An Overlooked Upside to Cybersecurity Roles – They’re Fun!

Recent surveys and studies have emerged that show interest in cybersecurity as a potential career field at uncomfortable lows. In fact, a recent ProtectWise report showed that only 9 percent of millennials indicate cybersecurity is a career they are interested in pursuing at some point in their lives. This disturbing finding has far-reaching potential consequences in a field that desperately needs a stronger workforce.

To understand these findings, the study posits several factors that could be to blame for the low level of interest, from lack of exposure to cybersecurity in school curricula, to lack of personal connections, such as relatives, in the relatively new field of cybersecurity. However, another element, often hushed, and rarely acknowledged, lurks throughout the field’s perception – lack of fun. Sadly, many people don’t consider cybersecurity as a “fun” field – and that’s a false assumption, as there are multiple elements that make cybersecurity an enjoyable career path. Considering the level of engagement cybersecurity professionals enjoy, the evolving nature of the profession, its constant relevance, growth rate, and pay, cybersecurity can be a fun field, as long as individuals give it a chance.

One of the most enjoyable aspects of cybersecurity is the level of engagement it requires of an individual. Many jobs consist of the day-to-day grind of waking up, performing the same task several times, eating lunch, performing the same task, and going home. Little to no engagement occurs in these job roles, resulting in a bored and ineffective workforce. However, cybersecurity is quite the opposite. As seen in several reports, including ISACA’s 2018 State of Cybersecurity research, cyber-attacks are constant and growing in frequency. As a result, many incident responders and cyber teams find themselves immersed in their job, engaged in the dissection, analysis, and evaluation of attacks to better protect their organization. Oftentimes, this takes the full attention of these individuals, who lose track of time and realize they’ve been actively engaged in their work all day, resulting in very little boredom.

These growing attacks also are constantly evolving. Many of the day-to-day attacks against an organization vary in shape, size, and composition, and require an engaged workforce to actively combat them. These individuals act as live guardians in a digital world, identifying each potential attacker and assailant by cross-referencing them against previous attacks and exploitation. Oftentimes, this can be the hardest part of the job, as attack mechanisms such as worms and viruses are like hydras, with two different variants appearing once one variant is killed. In fact, one such type of attack, a polymorphic virus, makes slightly different copies of itself each time it infects a system in an effort to throw scanners off of its trail. Hunting these changing malicious codes and actors often brings a smile to the face of cyber professionals, as each time an attack changes and the responder stops it, the responder becomes that much stronger and more experienced.

These constant attacks also contribute to another element that makes cybersecurity fun: its relevance.  Since new attacks and attack vectors are always emerging, cybersecurity professionals must stay up to date on all the potential exploitations that are discovered to meet their responsibilities of protecting the business operations of an organization. This, in turn, makes cybersecurity professionals incredibly relevant to the business and the field overall. Relevance in an organization oftentimes translates to respect and recognition. This is reinforced by the rise of the CISO and CIO roles in Fortune 500 companies. No longer are these individuals relegated to the back row by other executives; instead, they are more commonly brought to board of directors meetings to discuss the organization’s security stance.

While the relevance of the cybersecurity field is important, it does not amount to much if there is nobody to staff the workforce. As seen in the 2018 State of Cybersecurity research, there are not nearly enough cybersecurity professionals in the field to keep up with the explosive growth and need. As a result, cybersecurity professionals are valuable diamonds to be cherished and cultivated within the organization. Thanks to this growth, cybersecurity professionals enjoy the fruits of a seller’s market – and that can be pretty fun.

Finally, something which all millennials should consider as they chart their future careers: pay.  Everybody wants a career that will pay well, and cybersecurity offers that opportunity. The Robert Walters Salary Survey of 2018 indicated that cybersecurity pay will rise by an additional 7 percent around the world in 2018, outpacing all information technology roles, which on average will see about a 2 percent increase. Although having an engaging, evolving, relevant job in a growing field is fun, knowing that it pays well is another cause to smile.

Everyone is different and defines job fulfillment through their own personal lens. However, if finding a job enjoyable, engaging, and fun is a top priority, it’s worth considering cybersecurity as a potential career. On the outside, it may seem bland, but taking a closer look reveals that working in cybersecurity can be much more fun than most people think.

Editor’s note: For more of Frank Downs’ thoughts on the fun side of cybersecurity and relevant industry trends, listen to the recent ISACA Podcast, The State of Cybersecurity.

