<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Endré Jarraux Walls, Author at Security Current</title>
	<atom:link href="/author/endre/feed/" rel="self" type="application/rss+xml" />
	<link>/author/endre/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Tue, 07 Nov 2023 09:48:18 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Endré Jarraux Walls, Author at Security Current</title>
	<link>/author/endre/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Peer Networking: It Helps You Understand What Great Looks Like</title>
		<link>/peer-networking-it-helps-you-understand-what-great-looks-like/</link>
		
		<dc:creator><![CDATA[Endré Jarraux Walls]]></dc:creator>
		<pubDate>Tue, 07 Nov 2023 09:48:18 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36294</guid>

					<description><![CDATA[<p>Cybersecurity thrives on networking and collaboration. It’s crucial to interact with peers to share critical information, attack vectors and things you’ve experienced. Peer networking groups are a great way to&#8230;</p>
<p>The post <a href="/peer-networking-it-helps-you-understand-what-great-looks-like/">Peer Networking: It Helps You Understand What Great Looks Like</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img fetchpriority="high" decoding="async" class="alignnone size-full wp-image-36296" src="/wp-content/uploads/2023/11/Peer-Networking-It-Helps-You-Understand-What-Great-Looks-Like.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/11/Peer-Networking-It-Helps-You-Understand-What-Great-Looks-Like.png 1017w, /wp-content/uploads/2023/11/Peer-Networking-It-Helps-You-Understand-What-Great-Looks-Like-300x172.png 300w, /wp-content/uploads/2023/11/Peer-Networking-It-Helps-You-Understand-What-Great-Looks-Like-180x103.png 180w, /wp-content/uploads/2023/11/Peer-Networking-It-Helps-You-Understand-What-Great-Looks-Like-768x441.png 768w, /wp-content/uploads/2023/11/Peer-Networking-It-Helps-You-Understand-What-Great-Looks-Like-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">Cybersecurity thrives on networking and collaboration. It’s crucial to interact with peers to share critical information, attack vectors and things you’ve experienced. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Peer networking groups are a great way to do that. They allow you to understand what great looks like, and to identify things that you can take back to your own organization to improve what you do. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">In our industry, you can always reach out to peers for lessons and insights. But larger peer networking groups allow you to do that in a much more consolidated space where you can get opinions and thought leadership from lots of different people – and share the lessons you’ve learned throughout your career. </span></p>
<p><span style="font-weight: 400;">One of the reasons I decided to get involved with CISOs Connect in particular was because I found it to be an exceptional peer networking group that was focused on helping CISOs explore things outside of their day-to-day responsibilities. I like that you can learn about how to manage various legal challenges, how to deal with various regulatory issues, how to navigate aspects of your career and how to negotiate your compensation.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">I don’t think there’s any other industry that thrives on shared experience and lessons learned more than the technology industry, because there are 500 ways to do what we do. There’s no one right way to solve a problem. And for that reason I think it’s critical that people take the time to network with peers and learn from their experiences, mistakes and successes.</span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">When I think about what makes for a good peer networking group, I think diversity is number one. A diverse group will give you insights from different people, different ideas and different industries. It also offers opportunities to learn from people at different stages of their careers. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">For me, networking is part of the continuous learning we should all be involved in. I know some people ask: how can I justify spending tens of thousands of dollars a year on this? You can justify it because it’s essential training not only for you, but also for your organization. If you have a budget for continuous learning – and you definitely should – there should be a provision for helping top performers in your shop attend networking events and training.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Insights gleaned from these peer networking meetings should be taken back to your board or other executives. It’s one thing to tell people you believe a certain track is the right way to go. It’s another to be able to share someone else’s experience. If you can take the experiences of others and relate them to something meaningful for your organization, there’s nothing more powerful. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The potential outcomes will help the company better protect itself.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Peer networking groups also help companies by giving them exposure. Exposure makes hiring easier and also opens new pools of candidates. I can say for a fact that I see more women and more minorities in our industry thanks to these networking groups. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">And of course, networking is always useful in moving along a career path. Peer groups give you an idea of the networks you need to build to potentially get to your next job – and to help non-executives in your shop progress on their growth cycle. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Presenting future leaders in our organizations with ways to interact with other professionals who could help their careers progress is a responsibility we all have as leaders. It’s painful to lose a great employee, but providing them with that sort of support is really important. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">While industry groups are great, the wider tech and security peer networking groups are the most powerful. Sometimes your best ideas on how to execute a technology plan or solve a technology problem or manage a certain aspect don’t come from your industry.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Getting involved in a peer group that brings people together from different industries makes it possible for you to get ideas and thoughts outside of the everyday space that you operate in. And there’s a lot of power in that. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Artificial Intelligence: Making Shadow IT Riskier Than Ever</title>
		<link>/artificial-intelligence-making-shadow-it-riskier-than-ever/</link>
		
		<dc:creator><![CDATA[Endré Jarraux Walls]]></dc:creator>
		<pubDate>Mon, 30 Oct 2023 19:28:59 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36269</guid>

