Shared Responsibility in Cybersecurity

Sober strategic thought suggests that if you cannot immediately defeat and subdue an adversary through immediate and overwhelming strength, by using surprise, speed, and violence of action, your best course of action is to bleed your adversary, over time and through asymmetry, by attacking their strengths. In the case of the West, our strengths are two: the economy and our democratic institutions (the latter of which we will not discuss in depth in this piece, as we are primarily focusing on the private sector).

The safety of the Internet is at stake. A relatively obvious comment, but one which is neither unfounded, nor wrapped up in the auto-hysteria, as so many cybersecurity conversations are today. Why do we say this? A simple reason really: because the Internet is no longer used as it was originally designed – a benign information-sharing tool, used primarily for knowledge and research, by a select group of users. Today, but also arguably for the last 15 or so years, the Internet is a “wild west” with more and more actors entering it every day. The intent of these actors may be fairly obvious – we want to order something online and have it shipped to our door – or it may be shrouded in controversy and obfuscation, making attribution a seemingly impossible task.

Despite this environment, we still must go on about our daily lives, unless of course we are willing to change our daily lives, which would almost certainly result in a lower standard of living.

The Cybersecurity Disclosure Act of 2017 (S 536) – What’s New?

Whether this bill passes, in this form or another, this year or another, you should ensure that your company or organization is taking cybersecurity seriously and actively engaged in managing cyber risks. This starts at the top, the very top, from the board of directors, to the C-suite, and should cascade (not just trickle) all the way down to every employee (via security awareness and appropriate testing/feedback of employee behaviors).

As March 2017 comes to a close, the news from US Capitol outlets reads: “Oversight Transparency Of Cyber Risks At Publicly Traded Companies Addressed In New Bill” (src: Homeland Security Today).

Who: Senators Jack Reed (D-RI), Susan Collins (R-ME) and Mark Warner (D-VA) introduced the bipartisan Cybersecurity Disclosure Act of 2017 (S 536), whose purpose is to “promote transparency in the oversight of cybersecurity risks at publicly traded companies.”

Scope: Publicly traded companies would be in the scope of this bill.

Three Lessons From Test-Driven Development

“If it’s worth building, it’s worth testing. If it’s not worth testing, why are you wasting your time working on it?” — Scott Ambler, Enterprise Agile Coach

In 1999, Kent Beck’s “Extreme Programming Explained: Embrace Change” became an inspiration for rethinking the way software was developed. Three years later, his “Test-Driven Development: By Example” further elaborated on the need to reconsider the way software is planned, how teams operate and, most importantly, the way software is tested. To date, there are over 170 books on Amazon about test-driven development (TDD).

The CISO as a Digital Trust Diplomat

“Each person’s behavior toward the other determines whether the relational dimension leads to a conversation that is rich or poor. In other words, what you do will influence what they do: if you confront them, they may confront you; if you try to appease them, they may take advantage of you and then feel aggrieved if you then change tack and become more assertive.” — “Talking the Walk,” a publication of The Partnering Initiative.

Why should chief information security officers (CISOs) consider themselves as digital trust diplomats? It is undeniable that today’s CISOs have to play multiple roles. They must be able to converse about deeply technical and complex issues one minute and translate how all these issues can impact the company’s bottom line the next.

One of the skills that is becoming more necessary for CISOs is diplomacy. However, diplomacy isn’t confined to the simplistic idea of endless meetings, tit-for-tat swaps and complex, multiparty negotiations. CISOs are at the center of a conflict of unprecedented scale and significance. And yet, as digital trust diplomats, CISOs have a lot to offer, and many professionals have a lot to learn.

Five Ways to Improve the CISO-Board Relationship

“Security and risk management must become part of every business decision, and nobody within the enterprise is better positioned to advocate for those issues than the CISO.” — Fast Company

The relationship between the chief information security officer (CISO) and the board of directors is a topic that has received increased visibility in the past few years. The 2017 edition of the “Director’s Handbook on Cyber Risk Oversight,” published by the National Association of Corporate Directors (NACD), is full of insights on the CISO-board relationship and provides updated recommendations for board directors to follow regarding oversight of cyber risks.

