities ends on August 28th, 2017, so you better be ready! Continue reading “Cybersecurity Valuation and Your Organization”

Ransomware Heists are Only Part of the Board’s Problems

Your job isn’t done by completing vulnerability assessment. You actually have to do something about those vulnerabilities you have found.

It’s 10:00 am Monday morning and management is in the hot seat. The stock has lost 15 points since the opening bell and is going in a downward spiral. The company is being maligned on the news and trolled on social media. Shareholders are demanding to know how the company allowed a breach to happen over the long weekend, exposing 100 million pieces of personally identifiable information. An emergency meeting with all available board members is called for 1:00 pm to discuss the state of affairs and the question, “What do we do now?”

Ready to present, management and IT hastily put together a presentation of what happened. As soon as the presentation starts, the unthinkable occurs: ransomware takes control. Its demands are simple: $50 million in Bitcoins within one hour, or at 2:00 pm the hacker group dumps corporate R&D and emails from the last year into the public domain. There is no way for the company to recover once this information goes public. Continue reading “Ransomware Heists are Only Part of the Board’s Problems”

Independence Day from Hacking

Unfortunately, professionals in industry and government still think they are not a target. And what is worse is that many of them are still convinced that the means they used to protect their networks five years ago still apply today.

Watching the news and the debates during the past week felt pretty deflating. You must have heard about the entire who knew what when regarding the attempted Russian interference during the election. Much of what was said was fairly well known but with the new drips and drabs of information coming out into the open the past few days, political opportunism was bound to happen.

Despite this expected response, finger-pointing provides no true help to anybody in the world (and if we are being candid, not even within the Beltway). Sure, it is all interesting. And all of this chatter even provides a good spectacle. We even agree there are some serious questions that need to be answered, like who did know what when and why did they do (or not do) something about it. Continue reading “Independence Day from Hacking”

Explaining Cybersecurity through Cars: Get Yours Inspected or Get It Off the Road

The #CyberAvengers want to make cybersecurity unintimidating. Isn’t it a liberating feeling to know when your mechanic is running a fast one on you? It is. And you do that because you build up your knowledge and are unafraid to say, “why are you trying to get me replace my entire axle when all I need is a control arm?”

We are pointing out the obvious, but the obvious needs to be pointed out these days: How you view the world impacts your decision-making. And equally as important is how you view yourself. Therefore, if you see the world as a relatively benign place and feel for the most part you are well prepared for whatever challenge you will face, it is quite likely you will do little to change your behavior.

But if you view the world as a more hostile place and think of yourself and us as unprepared, chances are you will either wither away into a corner, frightening yourself into hysterical paranoia, or you will do something rational to prepare yourself for whatever challenge comes your way.

Let us start with this basic premise: The internet is inherently vulnerable. It was designed that way because the debate—about 40 plus years ago—focused on open access and free flow of information versus security. The former won, but we are paying the price today. So, if the information highway (the internet) is all banged up and falling apart, it does not matter how safe your car is because the road is still a mess. Continue reading “Explaining Cybersecurity through Cars: Get Yours Inspected or Get It Off the Road”

Five Whys: Lessons From the World of Incident Investigations

“If you do not ask the right question, you will not get the right answer.” — Olivier Serrat, “The Five Whys Technique”

In the 21st century, cybersecurity is paramount to an organization’s survival. Yet many organizations have managed to get by with poor cybersecurity practices, which then only serves to reinforce the illusion that things are under control. Security leaders, C-suite executives and board directors tend to interpret near misses that go uninvestigated as evidence of the organization’s ability to successfully protect or react to security incidents. Continue reading at SecurityIntelligence.com

Cyber Resilience Tools and Principles for Boards of Directors

“Cyber resilience in an organization must extend beyond the technical IT domain to the domains of people, culture and processes. A company’s protective strategies and practices should apply to everything the company does — to every process on every level, across departments, units and borders — in order to foster an appropriately security-conscious culture.” – Walter Bohmayr and Alexander Türk, The Boston Consulting Group

The World Economic Forum (WEF) is known for its yearly meetings of the global elite held in Davos, Switzerland, as well as its “Global Risks Report,” which is typically released around the same time. Recently, the WEF has taken on a new role on the global scene and is spearheading a global effort to help organizations become more cyber resilient. In January 2017, the WEF released a report entitled “Advancing Cyber-Resilience: Principles and Tools for Boards.” Continue reading at SecurityIntelligence.com

Five Ways to Improve the CISO-Board Relationship

“Security and risk management must become part of every business decision, and nobody within the enterprise is better positioned to advocate for those issues than the CISO.” — Fast Company

The relationship between the chief information security officer (CISO) and the board of directors is a topic that has received increased visibility in the past few years. The 2017 edition of the “Director’s Handbook on Cyber Risk Oversight,” published by the National Association of Corporate Directors (NACD), is full of insights on the CISO-board relationship and provides updated recommendations for board directors to follow regarding oversight of cyber risks. Continue reading at SecurityIntelligence.com