To ensure that the CISO is so empowered, top leadership must view and treat security as a strategic element of the business. In other words, they must view cyber risks as strategic risks. Internal collaboration with the security function should be supported and strongly encouraged at all levels of the organization.
In early 2016, boards were starting to take cybersecurity more seriously and, in the process, increasing their interactions with chief information security officers (CISOs). How much has changed in the past two years? To whom do CISOs report today, and why does it matter?
The State of the Security Org Chart in 2018
In the latest edition of its “Global State of Information Security Survey,” PricewaterhouseCoopers (PwC) found that 40 percent of CISOs, chief security officers (CSOs) or other equivalent information security executives report to CEOs, while 27 percent report to board directors, 24 percent report to a chief information officers (CIO), 17 percent report to a CSO and 15 percent report to a chief privacy officer (CPO). Since PwC’s numbers add up to more than 100 percent and the actual survey questions aren’t provided, these numbers likely include dotted lines of reporting in addition to direct reports. Continue reading at SecurityIntelligence.com
Does your company truly care about cybersecurity, or is it just going through the motions and asking you to check off the boxes?
Cybersecurity attorney Shawn Tuma tells us that courts and attorneys are getting pretty good at determining the difference—which can impact the cost of litigation in a major way after a cyber incident.
It is 2018 and you must be able to show your work toward “reasonable cybersecurity.” In part 1 of this report, Tuma shared the high-level answer to what “reasonable cybersecurity” is. Now, in part 2, he offers specifics on what you must be doing, at a minimum, to secure your business.
Continue reading to watch the video. Continue reading “How Courts & Attorneys View ‘Reasonable Cybersecurity’ in 2018”
But what, exactly, is the standard for reasonable cybersecurity? What does that look like or feel like within an organization?
The term “reasonable cybersecurity” gets batted around all the time.
We’ve heard InfoSec leaders talking about it at SecureWorld cybersecurity conferences across the United States.
And we know that if you have it, it can help limit liability damages after a breach.
We asked well-known cybersecurity attorney Shawn Tuma, of Scheef & Stone, LLP, what you should be aiming for in 2018. Here is his 90-second answer: Continue reading “What Is Reasonable Cybersecurity?”
As we turn the page to 2018, organizations and their CISOs should commit to improving the way they consider, manage, communicate and respond to cybersecurity issues. That means introducing cognitive technology into the security environment, educating top leadership about cyber risks, promoting a culture of security awareness throughout all levels of the organization, conducting data breach simulations and tabletop exercises to hone incident response capabilities, and measuring the progress and maturity of security activities.
If you survived 2017 — a year full of data breaches, ransomware, distributed denial-of-service (DDoS) attacks and a multitude of other high-profile security incidents — you deserve a pat on the back. Some of us weathered the storm thanks to our careful preparations, the security controls we deployed, the incident response strategies we practiced and the recovery mechanisms we put in place. The rest of us can thank our lucky stars that things didn’t turn out for the worse.
Five Enterprise Security Resolutions for 2018
No matter how you navigated the treacherous threat landscape during the past year, it’s time for all of us in information security to make our New Year’s resolutions. If you’d rather not leave the fate of your organization to luck in 2018, here are five resolutions for chief information security officers (CISOs) to apply in the new year. Continue reading at SecurityIntelligence.com
In many organizations, the executives need to increase the frequency and quality of interactions with the CISO and adopt a more hands-on approach to improving the way cyber risks are managed and governed. In companies where the cybersecurity function still reports to IT, dotted lines of reporting should be created to ensure direct access to top leadership.
If it appears to you that 2017 was a dismal year for cybersecurity, join the club: According to the latest edition of EY’s “Global Information Security Survey,” most security leaders feel they are more at risk today than they were 12 months ago.
The report surveyed chief information officers (CIOs), chief information security officers (CISOs) and other executives from 1,200 organizations around the world. More than 50 percent of survey responses came from small and midsized organizations with fewer than 2,000 employees. Although the top five sectors by respondents were banking and capital markets, consumer products and retail, government, insurance, and technology, other sectors, such as health, power and utilities, and real estate, were also included.
The report shed light on the state of cybersecurity and resilience, which is especially relevant since the global cost of cybersecurity breaches is estimated to reach $6 trillion by 2021. Cyberattacks are becoming more sophisticated, and new and disruptive technologies such as the Internet of Things (IoT) are rapidly increasing the level of connectedness across organizations, thus increasing the attack surface. Continue reading at SecurityIntelligence.com
If you’re unsure an email is legitimate, take the 30 seconds to call your colleague, friend, or family member and say, “did you really send me this?” That call could save you millions of dollars, your job, and avoid an avalanche of bad PR.
