Tuesday, December 3, 2019

#wsjcyber security executive forum

A full day of rich content, journalism and networking on cybersecurity trends, strategy, privacy and operations that cut across the public/government sectors and corporate culture. Some highlights and unedited notepad takeaways:

  1. Security should be embedded in company DNA: security comes first in all design and throughout the entire lifecycle (build, transfer and retirement of products/services), with deliberate transparency.
  2. Threats move laterally, including popular ransomware and botnets. Backups and good hygiene are essential, but credentials must be factored in, the threat matrix must include the inevitable personal use of work PCs, and transition points, particularly during cloud transformation, present the most risk. Controls can be relinquished, but assurance and assessment of those controls remain necessary.
  3. The role of the CISO remains mandatory, particularly in an advisory capacity (advocate for security and for intelligence-based risk decisions) in addition to operational effectiveness. Reporting to the executive level ensures success and demonstrates commitment to and investment in the function, which can support, but is separate from, the CIO's traditional responsibilities.
  4. Accept that a breach will occur regardless of preventative controls; effective response and remediation is more important, along with crisis management, designed external communication (PR) and adequate updates to stakeholders and leadership.
  5. Social interference/manipulation, human error and machine vulnerabilities add risk and attack surface, so data set diversity and detection of database (data) poisoning are called for.
  6. A degree of inconvenience is accepted as part of security, particularly in remote and travel situations, so key tips: a proper risk policy, adequate guidance for business travelers, good hygiene, a risk-averse mentality, and thorough investigation of incidents, which should not be skipped.
  7. Always relate to use cases and understand the high-risk factors, i.e. who the competitor is and what asset is at risk; user profiling should vary by role, and patching effectiveness matters.
  8. Roadmapping communication to stakeholders and legal, with briefing and debriefing, is valuable; continuous metrics and auditing are a must.
  9. Basic travel practices are essential: understand your target value, device security (encryption, never leaving devices unattended, lock-screen passwords), internet/Wi-Fi safety, link/attachment awareness, and trusting your instincts.
  10. Ransomware and botnets will be prevalent in IoT, so automated consequence management and planning should be exercised, in addition to toolset building from endpoint security and NAC (network access control) to web security.
  11. Third-party assurance and due diligence are a must. Lessons range from tiering vendors to proper use of questionnaires (or similar external services that leverage audits), but then ensure follow-up, establish lifecycle vendor management, perhaps conduct onsite visits, and even hold back rewards or penalize partners for non-compliance.
  12. Whether the adversary is a foreign nation or a different sector, the principles are people, process and technology, which map respectively to knowing what data on devices an attacker would steal, how they reach high-value systems, and understanding disruption and threats. Mitigating or preventative controls include DLP (Data Loss Prevention), network segmentation and continuous redundancy/backup.
  13. Planning for cloud transformation is key: pre-configured landing zones should be created, and controls should transition into, and be coordinated with, monitoring.
  14. Geopolitical attacks require understanding the security risks, collaborating with government as well as the private sector, and quantifying reputational risk, mitigation strategy and impact.
  15. Key disruptive nations include: China for technological advances (as advertised), North Korea for cryptocurrency and financial institution threats, Iran for its pursuit of regional dominance, and Russia for using non-government entities to focus on influence operations and to undermine confidence.
  16. While improving, 60% of boards have no cybersecurity experience according to a survey, so translating technical concepts for the business or the board is paramount in establishing confidence, advocating for security and sustaining the level of investment.
  17. Take advantage of peer networking for alignment on strategy and position, and to elevate understanding of security dynamics.
  18. A trend has been seen of boards of directors hiring external penetration testers whose results are reported directly to the board.
  19. Limits of cyber insurance can revolve around the circumstances of the incident and the declaration of the event; the challenge is when it is declared, which comes down to the coverage language, which can and should be negotiated.
  20. Big data sharing must be balanced against collection, and so must privacy, with deliberate security practices to ensure protection.
  21. Advances in technology also provide the opportunity, and the requirement, to deliver HIPAA records to patients more quickly for compliance, but more importantly for critical uses of their own personal data and diagnoses. HIPAA, OCR (Office for Civil Rights) guidance and BAAs (business associate agreements) all spell out requirements and instructions for protecting medical and health information.
  22. A number of stats: 90% of breaches start from human error; 3.5 million more cybersecurity jobs than experts to fill them by 2021; 74% of breaches involved access to a privileged account; 70% of organizations feel more concerned about a breach than they did last year; 24% of asset managers believe that 80% of their assets have the latest patches and updates; 30% believe they've never been breached; 1 in 5 breaches costs in excess of $50 million; 61% of enterprises report that they can't prevent breaches without the use of AI; 2/3 of executives report that the cost of detection and response is lower with AI.
  23. Artificial intelligence requires contextual analysis and brings together behavior, model performance and static analysis to build stories (attack narratives), along with rollback capabilities.

Thanks Wall Street Journal for a great conference!

Wednesday, April 17, 2019

Security Breach: Contract Terms and Vendor Due Diligence

Having worked in the IT and Business Process Outsourcing spectrum for years and for multiple companies and programs, this article struck a chord. While making others aware, I did add the disclaimer that security breaches are mainstream (unfortunately); and aside from sound security controls and adequate business processes, vendor management post-breach will often fall back on the CONTRACT terms, agreements and penalties that were negotiated.

In an evolving story still under investigation and forensics, Wipro confirmed a security breach of its corporate mail system via a phishing campaign that led to the exploitation of nearly a dozen of its clients, i.e. we're all connected. Since the company's filing, with exchanges over the stated cause (a zero-day vulnerability) and mentions of a state-sponsored, multi-month intrusion, the topic is quickly turning to credibility (of the company's accountability and communication), liability, and contractual provisions or privacy laws.

It makes you think about contractual provisions and penalty clauses, GDPR, "air-gapped" networks, VDI/thin clients, vendor due diligence, and anomaly detection and response (EDR/UBA), for starters...

Friday, January 25, 2019

Cyber Salary Survey 2019 USA Report

According to Beecher Madden, cybersecurity salaries have increased dramatically and the talent gap continues to grow. Some key results:
  • All salary levels increased, particularly for the architect role
  • Retention is a problem: more than half look for, and find, jobs that pay 10% more, compared with 6% for those who stay with their current employer
  • "those responding feel very positive about the outlook for cybersecurity jobs in 2019"
  • Salary ranges: Analyst with 2-5 years of experience $90K-$130K, Architect $120K-$210K, Manager $105K-$210K, Director with 8-12 years of experience $150K-$280K, and CISO $180K-$1 million
  • San Francisco and New York offer slightly higher rates than Washington, based on the study
  • Bonus payouts: 35% received 0-5%, 15% received 16-20%, and 5% received 31-40%
  • Other benefits include guaranteed bonus, flexible working, and over 25 PTO days
  • 86% of those surveyed expect to move roles, with 26% able to find new roles within 2 weeks and 11% within 3-6 months
  • Typical salary increases were 16%-20%, while the 6% who stay get a 10% increase in their current roles
  • 59% of candidates would use a specialist recruitment company, followed by industry-specific job boards (50%) and their own network (45%); then internal promotion (32%), generic job boards (31%) and company websites (29%)
Retention results from: allowing project work outside the day job, ensuring cybersecurity is taken seriously by the business, strong leadership, demonstrating a route for career progression, and, ironically, also waiting for employees to become fatigued with moving.

www.beechermadden.com