Need a CISO? Then Have Good Answers to These Four Questions

Demand for top-level security professionals continues to exceed supply. Recent data from the job site Indeed shows that “severe cyber security skills shortages persist in every country.” In fact, in only two countries—the U.S. and Canada—does the supply of job seekers exceed even 50% of employer demand.

In this environment, the best security professionals can be selective in choosing where to apply their talents. It is, therefore, important for corporate management and board members to get inside the heads of these leaders and understand what factors make them satisfied and successful in their jobs.

To help, we have identified four overarching questions CISO candidates typically ask when evaluating an opportunity. As you look at the questions below, it is worth thinking about how your organization stacks up—and what actions you might be able to take to make improvements.

  • “Who is my sponsor and how much influence does he or she have?”

This is likely to be the first question on the CISO candidate’s mind, and he or she is thinking about this issue in at least two specific ways. First, while the CISO is likely to have some interaction with the board and C-suite, there will still be many conversations that affect the information-security function to which the CISO will not be privy. As a result, the CISO will have to rely on his or her supervisor to act as an effective intermediary in advocating for resources and policy initiatives and in educating the board and CEO on information security issues as they unfold. Second, when the CISO needs to take an unpopular position to strengthen an organization’s information security profile, he or she must be confident that there will be support in high places.

  • “How deep is the organization’s commitment to information security?”

This is more than a question of staff and budget allocation, although those elements are certainly important. The CISO wants to know that the C-suite and the board appreciate the complexity and uncertainty at the core of the information-security function and the need to make everyone in the organization—top to bottom—responsible for security. For the CISO to be successful, he or she must be empowered to act and be armed with the necessary resources to deploy, both in times of normalcy and crisis. Although the CISO expects organizations to have high standards, he or she will avoid enterprises that reflexively cycle through security teams.

  • “What key performance indicators will I be measured against?”

Given that every large organization must assume that it is continually under cyberattack, it follows that security breaches are a matter of not “if,” but “when.” Therefore, it is not realistic for a company to hold its CISO to a “one strike and you’re out” performance benchmark. The conversation about expectations is just as important as those about resources, reporting lines, and compensation.

  • “Where will I be in five years?”

Those who lead the information-security function are like other functional leaders in their range of career ambitions. For some, the opportunity to lead the function at a quality organization is the goal; others, however, are looking ahead to a CIO role or even a broader position in organizational leadership. It is important to understand each candidate’s desires vis-à-vis what the organization can offer. Remember that the CISO’s reporting relationship will be one factor that frames this issue in his or her mind.

Conclusion

In today’s environment, board members cannot afford to be complacent in their oversight of cybersecurity issues and, in particular in helping the organization hire the right people for the most critical positions. A big step is to understand the issues that are of the most importance to today’s CISOs.

Source: https://www.securityroundtable.org/need-ciso-good-answers-four-questions/

The Emerging Role of the Chief Information Security Officer in the C-Suite

Today, no business executive would disagree with the statement that cybersecurity is a business issue, not just a technology issue. An increasing number of businesses and governments experience cyber incidents, and the way they handle such incidents can have a significant effect on their reputation.

A cyber incident can cause several kinds of damage to a company. The first is damage to business continuity. If a company’s IT system or operational system is compromised, the company may have to decide to halt the operation of those systems. The second is loss of stakeholder trust. Today, business transactions are conducted under the assumption that the information provided by companies is accurate and reliable. If a company’s IT system or operational system is compromised, information is manipulated, and the company cannot guarantee the integrity of the information it provides, then the company no longer qualifies as a trusted business partner.

Along with this, digital innovation is emerging as a new reason why cybersecurity is a business issue. Many innovations are taking place in all parts of the world in the form of AI, big data, robotics, fin-tech, biometrics, etc. Unless a company is digitally secure, it cannot internalize digital innovations into its business system and leverage them for value creation. In the age of digital innovation, cybersecurity is becoming an imperative for business growth, presenting a new challenge for the C-Suite.

Cybersecurity has traditionally been a topic that only a few executives are expected to understand. However, as security concerns spread across a business, cybersecurity is now a topic that concerns all members of the C-Suite. For example:

  • A Chief Financial Officer needs to ensure secure transactions between financial institutions or business partners.
  • A Chief Marketing Officer needs to master how to ensure cybersecurity in marketing activities via digital and social media, and
  • A Chief Human Resources Officer needs to ensure that digital recruiting processes are secure in a competitive market.

A New Opportunity for the CISO

How cybersecurity is addressed within each management function needs to be harmonized under company-wide priorities and principles. This presents a new opportunity for Chief Information Security Officers (CISOs). Traditionally, the CISO has been a supporting role for the Chief Information Officer or the Chief Risk Officer. However, a CISO now needs to interact directly with all C-suite members. The C-Suite needs to agree on what the company wants to protect from a holistic perspective, and the CISO needs to facilitate these discussions.