Bringing Clarity to Really Really Big Data: A Case for AI and Machine Learning to Help Crunch and Protect Our Data

Let’s start with this basic concept: today, “data” is everything. Both personally and professionally, much of our lives have been converted into a bunch of zeroes and ones. Our reliance on data has never been greater and is only certain to grow, especially with the explosion of the Internet of Things (IoT).

It’s funny how kids have an affinity for toys we enjoyed as kids – like Legos. They will spend hours creating the biggest “thing,” often leading to a parent’s near universal response, “Johnny! That is the biggest tower I have ever seen! Great job!” Children (and we) love Legos because they foster imagination, offering a limitless way to create something “gigantic!” And in a more practical sense, Legos sometimes give us a great perspective on the important concept of “scale.”

As counsellors and consultants, replicating the “scale” issue as it relates to the respective data, information and network security problems is a challenge. Unfortunately, “layperson” directors and officers of public companies, along with executives in government, tend to view “scale” (as it pertains to data protection) as a bad thing (and even a scary thing). Part of the challenge here is that there are few practical ways to explain to those holding these positions that an organization’s security operations center may receive upwards of one million “incidents” every day and, at the same time, adequately deal with, and investigate, the potential peril inherent in such incidents, and reasonably assure that not even one of these small incidents slips between the cracks.

No time to read? Listen to the podcasts instead

For those of you who might not have the time to read (it’s only 150 pages), here’s another option: IBM was kind enough to offer to record a series of podcasts with Paul and me.

In January 2017, Paul Ferrillo and I released our new book, “Take Back Control of Your Cybersecurity Now — Game Changing Concepts on AI and Cyber Governance for Executives.”

Building a Cybersecurity Culture Around Layer 8

“Cybersecurity must accommodate and address the needs of people through process and cultural change.” — Gartner press release dated June 6, 2016

The term layer 8 is often used pejoratively by IT professionals to refer to employees’ lack of awareness and a weak overall cybersecurity culture. While organizations continue to purchase and deploy technical controls, not much has been done to focus on the human side of cybersecurity. Today, it is just as important to secure human assets — layer 8 — as it is to secure layers 1 through 7.

What If “Cyber” Is The Wrong Word?

The word “cyber” means different things to different people. In virtually every training session I put on, one of my first actions is to go around the room and ask people what “cyber” means to them. If I am lucky, perhaps two or three people will have a similar answer, but in most cases, the definitions vary, even when people share similar job titles and roles.

Often, how you characterize a problem will determine your plan of attack to solve the problem. To illustrate, I often use this example with both clients and friends.

If I were to ask you: “How long can you and your business survive without your computer?” your answer would likely be something along the lines of “I need my computer to do everything!” While I suspect this is most likely true, such a response does very little for your resilience. Should such a case ever arise in your life, you would be left scrambling to find some sort of solution to keep your business operations going.

But what if I were to ask you: “You don’t have your computer for three days, a week, or even two weeks…what do you do?” By asking the question in this manner, you are undoubtedly forced to look at the problem in a very different way. In fact, you have to look at the problem in a very different way because your survival depends on it.

Meeting Security Challenges Through Vigilance, Readiness and Resilience

Because society is undergoing such a rapid technological change, the traditional paradigms for addressing threats are evolving with the security challenges. Two particular security challenges characterize the current and future connective landscape in both the public and private sectors: protecting critical infrastructure, and protecting the Internet of Things (IoT) and Smart Cities.

In 2017 we are facing a new and more sophisticated array of physical security and cybersecurity challenges that pose significant risk to people, places and commercial networks. The nefarious global threat actors are terrorists, criminals, hackers, organized crime, malicious individuals, and, in some cases, adversarial nation states. Everyone and anything is vulnerable, and addressing the threats requires incorporating a calculated security strategy.

According to Transparency Market Research, the global homeland security market is expected to grow to a market size of $364.44 billion by 2020. A large part of the spending increase over the past year is directly related to cybersecurity in both the public and private sectors.