Rafeeq Rehman CISO MindMap 2021: What do InfoSec professionals really do?
The CISO Evolution: Business Knowledge for Cybersecurity Executives
Mar 13 2022
How the CISO has adapted to protect the hybrid workforce
Many organisations have been considering a network transformation initiative to support the adoption of SaaS, cloud-based applications, and an increasingly remote workforce. Given the connectivity needs of a remote workforce – and knowing a hybrid workforce is here to stay – many IT teams have had to make sudden changes in the way workers connect to corporate systems that could introduce new cyber risks and vulnerabilities.
When developing a security strategy for supporting a hybrid workforce, it is essential to identify risks, as well as any potential blind spots. As CISOs embark on their transformational journeys, identifying these areas of weakness should be the top priority. Keeping business data safe everywhere is crucial to enabling employees to work anywhere. However, enforcing the same policies consistently from the endpoint, network, web, and cloud requires a new approach.
Cloud dominance
For instance, cloud vulnerabilities and misconfigurations continue to be a concern, particularly as the demand for more cloud integration has increased. This has led to CISOs shifting how they approach protecting the corporate perimeter with additional controls and monitoring tools being used to scan any access to the network. Security leaders are beginning to understand that legacy detection tools that would have traditionally been used for data centres, do not extend to the cloud which is why a shift in strategy is required. As a result, identifying and remediating cloud system vulnerabilities and misconfiguration errors is a top priority for the modern CISO when protecting the remote workforce.
Security landscape requires adaptation
Keeping up with security threat landscape is another area in which CISOs have had to adapt. Hackers have evolved in their tactics to evade detection while using techniques that require less effort and reap a higher reward. Their end result is to obtain money or steal sensitive data which normally involves ransomware schemes, state-sponsored methods or just nefarious individuals looking to make a name for themselves in the online underworld. Either way, they are more devious and better equipped than 12 months ago. Cybercrime has become commercialised, with many cybercriminals selling their tools, stolen details and ransomware kits across the dark web which is giving easy access for others to replicate and cause more disruption.
With the ability to launch cyberattacks more quickly with little effort, we are witnessing CISOs and security teams adopting a proactive mindset to cybersecurity. This approach helps to avoid being overwhelmed by the number of threats, especially those targeting workers who are outside the traditional perimeter and are accessing corporate files remotely.
Those that are not taking a proactive stance are at risk as even the most sophisticated defence strategies will become ineffective if they’re not regularly tested and kept current. While being able to mimic human behaviour with artificial intelligence, hackers are outpacing many organisations when it comes to the technology and hacking techniques used to attack them.
Other security initiatives to leverage
The job is never finished when it comes to the cybersecurity of an organisation. This means staying one step ahead of the next potential threat. Looking ahead now means better preparation for the future. Mitigating third-party risk, embedding security into the development process, and defending against ransomware attacks are just a few things that CISOs should be incorporating as part of the future-proofing cybersecurity strategy for a hybrid workforce.
Key initiatives should include adopting multi-factor authentication, achieving greater response time through automation, and extending Zero Trust to applications. The rapid adoption of cloud services, IoT, application containers, and other technologies is helping drive organisations forward. However, it also means that security teams must work harder to maintain visibility. To do so, they need to continuously see and catalogue every asset in their environments and accurately determine the security status of their devices.
In addition to the initiatives mentioned, secure access service edge (SASE) is a framework that CISOs are beginning to embrace as it is a convergence of key security capabilities including software-defined area networking (SD-WAN), Firewall-as-a-Service (FWaaS), Secure Web Gateway (SWG), Cloud-Access Security Brokers (CASB) and Zero-Trust Network Access (ZTNA). It supports the organisation’s cloud-based computing environments while providing security professionals the necessary information to secure the digital transformation journey as well as its remote workforce.
Organisations are feeling a shift in networking and security with the realities of mobile working, particularly as they rapidly adopt and embrace the cloud. With this, CISOs are seeking further efficiency, visibility, and stronger security for their enterprises. SASE and Zero trust implementations can provide more comprehensive security capabilities to support digital transformations.
