Category: Cyber Security

Of all the certifications represented annually in the Global Knowledge IT Skills and Salary Report, ISACA is more prominent in our top-paying certifications list than any others. This year, ISACA occupies five spots in the top 20, including three in the top six worldwide.

ISACA is associated with two important truths for business technology professionals:

1. Enhancing a wide range of careers
2. High salaries

ISACA’s certifications in cybersecurity and governance produce the highest salaries. This is in line with our overall salary data, as governance ranks second and security fifth in average global salaries by category.

Here’s a list of the five top-paying ISACA certifications for 2018 (average salaries are for North America):

1. CGEIT: Certified in the Governance of Enterprise IT

Average salary: $117,544
CGEIT is the top-paying certification in the United States and ranks third worldwide ($92,821). Its North American salary is 34% higher than the average for all certified professionals. This certification is designed for individuals who manage, advise or provide assurance services around enterprise IT governance.

Tenure is among the reasons CGEIT-certified professionals typically have higher salaries. To take the exam, an individual needs at least five years of experience in at least three of the five domains the certification covers, including at least one year in the IT governance framework area.

2. CRISC: Certified in Risk and Information Systems Control

Average salary: $107,968
CRISC ranks sixth in North America and second worldwide in average salary. Its average salary is 23% higher than the average for certified professionals. CRISC is a risk management and security credential designed for IT professionals, project managers and others whose job it is to identify and manage IT and business risks through information systems controls.

Globally, six security certifications made our top-20 list, with CRISC trailing only CISSP in average salary. Cybersecurity positions in general pay well, with the average among North American respondents at $101,083, which is more than $13,000 above the average.

Related training: CRISC – Certified in Risk and Information Systems Control Prep Course

3. CISM: Certified Information Security Manager

Average salary: $105,926
CISM ranks seventh in North American salary and sixth globally. It’s aimed at information security management professionals, focusing on security strategy and assessing the systems and policies in place. To take the exam, certification candidates are required to have at least five years of experience in IS, with at least three as a security manager.

It’s now common that many government agencies require their IS and IT professionals to have a CISM certification.

Related training: CISM – Certified Information Security Manager Prep Course

4. COBIT 5 Foundation

Average salary: $102,112
This premier governance credential has a North American salary that tops $100,000 and a worldwide salary that ranks 11th overall ($77,300). COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT.

ISACA’s governance credentials (COBIT 5 Foundation and CGEIT) are two main reasons why governance certifications have the second highest average salary globally ($84,420).

Related training: COBIT 5 Foundation

5. CISA: Certified Information Systems Auditor

Average salary: $97,117
CISA ranks 13th in the US and globally in average salary. It’s also the most popular certification amongst our survey respondents, with 1,923 CISA-certified professionals. The CISA is perfect for individuals whose job responsibilities include auditing, monitoring, controlling and assessing IT and business systems. The exam tests the ability to manage vulnerabilities.

Originating in 1978 and now in its 40th year, CISA is ISACA’s oldest certification. It requires at least five years of experience in information systems auditing, control or security.

Check out these additional Global Knowledge resources to learn more:

• How to Select the Right Certification for You
• How to Convince Your Manager of the Benefits of Training
• 2018 IT Skills and Salary Report

Ryan Day, Content Marketing Manager, Global Knowledge

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1063

GDPR: An acronym and a buzzword that has set many of us into “alert mode.” Since it was set in motion more than two years ago, thousands of people worked hard to ensure their organizations were prepared by the set enforcement deadline of 25 May, 2018, and continue doing so. But among the good guys and gals, there were also some “louche” (a French adjective that means “shady” characters, and was used in CNIL’s video on GDPR. These are people who had no ethical problems in providing misleading guidance and wrong answers to the many questions concerning GDPR).

Unfortunately, Poland was among those countries where this phenomenon grew to be a danger to the whole idea of protection of personal data. Here are just a few examples of the consequences of the created havoc:

• Hospitals refused to inform parents whether their children were admitted after a serious bus accident with many schoolchildren injured;
• Teachers started calling out pupils by their assigned numbers instead of their names;
• Closure of a cemetery, because some gravestones had names of living persons on them; and
• Offers of special GDPR-compliant filing cabinets.

