The Cybersecurity Canon: Cybersecurity for Business Executives Toward an Era When Everything Is Connected

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Executive Summary. This is noteworthy as the first cybersecurity book written in Japanese to target government leaders and C-suites to convince them that cybersecurity is a business management issue, not just a technical one. It is also the first Japanese book about cybersecurity to be translated into English.

The authors aim to share with domestic and global audiences what a Japanese company thinks about cybersecurity and what kinds of cybersecurity professionals the company has, because such openness is the only way to obtain feedback from global audiences, build confidence and enhance the company’s cybersecurity capabilities. This is unusual in Japanese business practice, which discourages companies from doing things differently from other companies or breaking with tradition.

The book has three key messages: first, we need to reposition cybersecurity from a technical issue to a business management challenge, as cybersecurity requires a whole-company approach to protect trust. Second, cybersecurity is about everything, and cybersecurity professionals are diverse. Third, the industry needs to work together on cybersecurity, not just leave it to the government and tech companies to solve these issues. These may not sound new to non-Japanese governments and companies. Yet, they show the strong will of Japanese business people to break the silence and reach out to global thought leaders to collaborate on cybersecurity.

Review. This is an epoch-making book in two ways: it is the first one written in Japanese to target government leaders and C-suites to convince them that cybersecurity is not just a technical issue but one of business management; and it is the first Japanese cybersecurity book to be translated into English to reach out to global experts and show Japanese businesspeople are ready for international collaboration. Before this book, cybersecurity books in Japanese had been either technical or national security-focused.

The authors belong to the NTT Cybersecurity Study Group, which consists of Senior Managers from NTT Group companies, including public advocacy personnel. NTT is one of the biggest telecom companies in the world, one of only four such companies globally with annual returns over US$100 billion. The Study Group aims to serve as an information hub for the NTT Group to enhance internal cybersecurity capabilities. Members regularly meet to discuss cybersecurity challenges and share their updates with other Group companies.

The Study Group decided to share what a Japanese company thinks about cybersecurity, as well as information about the kinds of cybersecurity professionals they have, with domestic and global audiences in order to obtain feedback from global audiences, build confidence, and enhance the company’s technical and non-technical cybersecurity capabilities. This is unusual in Japanese business practice, which encourages companies to avoid doing something different from others and from tradition.

When I first found this book, I was pleasantly surprised by the authors’ willingness to change the Japanese mindset, to be open in terms of how their company and cybersecurity professionals think about cybersecurity, and to be game-changing in creating social capital such as trust and norms. Japanese businesses tend to evaluate employees by giving demerit scores. When a new employee starts working for a company, he or she has a full score. As long as the employee performs in line with his or her predecessor, this score remains intact. However, if the employee decides to challenge the company’s traditional approach and try something new, but fails to achieve visible positive results, the score is reduced. Courage is rarely appreciated. This culture discourages employees from testing new approaches and encourages them to stay in a safe zone.

I was also amazed that this book came out two months before the Japanese government issued the Cybersecurity Guidelines for Business Leadership Ver. 1.0 to urge Japanese executives to invest more in cybersecurity as part of their business strategy. Traditionally, Japanese companies have not been proactive about informing the government about what Japan should do, unlike American companies.

The book has three key messages. First, we need to reposition cybersecurity from merely a technical issue to an important business management challenge, as cybersecurity requires a whole-company approach to protect trust. The authors point out that cybersecurity cannot be left solely to several experts because this does not allow an organization to take cybersecurity measures to meet organization-wide needs. Every employee uses information and communications technology these days. Cybersecurity is needed for everybody, yet resources are not limitless. The whole-company approach is crucial to decide how to optimize and prioritize the allocation of limited budgets and manpower.

Second, cybersecurity is about everything, and cybersecurity professionals are diverse. There is a wide variety of cybersecurity skillsets, such as knowledge about cyberattacks and defenses, risk analysis and business strategy, and education and training. Chapter 2 introduces 14 cybersecurity professionals, both Japanese and American, from different parts of NTT Group: white hat hackers, consultants, security operations center personnel, and others from financial security, internal defense, managed security service, hardware security, and encryption.