To facilitate these discussions, a CISO should ask the C-suite the questions below.

  • “What are the crown jewels that we want to protect with top priority?”
  • “What are the business consequences if those crown jewels were damaged?”
  • “How much investment are we willing to make to mitigate those risks?”

Across an organization, there are many solutions that contribute to cyber resilience. A technology solution might be Managed Security Services. A financial solution might be cyber insurance. An operational solution might be a Computer Security Incident Response Team (CSIRT) or employee training. A legal solution might be fiduciary actions based on a lawyer’s advice. The key is to integrate these solutions into a cybersecurity strategy that supports the business priorities of the company. In many companies, who leads this effort is not defined. This is a new space in corporate business management and a new opportunity for the CISO. By taking on such a role, a CISO can have a company-wide impact, because the cybersecurity strategy then becomes a comprehensive and integrated package rather than an aggregation of independent tactics. It is owned by the entire C-suite and woven into company-wide business strategy.

Source: https://www.securityroundtable.org/the-emerging-role-of-the-chief-information-security-officer-in-the-c-suite/

From Cyber Czar to Risk Officer: The CISO’s Next Evolution

Over the last several years, the role of the chief information security officer (CISO) has undergone a critical transformation from technical guru to core member of an organization’s senior leadership team. But in highly regulated, complex industries such as financial services and healthcare that harbor large amounts of personal information, the role is undergoing a further evolution as sensitive data takes on an increasingly central role in all parts of the business.

This more information-centric environment, which is still taking shape, calls for a different way of thinking about and managing risks within the organization (see Figure 1). This change in thinking includes:

  • A move away from the traditional cybersecurity focus on tactical elements like email hygiene and firewalls to a more strategic view centered on the data itself.
  • Less emphasis on responding to threats and more on instilling appropriate behaviors and managing perceptions of risk.
  • A shift from building higher walls and deeper moats that prevent intrusion to ensuring customized value-based risk management that protects each information asset.

A new profile for a more strategic role

The CISO thus will evolve from the unsustainable “cyber czar” position to become responsible for managing the organization’s information risks, supporting and sustaining the appropriate risk management culture and engaging with the C-suite regarding the use of new technologies and the information-risk implications of entering new businesses. Indeed, we can see the beginning of this shift as some sophisticated organizations (especially in financial services) adopt titles such as “Chief Information Risk Management Officer.” This is a welcome development, given that making cybersecurity everyone’s responsibility has been a longstanding goal of the information security community.

In the years ahead, the new breed of information security leaders will need to focus on:

  • Establishing uniform perspectives and behaviors that can crystallize into social norms regarding the use and handling of information at work – even when those norms differ from those governing how people handle personal information at home.
  • Managing the uncertainty and ambiguity that come from the shift to a front-line, decentralized approach to information security.
  • Having exceptional strategic orientation and the ability to communicate and influence outside of one’s chain of command.
  • Combining technical savviness with broader business understanding, as the role expands from addressing cybersecurity threats to the broader mandate of managing information risk.

These changes will only take place, however, after the necessary perception and behavior regarding information risk and security becomes broadly ingrained throughout the organization. Until then, information security leaders will have their hands full creating that consensus and nudging us to a more secure future.

Source: https://www.securityroundtable.org/from-cyber-czar-to-risk-officer-the-cisos-next-evolution/

Traits of a Successful Threat Hunter

Threat hunting is all about being proactive and looking for signs of compromise that other systems may have missed. As defenders, we want to cut down the time it takes to detect attackers. To accomplish this, we assume the bad guys have penetrated our defenses, and then proceed to look for traces that their activities have left behind.

Putting aside the technical details, it is extremely important to consider the person, or perhaps the team, who is doing the hunting. I describe a good threat hunter as a person with a wide skill set who has “been there and done that” in multiple areas of IT and security. There are four main dimensions that help shape a good hunter:

Curiosity
A threat hunter needs to be patient, highly motivated, and driven by a desire to know more. The person needs to start asking questions such as “why?” in order to understand whatever activity is under analysis. To be able to answer the why, the drive to go deep into the rabbit hole is essential.

Critical thinking
Being able to analyze and solve problems also is important. The hunter must always keep an open mind and be able to consider alternative solutions to the problem. Thinking like an attacker usually helps frame an investigation from a different angle and could be the key to uncovering evil within your systems.

Technical expertise
A wide array of technical knowledge is essential. A person who is an expert in networking but knows very little about other disciplines such as forensics, applications, databases, etc., may not be able to see the big picture. Ideally, the hunter has cross-discipline knowledge and knows whom to reach out to when more in-depth analysis is required.

Ability to connect the dots
This is one of the most important aspects. Many analysts struggle when presented with multiple sets of information and therefore are unable to connect the dots and put together the puzzle. An efficient hunter should be able to understand the data and its business context, perform the appropriate correlations, and reach conclusions.