These situations were widely described and discussed on the internet in Poland, raising concern. To counteract this, in June this year, the Minister of Digital Affairs empowered Mr. Maciej Kawecki, the Director of the Department of Data Management at the Ministry, to create a special task force to deal with the worst absurdities. Mr. Kawecki is a top data protection specialist who is coordinating the work done in Poland to adapt Polish law to GDPR. The mission is very challenging; there are about 800 regulations that need to be revised. In the next few weeks, the Polish Parliament will debate the first package of legislative changes.

Mr. Kawecki posted a call for volunteers to work in the group. This proved to be a very sought-after, widely appreciated initiative, and the response was huge. From the several hundred candidates, 93 people were picked to work in five groups on issues concerning specific topics: health, education, finance/telecomms, public administration and general issues.

I had the pleasure to be selected to be a member of the education team. We come from a mix of different professions and different involvement in day-to-day school activities. This creates additional value as we have different perspectives and experience that enable us as a team to take a much broader look at GDPR issues.

In the first stage, we were asked to compile replies to seven especially pressing questions concerning schools. We came to the conclusion that each question should have two answers:

1. A short one, of the “YES /NO” type with just a brief added comment, so that headmasters and headmistresses would know right away what they can or cannot do, and
2. A long one, with legal reference to the applicable regulations concerning school and pre-school education and some practical advice for all concerned.

We already have noted our first success. Part of our work has been used in the GDPR guide for schools, just published by the Ministry of Education together with the Polish supervisory authority.

Creating a GDPR task force by the Ministry of Digital Affairs is a highly recommended approach. It gives the opportunity for data protection professionals to get involved in supporting GDPR compliance at the national level. It also creates opportunities for an exchange of knowledge and experience between practitioners and government officials in charge of developing regulations and recommendations. The Ministry intends to continue using our group to obtain practical and up-to-date information on issues and problems concerning GDPR implementation and to develop appropriate guidelines. This also gives us the opportunity to share our ideas and thoughts with our peers and to disseminate best GDPR practices to stakeholders both in the public and private sectors.

A good example of the usefulness of guidelines developed by official organizations are the “Guidelines on the protection of personal data in IT governance and IT management of EU institutions” published by the European Data Protection Supervisor (EDPS). These good practices are based on ISACA’s COBIT 5 and describe the data protection aspects related to the processing of personal data. With just a few minor changes that basically come down to replacing “EU institutions” with “data controllers,” this document can easily serve large and small organizations from the public and private sector in the European Union and outside in their efforts to achieve GDPR compliance.

Joanna Karczewska, CISA, ISACA GDPR Working Group

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1062

Tony Vizza, CISSP, is the newest addition to the (ISC)² Cybersecurity Advocacy team! Based in Sydney, Australia, Tony works with corporations, government agencies and academic institutions to encourage collaboration across the industry, effective cybersecurity curriculums and strong legislation to attract and enable the workforce we need to manage the Asia-Pacific region’s most critical security issues. Tony has worked in the field for more than 25 years and has earned the CISSP certification, as well as the CRISC, CISM and is certified as an ISO/IEC 27001 Lead Auditor. To get to know Tony a bit better, we asked him five questions …

• What brought you into the profession we now know as “cybersecurity?”

I started at a young age “discovering vulnerabilities” in my school’s network systems. From there, I went on to study computer science at university. IT has always been in my blood and over the past ten years, network security and cybersecurity have been the core of my professional career.

• What career accomplishment are you most proud of?

Far and beyond all else – even both of my university degrees – I am most proud of achieving my CISSP certification. It was a culmination of months of study and preparation, on top of years of experience, and it finally made me feel proven to work in the field of information security. I had fantastic mentors and supporters who helped me through the process and I felt both disbelief and on top of the world when I passed my exam!

• What is something about cybersecurity that you wish those outside of the field had a better understanding of?

Like many other industries portrayed in the media, our reality is much more mundane than the fictionalized version the rest of the world is presented with. The most effective protection against “hackers” isn’t what you see on CSI, but rather understanding the value of your own personal data. It’s important to understand how IT devices share information and remember to be mindful of what you post on social media. Human education is infinitely important. In fact, it is the most important factor in ensuring good cybersecurity.

• What are you most looking forward to in your role as a Director of Cybersecurity Advocacy at (ISC)²?