This is probably the first time any Japanese end-user company has revealed a list of their cybersecurity talent to third parties. Because hackers, even white hats, do not necessarily have a positive image in Japan due to the scarce information available about them, this book must have been encouraging to white hat hackers in Japan.

The examples also would have been useful for other end-user companies to learn what kinds of cybersecurity skillsets and professionals exist. NTT is one of three companies (in addition to Hitachi and NEC) that launched the Industrial Cross-Sectoral Committee for Cybersecurity Human Resources Development in June 2015, to create an ecosystem between schools, universities, companies and the government to educate, recruit, hire and retain cybersecurity professionals.

Third, the authors argue that the industry needs to work together on cybersecurity and should not just leave issues to the government and tech companies to solve. These points may not sound new to non-Japanese governments and companies, yet they show the strong willingness of Japanese businesspeople to break the silence and reach out to global experts to collaborate on cybersecurity.

The authors use Chapter 3 to show how determined they are to be a game changer in the 21st century, in which cyberattackers tend to have the upper hand over defenders. The authors recognize the importance of a multi-stakeholder approach and public-private partnerships, and they have faith in end-user companies to play proactive roles in cybersecurity to change the game. End-user companies fight cyberattacks on a daily basis and own their defense strategy.

Chapter 3 also introduces examples of U.S. cybersecurity efforts, including the White House’s Summit on Cybersecurity and Consumer Protection in February 2015, and Information Sharing and Analysis Centers (ISACs). This aims to help Japanese readers learn lessons from the U.S. about how ISACs’ cyberthreat intelligence sharing helps the critical infrastructure sector and how U.S. leadership is committed to being involved in cybersecurity discussions and sharing personal experiences.

Conclusion. The message about cybersecurity as a business management issue is not new. Global experts, especially Americans, are already familiar with ISACs and the NIST Framework, as mentioned in the closing chapter. Why, then, did the authors translate the book into English and post the translation for free on the NTT Group website?

They did it because this book is not just about cybersecurity for leaders. It is also about public advocacy, which the Japanese do not usually practice in the global community. The authors are aware that the cybersecurity described in this book is not perfect, but they are willing to take any feedback, because openness is the only way to break the current wall and grow out of it.

English speakers will find the book demonstrates how Japanese companies are developing a foundation for global collaboration. After reading how cybersecurity professionals in Japan struggle with, and try to overcome, various challenges, global experts will see how they can work with Japan more closely.

[Palo Alto Networks Research Center]

Cloud Security Alliance Announces “Grand Opening” of Its New Third-Party Global Consultancy Program

Selected Inaugural Providers BH Consulting, KPMG, Optiv and Securosis Ready to Help Organizations Ensure Secure Cloud Implementation Best Practices

SEATTLE, WA – June 5, 2017 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the launch and immediate availability of the CSA Global Consultancy Program (CSA-GCP). The new professional services program, developed and managed by the CSA, has been established to support the growing global demand from organizations in need of an improved cloud security posture and high standards of compliance and assurance. The CSA-GCP is grounded in CSA’s industry-leading and widely accepted best practices in cloud security and is being offered by a highly vetted, trusted network of organizations and professionals, the first being BH Consulting, KPMG, Optiv and Securosis.

“For many organizations, adopting the cloud can seem like a monumental task, and it can be difficult to know where to begin as there are too many and often too complex series of business and technology decisions that must be understood and weighted,” said Daniele Catteddu, CTO of the CSA. “The Cloud Security Alliance Global Consulting Program has been created with precisely this in mind and supports our ongoing mission of providing best practices and education for secure cloud computing. These first four program providers are among the most trusted and recognized in the industry and bring with them a broad understanding of the challenges organizations face when moving to the cloud. We are excited and fortunate to have them on board.”

The first four providers making up the initial program network are:

BH Consulting is an independent advisory firm, specializing in information security consulting, ISO 27001, cybersecurity, risk assessment, cloud security, incident response, cloud and digital forensics, and training.

KPMG is one of the largest professional services companies in the world, providing audit, tax and advisory services. KPMG works closely with their clients, helping them to mitigate risks and grasp opportunities.

Optiv is a provider of end-to-end cybersecurity solutions to help companies plan, build and run successful cybersecurity programs in any technology environment, whether on premise, cloud or a hybrid of both.

