No time to read? Listen to the podcasts instead

For those of you who might not have the time to read (it’s only 150 pages), here’s another option: IBM was kind enough to offer to record a series of podcasts with Paul and me.

In January 2017, Paul Ferrillo and I released our new book, “Take Back Control of Your Cybersecurity Now — Game Changing Concepts on AI and Cyber Governance for Executives.”

Building a Cybersecurity Culture Around Layer 8

“Cybersecurity must accommodate and address the needs of people through process and cultural change.” — Gartner press release dated June 6, 2016

The term layer 8 is often used pejoratively by IT professionals to refer to employees’ lack of awareness and a weak overall cybersecurity culture. While organizations continue to purchase and deploy technical controls, not much has been done to focus on the human side of cybersecurity. Today, it is just as important to secure human assets — layer 8 — as it is to secure layers 1 through 7.

What If “Cyber” Is The Wrong Word?

The word “cyber” means different things to different people. In virtually every training session I put on, one of my first actions is to go around the room and ask people what “cyber” means to them. If I am lucky, perhaps two or three people will have a similar answer, but in most cases, the definitions vary, even when people share similar job titles and roles.

Often, how you characterize a problem will determine your plan of attack to solve the problem. To illustrate, I often use this example with both clients and friends.

If I were to ask you: “How long can you and your business survive without your computer?” your answer would likely be something along the lines of “I need my computer to do everything!” While I suspect this is most likely true, such a response does very little for your resilience. Should such a case ever arise in your life, you would be left scrambling to find some sort of solution to keep your business operations going.

But what if I were to ask you: “You don’t have your computer for three days, a week, or even two weeks…what do you do?” By asking the question in this manner, you are undoubtedly forced to look at the problem in a very different way. In fact, you have to look at the problem in a very different way because your survival depends on it.

Meeting Security Challenges Through Vigilance, Readiness and Resilience

Because society is undergoing such rapid technological change, the traditional paradigms for addressing threats are evolving with the security challenges. Two particular security challenges characterize the current and future connective landscape in both the public and private sectors: protecting critical infrastructure, and protecting the Internet of Things (IoT) and Smart Cities.

In 2017 we are facing a new and more sophisticated array of physical security and cybersecurity challenges that pose significant risk to people, places and commercial networks. The nefarious global threat actors are terrorists, criminals, hackers, organized crime, malicious individuals, and, in some cases, adversarial nation states. Everyone and anything is vulnerable, and addressing the threats requires incorporating a calculated security strategy.

According to Transparency Market Research, the global homeland security market is expected to grow to a market size of $364.44 billion by 2020. A large part of the spending increase over the past year is directly related to cybersecurity in both the public and private sectors.

Take Back Control of Your Cybersecurity – The Podcast Series

Today, I’m sharing the list of the first five podcasts (with a few more to come in the next month). Paul and I want to thank the IBM Security team, and Mitch Mayne (of IBM Security) for their support in making this podcast series happen, and indirectly for helping get the word out about our book.

As many of you know, in January 2017, Paul Ferrillo and I released our new book, Take Back Control of Your Cybersecurity Now. Around the same time, the folks at IBM Security, the masterminds behind the site where over 40 of my blog articles are posted, agreed to record a series of podcasts with Paul and me.

NACD Publishes Five Cybersecurity Principles Every Board Director Needs to Know

“Directors don’t need to be technologists to play an effective role in cyber risk oversight — but every board can take the opportunity to improve the effectiveness of their cyber oversight practices.” — Peter Gleason, NACD President

In January 2017, the National Association of Corporate Directors (NACD) released an updated edition of its “Director’s Handbook on Cyber Risk Oversight.” In light of increasing pressures from regulators and ongoing cyberattacks, board directors have a key role to play to ensure proper oversight of cyber risks for their organizations.

The 2017 edition improves on the 2014 version by clarifying several points for board directors to help them understand the strategic importance of cyber risks and the complexity of threats. It also includes several appendices that both chief information security officers (CISOs) and directors will find useful when preparing for mergers and acquisitions (M&A). The appendices also contain information about metrics and dashboards, and the relationship between boards and CISOs.

Highlights From the World Economic Forum’s ‘Global Risks Report 2017’

The report emphasized that cyberattacks and breaches have led many countries to enact tough national security and counterterrorism measures. That changes the rights of citizens and alters how governments work in the 21st century.

On Jan. 11, the World Economic Forum (WEF) published “The Global Risks Report 2017.” As we did for the 2016 edition, we dug into this year’s report to analyze key findings as they relate to cybersecurity.

Five Ways to Be a More Effective CISO in 2017

The security officer’s role is mentioned alongside other technology roles such as head of IoT strategy, chief data officer and chief digital officer.

The new year is here, and with it comes another fresh wave of attacks, continued strain on resources and the hubbub of everyone returning to the office after a long, much-needed break. The chief information security officer’s (CISO’s) time is as stretched as it has ever been and, most likely, so is his or her attention span. Here’s a short list of priorities for CISOs to keep running in the background.

The Priority of the Government/Industry Cybersecurity Partnership

Information sharing tied to risk management will help both government and industry keep abreast of the latest viruses, malware, phishing threats, ransomware, insider threats, and especially denial of service attacks. Information sharing also establishes working protocols for lessons learned and resilience that are critical for the success of commerce and the enforcement against cyber-crimes.

The change in the cyber risk environment coinciding with a heightened need for procurement of new technologies and services has created a new paradigm for a cybersecurity partnership between government and industry. The prioritization of that special partnership appears to be in the immediate plans for the new Trump Administration.

Charisma Killed the Cat: Fostering an Effective Cybersecurity Leadership Style

Competing in the global marketplace in 2017 doesn’t come easy. Today’s organizations must deal with global competition and innovation, workforce gaps, a pace of disruption that shows no signs of slowing down and the ever-increasing frequency and maturity of cyberattacks. These factors translate into a lot of stress and very little time to determine the best cybersecurity leadership style to keep the organization safe from the barrage of cyberattacks.