
Posts

Showing posts from 2020

The basics still work: classify the data!

In the view of Rangel Rodrigues, Information Security advisor, strong authentication, proper architecture, policies, encryption and awareness are some of the mandatory controls for ensuring the protection of companies' most valuable asset. There is no way to protect something you do not know. This sentence may or may not make sense to you, but the plain truth is that many organizations fail at this point. Or have not yet understood it. It is evident that if everyone in the production chain understood, in some way, that cybersecurity is part of their lives, CISOs would have within reach the maturity everyone needs. And only through actions such as an awareness strategy can we change the way employees think. In fact, everything is tied to the way human beings think. Let's get practical: protecting an organization with cybersecurity resources begins with analyzing what kind of information we need to protect. Does this data need to meet a regulatory requirement? Is it in...

Why Is 'Pay the Ransom' In Next Year's Budget?

Why Is 'Pay the Ransom' In Next Year's Budget? This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Les McCollum, managing VP, CISO, ICMA-RC. All three of us discussed: Are you taking into account all variables when considering whether to pay the ransom? With a whopping 25 percent of all ransomware victims paying the ransom, paying the ransom has become part of the security plan. But does doing that actually accomplish anything? Ransomware is not just encrypting your data; it's also data theft and public exposure. Have you calculated what the reputational risk of paying the ransom will cost? Also, after you've paid, you're a known entity that will pay. You will be a target to get hit again and again. Most companies upgrade their security programs after an attack. Do you know how much you'll be spending on that? How do you create a culturally sane group that's diverse? I always hear forward-thinking managers ...

Why Don't Cybercriminals Attack When It's Convenient for Me?

This week's episode of CISO/Security Vendor Relationship Podcast Why Don't Cybercriminals Attack When It's Convenient for Me? This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Margarita Rivera, VP of information security, LMC. All three of us discussed: It's never TGIF for those who work in cybersecurity. Cybercriminals know when our guard is down, and it's usually late on a Friday or just before a holiday. At these times, coworkers shift into half-work speed and half cybervigilance. It would be annoying to remind people every Friday to be on guard for cyberattacks, but it's worth it to remind your staff just before a big holiday. Show support for those still out of work. We talked about a very emotional post by someone who was suffering a six-month streak of rejection. When rejection becomes that overwhelming, it can definitely cause one to start questioning whether you made the right decision to do wha...

A new issue of Intelligent CISO Issue 31 publication has been published.

A new issue of Intelligent CISO Issue 31 publication has been published. - Cloud sock - Spike in cloud attacks shows businesses were not prepared to work remotely. - Threat evolution - McAfee report explores how cybercriminals have exploited the pandemic. - Cyberthreat impact - Industry experts discuss the major cyberthreats to the North America region. - Safe Bet - Killian Faughnan, Group CISO at William Hill, discusses his role at the bookmakers and some of the driving factors behind its ambition to continuously strengthen its cybersecurity posture. - Infographic - Study reveals 94% of global organizations suffered one or more business-impacting cyberattacks. - Latest updates from North America and APAC. - Understanding Ransomware in the Enterprise. - What are the major cyberthreats to the North America Region? Read more: https://view.joomag.com/intelligent-ciso-issue-31/0252261001604323146?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb29tYWciLCJpYXQiOjE2MDQzMjQ2NjAsImV4cCI6...

Leaked Secrets in Code Repositories

This week's episode of Defense in Depth Leaked Secrets in Code Repositories This week's episode is hosted by me, David Spark, producer of CISO Series, and Allan Alford. Our sponsored guest is Jérémy Thomas, CEO, GitGuardian. All three of us discussed: Putting passwords and other credential information inside of code simply happens. It is done by developers for reasons of efficiency, laziness, or simply forgetting to take it out. Given that exposing secrets is done by developers, these secrets appear in code everywhere, most notably in public code repositories like GitHub. Exposed credentials can appear in SIEMs as they are exported from the developers' code. There is a shared responsibility model, and cloud providers do have some ability to scan code, but ultimately the code you put in your programs is your responsibility. Scanning public code repositories should be your first step. You don't want to be adding code that has known issues. The next step is to scan your own code...

