
Posts

Jimmy Xu Answers Your DevSecOps Questions

Jimmy Xu, Director of DevSecOps & Cloud Security at Trace3, recently presented “Mastering DevSecOps.” Jimmy’s presentation generated lots of great questions, which he graciously answered below. If you missed his presentation or would like to watch it again, you can view it below.

With small Security and Dev teams, how do you manage segregation of duties?

This is a great question, and a common one. If done correctly, this is where the value of DevOps comes in. Consider these two options:

1. Leverage existing source code management platforms such as GitHub to enforce manual code review and approval before allowing new code to be merged into the main branch. You could enforce this as a mandatory gate as part of the code-merge pull request, along with the requirement that the code must pass all the build checks. I’ve seen the use of 1 to 2 mandatory approvers (another peer or manager on the dev team), but this depends upon the size of your dev team. If you leverage Infrastructure as Code (...
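The review-and-build gate described in the answer is only a segregation-of-duties control if the branch protection actually enforces it, so a practitioner will want to audit the settings rather than trust that they were clicked once. The following is an added example, not code from the presentation or from Trace3: it checks a branch-protection payload against a small policy (minimum approvers, required status checks, no admin bypass, no force pushes). The field names follow the GitHub REST API response for `GET /repos/{owner}/{repo}/branches/{branch}/protection`; the policy values and the two sample payloads are constructed for illustration and do not describe any real repository.

```python
"""Audit a GitHub branch-protection payload against a segregation-of-duties policy.

Added example (not from the presentation). Field names follow the GitHub REST
API branch-protection response; the payloads below are constructed samples.
"""
import json

# Policy knobs: assumed values, tune to team size as the answer suggests.
MIN_APPROVERS = 2
REQUIRED_CHECKS = {"build", "unit-tests", "sast"}  # assumed check names


def audit_branch_protection(protection: dict,
                            min_approvers: int = MIN_APPROVERS,
                            required_checks: set = REQUIRED_CHECKS) -> list[str]:
    """Return policy violations; an empty list means the merge gate is enforced."""
    findings = []

    # Gate 1: a second person must approve before code reaches the main branch.
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request review is not required; code can be pushed straight to the branch")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < min_approvers:
            findings.append(f"only {count} approving review(s) required, policy needs {min_approvers}")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("approvals survive new commits; dismiss_stale_reviews is off")
        if not reviews.get("require_code_owner_reviews", False):
            findings.append("CODEOWNERS review not required")

    # Gate 2: the build checks must pass, and on an up-to-date branch.
    checks = protection.get("required_status_checks")
    if checks is None:
        findings.append("no status checks are required before merge")
    else:
        missing = required_checks - set(checks.get("contexts", []))
        if missing:
            findings.append(f"required check(s) not enforced: {sorted(missing)}")
        if not checks.get("strict", False):
            findings.append("branch need not be up to date before merge (strict is off)")

    # Bypass paths that silently defeat both gates.
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("administrators can bypass the gate (enforce_admins is off)")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes allowed; history can be rewritten after review")
    return findings


# Constructed sample: looks protected in the UI but leaves every gate porous.
WEAK = {
    "required_status_checks": {"strict": False, "contexts": ["build"]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": False,
        "required_approving_review_count": 1,
    },
    "allow_force_pushes": {"enabled": True},
}

# Constructed sample: the gate the answer describes, with two mandatory approvers.
HARDENED = {
    "required_status_checks": {"strict": True, "contexts": ["build", "unit-tests", "sast"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 2,
    },
    "allow_force_pushes": {"enabled": False},
}

if __name__ == "__main__":
    for name, payload in (("weak", WEAK), ("hardened", HARDENED), ("unprotected", {})):
        print(name, json.dumps(audit_branch_protection(payload), indent=2))
```

Fed the live payload from `gh api repos/OWNER/REPO/branches/main/protection`, the same function turns the gate into something you can assert on in CI or a periodic job, which matters more on a small team where one person may hold both developer and admin rights.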

Junior Cyber People

This week's episode of Defense in Depth: Junior Cyber People. On this episode of Defense in Depth, co-host Allan Alford and Naomi Buckwalter, director of information security & privacy at Energage, discussed: There are tons of newbies eager to work in cybersecurity. The shortcoming is not the available pipeline, but a lack of headcount and managers' willingness to train and find appropriate assignments. Because headcount is often the limitation to hiring, leaders will opt to hire the most senior person they can get. The common feeling is to hire one experienced person and stress them out rather than hire three junior people and train them. The problem with the former is that if you stress that experienced person, they will leave and tell others not to work there. There is plenty of good junior-level cybersecurity work, such as asset management cleanup, PII discovery, procedure documentation, filling out security questionnaires, scrubbing and tuning out false positives from alerting systems, re...

Live Webinar | Cybersecurity in Healthcare Supply Chains: A CISO Perspective

"Cybersecurity is a supply chain problem." This statement, in one form or another, is increasingly making its way into headlines around the world. And efforts like COVID-19 vaccine research have made the vulnerabilities of the healthcare supply chain, in particular, shockingly personal. From medical records and payment systems to research and the medical devices themselves, the healthcare supply chain is a vast web of complex hardware, software, processes and paperwork. Yet few industries hold the level of personal, and even physical, risk should compromises occur via a cyber attack. The problem is almost too big for organizations to get full visibility into using traditional means -- so why would they? IronNet's Collective Defense model creates a secure sharing ecosystem among all entities of a supply chain in order to increase visibility into the threat landscape, detect attacks that go unnoticed by other tools, and share those attacks as an early warning system among...

Here’s How New CISOs Set a Course for Success

CISO Perspectives, Bryan Kissinger. Shipping companies hire captains to get cargo from Point A to Point B. The captain is expected to deliver the cargo safely and efficiently. The captain has a number of tools at his disposal, including a ship, a crew, a map, and a lot of trust, to ensure success. Naturally, the captain’s success depends on the quality of the tools as well as the conditions of the waterway. The best captain in the world won’t succeed unless his boat is seaworthy, his maps are accurate, and his crew is experienced. This should sound pretty familiar to CISOs. When a CISO starts a new job, she naturally wants to build a cybersecurity program of which she and her employer can be proud. But her success depends largely on the resources she has, including people, tools, and processes. If her new company is small or recently established, she will start from scratch. If, however, her company is established, has a dedicated team and a hist...

Set It. Forget It. Reset It. Repeat.

This week's episode of the CISO/Security Vendor Relationship Podcast is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Brett Conlon, CISO, Edelman Financial Engines. All three of us discussed: The "set it and forget it" attitude towards security is a path to insecurity. Maintenance and situational awareness are the key to security. If you become complacent and think everything's OK, that's when you get into trouble. Given that the industry is constantly changing and in flux, even your ethics can't be set it and forget it. Those need to change as well. The best thing you can do when your company is suffering a known vulnerability is to be available. The most frustrating aspect of security is the unknown. The more information you can provide customers, even when you've had to admit a failure, is valuable. Silence brews mistrust, and trust can be more powerful than a prod...

Securing connections in the cloud and across IoT devices

As today’s highly competitive and hyper-connected digital marketplace is driving new trends in networking and security, including the rapid adoption of cloud services and IoT devices, Jonathan Nguyen-Duy, Vice President, Global Field CISO Team, Fortinet, explains the importance of securing IoT and cloud connections. The hyper-connected, global marketplace of the 21st century has shifted the landscape for networking and security. Two prevalent trends in this area — cloud adoption and the rise of the Internet of Things (IoT) — are seemingly two different components of Digital Transformation, with separate purposes and scope. However, they actually work together, fuelling one another in the digital ecosystem. This symbiotic relationship has important implications when it comes to deploying, using and securing cloud services and the IoT. As the number of IoT devices grows, so does the amount of data they generate. This is in addition to the massive stores of data that are already being am...

How to Become a Good Red Team Professional?

How to become a good Red Team professional? The information security field has a high demand for qualified professionals, and as the days go by new openings keep appearing in both defensive and offensive security. One of those demands is certainly for security professionals who work on a Red Team. But first, what is a Red Team professional? Why does your company need a Red Team? How to become a good Red Team professional. Read more: https://www.linkedin.com/pulse/como-se-tornar-um-bom-profissional-de-red-team-dos-santos/?trackingId=MKZNQQe%2Fy87EsCFlGhIB1w%3D%3D Tags 🏷 #cybersecurity #cso #ciso #infosec #hacker #itriskmanagement #ciberseguranca #cyberattacks #threats #malware #cibercrime #exploit #hackers #hacker #breach #mitreatt&ck #pentesting #cloudsecurity #cyberwar #datasecurity #ethicalhacking #hacking #cloud #informationsecurity #securitymanagement #infosec #ransomware #datasecurity #red...