The result of this morning's hard-fought match broke the hearts of many German fans, but in truth that is quite normal. Life has shown that the better or more talented player does not always win. Things we cannot explain keep happening, and we call them fate or destiny. This morning destiny favored France and its lucky charm Antoine Griezmann, so German fans need not grieve any longer, just as I did not grieve when your team beat the Sky-Blue side that I love so dearly.
As it happens, a young reader messaged me on FB asking whether there is a way to get over the sadness of failing an exam. Failing an exam is actually a very normal part of life, but the pressure of ego weighs on each of us, because we have to save face in front of the people around us. Something like: "Oh, failed again? You're so good and you still failed? The exam was easy, and you still failed!" and so on and so forth. I can tell you that I fail exams as often as I eat meals, and that I have failed twice as many as I have passed. The first time I failed (a very important exam), I was unspeakably sad, had no appetite, curled up in a corner with tears and snot streaming down my face, telling myself: well, that's it, my life is over! But once that passed, I told myself I simply had to study again to do better, so I got back to focused revision, and in the end I passed the exam.
I learned an important lesson from this: failing an exam (let me lump it all together under "failure") has its own value. It forces you to review, study or research more thoroughly and more carefully, and as a result you remember and retain things longer. And if you can, you should fail an exam yourself once in a while, to remind yourself to keep striving and trying harder.
Failure is necessary; the question is how we look at it. Every failure comes with a challenge to rise above ourselves. And each time we rise above ourselves, we find ourselves improved and steadier as we move forward. After going through both failure and success, you will see that failure is as beautiful and as valuable as success, though of course only you can see that beauty and value. But so what? Let others see the success; for yourself, contemplate the failure and its own particular beauty.
"There is never failure, only challenges."
– Chung Ju-Yung, founder and honorary chairman of Hyundai.
As a young man growing up in the Pittsburgh, Pennsylvania area and working in steel mills, (ISC)² CEO David Shearer learned early on that a strong work ethic and a collaborative spirit were important factors in business success. At the first annual conference of the International Consortium of Minority Cybersecurity Professionals (ICMCP), David met Julian Waits, CEO of PivotPoint Risk Analytics, who had started out as a budding saxophone player performing in his hometown of New Orleans, Louisiana. After realizing that they both lived in Safety Harbor, Florida and worked for organizations that could benefit each other, the two leaders began a business partnership to help automate cyber insurance decisions, in an effort to protect businesses from financial risk in the event of a breach.
By (ISC)² CEO David Shearer
(ISC)² and PivotPoint Risk Analytics have signed a business agreement with the goal of empowering chief information security officers (CISOs) to make more effective security business operations and cyber insurance decisions. The solution, called ‘cyber value-at-risk analytics’ (CyVaR™), aims to support CISOs and information security professionals with the information they need to make more strategic business decisions and mitigate risks.
Some may wonder why we’re venturing into this type of relationship as a longstanding vendor-neutral certification body. Our education and certification programs are based on a Common Body of Knowledge (CBK) and will remain vendor-neutral; however, I’m open to fostering relationships with organizations and companies that can provide benefits to our international membership. We’re doubling up our thought leadership efforts in areas where we see potential blind spots within our membership and the industry.
Simply stated, we know we must do more for our members. When it comes to our certified members, we realize that they use tools and programs for their organizations as part of their jobs. As CEO, I believe that I have an obligation to our members to negotiate discounts—where possible—for existing and/or new offerings that we believe can be helpful in advancing their organizations’ cyber, information, software and infrastructure security. This certainly includes tools and services that can better position their organizations’ ongoing cyber insurance requirements. We are open to discussing opportunities for our membership with any organization or company that wants to present how their offerings can add value to our members, their career development and their respective jobs.
This new partnership provides (ISC)² members with a 35 percent discount for the first year of a CyVaR subscription. The benefit provides our members with another way to demonstrate value to their organization, while also making the job of the CISO more efficient.
Information security professionals can sometimes speak a different language than the leadership they answer to, be it a board of directors, CEO or other executives. The business impact of decisions made by the cybersecurity team needs to be quantified, which is the problem that cyber value-at-risk solutions solve. By changing the conversation from a technical discussion about cybersecurity threats to a business discussion about the potential financial impact of cyber risk, members of the C-suite and board can better position their organizations against increasingly sophisticated cyber threats.
“By quantifying the risk to the most critical corporate information assets and associated software and infrastructure, cyber value-at-risk helps CISOs secure the value of their business and bolster their respect in the boardroom,” said Julian Waits, CEO, PivotPoint RA. “We are excited about this collaboration with (ISC)², a recognized organization that is committed to enhancing the security posture of global organizations.”
CyVaR can help determine, for example, how much money an organization could lose to a cyberattack, how investing in security can reduce their risk and what types of cyber insurance would be advisable to transfer financial risks. The CyVaR approach is endorsed by The World Economic Forum’s “Partnering for Cyber Resilience” initiative and is the common risk quantification for its members.
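To make the value-at-risk idea concrete, here is an added example of my own (it is not PivotPoint's CyVaR model and not code from this announcement) that answers the three questions above with a plain Monte Carlo simulation: how much the organization could lose in a bad year, how much a control that lowers the breach rate buys, and how much of the loss a given insurance policy actually transfers. Loss events per year are drawn from a Poisson distribution and the cost of each event from a lognormal one; the scenario parameters, the control's assumed effect on the event rate and the insurance terms are all constructed assumptions.

```python
"""Monte Carlo cyber value-at-risk.

Added illustration, not PivotPoint's CyVaR model. All scenario parameters
below are constructed for the example, not taken from any real assessment.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # expected number of loss events per year (Poisson rate)
    loss_median: float       # median loss per event, in currency units
    loss_sigma: float        # lognormal spread of the per-event loss


def poisson(rate: float, rng: random.Random) -> int:
    """Draw a Poisson-distributed event count (Knuth's multiplication method)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def annual_loss(scenario: Scenario, rng: random.Random) -> float:
    """One simulated year: a lognormal severity for each event that occurs, summed."""
    events = poisson(scenario.events_per_year, rng)
    mu = math.log(scenario.loss_median)   # for a lognormal, mu is the log of the median
    return sum(rng.lognormvariate(mu, scenario.loss_sigma) for _ in range(events))


def simulate(scenario: Scenario, years: int = 20_000, seed: int = 1) -> list[float]:
    rng = random.Random(seed)
    return [annual_loss(scenario, rng) for _ in range(years)]


def value_at_risk(losses: list[float], confidence: float) -> float:
    """Loss that is exceeded in only (1 - confidence) of simulated years."""
    ordered = sorted(losses)
    index = int(round(confidence * (len(ordered) - 1)))
    return ordered[index]


def retained_loss(gross: float, deductible: float, limit: float) -> float:
    """Loss left with the insured under a policy with a deductible and a per-year limit."""
    covered = max(0.0, min(gross - deductible, limit))
    return gross - covered


def compare(baseline: Scenario, with_control: Scenario,
            deductible: float, limit: float, confidence: float = 0.95) -> dict[str, float]:
    """The three CISO questions: how much could we lose, what does a control buy,
    and what does a given insurance policy leave us holding in a bad year."""
    base = simulate(baseline)
    controlled = simulate(with_control)
    return {
        "expected_annual_loss": sum(base) / len(base),
        "var": value_at_risk(base, confidence),
        "var_with_control": value_at_risk(controlled, confidence),
        "var_retained_after_insurance": value_at_risk(
            [retained_loss(x, deductible, limit) for x in base], confidence),
    }


if __name__ == "__main__":
    # Constructed scenario: credential-phishing-led breaches against one business unit.
    baseline = Scenario("phishing-led breach", events_per_year=0.5,
                        loss_median=400_000, loss_sigma=1.0)
    # Hypothetical control (say, phishing-resistant MFA) assumed to halve the event rate.
    with_mfa = Scenario("phishing-led breach + MFA", 0.25, 400_000, 1.0)
    for key, value in compare(baseline, with_mfa, deductible=100_000, limit=2_000_000).items():
        print(f"{key:>32}: {value:>14,.0f}")
```

The 95% figure is the number to put in front of a board: it is the loss a bad year would bring, not the average year, and the gap between it and the expected annual loss is exactly why a mean-only estimate understates the case for a control or a policy. Swapping the assumed event rate or severity for figures from your own incident history is the only change needed to make the output specific to one organization.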
A webinar will be available on July 12 for (ISC)² members and cybersecurity professionals alike to learn more about the partnership, program and what it can mean for them and their organizations. For more information about the CyVaR solution, please visit http://pivotpointra.com/.
Boring training videos, box-ticking to meet regulations, blacklisting software at the expense of productivity: large enterprise has been reliant on these methods of “cyber security control” for too long. They are outdated and don’t work. Cyber criminals don’t follow the steps outlined in a training video from 2006—they innovate, manipulate, penetrate and steal information in many different ways and by many different means.
Internally, employees can also represent a real and significant danger to corporate information, whether by accident or by design: they are the insider threat. Think about it this way. Dropbox might be an easy way to transfer a file to a client, but has it been sanctioned by IT? Ask every knowledge worker in a company that question, and you can guarantee you won't get a single, clear-cut answer. In fact, according to Code42's 2016 Datastrophe Study, 22% of knowledge workers surveyed said their IT department doesn't know they use third-party cloud sharing solutions.
So in 2016, what are the right ways to educate your employees about data security from both an internal and external perspective?
Shock therapy
We briefly covered that training videos and generic presentations don't work that well. Within 10 minutes, staff will have switched off and words will be going in one ear and out the other—unless you've invited Snowden himself to present the training.
To encourage employees to take responsibility and ownership of sensitive corporate data, a more direct approach is needed. Fortunately, cybersecurity consultancy and threat-based penetration testing is something we’re well versed in at First Base Technologies, and we’d recommend the following to drive employee awareness:
Faking data loss—by targeting specific departments (or even the entire company) with a well-designed program of phishing attacks, you can easily demonstrate the real risk to the business and start the process of education. No information is actually compromised, and the affected employees are told it’s been a simple training exercise. I can guarantee that over time, with the right messages it’ll hammer home the importance of double-checking whether to click that link, install that file, or respond to that unknown request in the future. Think of it as the cyber security equivalent of regular fire drills.
Physical penetration testing—this involves hiring third-party security consultants to visit an office disguised as "help-desk" computer engineers, visitors or even cleaners. In actuality, they are penetration testers evaluating both the physical security of an organization and its network infrastructure, with the goal of demonstrating unauthorized access to sensitive information. The resulting report, often accompanied by video footage of the exercise, provides valuable guidance on security weaknesses and remediation. Staff are briefed on what happened and the potential gravity of the situation, providing another important lesson as a result.
Company-wide warnings—as information security professionals, we are well versed in the latest threats and the results of high-profile breaches. And thanks to the recent media agenda, it does seem to be filtering down to non-IT folk too. According to Datastrophe, 74% of knowledge workers say that IT staff’s ability to protect corporate and customer data is very important to their company’s brand and reputation. To communicate these facts to the remaining 26% of employees, breach and security risk information should be regularly delivered to staff at all levels.
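For the first recommendation above, the part that turns a phishing drill into a measurable and safe exercise is the plumbing behind the link. The following is an added example of my own (not First Base Technologies' tooling, and not code from the original post) of that plumbing: each recipient's link carries an HMAC-signed token, so a click can be attributed to one person without anything sensitive in the URL and without anyone being able to forge clicks for a colleague; the landing handler records whether the person merely clicked or also typed into the fake login form, but never keeps what they typed; and the report rolls results up by department, which is the number a debrief is built on. The employee directory, campaign name, secret and landing URL are all constructed for the example.

```python
"""Phishing-drill link tracker.

Added example, not First Base Technologies' tooling. Employees, secret,
campaign name and URLs below are constructed for the example.
"""
import hashlib
import hmac
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed per-campaign secret; rotate it for every drill.
CAMPAIGN_SECRET = b"constructed-secret-rotate-per-campaign"

# Constructed directory: employee id -> department.
EMPLOYEES = {"e101": "Finance", "e102": "Finance", "e103": "Finance",
             "e201": "Engineering", "e202": "Engineering",
             "e301": "Sales"}


def sign(employee_id: str, campaign: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Tag binding an employee to one campaign; 64 bits is plenty for a drill."""
    message = f"{campaign}:{employee_id}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()[:16]


def tracking_link(base_url: str, employee_id: str, campaign: str) -> str:
    query = urlencode({"c": campaign, "u": employee_id, "t": sign(employee_id, campaign)})
    return f"{base_url}?{query}"


def verify(params: dict, secret: bytes = CAMPAIGN_SECRET) -> Optional[str]:
    """Return the employee id if the token is genuine and known, else None."""
    try:
        campaign, employee_id, tag = params["c"][0], params["u"][0], params["t"][0]
    except (KeyError, IndexError):
        return None
    expected = sign(employee_id, campaign, secret)
    if hmac.compare_digest(expected, tag) and employee_id in EMPLOYEES:
        return employee_id
    return None


def handle_landing(query_string: str, form_fields: dict) -> dict:
    """What the landing page does on a click: attribute it, keep no secrets.

    Whatever was typed into the fake login form is dropped; only the fact that
    a form was submitted is recorded, so the report can separate "clicked" from
    "clicked and typed a password" without the drill becoming a credential harvest.
    """
    employee_id = verify(parse_qs(query_string))
    return {"employee": employee_id, "action": "submitted" if form_fields else "clicked"}


def report(events: list[dict]) -> dict[str, dict[str, float]]:
    """Per-department click and submit rates; one person counts once, at their worst action."""
    worst: dict[str, str] = {}
    for event in events:
        employee = event["employee"]
        if employee is None:                     # forged, garbled or expired token
            continue
        if event["action"] == "submitted" or employee not in worst:
            worst[employee] = event["action"]
    headcount = Counter(EMPLOYEES.values())
    clicked, submitted = Counter(), Counter()
    for employee, action in worst.items():
        clicked[EMPLOYEES[employee]] += 1
        if action == "submitted":
            submitted[EMPLOYEES[employee]] += 1
    return {dept: {"click_rate": clicked[dept] / headcount[dept],
                   "submit_rate": submitted[dept] / headcount[dept]} for dept in headcount}


def run_drill(campaign: str = "q3-invoice") -> dict[str, dict[str, float]]:
    """Constructed drill: a handful of clicks, one repeat, one tampered token."""
    base = "https://drill.example/land"   # hypothetical landing page
    query = lambda emp: tracking_link(base, emp, campaign).split("?", 1)[1]
    events = [
        handle_landing(query("e101"), {}),                                # Finance: clicked
        handle_landing(query("e102"), {"user": "x", "password": "y"}),    # Finance: typed credentials
        handle_landing(query("e102"), {}),                                # repeat click, counted once
        handle_landing(query("e201"), {}),                                # Engineering: clicked
        handle_landing(query("e301").replace("u=e301", "u=e302"), {}),    # tampered id: ignored
    ]
    return report(events)


if __name__ == "__main__":
    for dept, rates in run_drill().items():
        print(f"{dept:>12}: clicked {rates['click_rate']:.0%}, submitted {rates['submit_rate']:.0%}")
```

Because the token is keyed to the campaign as well as the person, links from last quarter's drill stop verifying once the secret is rotated, and a forwarded link still attributes to the original recipient rather than to whoever it reached, which is what you want when the debrief names departments rather than individuals.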
Education. It really is the most important weapon in IT and security professionals’ arsenals. It’s a fact that in 2016 and beyond, organizations are under attack pretty much constantly, and if employees aren’t wise to this, the insider threat they present is realized with devastating results. With Datastrophe highlighting that 36% of knowledge workers think the business they work for may be at risk of a public data breach in the next year, it seems people are fortunately starting to understand the threat. And by IT and senior management enacting some of the training methodology above, knowledge workers will start getting well versed in information security practices too.
Registration Now Open for the Industry’s Premier Gathering for Cloud Education and Best Practices
San Jose, CA – July 6, 2016 – The Cloud Security Alliance (CSA), the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced that Gerhard Eschelbeck, Vice President, Security & Privacy Engineering at Google, will present the opening keynote at the upcoming CSA Congress USA at the Privacy.Security.Risk 2016 (P.S.R.) conference taking place September 13-16 in San Jose, CA.
As Vice President of Security & Privacy Engineering at Google, Eschelbeck leads the teams that ensure data and systems security, as well as user privacy. Gerhard has a passion for championing new technologies and is a trusted advisor to a number of early-stage startup companies. He has published the "Laws of Vulnerabilities", is one of the inventors of the Common Vulnerability Scoring System (CVSS), and holds numerous patents in the field of managed network security.
“Google is a critical part of the cloud computing ecosystem and we are very excited to have Gerhard kick off this year’s event to share best practices, proven approaches and lessons learned with our conference attendees,” said Jim Reavis, CEO of the Cloud Security Alliance. “Whether you are a long time user of cloud technology or a relatively new adopter, this year’s conference is guaranteed to take your knowledge to a new level with new ideas that attendees can readily walk away with and apply to their own organization.”
Presented by the IAPP Privacy Academy and CSA Congress, the P.S.R. Conference, now in its third year, is expected to draw approximately 1,500 privacy and cloud security professionals. The event brings together two related fields, privacy and security, with important perspective to help practitioners excel in their roles. The event aims to deliver the most thought-provoking speakers and sessions, led by the foremost experts, and provides invaluable opportunities to connect and share ideas. The joint event will provide attendees with more than double the education and networking opportunities with the leading innovators and practitioners in technology, security and privacy for the price of a single conference.
About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA's activities, knowledge and extensive network benefit the entire community impacted by cloud, from providers and customers to governments, entrepreneurs and the assurance industry, and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. CSA has developed the definitive best practices for the industry, such as the "Security Guidance for Critical Areas of Focus in Cloud Computing", the "Cloud Controls Matrix", "Top Threats to Cloud Computing" and 50 other cloud security research artifacts. For further information, visit us at www.cloudsecurityalliance.org.
About the IAPP
The International Association of Privacy Professionals is the world’s largest association of privacy professionals with more than 20,000 members across 83 countries. The IAPP is a not-for-profit association that helps to define and support the privacy profession globally. More information about the IAPP is available at www.privacyassociation.org.
Media Contact
Kari Walker
ZAG Communications
703.928.9996
kari@zagcommunications.com
Today, with a plenary vote in the European Parliament, the EU took the near-final step in enacting its groundbreaking cybersecurity legislation, the Network and Information Security (NIS) Directive. This is the result of more than three years of effort by the European Commission, Council and Parliament, working with stakeholders from Europe and around the world. Proposed in response to growing concerns about cyberthreats, and in an attempt to raise the cybersecurity and resilience of network and information systems in EU member states, this is the first time the EU has legislated specifically on cybersecurity. Notably, the Directive frames cybersecurity in an economic and societal context, observing its importance in underpinning economic activities and growth as well as user confidence in online activities, and thus also in facilitating the internal EU market. The Directive will soon be published in the Official Journal of the European Union and will come into force 20 days after that. EU member states will then have 21 months to transpose it into national laws.
With implications for both industry and member states, the Directive establishes security and incident notification requirements for “operators of essential services” (e.g., providers of energy, transportation, healthcare services) and, to a less stringent extent, “digital service providers” (online marketplaces, online search engines, and cloud service providers). It requires member states to adopt national NIS strategies; to designate national competent authorities; and to have “well-functioning” computer security incident response teams (CSIRTs) to detect, prevent, and respond to cyber incidents and risks. It emphasizes coordination among member states, setting up a CSIRT network (also to include CERT-EU) to promote swift and effective operational cooperation, and a “cooperation group” to support and facilitate strategic cooperation and information exchange.
Although today’s vote is a milestone, the next steps matter more. In turning the Directive’s prose into action through national implementation, member states must prioritize consistency. Operators of essential services and digital service providers need a sense of regulatory predictability. Under the Directive, member states determine which entities meet the criteria for “operators of essential services.” The Directive provides a common methodology to do so and directs member states to consult with each other when looking at companies serving multiple EU markets, which so many do. This is key—disparate methodologies or divergent views of what constitutes an “operator of essential service” could lead to confusion and possible misallocation of security resources. The same goes for member states’ authority to further define the security and incident notification requirements for operators of essential services: despite the flexible implementation allowed for by the Directive, consistency should be the goal.
Harmonized approaches to cybersecurity are an essential ingredient in improving cybersecurity worldwide. Cybersecurity resources are scarce in both government and industry and any redundant or inconsistent activities or requirements could divert resources from where security is needed and from the ability to develop responses to constantly evolving cybersecurity threats. Coordination is needed not just within the EU. We urge member states, the Commission, Parliament, and the EU Agency for Network and Information Security (ENISA) to continue to engage with governments and industry outside of Europe to ensure maximum alignment as the NIS Directive is fleshed out.
Many actions EU member states must take in terms of their own strategies and activities would, if implemented and resourced sufficiently, have great potential to raise the cybersecurity bar. For example, the CSIRT network is an important addition to the international CSIRT (CERT) community. Palo Alto Networks works with many CSIRTs across the EU and NATO. We look forward to working with others as they get up and running and to helping them start off strongly. Significantly, the Directive encourages member states' CSIRTs to participate in international cooperation networks in addition to the CSIRT network established in the Directive. Cybersecurity threats are global, and cooperation among CSIRTs around the world helps pool knowledge and resources to address these common threats. In another example, the Directive requires member states to have national NIS strategies that include cyber education and awareness raising, which plays an important role in helping companies assess and manage their cyber risks and citizens better protect themselves online.
The Directive instructs member states to ensure competent authorities have adequate technical, financial, and human resources to carry out their tasks effectively and efficiently. Cybersecurity resources are tight for governments everywhere, but we hope member states allocate what they can. To this end, partnerships are key. The Directive gives ENISA a variety of roles, such as, if needed, helping member states develop their strategies and establish CSIRTs. If member states also take advantage of the considerable industry expertise that exists, we can all improve cybersecurity more quickly.
We commend European policymakers for taking steps to put cybersecurity front and center. Moving forward, member states’ activities to implement the Directive will vary, given their different levels of preparedness. Some, notably Germany, France and the Netherlands, have worked on cybersecurity for years and introduced or passed their own cybersecurity laws in advance of the NIS Directive. They may need only to make small adjustments to align with the Directive’s minimum requirements, if at all. Other member states will benefit more substantively from the Directive’s guidance. Ultimately, the more all EU member states can raise the collective bar the more the global digital infrastructure will benefit.