Bindu Sundaresan, director at AT&T Cybersecurity
Jan 05 2022
CISO guide to bolstering cyber defenses
Why CIOs Should Report to CISOs – If the CISO is responsible for the security of the organization, then that same person also should be responsible for both security and IT infrastructure.
CISO Desk Reference Guide: A Practical Guide for CISOs
Jan 03 2022
A CISO’s guide to discussing cybersecurity with the board
To get the assets needed for CISOs to properly do their jobs, business leaders need to invest time, attention, and money in cybersecurity. Here are helpful ways that CISOs can discuss cybersecurity with their C-suite and board members.
Work your way to the table
As a newer role within organizations, CISOs may not yet be understood by leadership teams or have a seat at the executive table. Some CISOs may also be managed by other IT leaders such as a CIO and CTO, making it difficult to build trust among the rest of the C-suite and board. Even if you have a good relationship with your supervisors, some of the messaging might change as it goes through the chain of command.
It’s frustrating to not have a seat at the table, but there are other ways to be heard.
One way is to start building relationships with other members of leadership. You can try meeting one-on-one with business shareholders to share ideas, enjoy informal conversations or identify an ally.
In my own companies, I encourage these types of meetings. When team members want to run ideas by me, I’m happy to listen — regardless of their titles. If they bring in some good thoughts, I usually think them over and may follow up if the employees present compelling ideas. Building this trust may lead to me bringing these ideas to the board or even inviting the employees to present themselves.
Of course, it’s ideal to always have a seat at the table, but if that’s not possible, work your way up. Anyone can make an impact, but you must put yourself out there and build trust with your leadership.
Focus your message
When you get a chance to speak with executives, you typically don’t have much time to discuss details. And frankly, that’s not what executives are looking for, anyway. It’s important to phrase cybersecurity conversations in a way that resonates with the leaders.
Messaging starts with understanding the C-suite and boards’ priorities. Usually, they are interested in big picture initiatives, so explain why cyber investment is critical to the success of these initiatives. For example, if the CEO wants to increase total revenue by 5% in the next year, explain how they can prevent major unnecessary losses from a cyber attack with an investment in cybersecurity.
Once you know the executive team and board’s goals, look to specific members, and identify a potential ally. Has one team recently had a workplace security breach? Does one leader have a difficult time getting his or her team to understand the makings of a phishing scheme? These interests and experiences can help guide the explanation of the security solution.
Lose the tech jargon
If you’re a CISO, you’re well-versed in cybersecurity, but remember that not everyone is as involved in the subject as you are, and business leaders probably will not understand technical jargon. Conversations leading with highly technical terms are unlikely to kindle and keep a C-suite or board member’s attention.
CISOs are the translators that explain cybersecurity needs to leadership in a way they understand — through real-life examples and business metrics outlining risk. If you speak their language, executive leaders will be more willing to consider a proposal.
There’s more to being a CISO than keeping track of evolving risks and staying up to date on technological advancements. You are also an advocate for cybersecurity initiatives that protect the company, convincing executives to invest in cybersecurity. Working up to the board room might not be easy, but with clear and relevant messaging, you can be a champion for a strong cybersecurity strategy.
Information Security Governance: Framework and Toolset for CISOs and Decision Makers
Nov 10 2021
Most CIOs and CISOs underestimate the risk of an OT breach
“Not only do enterprises rely on OT, the public at large relies on this technology for vital services including energy and water. Unfortunately, cybercriminals are all too aware that critical infrastructure security is generally weak. As a result, threat actors believe ransomware attacks on OT are highly likely to pay off,” said Skybox Security CEO Gidi Cohen. “Just as evil thrives on apathy, ransomware attacks will continue to exploit OT vulnerabilities as long as inaction persists.”
The research unearths the uphill battle that OT security faces – comprised of network complexity, functional silos, supply chain risk, and limited vulnerability remediation options. Threat actors take advantage of these OT weaknesses in ways that don’t just imperil individual companies – but threaten public health, safety, and the economy.