Can a Robot Be Concerned About Your Privacy?

This week's episode of CISO/Security Vendor Relationship Podcast Can a Robot Be Concerned About Your Privacy? This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our sponsored guest is Rebecca Weekly, senior director of hyperscale strategy and execution, senior principal engineer, Intel. All three of us discussed: Privacy as competitive advantage. For years, it seemed the corporate norm was to push users to relinquish their privacy for additional functionality. This would give the business more insight into user behavior to be able to sell more products. But now privacy is hip and something companies want to promote. For example, Apple is spending advertising dollars to promote their privacy controls. If you're creating an AI/ML engine, what information could be anonymized and/or thrown out after use? Lack of diversity didn't happen overnight. We're in this lack-of-diversity issue today because of years of ignoring it. That...

Measuring the Success of Your Security Program

This week's episode of Defense in Depth Measuring the Success of Your Security Program This week's episode is hosted by me, David Spark, producer of CISO Series, and Allan Alford. Our sponsored guest is Chad Boeckmann, CEO, TrustMAPP. All three of us discussed: The process is very systematic. Start with knowing your risks, how you're going to track them, and the controls you're going to put in place to manage them. Simple to say, hard to do. Security risk is just one of a multitude of risks a business faces. Data's whereabouts is a moving target. Having confidence in its location and protections is key to managing overall risk. Constantly be asking who has access to the data and what communications processes you are using to share that information between humans and machines. Discuss with leadership how you will judge success and what metrics you will use. The C-suite will need to lead the discussion, with security providing guidance as to what they can and can...

Privacy Is An Uphill Battle

Privacy Is An Uphill Battle This week's episode of Defense in Depth This week's episode is hosted by me, David Spark, producer of CISO Series, and Allan Alford. Our guest is Dave Bittner, host, The CyberWire Podcast. All three of us discussed: Marketers, the ones often collecting the data, have no incentive not to gather more. The only thing holding them back, barely, is newly growing privacy regulation. Security professionals are tasked with protecting privacy, but they're not usually on the front lines of data collection and are often brought in after the data has been collected. The public has become numb to the abuse of their privacy. A little is being chipped away at a time, so that they either don't know they're being abused or it appears to be so slight they don't even care. They see the benefits of sharing far outweighing the negatives. GDPR is large and very difficult to comply with. And although it only affects site visitors from Europe, most site owner...

A new issue of Intelligent CISO Issue 30 publication has been published.

A new issue of Intelligent CISO Issue 30 publication has been published. - Secure automation - Experts discuss using automation technology securely for business - Rise in ransomware - Why creating a comprehensive cybersecurity and Disaster Recovery plan is a ‘Must have’ - Powering security - How to ensure secure operations and manage risk in the energy supply chain - Remote Protection - Cyber trends - How to adapt to phishing trends and keep cybercriminals at bay - Infographic - 84% of businesses will likely increase WFH capacity beyond the pandemic despite security concerns - Threat updates - Latest updates from across the globe, the UK and Europe - Editor’s question - What are the advantages for enterprises and how are such capabilities secured? - Predictive Intelligence - How to fight back against the rise of ransomware - Feature - Securing connections in the cloud and across IoT Devices Read more: https://view.joomag.com/intelligent-ciso-issue-30/0425437001601973540?token=eyJ0eXAiOiJKV...

Living with and fighting the enemy in cyberspace

Information Security advisor Rangel Rodrigues recounts in his article what it is like to live through the terrible experience of having beloved family members infected with COVID-19, and draws an analogy with how companies can protect themselves from a cyberattack by mitigating risks that are inside the house. In my last article, I described some points on how we should arm ourselves to unmask the enemy. Now, at the end of a crisis I went through with COVID-19 with my wife and my daughters, I thought it would be interesting to share what it was like to protect myself from contamination by mitigating the risk when the enemy is inside the house. Looking at this from another perspective, I began to compare what it would be like to live with the enemy inside your work environment, whether a ransomware infection, a botnet hidden on a server or a data leak in the cloud. Attackers' creativity has become increasingly invasive. At the beginning of September, I found my wife and my daughters with positive tests for CO...

