What To Expect and Consider When Hiring A CISO

The market for top-tier CISOs is now highly competitive. Information security has become a high-profile corporate concern, and the bar has been raised for the pool of qualified candidates. By one estimate there were 2,700 CISO job openings in the United States in June 2015. So even if organizations are able to effectively evaluate candidates against current and future requirements, they must also be prepared from the start to actively sell the opportunity to an audience that is naturally skeptical.

In our experience, every CISO candidate asks four overarching questions when evaluating an opportunity:

1. “Who is my sponsor and how much influence does he or she have?”

This is likely to be the first question on the CISO candidate’s mind, and he or she is thinking about this issue in at least two specific ways. First, although the CISO is likely to have some interaction with the board and C-suite, there will still be many conversations that affect the information security function to which the CISO will not be privy. As a result, the CISO will have to rely on his or her supervisor to act as an effective intermediary in advocating for resources and policy initiatives and in educating the board and CEO on information security issues as they unfold. Second, when the CISO needs to take an unpopular position to strengthen an organization’s information security profile, he or she has to know there will be support in high places.

2. “How deep is the organization’s commitment to information security?”

This is more than a question of staff and budget allocation, although those elements are certainly important. The CISO wants to know that the C-suite and the board appreciate the complexity and uncertainty at the core of the information security function and the need to make everyone in the organization, top to bottom, responsible for security. For the CISO to be successful, he or she must be empowered to act and be armed with the necessary resources to deploy both in times of normalcy and crisis. Although the CISO expects organizations to have high standards, he or she will avoid enterprises that reflexively cycle through security teams.

3. “What key performance indicators will I be measured against?”

Given that every large organization must assume that it is continually under cyberattack, it follows that security breaches are a matter of not “if” but “when.” Therefore, it is not realistic for a company to hold its CISO to a “one strike and you’re out” performance benchmark. The conversation about expectations is just as important as the ones about resources, reporting lines, and compensation.

4. “Where will I be in five years?”

Those who lead the information security function are like other functional leaders in their range of career ambitions. For some, the opportunity to lead the function at a quality organization is the goal; others, however, are looking ahead to a CIO role or even a broader role in organizational leadership. It is important to understand each candidate’s desires against what the organization can offer. Remember that the CISO’s reporting relationship will be one factor that frames this issue in his or her mind.

For more information on what to expect and consider while hiring a CISO, download your copy of Navigating the Digital Age. Get the book here.

Source: https://www.securityroundtable.org/what-to-expect-and-consider-when-hiring-a-ciso/

Cybersecurity is a Proactive Journey, Not a Destination

Cybersecurity continues to grab the spotlight and mindshare in both computing and social trends.

The topic itself is broad and expansive, and the true impact of this segment of computing will be around for generations to come. For strong perspective on where the industry stands in its current state, ISACA’s State of Cybersecurity 2018 research is a must-read. This report provides a great assessment of what needs to happen in the cybersecurity field to move from reactive to proactive.

Challenges around cybersecurity are not new and have actually been around since the dawn of computing. However, it is now a topic that everyone talks about. It is a board topic, it is a public safety and livelihood topic, and it is a personal topic. Hitting this trifecta of impact has finally created the sense of urgency and the attention that is needed. Now, the key is that as an industry, as a country, and as a world of over 7 billion people, we need to effectively address these industry challenges to preserve the computing environment for the future.

Today, most cybersecurity efforts are focused on what is referred to as the “EMR” model of educate, monitor, and remediate. This approach is effective but is essentially like the game of “whack-a-mole,” where the core underlying risks and issues are never solved and keep popping up.

So, how does the governing of cybersecurity become proactive?

While EMR is essential, the core foundation of a more secure and trustworthy computing experience requires being more proactive. Proactive means ongoing, real-time, continuous self-testing and self-assessment, and a laser focus on education in best practices. This, combined with the continued evolution of the new SaaS (security-as-a-service), will help mitigate risk and build more trust in the future. Still, it will be very difficult to solve all cybersecurity challenges because of the technical debt that exists and will continue to exist for the immediate future.

Safe and secure computing can occur with a connected, comprehensive approach to security embedded in each of the leading digital disruption levers, from the Internet of Things, to conversational artificial intelligence, to blockchain and distributed ledger technology, to wearables and mobility. Industry focus, industry standards, close adherence to best practices, and the constant ability to randomize to protect digital identities are on the horizon and need to keep gaining momentum.

However, first and foremost, security best practices begin at the code level. As software engineers and as an innovation industry, we must make sure this is well-executed in each and every opportunity we have.

Author’s note: Mike Wons is the former CTO for the state of Illinois and is now serving as Chief Client Officer for Kansas City, Missouri-based PayIt. Mike can be reached at mwons@payitgov.com

Mike Wons, Chief Client Officer, PayIt

[ISACA Now Blog]

The AI Calculus – Where Do Ethics Factor In?

While artificial intelligence and machine learning deployment are on the rise – and generating plenty of buzz along the way – organizations face difficult decisions about how, where and when to introduce AI.

In a session Tuesday at the 2018 GRC Conference in Nashville, Tennessee, USA, co-presenters Kirsten Lloyd and Josh Elliot laid out many of the ethical considerations that should be part of those deliberations.