Frank Downs, Director and SME, ISACA Cyber Security Practice

[ISACA Now Blog]

Tech Docs: Five New Features in the Traps Management Service

That’s right! The August release of the Traps management services introduces five new features designed to simplify endpoint management and security event investigation:

1. Clickable Dashboard—From the Dashboard you can now jump to a filtered list of endpoints that share any of the following characteristics:

  • Platform operating system
  • License status (to view a list of all licensed endpoints)
  • Content update status (latest or outdated)

For security events, you can also jump to filtered lists of unresolved events by severity. The Dashboard quick links enable you to quickly identify endpoints for which administrative action may be required.

2. Enhanced Endpoint Filters—To refine the number of endpoints on the Endpoints page, you can now apply new endpoint search filters:

  • Agent Version—Filters all endpoints for specific agent versions. Using this filter you can quickly identify all endpoints running older Traps versions and upgrade them to the latest Traps version thus ensuring the endpoint takes advantage of the latest security policy and Traps features.
  • Content Version—Filters all endpoints for specific content update versions. This filter provides visibility into which endpoints are using older content versions.

3. Security Event Search by Event ID—If you already know the unique event ID for a security event, you can now use that ID to quickly locate a security event. To filter security events for an Event ID you must enter the complete ID value.

4. Hash Exceptions Search—To quickly locate a hash exception, you can now search hash exceptions using the complete SHA256 value.

5. Process Exceptions Assignment Enhancement—To quickly configure process exceptions for select endpoints, you can now assign process exceptions to endpoint groups, AD groups, and AD organizational units (OU). Process exceptions will apply only to the platform type specified in the exception. In addition, in the case of AD objects that specify users and endpoints, a process exception will apply only on endpoints.

For more details on the new features, please refer to the following resources:

Happy reading!
Your friendly Technical Documentation team

Have questions? Contact us at documentation@paloaltonetworks.com.

[Palo Alto Networks Research Center]

Lessons from the Reddit Breach

An attacker gained access in June to Reddit users’ data, including usernames, passwords, email addresses and private messages from 2005-2007. The attacker also gained access to more recent data, including current usernames and emails.

This data allows hackers to try to break into sites where users might still be using the same passwords. Although the compromised passwords were encrypted, they are likely crackable using today’s tools.

Because the email digests also include current usernames and emails, this linkage could allow attackers to determine the actual identity of users. If those users have been receiving content or engaged in posts that could be embarrassing, this may lead to blackmail; hackers might threaten to make private messages public or share them with family or friends.

Reddit users should ensure that, across platforms, they are not still using any passwords from the breached timeframe. Users should also consider passwords that are in line with NIST’s recent guidance.

What your organization can do to prevent a similar breach
Periodic password changes and secure password choices are good practices for Reddit users and non-users alike. Additionally, there are system-wide changes that organizations can make to protect against breaches.

Employees with access to sensitive systems or with powerful privileges, like admin accounts, represent a high-value target for attackers, so organizations should pay particular attention to the security of such accounts.

One way to improve account security is the implementation of strong multifactor authentication. SMS is often used for consumer user account two-factor authentication, but can be compromised with some effort by attackers as occurred with the admin accounts in the Reddit breach.

A cryptographic token system is a more secure alternative to the SMS two-factor authentication method that was compromised in the Reddit breach. Tokens take more effort to implement than SMS two-factor authentication, but they are also difficult to spoof. Authentication tokens are generated cryptographically and often have limited lifetimes: sometimes, as little as one or two minutes.

Many organizations have been using strong authentication based on physical or software tokens for decades. For particularly sensitive accounts like admin accounts, this has long made sense and is hardly a new idea.

Other detection tools your organization should use for breach prevention
Organizations should also use auditing and intrusion detection tools to quickly alert them to a situation when such an account is engaged in abnormal behavior.

Since admin accounts are very powerful, the information security team and IT auditors should carefully review the protection for these types of accounts, including the use of multifactor authentication, and determine if audit trails and intrusion detection tools can be turned off or tampered with by the admin accounts in question. Otherwise, attackers who breach such admin accounts will have the ability to simply bypass the monitoring. In many cases, the underlying operation system or application does not provide tamper-proof audit trails and intrusion detection; third-party tools will need to be implemented.

Organizations should also discover and find old files that contain personally identifying information, like email addresses, usernames or encrypted passwords. These files should be securely deleted or protected in some fashion. In many cases, it is older files that were not well protected, copied and then forgotten about, often due to employee turnover, that potentially pose regulatory compliance risks.

Proactive data governance measures are more important than ever in today’s landscape, as the Reddit breach and countless others attest.