Key takeaways
Organizations underestimate the risk of a cyberattack
Fifty-six percent of all respondents were “highly confident” their organization will not experience an OT breach in the next year. Yet, 83% also said they had at least one OT security breach in the prior 36 months. Despite the criticality of these facilities, the security practices in place are often weak or nonexistent.
CISO disconnect between perception and reality
Seventy-three percent of CIOs and CISOs are highly confident their OT security system will not be breached in the next year. Compared to only 37% of plant managers, who have more firsthand experiences with the repercussion of attacks. While some refuse to believe their OT systems are vulnerable, others say the next breach is around the corner.
Compliance does not equal security
To date, compliance standards have proven insufficient in preventing security incidents. Maintaining compliance with regulations and requirements was the most common top concern of all respondents. Regulatory compliance requirements will continue to increase in light of recent attacks on critical infrastructure.
Complexity increases security risk
Seventy-eight percent said complexity due to multivendor technologies is a challenge in securing their OT environment. In addition, 39% of all respondents said that a top barrier to improving security programs is decisions are made in individual business units with no central oversight.
Cyber liability insurance is considered sufficient by some
Thirty-four percent of respondents said that cyber liability insurance is considered a sufficient solution. However, cyber liability insurance does not cover costly “lost business” that results from a ransomware attack, which is one of the top three concerns of the survey respondents.
Exposure and path analysis are top cybersecurity priorities
Forty-five percent of CISOs and CIOs say the inability to conduct path analysis across the environment to understand actual exposure is one of their top three security concerns. Further, CISOs and CIOs said disjointed architecture across OT and IT environments (48%) and the convergence of IT technologies (40%) are two of their top three greatest security risks.
Functional silos lead to process gaps and technology complexity
CIOs, CISOs, Architects, Engineers, and Plant Managers all list functional silos among their top challenges in securing OT infrastructure. Managing OT security is a team sport. If the team members are using different playbooks, they are unlikely to win together.
Supply chain and third-party risk is a major threat
Forty percent of respondents said that supply chain/third-party access to the network is one of the top three highest security risks. Yet, only 46% said their organization as a third-party access policy that applied to OT.
CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers
Nov 03 2021
A ransomware reality check for CISOs
The dilemmas organizations must deal with are dizzying:
- To pay a ransom or not?
- Will cyber insurance provide adequate shelter?
- What’s the role of government?
- Are new mandates and penalties on the horizon?
- How are adversaries evolving their tactics?
To make sense of it all, let’s first focus on the adversaries and their playbook. Cyber criminals have a well-developed business model and carefully contemplated financial calculus of ransomware. They have determined whether they will launch a direct attack to maximize profits or offer Ransomware-as-a-Service, complete with a help desk and other support services, to supplement their income while enabling malicious actors with less technical skill.
They have researched their victims and targeted organizations based on their ability to pay. All these tactics are developed and executed in concert to make paying the ransom the path of least resistance – financially and logically.
Every aspect of a ransomware campaign is calculated to elicit an emotional response from the target such that it is easier to pay the ransom than to bear the costs and delays of trying to recover on their own.
Let’s start with what we shouldn’t do
Ransomware Protection Playbook
Oct 25 2021
CISO Interview Series: Investing in Frameworks, Humans, and Your Technical Skills
The journey for someone to the role of Chief Information Security Officer (CISO) isn’t often straightforward. Take Sandy Dunn, for example. Per SailPoint, Sandy started as a paper delivery kid at 10 years old. She then worked her way through software sales, insurance, and even horses before becoming the CISO of a health insurance provider in Idaho.
All these “entry-level” jobs share one thing in common. They gave Sandy the experience to fulfill a CISO’s multifaceted responsibilities. But don’t just take my word for it. Check out my conversation with Sandy below.
“One skill I think every CISO needs is business acumen.”
Joe Pettit: Thanks for taking the time to speak with me today, Sandy. I would love to hear some of your views on the role of the modern CISO. How is it changing, and what are the essential skills that a CISO should have now?
