Cybersecurity has changed more in the last five years than it has in the ten years preceding it. Cyberattacks are constantly changing and evolving, but cybersecurity professionals must have structure and strategy; without structure and a plan, cybersecurity professionals will continue aimlessly in their pursuit of protecting the organizations they serve.
All this change is chaos and disorder, a new form of fear, uncertainty, and doubt (FUD), one, although backed by facts, fails to have direction or a documented strategy.
If it is so difficult for us to document our cyber assets and identify those assets that have an impact on our organization's revenue, how in the world are we going to do anything about the threats we face?
We can’t, it’s that simple. And any CISO call to arms that suggest we can is a stopgap measure, a call to disillusionment and ultimate disaster because our stopgaps are not solutions.
Fortunately, there are tools to assist us with strategy...
With laws and regulations increasingly requiring organizations to demonstrate that mission or business-critical information systems and IT infrastructures are protected; the challenge becomes, with over 164,000 known vulnerabilities in the Common Vulnerability Exposure (CVE) database and 546 attack patterns, so far identified and documented by Common Attack Patterns Enumeration and Classification (CAPEC), where do you start?
In a study that became known as the “Jam Experiment,” Iyengar and Lepper (2000) were the first to demonstrate the choice overload effect, referring that large choice sets attract people. Still, at the same time, these wide choice sets increase the choice difficulties. As we draw a parallel, cybersecurity professionals face many vulnerabilities (>164,000) and many assets to protect against, leading to unsatisfactory solutions.
Most guidance offered to Subject Matter Experts (SMEs) or organizations for that matter, lead them to identify the...
President Biden stated, “If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year. You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely.”
However, the real question is, are organizations ready to implement cyber defenses? The basis for this rhetorical question is that with the speed of change, IT transformations, new mandates, and the great resignation, among others, organizations may be challenged to implement cybersecurity strategically. There’s no lack of guidance for Critical Infrastructure or Corporate Infrastructure, with standards and frameworks, such as:
ISO 27001 is one of the most widely used information security standards in the world today. Certification of the Standard by a third-party accrediting body is accepted all across the globe. Certifications have increased by more than 450% in the last decade.
In order to comply with regulations like the EU GDPR and the NIS (Network and Information Systems) Regulations, the ISO27001 must be implemented. Using this method reduces the risks of data breaches.
Learn more by checking out our resources, including our ebooks and podcasts!
Money, reputation, and data are just a few of the things that must be safeguarded while doing business. Protecting customer information is a top priority for the business. Defective techniques of protecting data may put it in greater danger. Some of the most prevalent cybersecurity blunders may be avoided. Here are some of the most prevalent mistakes:
Threat notifications are often ignored by certain individuals. People's personal information has been compromised in numerous high-profile identity theft incidents in the United States. It will take a long time to find these breaches, and by the time they are, the harm has already been done.
Another common mistake in cybersecurity is underestimating the threat of an attack. There have been several examples of email scams that have resulted in millions of dollars in losses for both people and businesses. You become susceptible if you don't scan emails for viruses.
Don't underestimate cyber attacks. Educate yourself by following Executive...
Today I’ll discuss risk probability and impact and give you some examples to build your own impact and probability table.
Dr. Bill Souza
E|CE - Executive Cyber Education
First, the objective of improving cybersecurity is vague and broad. Sometimes organizations struggle on how to measure any improvements to their cybersecurity posture or post-investment. What is even worst, it’s that you may be measuring the wrong thing. In 2015, the Global Information Security Workforce Study (GISWS) conducted a survey of more than 14,000 security professionals, of which 1,800 were federal employees. The survey concluded that we are not just getting better, but we are going backward.
Although it seems pessimistic, it is supported by facts; in 2014, one billion records were compromised the year before the survey, which triggered Forbes magazine to refer to 2014 as “the year of the data breach.” If you jump forward to 2021 and benefit from hindsight, we can confirm that the GISWS survey’s conclusion that we are going...
I read an article the other day titled, “Global utilities lacking basic cybersecurity practices.” Although the article was focused on utilities, the guidance applies to every industry, so I will touch on a few recommendations that could be useful to you as well, regardless of industry.
The article was based on an interview with Rafael Narezzi, Chief Technology Officer at CF Partners. In the webinar, Narezzi urged energy companies to increase investments in cybersecurity and be proactive. In addition to investments, he encouraged companies to make cybersecurity a main driving force of the business.
Let’s reflect on this statement; it says to increase investment in cybersecurity, which would be wise for any organization; however, increasing investment without a strategy would be detrimental to any business, especially small to medium-sized companies. Perhaps I’m taking this statement out of context, and Narezzi’s audience knew what he meant with it, but let...
We are so focused on the threats and the vulnerabilities that allowed a hack to occur that we forget the basics. The protection necessary to prevent or slow down these attacks already exists, and they exist for a long time.
Welcome to the Executive Cyber Education podcast, cyber risk management driving real impact; I am Dr. Bill Souza. As I mentioned in my previous episode, today we will discuss exceptions tracking and expirations.
Exceptions to any cybersecurity policy or standards must be reviewed and approved by management and then tracked for expiration and mitigation. Here are a few elements you should have in your exception record:
These elements are the minimum required from the individual entering the exception; everything else will be entered by the cybersecurity department, such as inherent risk, residual risk, expiration date, security control, and who in the organization will be signing/accepting the risk. The rule of thumb is the following: