I have just finished reading the CSX Fundamentals Study Guide, which ISACA provides for the CSX Fundamentals exam. I am impressed. When I hire entry level individuals to work for my company, I look for someone who has familiarity with the topics outlined in the guide. I don’t expect them to be an expert, but when we are tackling a subject as a team, I expect my employees to know the topic being discussed.
Over the years, my employees have been exposed to many cyber security issues, and for the most part, they understand the new ideas and are able to conduct research on them. This helps improve our company’s awareness of critical cyber security issues and what we can expect with the next issue we will have to evaluate or the next solution that we will have to implement. What I like about the CSX Fundamentals Study Guide is that it outlines those very key topics we are in the throes of working on every day.
Everything changes rapidly in technology; however, companies are not always on the cutting edge, and the subjects covered in the guide are works in progress. That means the guide and courses are preparing someone who is entertaining a cyber security career so that they can be versed in what is currently going on. I appreciate that as a hiring manager. I don’t expect an entry-level person to be certified with high-end skills or have extensive experience in a particular area. I do expect them to come on board and be able to acclimate to our environment and be part of the team working on such things as data loss prevention (DLP), mobile technologies and their use within the corporation.
I have expertise in forensics and encryption on my team; however, I need new hires to know the basics of why and how to use these technologies. The guide provides a good base of knowledge for these and other technologies, with the expectation that an entry-level hire would be able to work with another team member and provide value by taking over some of the tasks.
Naturally, a new hire would need further training; that goes without saying. But the CSX Fundamentals Study Guide helps to put that person on the same page as the rest of a team in the cyber security community. I would also recommend using the guide in preparing for the exam. Having instructed CISA and CISM courses for years, I find this guide hits the fundamentals right on and would benefit the exam taker.
The CSX program is very meaningful to the cyber security field, and I expect the courses ISACA is creating will boost the numbers in the profession.
The intent to enforce… something quite significant actually.
A first read and review of the news coverage around the United Kingdom’s (U.K.) new Cybersecurity Strategy earlier this month left many believing that there is little to report on cybersecurity from the new government. The initiatives articulated and the funding levels had already been publicly discussed throughout the year, while any new intentions expressed in the strategy lacked detail.
My initial reaction was disappointment that Theresa May’s government did not see fit to add new funds to the £1.9 billion committed by the previous Chancellor in November last year. Given that Ms. May had been Home Secretary and her new Chancellor, Philip Hammond, Secretary of State for Defence, they clearly bring an informed view of how threats are evolving. Mr. Hammond even highlighted in his speech the elevated level of threats coming from state actors and terrorism in particular.
I have since had the chance to spend time absorbing the new strategy, and looking back to what was said in the original five-year plan, the difference is astonishing. Today, we have a narrative that reflects a much clearer understanding of the scope of the task ahead, something (ISC)² as a professional body has been working to articulate for some time. The government has also clearly laid out what it believes its job should be, and what it expects of the rest of us as professionals, businesses, innovators, and individual citizens. It is interesting that Hammond chose a technology innovation event – Microsoft’s Future Decoded conference – to announce the strategy, clearly working to reach an audience that is to be held accountable.
“Technology companies – many of whom are represented here today – must take responsibility for incorporating the best possible security measures into the design of their products.
Getting this right will be crucial to keeping Britain at the forefront of digital technology security – itself a growing business sector,” he said on the day.
The report itself details far more specific expectations:
“Organisations and company boards are responsible for ensuring their networks are secure. They must identify critical systems and regularly assess their vulnerability against an evolving technological landscape and threat. They must invest in technology and their staff to reduce vulnerabilities in current and future systems, and in their supply chain, to maintain a level of cybersecurity proportionate to the risk. They must also have tested capabilities in place to respond if an attack happens.”
With reference to incident response, the expectation is repeated:
“It is the responsibility of organisation and company management, in both the public and private sector, to ensure their networks are secure and to exercise incident response plans.”
And again with reference to skills:
“… employers also have a significant responsibility to clearly articulate their needs, as well as train and develop employees and young people entering the profession.”
Perhaps most crucially, the government laid out an intent to enforce what is expected. The document states unequivocally that market forces have not been and will not be enough to ensure the action required, and that government will work “in partnership with departments and regulators, who will assure whether cyber risk is being managed in their sectors to the level demanded by the national interest.” Further, the EU General Data Protection Regulation (GDPR) to be in force by May 2018 is cited as an effective lever to drive up standards and there is an intent to ensure that the industry acts and becomes “outcome” rather than “compliance” focused.
Cyber and information security professionals have been asking organisations for such a mandate for over two decades. The U.K. government has now given it to us. I encourage our membership and the cybersecurity community in general, whether they are working within the U.K. or not, to take the time to read the new U.K. Strategy, understand its intent, and take on an active role in assuring their organisations can do their part.
As I read through the document, I stopped wondering whether the Government thinks its budget commitments to cybersecurity are adequate. I don’t believe that it does. I suspect we didn’t see more funding because the government doesn’t yet know how much it will cost; because much of what it is doing should come with the evolution of the economy in a digital age; and because we need to see greater value from what has been committed to date to justify any increases in budget. There seems little justification to add to the public investment before the private sector begins to assume its role more definitively. I suspect we will see more public funds committed to this strategy, but not before fines for lack of action fuel public coffers.
By Adrian Davis, CISSP, Managing Director EMEA, (ISC)²
Findings Come on the Heels of Successful CSA APAC Congress in Bengaluru
Bengaluru, India – November 22, 2016 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, successfully hosted its 4th CSA APAC Congress on 22nd-23rd November in Bengaluru, India. This two-day event hosted delegates from over 300 international government organizations, industry, academia and professional bodies, attending compelling presentations and interesting discussions about research, development, practice and trends related to cloud security.