					<description><![CDATA[<p>Shadow IT presents a grab bag of risks, and artificial intelligence is only making it riskier. Shadow IT refers to employees implementing tools that their IT department isn’t working with&#8230;</p>
<p>The post <a href="/artificial-intelligence-making-shadow-it-riskier-than-ever/">Artificial Intelligence: Making Shadow IT Riskier Than Ever</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img decoding="async" class="alignnone size-full wp-image-36271" src="/wp-content/uploads/2023/10/Artificial-Intelligence-Making-Shadow-IT-Riskier-Than-Ever.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/10/Artificial-Intelligence-Making-Shadow-IT-Riskier-Than-Ever.png 1017w, /wp-content/uploads/2023/10/Artificial-Intelligence-Making-Shadow-IT-Riskier-Than-Ever-300x172.png 300w, /wp-content/uploads/2023/10/Artificial-Intelligence-Making-Shadow-IT-Riskier-Than-Ever-180x103.png 180w, /wp-content/uploads/2023/10/Artificial-Intelligence-Making-Shadow-IT-Riskier-Than-Ever-768x441.png 768w, /wp-content/uploads/2023/10/Artificial-Intelligence-Making-Shadow-IT-Riskier-Than-Ever-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">Shadow IT presents a grab bag of risks, and artificial intelligence is only making it riskier. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Shadow IT refers to employees implementing tools that their IT department isn’t working with and doesn’t know they’re using. Because the company isn’t monitoring or managing these tools, the IT department won’t even know if they’re attacked, because it has no controls around them. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">AI has compounded that risk because it is present in applications that companies didn’t even expect it to be in. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">A prime example is LinkedIn, which now has an AI feature that lets people write articles and create copy. But users have to create prompts that enable the AI to do its thing, and they could easily embed confidential information in those prompts, which are being stored who knows where. They could be offering information to third parties without your company knowing. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">I worry that in the future, we’re going to have a massive breach of ChatGPT data because it was stored somewhere in the cloud, and ended up unsecured through misconfiguration, which happens all the time. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The potential for a significant security breach is huge because there are no controls in this case. Users will be blissfully unaware, because as far as they’re concerned, the product is doing what they expected it to. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Security practitioners have been dealing with the issues around shadow IT for a while, and it’s a main reason why the average company doesn’t allow individual employees to be administrators of their own machines. That way they can’t install software. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">But now, it doesn’t even matter. Most applications are being delivered via the cloud, and you can’t block the internet. So now you have users who have access to a wide swath of applications that help them do their work, but create unmeasured IT risk for the company. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Imagine a Zoom call between a lawyer and client, and the lawyer decides to use Zoom’s AI to capture the contents of what should be a privileged attorney-client conversation. It gets stored at some unknown location. And tomorrow Zoom has a security breach that includes AI transcripts, and data from people who used the translate feature.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">You have all of this data that could get stolen. And if an IT organization isn’t aware that their users are using that feature, there’s no way to monitor the risk. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Companies are embedding AI in their applications to beat the competition to the punch, often without regard for the security implications. For CISOs, that means another layer of block and tackle. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The typical controls you can put in place to prevent users from leveraging unapproved apps on their machines won’t work anymore. You have to find other methods. These include:</span></p>
<p><span style="font-weight: 400;">* Initiate conversations and training</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Check if the AI can be turned off</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Articulate the risk to the executive team so you can consider other technologies</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Take the time to catalog products</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Have conversations with management about the risks of those products</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Understand the security controls that are in place, and be able to articulate those controls so you have at least a basic understanding of how risky those applications are to your organization. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The biggest part of all this is actually on your CIO and IT department. When users have to find another piece of software to do their work, it’s because the product suite they’ve been offered doesn’t work for them. To be clear, shadow IT is a result of tools deployed to the user base that either do not fit their work style or lack the features and functionality they need to be productive. This is one area where CIOs and CISOs can work together to understand the needs of the user base and deploy solutions (or create pathways for secured alternatives) that meet users where they are. This is especially true given today’s remote work reality. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">For example, I often used Canva, a very popular marketing application, instead of the tools offered by a former employer, because the tools they offered weren’t as good. I wanted to use something more effective. I needed to use something that improved my personal productivity instead of having to work through tools that didn’t meet my needs. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">So if users don’t want to use the tools the company is providing – the tools that are secured and get the attention of the security organization – the company needs to change course. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">I believe that we are just a quarter or two away from a major security breach involving captured data used for AI translation purposes. I’m sure it’s going to occur, and a lot of people are going to be shocked that their information was leaked in a way they didn’t foresee.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">CISOs and CIOs, therefore, have to work together closely to ensure that applications and tools meet users’ needs to reduce shadow IT as much as possible, and to introduce AI to the organization in a secure and consumable way. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cybersecurity Awareness Month: An Opportunity to Better Secure Home Networks</title>
		<link>/cybersecurity-awareness-month-an-opportunity-to-better-secure-home-networks/</link>
		
		<dc:creator><![CDATA[Endré Jarraux Walls]]></dc:creator>
		<pubDate>Tue, 24 Oct 2023 13:12:41 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36258</guid>