I Want to, but... I Just Can't Trust Your Single Pane of Glass

This week's episode of CISO/Security Vendor Relationship Podcast I Want to, but... I Just Can't Trust Your Single Pane of Glass This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Joshua Scott, former CISO, Realtor.com. All three of us discussed: Is there a future for the integrated suite? For years, the selling point of the pane of glass was to go with the integrated suite because it would cut down on the time and cost of integration. But with the API-first mentality, best of breed has become even easier to use, making integration of disparate solutions into a single pane of glass very possible. This effectively eliminates the integrated suite's "pane of glass" advantage. Setting up security guardrails for developers. This is a prime spot for innovation. Many have discussed how we can create an environment where developers can stay within the confines of appropriate security while still having the freedom to inno...

Calling Users Stupid

This week's episode of Defense in Depth Calling Users Stupid This week's episode is hosted by me, David Spark, producer of CISO Series, and Allan Alford. Our guest is Dustin Wilcox, CISO, Anthem. All three of us discussed: Security people have notoriously had a "better than them" attitude towards their users, who they view as the ones causing all the problems and making their lives more difficult. Calling users stupid for making a "mistake of effort", even if it's behind their back, does not foster a bond with the security team. It fosters the us vs. them attitude. Security professionals will have a lot more success if they understand why users do the things they do. Once there is that understanding, then cybersecurity will be better able to design systems that accommodate users. About a third of your users confidently believe they're following the right cybersecurity procedures. That discrepancy is not the fault of the users, it's the fault of cybe...

Enjoying My Blissful Ignorance of Cyber Vulnerabilities

This week's episode of CISO/Security Vendor Relationship Podcast Enjoying My Blissful Ignorance of Cyber Vulnerabilities This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Dustin Wilcox, CISO, Anthem. All three of us discussed: Propagating and believing in InfoSec myths can be dangerous to your cyber health. Believing that you can spot a phishing scam and that you're safe just as long as you go to mainstream sites are both fallacies. Ever been tricked by a magician? Then guess what, you can be tricked by a phishing email. They're designed to look just like normal emails. And mainstream sites have modules from third parties that may not have such stringent security standards. Sell your company in your job description. A lazily written job description will speak poorly of your company's employer brand. Far too many job descriptions are an amalgamation of previous jobs, stolen from other job descriptions with poor to ...

LGPD | There is no single area responsible for it; the whole organization is

LGPD | There is no single area responsible for it; the whole organization is By Rodrigo Magdalena Whenever something related to Data Privacy or Information Security comes to the fore, such as the implementation of a regulation (as is the case with the LGPD), much is asked about who is, in fact, responsible for its implementation and maintenance. But even before the spread of a data protection culture, the Information Technology area always suffered from this stigma whenever any aspect involving technology was needed and, consequently, ended up accumulating functions that went beyond its remit and, worse than that, put organizations' operations at risk, because people without the proper functional qualification were operating sensitive functions. A great example of this, already mixing Information Technology, Information Security and Data Privacy, is the powers that a network administrator had until recently (if not to this day in certain...

Is College Necessary for a Job in Cybersecurity?

This week's episode of Defense in Depth Is College Necessary for a Job in Cybersecurity? This week's episode is hosted by me, David Spark, producer of CISO Series, and Allan Alford. Our guest is Dan Walsh, CISO, Rally Health. All three of us discussed: Years ago most would say a college degree is necessary, but it appears the ROI for an exorbitant college education simply doesn't deliver like it used to. Tons of valuable online courseware can deliver a targeted education for individuals wanting to start a career in cybersecurity. If organizations believe these first two statements to be true, then why are they putting down a college degree as a requirement for jobs in cybersecurity? Is requiring a college degree a false and elitist narrative that doesn't drive better cybersecurity talent? Such a stringent requirement deters many people, including women and minorities, who may not have college degrees from pursuing cybersecurity roles. Most college courseware in comp...

