Lost in so much of the cybersecurity conversation is that protection rarely offers a return on investment. Protection is a tax on business and a tax on individuals. So unless we start “feeling” this theft on a more personal level and take the steps to properly educate ourselves about the human dimension, we are going to run out of money to invest in protection real fast.
When did cyberattacks truly begin to concern us? Was it the Morris worm of 1988? One would have wished it was, but clearly this is not the case. How about the 2008 cyberattack on USCENTCOM? That worm, likely injected into the DoD system through a single USB key, took about 14 months to clean up by some estimates. Fast forward nine years to Equifax: 145 million records stolen. Have we learned yet? I wish I could say “okay, this time we will do something about it!” but I am not too optimistic.
Because I feel we have slipped into a dangerous area: we have allowed the normalization of data theft. And today, data theft means anything from personally identifiable information to R&D/intellectual property to good old-fashioned money. My feeling is that because we don’t “feel” data the same way we would, oh, a stack of $20s, we don’t really appreciate what is being lost. Continue reading “Have We Normalized Theft?”
Much like when a CFO presents a financial statement to the board, the advisor ensures that cybersecurity is always framed in terms of what it actually means for the business. The advisor can make sure that the current cybersecurity posture is well-articulated and that the target state is achievable given the organizational culture.
What makes a good cyber risk advisor? What skills do they need to help board directors address cybersecurity? According to a report by BayDynamics, board directors “may not be experts in security, but they do know how to steer a business away from risk and toward profit by listening to subject matter experts. However, they expect those experts to frame that advice around relevant business concerns.”
In addition to being able to communicate effectively, cyber risk advisors should have a solid understanding of the technical weaknesses of the organization and how those weaknesses can impact business objectives. While it may be simple to find someone with technical savvy, that doesn’t necessarily mean you can put that person in front of a business leader. As BayDynamics noted, “You’re not going to impress a board with how smart you are by throwing technical jargon at them that will go over their heads.” Continue reading at SecurityIntelligence.com
The Non-Technical, No Nonsense Guide For Directors, Officers, and General Counsels
Cybersecurity, as many organizations practice it today, is broken. Everybody is feeling the pressure as competitors and partners alike dread a breach. Leadership can’t be left in the dark due to technobabble, a lack of resources, or excuses as to why cyber risk cannot be measured.
FireEye is proud to support the new eBook, The #CyberAvengers Playbook: Doing the Little Things (and Some of the Big Things) Well (2017 Edition). This short guide is designed to give you actionable items that could help any organization improve its cybersecurity posture.
Download the eBook and pick up the following tips from the #CyberAvengers:
- Oversight duties: Learn to view risk from an enterprise perspective in an era where accountability and fallout costs are surely going to grow.
- Cyber risk: Why it matters and how to wisely spend your limited resources.
- Communication gaps: Cybersecurity is not an IT-only issue, so do not be afraid to speak your mind. We show you which questions to ask.
- Response and continuity: Even the best-tested plans can go out the window during a time of crisis. Learn to minimize the fallout.
- What’s happening in 2017 and what to expect in 2018: From the ransomware scare to the General Data Protection Regulation (GDPR) coming into effect, business is becoming more expensive. We try to help you save wherever you can.
Every CEO needs a Spock or a Data. In this era of monthly breaches, the importance of a good cyber risk advisor cannot be overstated. The ultimate decision is yours, Captain, but at least you’ve been forewarned.
Many people in the security industry today grew up watching “Star Trek,” from the original episodes to Next Generation, Deep Space Nine, Voyager, Enterprise and the many other series that followed. In anticipation of the upcoming “Star Trek: Discovery” series, we thought it would be a good time to remind our readers that, beyond the entertainment value, “Star Trek” also provides useful metaphors to help security professionals communicate with executives and fellow staffers.