					<description><![CDATA[<p>October is cybersecurity awareness month. I think taking this occasion to extend cybersecurity awareness outside of company offices and into the home is really important. With so many people working&#8230;</p>
<p>The post <a href="/cybersecurity-awareness-month-an-opportunity-to-better-secure-home-networks/">Cybersecurity Awareness Month: An Opportunity to Better Secure Home Networks</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img decoding="async" class="alignnone size-full wp-image-36261" src="/wp-content/uploads/2023/10/Cybersecurity-Awareness-Month-An-Opportunity-to-Better-Secure-Home-Networks-.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/10/Cybersecurity-Awareness-Month-An-Opportunity-to-Better-Secure-Home-Networks-.png 1017w, /wp-content/uploads/2023/10/Cybersecurity-Awareness-Month-An-Opportunity-to-Better-Secure-Home-Networks--300x172.png 300w, /wp-content/uploads/2023/10/Cybersecurity-Awareness-Month-An-Opportunity-to-Better-Secure-Home-Networks--180x103.png 180w, /wp-content/uploads/2023/10/Cybersecurity-Awareness-Month-An-Opportunity-to-Better-Secure-Home-Networks--768x441.png 768w, /wp-content/uploads/2023/10/Cybersecurity-Awareness-Month-An-Opportunity-to-Better-Secure-Home-Networks--600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">October is cybersecurity awareness month. I think taking this occasion to extend cybersecurity awareness outside of company offices and into the home is really important. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">With so many people working remotely or in hybrid situations, there are many opportunities for a home network to get compromised and impact your corporate network. By helping employees improve the security posture of their homes, you will also demonstrate value to your organization. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Start by showing employees how they can improve the security of their home wifi and protect the IoT devices they have. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Help them understand what a good wifi password looks like. One of the easiest things attackers can put on a wifi network once they’ve figured out the password is a packet sniffer, which tells them what websites you go to, and what things you search for. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">What’s more, the average person has 25 or more devices at home connected to their wifi without even realizing it. They’re mostly IoT devices – things like doorbell cameras, refrigerators and microwaves, phones, watches and TVs. And when your car is parked in your garage, it connects to your wifi network for software updates.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">With all this exposure, you have to help your employees do the best possible job of securing their wifi to protect their home networks from outside harm. When you consider that most attacks are beginning to happen outside the office, it’s no small thing to make sure people are as well prepared outside of their offices as they are inside. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Another helpful thing you can do is describe some of the different types of attacks to your users. Account takeover is one that’s been talked about a lot lately. It’s a very broad term with different manifestations. But it’s a good move to explain it to your users so they know what it looks like in all its different forms. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The most common form is when someone poses as a help desk, a bank or something of that sort to trick you into divulging information they can use to access your account. The romance scam is another popular mode, where someone insinuates themselves into your confidence to “borrow” a seemingly innocuous account. But because the average person uses the same password for everything, giving someone your Netflix password usually gives them access to your bank account, too. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Awareness month is also a great time for your security teams to leverage popular tools like Canva and SharePoint to make infographics that are relevant to your business and industry. Nothing beats the infographic for providing a condensed amount of information in a visually appealing way that’s easy to absorb. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">I also think that videos are a great way of improving awareness. I like to make scenario videos, and the cheesier the better – it’s part of the charm. You get people to act out different types of security scenarios, giving them an opportunity to enjoy the joke and learn at the same time. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Competitions during cybersecurity month are another fun and effective tool. It’s a way to give away prizes, extend learning, and get people engaged. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">It’s absolutely key to remember that the point of all this is to educate through engagement. Cyber awareness programs offer the opportunity to engage everyday employees who would otherwise see the security department as something they don’t know, don’t understand, don’t have to worry about, or don’t want to hear from. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Drive that level of engagement among employees during cybersecurity awareness month and beyond to show the efficacy and value of your program to your board of directors. These programs and a new focus on improved home security will demonstrate how you’re helping your organization by providing the tricks, tips and tools that employees need to secure themselves in today’s liquid workplace. </span><span style="font-weight: 400;"><br />
</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Creating the Measuring Stick for Self-Awareness</title>
		<link>/creating-the-measuring-stick-for-self-awareness/</link>
		
		<dc:creator><![CDATA[Endré Jarraux Walls]]></dc:creator>
		<pubDate>Wed, 13 Sep 2023 06:06:15 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36149</guid>

					<description><![CDATA[<p>CISOs need to measure themselves to further develop their programs. Assessments help to make the case for the success of an existing program, while supplying the data necessary to get&#8230;</p>
<p>The post <a href="/creating-the-measuring-stick-for-self-awareness/">Creating the Measuring Stick for Self-Awareness</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36151" src="/wp-content/uploads/2023/09/Creating-the-Measuring-Stick-for-Self-Awareness.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/09/Creating-the-Measuring-Stick-for-Self-Awareness.png 1017w, /wp-content/uploads/2023/09/Creating-the-Measuring-Stick-for-Self-Awareness-300x172.png 300w, /wp-content/uploads/2023/09/Creating-the-Measuring-Stick-for-Self-Awareness-180x103.png 180w, /wp-content/uploads/2023/09/Creating-the-Measuring-Stick-for-Self-Awareness-768x441.png 768w, /wp-content/uploads/2023/09/Creating-the-Measuring-Stick-for-Self-Awareness-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p>CISOs need to measure themselves to further develop their programs. Assessments help to make the case for the success of an existing program, while supplying the data necessary to get executive support for its improvement.</p>
<p>Regardless of what size shop you are, I think it is essential to do both internal and external assessments.</p>
<p>Internal assessments are important because they help to gauge the relative risk across the entire organization. Things like business email compromise, account hijacking or impersonation all start with a cyber genesis. So it’s the security department’s purview to look at the various business units’ processes to figure out whether any of them are unnecessarily risky or can be improved.</p>
<p>Once you’ve done the internal work and assessed your risk, then you mitigate it.</p>
<p>The internal assessment is something the security department should formulate, onboarding the different departments inside the organization and publishing to the board of directors. Sharing that information helps to level set everyone on the preparedness and awareness of departments in the organization around their security risks. This is critical to drive a security-centric culture.</p>
<p>The more mature organizations do internal assessments and benchmarking annually to see whether things backslid or improved.</p>
<p>The internal assessment is also important because external assessors don’t know how your company operates. The external assessor’s value is in taking a look at how well your mitigations worked.</p>
<p>I advise companies to change their assessor every couple of years – and to use different vendors for different types of assessments. While that might seem more expensive, it actually isn’t, and you end up with better results by leveraging different partners.</p>
<p>Those different vendors would cover:</p>
<p><b>* Cybersecurity assessment: </b>An external cybersecurity assessment should look at your company’s ability to handle external cybersecurity attacks. This would be more comprehensive than a pen test, expanding beyond attack surfaces to checking wi-fi, socials and people to get a 50,000-foot view of your company’s ability to manage and mitigate cyber threats.</p>
<p><b>* Network security assessment: </b>The network security assessment is there to evaluate how much damage could be done if someone got in, and what mitigations and controls you put in place to limit damage. Network security assessments tend to look deeper at internal things you might not think about, like printers and copiers that can add vulnerabilities onto your network. They also tend to look at IoT devices and other internal controls that would not be examined in a cybersecurity assessment. You can have great external controls and a great cybersecurity posture, but a user can inadvertently allow something into your network.</p>
<p><b>* Cybersecurity risk:</b> This is going to validate the internal assessments you did earlier. A third party will measure you against your own findings and the things you’ve mitigated. How well did you actually improve your posture based on the things you found during the internal assessment? How much further can you go?</p>
<p><b>* Data management assessment:</b> This is crucial for any company that handles consumer data in any way, shape or form. More and more states are starting to adopt privacy legislation. But before these rules and regulations were put in place, companies amassed tons of data that have never been assessed. So take time to work with a third party to assess your data structures, storage mechanisms, and processes related to access and authentication. Look at the technologies that interact with data and at your communication protocols. Can you stop a flood of information from being able to leave, and detect malicious or unusual activity? These assessments can be expensive, but it’s money you need to spend.</p>
<p>Timetables for doing the various assessments can vary from organization to organization. But I would say the overall cybersecurity assessment is something you should do toward the end of the year because that provides all of the data for your end-of-year reporting to the board.</p>
<p>Business changes around us on a routine basis, making annual assessments a critical benchmark for ensuring we’re protected. And more important than just being protected is the need to articulate just how well we’re protected. It’s critical to take this data and use it for value creation and articulation.</p>
<p>Probably the easiest line in your budget could be a line for assessment services. No executive doubts the value of pen testing any more. The same should hold for assessments if you make your case properly. I think it’s an easy value statement to be able to make.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Why Aren&#8217;t There More Women in Cyber?</title>
		<link>/why-arent-there-more-women-in-cyber/</link>
		