Why CISOs Need Cloud to Secure the Network

Why CISOs Need Cloud to Secure the Network CISOs need a new way to secure networks. Martha, a salesperson, prides herself on being an “always on the move” digital worker. She often accesses sensitive data on her managed device at airport lounges while she gears up for the next meeting. She also surfs the internet, checks her social media updates and updates her personal blog. This type of connected employee, while a boon to the organization, can be a nightmare to the chief information security officer (CISO). Martha is not only exposing critical data to unknown networks while using WiFi services in public spaces, she is also exposing her company’s network to possible threats through external websites. In a modern cloud-centric digital business, the need to access information anywhere and everywhere is a top priority. Due to the recent shifts in the technology landscape, the adoption rate for SASE offerings is as low as 1%. “Secure access service edge, or SASE, supports ...

Tell Me We're Secure So I Can Go Back to Ignoring Security

This week's episode of CISO/Security Vendor Relationship Podcast Tell Me We're Secure So I Can Go Back to Ignoring Security This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Dan Walsh, CISO, Rally Health. All three of us discussed: The "are we secure" question is loaded with anxiety. Before addressing the literal nature of the question, "Are we secure?", try to understand why the question was asked. Defuse the anxiety to see if they're concerned about a certain type of attack, and then you can explain the types of protections and safeguards you have in place for that specific attack. Or, turn this into a discussion of risk and how a certain kind of attack would change the company's risk profile. A security force multiplier for DevOps. Educate key developers to be security champions and focus on automation and quality, which are two efforts that ring true with DevOps engineers. It's simply...

Working in Cybersecurity, Steps to consider for Developing your Cyber Career Plan (Part 4 of 4)

Working in Cybersecurity, Steps to consider for Developing your Cyber Career Plan (Part 4 of 4) I originally envisioned writing a series of pieces detailing some of the steps people would take if they were interested in a cybersecurity career. My goal was to develop a resource that would not only be used by people seeking entry-level positions but could also be used by seasoned professionals who needed to update their resume, search for a new job, or prepare for an interview. For those of you who may have missed the previous articles, they are as follows: 1. Writing a Cybersecurity Resume 2. Conducting a Cybersecurity Job Search 3. Preparing for Your Cybersecurity Job Interview The final chapter in this series is focused not on getting a job but on building a career. It is my hope that as you read these paragraphs, you have been selected for the job you interviewed for, and it's time for you to develop your career roadmap. I have spoken on numerous occasions about how I stu...

New issue of Intelligent CISO - Issue 29

New issue of Intelligent CISO - Issue 29 The new issue of Intelligent CISO was published this week and features some very interesting topics: Cyberthreat awareness; Identity era; Ransomware prevention; Constructing a Cyber Strategy; 2020s: The decade that tears down LANs, WANs, VPNs and Firewall; Vendors unveil solutions to improve endpoint protection capabilities. Read more: https://view.joomag.com/intelligent-ciso-issue-29/0126444001599150295?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb29tYWciLCJpYXQiOjE1OTkyMDIyMDMsImV4cCI6MTkxNDczNTAwMywic3Vic2NyaWJlcklEIjo1MTgyNzYxLCJjcmVhdGVfZGF0ZSI6IjIwMjAtMDktMDQgMDY6NTA6MDMiLCJ1bmlxdWUiOiJpUUtmVWF0aUtIOEhLRXdRV0RadUh5Yk84VVQ4clhuYSIsInR5cGUiOjN9.SDmDnXLtDSR6me47VfMcNFJukkCZAxWQNaUafWnQbSY&ref=email Tags 🏷 #cybersecurity #cso #ciso #infosec #hacker #itriskmanagement #ciberseguranca #cyberattacks #threats #malware #cibercrime #exploit #hackers #hacker #breach #mitreatt&ck #pentesting #cloudsecurity #cyberwar #datasecurity...

