How to Get Your Organization to “Own” Security – First Steps

Many companies grapple with integrating cybersecurity awareness into the organizational culture. After many years as a CISO and cybersecurity consultant, I believe the answer to this perennial problem is to encourage the organization to “own” security. The first step towards this goal is to establish a cybersecurity council composed of representatives from various business units. Some organizations already have…

Former U.S. government cyber-czar says cyberwar is a huge security threat but it can be combatted

Companies need to embed cybersecurity into the DNA of their organizations to combat potentially disastrous cyber threats by state actors and individuals. This is the message that Richard Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-Terrorism for the United States, gave cybersecurity executives at CISOs Connect San Diego 2019. Clarke told CISOs attending the conference about the chilling…

CISOs Investigate: Vulnerability Management Released to CISOs

A Vulnerability Management Program is made up of a complex matrix of policies, processes and tools that enable security professionals to turn a detective control into an ongoing risk-management operation. Effective risk management is a function of the organization’s ability to manage vulnerabilities. That makes managing vulnerabilities a particularly crucial part of the CISO role.…

The Obsolescence of Passwords

Passwords as a means of authentication have been around for a long time. Their existence is based on the fundamental premise that it is only the consumer or user who has the secret. And in these past 60 years, passwords have served us well. But the premise is becoming less and less true. These days,…

Solving the security fear of commitment

Here is a fun exercise if you are bored. Go into any grocery or superstore. If you prefer online shopping, log onto your favorite retailer and find/pick any one category of products. Next, count how many brands there are in that one category. Then, count how many different options or different stock keeping units…

Security status unknown

Do CEOs and Boards have any idea what the company’s cybersecurity status is? Cybersecurity and privacy compliance should be a top priority of the Board of Directors and senior management of any publicly traded company, right? Not so fast, kemo sabe. The problem is, everyone thinks that their problems, their issues, their topics should be…

The link between self-control and security

It’s no secret that all it takes is the weakest human link to compromise a company’s cybersecurity. To mitigate this risk, companies need to understand their employees’ habits and behaviors; they need to be aware of their people’s self-control levels when implementing security programs. In a study of 6,000 participants in the Netherlands, a team…

A seat at the table

I’m sometimes asked if I ever experienced difficulties being a woman in the male-dominated cybersecurity field. My answer: “I could write a book on it!” I remember very clearly an incident that took place in a former role when, as a cybersecurity professional, I had to deliver a presentation to a group of men at…

What would the enemy do?

To better train and prepare their company’s employees for cyber attacks, CISOs need to put themselves in the attackers’ shoes to anticipate their motives, means and actions. In a KnowBe4 webinar last week, hacker turned pentesting professional Kevin Mitnick talked about real-life cases of human vulnerability that threat actors could exploit for their benefit and…