		<dc:creator><![CDATA[Endré Jarraux Walls]]></dc:creator>
		<pubDate>Tue, 05 Sep 2023 14:46:12 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36124</guid>

					<description><![CDATA[<p>There are a lot of women out there with tech backgrounds. So why aren’t there more women in cyber? I think it comes down to hiring practices, and which companies&#8230;</p>
<p>The post <a href="/why-arent-there-more-women-in-cyber/">Why Aren&#8217;t There More Women in Cyber?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36127" src="/wp-content/uploads/2023/09/Why-arent-there-more-women-in-cyber.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/09/Why-arent-there-more-women-in-cyber.png 1017w, /wp-content/uploads/2023/09/Why-arent-there-more-women-in-cyber-300x172.png 300w, /wp-content/uploads/2023/09/Why-arent-there-more-women-in-cyber-180x103.png 180w, /wp-content/uploads/2023/09/Why-arent-there-more-women-in-cyber-768x441.png 768w, /wp-content/uploads/2023/09/Why-arent-there-more-women-in-cyber-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p>There are a lot of women out there with tech backgrounds. So why aren’t there more women in cyber?</p>
<p>I think it comes down to hiring practices, and which companies tend to look for diverse candidates in the first place.</p>
<p>Job descriptions and automated talent systems are doing our industry a disservice. Typically, when companies are looking for cybersecurity and technology talent, they’re looking for generalized experience that people just don’t have because technology stacks are tailored to specific organizations.</p>
<p>As a result, HR folks who don’t get enough input from technology leaders inside the company are liable to pass over worthy female candidates, because the job description lists very generalized requirements.</p>
<p>What’s more, most HR departments make the mistake of using automated talent systems that scan resumes for keywords and score them on that basis. I think ATS is probably the worst technology ever created because it has cultivated a hiring environment that’s mostly based on referrals. As a result, the men who are typically in charge end up hiring the sons of people who golf with them, or went to college with them, or are in the same club as them.</p>
<p>If I were to challenge people to write down the names of 20 people they would reach out to when they had a really important hire, I’ll bet the average person is going to struggle to come up with the names of more than two minorities or women.</p>
<p>Tenure is another issue: Women tend to stay longer in jobs because they don’t have access to the same networks, so it’s harder for them to find the next position. By being tethered to a job for seven or eight years, women fall behind from a technical standpoint and don’t improve their skills.</p>
<p>This situation also contributes to the pay gap and suppresses upward mobility because historically for technical roles, if you want a raise you’ve got to go somewhere else.</p>
<p>There’s also the issue of which companies are hiring women. I’ve noticed that it tends to be the larger companies that hire more diverse candidates because they purposefully have diverse hiring campaigns.</p>
<p>But the smaller companies tend to be the more interesting places to work because they have better tech. Better tech tends to be cheaper, and it also allows these smaller companies to be more nimble.</p>
<p>The combination of lack of access to networks and less opportunity to gain experience with new technology makes it harder for women to find positions. The same holds for minorities, too, but I think you’re more likely to find a man of color in a cybersecurity position than you are a woman, white or of color.</p>
<p>Two things must happen for this situation to change.</p>
<p>First of all, HR departments have to get better at hiring tech people. They have to lose the ATS and find better ways of recruiting besides referrals. It wasn’t until later in my career that I realized I could get better quality talent if I went out and searched for the right candidate myself. Not just because I knew what I was looking for from a technical standpoint, but because I didn’t rely on resumes.</p>
<p>Instead, my focus was on the candidate’s aptitude to be an innovator and problem solver, and their willingness to tackle challenges and the chaos that tends to swirl around cybersecurity and tech in general. These are the things we should be hiring for.</p>
<p>Tech executives have to work more closely with their HR counterparts to make sure they have the know-how to source for technology candidates. HR doesn’t know what a network engineer does versus a systems engineer versus a security engineer versus a SOC analyst. Executives have to give HR examples of what a good candidate looks like, what skills they absolutely must have and how to gauge aptitude. Execs also have to get more involved in building job descriptions.</p>
<p>The other piece that needs to happen is for smaller companies to focus more on diversity. There’s nothing wrong with setting a target number for female candidates.</p>
<p>It’s not that there’s a limited pool of women with tech backgrounds. There’s a limited pool of jobs that will even accept them in the first place. We need to change this situation now if we want to cultivate the type of talent we need.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Resist the Impulse to Window Dress</title>
		<link>/resist-the-impulse-to-window-dress/</link>
		