Sandy Dunn: The required skills for a CISO is an interesting question. Every business is different, so really every CISO role will be slightly different with different expectations for where they fit in the organization. One skill I think every CISO needs is business acumen. You need to be able to understand how security fits into that specific business. Having some level of technical skills is important, too. It helps you with effective communication with your cybersecurity team about issues, tools, proposed remediation, and then to be able to explain everything they just told you back to the business or put it into a business context. Technical knowledge will benefit you in understanding the severity of a problem, too (independent of the volume of the voice who is bringing it) and determine if a situation is a one-alarm fire or a five-alarm fire.
“…one of the things I really had to (Read more…)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Joe Pettit. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/ciso-interview-series-investing-in-frameworks-humans-and-your-technical-skills/
The 5 Roles of Leadership: Tools & best practices for personable and effective leaders
Jul 23 2021
Questions that help CISOs and boards have each other’s back
The ransomware threat posed by organized crime groups is considerable, and its impact can be devastating and threaten the entire business. This makes it imperative for boards to ensure the company has taken necessary cybersecurity precautions to resist the threat. Additionally, executives have seen the value of efficient infosec firsthand over the last eighteen months. The efforts security teams have made to keep businesses safely functioning during a global pandemic have been impressive, if not heroic.
Regardless of why the C-level is focusing on IT infrastructure and strategy, this interest presents an opportunity for security teams. I know this is true because over the last few years F-Secure’s board has been refining how we cooperate to make better decisions about our security posture and risk appetite.
At the core of this process has been the creation of questions we use to make the best use of our time together. When approached holistically and answered honestly, these queries allow us to understand if we are focused on the right things, whether we are achieving our goals, and where our gaps are.
Since we would have benefited by having a list to start with, we’re sharing five of ours now to help other organizations.
Start with the easier ones
Here are the first three questions that I expect board members to ask me whenever they get a chance:
- What are the key threats against your top assets?
- How do you protect your assets from cybersecurity threats?
- Whose responsibility is it to implement protections?
Questions that help CISOs and boards have each other’s back
Chief Information Security Officer
Jul 11 2021
Three security lessons from a year of crisis
When Pindrop surveyed security and fraud professionals across vital sectors including banking and healthcare, we discovered hundreds of teams that had made heroic efforts to continue operating in the face of huge obstacles. We were also reminded of the many ways that fraud threatens businesses and individuals facing turmoil.
Spikes in call volume left contact center agents overextended while lockdown protocols forced reorganizations and remote work; well-intentioned and generally beneficial programs like PPP loans provided new avenues for fraud; and fraud attempts shifted to new venues, like banks’ prepaid card divisions.
More time on the line
Today, we live our lives—and conduct our business—online. Our data is in the cloud and in our pockets on our smartphones, shuttled over public Wi-Fi and company networks. To keep it safe, we rely on passwords and encryption and private servers, IT departments and best practices. But as you read this, there is a 70 percent chance that your data is compromised . . . you just don’t know it yet.
Cybersecurity attacks have increased exponentially, but because they’re stealthy and often invisible, many underplay, ignore, or simply don’t realize the danger. By the time they discover a breach, most individuals and businesses have been compromised for over three years. Instead of waiting until a problem surfaces, avoiding a data disaster means acting now to prevent one.
No matter who you are or where you work, cybersecurity should be a top priority. The information infrastructure we rely on in every sector of our lives—in healthcare and finance, for governments and private citizens—is both critical and vulnerable, and sooner or later, you or your company will be a target. This book is your guide to understanding the threat and putting together a proactive plan to minimize exposure and damage, and ensure the security of your business, your family, and your future.
Jul 06 2021
CISO implementation guide: 10 ways to ensure a cybersecurity partnership will work
Capitalizing on the urgency companies have to launch new digital businesses, cybersecurity vendors create partnerships to close product gaps quickly. An understanding of how the new alliances can deliver results must be part of every CISO’s purchasing decision process. But partnerships can be something of a slippery slope.
