Posts

Cybersecurity and CxOs: How Can I Get Buy-In From The C-Suite?

As a security or IT leader, researching and vetting security solutions is step one. What's step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it's worth the cost. This is easier said than done, especially now that organizations around the world are facing budget cuts in the wake of COVID-19. But security is business-critical. So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives?
1. Familiarize yourself with overall business objectives
2. Create specific "what-if" scenarios
3. Work closely with the security vendor
4. Collaborate and align with other departments
5. Consider how much the executive(s) really know about security
6. Use analogies to put costs into perspective
7. Invite key stakeholders to events or webinars
8. Prepare concise and personalized briefin...

It's never the data breach -- it's always the cover-up

The felony charges levied against the former Uber CSO paint him as actively masterminding and executing a plan to cover up a major data breach. This serves as a reminder that CSOs and CISOs must consider how decisions made in the moment can be interpreted, construed, or proven to be criminal after the fact. The obstruction of justice and misprision of a felony charges levied against Joseph Sullivan, former Uber chief security officer (CSO), sent shock waves through the cybersecurity community. CSOs and chief information security officers (CISOs) rightfully wondered what these charges mean in terms of their own culpability for decisions made on the job. CSOs and CISOs handle sensitive data, make difficult decisions, and consider their responsibility to the company and its shareholders when making those decisions. Legal, regulatory, and privacy issues also feature heavily in these decisions. The narrative in the charging documents (Note...

This week's episode of Defense in Depth: What Cyber Pro Are You Trying to Hire?

This week's episode is hosted by me, David Spark, producer of CISO Series, and Allan Alford. Our guest is Liam Connolly, CISO, Seek. All three of us discussed: The poor focus of cybersecurity job listings often exposes either the poor understanding or the lack of maturity of a company's information security program. We often see management cyber jobs asking for engineering skills and vice versa. Job listings can also portray the "last guy" syndrome. Those are the job listings that tack on desired skills the last person did not have. When you see too many requirements it comes off as a wish list. It's not what is required; it's more a question of how many boxes a candidate can check off. There can be serious harm to a company's ability to hire if they throw down too many requirements or even optional items. People who are truly required for the position you want may never a...

LGPD takes effect this Thursday (27) after the Senate removes from the MP the article that postponed its entry into force

The text puts the General Data Protection Law (LGPD) into effect immediately. The Federal Senate approved this Thursday (26), by 74 votes, the text of Provisional Measure (MP) 959/2020, but removed the article that postponed the start of the LGPD's entry into force to January 1, 2021. The President of the Senate, Davi Alcolumbre, rejected article 4 of the MP, which aimed to postpone the law to the beginning of next year, on the grounds that the matter had already been voted on in the Senate plenary months earlier. With the rejection of the article, the LGPD is in force as of this Thursday (27). Read more: https://www.infomoney.com.br/politica/lgpd-entra-em-vigor-nesta-quinta-feira-apos-senado-retirar-de-mp-artigo-que-adiava-a-vigencia/ Tags 🏷 #cybersecurity #cso #ciso #infosec #hacker #itriskmanagement #ciberseguranca #cyberattacks #threats #malware #cibercrime #exploi...

CISOs would prefer the LGPD only in May 2021

The Chamber of Deputies voted on MP 959 and the General Data Protection Law should move to December 31, 2020; the text needs to be approved today (26) in the Senate. In the view of the CISOs interviewed by Security Report, the LGPD should take effect next year. The government's base in the Chamber of Deputies succeeded in reaching an agreement with deputy Damião Feliciano (PDT-PB), rapporteur of the bill on the General Data Protection Law (LGPD), and the legislation takes effect on December 31, 2021 after approval of Provisional Measure 959/20 tonight (25). The government leader in the Chamber, Ricardo Barros (PP-PR), negotiated this proposal. The MP will be sent to the Senate and will lapse if it is not voted on by the senators by midnight this Wednesday (26). Originally, the MP postponed the entry into force to May 2021, but the MP's rapporteur, deputy Damião Feliciano, removed that passage from the text. If the MP lapses, the LGPD takes effect on August 28, 2020. The business sector defends postponing the LGPD's entry into force...

The "Do What We Tell You" Technique Isn't Working

This week's episode of CISO/Security Vendor Relationship Podcast: The "Do What We Tell You" Technique Isn't Working. This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Michelle Valdez, CISO, OneMain Financial. All three of us discussed: Care more about users. We spend so much effort trying to communicate the importance of security and getting people to care about it that we lose sight of the need to secure users and data. What if we cared more about users and understood why they don't embrace security as much as they should? How can we sympathize with what they're doing so that we can work security into their flow, rather than getting them to operate in security's flow? Minimize the surprises before you accept a job. You're not going to know everything about the security environment you inherit even if you ask all the right questions. But do ask questions first. Don't leave it up to s...

Security Vendors Needs CISOs Too!

By Gary Hayslip. I remember saying those words while at a security conference several years ago. I was sitting with peers, and we were discussing recent moves within the security community by vendors. It was remarked that, as the current CISO for Webroot, did I consider myself a real CISO? Of course, I was shocked; what do you mean, did I consider myself to be a real CISO? Did I no longer qualify as a senior security professional because I now worked to protect a cybersecurity vendor? Was I now a fake CISO? As we finish our discussion, I think it's essential not to segregate the men and women who serve as CISOs into specific business or vendor type security leaders. Cybersecurity, its lifecycle, and many of its fundamental concepts and best practices are relatively the same no matter the industry, country, or organization. Now I am not so naive as to suggest there are no differences in laws, regulations, scale, or culture that impact CISO roles. However, many...