Tracking Elirks Variants in Japan: Similarities to Previous Attacks

A recent, well-publicized attack on a Japanese business involved two malware families, PlugX and Elirks, that were found during the investigation. PlugX has been used in a number of attacks since first being discovered in 2012, and we have published several articles related to its use, including an analysis of an attack campaign targeting Japanese companies.

Elirks, less widely known than PlugX, is a basic backdoor Trojan, first discovered in 2010, that is primarily used to steal information from compromised systems. We mostly observe attacks using Elirks occurring in East Asia. One of the unique features of the malware is that it retrieves its C2 address by accessing a pre-determined microblog service or SNS. Attackers create accounts on those services and post encoded IP addresses or the domain names of the real C2 servers in advance of distributing the backdoor. We have seen multiple Elirks variants using Japanese blog services over the last couple of years. Figure 1 shows the URLs embedded in an Elirks sample found in early 2016.

Figure 1 Embedded URLs in Elirks variant

In another sample found in 2014, the attacker used a Japanese blog service. The relevant account still existed at the time of writing this article (Figure 2).

Figure 2 Blog account created by the attacker in 2014
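The C2 lookup described above leaves a recognisable trace in web proxy logs: a host fetches a blog or microblog page and shortly afterwards connects directly to an IP address. As an added hunting example (not code from the original post), the following Python function correlates those two events over constructed sample log lines; the blog hostnames and the log format are assumptions. Posts that carry a domain name rather than an IP would need a DNS-based check instead.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the original post).
# Fields: timestamp, client IP, destination host, request path.
SAMPLE_LOG = """\
2016-06-01T09:00:01 10.0.0.5 blog.example.jp /entry/2016/06/01
2016-06-01T09:00:04 10.0.0.5 203.0.113.45 /
2016-06-01T09:00:10 10.0.0.7 blog.example.jp /entry/2016/05/30
2016-06-01T09:01:00 10.0.0.9 www.example.com /index.html
2016-06-01T09:30:00 10.0.0.7 203.0.113.80 /
"""

# Assumed watchlist of blog/microblog services seen in Elirks samples (placeholder names).
BLOG_SERVICES = {"blog.example.jp", "microblog.example.net"}
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_log(text):
    """Parse the four-field log format above into time-sorted (timestamp, client, host, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, host, path = line.split()
        events.append((datetime.fromisoformat(ts), client, host, path))
    return sorted(events)


def find_dead_drop_followups(text, window_seconds=60):
    """Return (client, blog_host, ip) for each client that fetched a watched blog
    service and then connected to a bare IPv4 address within window_seconds.
    This is the observable side of the behaviour: the backdoor reads the
    attacker's post, decodes the real C2 address, and connects to it."""
    events = parse_log(text)
    window = timedelta(seconds=window_seconds)
    hits = []
    for i, (ts, client, host, _) in enumerate(events):
        if host not in BLOG_SERVICES:
            continue
        for ts2, client2, host2, _ in events[i + 1:]:
            if ts2 - ts > window:
                break  # events are time-sorted, so nothing later can match
            if client2 == client and BARE_IPV4.match(host2):
                hits.append((client, host, host2))
    return hits


if __name__ == "__main__":
    for hit in find_dead_drop_followups(SAMPLE_LOG):
        print("possible dead-drop C2 lookup:", hit)
```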

Link to previous attack campaign

Unit 42 previously identified an Elirks variant during our analysis of the attack campaign called Scarlet Mimic. It is a years-long campaign targeting minority rights activists and governments. The malware primarily used in this series of attacks was FakeM. In that report, our researchers described how the threat shared infrastructure with Elirks.

As of this writing, we can note similarities between previously seen Elirks attacks and this recent case in Japan.

Spear Phishing Email with PDF attachment

Figure 3 shows an email which was sent to a ministry of Taiwan in May 2012.

Figure 3 Spear Phishing Email sent to a ministry of Taiwan

The characteristics of that email were somewhat similar to those of the recent case (Table 1).

Email Sender
  2012: Masquerades as an existing bank in Taiwan
  2016: Masquerades as an existing aviation company in Japan

Email Recipient
  2012: Representative email address of a ministry of Taiwan, which is publicly available
  2016: Representative email address of a subsidiary company, which is publicly available

Subject
  2012: “Bank credit card statement” in Chinese
  2016: “Airline E-Ticket” in Japanese

Attachment
  2012: PDF file named “Electronic Billing1015” in Chinese
  2016: File named “E-TKT” in Japanese with a PDF icon

Table 1 Email characteristics

When a user opens the attached PDF file, the message shown in Figure 4 is displayed. The PDF exploits CVE-2012-0611, a vulnerability in Adobe Flash, through Flash content embedded in the PDF, and installs Elirks on the system.

Figure 4 Opening the malicious PDF attachment

Airline E-Ticket

Attackers choose a file name suited to luring the targeted individual or organization. In the recent case, the name of the malicious attachment in the email was reported as “E-TKT”. We found a similar file name in the previous attack in Taiwan in August 2012 (Figure 5).

Figure 5 Elirks executable file masquerading as an E-Ticket folder

When the file is opened, Elirks executes on the computer and creates ticket.doc to deceive the user (Figure 6).

Figure 6 Document file created by Elirks

We’ve also seen another file name related to aviation in Taiwan in March 2012. Figure 7 shows a PDF file named “Airline Reservation Numbers (updated version).pdf”. When the PDF file is opened, it displays exactly the same message as Figure 4, exploits CVE-2011-0611 and installs Elirks.

Figure 7 PDF named “Airline Reservation Number”
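Both lures described in this section rely on the attachment looking like something it is not: an executable carrying a ticket name and a folder or PDF icon, or a PDF that carries embedded Flash. As an added example that is not from the original post, the following Python triage routine inspects attachment bytes rather than names or icons; the sample attachments are constructed, and the Flash check is a simple heuristic (a RichMedia annotation or a raw SWF header) that only sees uncompressed streams.

```python
# Constructed attachment samples (not real malware): name -> leading bytes.
SAMPLES = {
    # PDF carrying a Flash (RichMedia) annotation, the delivery style of the 2012 lures
    "E-TKT.pdf": (b"%PDF-1.6\n1 0 obj << /Type /Annot /Subtype /RichMedia >> endobj\n"
                  b"2 0 obj stream\nCWS\x0a\x00\x00\x00 endstream endobj\n"),
    # Executable given a ticket-like name and shipped with a document/folder icon
    "E-TKT": b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + b"PE\x00\x00",
    # Benign PDF with no embedded Flash
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
}

PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")          # uncompressed / zlib / LZMA SWF headers
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")


def triage_attachment(name, data):
    """Return a list of findings for one attachment.
    Checks are content-based, so a misleading name or icon does not help the file."""
    findings = []
    lower = name.lower()
    if data.startswith(PE_MAGIC):
        findings.append("executable content")
        if not lower.endswith(EXECUTABLE_EXTS):
            findings.append("executable hiding behind a non-executable name")
    if lower.endswith(".pdf") and not data.startswith(PDF_MAGIC):
        findings.append("named .pdf but not a PDF")
    if data.startswith(PDF_MAGIC):
        # Flash inside a PDF: a RichMedia annotation or a raw SWF header in an
        # uncompressed stream. Compressed streams would need inflating first.
        if b"/RichMedia" in data or any(m in data for m in SWF_MAGICS):
            findings.append("PDF embeds Flash content")
    return findings


def triage_all(samples):
    """Map each attachment name to its findings; an empty list means nothing was flagged."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```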

Conclusion

Currently, we have found no reliable evidence to indicate the same adversary attacked a company in Japan in 2016 and multiple organizations in Taiwan in 2012. However, we can see some resemblances between the two attacks. In both cases, attackers used the same malware family, crafted spear phishing emails in a similar manner, and seem to be interested in some areas related to aviation. We have been seeing multiple Elirks variants targeting Japan in the last few years, potentially indicating an ongoing cyber espionage campaign. We will keep an eye on the threat actors.

Palo Alto Networks customers are protected from Elirks variants and can gather additional information using the following tools:

  • WildFire detects all known Elirks samples as malicious
  • All known C2s are classified as malicious in PAN-DB
  • AutoFocus tags have been created: Elirks

Indicators:


[Palo Alto Networks Research Center]

Be Part of the World’s Largest Information Security Workforce Survey

By Patrick Craven, director, Center for Cyber Safety and Education

As the new director for the Center for Cyber Safety and Education, I’m proud to announce that we’re launching the latest edition of the (ISC)² global information workforce survey. The biennial survey provides an in-depth look at the current state of the cybersecurity workforce – examining trends in pay, training, hiring, budgets and more. The latest edition is now open for responses until September 30, 2016. I’m asking for about 20 minutes of your time to offer your personal insights for the survey, which dives into various issues facing the workforce.

Conducted since 2004, the survey is known for providing the most comprehensive snapshot of the unique position of the information security workforce worldwide. Your responses to the survey will be compiled and released early next year as the 2017 Global Information Security Workforce Study (GISWS). The GISWS is conducted by Frost & Sullivan, a global analyst firm, and is distributed to members of (ISC)², as well as other cybersecurity professionals. Referenced by governments, employers, professionals, and industry stakeholders, the GISWS has been a respected global benchmark for 12 years. In 2015, the United Kingdom’s Cabinet Office referenced the results in their review of the national cybersecurity spending commitments and in a speech delivered by the country’s Chancellor of the Exchequer.

I also want to share that we listened to the respondents from the last survey and reduced the time commitment to participate in this important research. Two years ago, nearly 14,000 (ISC)² members and nonmembers around the world participated in the nearly hour-long survey. The time commitment has been reduced to only 20 minutes for this year’s survey. We ask for your help to sustain the historically high response rate that distinguishes this vital research.

Key findings from the 2015 survey included the continuation of the security workforce shortage, as 62 percent of respondents indicated that their organizations have too few security professionals. This number was up from 56 percent in 2013, and the reasons appear to be less about money (as more organizations are making room in their budgets to hire) and more about an insufficient pool of suitable candidates.

As the field of cybersecurity grows due to the ever-expanding nature of the Internet of Things (IoT), cloud-based services and mobile devices, the demands on the information security workforce will continue to build. Training and educating existing staff is a priority for organizations worldwide, but the talent pipeline also needs to be addressed as the workforce ages.

Don’t miss your chance to be a part of the largest information security workforce survey worldwide. If you’re an (ISC)² member, you will receive an email from Frost and Sullivan with a unique link, created just for you, that will look something like this: {thepowerofhybrid.frost.com/……}. Alternatively, you may go directly to http://www.isc2cares.org to access the general survey link.

I know that your time is valuable, and I appreciate your attention to this relevant industry research. I look forward to sharing the global results of the study in February. Thank you in advance for your participation!

[(ISC)² Blog]

Using Risk Scenarios for COBIT 5 to Help Achieve Business Success

If I had a £1 for every time a client said “it won’t happen to us,” I would be a very rich man and probably would not be writing this blog!

Risk management is about minimizing the chance that it will happen to us: anticipating what might occur to affect the successful delivery of an enterprise’s business goals or objectives, and implementing an appropriate risk response to minimize the risk of an adverse business impact materializing.

This is how risk management is usually seen. However, a good risk management process can also be used to help achieve the successful delivery of a business goal or objective.

In life, we all make mistakes, but the important thing is to learn from the experience. Even better is to learn from the mistakes of others. The use of risk scenarios in an enterprise’s risk management process helps us do just that.

Building a library of risk scenarios will help an enterprise foresee potential risk and select suitable risk responses to reduce the impact to within its risk appetite and risk tolerance. The ISACA publications COBIT 5, COBIT 5 for Risk, and Risk Scenarios for COBIT 5 for Risk provide some very helpful tools to the risk practitioner.

COBIT 5 defines two risk-related process enablers: EDM03, a governance process, and APO12, a management process.

COBIT 5 for Risk Expands on Process Enablers
A key tool in the risk management process is the use of risk scenarios. COBIT 5 for Risk, which expands upon EDM03 and APO12 process enablers, also has a small section providing some generic risk scenarios. However, the risk professional should arm themselves with Risk Scenarios Using COBIT 5 for a comprehensive library of risk scenarios.

Risk Scenarios Using COBIT 5
But what is a risk scenario? A risk scenario is a description of a possible event that, if it occurs, will have an uncertain impact on the enterprise. The core of a risk management process requires risk to be identified and assessed and a suitable risk response to be implemented. Well-developed risk scenarios support these activities and make them realistic and relevant to the enterprise.


Source: ISACA, COBIT 5 for Risk, USA, 2013

Scenarios Inform on Suitable Risk Response
The risk scenario then provides some guidance on a suitable risk response. When a risk assessment identifies that risk is not within the risk appetite and tolerance of the enterprise, then one of four risk responses is required:

  • Avoid: Stop doing that activity.
  • Mitigate: Implement mitigation actions to reduce the inherent risk.
  • Share/Transfer: Transfer the risk, such as through the use of insurance.
  • Accept: Do nothing and live with the risk.

If the selected risk response is mitigate, then the risk scenario gives some pointers to the COBIT 5 process enablers that could be implemented to appropriately manage the risk.

Risk Mitigation in an Elevator
One final thought: even risk professionals get it wrong. Risk Scenarios for COBIT 5 for Risk was developed by a group of nine risk professionals from around the world. Just imagine that these nine arrive at ISACA headquarters at 08.00 one Sunday morning and all step into the same elevator to go up to the 10th floor. There is no one else expected in the building until 07.00 the following morning.

These nine highly experienced risk professionals failed to effectively assess the risk of all getting into the same elevator, and, yes, you’ve guessed it—the elevator jammed just past the 2nd floor. Fortunately, after only a few minutes (which seemed a lot longer) of panic, they were able to pry open the doors of the lift so that everyone could easily step out. But like all good risk professionals, they then learned from their experience, broke into two groups and took two separate lifts to continue their journey to the 10th floor.

How do I know? I was one of the nine! If only we had had a book of risk scenarios we could have consulted.

As part of your member benefits, Risk Scenarios Using COBIT 5 for Risk is available as a no cost pdf download.

Editor’s Note: Risk Scenarios Using COBIT 5 for Risk is the ISACA Bookstore’s June Book of the Month.

Mike Hughes, CISA, CGEIT, CRISC, ISACA Central UK Immediate Past President, Principal Director, HWgrc

[ISACA Now Blog]

Verizon DBIR Says You Can’t Stop the Storm—But You Can See It Coming

The 2016 Verizon Data Breach Investigations Report (DBIR) paints a grim picture of the unavoidable enterprise data breach. But accepting the inevitability of breaches doesn’t mean accepting defeat. It’s like severe weather: you can’t prevent a tornado or hurricane. But with the right visibility tools, you can recognize patterns and mitigate your risk.

Likewise with data security, visibility is critical. “You cannot effectively protect your data if you do not know where it resides,” says Verizon.

Most enterprises plagued by poor data visibility
The report shows that most organizations lack the data visibility tools for effective breach remediation. Hackers gain access more easily than ever, with 93 percent of attacks taking just minutes to compromise the enterprise ecosystem. Yet without the ability to see what’s happening on endpoint devices, 4 in 5 victimized organizations don’t catch a breach for weeks—or longer.

Here’s a look at how data visibility solves many of the major threats highlighted in the 2016 DBIR:

Phishing: See when users take the bait
The report showed users are more likely than ever to fall for phishing. One in ten users click the link; only three percent end up reporting the attack. Instead of waiting for the signs of an attack to emerge, IT needs the endpoint visibility to know what users are doing—what they’re clicking, what they’re installing, if sensitive data is suspiciously flowing outside the enterprise network. The “human element” is impossible to fix, but visibility lets you “keep your eye on the ball,” as Verizon put it, catching phishing attacks before they penetrate the enterprise.

Malware and ransomware: Encryption + endpoint backup
With laptops the most common vector for the growing threats of malware and ransomware, Verizon stresses that “protecting the endpoint is critical.” The report urges making full-disk encryption (FDE) “part of the standard build” to gain assurance that your data is protected if a laptop falls into the wrong hands. Continuous endpoint backup is the natural complement to FDE. If a device is lost or stolen, IT immediately has visibility into what sensitive data lived on that device, and can quickly restore files and enable the user to resume productivity. Plus, in the case of ransomware, guaranteed backup ensures that you never truly lose your files—and you never pay the ransom.

Privilege abuse: “Monitor the heck” out of users
Authorized users using their credentials for illegitimate purposes “are among the most difficult to detect.” There’s no suspicious phishing email. No failed login attempts. No signs of a hack. And for most organizations, no way of knowing a breach has occurred until the nefarious user and your sensitive data are long gone. Unless, of course, you have complete visibility into the endpoint activities of your users. Verizon urges enterprises to “monitor the heck out of authorized daily activity,” so you can see when a legitimate user is breaking from their usual pattern and exfiltrating sensitive data.

Forensics: Skip the hard part for big cost savings
The most costly part of most enterprise data breaches—accounting for half of the average total cost—involves figuring out what data was compromised, tracking down copies of files for examination, and other forensic tasks required for breach reporting and remediation. Most often, an organization must bring in legal and forensic consultants—at a steep price. If you have complete visibility of all enterprise data to begin with, including endpoint data, you can skip much of the hard work in the forensics phase. If you already have continuous and guaranteed backup of all files, all your files are securely stored and easily searchable. Modern endpoint backup solutions go a step further, offering robust forensic tools that make it easy and cost-effective to conduct breach remediation, forensics and reporting tasks without eating up all of IT’s time, or requiring expensive ongoing consultant engagement.

See your data, understand your patterns, mitigate your risk
The whole point of the DBIR is to shed light on data to see the patterns and trends in enterprise data security incidents—to mitigate risk through greater visibility. So read the report. Understand the common threats. But make sure you apply this same methodology to your own organization. With the right data visibility tools in place, you can see your own patterns and trends, learn your own lessons, and fight back against the inevitable data breach.

Download The Guide to Modern Endpoint Backup and Data Visibility to learn more about selecting a modern endpoint backup solution in a dangerous world.

Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Blog]

Watch: Prevention Against Targeted Phishing Attacks

In this Lightboard session, Martin Walter explains how the integration of Palo Alto Networks’ global URL Filtering service (PAN-DB) with the single-pass architecture of our next-generation firewalls and our Threat Intelligence Cloud allows you to safely enable web access while protecting against malware and phishing sites.


[Palo Alto Networks Research Center]