The pair detailed several instances of high-profile AI events over the past decade that highlighted the need to give ethical components of AI deployment a high level of focus early in a product or service’s design, as opposed to risking unforeseen fallout. The examples included the development of a controversial algorithm that predicted higher rates of recidivism for black defendants in the judicial system and a Stanford University study exploring how often AI could determine a person’s sexual orientation based on photos of their faces.

Yet, for all of the questionable or even potentially malicious use cases of AI, Lloyd and Elliot highlighted an extensive list of powerfully compelling uses for AI, such as advancing new medical treatments, preventing cyberattacks, improving energy efficiency and increasing crop yields. Elliot, Booz Allen Hamilton’s director of artificial intelligence, noted that AI also may prove transformative in missing person crises, such as being able to swiftly locate missing children in AMBER Alert child abductions.

Whether the potential ethical implications of AI and machine learning outweigh the good that can be accomplished is very much a case-by-case judgment call, Elliot said, requiring a holistic evaluation of the possible outcomes through a risk management lens. Successful, ethical implementation of AI and machine learning also calls for strong governance, with emphasis on benefits realization, risk optimization and resource optimization. Elliot and Lloyd said organizations should identify and engage key stakeholders in AI projects, including the creation of an ethical review board and a chief ethics officer. Some high-impact deployments might also require direct access to the C-suite for input on risk considerations.

Elliot and Lloyd suggested that organizations consider the following questions when deciding how they might want to deploy AI and machine learning:

  1. What are our goals?
  2. How much risk are we willing to tolerate?
  3. What is the state of our data assets?
  4. What talent assets do we have?
  5. What are our values?

From a talent standpoint, Elliot noted there is a serious shortage of professionals with the expertise to help enterprises effectively and securely implement AI and machine learning, causing many organizations to turn to the ranks of academia and research to fill the personnel gaps. Lloyd, an AI strategist with Booz Allen Hamilton, acknowledged the workforce worries many harbor regarding the potential for AI and machine learning to displace large numbers of practitioners, but said that there will remain an enduring need for humans’ critical thinking skills, while machines continue to introduce process improvements in computational thinking.

Taking the long view, Elliot and Lloyd said AI and related disciplines have transitioned from their previous state of simple task execution to the current era of pattern recognition, with a future that will be reshaped by added capabilities of contextual reasoning. Elliot said many of today’s common uses, such as robotic process automation (RPA), are a mere “gateway drug” to more sophisticated technologies and applications that are being aggressively researched in Silicon Valley and beyond.

[ISACA Now Blog]

Four Unit 42 Vulnerability Researchers Make MSRC Top 100 for 2018

Palo Alto Networks Unit 42 is proud to announce that four of our researchers were named to the Microsoft Security Response Center (MSRC) “Top 100 Security Researchers List” for 2018. This is the third year Unit 42 researchers have been included in this prestigious list, which is announced every year at Black Hat. This year’s Unit 42 winners are:

Rank  Name
10    Gal De Leon
13    Hui Gao
73    Tao Yan
79    Jin Chen

Palo Alto Networks is a regular contributor to vulnerability research in Microsoft, Adobe, Apple, Android and other ecosystems. By proactively identifying vulnerabilities, developing protections for our customers, and sharing them with Microsoft for patching, we are removing weapons used by attackers that compromise enterprise, government and service provider networks.

Below is the full list of this year’s top 100. To better understand how this recognition is both important and an honor, this posting by Phillip Misner of the MSRC gives you an idea of what’s behind the program.

[Palo Alto Networks Research Center]

In OT Environments, Security Must Not Be an Afterthought

The dream of a cloud-enabled operational technology, or OT, environment is becoming a reality thanks to daily innovations in technology, which have the potential to turn legacy control systems into integrated IIoT instances. These changes are happening at a fast pace, and are often extraordinary in scale. Large-scale ICS and SCADA systems, such as those found in oil and gas, are evolving; however, one thing remains constant: poor security.


Why Security Is a Challenge

As IT security professionals know, security must adapt to an ever-changing threat landscape. A fluid model does not play well with most current ICS and SCADA systems. These systems depend on availability first, making security measures challenging to implement and even harder to maintain. For OT operators, security must support a model that allows technicians to connect devices first to configure and fine-tune them, and then lock them down later. There must be enough security in place to protect both the business and the process control environment from attacks, but only so much that it neither overcomplicates the automation group’s workflows nor stops, blocks or disrupts production.

Purpose-built and expensive to update or replace, these systems and networks do not conform to the equipment lifecycle of an IT network. The majority of oil and gas field networks and remote process control networks are archaic, but also happen to be the systems we take for granted on a daily basis. Attackers know that, when and if these systems fail, they can affect our daily lives.


What’s Next?

It is time we change our beliefs about what a secure network looks like and how it should work. As organizations adopt cloud-based infrastructures and other IIoT technologies, security does not have to be an afterthought. Our Security Operating Platform secures control system networks in several ways, including automatically preventing new and unknown threats, providing virtual network segmentation and offering role-based network access.

Learn more about how to protect your controls environment against sophisticated cyberattacks by downloading our Cybersecurity for Oil and Gas Solutions Brief.

[Palo Alto Networks Research Center]