Today, CISOs face the conflicting problem of securing operations while supporting business growth. IT and cybersecurity teams are stretched thin attempting to scale endpoint security for virtual workforces, while securing their customer identities and transactions. CIOs and CISOs are turning to vendors they rely on for immediate help. In turn, cybersecurity vendors’ quick fix is to create as many partnerships as possible to close product gaps and close the upsell or new sale.
What’s driving market demand is the pressure CIOs and CISOs have to deliver results. Companies’ boards of directors are willing to double down on digital business plan investments and accelerate them. According to the 2021 Gartner Board of Directors’ survey, 60% of the boards rely on digital business initiatives to improve operations performance, and 50% want to see technology investments deliver improved cost optimization.
Company boards have a high level of enthusiasm for technology spending in general and cybersecurity especially. As a result, Gartner predicts the combined endpoint security and network access market will be a $111 billion opportunity. For such cybersecurity companies, partnerships are a quick path to lucrative deals and higher profits.
Partnerships alone will not solve the conflicting demands for IT resources to secure a business while driving new business growth. They are not a panacea for the biggest challenges facing IT today. Trusting the wrong partnerships can cost millions of dollars, lose months of productive time, and even cause a new digital venture to fail. Due diligence of nascent cybersecurity partnerships needs to go beyond comparing partners’ financial statements and into the specifics of how multiple technologies are performing in actual, live scenarios today. Ten ways stand out as means to guide decision making.
10 ways to truth-test cybersecurity partnerships
Previous CISO related articles
Jun 12 2021
Certified Information Systems Security Professional (CISSP) training course
Certified Information Systems Security Professional (CISSP) training course
If you’re building a career in information security the Certified Information Systems Security Professional (CISSP) is the must-have qualification to help you progress. It is a globally recognized standard that demonstrates your competence as an IT professional.
This course will prepare you with the knowledge and skills to complete the CISSP exam, which will get you Certified Information Systems Security Professional status. professional. Covering topics including cloud computing, mobile security, application development security, and risk management, you will gain the knowledge to best manage information security issues back in your organization.
Duration: 5 days
“I would highly recommend the course to a friend, and in fact I already have! I’d also recommend it to a security team within an organization, even if they’re not specifically targeting a CISSP certification as it teaches a broad range of best practices and will help instill a culture of security and best practice in any organization.”
Who should attend?
This training course is intended for professionals who have at least 5 years of recent full-time professional work experience in 2 or more of the 8 domains of the CISSP common body of knowledge (CBK), such as:
- Security consultants
- Security managers
- IT directors/managers
- Security auditors
- Security architects
- Security analysts
- Security systems engineers
- Chief information security officers
- Security directors
- Network architects
Please note: A one year experience waiver is available with a 4-year college degree, or regional equivalent, or additional credentials from the (ISC)² approved list, thus requiring four years of direct full-time professional security work experience in 2 or more of the 8 domains of the CISSP CBK.
Don’t have 5 years of experience? – Become an Associate of (ISC)²
Certified Information Systems Security Professional (CISSP) training course
Official (ISC)2® Guides
7 tips for CISSP Success
May 28 2021
The evolution of the modern CISO
The modern CISO
The role of CISO first emerged as organizations embraced digital revolutions and began relying on new data streams to help inform business decisions. As technology continued to advance and became more complex, so too did threat actors who saw new opportunities to disrupt businesses, by stealing or holding that data hostage for ransom.
As the years have gone by and cyberattacks have become more sophisticated, the role of the CISO has had to advance. The CISO has evolved from being the steward of data to also being a guardian for availability with the emergence of more destructive and disruptive attacks. The CISO also must be highly adaptable and serve as the connective tissue between security, privacy and ultimately, consumer trust.
The changing threat landscape
Previous blogs on CISO & vCISO
Related latest CISO and vCISO titles
Apr 13 2021
ISO 27002 major revision
ISO is shaking up the familiar structure of the ISO 27001/27002 control framework after over 20 years of stability.