In our previous article, we started to lay out some important social engineering terms, such as phishing, spear-phishing and pretexting. We even introduced to you what we call “Potentially Unwanted Leaks” (PUL) as tidbits of information that, when out in the wild, become valuable nuggets to be used against you in a social engineering attack.
This last installment in our ICS/SCADA series shows how social engineering was used to cause a blackout, the first known case of a cyberattack being directly responsible for a power outage.
On December 23, 2015, at 3:35 pm local time, in Ivano-Frankivsk Oblast (a southwestern region of the Ukraine that borders Romania and is in close proximity to the borders of Hungary, Slovakia, and Poland), seven 110 kV and twenty-three 35kV substations were disconnected for three hours.
The power outage, which took out 30 substations, could have impacted up to three different energy distribution companies, causing 225,000 customers to lose power. Shortly thereafter, Ukraine’s SBU state security service responded by blaming Russia, not an unreasonable assertion given that plenty of lead time was required to conduct this operation.
How was this allowed to happen? Continue reading “Attacks to Critical Infrastructure Are Real, & They Can be Incredibly Easy”
There has never been a better time to understand the linkage between cyber risks, business strategy and performance, and to ensure that at all levels of the organizations are making the best decisions possible — for both today’s world and tomorrow’s cyber earthquakes.
This past September, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued an updated enterprise risk management (ERM) framework, titled “Enterprise Risk Management — Integrating with Strategy and Performance,” to help business leaders understand the risks their organizations face and evaluate their impact on business performance.
While the COSO ERM guidance is designed to simplify risk management at an enterprise level, organizations can derive even more value from the framework by coupling it with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which is geared more toward day-to-day, ground-level risk management. Continue reading at SecurityIntelligence.com
Nothing is completely un-hackable, but there is a myriad of emerging technologies that can help us navigate the increasingly malicious cyber threat landscape.
Cybersecurity is at a tipping point, the sheer volume of breaches, attacks, and threats has become overwhelming. Juniper Research, suggests that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019. About 1.9 billion data records got exposed in the 918 data breaches that occurred in the first half of 2017—up 164 percent from the last half of 2016. According to a recent AT&T Cybersecurity Insights report, some 80 percent of the IT and security executives surveyed said their organizations came under attack during the previous 12 months.
This rising threat trend, coupled with the rapid growth of sophistication in malware, ransomware, DDoS, and social engineering attacks has created a conundrum. How do we protect ourselves in an increasingly connected world? Continue reading “Emerging Technologies and the Cyber Threat Landscape”
How do you protect yourself? One clue for detection is to monitor if your computer is running slower. Also implement regular computer scans, keep your security software and patches up to date, and clear your browser cache often. In practicing cybersecurity, it is prudent to be vigilant because everyone is vulnerable.
Last week it was disclosed that almost 4,700 bitcoins crypto currency valued at $64m were stolen by hackers who broke into Slovenian-based bitcoin mining marketplace called NiceHash. The NiceHash marketplace matches people looking to sell processing time on their computers for so called miners to verify bitcoin users’ transactions in exchange for the bitcoin. From the forensic incident analysis it appears to be a breach exploited by sophisticated hackers.
This is not the first time that bitcoin has been targeted. Recently, around $30 million worth Ethereum cryptocurrency was stolen by hackers through a cyber-attack. And In 2014, hackers stole about $350 million in bitcoins from Tokyo’s’ Mt. Gox Exchange.
Bitcoin is the first, and the largest of cryptocurrencies, 21 million of them were released in 2009. The common definition of bitcoin is that is a type of digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, operating independently of a central bank. Functionally, it is a decentralized tradable digital asset that recorded publically by a Block Chain ledger. Continue reading “Cyber Securing Crypto Currencies”
On a more serious note, the COSO ERM also underscores the relationship between risk and value. It elevates the discussion of strategy and risk, looking at the possibility that strategy and business objectives are not in strong alignment with the organizational mission, vision and values. It allows for deep insight into the implications of the various strategies that management is contemplating and the risks that stem from executing a chosen strategy.
If oversight of cyber risks was trivial, it wouldn’t be an issue anymore. But it is still an issue because cyber risks are a business concern, and making smart business decisions is a nontrivial issue.
In September 2017, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued an updated enterprise risk management (ERM) framework, titled “Enterprise Risk Management — Integrating with Strategy and Performance,” to help business leaders understand and prioritize the risks their organizations face and measure how these risks impact business performance. Continue reading at SecurityIntelligence.com