Jul 18 2022

Virtual CISOs Are the Best Defense Against Accelerating Cyber-Risks

Category: CISO, Information Security, vCISO | DISC @ 11:17 am
A poor, permanent hire can be a very expensive error, whereas a mis-hire on a virtual CISO can be rapidly corrected.

The cybersecurity challenges that companies are facing today are vast, multidimensional, and rapidly changing. Exacerbating the issue is the relentless evolution of threat actors and their ability to outmaneuver security controls effortlessly.

As technology races forward, companies without a full-time CISO are struggling to keep pace. For many, finding, attracting, retaining, and affording the level of skills and experience needed is out of reach or simply unrealistic. Enter the virtual CISO (vCISO). These on-demand experts provide security insights to companies on an ongoing basis and help ensure that security teams have the resources they need to be successful.

How a vCISO Works
Typically, an engagement with a vCISO is long-lasting but delivered in a fractional model. This is very different from a project-oriented approach that requires a massive investment and results in a stack of deliverables for the internal team to implement and maintain. A vCISO not only helps to form the approach, define the action plan, and set the road map but, importantly, stays engaged throughout the implementation and well into the ongoing management phases.

The best vCISO engagements are long-term contracts, such as 12 to 24 months. Typically, there's an upfront effort where the vCISO is more engaged in the first few months to establish an understanding, develop a road map, and create a rhythm with the team. Their support then settles into a regular pace, which can range from two to three days per week or five to ten days per month.

What to Expect From a vCISO
When bringing a vCISO on board, it’s important that person has three key attributes: broad and extensive experience in addressing cybersecurity challenges across many industries; business acumen and the ability to rapidly absorb complex business models and strategies; and knowledge of technology solutions and dynamics that can be explored to meet specific organizational needs.

The first thing a vCISO will focus on is prioritization, beginning with understanding a company’s risks. They will then organize actions that provide the greatest positive influence on mitigating these risks while ensuring sustainability in the program. The goal is to establish a security approach that addresses the greatest risks to the business in a way that has staying power and can provide inherent value to additional downstream controls.

Having extensive experience in the technical space, a vCISO can take into consideration the full spectrum of options: those already present in the business environment, established products and services in the marketplace, and new solutions entering the market. Within that context, a vCISO can collaborate with the technical team to take advantage of existing solutions and identify enhancements that extend capabilities in a cost-efficient manner.

The Value of a vCISO
One of the most common findings is that companies often have a large portfolio of cybersecurity technology, but very little of it is fully deployed. Additionally, most tech teams are not using all of the capabilities they already own, much less integrating them with other systems to get greater value. Virtual CISOs help companies save money by making fuller use of existing technical investments, which can dramatically improve security. And, since the improvement is focused on existing tools, the transition for the IT and security staff is virtually eliminated because they are already familiar with the environment.

Another essential value point of a vCISO is access to an informed and well-balanced view on risk and compliance. While cybersecurity is dominated by technical moving parts, the reality is that the board, executive leadership, and management team need to incorporate cyber-risks and related liabilities into the overall scope of risk across the business at an executive level. Leadership faces a vast array of competing challenges, demands, and risks, some of which can be even more impactful than cybersecurity.

How to Convince the Executive Team
A CEO is under a constant barrage of challenges, problems, risks, and opportunities. Cybersecurity needs to be part of that formula. If one of the core values of having a vCISO is getting meaningful cyber-risk insights, then trust and confidence in that person is paramount and needs to be established from the beginning.

Another challenge is the team dynamic — at the heart of being a CEO is their success as a leader. Introducing what is essentially a consultant can be an adjustment for the team. It’s important that the vCISO hire fits the culture and can easily integrate with everyone on the team including the CIO, CTO, CPO, CRO, etc.

The conversation with the CFO will understandably have a heavy financial tone. For companies debating between a full-time CISO or a vCISO, it’s clear a poor permanent hire can be a very expensive error, whereas a mis-hire on a vCISO can be rapidly corrected.

As organizations continue to come to grips with the byproducts of digitization and new security challenges that often seem insurmountable, a vCISO can be an enormous value. Beyond offering an efficient and cost-effective model, they bring many advantages to businesses with fewer risks than a dedicated resource.

Source: https://www.darkreading.com/careers-and-people/virtual-cisos-are-the-best-defense-against-accelerating-cyber-risks

Ransomware’s Silver Bullet – The Virtual CISO Publication Series: Cybersecurity

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Ask DISC an InfoSec & compliance related question

Tags: CISO, vCISO, Virtual CISOs


Jul 11 2022

The CISO MindMap

Category: CISO, vCISO | DISC @ 10:05 am

The CISO MindMap (with Rafeeq Rehman)

This episode features Rafeeq Rehman. He discusses the need for a CISO MindMap and 6 Focus Areas for 2022-2023:

1.  Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.

2.  Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams.

3.  To serve your business better, train staff on business acumen, value creation, influencing and human experience.

4.  Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.

5.  Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.

6.  Maintain a centralized risk register. Even better: integrate into your enterprise risk management program. Track risk for technology, insiders, processes, third parties, compliance and skill gaps.
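Focus area 4 is the one that turns into a script most directly. The following is an added example, not code from the episode or from Rafeeq Rehman's published materials: it builds a single inventory of open source dependencies from two constructed lockfiles (a pinned requirements.txt and an npm package-lock.json) and matches it against an OSV-style advisory list, so that the result can feed the vulnerability management queue rather than sit in a spreadsheet. All package names, versions and advisory identifiers are invented for the illustration and refer to no real project or vulnerability; the version comparison is numeric-only and stands in for a proper PEP 440 or semver comparison.

```python
"""Open source inventory matched against an advisory feed.

Added example, not from the episode or from Rafeeq Rehman's materials:
builds one inventory from two lockfile formats (pinned requirements.txt
and npm package-lock.json v2) and checks it against OSV-style version
ranges. Package names, versions and advisory IDs are constructed and
refer to no real project or vulnerability.
"""
import json
import re

# Constructed pip-compile style output; only exact pins are inventoried.
REQUIREMENTS_TXT = """\
# generated by pip-compile (constructed)
widgetlib==1.4.2
authz-core==0.9.1 ; python_version >= "3.8"
tracekit==2.0.0
"""

# Constructed package-lock.json (lockfileVersion 2): every installed
# package, direct or transitive, appears under "packages".
PACKAGE_LOCK_JSON = json.dumps({
    "name": "example-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/widgetlib": {"version": "3.1.0"},
        "node_modules/parse-thing": {"version": "0.5.7"},
        "node_modules/parse-thing/node_modules/tiny-dep": {"version": "1.0.0"},
    },
})

# Constructed advisories, OSV-like: affected from `introduced` (inclusive)
# up to `fixed` (exclusive); fixed=None means no fixed release exists.
ADVISORIES = [
    {"id": "ADV-0001", "ecosystem": "PyPI", "package": "widgetlib", "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "ADV-0002", "ecosystem": "npm", "package": "widgetlib", "introduced": "3.0.0", "fixed": "3.0.4"},
    {"id": "ADV-0003", "ecosystem": "npm", "package": "tiny-dep", "introduced": "0", "fixed": None},
    {"id": "ADV-0004", "ecosystem": "PyPI", "package": "tracekit", "introduced": "2.0.1", "fixed": "2.1.0"},
]


def version_key(version):
    """Numeric-only ordering; real tooling should use PEP 440 / semver
    comparison, which also orders pre-release tags correctly."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_requirements(text):
    """Exact `name==version` pins; comments and environment markers are ignored."""
    items = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)", line.split("#", 1)[0].strip())
        if m:
            items.append({"ecosystem": "PyPI", "name": m.group(1).lower(),
                          "version": m.group(2), "direct": True})
    return items


def parse_package_lock(text):
    """Walk the flat `packages` map; nesting depth tells direct from transitive."""
    items = []
    for key, meta in json.loads(text).get("packages", {}).items():
        if not key:
            continue  # the root project entry, not a dependency
        items.append({"ecosystem": "npm", "name": key.rsplit("node_modules/", 1)[1],
                      "version": meta["version"], "direct": key.count("node_modules/") == 1})
    return items


def affected(version, introduced, fixed):
    """True when `introduced` <= version < `fixed` (or no fix exists)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def match_advisories(inventory, advisories):
    """Join inventory to advisories on ecosystem and name, then test the range."""
    hits = []
    for item in inventory:
        for adv in advisories:
            if (adv["ecosystem"], adv["package"]) != (item["ecosystem"], item["name"]):
                continue
            if affected(item["version"], adv["introduced"], adv["fixed"]):
                hits.append({"advisory": adv["id"], "fixed": adv["fixed"], **item})
    return hits


def build_inventory():
    """The combined inventory: six packages across the two constructed lockfiles."""
    return parse_requirements(REQUIREMENTS_TXT) + parse_package_lock(PACKAGE_LOCK_JSON)
```

On the constructed data the join returns two hits: the pinned PyPI `widgetlib` 1.4.2 (ADV-0001, fix available) and the transitive npm `tiny-dep` 1.0.0 (ADV-0003, no fix), while the npm `widgetlib` 3.1.0 is already past the fixed release and `tracekit` 2.0.0 is before the introduced one. The `direct` flag is what lets the remediation owner see that the second finding is pulled in by `parse-thing` rather than by the application's own manifest.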


Links:

  • CISO MindMap
  • CISO MindMap 2022 Recommendations
  • Information Security Leaders Handbook
  • Cybersecurity Arm Wrestling

CISO – Chief Information Security Officer

Tags: Chief Information Security Officer, CISO, CISO Chief Information Security Officer


Jun 01 2022

Questions a CISO should be able to answer

Category: CISO, vCISO | DISC @ 1:44 pm

“Wise is not the one who knows all the answers but the one who knows what questions to ask”

More than an article, this is a conversation starter for the CISO and his/her team: what are your answers to this list of essential questions that any information security department must deal with?

Obviously there are many other questions, these are just the foundation for a security program.

These questions are ordered: it will be hard to answer the last ones without having answers for the first ones.

For your organization:

  • Who are the clients of the information security team?
  • What are the drivers for security? This will include Business, Technical and Compliance aspects.
  • What are the business significant security objectives? Have these been agreed with the clients of the information security team?
  • How do you model your organization and the systems it relies on?
  • What are the third parties you exchange information with?
  • What is the list of assets that need to be protected? Who owns them? Who controls them?
  • What are the threats or risks?
  • What is the list of security controls or processes you have in place? What is the success criteria for each? How frequently do you check that they are not just effective but successful?
  • What is the list of non-compliances that need to be remediated?
  • What is your level of compliance?
  • What is the list of vulnerabilities that need to be remediated?
  • What is your level of security (or risk)?
  • How do you maintain your knowledge base?
  • What is your level of security maturity? This measures not your security but your ability to maintain and improve your security.
  • How do you report the activity of the information security team?
  • How do you report the value of security to your clients?
  • How do you prove to third parties your level of security?
  • What do you plan to do to improve the level of security (or decrease risk)?

How easy or difficult was it for you and your team to formulate an answer?

If you find these questions too easy, either you are a truly great CISO (please share your answers) or you suffer a severe case of Dunning-Kruger. I will leave it to those readers to find out which.

Source: Questions a CISO should be able to answer

Chief Information Security Officer latest Titles

Tags: CISO


May 05 2022

7 threat detection challenges CISOs face and what they can do about it

Category: CISO, vCISO | DISC @ 8:45 am

Security operations (SecOps) teams continue to be under a constant deluge of new attacks and malware variants. In fact, according to recent research, there were over 170 million new malware variants in 2021 alone. As a result, the burden on CISOs and their teams to identify and stop these new threats has never been higher. But in doing so, they’re faced with a variety of challenges: skills shortages, manual data correlation, chasing false positives, lengthy investigations, and more. In this article, I’d like to explore some of the threat detection program challenges CISOs are facing and provide some tips on how they can improve their security operations.

CISOs ensure the security operations program for threat detection, investigation and response (TDIR) is executing at peak performance. Let’s look at seven key issues that can affect TDIR programs and some questions CISOs should consider asking their organization, security operations team, and the vendors providing solutions to resolve them.

1. There are too many indicators of compromise (IoCs) or security events happening across a network to properly identify malicious activity. As a result, CISOs are looking for advanced tools that can correlate and analyze this data effectively to eliminate false positives. The last thing any CISO wants is for his/her team to waste time on an event that might simply be a failed login associated with a user incorrectly typing their password multiple times.

Questions to ask: Can I correlate data from any source (such as logs, cloud, applications, network, endpoints, etc.), no matter what it is? Can I fully monitor all these systems, ingest all the telemetry needed, and perform correlation automatically? And what is it costing me to correlate all that data (i.e., what is my solution provider charging)?

2. Correlating data over time is hard. It's like putting puzzle pieces together from a box filled with multiple puzzles. An attack that occurs once can be difficult enough to identify. But once threat actors are inside an environment, they'll often do a little activity spread over a longer period (sometimes days, weeks or months later). This makes it almost impossible for a human analyst to take these seemingly disparate events across time and connect them to complete the puzzle.

Most tools also struggle to correlate those seemingly independent events as part of the same attack because they seem unrelated over time. CISOs are responsible for making sure the team has everything it needs (based on constrained budgets) to put that puzzle together before damage is done.

Questions to ask: Do I have a wide variety of data sources and analytics that can process events and correlate them across time effectively? Is out-of-the-box threat content included for real-time attack detection?

3. When piecing together an attack campaign, manual correlation and investigation of disparate security sources drastically extends the time and resources required from a CISO and his/her team. Pulling data from several systems at once is necessary to get the contextual information needed to find out what’s wrong (and how to respond). But in the time this takes, the damage could already be done. This challenge can easily frustrate CISOs that have invested so much time and money in building up the security operations program.

Questions to ask: Does your current team have to do a lot of manual correlation, and how are they able to accomplish that with events that span weeks or even months? Does your team have to search through multiple tools and put together context on their own to see patterns that will help formulate a better response when working with other IT teams?
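Items 1 to 3 describe one problem from three angles: noisy single events, evidence spread over time, and the manual work of joining sources. The following is an added example, not code from the article or from any vendor's product, that runs two correlation passes over constructed sshd-style log lines: a short-window pass keyed by user and source address that suppresses a mistyped password and flags a brute-force burst, and a long-span pass keyed only by source address that catches one failed login per account every few days, which no short-window rule sees. Hosts, users, addresses, the log format and the thresholds are all assumptions made for the illustration.

```python
"""Cross-time correlation of authentication events.

Added example (not code from the original article or any vendor's
product): groups constructed auth events by user and source address to
separate a mistyped password (noise) from a brute-force burst and from a
low-and-slow password spray that is invisible inside any short window.
Every log line below is constructed for this example.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts outcome user src")

# Constructed sshd-style events (hypothetical users and addresses).
LOG_LINES = """\
2022-05-01T08:02:11Z auth sshd: Failed password for alice from 10.0.0.5
2022-05-01T08:02:19Z auth sshd: Failed password for alice from 10.0.0.5
2022-05-01T08:02:31Z auth sshd: Accepted password for alice from 10.0.0.5
2022-05-01T12:00:00Z auth sshd: Failed password for root from 198.51.100.9
2022-05-01T12:00:20Z auth sshd: Failed password for root from 198.51.100.9
2022-05-01T12:00:40Z auth sshd: Failed password for root from 198.51.100.9
2022-05-01T12:01:00Z auth sshd: Failed password for root from 198.51.100.9
2022-05-01T23:14:02Z auth sshd: Failed password for bob from 203.0.113.7
2022-05-03T02:41:55Z auth sshd: Failed password for carol from 203.0.113.7
2022-05-06T04:10:20Z auth sshd: Failed password for dave from 203.0.113.7
2022-05-09T03:33:48Z auth sshd: Failed password for erin from 203.0.113.7
2022-05-12T01:58:07Z auth sshd: Failed password for frank from 203.0.113.7
2022-05-14T05:20:33Z auth sshd: Accepted password for frank from 203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Parse the constructed format into Events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines the regex does not model are skipped here
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["outcome"], m["user"], m["src"]))
    events.sort(key=lambda e: e.ts)
    return events


def burst_findings(events, window=timedelta(minutes=10), typo_limit=3):
    """Short-window view keyed by (user, src): at most `typo_limit` failures
    closed by a success is a mistyped password (suppressible); a run that
    grows past `typo_limit` inside `window` is reported once as a burst."""
    findings = []
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.user, e.src)].append(e)
    for (user, src), evs in by_key.items():
        run = []  # failures that all fall inside one window
        for e in evs:
            if run and e.ts - run[0].ts > window:
                run = []  # the previous run went stale; start over
            if e.outcome == "Failed":
                run.append(e)
                if len(run) == typo_limit + 1:
                    findings.append({"kind": "brute_force_burst", "user": user,
                                     "src": src, "start": run[0].ts})
            else:  # Accepted
                if 0 < len(run) <= typo_limit:
                    findings.append({"kind": "mistyped_password", "user": user,
                                     "src": src, "failures": len(run)})
                run = []
    return findings


def low_and_slow_findings(events, span=timedelta(days=30), min_users=3, min_days=3):
    """Long-span view keyed by src only: one failure per account every few
    days never trips a burst rule, but grouping by source over `span` shows
    a spray. A later success from that source is the likely compromise."""
    findings = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    for src, evs in by_src.items():
        failures = [e for e in evs if e.outcome == "Failed"]
        if not failures:
            continue
        first = failures[0].ts
        in_span = [e for e in failures if e.ts - first <= span]
        users = {e.user for e in in_span}
        days = {e.ts.date() for e in in_span}
        if len(users) >= min_users and len(days) >= min_days:
            later_ok = {e.user for e in evs if e.outcome == "Accepted" and e.ts > first}
            findings.append({"kind": "low_and_slow_spray", "src": src,
                             "users": sorted(users), "days": len(days),
                             "compromised": sorted(later_ok)})
    return findings
```

On the constructed lines the short-window pass reports alice's two failures followed by a success as a mistyped password (the event the article says nobody should spend time on) and the four failures against root in one minute as a burst, while the long-span pass reports 203.0.113.7 for touching five accounts across five days and names frank, whose later successful login from that address is the event to investigate first. The same two views are what a correlation platform has to keep in memory or in cheap storage for weeks, which is where the ingestion-cost question in item 6 comes from.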

4. The skills gap remains a problem. As seasoned practitioners who were trained across networking, servers, and other aspects of IT age out of the workforce, CISOs are forced to hire more security-focused analysts who have less broad practitioner experience. This increases the on-the-job training and experience required (and offered) for them to be effective. There are simply not enough skilled cybersecurity professionals in the market today.

Questions to ask: How can my TDIR platform automate certain tasks and bring the right context to the forefront? How can it provide the context that helps a less experienced analyst learn over time and add increasing value?

5. Vendors are overpromising and underdelivering. When it comes to threat detection, too many vendors falsely claim or exaggerate that they have machine learning (ML), artificial intelligence (AI), multicloud support, and/or apply risk metrics. CISOs are barraged with vendors claiming to offer a silver bullet at worst or using questionable marketing claims at best. Neither delivers what’s promised.

Questions to ask: Is what the vendor calls ML/AI actually rule-based detection? (Rules are static, need constant updating, and are poor at identifying new attacks and variants.) Does the multicloud support only correlate events, leaving it to the analyst to determine whether an attack is occurring across clouds? Is the risk score just an aggregate of public scores rather than the output of an enterprise-class, analytics-driven risk engine?

6. The tradeoff of cost and budget versus better security visibility can be a painful choice. CISOs often are presented with platforms (like a SIEM) that charge organizations based on volume of data ingested. As an organization grows, charging by data ingested is unpredictable and can quickly lead to rapidly escalating costs in licensing and storage. As a result, CISOs should be looking for solutions that reduce this cost burden, while still allowing the organization to pull in and ingest as much data as possible. The result is better SOC visibility and more effective TDIR.

Questions to ask: For a solution that employs true machine learning, the more data that can be pulled in the better. Does my solution penalize me for bringing in more data? Or does it embrace more data ingestion to offer better visibility and do so by providing flexible licensing? How can my provider help reduce storage costs?

7. Automation can drive efficiency and speed threat detection. This can free up security team members to focus their attention on more intensive tasks. When done effectively, this provides OPEX savings – which means less time and resources spent on simple and manual tasks of low value, while also shrinking the time for high-value tasks. It can also provide better experience for junior analysts, especially when your analytics and automation are transparent, allowing them to learn and improve.

But not all automation is created equal. Solutions that produce too much noise and too many false positives make it difficult to prioritize investigation and automate responses. The more accurate the threat detection is, the more targeted the automated response can be.

Questions to ask: Is automation in the solution inherent across my entire SOC lifecycle? If so, how do I know it’s working and how can I trust that it’s optimizing my operations (for example, can it show that I’m stopping threats earlier in the kill chain)?

As CISOs and their security operations teams look to improve threat detection they’ll face a variety of issues around visibility, cost, flexibility (especially into cloud environments), analytics, prioritization, contextual data and much more. But by working together to understand these challenges – and by arming ourselves with knowledge and the right questions – our industry can continue to evolve and deliver better security operations for our organizations.


Tags: CISO


Apr 06 2022

The CISO as brand enabler, customer advocate, and product visionary

Category: CISO, vCISO | DISC @ 8:38 am

Just over a quarter-century ago, the first Chief Information Security Officer (CISO) was minted in the financial vertical, and everyone lived happily ever after. The End.


If only this story was that simple and straightforward! The CISO role has never been cut-and-dry. Despite its longevity, this role is still in its adolescence – full of promise, mostly headed in the right direction, but not quite fully formed.

If you’re a CISO today, or have worked for or watched one from afar, you have felt the reality of the goalposts continually shifting over time, and you have experienced some of the tough questions that may not yet be answered. Where should the CISO report for maximum effect? How does the CISO gain that valuable seat at the executive table, and a regularly scheduled time slot every quarter in front of the board? Is it possible that broad technical competency may be superior to deep technical expertise for this C-level role? And if you are the CISO who thought you signed up for an IT-centric, inward-facing role, I have a few nation-state and cybercriminal actors to introduce to you.

But there are several other less obvious roles that the CISO should consider taking on to help the organization reach its goals, whether its customers are external or internal.

The CISO as brand enabler

Quantifying the value of a corporate brand is tough. But it’s clear that your organization’s brand is as much an asset as the devices and networks that the CISO is charged with protecting – in fact, the brand may be your organization’s largest single asset. A recent Forbes/MASB report states that brand assets drive approximately 20% of enterprise value on average. Doesn’t that sound like something worth protecting?

Yes, the creation and growth of the brand is typically the responsibility of the marketing organization and the CMO (chief marketing officer). But it’s not unusual for marketing to feel like it’s outracing the other business functions, including the CISO, and they are anxious for everyone to “catch up” and join them. The CISO can act as a useful counterweight to help marketing achieve its goals safely, in good times and bad. For example, isn’t it important to fully coordinate a breach response between these two groups in a way that best preserves the value of your brand? Those brands that emerge out of a high-profile information security incident stronger don’t get there by accident.

This is a missed opportunity in many organizations. When was the last time your CISO and CMO sat down alone to discuss each other’s long-term initiatives? And no, the sometimes recurring conversation between these two parties about how the marketing team is leveraging shadow IT doesn’t count here.

The CISO as customer advocate

If the CISO is considered an inward-facing resource only, your organization may be leaving some significant value on the table. Is your CISO considered and leveraged as an extended member of your customer-facing teams? There is often nothing more compelling to a prospect or a customer than the opportunity to hear from a true CISO practitioner about her experiences in the industry around a common challenge.

Another way to bring the CISO closer into the customer orbit: you have some customers who due to their size or potential are at the very top of your essential, must-not-lose list. Your CISO may be more than willing to act as an executive sponsor for the overall relationship between the two organizations. This is a great way to cement that bond with your truly key and strategic customers. You may also discover that same hugely important customer is willing to share details with the CISO that would never be shared with the sales team.

The CISO as product visionary

In many ways, your CISO may be an ideal prospect, a research partner, and a sounding board for new products, services or features your organization plans to introduce. Think about all the angles a CISO deals with every day: B2B connections and data flowing amongst third parties; identifying and securing B2C data and connectivity; monitoring an infrastructure round the clock to recognize and remediate tactical, strategic and regulatory risks; signing off on your organization’s ISO 27001 certification or SOC 2 attestation, and more!

For bonus points, if you are that CISO of today or the aspirational CISO of tomorrow, don’t settle for approaching your job solely in pursuit of how to best secure your organization – ask yourself how you can make your own customers more secure. Sometimes a new feature or service might pop out from that alternative angle, from a perspective that only the CISO can see.

Whether you are the CISO or are a colleague of the CISO, think outside the box. CISOs can absolutely be leveraged in these and other non-traditional roles, to the greater benefit of your organization.

The CISO Evolution: Business Knowledge for Cybersecurity Executives

Tags: CISO, The CISO Evolution


Mar 23 2022

CISO mind map

Category: CISO, vCISO | DISC @ 1:10 pm

Rafeeq Rehman CISO MindMap 2021: What do InfoSec professionals really do? 


The CISO Evolution: Business Knowledge for Cybersecurity Executives

Tags: CISO


Mar 13 2022

How the CISO has adapted to protect the hybrid workforce

Category: CISO, vCISO | DISC @ 9:24 pm

Many organisations have been considering a network transformation initiative to support the adoption of SaaS, cloud-based applications, and an increasingly remote workforce. Given the connectivity needs of a remote workforce – and knowing a hybrid workforce is here to stay – many IT teams have had to make sudden changes in the way workers connect to corporate systems that could introduce new cyber risks and vulnerabilities.  

When developing a security strategy for supporting a hybrid workforce, it is essential to identify risks, as well as any potential blind spots. As CISOs embark on their transformational journeys, identifying these areas of weakness should be the top priority.  Keeping business data safe everywhere is crucial to enabling employees to work anywhere. However, enforcing the same policies consistently from the endpoint, network, web, and cloud requires a new approach.  

Cloud dominance 

For instance, cloud vulnerabilities and misconfigurations continue to be a concern, particularly as the demand for more cloud integration has increased. This has led CISOs to shift how they protect the corporate perimeter, with additional controls and monitoring tools that inspect every access to the network. Security leaders are beginning to understand that the legacy detection tools traditionally used for data centres do not extend to the cloud, which is why a shift in strategy is required. As a result, identifying and remediating cloud system vulnerabilities and misconfiguration errors is a top priority for the modern CISO when protecting the remote workforce.

Security landscape requires adaptation 

Keeping up with the threat landscape is another area in which CISOs have had to adapt. Attackers have evolved their tactics to evade detection while using techniques that require less effort and reap a higher reward. Their aim is to obtain money or steal sensitive data, whether through ransomware schemes, state-sponsored operations or individuals looking to make a name for themselves in the online underworld. Either way, they are more devious and better equipped than 12 months ago. Cybercrime has become commercialised: many cybercriminals sell their tools, stolen credentials and ransomware kits on the dark web, giving others easy access to replicate attacks and cause more disruption.

With the ability to launch cyberattacks more quickly with little effort, we are witnessing CISOs and security teams adopting a proactive mindset to cybersecurity. This approach helps to avoid being overwhelmed by the number of threats, especially those targeting workers who are outside the traditional perimeter and are accessing corporate files remotely. 

Those that do not take a proactive stance are at risk, as even the most sophisticated defence strategies become ineffective if they are not regularly tested and kept current. Attackers can now use artificial intelligence to mimic human behaviour, and they are outpacing many organisations in the technology and techniques used against them.

Other security initiatives to leverage 

The job is never finished when it comes to the cybersecurity of an organisation. This means staying one step ahead of the next potential threat. Looking ahead now means better preparation for the future. Mitigating third-party risk, embedding security into the development process, and defending against ransomware attacks are just a few things that CISOs should be incorporating as part of the future-proofing cybersecurity strategy for a hybrid workforce.  

Key initiatives should include adopting multi-factor authentication, achieving greater response time through automation, and extending Zero Trust to applications.  The rapid adoption of cloud services, IoT, application containers, and other technologies is helping drive organisations forward. However, it also means that security teams must work harder to maintain visibility. To do so, they need to continuously see and catalogue every asset in their environments and accurately determine the security status of their devices. 

In addition to the initiatives mentioned, secure access service edge (SASE) is a framework that CISOs are beginning to embrace, as it converges key networking and security capabilities: software-defined wide area networking (SD-WAN), Firewall-as-a-Service (FWaaS), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB) and Zero Trust Network Access (ZTNA). It supports the organisation's cloud-based computing environments while giving security professionals the information they need to secure the digital transformation journey and the remote workforce.

Organisations are feeling a shift in networking and security with the realities of mobile working, particularly as they rapidly adopt and embrace the cloud. With this, CISOs are seeking further efficiency, visibility, and stronger security for their enterprises. SASE and Zero Trust implementations can provide more comprehensive security capabilities to support digital transformation.

Bindu Sundaresan, director at AT&T Cybersecurity 

The Evolving Role of the CISO | Threatpost

Cybersecurity Career Master Plan: Proven techniques and effective tips to help you advance in your cybersecurity career

Tags: CISO, vCISO


Jan 05 2022

CISO guide to bolstering cyber defenses

Category: CISO, Information Security, vCISO | DISC @ 9:27 am

Why CIOs Should Report to CISOs – If the CISO is responsible for the security of the organization, then that same person also should be responsible for both security and IT infrastructure.

CISO Desk Reference Guide: A Practical Guide for CISOs

Tags: CISO, CISO guide


Jan 03 2022

A CISO’s guide to discussing cybersecurity with the board

Category: CISO, vCISO | DISC @ 5:23 pm

To get the assets needed for CISOs to properly do their jobs, business leaders need to invest time, attention, and money in cybersecurity. Here are helpful ways that CISOs can discuss cybersecurity with their C-suite and board members.

Work your way to the table

As a newer role within organizations, CISOs may not yet be understood by leadership teams or have a seat at the executive table. Some CISOs may also be managed by other IT leaders such as a CIO and CTO, making it difficult to build trust among the rest of the C-suite and board. Even if you have a good relationship with your supervisors, some of the messaging might change as it goes through the chain of command.

It’s frustrating to not have a seat at the table, but there are other ways to be heard.

One way is to start building relationships with other members of leadership. You can try meeting one-on-one with business stakeholders to share ideas, enjoy informal conversations or identify an ally.

In my own companies, I encourage these types of meetings. When team members want to run ideas by me, I’m happy to listen — regardless of their titles. If they bring in some good thoughts, I usually think them over and may follow up if the employees present compelling ideas. Building this trust may lead to me bringing these ideas to the board or even inviting the employees to present themselves.

Of course, it’s ideal to always have a seat at the table, but if that’s not possible, work your way up. Anyone can make an impact, but you must put yourself out there and build trust with your leadership.

Focus your message

When you get a chance to speak with executives, you typically don’t have much time to discuss details. And frankly, that’s not what executives are looking for, anyway. It’s important to phrase cybersecurity conversations in a way that resonates with the leaders.

Messaging starts with understanding the C-suite and boards’ priorities. Usually, they are interested in big picture initiatives, so explain why cyber investment is critical to the success of these initiatives. For example, if the CEO wants to increase total revenue by 5% in the next year, explain how they can prevent major unnecessary losses from a cyber attack with an investment in cybersecurity.

Once you know the executive team and board’s goals, look to specific members, and identify a potential ally. Has one team recently had a workplace security breach? Does one leader have a difficult time getting his or her team to understand the makings of a phishing scheme? These interests and experiences can help guide the explanation of the security solution.

Lose the tech jargon

If you’re a CISO, you’re well-versed in cybersecurity, but remember that not everyone is as involved in the subject as you are, and business leaders probably will not understand technical jargon. Conversations leading with highly technical terms are unlikely to kindle and keep a C-suite or board member’s attention.

CISOs are the translators that explain cybersecurity needs to leadership in a way they understand — through real-life examples and business metrics outlining risk. If you speak their language, executive leaders will be more willing to consider a proposal.

There’s more to being a CISO than keeping track of evolving risks and staying up to date on technological advancements. You are also an advocate for cybersecurity initiatives that protect the company, convincing executives to invest in cybersecurity. Working up to the board room might not be easy, but with clear and relevant messaging, you can be a champion for a strong cybersecurity strategy.

Information Security Governance: Framework and Toolset for CISOs and Decision Makers

Tags: CISO


Nov 10 2021

vCISO as a service

Category: Information Security,vCISODISC @ 10:05 pm

Virtual CISO

Ransomware's Silver Bullet - The Virtual CISO Publication Series: Cybersecurity: Publication #1 Ransomware by [Virtual CISO]

Tags: vCISO as a service


Nov 10 2021

Most CIOs and CISOs underestimate the risk of an OT breach

Category: CISO,OT/ICS,vCISODISC @ 10:27 am

“Not only do enterprises rely on OT, the public at large relies on this technology for vital services including energy and water. Unfortunately, cybercriminals are all too aware that critical infrastructure security is generally weak. As a result, threat actors believe ransomware attacks on OT are highly likely to pay off,” said Skybox Security CEO Gidi Cohen. “Just as evil thrives on apathy, ransomware attacks will continue to exploit OT vulnerabilities as long as inaction persists.”

The research unearths the uphill battle that OT security faces – comprised of network complexity, functional silos, supply chain risk, and limited vulnerability remediation options. Threat actors take advantage of these OT weaknesses in ways that don’t just imperil individual companies – but threaten public health, safety, and the economy.

Key takeaways

Organizations underestimate the risk of a cyberattack

Fifty-six percent of all respondents were “highly confident” their organization will not experience an OT breach in the next year. Yet, 83% also said they had at least one OT security breach in the prior 36 months. Despite the criticality of these facilities, the security practices in place are often weak or nonexistent.

CISO disconnect between perception and reality

Seventy-three percent of CIOs and CISOs are highly confident their OT security system will not be breached in the next year, compared to only 37% of plant managers, who have more firsthand experience with the repercussions of attacks. While some refuse to believe their OT systems are vulnerable, others say the next breach is around the corner.

Compliance does not equal security

To date, compliance standards have proven insufficient in preventing security incidents. Maintaining compliance with regulations and requirements was the most common top concern of all respondents. Regulatory compliance requirements will continue to increase in light of recent attacks on critical infrastructure.

Complexity increases security risk

Seventy-eight percent said complexity due to multivendor technologies is a challenge in securing their OT environment. In addition, 39% of all respondents said that a top barrier to improving security programs is decisions are made in individual business units with no central oversight.

Cyber liability insurance is considered sufficient by some

Thirty-four percent of respondents said that cyber liability insurance is considered a sufficient solution. However, cyber liability insurance does not cover costly “lost business” that results from a ransomware attack, which is one of the top three concerns of the survey respondents.

Exposure and path analysis are top cybersecurity priorities

Forty-five percent of CISOs and CIOs say the inability to conduct path analysis across the environment to understand actual exposure is one of their top three security concerns. Further, CISOs and CIOs said disjointed architecture across OT and IT environments (48%) and the convergence of IT technologies (40%) are two of their top three greatest security risks.

Functional silos lead to process gaps and technology complexity

CIOs, CISOs, Architects, Engineers, and Plant Managers all list functional silos among their top challenges in securing OT infrastructure. Managing OT security is a team sport. If the team members are using different playbooks, they are unlikely to win together.

Supply chain and third-party risk is a major threat

Forty percent of respondents said that supply chain/third-party access to the network is one of the top three highest security risks. Yet only 46% said their organization has a third-party access policy that applies to OT.

CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers


Nov 03 2021

A ransomware reality check for CISOs

Category: CISO,Ransomware,vCISODISC @ 10:00 pm

The dilemmas organizations must deal with are dizzying:

  • To pay a ransom or not?
  • Will cyber insurance provide adequate shelter?
  • What’s the role of government?
  • Are new mandates and penalties on the horizon?
  • How are adversaries evolving their tactics?

To make sense of it all, let’s first focus on the adversaries and their playbook. Cyber criminals have a well-developed business model and carefully contemplated financial calculus of ransomware. They have determined whether they will launch a direct attack to maximize profits or offer Ransomware-as-a-Service, complete with a help desk and other support services, to supplement their income while enabling malicious actors with less technical skill.

They have researched their victims and targeted organizations based on their ability to pay. All these tactics are developed and executed in concert to make paying the ransom the path of least resistance – financially and logically.

Every aspect of a ransomware campaign is calculated to elicit an emotional response from the target such that it is easier to pay the ransom than to bear the costs and delays of trying to recover on their own.

Let’s start with what we shouldn’t do

Ransomware Protection Playbook

Tags: CISO, ransomware attacks, Ransomware Protection Playbook, vCISO


Oct 25 2021

CISO Interview Series: Investing in Frameworks, Humans, and Your Technical Skills

Category: CISO,vCISODISC @ 7:24 am

The journey for someone to the role of Chief Information Security Officer (CISO) isn’t often straightforward. Take Sandy Dunn, for example. Per SailPoint, Sandy started as a paper delivery kid at 10 years old. She then worked her way through software sales, insurance, and even horses before becoming the CISO of a health insurance provider in Idaho.

All these “entry-level” jobs share one thing in common. They gave Sandy the experience to fulfill a CISO’s multifaceted responsibilities. But don’t just take my word for it. Check out my conversation with Sandy below.

“One skill I think every CISO needs is business acumen.”

Joe Pettit: Thanks for taking the time to speak with me today, Sandy. I would love to hear some of your views on the role of the modern CISO. How is it changing, and what are the essential skills that a CISO should have now?

Sandy Dunn: The required skills for a CISO is an interesting question. Every business is different, so really every CISO role will be slightly different with different expectations for where they fit in the organization. One skill I think every CISO needs is business acumen. You need to be able to understand how security fits into that specific business. Having some level of technical skills is important, too. It helps you with effective communication with your cybersecurity team about issues, tools, proposed remediation, and then to be able to explain everything they just told you back to the business or put it into a business context. Technical knowledge will benefit you in understanding the severity of a problem, too (independent of the volume of the voice who is bringing it) and determine if a situation is a one-alarm fire or a five-alarm fire.

“…one of the things I really had to (Read more…)

*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Joe Pettit. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/ciso-interview-series-investing-in-frameworks-humans-and-your-technical-skills/

The 5 Roles of Leadership: Tools & best practices for personable and effective leaders

Tags: CISO, Fractional CISO, vCISO


Jul 23 2021

Questions that help CISOs and boards have each other’s back

Category: CISO,vCISODISC @ 11:27 am

The ransomware threat posed by organized crime groups is considerable, and its impact can be devastating and threaten the entire business. This makes it imperative for boards to ensure the company has taken necessary cybersecurity precautions to resist the threat. Additionally, executives have seen the value of efficient infosec firsthand over the last eighteen months. The efforts security teams have made to keep businesses safely functioning during a global pandemic have been impressive, if not heroic.

Regardless of why the C-level is focusing on IT infrastructure and strategy, this interest presents an opportunity for security teams. I know this is true because over the last few years F-Secure’s board has been refining how we cooperate to make better decisions about our security posture and risk appetite.

At the core of this process has been the creation of questions we use to make the best use of our time together. When approached holistically and answered honestly, these queries allow us to understand if we are focused on the right things, whether we are achieving our goals, and where our gaps are.

Since we would have benefited by having a list to start with, we’re sharing five of ours now to help other organizations.

Start with the easier ones

Here are the first three questions that I expect board members to ask me whenever they get a chance:

  • What are the key threats against your top assets?
  • How do you protect your assets from cybersecurity threats?
  • Whose responsibility is it to implement protections?

Questions that help CISOs and boards have each other’s back

Chief Information Security Officer

Tags: CISO, CISO implementation guide, Fractional CISO, vCISO


Jul 06 2021

CISO implementation guide: 10 ways to ensure a cybersecurity partnership will work

Category: CISO,vCISODISC @ 2:04 pm

Capitalizing on the urgency companies have to launch new digital businesses, cybersecurity vendors create partnerships to close product gaps quickly. An understanding of how the new alliances can deliver results must be part of every CISO’s purchasing decision process. But partnerships can be something of a slippery slope.

Today, CISOs face the conflicting problem of securing operations while supporting business growth. IT and cybersecurity teams are stretched thin attempting to scale endpoint security for virtual workforces, while securing their customer identities and transactions. CIOs and CISOs are turning to vendors they rely on for immediate help. In turn, cybersecurity vendors’ quick fix is to create as many partnerships as possible to close product gaps and close the upsell or new sale.

What’s driving market demand is the pressure CIOs and CISOs have to deliver results. Companies’ boards of directors are willing to double down on digital business plan investments and accelerate them. According to the 2021 Gartner Board of Directors’ survey, 60% of the boards rely on digital business initiatives to improve operations performance, and 50% want to see technology investments deliver improved cost optimization.

Company boards have a high level of enthusiasm for technology spending in general and cybersecurity especially. As a result, Gartner predicts the combined endpoint security and network access market will be a $111 billion opportunity. For such cybersecurity companies, partnerships are a quick path to lucrative deals and higher profits.

Partnerships alone will not solve the conflicting demands for IT resources to secure a business while driving new business growth. They are not a panacea for the biggest challenges facing IT today. Trusting the wrong partnerships can cost millions of dollars, lose months of productive time, and even cause a new digital venture to fail. Due diligence of nascent cybersecurity partnerships needs to go beyond comparing partners’ financial statements and into the specifics of how multiple technologies are performing in actual, live scenarios today. Ten ways stand out as means to guide decision making.

10 ways to truth-test cybersecurity partnerships


Tags: CISO implementation guide


Jun 12 2021

Certified Information Systems Security Professional (CISSP) training course

Category: CISO,CISSP,Information Security,vCISODISC @ 6:22 pm

Certified Information Systems Security Professional (CISSP) training course

If you’re building a career in information security the Certified Information Systems Security Professional (CISSP) is the must-have qualification to help you progress. It is a globally recognized standard that demonstrates your competence as an IT professional.

This course will prepare you with the knowledge and skills to pass the CISSP exam and earn Certified Information Systems Security Professional status. Covering topics including cloud computing, mobile security, application development security, and risk management, you will gain the knowledge to best manage information security issues back in your organization.

Duration: 5 days

“I would highly recommend the course to a friend, and in fact I already have! I’d also recommend it to a security team within an organization, even if they’re not specifically targeting a CISSP certification as it teaches a broad range of best practices and will help instill a culture of security and best practice in any organization.”

Who should attend?

This training course is intended for professionals who have at least 5 years of recent full-time professional work experience in 2 or more of the 8 domains of the CISSP common body of knowledge (CBK), such as:

  • Security consultants
  • Security managers
  • IT directors/managers
  • Security auditors
  • Security architects
  • Security analysts
  • Security systems engineers
  • Chief information security officers
  • Security directors
  • Network architects

Please note: A one year experience waiver is available with a 4-year college degree, or regional equivalent, or additional credentials from the (ISC)² approved list, thus requiring four years of direct full-time professional security work experience in 2 or more of the 8 domains of the CISSP CBK.

Don’t have 5 years of experience? – Become an Associate of (ISC)²

Certified Information Systems Security Professional (CISSP) training course

Official (ISC)2® Guides

7 tips for CISSP Success

Risk Management Training

ISO 27001:2013 Lead Auditor

Tags: CISSP book, CISSP book recommendation


May 28 2021

The evolution of the modern CISO

Category: CISO,vCISODISC @ 2:17 pm

The modern CISO

The role of CISO first emerged as organizations embraced digital revolutions and began relying on new data streams to help inform business decisions. As technology continued to advance and became more complex, so too did threat actors who saw new opportunities to disrupt businesses, by stealing or holding that data hostage for ransom.

As the years have gone by and cyberattacks have become more sophisticated, the role of the CISO has had to advance. The CISO has evolved from being the steward of data to also being a guardian for availability with the emergence of more destructive and disruptive attacks. The CISO also must be highly adaptable and serve as the connective tissue between security, privacy and ultimately, consumer trust.

The changing threat landscape


Tags: CISO, Fractional CISO, vCISO


Apr 13 2021

ISO 27002 major revision

Category: CISO,ISO 27k,vCISODISC @ 4:22 pm

ISO is shaking up the familiar structure of the ISO 27001/27002 control framework after over 20 years of stability. 

Originally published as British Standard BS 7799 Part 1 and 2 in the late 1990s, adopted as the ISO 17799 standard in 2000, and then renumbered as ISO 27001/27002, the name has changed a few times but the structure of the controls has remained intact until now.  

Historically ISO has resisted major changes given that so many organizations globally have adopted ISO 27001/27002 for their security policies, security programs and certifications, and considering that numerous countries have adopted or incorporated them into their own national standards.

Publication of the final standard is expected to occur in the next year.  

What is changing with the update to ISO 27002?

Tags: ISO 27002 revision


Apr 13 2021

With ISO27001 how you should choose the controls needed to manage the risks

Category: CISO,ISO 27k,vCISODISC @ 8:47 am

Introduction and Background

As required by ISO27001, the risks identified in the risk assessment need to be ones that, if they happened, would result in the loss of Confidentiality, Integrity and/or Availability (CIA) of information in the scope of the ISMS. As also required by ISO27001, the controls that are necessary to modify each risk need to be determined. Each risk gets a list of one or more controls.

This article gives some advice about how to choose/determine the controls for each risk and how control sets (e.g. Annex A, ISO27017, ISO27018, NIST CSF, CSA) can be used to help with this and as a quality check on the risk assessment.

What do we mean by necessary?

A good question!

“Needed to manage the risk”. Yes, I know that this just rephrases the word “necessary”….

In many cases this is a simple (or perhaps tricky!) matter of judgment, but each control should be checked for necessity by asking questions like these:

  • What effect does this control have on the likelihood or impact of this risk? Only controls that have more than a negligible effect on the likelihood or impact should be designated as “necessary”.
  • What would happen to this risk if this control were not in place or stopped working properly? Your answer should be “the business continues to operate and deliver all its services, but we have just increased the likelihood and/or impact of something going wrong that stops us delivering this service and/or gets in the way of meeting our objectives”. If this is not your answer, then this control is unlikely to be “necessary” and should not be included.

Source: Main approaches to determining controls.
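The two questions above are a test that can be applied mechanically to every risk-to-control line in a risk register, and the same data can be cross-checked against a control set to find controls that no risk needs (a candidate for a justified exclusion in the Statement of Applicability, or a sign of a missed risk). The following is an added example, not code from the article or from any ISO publication: the risks, assets and effect scores are constructed for illustration, and the Annex A identifiers are the ISO/IEC 27001:2013 numbering (the 2022 revision renumbers them). The "ordinal steps" scoring and the `threshold` value are assumptions of this example, not something the standard prescribes.

```python
"""Check that each control listed against a risk is 'necessary' (has a
more-than-negligible effect on likelihood or impact) and use a control
set as a quality check on the risk assessment.

Added example; constructed data. Annex A subset is ISO/IEC 27001:2013
numbering, which the 2022 revision renumbers.
"""
from dataclasses import dataclass, field

# Assumed subset of ISO/IEC 27001:2013 Annex A (identifier -> title).
ANNEX_A = {
    "A.9.4.2": "Secure log-on procedures",
    "A.12.2.1": "Controls against malware",
    "A.12.3.1": "Information backup",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.13.1.1": "Network controls",
}


@dataclass
class ControlEffect:
    control_id: str
    likelihood_reduction: int  # ordinal steps removed from likelihood (0..4)
    impact_reduction: int      # ordinal steps removed from impact (0..4)
    rationale: str             # the argument for why the control modifies the risk


@dataclass
class Risk:
    risk_id: str
    asset: str
    cia: frozenset             # subset of {"C", "I", "A"} the risk affects
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)


def necessary_controls(risk, threshold=1):
    """Split a risk's controls into those that are 'necessary' (reduce
    likelihood or impact by at least `threshold` steps) and those that are not."""
    keep, drop = [], []
    for c in risk.controls:
        (keep if max(c.likelihood_reduction, c.impact_reduction) >= threshold else drop).append(c)
    return keep, drop


def residual(risk, controls):
    """Residual (likelihood, impact) after the given controls, clamped to 1."""
    like = max(1, risk.likelihood - sum(c.likelihood_reduction for c in controls))
    imp = max(1, risk.impact - sum(c.impact_reduction for c in controls))
    return like, imp


def review(risks, control_set):
    """Return a list of findings: unnecessary controls, unknown control IDs,
    risks with no necessary control, and control-set entries no risk uses."""
    findings, used = [], set()
    for r in risks:
        if not r.cia or not r.cia <= {"C", "I", "A"}:
            findings.append(f"{r.risk_id}: risk must name the C/I/A property it affects")
        keep, drop = necessary_controls(r)
        for c in drop:
            findings.append(f"{r.risk_id}: {c.control_id} has negligible effect; not 'necessary'")
        for c in keep:
            if c.control_id not in control_set:
                findings.append(f"{r.risk_id}: {c.control_id} is not in the control set; check the ID")
            used.add(c.control_id)
        if not keep:
            findings.append(f"{r.risk_id}: no necessary control; record accept/avoid/transfer instead")
    # Quality check: control-set entries that no risk needs are either a justified
    # exclusion in the Statement of Applicability or a hint at a missed risk.
    for cid in sorted(set(control_set) - used):
        findings.append(f"unmapped {cid} ({control_set[cid]}): justify exclusion or look for a missed risk")
    return findings


# Constructed sample register (not real assessment data).
SAMPLE_RISKS = [
    Risk("R1", "customer database", frozenset({"C"}), likelihood=4, impact=5, controls=[
        ControlEffect("A.9.4.2", 2, 0, "MFA on admin logins cuts credential-stuffing success"),
        ControlEffect("A.13.1.1", 1, 0, "database reachable only from the application subnet"),
    ]),
    Risk("R2", "file server", frozenset({"A"}), likelihood=3, impact=4, controls=[
        ControlEffect("A.12.3.1", 0, 3, "offline backups restore service after ransomware"),
        ControlEffect("A.12.2.1", 1, 0, "EDR blocks commodity ransomware"),
        ControlEffect("A.12.6.1", 0, 0, "listed out of habit; no effect on likelihood argued"),
    ]),
]

if __name__ == "__main__":
    for line in review(SAMPLE_RISKS, ANNEX_A):
        print(line)
    for r in SAMPLE_RISKS:
        print(r.risk_id, "residual (likelihood, impact):", residual(r, necessary_controls(r)[0]))
```

On the sample data, R2's patching control is flagged because its rationale argues no effect; the assessor must either state how it changes likelihood (at which point it is necessary) or leave it out of that risk, and the unmapped-control check then asks for the exclusion to be justified. That is the quality loop the article describes: the control set does not drive the risk assessment, it audits it.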

Secure & Simple – A Small-Business Guide to Implementing ISO 27001 On Your Own: The Plain English, Step-by-Step Handbook for Information Security Practitioners by [Dejan Kosutic]


Mar 30 2021

Five signs a virtual CISO makes sense for your organization

Category: CISO,Information Security,vCISODISC @ 11:59 am

Here are five signs that a virtual CISO may be right for your organization.

1. You have a lot to protect

Companies produce more data than ever, and keeping track of it all is the first step to securing it. A virtual CISO can identify what data needs to be protected and determine the negative impact that compromised data can have, whether that impact is regulatory, financial or reputational.

2. Your organization is complex

Risk increases with employee count, but there are many additional factors that contribute to an organization’s complexity: the number of departments, offices and geographies; how data is used and shared; the distribution of architecture; and the life cycle of applications, data and the technology stack.

A virtual CISO offers an unbiased, objective view, and can sort out the complexity of a company’s IT architecture, applications and services. They can also determine how plans for the future add complexity, identify and account for the corresponding risk, and recommend security measures that will scale to support future demand.

3. Your attack surface is broad

For many organizations, especially those that share a great deal of data internally, potential vulnerabilities may not be obvious at first glance. Virtual CISOs can identify both internal and external threats, determine their probability and quantify the impact they could have on your organization. At a more granular level, they can determine whether those same threats apply to competitors, which can help maintain competitiveness within your market.

4. Your industry is highly regulated

Organizations in regulated industries like healthcare, finance, energy/power and insurance will have data that is more valuable, which could make them a bigger target for bad actors. Exposure is even more of a concern due to potential noncompliance. Virtual CISOs bring a wealth of expertise on regulatory standards. They can implement processes to maintain compliance and offer recommendations based on updates to applicable rules and regulations.

5. Your risk tolerance is low

An organization without a great deal of sensitive data may have a much greater tolerance for risk than a healthcare provider or a bank, but an honest assessment is important in determining how much risk each organization should accept. A virtual CISO can coordinate efforts to examine perceived and actual risk, identify critical vulnerabilities and provide a better picture of risk exposure that can inform future decisions.

Cybersecurity is growing more complex, and organizations of all sizes, especially those in regulated industries, require a proven security specialist who can address the aforementioned challenges and ensure that technology and processes are in place to mitigate security risks.

Tags: auditing CISO compliance, CISO, vCISO