Originally published as British Standard BS 7799 Part 1 and 2 in the late 1990s, adopted as the ISO 17799 standard in 2000, and then renumbered as ISO 27001/27002, the name has changed a few times but the structure of the controls has remained intact until now.
Historically ISO has resisted major changes given that so many organizations globally have adopted ISO 27001/27002 for their security policies, security programs and certifications, and considering that numerous countries have adopted or incorporated them into their own national standards.
Publication of the final standard is expected to occur in the next year.
What is changing with the update to ISO 27002?
Apr 13 2021
With ISO27001 how you should choose the controls needed to manage the risks
Introduction and Background
As required by ISO27001 the risks identified in the risk assessment need to be ones that if they happened would result in the loss of Confidentiality Integrity and/or Availability (CIA) of information in the scope of the ISMS. As also required by ISO27001 those controls that are necessary to modify each risk need to be determined. Each risk gets a list of one or more controls.
This article gives some advice about how to choose/determine the controls for each risk and how control sets (e.g. Annex A, ISO27017, ISO27018, NIST CSF, CSA) can be used to help with this and as a quality check on the risk assessment.
What do we mean by necessary?
A good question!
“Needed to manage the risk”. Yes, I know that this just rephrases the word “necessary”….
In many cases this is a simple (or perhaps tricky!) matter of judgment but each control should be checked if it is necessary by asking questions like these:
- what effect this control has on the likelihood or impact of this risk? Only controls that have more than a negligible effect on the likelihood or impact should be designated as “necessary”.
- what would happen to this risk if this control is not in place or stops working properly? Your answer should be “the business continues to operate and deliver all its services but we have just increased the likelihood and/or impact of something going wrong that stops us delivering this service and/or gets in the way of meeting our objectives”. If this is not your answer then this control is unlikely to be “necessary” and should not be included.
Source: Main approaches to determining controls.
![Secure & Simple – A Small-Business Guide to Implementing ISO 27001 On Your Own: The Plain English, Step-by-Step Handbook for Information Security Practitioners by [Dejan Kosutic]](https://m.media-amazon.com/images/I/51BN2rT3+yL.jpg)
Mar 30 2021
Five signs a virtual CISO makes sense for your organization
Here are five signs that a virtual CISO may be right for your organization.
1. You have a lot to protect
Companies produce more data than ever, and keeping track of it all is the first step to securing it. A virtual CISO can identify what data needs to be protected and determine the negative impact that compromised data can have, whether that impact is regulatory, financial or reputational.
2. Your organization is complex
Risk increases with employee count, but there are many additional factors that contribute to an organization’s complexity: the number of departments, offices and geographies; how data is used and shared; the distribution of architecture; and the life cycle of applications, data and the technology stack.
A virtual CISO offers an unbiased, objective view, and can sort out the complexity of a company’s IT architecture, applications and services. They can also determine how plans for the future add complexity, identify and account for the corresponding risk, and recommend security measures that will scale to support future demand.
3. Your attack surface is broad
For many organizations, potential vulnerabilities, especially those that share a great deal of data within the organization, may not be obvious at first glance. Virtual CISOs can identify both internal and external threats, determine their probability and quantify the impact they could have on your organization. And at a more granular level, they can determine if those same threats are applicable to competitors, which can help maintain competitiveness within your market.
4. Your industry is highly regulated
Organizations in regulated industries like healthcare, finance, energy/power and insurance will have data that is more valuable, which could make them a bigger target for bad actors. Exposure is even more of a concern due to potential noncompliance. Virtual CISOs bring a wealth of expertise on regulatory standards. They can implement processes to maintain compliance and offer recommendations based on updates to applicable rules and regulations.
5. Your risk tolerance is low
An organization without a great deal of sensitive data may have a much greater tolerance for risk than a healthcare provider or a bank, but an honest assessment is important in determining how much risk each organization should accept. A virtual CISO can coordinate efforts to examine perceived and actual risk, identify critical vulnerabilities and provide a better picture of risk exposure that can inform future decisions.