When Red Teams Breakdown

This week's episode of Defense in Depth When Red Teams Breakdown This week's episode is hosted by me, David Spark, producer of CISO Series, and Allan Alford. Our sponsored guest is Dan DeCloss, founder and CEO, PlexTrac. All three of us discussed: Don't make the mistake of red teaming too early. If you don't have your fundamental security program in place, you'll be testing non-existent defenses. If you're just starting to build up your security program, conduct a vulnerability scan and do some basic patch management. A red team exercise exists to discover risks you didn't even know about and couldn't have predicted in your threat model exercises. Have a plan for what you're going to do after the red team exercise. Just discovering you've got problems with no plan to remediate them will not only be a waste of money, but will also breed discontent. Don't red team just to fill out an audit report. You can do a vulnerability scan for that. Cons...

Request a Demo of Our Inability to Post a Demo

This week's episode of CISO/Security Vendor Relationship Podcast Request a Demo of Our Inability to Post a Demo This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Ross Young, CISO, Caterpillar Financial Services Corporation. All three of us discussed: Lose the "Request a Demo" button and upload a demo video. It's an extremely high bar to get an interested buyer to simply click the "Request a Demo" button. But it's an extremely low bar to get an interested buyer to watch a demo video of your product, or an even more elaborate walkthrough where they can self-select options. If they like what they see, don't worry, the interested buyer will request a demo. CEOs expect CISOs to lead the entire company in security. It's their most-desired CISO need. At the bottom of the priority list is leadership training. CEOs would rather have CISOs getting the whole company on board with security firs...

Cybersecurity and CxOs: How Can I Get Buy-In From The C-Suite?

Cybersecurity and CxOs: How Can I Get Buy-In From The C-Suite? As a security or IT leader, researching and vetting security solutions is step one. What’s step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost. This is easier said than done, especially now that organizations around the world are facing budget cuts in the wake of COVID-19. But, security is business-critical. So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? 1. Familiarize yourself with overall business objectives 2. Create specific “what-if” scenarios 3. Work closely with the security vendor 4. Collaborate and align with other departments 5. Consider how much the executive(s) really know about security 6. Use analogies to put costs into perspective 7. Invite key stakeholders to events or webinars 8. Prepare concise and personalized briefin...

It’s never the data breach -- it’s always the cover-up

It’s never the data breach -- it’s always the cover-up The felony charges levied against the former Uber CSO paint him as actively masterminding and executing a plan to cover up a major data breach. This serves as a reminder that CSOs and CISOs must consider how decisions made in the moment can be interpreted, construed, or proven to be criminal after the fact. The obstruction of justice and misprision of a felony charges levied against Joseph Sullivan, former Uber chief security officer (CSO), sent shock waves through the cybersecurity community. CSOs and chief information security officers (CISOs) rightfully wondered what these charges mean in terms of their own culpability for decisions made on the job. CSOs and CISOs handle sensitive data, make difficult decisions, and consider their responsibility to the company and its shareholders when making those decisions. Legal, regulatory, and privacy issues also feature heavily in these decisions. The narrative in the charging documents (Note...

What Cyber Pro Are You Trying to Hire?

This week's episode of Defense in Depth What Cyber Pro Are You Trying to Hire? This week's episode is hosted by me, David Spark, producer of CISO Series, and Allan Alford. Our guest is Liam Connolly, CISO, Seek. All three of us discussed: The poor focus of cybersecurity job listings often exposes either the poor understanding or the lack of maturity of a company's information security program. We often see management cyber jobs asking for engineering skills and vice versa. Job listings can also portray the "last guy" syndrome. Those are the job listings that tack on desired skills the last person did not have. When you see too many requirements, it comes off as a wish list. It's not what is required; it's more of a question of how many boxes a candidate can check off. There can be serious harm to a company's ability to hire if they throw down too many requirements or even optional items. People who are truly required for the position you want may never a...

