
Posts

Showing posts from August 2020

Cybersecurity and CxOs: How Can I Get Buy-In From The C-Suite?

As a security or IT leader, researching and vetting security solutions is step one. What’s step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost. This is easier said than done, especially now that organizations around the world are facing budget cuts in the wake of COVID-19. But security is business-critical. So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives?
1. Familiarize yourself with overall business objectives
2. Create specific “what-if” scenarios
3. Work closely with the security vendor
4. Collaborate and align with other departments
5. Consider how much the executive(s) really know about security
6. Use analogies to put costs into perspective
7. Invite key stakeholders to events or webinars
8. Prepare concise and personalized briefin...

It’s never the data breach -- it’s always the cover-up

The felony charges levied against the former Uber CSO paint him as actively masterminding and executing a plan to cover up a major data breach. This serves as a reminder that CSOs and CISOs must consider how decisions made in the moment can be interpreted, construed, or proven to be criminal after the fact. The obstruction of justice and misprision of a felony charges levied against Joseph Sullivan, former Uber chief security officer (CSO), sent shock waves through the cybersecurity community. CSOs and chief information security officers (CISOs) rightfully wondered what these charges mean for their own culpability for decisions made on the job. CSOs and CISOs handle sensitive data, make difficult decisions, and weigh their responsibility to the company and its shareholders when making those decisions. Legal, regulatory, and privacy issues also feature heavily in these decisions. The narrative in the charging documents (Note...

What Cyber Pro Are You Trying to Hire?

This week's episode of Defense in Depth: What Cyber Pro Are You Trying to Hire? This week's episode is hosted by me, David Spark, producer of CISO Series, and Allan Alford. Our guest is Liam Connolly, CISO, Seek. All three of us discussed: The poor focus of cybersecurity job listings often exposes either a poor understanding or a lack of maturity in a company's information security program. We often see management cyber jobs asking for engineering skills and vice versa. Job listings can also show the "last guy" syndrome: those are the listings that tack on the desired skills the last person did not have. When you see too many requirements it comes off as a wish list. It's not what is required; it's more a question of how many boxes a candidate can check off. There can be serious harm to a company's ability to hire if it throws down too many requirements or even optional items. People who are truly right for the position you want may never a...

LGPD takes effect this Thursday (27), after the Senate removes from the MP the article that postponed its entry into force

LGPD takes effect this Thursday (27), after the Senate removes from the MP the article that postponed its entry into force. The text puts Brazil's General Data Protection Law (Lei Geral de Proteção de Dados, LGPD) into immediate effect. The Federal Senate approved on Wednesday (26), by 74 votes, the text of Provisional Measure (Medida Provisória, MP) 959/2020, but removed the article that would have pushed the start of the LGPD's validity to January 1, 2021. The President of the Senate, Davi Alcolumbre, rejected Article 4 of the MP, which sought to postpone the law to the beginning of next year, on the grounds that the matter had already been voted on in the Senate plenary months earlier. With the article rejected, the LGPD is in force as of this Thursday (27). Read more: https://www.infomoney.com.br/politica/lgpd-entra-em-vigor-nesta-quinta-feira-apos-senado-retirar-de-mp-artigo-que-adiava-a-vigencia/ Tags 🏷  #cybersecurity #cso #ciso #infosec #hacker #itriskmanagement #ciberseguranca #cyberattacks #threats #malware #cibercrime #exploi...

CISOs would rather the LGPD take effect only in May 2021

The Chamber voted on MP 959 and the General Data Protection Law is expected to move to December 31, 2020; the text must be approved in the Senate on Wednesday (26). In the view of the CISOs consulted by Security Report, the LGPD should take effect next year. The government's base in the Chamber of Deputies reached an agreement with Deputy Damião Feliciano (PDT-PB), rapporteur of the bill on the General Data Protection Law (LGPD), and the legislation takes effect on December 31, 2020, after approval of Provisional Measure 959/20 on the night of the 25th. The government leader in the Chamber, Ricardo Barros (PP-PR), negotiated the proposal. The MP will be sent to the Senate and will lapse if the senators do not vote on it by midnight on Wednesday (26). Originally, the MP postponed the law's entry into force to May 2021, but the MP's rapporteur, Deputy Damião Feliciano, removed that passage from the text. If the MP lapses, the LGPD takes effect on August 28, 2020. The business sector argues for postponing the LGPD's entry into force...

The "Do What We Tell You" Technique Isn't Working

This week's episode of CISO/Security Vendor Relationship Podcast: The "Do What We Tell You" Technique Isn't Working. This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Michelle Valdez, CISO, OneMain Financial. All three of us discussed: Care more about users. We spend far too much effort trying to communicate the importance of security and getting people to care about it, and we lose sight of the need to secure users and data. What if we cared more about users and understood why they don't embrace security as much as they should? How can we sympathize with what they're doing so that we can work security into their flow, rather than forcing them into security's flow? Minimize the surprises before you accept a job. You're not going to know everything about the security environment you inherit even if you ask all the right questions. But do ask questions first. Don't leave it up to s...

Security Vendors Need CISOs Too!

Security Vendors Need CISOs Too! By Gary Hayslip. I remember saying those words while at a security conference several years ago. I was sitting with peers, and we were discussing recent moves within the security community by vendors. Someone asked whether, as the current CISO for Webroot, I considered myself a real CISO. Of course, I was shocked; what do you mean, did I consider myself to be a real CISO? Did I no longer qualify as a senior security professional because I now worked to protect a cybersecurity vendor? Was I now a fake CISO? As we finish our discussion, I think it’s essential not to segregate the men and women who serve as CISOs into specific business or vendor type security leaders. Cybersecurity, its lifecycle, and many of its fundamental concepts and best practices are largely the same no matter the industry, country, or organization. Now I am not naive enough to suggest there are no differences in laws, regulations, scale, or culture that impact CISO roles. However, many...

Your Newest Cybersecurity Professional Is Already in Your Company

The cybersecurity talent gap is real. The 2019/2020 Official Annual Cybersecurity Jobs Report predicts that there will be 3.5 million security jobs left unfilled globally by 2021. The cybersecurity profession hit a 0% unemployment rate and the pay is good. So, why are security leaders struggling to fill positions? It could be because they are looking for the perfect candidate that doesn’t exist. Meanwhile, their newest security team member may already be working in their company. Unrealistic Guidelines for Cybersecurity Professional Careers Traditionally, the standard for entry-level cybersecurity professionals was five years of experience and several certifications, most specifically the Certified Information Systems Security Professional (CISSP) certificate. Even interns, who work with a company, have a tough time getting hired. Those who put in five years in the field and gained the certification typically aren’t looking for entry-level jobs. Job descriptions also don’t match the ...

Jimmy Xu Answers Your DevSecOps Questions

Jimmy Xu, Director of DevSecOps & Cloud Security at Trace3, recently presented “Mastering DevSecOps.” Jimmy’s presentation generated lots of great questions, which he graciously answered below. If you missed his presentation or would like to watch it again, you can view it below.
With small Security and Dev teams, how do you manage segregation of duties?
This is a great question, and a common one. If done correctly, this is where the value of DevOps comes in. Consider these two options: 1. Leverage existing source code management platforms such as GitHub to enforce manual code review and approval before allowing new code to be merged into the main branch. You could enforce this as a mandatory gate as part of the code merge Pull Request, along with the requirement that code must pass all the build checks. I’ve seen the use of 1 to 2 mandatory approvers (another peer or manager on the dev team) but this depends upon the size of your dev team. If you leverage Infrastructure as Code (...
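The merge gate described in option 1 only provides segregation of duties if the branch protection settings actually require it, and those settings drift. The script below is an added example (not Jimmy Xu's or Trace3's code) that audits a branch-protection record against a small policy: a minimum approver count, named status checks that must pass, stale-approval dismissal, no admin bypass, and no force pushes. The two sample records are constructed for this example and assume the field layout of GitHub's "get branch protection" REST response (`required_pull_request_reviews`, `required_status_checks`, `enforce_admins`, `allow_force_pushes`); the check names `build` and `unit-tests` and the threshold of one approver are hypothetical policy choices, not values from the page.

```python
"""Audit a GitHub branch-protection payload against a segregation-of-duties policy.

Added example. The sample payloads below are constructed for this demo and
assume the shape of GitHub's branch protection REST response; they are not
data from the original post.
"""
from typing import Any

# Policy thresholds are assumptions for this example, following the post's
# advice of 1-2 mandatory approvers plus passing build checks.
POLICY: dict[str, Any] = {
    "min_approvers": 1,
    "required_checks": {"build", "unit-tests"},   # hypothetical check names
}

# Constructed sample: a `main` branch that enforces review and CI before merge.
GOOD_PROTECTION: dict[str, Any] = {
    "required_status_checks": {"strict": True, "contexts": ["build", "unit-tests"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
    },
    "allow_force_pushes": {"enabled": False},
}

# Constructed sample: a branch where a developer can merge their own change
# with no second pair of eyes, and an admin can push straight to main.
WEAK_PROTECTION: dict[str, Any] = {
    "required_status_checks": {"strict": False, "contexts": ["build"]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": False,
        "required_approving_review_count": 0,
    },
    "allow_force_pushes": {"enabled": True},
}


def audit_branch_protection(protection: dict[str, Any],
                            policy: dict[str, Any] = POLICY) -> list[str]:
    """Return the list of policy violations; an empty list means compliant.

    Missing sub-objects are treated as "not configured", which is what the
    GitHub API returns when a rule has never been enabled.
    """
    findings: list[str] = []

    # Review gate: at least N approvers, re-review after new commits, code owners.
    reviews = protection.get("required_pull_request_reviews") or {}
    count = reviews.get("required_approving_review_count", 0)
    if count < policy["min_approvers"]:
        findings.append(
            f"required_approving_review_count={count} is below {policy['min_approvers']}")
    if not reviews.get("dismiss_stale_reviews"):
        findings.append("approvals are not dismissed when new commits are pushed")
    if not reviews.get("require_code_owner_reviews"):
        findings.append("code owner review is not required")

    # Build gate: the named checks must be required, on an up-to-date branch.
    checks = protection.get("required_status_checks") or {}
    missing = set(policy["required_checks"]) - set(checks.get("contexts", []))
    if missing:
        findings.append(f"missing required status checks: {sorted(missing)}")
    if not checks.get("strict"):
        findings.append("branch is not required to be up to date before merging")

    # Bypass paths: admins exempt from the rules, or history rewritable.
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("administrators can bypass branch protection")
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        findings.append("force pushes are allowed")

    return findings


if __name__ == "__main__":
    for name, record in (("good", GOOD_PROTECTION), ("weak", WEAK_PROTECTION)):
        problems = audit_branch_protection(record)
        print(f"{name}: {'compliant' if not problems else problems}")
```

In practice you would feed `audit_branch_protection` the JSON returned for each protected branch and fail the pipeline, or open a ticket, on any non-empty result; the point of running it on a schedule rather than once is that an admin can relax these settings in the UI long after the initial setup, silently removing the second approver the process relies on.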

Junior Cyber People

This week's episode of Defense in Depth: Junior Cyber People. On this episode of Defense in Depth, co-host Allan Alford and Naomi Buckwalter, director of information security & privacy at Energage, discussed: There are tons of newbies eager to work in cybersecurity. The shortcoming is not the available pipeline, but a lack of headcount and of managers' willingness to train and find appropriate assignments. Because headcount is often the limitation to hiring, leaders will opt to hire the most senior person they can get. The common feeling is: hire one experienced person and stress them out rather than hire three junior people and train them. The problem with the former is that if you stress that experienced person they will leave and tell others not to work there. There is plenty of good junior-level cybersecurity work, such as asset management cleanup, PII discovery, procedure documentation, filling out security questionnaires, scrubbing and tuning out false positives from alerting systems, re...

Live Webinar | Cybersecurity in Healthcare Supply Chains: A CISO Perspective

"Cybersecurity is a supply chain problem." This statement, in one form or another, is increasingly making its way into headlines around the world. And efforts like COVID-19 vaccine research have made the vulnerabilities of the healthcare supply chain, in particular, shockingly personal.  From medical records and payment systems to research and the medical devices themselves - the healthcare supply chain is a vast web of complex hardware, software, processes and paperwork. Yet few industries hold the level of personal, and even physical, risk should compromises occur via a cyber attack. The problem is almost too big for organizations to get full visibility into using traditional means -- so why would they? IronNet's Collective Defense model creates a secure sharing ecosystem among all entities of a supply chain in order to increase visibility into the threat landscape, detect attacks that go unnoticed by other tools, and share those attacks as an early warning system among...

Here’s How New CISOs Set a Course for Success

CISO Perspectives, by Bryan Kissinger. Shipping companies hire captains to get cargo from Point A to Point B. The captain is expected to deliver the cargo safely and efficiently. The captain has a number of tools at his disposal, including a ship, a crew, a map, and a lot of trust, to ensure success. Naturally, the captain’s success depends on the quality of the tools as well as the conditions of the waterway. The best captain in the world won’t succeed unless his boat is seaworthy, his maps are accurate, and his crew is experienced. This should sound pretty familiar to CISOs. When a CISO starts a new job, she naturally wants to build a cybersecurity program of which she and her employer can be proud. But her success depends largely on the resources she has: people, tools, and processes. If her new company is small or recently established, she will start from scratch. If, however, her company is established, has a dedicated team and a hist...

Set It. Forget It. Reset It. Repeat.

This week's episode of CISO/Security Vendor Relationship Podcast: Set It. Forget It. Reset It. Repeat. This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Brett Conlon, CISO, Edelman Financial Engines. All three of us discussed: The "set it and forget it" attitude towards security is a path to insecurity. Maintenance and situational awareness are the key to security. If you become complacent and think everything's OK, that's when you get into trouble. Given that the industry is constantly changing and in flux, even your ethics can't be set and forgotten. Those need to change as well. The best thing you can do when your company is dealing with a known vulnerability is to be available. The most frustrating aspect of security is the unknown. The more information you can provide customers, even when you've had to admit a failure, the more valuable it is. Silence brews mistrust, and trust can be more powerful than a prod...

Securing connections in the cloud and across IoT devices

As today’s highly competitive and hyper-connected digital marketplace is driving new trends in networking and security, including the rapid adoption of cloud services and IoT devices, Jonathan Nguyen-Duy, Vice President, Global Field CISO Team, Fortinet, explains the importance of securing IoT and cloud connections. The hyper-connected, global marketplace of the 21st century has shifted the landscape for networking and security. Two prevalent trends in this area — cloud adoption and the rise of the Internet of Things (IoT) — are seemingly two different components of Digital Transformation, with separate purposes and scope. However, they actually work together, fuelling one another in the digital ecosystem. This symbiotic relationship has important implications when it comes to deploying, using and securing cloud services and the IoT. As the number of IoT devices grows, so does the amount of data they generate. This is in addition to the massive stores of data that are already being am...

How to become a good Red Team professional?

How to become a good Red Team professional? The information security field has a high demand for qualified professionals, and as the days go by new openings keep appearing in both defensive and offensive security. One of those demands is certainly for security professionals who work on a Red Team. But first: what is a Red Team professional? Why does your company need a Red Team? How to become a good Red Team professional. Read more: https://www.linkedin.com/pulse/como-se-tornar-um-bom-profissional-de-red-team-dos-santos/?trackingId=MKZNQQe%2Fy87EsCFlGhIB1w%3D%3D Tags 🏷 #cybersecurity #cso #ciso #infosec #hacker #itriskmanagement #ciberseguranca #cyberattacks #threats #malware #cibercrime #exploit #hackers #hacker #breach #mitreatt&ck #pentesting #cloudsecurity #cyberwar #datasecurity #ethicalhacking #hacking #cloud #informationsecurity #securitymanagement #infosec #ransomware #datasecurity #red...

CISO Q&A: How AvidXchange manages COVID-related threats and risk

Like many CISOs, Christina Quaine's team is supporting the payment processor's work-at-home employees and managing internal pandemic-specific risks. It also helps its mid-market customers meet new security challenges. CSO caught up with Christina Quaine, the CISO of AvidXchange, a North Carolina-based payments processor that focuses on mid-market companies. We talked to her about how this mid-sized company, with 1,400 or so employees, has dealt with the changes wrought by the COVID pandemic. Given the company’s role in financial transactions, we were particularly keen to hear how the rise in coronavirus fraud was affecting her job. Below is a transcript of our conversation, edited for length and clarity.
1. What should CISOs focus on in the pandemic environment?
2. What are the particular security challenges of your mid-market customers?
3. You have to protect yourself by protecting your customers
4. When did you first recognize the new risk potential and start executing...

Security Experts Must Connect Cybersecurity to Business Outcomes

CIOs and CISOs must engage executive decision makers to change how cybersecurity is treated in the organization and drive security investments that directly impact business outcomes. Cybersecurity has been on board agendas for at least a decade, but the recent coronavirus outbreak puts a spotlight on the disconnect between executive understanding of cybersecurity and their organization’s actual capabilities. “The stories that we’ve seen during the COVID-19 outbreak are the latest example highlighting the failed approach to cybersecurity that many organizations take,” says Paul Proctor, Distinguished VP Analyst, Gartner. “While executives were focused on ensuring compliance and stopping hackers, simple opportunities like enabling secure remote access technologies — which have a much larger business impact — were ignored. Now, organizations are scrambling to catch up.”
1. Societal perception is that cybersecurity is a technical problem, best handled by technical people.
2. Organizations...

Trusting Security Vendor Claims

This week's episode of Defense in Depth: Trusting Security Vendor Claims. On this episode of Defense in Depth, co-host Allan Alford and Lee Parrish, CISO, Hertz, discussed: Of those surveyed in a Valimail survey, a third to a half didn't believe that vendors did a good job explaining what their product does, or that the product actually performed, or that there was any way to actually measure that performance. Many questioned those numbers because they feel many security buyers still fall for security vendors' boastful claims. Both can actually be true. Stunned behavior at a trade show is not an indicator of knowledge or of susceptibility to vendor pitches. When you're under the gun as a security professional to produce results, you often fall victim to security vendor claims because you want to deliver on demands from the business. By nature, CISOs should be skeptical about vendor claims and about information within their own environment. There's a battle between those vendors t...

Go Phish: We get to know Chris Hodson, CISO, Tanium

We ‘Go Phish’ with Chris Hodson, CISO, Tanium, who explains why distributed working is unquestionably the major talking point of the industry. We took the decision to build a global cybersecurity team at Tanium, so my role has grown over the past 12 months. While most vendor CISOs are external-facing only, focused on customer advisory engagements, we have put everything related to security under one team. This centralisation has allowed us to define an overarching strategy for cybersecurity. Read more: https://www.intelligentciso.com/2020/08/11/go-phish-we-get-to-know-chris-hodson-ciso-tanium/ Tags 🏷 #cybersecurity #cso #ciso #infosec #hacker #itriskmanagement #ciberseguranca #cyberattacks #threats #malware #cibercrime #exploit #hackers #hacker #breach #mitreatt&ck #pentesting #cloudsecurity #cyberwar #datasecurity #ethicalhacking #hacking #cloud #informationsecurity #securitymanagement #infosec #ransomware #datasecurity #intelligentciso

6 Things CISOs Want Corporate Directors To Focus On

Zukis: Many CISOs were front and center during the height of the pandemic, and they've gotten more boardroom exposure than they've ever had. What's been the most significant adjustment from both perspectives? The role of the CISO has never been more appreciated by the boardroom because of Covid. As companies moved to work-from-home practices, hackers worked overtime to capitalize on the chaos, and the CISO was front and center with many corporate boards. Because of this, the role of the CISO has evolved from a cost-center to a critical business value protector. While many directors have received a crash course in cybersecurity during Covid, their long-term approach to cyber risk needs to continue its evolution. Rishi Tripathi, CISO of the NBA, recently shared his advice with me for corporate directors and what CISOs want from their boards as cybersecurity risk oversight continues to develop. 1. You hear the phrase "protecting the crown jewels" a lot reg...

Hacking It as a CISO: Advice for Security Leadership

A security leader shares tips for adopting a CISO mindset, creating risk management strategies, and "selling infosec" to IT and executives.
"If you demonstrate clearly [that] they are capable of making mistakes, they'll be angry at first, but generally if they're professionals, they'll get over it and want it to be better," he explained.
CISOs don't want to bring IT concerns to audit or management unless they absolutely have to.
Modern security leaders find themselves at the crossroads between business and technology, selling the importance of security to all levels of an organization while helping them maintain efficiency, create a risk management strategy, and prepare for the inevitability of a cyberattack. This idea of "selling information security" is the area where security leaders struggle most, said Peter Keenan, CISO of a financial services company, in a DEF CON talk. As security practitioners transition from roles as technical anal...

Audits | How to proceed during the pandemic?

The crisis caused by the COVID-19 pandemic has changed the way of life in every possible aspect of humanity, and it has also hit the professional sphere hard, where the changes have accelerated the home-office culture and other measures that already existed, but at an earlier stage, often in a disorderly, chaotic and... successful way. As much as we need (and rightly so) planning, control and risk management, things often happen by force of circumstance, and direct and indirect factors end up settling in and producing scenarios that become our standard. In the first wave of this issue, and speaking strictly about the professional side, organizations' concern moved from the health of their employees, contractors, partners and customers to the question of moving operations to the home, which has already been happening for some months in most corporations with relative success. Now, with this situation still in the spotlight...

How Vendors Should Approach CISOs

This week's episode of Defense in Depth: How Vendors Should Approach CISOs. On this episode of Defense in Depth, co-host Allan Alford and Ian Amit, CSO, Cimpress, discussed: All CISOs are different, so any advice we provide will vary from CISO to CISO. Plus, we have an entire other show, CISO/Security Vendor Relationship Podcast, dedicated to this very topic. We acknowledge that this is tough, because to be really on target you need to know what the CISO has, what their mix of products is, and how your product would work in their current security maturity and mix of security products and processes. It's all a very tall order for a security vendor. Vendors must stop thinking of themselves as point solutions and think instead about how they fit into the overall makeup of a security program. You're not coming in with a blank slate. How do you interoperate with what's existing? There's unfortunately the trend of the people who make the contact, then initiate a meeting, and hand off to...

New issue of Intelligent CISO - Intelligent CISO Issue 28

The new issue of Intelligent CISO was published this week and covers some quite interesting topics:
- Incident response course prepares attendees for cybersecurity readiness
- Security budget - Experts discuss how to manage security budgets for peak performance
- Cyberskills challenge - How to close the cyberskills gap while COVID-19 drives workforce cuts
- On-Trend Cybersecurity
And much more... Read more: https://view.joomag.com/intelligent-ciso-issue-28/0562325001596723402?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb29tYWciLCJpYXQiOjE1OTY3MjM5NTgsImV4cCI6MTkxMjI1Njc1OCwic3Vic2NyaWJlcklEIjo1MTgyNzYxLCJjcmVhdGVfZGF0ZSI6IjIwMjAtMDgtMDYgMTQ6MjU6NTgiLCJ1bmlxdWUiOiJETTdtQUxHR0poaFI5QUJtY1hPeThvYXNBSWVycFpucSIsInR5cGUiOjN9.yhR8xuvzGfcusXe7JRQ-SUL_vLBBiH3hnsvmnaUoM3g&ref=email Tags 🏷 #cybersecurity #cso #ciso #infosec #hacker #itriskmanagement #ciberseguranca #cyberattacks #threats #malware #cibercrime #exploit #hackers #hacker #breach #mitreatt&ck #pentesting #cloudsec...

Cyber Chiefs Watch Their People for Burnout as Pandemic Rolls On

Work that seeps into home life, a reluctance to take vacation and a barrage of online attacks put heavy strain on cyber workers. At Nasdaq, managers noticed pressures gathering on their cyber teams, in particular open-ended work. “They were working round the clock as needed,” said Lou Modano, chief information security officer. Read more: https://www.wsj.com/articles/cyber-chiefs-watch-their-people-for-burnout-as-pandemic-rolls-on-11596533400 Tags 🏷 #cissp #cciso #cism #isc2 #isaca #malware #cyberattack #threats #ransomware #cyberrisks #iot #itsecurity #cloud #cloudsecurity #infosecurity #securitymanagement #itriskmanagement #awarenesssecurity #top10vulnerabilities #carreira #career #darkweb #cybersecurity #cso #ciso #infosec #hacker #itriskmanagement #ciberseguranca #cibercrime

Bracing for the security data explosion

“Intelligence is our first line of defense, and we must improve the collection capabilities and analysis of intelligence to protect the security of the United States and its allies.” Organizations must prepare for collecting, processing, analyzing, and acting upon terabytes of security data. CISOs should internalize this quote from the former Senator from Georgia, extrapolating its focus toward cybersecurity defense. In other words, all decisions about cybersecurity strategies, program priorities, investments, etc. should be made based upon analysis of real-time and historical data. What types of data? EDR data, network metadata, cloud logs, identity data, threat intelligence, and so on. Read more: https://www.csoonline.com/article/3568184/bracing-for-the-security-data-explosion.html Tags 🏷 #cissp #cciso #cism #isc2 #isaca #malware #cyberattack #threats #ransomware #cyberrisks #iot #itsecurity #cloud #cloudsecurity #infosecurity #securitymanagement #itriskmanagement #awarenesss...

Best Condescending Techniques to Placate Minority Groups

This week's episode of CISO/Security Vendor Relationship Podcast: Best Condescending Techniques to Placate Minority Groups. This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Matt Conner, CISO, National Geospatial Intelligence Agency. All three of us discussed: Avoid diversity theater performances. After being caught poorly investing in black-owned businesses and having few if any African Americans in leadership roles, venture capital firms have made quick reactionary attempts at diversifying so as not to appear tone deaf. They've opened tiny funds (compared to their other funds) for black-owned businesses and have been accused of inflating the titles of African American employees. Black entrepreneurs want substantial, not reactionary, changes by VC firms. Even if you have a password manager, you still have to memorize a few strong passwords. At bare minimum, we all need to know at least three passwords: one to unlock our c...

CISO Stressbusters Post #3: 3 ways to share accountability for security risk management

Jim Eckart, former Chief Information Security Officer (CISO) of The Coca-Cola Company and current Chief Security Advisor at Microsoft shares his advice for relieving stress in today’s CISO Stressbuster post. If you are a CISO, it can feel like the responsibility for keeping the company secure rests solely on your shoulders. This may be an attitude that’s shared by your organization or a mindset based on your own sense of duty, but either way, it can cause a tremendous amount of stress—and it may not make your organization more secure. Although I currently work as a Chief Security Advisor at Microsoft, I’ve spent the last decade of my career as a CISO in companies like Eli Lilly and Coca-Cola. I know first-hand how stressful this role can be. Distributing accountability can alleviate some of the pressure. It can also help you bring in new ideas and build a security culture. For the third blog in the CISO stressbusters series, here are three tips for sharing security accountability withi...

5 traits all the best CISOs have

Global cyber leader Natalia Oropeza works as chief cyber security officer for Siemens, seen here speaking at Web Summit 2019 in Lisbon, Portugal. Much like Randori’s Wolpoff, Oropeza believes that the best CISOs understand the strategy and objectives of the company. (Photo by Sam Barnes/Sportsfile for Web Summit via Getty Images)
As someone regularly hired to lead red-team engagements that hack into Fortune 500 organizations, I’ve had the opportunity to work with – and go up against – many different types of security leaders. Some are technical, others thrive on adrenaline. Some dig deep into the weeds, and still others prefer the C-suite. Each type brings something unique to the table. Over my long career breaking into companies as a red team leader, I’ve found that the most formidable CISOs share five critical traits:
1. Protect their crown jewels.
2. Understand what’s valuable and what defines failure.
3. Speak the language of business.
4. Prioritize security fundamentals.
5. Measu...