I am looking forward to making a difference in the lives of many people in the APAC region, by helping to empower our members. When our members are able to succeed in their own endeavors, that is the best way to magnify our message of creating a safe and secure cyber world.

• When not advocating for the cybersecurity professional – and the profession itself – where might our members find you?

You will most likely find me playing with my two toddler children, helping my partner with housework, studying law at university, or (hopefully) catching up on sleep! I also enjoy watching live stand-up comedy, taking a relaxing walk along the beautiful coastline of Sydney or attending a great music festival with my family.

Tony joins John McCumber, our director of cybersecurity advocacy for North America, in working for you, the cybersecurity professional. You’ll be hearing even more from Tony in this blog, our InfoSecurity Professional magazine and at cybersecurity events around the Asia-Pacific region.

[(ISC)² Blog]

Source: http://blog.isc2.org/isc2_blog/2018/08/meet-your-cybersecurity-advocate-5-questions-with-tony-vizza.html

If you are a netizen, you must have already noticed how certain ads pop up while you are surfing videos on YouTube. Most of the times, these advertisements have close connections to the products and brands you have been searching recently. However, this is not the case always! Finding fake ads of reputed brands like Mercedes-Benz and Waitrose is not uncommon at all. According to reports from The Times of London, several reputed brands have found their advertisements among objectionable and explicit content.

Why should you care about online ad fraud?
If you are an advertiser, this should be a cause of concern for you. According to a recent study, over 20% of the clicks you are getting on your ads can be from bots and tricksters. Censoring the internet and running the entire web without advertisement is impossible. In short, good content and commendable user experience require sponsorship.

Sadly, advertisers are pouring money into digital ads, but they are not receiving the returns they expect. The advent of various smart devices may have expanded the scope of viewing content, but they have done little to ensure that the content is genuine.

According to the Association of National Advertisers, entrepreneurs are wasting over $7 billion on online adverts people do not see. The experts expect the numbers to grow beyond $335.5 billion in the next two years. When companies are ready to spend billions on online advertisements, it is understandable why malicious activities are always around the corner, waiting.

We have seen the likes of Meth-bot that cost the ad industry around $5 million per day. They used bots to mimic human data, created over 250,000 individual domains. These new sites had a resemblance to big fish like ESPN and Vogue.

Digital ad fraud is a serious concern for advertisers and users, too. While the fraudsters use bots to mimic human behavior, trace cursor movements, and hack social media accounts, they fake their geo-location data to avoid detection. As a result, along with regular display ads, the premium online video advertisements are also taking a hit. Digital fraudsters are messing up analytical data, upturning the KPIs and disrupting online campaigns of many of the more reputable brands in the world.

Blockchain as a potential solution to online fraud
Is there any current technology that can prevent pixel stuffing, ad stacking, search ad frauds and affiliate ad frauds? Experts say that it’s possible. They believe that advertisers can prevent similar frauds by turning to blockchain. We are not talking about cryptocurrencies, but the decentralized open-source ledgers.

A fusion of existing ad technology and blockchain can give advertisers the power to keep an eye on each impression and eliminate the fear of fraud. Leading advertising research firms like Interactive Advertising Bureau’s Tech Lab and Data & Marketing Associations already are working on creating a blockchain solution that can help advertisers detect and prevent fraudulent activities. However, the wide variety of online ad frauds make the task of developing a uniform system difficult.

Below are the major use cases of blockchain that can be implemented to prevent online ad frauds:

Ethereum-based ready solutions – Several startups and advertising research companies have been working on blockchain systems that can stop bots and impostors. Ethereum is the best-known blockchain right after Bitcoin. Instead of a central ad server, it offers a decentralized system to advertisers to monitor the activity of their partners. Google, Amazon, Twitter, YouTube, Facebook, and Snapchat have adopted similar history-proof, decentralized ledgers.

Blockchain counterattack – This mechanism adopted by the Ads.txt DApp allows publishers and content owners to list the authorized sellers of their inventory in a .txt file. This file is served from within the root path of their domain’s web server.

Blockchain-based exchange for traders – A combination of the financial matching engine and the latest blockchain technology allows advertisers to enable transparent transactions. It is a NASDAQ Inc. initiative that aims to provide advertisers and publishers a completely secure platform that supports buying, selling and re-trading advertising contracts.