LGPD enters into force this Thursday (27), after the Senate removes from the MP the article that postponed its effective date

LGPD enters into force this Thursday (27), after the Senate removes from the MP the article that postponed its effective date. Text puts the General Data Protection Law (LGPD) into immediate effect. The Federal Senate approved this Thursday (26), by 74 votes, the text of Provisional Measure (MP) 959/2020, but removed the article that extended the start of the General Data Protection Law (LGPD) to January 1, 2021. The President of the Senate, Davi Alcolumbre, rejected article 4 of the MP, which sought to postpone the law to the beginning of next year, on the grounds that the matter had already been voted on in the Senate plenary months earlier. With the rejection of the article, the LGPD is in force as of this Thursday (27). Read more: https://www.infomoney.com.br/politica/lgpd-entra-em-vigor-nesta-quinta-feira-apos-senado-retirar-de-mp-artigo-que-adiava-a-vigencia/ Tags 🏷 #cybersecurity #cso #ciso #infosec #hacker #itriskmanagement #ciberseguranca #cyberattacks #threats #malware #cibercrime #exploi...

CISOs would prefer LGPD only in May 2021

The Chamber voted on MP 959 and the General Data Protection Law is set to go to December 31, 2020; the text must be approved today (26) in the Senate. In the view of the CISOs consulted by Security Report, the LGPD should enter into force next year. The government's base in the Chamber of Deputies succeeded in reaching an agreement with deputy Damião Feliciano (PDT-PB), rapporteur of the bill on the General Data Protection Law (LGPD), and the legislation enters into force on December 31, 2021 after approval of Provisional Measure 959/20 on the night of today (25). The government leader in the Chamber, Ricardo Barros (PP-PR), negotiated this proposal. The MP will be sent to the Senate and will lapse if not voted on by senators by midnight this Wednesday (26). Originally, the MP postponed the effective date to May 2021, but the MP's rapporteur, deputy Damião Feliciano, removed that passage from the text. If the MP lapses, the LGPD enters into force as of August 28, 2020. The business sector defends postponing the LGPD's effective date...

The "Do What We Tell You" Technique Isn't Working

This week's episode of CISO/Security Vendor Relationship Podcast The "Do What We Tell You" Technique Isn't Working This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Michelle Valdez, CISO, OneMain Financial. All three of us discussed: Care more about users. We spend far too much effort trying to communicate the importance of security and getting people to care about it, so that we lose sight of the need to secure users and data. What if we cared more about users and understood why they don't embrace security as much as they should? How can we sympathize with what they're doing so that we can work security into their flow, rather than getting them to operate in security's flow? Minimize the surprises before you accept a job. You're not going to know everything about the security environment you inherit, even if you ask all the right questions. But do ask questions first. Don't leave it up to s...

Security Vendors Needs CISOs Too!

Security Vendors Needs CISOs Too! By Gary Hayslip I remember saying those words while at a security conference several years ago. I was sitting with peers, and we were discussing recent moves within the security community by vendors. It was remarked that, as the current CISO for Webroot, did I consider myself a real CISO? Of course, I was shocked; what do you mean, did I consider myself to be a real CISO? Did I no longer qualify as a senior security professional because I now worked to protect a cybersecurity vendor? Was I now a fake CISO? As we finish our discussion, I think it’s essential not to segregate the men and women who serve as CISOs into specific business or vendor type security leaders. Cybersecurity, its lifecycle, and many of its fundamental concepts and best practices are relatively the same no matter the industry, country, or organization. Now I am not so naive as to suggest there are no differences in laws, regulations, scale, or culture that impact CISO roles. However, many...

Your Newest Cybersecurity Professional Is Already in Your Company

The cybersecurity talent gap is real. The 2019/2020 Official Annual Cybersecurity Jobs Report predicts that there will be 3.5 million security jobs left unfilled globally by 2021. The cybersecurity profession hit a 0% unemployment rate, and the pay is good. So, why are security leaders struggling to fill positions? It could be because they are looking for a perfect candidate that doesn’t exist. Meanwhile, their newest security team member may already be working in their company. Unrealistic Guidelines for Cybersecurity Professional Careers Traditionally, the standard for entry-level cybersecurity professionals was five years of experience and several certifications, most specifically the Certified Information Systems Security Professional (CISSP) certificate. Even interns who work with a company have a tough time getting hired. Those who put in five years in the field and gained the certification typically aren’t looking for entry-level jobs. Job descriptions also don’t match the ...