		<dc:creator><![CDATA[Endré Jarraux Walls]]></dc:creator>
		<pubDate>Wed, 30 Aug 2023 06:06:52 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36110</guid>

					<description><![CDATA[<p>New rules published by the Securities and Exchange Commission require public companies to have someone responsible for cybersecurity. What worries me is that some companies are going to be handing&#8230;</p>
<p>The post <a href="/resist-the-impulse-to-window-dress/">Resist the Impulse to Window Dress</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36115" src="/wp-content/uploads/2023/08/Resist-the-Impulse-to-Window-Dress.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/08/Resist-the-Impulse-to-Window-Dress.png 1017w, /wp-content/uploads/2023/08/Resist-the-Impulse-to-Window-Dress-300x172.png 300w, /wp-content/uploads/2023/08/Resist-the-Impulse-to-Window-Dress-180x103.png 180w, /wp-content/uploads/2023/08/Resist-the-Impulse-to-Window-Dress-768x441.png 768w, /wp-content/uploads/2023/08/Resist-the-Impulse-to-Window-Dress-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></p>
<p>New rules published by the Securities and Exchange Commission require public companies to have someone responsible for cybersecurity.</p>
<p>What worries me is that some companies are going to be handing out CISO titles just to tick a box, and aren’t really taking cybersecurity as seriously as they should.</p>
<p>I’ve seen a number of instances where companies are looking at a mixed chief risk officer and CISO role. While the disciplines are definitely related, I think that is an inefficient approach, and when you see companies doing that, it’s because they just want to say they have a CISO.</p>
<p>Other companies are thinking about making their CIO their chief security person, too. I would caution that these CIOs are basically being put in a ring of fire, because cybersecurity is a discipline of its own.</p>
<p>For the most part, a lot of the knowledge cybersecurity professionals have comes from being practitioners for years. People who’ve never been focused on security before do not make great first-time security executives.</p>
<p>It’s something we shouldn’t have to say, but companies don’t seem to understand the difference. Many CEOs seem to be focused on the title instead of role, responsibility and capability.</p>
<p>How companies address this new SEC rule, then, will say a lot about how they view corporate responsibility when it comes to cybersecurity.</p>
<p>The advice I would give to organizations getting a first-time CISO or CSO is to enlist the support of third-party companies that are skilled in hiring and obtaining executives with cybersecurity expertise.</p>
<p>Second, it’s important for companies to identify up front what type of CISO they want. There are various types, some more appropriate for a certain company or industry than others, and we should probably be more honest in the industry and admit this.</p>
<p>As a prime example, there is still a need for CISOs who have strong technical backgrounds and who are able, in smaller companies, to roll up their sleeves and assist an operations team, or look at code, or work in applications or directly with developers.</p>
<p>In larger organizations, you benefit more from a true executive who can translate things to the board, and help drive metrics and KPIs that show value to the organization. The folks who are in between need to figure out the right mix for what they’re able to support.</p>
<p>Companies that are looking to fill first-time CISO roles need to have a solid understanding of what they’re looking for and what their needs are, and be willing to put things in place to provide support and ensure success. The idea that you can hire a person and just turn them loose is untenable. They need budgets, and they need to know what roles are going to support them and how they are going to be leveraged inside the organization.</p>
<p>Candidates, on the other hand, have to be on the lookout for companies clearly checking a box. It’s OK to say no to a job offer if it isn’t aligned to promote their success.</p>
<p>Being able to walk away from opportunities that don’t make sense is something that security people in general need to get more comfortable with, because we are starting to exist in a space where there is more personal and professional risk than ever for security personnel.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Information Sharing for the Common Good</title>
		<link>/information-sharing-for-the-common-good/</link>
		
		<dc:creator><![CDATA[Endré Jarraux Walls]]></dc:creator>
		<pubDate>Tue, 08 Aug 2023 06:06:57 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36029</guid>