Eight Cybersecurity Lessons for Your Security Starfleet
When it comes to security, the typical enterprise is really not so different from the USS Enterprise. Without proactive risk management, savvy threat identification and effective incident response, neither a business nor an intergalactic vessel can survive. Below are eight cybersecurity lessons that security professionals can take away from “Star Trek.” Continue reading at SecurityIntelligence.com
Much the same way you wouldn’t go to a podiatrist for your dental issues (despite increased cases of foot-in-mouth syndrome, particularly over social media), you shouldn’t be using real estate counsel to handle a cyber breach.
Intelligent responses depend on three elements:
- Incident Response Planning
- Business Continuity Planning
- Crisis Communication Planning
There are numerous articles and memos that deal with the topic of incident response, business continuity, and crisis communication plans. Many have even been distributed through media outlets. So you may be asking: why us, why now, and what more could we possibly offer in this space?
Continue reading “3 keys to responding intelligently, publicly to a cyberattack”
Remember, these are just tools, not crutches, and humans are still needed at the helm.
In the midst of the recent devastating cybersecurity news from Equifax it would not be unreasonable for Americans to think: What’s next?
Let’s be candid: The status quo is not working. Traditional perimeter defenses are becoming sieves. Password policies and practices are weak. Over-privileging is a self-induced wound. And the timely patching of critical vulnerabilities continues to be a major issue despite months of discussion and thousands of written words on the topic.
So what will work? Getting back some of the basics would be a good start. Taking advantage of some current and next-generation technologies would be another good step. What follows are a few such suggestions, in no particular order.
Continue reading “Five Lessons on Cybersecurity Survival”
Directors are under pressure to ensure that they are dutifully discharging their duties of care and due diligence.
Board directors have very little patience for technical jargon. Given the tremendous pressure executives are under to avoid headline-grabbing data breaches, CISO reports should align enterprise risks with their potential impacts on business objectives in terms that nontechnical board members can easily understand.
An EY report titled “The Evolving Role of the Board in Cybersecurity Risk Oversight” stated that board directors “seek assurances from management that their cyber risk management programs will reduce the risk of attacks and, when necessary, will detect, respond and recover from any attack that does happen.” Continue reading at SecurityIntelligence.com
Therefore, if your IT department says to you, “we’re confident we do not have any malware on our network,” ask how they came to that conclusion. If instead they say, “we do not have any malware on our network, honest, trust us!” then raise an eyebrow and get your hands dirty, because you have work to do.
The question seems simple enough, doesn’t it? But have you asked the question? My feeling is that not enough people actually do. Of course, a natural response may be: isn’t that a question for my IT department to answer?
Yes and no (more on that in a moment). And I promise I am not trying to play word games, but words and their meanings matter, and I am therefore placing particular focus on the word trust. Trust is different than confidence. Trust is different than transparency. Trust has a much more “personal” element than the others. And so much of what we do in the world today is based on trust. Continue reading “Do You Trust Your Network?”
It’s not about what you do right, as much as what you do not do wrong.
The SecureWorld News Team talked with Shawn Tuma about many of the lessons that can be learned from the Equifax data breach and winnowed it down to the following 3 takeaways, which are discussed more thoroughly in the article at SecureWorldExpo.com:
- We need a uniform national breach notification law in the United States.
- When it comes to data breach response, “[i]t’s not about what you do right, as much as what you do not do wrong.”
- A mega breach keeps going, and going, and going.
Technological advances are transforming the way we connect, disrupting the status quo and creating huge turbulence. Industries are converging, and new opportunities and threats are emerging, as never before.
— IBM IBV 2016 Global C-suite Study – The CIO Point of View
The pace of change is top of mind for CIOs. We live in an age where technology is nearly obsolete by the time it has been implemented and deployed. Gone are the days of 5-year and 7-year technology deployment plans; instead, CIOs must oversee a near-continuous digital transformation of their enterprise. Add to that the critical nature of today’s technology infrastructure — i.e., can your business run without computers, networks, or the Internet? — and you get a good sense of the level of stress CIOs are facing today. Continue reading at IT Biz Advisor