Cybersecurity is growing more complex, and organizations of all sizes, especially those in regulated industries, require a proven security specialist who can address the aforementioned challenges and ensure that technology and processes are in place to mitigate security risks.
Mar 10 2021
Boards: 5 Things about Cyber Risk Your CISO Isn’t Telling You
As Jack Jones, co-founder of RiskLens, tells the story, he started down the road to creating the FAIR™ model for cyber risk quantification because of “two questions and two lame answers.” As CISO at Nationwide insurance, he presented his pitch for cybersecurity investment and was asked:
“How much risk do we have?”
“How much less risk will we have if we spend the millions of dollars you’re asking for?”
To which Jack could only answer “Lots” and “Less.”
“If he had asked me to talk more about the ‘vulnerabilities’ we had or the threats we faced, I could have talked all day,” he recalled in the FAIR book, Measuring and Managing Information Risk.
In that moment, Jack saw the need for a way that cybersecurity teams could communicate risk to senior executives and boards of directors in the language of business, dollars and cents.
Some CISOs are still in the position of Jack pre-quantification – talking all day and delivering lame answers, from the board’s point of view. Here’s a short guide to what they’re not saying – and how RiskLens, the analytics platform built on FAIR, can provide the right answers.
1. I don’t really know what our top risks are
I can ask a group of subject matter experts in the company to vote on a top risks list based on their opinions, but that’s as close as I can get.
Top Risks is the first report that many new RiskLens users run, and it only takes minutes, using the Rapid Risk Assessment capability of the RiskLens platform. The platform guides you through properly defining a set of risks (say, from your risk register) for quantitative analysis according to the FAIR standard. To speed the process, the platform draws on data from pre-populated loss tables. The resulting analysis quickly stack-ranks the risks for probable size of loss in dollar terms, across several parameters.
2. I can’t give you an ROI on the money you give me to invest in cybersecurity
You see, cybersecurity is different from other programs you’re asked to invest in – it’s constantly changing and never-ending. You never really hit a point of success; you just chip away at the problem.
With Top Risks in hand, RiskLens clients can dig deeper on individual scenarios and run a Detailed Analysis to expose the drivers of risk to see, for instance, what types of threat actors account for the highest frequency of attacks or what classes of assets account for the highest probable losses. Then they can run the Risk Treatment Analysis capability of the platform to evaluate controls for their ROI in risk reduction.
3. I can’t really tell you if things are getting better on cyber risk.
I can show you our progress with compliance checklists and maturity scales, and I hope you’ll assume that’s reducing risk.
While compliance with NIST CSF, CIS Controls, etc. is good and useful, these frameworks don’t measure performance outcomes in reducing risk – that takes a quantitative approach. The RiskLens platform can aggregate risk scenarios to generate risk assessment reports showing risk across the enterprise or by business unit, in dollar terms – and to show risk exposure over time. It’s easy to update and re-run risk assessments, thanks to the platform’s Data Helpers that store risk data for re-use. Update a Data Helper, and all the related risk scenarios update at the same time – and so do the aggregated risk assessments.
4. I can’t help you set a risk appetite.
I don’t really know how much risk we have and am pretty much operating on the principle that no risk is acceptable.
Boards should have a strong sense of their appetite for risk in cyber as in all fields, but qualitative (high-medium-low) cyber risk analysis only supports vague appetite statements that are difficult to follow in practice. On the RiskLens platform, a CISO can input a dollar figure for “risk threshold” as a hypothetical, and run the analyses to rank how the various risk scenarios stack up against that limit, making a risk appetite a practical target.
5. I don’t know how to align cyber risk management with the other forms of risk management we do.
Enterprise risk, operational risk, market risk, financial risk—I’ve heard their board presentations in quantitative terms. But cyber is just different.