					<description><![CDATA[<p>As CISOs, we’re trained that when things happen to our organizations, it’s supposed to stay inside, close to the vest.  I say we need to be more open about what’s&#8230;</p>
<p>The post <a href="/information-sharing-for-the-common-good/">Information Sharing for the Common Good</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone wp-image-36031 size-full" src="/wp-content/uploads/2023/08/Information-Sharing-for-the-Common-Good.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/08/Information-Sharing-for-the-Common-Good.png 1017w, /wp-content/uploads/2023/08/Information-Sharing-for-the-Common-Good-300x172.png 300w, /wp-content/uploads/2023/08/Information-Sharing-for-the-Common-Good-180x103.png 180w, /wp-content/uploads/2023/08/Information-Sharing-for-the-Common-Good-768x441.png 768w, /wp-content/uploads/2023/08/Information-Sharing-for-the-Common-Good-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">As CISOs, we’re trained that when things happen to our organizations, it’s supposed to stay inside, close to the vest. </span></p>
<p>I say we need to be more open about what’s happening on our turfs. I think our industry would dramatically benefit from the creation of information-sharing networks that enable CISOs to work together and form a unified defense around their organizations.</p>
<p>Informally, CISOs should be reaching out to one another, building networks so they can find backchannel ways to share digital information related to attack vectors, bad IPs and bad actors. This is the sort of thing that should be formalized inside the organization so other executives know it’s happening. I think it makes sense for companies to create multiparty NDAs that allow their CISOs to work together.</p>
<p>The idea behind it should be information-sharing for the common good.</p>
<p>Take the medical community as a model. If you have an odd patient outcome, or even a death, there would be a case study on that. There would be a conversation among doctors on how to prevent that from happening again. We do not do that in the cybersecurity industry, but I think that sort of information sharing would go a long way to reducing the effectiveness of attacks that do occur, and making it harder for cybercriminals to be successful.</p>
<p>Obviously we have to be mindful of risk and liability issues, but I would compare this to how intelligence agencies and governments share information. They formulate memorandums of understanding that delineate what sort of information will be shared, who’s allowed to have access to it, who’s allowed to action it, and so on.</p>
<p>With CISOs, it should be pretty simple. It should be the CISOs and maybe their deputies. The group could set up a secured space where information is shared. Perhaps the information that’s shared is anonymized data that consists of IP addresses and other information that shows where those attackers are originating. Or maybe it’s a dossier on how an attack was executed and your team’s response, or how an attack was averted. It could also include reviews of products or services, or a recommendation of a candidate for a job.</p>
<p>You’re not sharing company secrets, but presenting an opportunity for your companies to work together in thwarting different types of attack vectors. Sharing that kind of information is invaluable for an industry that is under constant attack.</p>
<p>Work with your competitors and your partners, too. CISOs often buy software and services, but don’t align themselves with the vendors. I think that’s a missed opportunity to network and gain deeper insights into the operations of some of these organizations for the purposes of information sharing.</p>
<p>CISOs also have to do a better job of collaborating with government and law enforcement – no matter how small or big your shop is.</p>
<p>If an attack shuts down your organization, law enforcement would get involved. But if you don’t have relationships upfront, it’s hard to figure out a process. So take the time to align yourself with local and federal resources. Reach out to their computer science groups to figure out who would be your key contact if something goes wrong, and develop a rapport. Understand the numbers to call, how information ingestion proceeds, and what details they’ll be looking for.</p>
<p>Another key point is the ability to align teams. Companies, even of equal size, won’t necessarily have the same level of security staffing. The proactive thing to do is to develop relationships so that in times of crisis, you can use the assistance of other people in your network. It really is a team sport.</p>
<p>The one thing that we know is that the criminals are working together. I think it’s time that CISOs start to do the same thing.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>You&#8217;re Setting Up Entry Level Hires to Fail If You Don&#8217;t Train Them</title>
		<link>/youre-setting-up-entry-level-hires-to-fail-if-you-dont-train-them/</link>
		
		<dc:creator><![CDATA[Endré Jarraux Walls]]></dc:creator>
		<pubDate>Thu, 27 Jul 2023 06:06:25 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36020</guid>

					<description><![CDATA[<p>Sticking with this topic of hiring entry level candidates, let’s talk about training. Companies will use entry level as a way to hire lower-cost resources to help them stretch their&#8230;</p>
<p>The post <a href="/youre-setting-up-entry-level-hires-to-fail-if-you-dont-train-them/">You&#8217;re Setting Up Entry Level Hires to Fail If You Don&#8217;t Train Them</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone wp-image-36022 size-full" src="/wp-content/uploads/2023/07/Youre-Setting-Up-Entry-Level-Hires-to-Fail-If-You-Dont-Train-Them.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/07/Youre-Setting-Up-Entry-Level-Hires-to-Fail-If-You-Dont-Train-Them.png 1017w, /wp-content/uploads/2023/07/Youre-Setting-Up-Entry-Level-Hires-to-Fail-If-You-Dont-Train-Them-300x172.png 300w, /wp-content/uploads/2023/07/Youre-Setting-Up-Entry-Level-Hires-to-Fail-If-You-Dont-Train-Them-180x103.png 180w, /wp-content/uploads/2023/07/Youre-Setting-Up-Entry-Level-Hires-to-Fail-If-You-Dont-Train-Them-768x441.png 768w, /wp-content/uploads/2023/07/Youre-Setting-Up-Entry-Level-Hires-to-Fail-If-You-Dont-Train-Them-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">Sticking with this topic of hiring entry level candidates, let’s talk about training. Companies will use entry level as a way to hire lower-cost resources to help them stretch their resource dollars. But that could backfire if they don’t provide the environment for entry-level talent to succeed. Fact is, talent development demands a thoughtful training program no matter what size organization you hail from. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">It is the job of the executive to ensure that when people come into an organization, that they have a good idea of how things work there. The executive needs to spell out what the different groups are, what the tech stack is, how different technologies are connected to each other, what applications are used, and how they are used and by whom. Those things have to be laid out so employees are well onboarded and not in the dark when they start. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">If you’re bringing in entry-level talent, there also needs to be a pre-designed training discipline, and I would tie it to compensation for performance. There are good resources out there that provide technology and security training. It’s important to set up a training discipline and make that part of the job. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">I recommend compensating people for staying on top of their training because the idea should be to develop them into a fully functional security engineer or senior analyst, or whatever role you need that person to fill that aligns with their personal goals. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">If your security department is good, not a lot is going on, so there needs to be a lab environment for stimulation and sharpening an entry-level employee’s skills. There are great resources out there to build one. Take the time to develop that in the regimen for training your entry-level personnel. There also have to be metrics and shadowing. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Your program should have everything in it for entry level personnel to grow with the company. That’s how you’ll keep them. The average security person doesn’t stick around in a job for more than two or three years. There’s dysfunction in the industry, and companies have to start changing that by being more serious about cybersecurity as a discipline. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">In my view, entry level roles in an organization that is tight on resources simply doesn’t make sense. If you can’t train them properly, the risk is that you end up with people who are not game-time ready. And when something happens, those cracks in the façade turn an incident that could be easily managed into an event that requires recovery. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">It’s the job of security leaders to fight fires and prevent the destruction of the structure. They have to minimize damage. It’s essential to have trained and ready people in place in order to do that. If you’ve got a team of five or six people in your organization, you probably don’t have any entry level roles. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Larger organizations that do have space to develop a training regimen must also ensure there are opportunities for those workers to attend conferences, be involved in peer groups, and network with other senior professionals, both inside the company and outside. That helps to build the overall discipline and is essential to the community. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Unlike other industries, cybersecurity thrives on the community approach, and one of the reasons for that is there are lots of things that people don’t get to see every day. Having folks in the discipline that you can talk to and can explain things that they’ve seen and how they handled it, is essential to ensuring you can continue to build your repertoire. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">I feel that’s a step that often gets missed. But in my view, ensuring your entry level people are engaged is extremely important. We’re a community that has so much to give. </span><span style="font-weight: 400;"><br />
</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Five Ways to Mitigate the Risk of Large Breaches</title>
		<link>/five-ways-to-mitigate-the-risk-of-large-breaches/</link>
		