Rob Clyde, ISACA board chair, executive chair of the board of directors for White Cloud Security and independent board director for Titus

[ISACA Now Blog]

Persuasion: A Core Competency for GRC Professionals

Imagine this as a GRC professional. It’s April 2016. The European Parliament passes the General Data Protection Regulation (GDPR) with an enforcement date of May 2018. Your organization is impacted.  You are going to own this.

At first, you ask yourself – should I get going on this now? The answer is yes; the reality is you won’t. A year passes and the media pipes up about the clock ticking. You start to hear in your peer groups that people are starting to think about what they are going to do, but there’s little action. The clock strikes Q4 2017, your anxiety elevates, the consulting firms and professional organizations inundate your inbox with updates, trainings, services, etc., so you start your journey (late). You get organized, start reaching out to HR, IT, anyone who could be impacted. Crickets. A month passes. Two months pass, and it’s Q1 2018. You follow up. Finally, a response, maybe two come in. Finally, some momentum!

You re-engage your stakeholders, you email, call, try and set up meetings. Crickets. Q1 earnings come around. Analysts are asking. Your CEO says you are all over it and ready for the go live. Senior leadership is looking for an update. You’re working on it as best you can. The emails get responded to, finally. It’s a fire drill. You work tirelessly. GDPR goes live. You’re not quite there, but close enough that you finish by your Q2 earnings release. It’s been a disaster, but it’s over (until the next time).

GRC professionals, a lot of them, live this awful cycle every time there’s a new regulation, accounting standard, etc. Why is this? Our jobs should be simple. We carry the big stick! Most of what we support is tied to law, standards and regulations. Our organizations have to comply or face potentially stiff penalties and reputational damage. Why don’t they? They claim no resources, or budget, or time.  We’ve heard it all.

Why aren’t they listening? I argue that we don’t leverage persuasion and build the skills to persuade.

The reality we live in as GRC professionals is that we simply can’t be successful in our job if we don’t persuade, and if we can’t persuade, we risk insufficiently addressing or failing to address risks to the organization. The repercussions could be severe. We could hinder our own and our teams’ careers and damage our reputations. In the narrative above, we all know who’s going to be on the hook if there’s a problem. And it won’t be those who ignored us for the better part of a year.

Persuasion is a skill. Some of it can be taught; most of it we already know (or could be defined as common sense). We simply need to be aware of this and implement some simple (in most cases) techniques to tilt the scales:

  1. Rapport is critical. If they don’t like you, send in someone else they do.  We can’t persuade someone who doesn’t like us.
  2. Acknowledge the stigma that may be attached to your title and role. Let’s be honest – colleagues may not really enjoy getting a visit from a GRC colleague. Acknowledging this might help remove the first barrier.
  3. Recognize the impact of mood. Having a bad day? Your counterpart having a bad day? Move the meeting; it simply won’t be productive.
  4. Get out of a negative environment. The workplace can be a source of stress, so go grab a coffee or lunch or a drink. This is the real reason so many folks utilize “let’s grab a coffee” or similar approach to get things done.
  5. In person is always better. Smile a lot and use your colleagues’ names when you see them – people like hearing their name. Keep your tone of voice positive and upbeat. And while you’re at it, avoid using the word “I” – it will turn them off.
  6. Use how, not why, when requesting support. To most people, “why?” feels like an accusation.  Don’t believe me? Think about how you feel when your boss or your spouse ask “why” you didn’t do something. It puts most people right on the defensive. “How” invites both parties to strive toward a common goal. The simple statement “GDPR goes live in 6 months – how do we ensure our organization is prepared?” invites both potential solutions and a sense of ownership in both parties.
  7. Listen. I mean it. Really listen. Can you do it? I can’t. Why? Because when I’m not talking, I’m thinking about what I am going to say next. Is that really listening? Bring someone with you to important meetings, and make it their job, and only job, to listen (take note of tone), watch body language, take notes, etc. Review that feedback after the meeting.

This seems easy enough, but the reality is if you don’t thoughtfully leverage some of these steps routinely, you’ll never reap the rewards. These won’t work all the time, but they’ll help increase the chance of success in your GRC role.
Have they helped me? You tell me – ever convinced a subsidiary to upgrade their ERP as part of an audit report? I have. And it was by using these tactics.

I’ll be discussing this topic further at the GRC conference next week in Nashville, Tennessee, USA. Track me down at GRC; I’d love to speak about these topics and lend a hand if I can.

Brian Tremblay, Chief Audit Executive, Acacia Communications

[ISACA Now Blog]