Quantification is the answer – reporting on cyber risk in the same financial terms that the rest of enterprise risk management programs employ finally gives the board what it wants to hear on cyber risk management. ISACA, the National Association of Corporate Directors and the COSO ERM framework have all recommended FAIR for board reporting. As an ISACA white paper said,
The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk…FAIR can enable the economic representation of cybersecurity risk that is sorely missing in the boardroom, but can illuminate cybersecurity exposure.
Feb 24 2021
6 free cybersecurity tools CISOs need to know about
6 free cybersecurity tools for 2021
1: Infection Monkey
Infection Monkey is an open source Breach and Attack Simulation tool that lets you test the resilience of private and public cloud environments to post-breach attacks and lateral movement, using a range of RCE exploiters.
Infection Monkey was created by Israeli cybersecurity firm Guardicore to test its own segmentation offering. Developer Mike Salvatore told told The Stack: “Infection Monkey was inspired by Netflix’s Chaos Monkey.
“Chaos Monkey randomly disables production instances to incentivize engineers to design services with reliability and resilience in mind. We felt that the same principles that guided Netflix to create a tool to improve fault tolerance could be applied to network security. Infection Monkey can be run continuously so that security-related shortcomings in a network’s architecture can be quickly identified and remediated.”
The company recently added a Zero Trust assessment, as well as reports based on the MITRE ATT&CK framework.
Source: 6 free cybersecurity tools CISOs need to know about
Feb 14 2021
Want to become a CISO
CISO role is not only limited to understanding infrastructure, technologies, threat landscape, and business applications but to sway people attitude and influence culture with relevant policies, procedures and compliance enforcement to protect an organization.
#CISO #vCISO
Explore more on CISO role:
Feb 11 2021
Cost Effective Cyber Security
DISC InfoSec provides cost effective Cybersecurity: CISO as a Service (CISOaaS)
A Chief Information Security Officer (CISO) is an executive responsible for cybersecurity. Many medium-sized organizations need a CISO but don’t have the budget for one. A Fractional CISO/ vCISO can deliver the value of a full-time CISO without the same level of investment.
Why do you may need one?
- Lower your organizational cybersecurity risk with industry expert leadership.
- Supplement your team with InfoSec program, policy and process experts to solve your most pressing needs.
- Prioritize your cybersecurity investments with quantitative decision making.
- vCISO for your Interim CISO needs.
- vCISO program can put you on a path to success with your compliance initiatives, such as a NIST CSF compliance or ISO 27001 certification.
DISC InfoSec also performs technical control assessment such as (Web Application testing) which is imperative to your compliance and ISO 27001 certification process.
In short, as a CISOaaS we do all the legwork so you can focus on running your business.
Our vCISO advisory services are available to support the security/ technology leadership of your organization to implement and improve security and risk posture in today’s heightened security averse landscape.
If you are interested to know more about how can we assist you in your latest InfoSec and compliance project, schedule a short call on our calendar.
Latest DISC InfoSec blog feed
Chief Information Security Officer
Contact DISC InfoSec for any question
Jul 17 2020
Twitter stepped up search to fill top security job ahead of hack
Search for a chief information security officer
Twitter Inc had stepped up its search for a chief information security officer in recent weeks, two people familiar with the effort told Reuters, before the breach of high-profile accounts on Wednesday raised alarms about the platform’s security. Twitter said hackers had targeted employees with access to its internal systems and “used this access to take control of many highly-visible (including verified) accounts.”
The second and third rounds of hijacked accounts tweeted out messages telling users to send bitcoin to a given address in order to get more back. Publicly available blockchain records show the apparent scammers received more than $100,000 worth of cryptocurrency.
The U.S. House Intelligence Committee was in touch with Twitter regarding the hack, according to a committee official who did not wish to be named.
Source: Twitter stepped up search to fill top security job ahead of hack
Twitter says 130 accounts were targeted in hack
httpv://www.youtube.com/watch?v=4pquwx-doYg
Explore latest CISO Titles at DISC InfoSec
Download a Security Risk Assessment Steps paper!
Subscribe to DISC InfoSec blog by Email
Take an awareness quiz to test your basic cybersecurity knowledge
DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles
« Previous Page — Next Page »