Securosis is an information security research and advisory firm that has the field-tested techniques, frameworks, and programs to be “more” secure in the cloud than in data centers, without sacrificing agility.

The CSA-GCP will initially focus on consultancy support in the areas of secure cloud design, cloud architectures, secure cloud implementation, cloud information security programs, cloud assessment and compliance, risk management, and cloud security governance. The following CSA best practices will be included as a reference body of knowledge: CSA Security Guidance, Cloud Control Matrix, Consensus Assessment Initiative, Open Certification Framework and STAR Program, Enterprise Architecture, and Software-Defined Perimeter.

Only organizations with a broad understanding of CSA best practices and values are eligible to be recognized as a qualified source of professional services based on CSA best practices. Provider fees for consultancy work are set independently by each authorized partner and are based on the individual program scope and support required. Organizations interested in working with one of the CSA-GCP providers may visit https://cloudsecurityalliance.org/global-consultancy/#_contact.

For more information on the CSA Global Consultancy Program, please visit https://cloudsecurityalliance.org/global-consultancy/.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

Threat Landscape Demands Action from Enterprise Leaders

In today’s climate, it is fully apparent organizations must treat cyber security as a central business priority.

While awareness about cyber security’s importance is spreading among enterprise leaders – and how could it not, given the way cyber threats have dominated many of our recent news cycles? – ISACA’s State of Cyber Security 2017: Current Trends in the Threat Landscape report suggests that the growing awareness must lead to addressing unsettling gaps in many organizations’ security programs.

The report shows that only 53 percent of organizations have a process in place to handle and recover from ransomware incidents – a very concerning statistic, but perhaps one that will change markedly in the aftermath of the massive WannaCry attacks. The enormous scope of those global attacks made it clear that any organization unprepared for ransomware is in need of “a rapid rethink,” as my ISACA colleague, Raef Meeuwisse, noted.

Concerns about the security of Internet of Things (IoT) devices also show no signs of abating. The majority of enterprises said they are concerned about IoT devices in the workplace, which surely factors into the 4 in 5 respondents who consider it likely or very likely that their enterprise will experience a cyberattack this year.

Not all is gloomy – there were some encouraging findings, as well. The State of Cyber Security 2017 report finds that exploits resulting from mobile device loss are down significantly, which aligns with the recent Study on Mobile Device Security from the US Department of Homeland Security, in conjunction with NIST. That report indicates that mobile device security is generally improving, noting, however, that “many communication paths remain unprotected and leave the overall ecosystem vulnerable to attacks.”

ISACA’s 2016 State of Cyber Security report showed that 50 percent of the responding organizations had CISOs. This year, 65 percent have them, which reinforces that executive leadership is making security a priority. Still, budgets are not keeping up with the rapidly expanding threat landscape; only half of organizations expect an increase in their security budgets in the coming year, 11 percentage points fewer than those who said they expected an increase in last year’s report.

If enterprises are going to be prepared for the mounting challenges, investing in a strong cyber security workforce is a must. Security professionals must not only be trained, but have their skills developed and refreshed using hands-on technical training and performance-based assessment, which is why this year ISACA developed the Cybersecurity Nexus (CSX)™ Training Platform. This focus on skills development must occur while assuring that professionals understand the nature of the enterprises for which they work.

There is much that must be done – urgently – as ISACA’s State of Cyber Security 2017 makes clear. Consider that fewer than half of security leaders said they are confident in their team’s ability to handle anything beyond simple cyber incidents. In today’s threat landscape, that is unacceptable.

By now, the importance of bolstering cyber security capabilities is clear to all responsible enterprises. The ones who commit to developing a strong culture of cyber security – and providing the resources necessary to build skilled and well-trained security teams – are the ones that will thrive in today’s global economy.

Editor’s note: Current Trends in the Threat Landscape is the second installment in ISACA’s State of Cyber Security 2017 report. The first installment focused on workforce trends and challenges. Both reports are available at www.isaca.org/state-of-cyber-security-2017.

Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, chair of ISACA’s Board of Directors and group director of Information Security for INTRALOT

[ISACA Now Blog]