Professionals with this sort of talent and skill are scarce. Remember that in many cases it makes perfect sense to develop hunting talent in-house. An employee who has worked in a few IT or information security disciplines and who knows your business brings great value to the table. Look around and see who is up to the challenge.

Editor’s note: Roger O’Farril will be presenting further insights on this topic at ISACA’s CSX North America conference, to take place 15-17 October in Las Vegas, Nevada, USA.

Roger O’Farril, Information Security Team Lead, Federal Reserve Bank of Chicago

[ISACA Now Blog]

Cloud Security Alliance Releases Malaysia Financial Sector Cloud Adoption Report

KUALA LUMPUR, MALAYSIA – August 20, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, and Malaysia Digital Economy Corporation (MDEC) today released the results of a joint survey, Cloud Adoption in the Malaysia FSI Sector, which surveyed IT and security professionals in Malaysia’s FSI about their cloud service adoption plans and priorities. The results were announced in Kuala Lumpur at the inaugural CSA Malaysia Summit, where Dato’ Ng Wan Peng, COO of MDEC; Jim Reavis, co-founder & CEO of CSA; and Ramesh Narayanaswamy, CIOO of CIMB Group Holdings were among the keynote speakers.

As part of the Summit, CSA also organized a Roundtable on “Banking 4.0 – Digital Transformation, Opportunities & Challenges,” intended to take the survey’s findings to the next level of study. This Roundtable was sponsored by Microsoft.

Although heavily regulated internationally, today’s financial services institutions (FSI) face similar pressures experienced by their compatriots in lesser-regulated sectors. There is an urgent need to embrace digital transformation to leapfrog competitors, enhance agility, and increase efficiency to better serve the modern digital consumer in this fast-paced economy. Significantly higher confidence levels in cloud security today have rendered the cloud a key enabler in overcoming these challenges. Seeing this trend, CSA and MDEC jointly conducted the “Cloud Adoption in the Malaysia FSI Sector” survey to gain a deeper understanding of the current and future state of cloud adoption in the region.

“Besides raising awareness of cloud adoption in the FSI sector, the survey also aimed to uncover obstacles that may have impeded cloud adoption by the banking sector within Malaysia,” said Dr. Lee Hing-Yan, Executive Vice President, CSA Asia Pacific. “Although separate studies have shown that the Malaysian government has done well in putting strong e-government plans in place, the government can further accelerate cloud adoption by introducing progressive guidelines. The increased clarity will help FSIs to continue reaping the benefits of cloud, while maintaining adherence to regulations.”

Ir. Wan Murdani Wan Mohamad, MDEC’s Director of Enabling Ecosystem, commented:

“Malaysia’s shift towards becoming a developed, sustainable digital economy requires the transformative use of a secure and robust cloud ecosystem. As indicated by the study, a vital aspect of Malaysia’s transformation encompasses successful cloud adoption, which means that we must prioritise the future-proofing of our cybersecurity sector as an important aspect of our drive to build on the growth of cloud adoption by the FSI and, indeed, all sectors of our economy.”

The report published key findings in the areas of cloud adoption, IT security budgets, cloud computing, and cyber security skills, as well as cloud service compliance and regulations. Among the main findings:

  • Sixty-five percent (64.7%) of the FSI in Malaysia said they are developing a cloud strategy, while 17.6 percent have already developed a cloud strategy. The remaining 17.6 percent have a strict no-cloud policy.
  • Twenty-four percent (23.5%) of respondents mentioned that no cloud service data security and compliance regulations are predetermined in their organization, while 11.7 percent mentioned that their organizations have some form of cloud service data security and compliance management.
  • The majority of the survey respondents pay considerable attention to international standards when selecting a cloud service provider (CSP). This suggests that certification should be an important benchmark for CSPs as a measure and demonstration of their compliance with industry standards.
  • Fifty-three percent (52.9%) of the respondents said that the top cloud threat in their organization is the lack of security assessments on cloud services provided by CSPs. In other words, there is a lack of the knowledge necessary to properly address the challenges, with some being unaware even when these threats occur.
  • Due to the lack of commitment at the senior level, 58.8 percent of all cloud computing and cybersecurity professionals indicated they have never participated in nor organized any cloud application development or cloud-security-related training.

“We would like to thank MDEC for their ongoing support and contributions to this survey and to our broader efforts to understand and educate the market on cloud adoption in APAC,” added Dr. Lee.

CSA has conducted similar adoption studies in China (https://www.csaapac.org/fsisurvey.html) and India (https://www.csaapac.org/2016-cloud-adoption-and-security-in-india-survey-report.html). The Cloud Adoption in the Malaysia FSI Sector paper is a free resource. Download the full survey report now.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]