		<dc:creator><![CDATA[Endré Jarraux Walls]]></dc:creator>
		<pubDate>Thu, 20 Jul 2023 06:33:45 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=35953</guid>

					<description><![CDATA[<p>Big breaches are still happening, even if they’re not making headlines anymore. I’d like to identify five things we can do to mitigate the risk. 1) PEOPLE In a lot&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone wp-image-35955 size-full" src="/wp-content/uploads/2023/07/Five-Ways-to-Mitigate-the-Risk-of-Large-Breaches.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/07/Five-Ways-to-Mitigate-the-Risk-of-Large-Breaches.png 1017w, /wp-content/uploads/2023/07/Five-Ways-to-Mitigate-the-Risk-of-Large-Breaches-300x172.png 300w, /wp-content/uploads/2023/07/Five-Ways-to-Mitigate-the-Risk-of-Large-Breaches-180x103.png 180w, /wp-content/uploads/2023/07/Five-Ways-to-Mitigate-the-Risk-of-Large-Breaches-768x441.png 768w, /wp-content/uploads/2023/07/Five-Ways-to-Mitigate-the-Risk-of-Large-Breaches-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></p>
<p>Big breaches are still happening, even if they’re not making headlines anymore. I’d like to identify five things we can do to mitigate the risk.</p>
<p><b>1) PEOPLE</b></p>
<p>In a lot of companies, employees have not been enrolled as part of the solution. Companies have to put more energy and effort into making sure employees understand the risk and how dangerous the data they’re working with can be.</p>
<p>There are lots of ways to reduce the risk that employees pose. Some are technical, but most are conversational – namely, taking the time to help employees understand the risks and the value of the information they access every day. When people don’t understand the extent of the risk, they are inherently more risky.</p>
<p><b>2) LEADERSHIP</b></p>
<p>At the end of the day, the CISO is accountable. So there need to be strong policies – and disciplinary action to enforce them. When someone breaches a policy, the response shouldn’t be a slap on the wrist; it should be termination. If we’re serious about managing risk up front, we might be able to prevent it altogether. When it comes to CISO accountability, make sure your policies are strong, your administrative safeguards are strong, your controls are strong, and your ability to audit is strong.</p>
<p>You should also know who has what roles, and review this continuously and consistently. There should be safeguards for permissioning so that access isn’t authorized by just one person. While that might slow down the process of getting people access to what they need, if you’re in an environment where data is sensitive, it’s a requirement. The organization has to be aligned with the level of accountability required for the type of information it holds.</p>
<p><b>3) THE CUSTOMER</b></p>
<p>Customers are often unaware of risky behavior that could affect their own information. Sometimes a customer breach can cascade into other breaches if customers are interconnected. And then the next thing you know, you have a whole host of people who have been compromised and might not even know it. Customers do bear some responsibility to ensure that their information is kept safe.</p>
<p>The company must share tools and resources that help prevent customers from having their accounts taken over or their email compromised. But you can’t cover everything, and that is one of the reasons why these breaches are going to continue to happen. Between employees and customers, you’re fighting an uphill battle.</p>
<p><b>4) LAW ENFORCEMENT</b></p>
<p>Law enforcement, at both the national and global level, is almost non-existent when it comes to cyber events. They save themselves for the highest-profile cases, and even in those instances, recovery after the fact almost never happens. One of the main reasons is that CISOs do not do a great job of sharing information. IC3 – the Internet Crime Complaint Center – exists for web reporting, but not a lot of people know about it or report to it regularly. And the sharing that happens there is post-event. There’s no central place for CISOs to share the information they receive, or the intelligence they develop from what they see against their own edge.</p>
<p>Technology moves so fast that law enforcement never catches up with attackers. Cybercrime is one of the easiest crimes to commit if you have the aptitude, and it’s a crime that criminals get away with more often than not. There needs to be more partnership between private companies and law enforcement with regard to sharing information, pre- and post-event. We will never see controls around cybercrime until we get real law enforcement and real consequences for people who perpetrate these crimes.</p>
<p><b>5) DESIGN</b></p>
<p>We’ll continue to see these large breaches because we continue to design our applications and our technology the same way: a single database with hundreds of thousands, if not millions, of records in it.</p>
<p>We have the technology to design these platforms better, but we haven’t. This insistence on data warehouses, on putting everything in one place to make it easier to analyze the data, is more of a lazy design choice than a secure one. The fact that security is usually brought into those decisions after the architecture has been built is problematic. I think we will continue to see these breaches happen because the design side insists on aggregating information instead of atomizing it. Why does a person need to exist in the same database with her age, address and the fact that she drives a black Maserati? We make it easier for attackers because we’re so busy making it easy for ourselves.</p>
<p>Designers don’t spend enough time trying to figure out how to design securely and proactively to ensure the company never ends up on the news. Instead, they hire a CISO after the fact and ask them to clean up the problem. So it’s no surprise that the average tenure of CISOs is between 18 and 26 months.</p>
<p>When I think about why these breaches keep happening and will continue to keep happening, it’s these five dynamics that make products and services fertile ground for cybercriminal activity.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Entry-Level Hiring Strategies for CISOs</title>
		<link>/entry-level-hiring-strategies-for-cisos/</link>
		
