Highlights from the NIST Privacy Engineering Workshop

In April, I presented at and attended the NIST Privacy Engineering Workshop on behalf of ISACA.

Throughout two days of sessions, attendees explored the Fair Information Practice Principles, privacy/technology research efforts, and the need to address privacy risks—to consider privacy from the planning stage of projects and close the longstanding communications gap between legal and engineering areas.

We joined breakout sessions to discuss the frameworks engineers use, explore privacy case studies, and determine ways in which engineering methods can address privacy risks. On day two of the event we focused on drone use, which prompted some lively, thought-provoking discussions.

My takeaways from the workshop:

  • Huge gaps in communication between the engineering areas and legal/policy areas need to be closed. Each group needs to listen to the other when it comes to privacy discussions. Each side has much to learn from the experiences of the other.
  • Privacy engineering is much more than a policy issue and much more than just getting software or systems to meet existing legal requirements for data protection. Because those laws and regulations are written in reaction to past incidents, they will always lag behind a significant number of new and emerging privacy risks. Engineers will be key to mitigating those risks, through an effective privacy-engineering framework and through a catalog of vetted, reasonable privacy use cases.
  • Engineers already have frameworks they have used for many years to build software and systems. Instead of trying to get them to use something completely different, efforts should be made to establish privacy standards that are integrated within these established frameworks, written in language appropriate for engineers.
  • Privacy engineering is not just for large organizations. There are many small and mid-size organizations that create software and systems; they must also know how to engineer privacy into their products. Often there is an even greater need for such organizations to practice privacy engineering for all the software and systems they create.

Naomi Lefkovitz, NIST senior privacy policy advisor who presided over the two-day event, indicated that NIST plans to produce a report based on the information, recommendations and comments collected during the workshop. NIST will host further workshops to refine what will likely become the privacy portion of the Cybersecurity Framework.

I found this workshop beneficial: an important first step toward identifying actionable privacy standards to include within the Cybersecurity Framework, which engineers will be able to utilize within their current frameworks to help build in the (currently missing) controls needed to protect privacy.

Rebecca Herold, CISM, CISA, CISSP, CIPP/US, CIPP/IT, CIPM, FLMI
CEO, The Privacy Professor®

[Source: ISACA]

Building a Security Culture

Last month I had the great pleasure to speak at the 2014 ISACA Nordic Conference, where I shared my passion for security culture and how to build it.

In my view, security culture is, simply, about building and maintaining measures to help your employees feel safe and free from danger.

But let’s back up a bit to get a clearer picture. It helps to understand the origins of this culture. In this sense, culture is the collected security information in a society that is passed from one generation to the next. It can consist of norms, knowledge, tools, etc.

Naturally, this culture can be modified and transformed to suit each organization. Norms—the regulations, policies and other rules (written or not) that regulate how people in your organization function, from when and how they drink coffee to how they interact with their passwords—are malleable. They work best when they are adjusted for each enterprise and each situation.

Tools used with computers, information systems and software are most commonly considered “technology.” Much like their ancestors, such as the hammer, technology tools make it easier to reach a goal, such as hammering a nail or ensuring proper security within a system.

Knowledge is the third piece of the puzzle, binding technology and norms together. Knowledge guides people in interacting with technology in the right manner. Knowledge enables people to understand why norms force them to do things according to the rules.

Culture is a critical part of society. It helps define a people. This holds true within the narrower scope of security culture. By taking what you have already—technology and norms—and adding knowledge to your organization, you are moving in the right direction. You are moving to a security culture.

Kai Roer
President of Cloud Security Alliance Norway Chapter
Founder of the Security Culture Framework
Member of the Security Culture Framework Community

[Source: ISACA]

Palo Alto Networks Protects Customers From Critical IE Vulnerability CVE-2014-1776

Summary:

  • Critical vulnerability (CVE-2014-1776) identified in Internet Explorer, with active attacks observed in the wild
  • The vulnerability affects multiple versions of Internet Explorer, including those on Windows XP-based systems, which no longer receive security updates from Microsoft
  • Palo Alto Networks Threat Prevention customers are protected from exploitation of the vulnerability
  • Cyvera endpoint solution specializes in preventing the type of exploitation behavior used in this attack

On Saturday, Microsoft disclosed a critical vulnerability in Internet Explorer, CVE-2014-1776, affecting Internet Explorer versions 6 through 11. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated (a use-after-free). It allows an attacker to execute arbitrary code in the context of the current user within Internet Explorer. This could be exploited with drive-by downloads or watering-hole attacks, and has been observed being used in attacks in the wild.

The exploit code used in these attacks only targets IE versions 9, 10 and 11, but earlier versions are still vulnerable. As of this writing, Microsoft has not stated when a patch for the vulnerability will be available, but in its advisory the company provided multiple work-arounds. Additionally, Windows XP systems running IE 6, 7 and 8 are also vulnerable, but will not receive a patch, as Microsoft no longer supports them.
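The bug class the advisory describes, an object that is still referenced after its memory has been released, as an added C illustration written for this digest. It is not Internet Explorer code and does not reproduce CVE-2014-1776 or the exploit used in the wild; the "document" and "script" roles, the Node type and the reference-counting scheme are assumptions made for the example. The unsafe function is kept only for contrast and is not executed:

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy reference-counted object. Written for this digest as an illustration of
 * the bug class (use-after-free); it is not Internet Explorer code. The
 * "document" and "script" roles below are assumed, not taken from the advisory. */
typedef struct {
    int id;
    int refs;   /* live owners; memory is released only when this reaches 0 */
} Node;

static Node *node_new(int id) {
    Node *n = calloc(1, sizeof *n);
    if (n == NULL) abort();
    n->id = id;
    n->refs = 1;          /* the creator holds the first reference */
    return n;
}

static void node_retain(Node *n) { n->refs++; }

/* Drops one reference. Returns 1 if this call freed the node, 0 if other
 * owners remain and the memory is still valid. */
static int node_release(Node *n) {
    if (--n->refs > 0) return 0;
    free(n);
    return 1;
}

/* VULNERABLE pattern: a second holder keeps a raw pointer and never takes a
 * reference, so the first owner's release destroys the object while the raw
 * pointer is still in use. The final read is undefined behaviour (a classic
 * use-after-free). Kept for contrast only; main() does not call it. */
int unsafe_read_after_document_drop(void) {
    Node *n = node_new(7);
    Node *script_ref = n;        /* raw alias, refs still 1 */
    node_release(n);             /* "document" drops its only reference: freed */
    return script_ref->id;       /* "script" reads freed memory */
}

/* HARDENED pattern: every holder takes its own reference before using the
 * object, so no release can free memory another holder still reads.
 * Returns the id the script read after the document released its reference,
 * or -1 if the document's release freed the object (which must not happen).
 * If freed_by_script is non-NULL it receives 1 when the script's final
 * release is the one that actually frees the node. */
int safe_read_after_document_drop(int *freed_by_script) {
    Node *n = node_new(7);                     /* document: refs = 1 */
    Node *script_ref = n;
    node_retain(script_ref);                   /* script: refs = 2 */
    int freed_by_document = node_release(n);   /* document drops: refs = 1 */
    if (freed_by_document) {
        if (freed_by_script) *freed_by_script = 0;
        return -1;                             /* never reached with correct counts */
    }
    int seen = script_ref->id;                 /* still backed by live memory */
    int freed = node_release(script_ref);      /* refs = 0: freed here, by the last user */
    if (freed_by_script) *freed_by_script = freed;
    return seen;
}

/* Summary for callers that only want to know who freed the node (1 = script). */
int safe_scenario_freed_by_script(void) {
    int freed = 0;
    (void)safe_read_after_document_drop(&freed);
    return freed;
}

int main(void) {
    int freed = 0;
    int id = safe_read_after_document_drop(&freed);
    printf("script read id=%d after document release; freed by script=%d\n", id, freed);
    return 0;
}
```

Building with `-fsanitize=address` and calling the unsafe function reports a heap-use-after-free at the dangling read, which is the same detection principle (memory touched after release) that a browser's own allocator hardening or an endpoint exploit-prevention product looks for; the hardened version never reaches that state because the last holder, not the first, is the one that releases the memory.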

Palo Alto Networks response:

  • We released an emergency content update on April 28th, 2014 that provides detection of attempted exploitation of CVE-2014-1776 with IPS vulnerability signature ID 36435 (“Microsoft Internet Explorer Memory Corruption Vulnerability”) with critical severity and a default action of reset-client. Palo Alto Networks customers with a Threat Prevention subscription are advised to verify that they are running the latest content version on their devices.
  • We are integrating Cyvera’s next-generation endpoint solution into our security platform. This integration will provide customers with the ability to stop zero-day attacks on browsers and operating systems to prevent future breaches that exploit unknown vulnerabilities, as we have seen used in CVE-2014-1776.

It is always important to view this type of critical vulnerability in the larger context of the threat landscape. Attackers identify thousands of critical vulnerabilities each year in commonly used software such as Internet Explorer. Once identified, they craft a seemingly endless supply of exploits that leverage these vulnerabilities to deliver unknown malware and compromise networks and endpoints.

Palo Alto Networks enterprise security platform is focused on providing an integrated approach to detecting and preventing advanced threats across each step in the attack kill-chain. Bringing together our next-generation firewall – again a Gartner Magic Quadrant Leader – Threat Prevention, URL Filtering, WildFire, and Cyvera’s ability to prevent exploitation of unknown vulnerabilities will allow us to continue offering ground-breaking protection for our customers’ networks and endpoints, including Windows XP clients.

[Source: Palo Alto Networks Research Center]

ISACA International President: Introducing Cybersecurity Nexus

Today marks one of the most meaningful milestones of my tenure as ISACA international president. Today ISACA introduces Cybersecurity Nexus.

Developed in collaboration with chief information security officers and cybersecurity experts from leading companies around the world, Cybersecurity Nexus—CSX—fills an unmet need for a single, central location where security professionals and their enterprises can find cybersecurity research, guidance, certificates and certifications, education, mentoring and community.

This is a groundbreaking program. This is a critical time.

Several universities have good cybersecurity programs in place, but even these are not enough. With every employee and endpoint at risk of being exploited by cybercriminals, security is everyone’s business. At the root of ISACA’s new, comprehensive CSX program is the knowledge that there is a great need to make cybersecurity education and ongoing training as accessible as possible to the next generation of defenders and those already in the field.

Student interest in cybersecurity careers is strong. A recent global poll of ISACA student members found that 88 percent plan to work in a position that requires some level of cybersecurity knowledge. However, fewer than half say they will have the adequate skills and knowledge they need to do the job when they graduate. CSX aims to help address this imbalance.

CSX marks the first time in ISACA’s 45-year history that the association will offer a security-related certificate. The association’s four certifications—including the Certified Information Security Manager (CISM) credential—require both an exam and proof of work experience. The Cybersecurity Fundamentals Certificate is different. It is ideal for recent university graduates and IT professionals seeking to change fields because it requires only that applicants pass a knowledge-based exam, which provides objective proof of subject mastery to potential employers. This certificate will empower young professionals while providing assurance to employers that they are hiring knowledgeable individuals.

In addition to the Cybersecurity Fundamentals Certificate, CSX includes career-development resources, frameworks, community and research guidance such as Responding to Targeted Cyberattacks and Transforming Cybersecurity Using COBIT 5. There is guidance for cybersecurity professionals at all stages of their careers.

And there are exciting offerings in the near future, including a mentoring program, a practitioner-level cybersecurity certification, SCADA guidance, training courses, implementation guidance related to the US Cybersecurity Framework developed by NIST and the EU Cybersecurity Strategy, and teaching materials for professors.

This is a comprehensive program and I am excited to be involved with it. I invite you to explore the many facets of CSX, consider ways that you can take advantage of offerings within, view related news and graphics, and share your thoughts with me in this space.

Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
International President, ISACA and the IT Governance Institute

[Source: ISACA]

Information Security as a Business Enabler

The business landscape has changed beyond recognition since I started working, way back in 1969. Every business is now reliant on IT systems and the Internet in order to function. (Just see what happens if your email systems are unavailable for an hour!) New technologies and working practices are introduced at a prodigious rate, as globalisation and consumerisation drive transformation and innovation.

As a result of our dependence on IT systems and connectivity, information and cybersecurity are being pushed up the corporate agenda. This is a good thing. However, information security and its practitioners are still seen as risk-averse business inhibitors who stifle innovation, limit agility and slow efficiency with their strict controls and policies.

Meanwhile, information security teams grapple with an increasingly complex and ever-changing threat landscape, while attempting to secure increasingly diverse and poorly understood sets of technologies.

With heightened attention at the board-level, information security professionals have an opportunity to reimagine information security as an enabling function, supporting and adding value to the business as it transforms and innovates. The challenge for many security people is that their passion and enthusiasm can be difficult to communicate to the senior level. We are asked to present arguments in a language business leaders can understand—to remove technobabble from our presentations. Oftentimes we struggle to properly express our concerns and we fail to engage these audiences.

Our information security functions must evolve to become business-led. We must bring business knowledge to security teams and educate security practitioners about the implications of threats. The perception of risk within information security must be changed. Information security must get management/stakeholder buy-in and become fundamental to enterprises, rather than a mere compliance issue. And the language used in this process must improve to ensure effective communication of risk intelligence without instilling fear, uncertainty and doubt.

My keynote panel session at next week’s Infosecurity Europe will explore how information security practitioners can position security as an enabling function and truly support the business. We will consider:

  • How to integrate security into agile business practices
  • New strategies to enable security teams to understand enterprise objectives and speak the language of business
  • How security can help the business collaborate internally, with suppliers and with customers
  • How the security function can inform and contribute to business decision-making
  • What skills are required for an effective security professional and what this all means for the role of the CISO

Peter Wood
Chief executive officer, First Base Technologies, LLP
Member—ISACA London Chapter Security Advisory Group

[Source: ISACA]