In the digital era, online ads are an important channel for brands to use to reach out to their target audience. Ad fraud not only puts a hole in the pocket of the brands but also harms the end users, who need reliable information to make the right decisions. With the ability to impart transparency to the system and trace an online asset, blockchain can surely help reduce, if not completely stop digital fraud.

Ankit Shrivastav

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1061

After decades of presentations and prayers, security has finally become a business imperative for executives and boards alike. Business leaders are speaking publicly about championing security investments, as it’s important for shareholder value and future expectations. In fact, evidence-based security effectiveness measures are finding their way into annual reports (10-Ks), committee charters, and corporate governance documents.

Because of the spotlight that is on security, your business leaders are demanding security effectiveness evidence from you. This evidence is similar to the data-driven measurements and KPIs seen in other strategic business units such as shareholder return, client assets, financial performance, client satisfaction, and loss-absorbing resources.

Your leaders are making decisions predicated on these non-security measures every day to increase value for their shareholders, address stakeholder requirements, and mitigate business risks. Security is simply another variable in the business risk equation. In fact, your security program isn’t about security risk in and of itself, but rather, the financial, brand, and operational risk from security incidents.

One area where the need for security effectiveness evidence is profusely obvious is around rationalization. For example, many auditors no longer ask, “Do you have security tools in place to mitigate risk?” because the answer is always, “Yes, but we need more tools, training, and people anyhow.” Now auditors are asking for rationalization in terms of, “Can you prove, with quantitative measures, that our security tools are adding value? And can you supply proof regarding the necessity for future security investment?”

This evidence-based, rationalization methodology, often characterized as security instrumentation, aligns with the reality that your organization has finite resources to invest in security and that all investments need to be prioritized. Every dollar invested in security is a dollar not applied to other imperatives.

Measuring your security effectiveness: where you’ve been
The sad truth is that most security effectiveness measures are assumption-based instead of evidence-based. Because of a lack of ongoing security instrumentation, you assume your tools and configurations are doing what is needed and incident response capabilities are a well-choreographed integration of people, processes, and technologies. You know that assumption-based security is flawed. But historically, you haven’t had a way to empirically measure security effectiveness. You get some value from penetration testing, the endless march of scan-patch-scan, surveys, and return on security investment calculations, but these approaches don’t truly measure your security effectiveness. As a result, your business leaders are relying on incomplete and/or inaccurate data to make their decisions.

Where you need to be
You need to know if your security tools are working as intended. Once they are, you can optimize those tools to get the most value, rationalize, and prioritize where greater investment is required, and retire tools no longer needed. Then you can monitor for environmental drift so that when a tool is no longer working as needed, you are alerted to the drift and how to fix it. Finally, from a leadership perspective, your team can consider security effectiveness measures when calculating the business risks.

How to get there
By safely testing your actual, production security tools with security instrumentation solutions, not scanning for vulnerabilities, not looking for unpatched systems, and not launching exploits on target assets, but actually testing the efficacy of the security tools protecting your assets, you can start measuring security effectiveness of individual tools as well as security effectiveness overall. When gaps are discovered, you can use prescriptive instrumentation recommendations to address those gaps. Then you can apply configuration assurance to retest the security tools to validate that the prescriptive changes implemented resulted in the desired outcome. Once you have your security tools in a known good state, automated testing can continue validation in perpetuity, alerting you when there is environmental drift.

The end result of security instrumentation is security effectiveness that can be measured, managed, improved, and communicated in an automated way. Your security teams are armed with evidence-based data that can be used to instrument security tools, prioritize future investments, and retire redundant tools. This newfound ability to communicate security effectiveness and trends based on actual proof allows your decision-makers to incorporate security effectives measures when making business decisions.

Author’s note: Brian Contos is the CISO & VP Technology Innovation at Verodin. He is a seasoned executive with over two decades of experience in the security industry, board advisor, entrepreneur and author. After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, he began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian has worked in over 50 countries across six continents. He has authored several security books, his latest with the former Deputy Director of the NSA, spoken at leading security events globally, and frequently appears in the news. He was recently featured in a cyberwar documentary alongside General Michael Hayden (former Director NSA and CIA).

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1060