		<dc:creator><![CDATA[Endré Jarraux Walls]]></dc:creator>
		<pubDate>Fri, 23 Jun 2023 16:31:59 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=35842</guid>

					<description><![CDATA[<p>I hear from entry level candidates that it’s impossible to find a job. And then I hear from employers that the quality of entry level candidates is not great. Part&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone wp-image-35845 size-full" src="/wp-content/uploads/2023/06/Entry-Level-Hiring-Strategies-for-CISOs.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/06/Entry-Level-Hiring-Strategies-for-CISOs.png 1017w, /wp-content/uploads/2023/06/Entry-Level-Hiring-Strategies-for-CISOs-300x172.png 300w, /wp-content/uploads/2023/06/Entry-Level-Hiring-Strategies-for-CISOs-180x103.png 180w, /wp-content/uploads/2023/06/Entry-Level-Hiring-Strategies-for-CISOs-768x441.png 768w, /wp-content/uploads/2023/06/Entry-Level-Hiring-Strategies-for-CISOs-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></p>
<p>I hear from entry-level candidates that it’s impossible to find a job. And then I hear from employers that the quality of entry-level candidates is not great. Part of the disconnect stems from conflicting concepts of what entry level means. Another contributor is that not every organization has the bandwidth or willingness to take on entry-level candidates.</p>
<p>From my viewpoint, entry level in cybersecurity means being able to understand security concepts while having a grasp of technical inner workings. Entry-level candidates have to know how a network works, how computers work, how applications talk to each other over the network, etc. They have to understand ports and the OSI model. They need a really clear understanding of how people use computers in a work environment. And they have to have some level of understanding of major security issues like malware, ransomware, viruses and social attacks.</p>
<p>Notice – I mentioned the need for entry-level security candidates to understand concepts, not to be experts. I struggle with the idea that you can have a cybersecurity professional who doesn’t have those base levels of knowledge.</p>
<p>Lots of people will disagree with me on that. They say cybersecurity is one of those things that you can learn on the job. But I think that would only work in very large companies with security departments of 30 or 40 people, where you have experienced practitioners who are working as analysts, in engineering, and are in the trenches dealing with vulnerability management, controls management, appsec, etc. In that kind of organization, it probably does make sense to bring in entry-level people with fresh eyes. Diversity of thought, background and experience is enriching and can enhance departments where resource constraints are minimal.</p>
<p>But I am confident that entry-level roles simply will not work in smaller environments where you need to squeeze as much value as you can out of every security resource you hire.</p>
<p>I also struggle with the idea that some business leaders are advertising for people with 10 years of networking experience and eight years of server experience, and calling that an entry-level job. Who’s going to apply? What’s more, using a person with that experience in an entry-level job would be a waste of their talent and skills.</p>
<p>There are 750,000 unfilled cybersecurity positions in the U.S. And the reason we have so many unfilled jobs is that companies reacted at the same time to a couple of really high-profile incidents that made them realize they had to spend money on cybersecurity. But no one has time or room for entry level. CISOs want people who are ready to go from day one, and as a result, you have an industry where it’s hard to get hired.</p>
<p>The jobs gap is more of a skills gap, in my opinion. When the industry began, you saw organic moves from IT personnel to security personnel. Today, we don’t have a shortage of IT personnel. But we are not empowering people who are in IT to think about security careers. Companies are inflexible about hiring across disciplines and industries.</p>
<p>There needs to be an overall shift in the industry to change what our idea of entry level means and to start steering some of our IT people into cybersecurity roles, because there are lots of them. And that’s how we’ll start to solve the problem.</p>
<p>I do think there’s a place for CISOs to take the initiative and recruit internally from IT departments to fill some of these entry-level roles. Executives have to present the case that yes, this is entry level, but you’ll be able to develop at a much more senior level and contribute at a higher level to the organization. These roles have to be aspirational for folks inside the organization. This also means that entry level in cybersecurity should not mean entry-level pay. Even entry-level cybersecurity professionals are providing six figures of value to their organizations and should be compensated accordingly.</p>
<p>Now let’s talk about education – the average company is unwilling to take on people who don’t have college degrees (especially in six-figure jobs), but I would argue that aptitude is more important than anything else when it comes to technical disciplines, any discipline, really. People who are good in technical disciplines like to pick something apart, understand how it works, and then diagnose issues along the way. They are naturally curious. They’re lifelong learners who focus on learning in areas of relevance.</p>
<p>Four-year colleges have started to come up with cybersecurity degrees, but these programs aren’t doing much to address the skills gap. They devote very little time to cybersecurity, and most of what they teach is theoretical rather than practical. I have yet to see a school offer a degree concentration in cyber risk, which is where the real-life work is. They spend more time on the reactive side of cybersecurity – what to do when something breaks – and not so much on the proactive side, with risk management, vulnerability management and controls. I’m not belittling college by any stretch of the imagination, but I think the degree requirement is silly. Aptitude and a basic understanding of security and technology concepts are what count in cyber disciplines.</p>
<p>I think employers need to go back to the days of behavioral interviews that are focused on a person’s aptitude and the way they approach situations and solve problems. They should be looking to determine whether an entry-level candidate is a go-getter who is willing and able to innovate and raise their hand. Leadership should be looking for people who aren’t afraid to think outside the box, and who aspire to be leaders themselves down the road.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