The conference featured some of the region’s and world’s most influential minds in information security and cloud computing including:
Shri. Ajay Kumar, Additional Secretary at Ministry of Electronics & Information technology
Rajiv R. Chetwani, Director Information Systems Programme Office at ISRO
Sri. Raj Kumar Srivastava, IFS, Managing Director, Karnataka State Electronics Development Corporation Limited
Dr. Amar Prasad Reddy, Director General at National Cyber Safety & Security Standards
Jim Reavis, Co-founder & CEO of Cloud Security Alliance
Dr. Meng Chow Kang, Chief Information Security Officer, APJC Region at Cisco Systems, Inc.
Juanita Koilpillai, Founder & CEO of Waverley Labs
Rudra Murthy, CISO, Digital India at Ministry of Home Affairs
Debabrata Nayak, Chief Security Officer at Huawei
Dr. Vikram Sharma, Founding Director & Chief Executive Officer at Quintessence Labs
Clayton Jones, Managing Director Asia-Pacific, (ISC)²
Cloud Security Alliance also announced the release of the survey report State of Cloud Adoption in India. This report is part of an ongoing series of research initiatives to provide insights on cloud adoption across the APAC region, to recognize APAC countries leading the cloud adoption trend, and to identify countries with opportunities for cloud computing adoption. The State of Cloud Adoption in India report presented two key findings for the region:
A lack of established industry standards within the Indian cloud computing industry is a lingering problem the country faces. Public cloud services offered in India by local providers are commonly proprietary to a great extent, which may pose challenges for cloud consumers should they want to develop a global IT strategy, not to mention move from one cloud provider to another. In addition, the current state of relevant national standards in India is not compatible or aligned with global standards.
Indian organizations are extremely concerned about security, especially data sovereignty. Organizations are most worried about their data on the cloud. Data breach and data loss are major concerns of organizations from a cloud security perspective.
Aloysius Cheang, Executive Vice President and Managing Director APAC of the Cloud Security Alliance, said, “This study is critical for us to understand the current landscape in India. The results are both expected and shocking. It is expected that data sovereignty and data breach will continue to be the top-line concerns of senior management in companies in India and other parts of the world. But it is shocking to find that while there is increased usage of cloud services in India, the maturity and the strategic use of cloud services lags behind other countries that we have surveyed. Coming from the ICT capital of the world, that is shocking.”
Speaking at the launch, Sandip Kumar Panda, CEO of InstaSafe, said, “While Cloud adoption in India is on the rise, security concerns still dominate a lot of discussions about movement to cloud. The objective of conducting this survey, in conjunction with CSA, was to understand the Indian CIO’s mindset, the current adoption status, unearth gaps in widespread adoption and work with the industry to help assuage those fears. It would be imperative for Indian CIOs to read the report to understand where they are on the adoption cycle and work with their vendors in asking the right questions.”
In addition to the other conference highlights, CSA announced a new research working group, SaaS Governance.
SaaS Governance Working Group
The SaaS Governance Working Group aims to benefit all parties in the Software-as-a-Service (SaaS) ecosystem by supporting a common understanding of SaaS-related risks from the perspectives of the cloud customer and cloud service provider. Security and privacy are the primary concerns for organizations considering SaaS adoption, and recent research indicates that 77% of SaaS-adopting organizations have experienced SaaS-specific security incidents. SaaS services account for the bulk of the cloud industry market, and any security incident could critically impact cloud customers. SaaS services present unique risks to their cloud customers: they are often highly specific to particular business processes, they handle and store critical business and personal data, and much more. Due to heavy competitive pressure in the SaaS market today, security is too often not a top priority for SaaS providers – especially for the smaller providers that may not have the necessary security expertise to identify and manage the risks that could impact cloud customers and the cloud provider’s own operations.
For more information on the SaaS Governance Working Group along with other CSA research initiatives, events and education, visit https://cloudsecurityalliance.org.
About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. CSA has developed the definitive best practices for the industry, such as the “Security Guidance for Critical Areas of Focus in Cloud Computing”, the “Cloud Controls Matrix”, “Top Threats to Cloud Computing” and 50 other cloud security research artifacts.
It’s time to flip our thinking about enterprise information security. For a long time, the starting point of our tech stacks has been the network. We employ a whole series of solutions on servers and networks—from monitoring and alerts to policies and procedures—to prevent a network breach. We then install some antivirus and malware detection tools on laptops and devices to catch anything that might infect the network through endpoints.
But this approach isn’t working. The bad guys are still getting in. We like to think we can just keep building a bigger wall, but motivated cybercriminals and insiders keep figuring out ways to jump over it or tunnel underneath it. How? By targeting users, not the network. Today, one-third of data compromises are caused by insiders, either maliciously or unwittingly.
Just because we have antivirus software or malware detection on our users’ devices doesn’t mean we’re protected. Those tools are only effective about 60% to 70% of the time at best. And with the increasing prevalence of BYOD, we can’t control everything on an employee’s device.
Even when we do control enterprise-issued devices, our security tools can’t prevent a laptop from being stolen. Or keep an employee from downloading client data onto a USB drive. Or stop a high-level employee from emailing sensitive data to a spear phisher posing as a co-worker.
We need to change our thinking. We need to admit that breaches are inevitable and be prepared to quickly recover and remediate. That means starting at the outside, with our increasingly vulnerable endpoints.
With a good endpoint backup system in place, one that’s backing up data in real time, you gain a window into all your data. You can see exactly where an attack started and what path it took. You can see what an employee who just gave his two weeks’ notice is doing with data. You can see if a stolen laptop has any sensitive data on it, so you know if it’s reportable or not.
By starting with endpoints, you eliminate blind spots. And isn’t that the ultimate goal of enterprise infosec?