The Behemoth – BSW #222

Because board members are paying close attention to security, security leaders must be able to respond to and alleviate their concerns with data. CISOs and IT leaders need to report, in quantifiable business terms, the value the organization's security program delivers based on continuous testing, optimization, and proof of effectiveness. Below are three steps CISOs should take to accomplish this and report in terms that the board and C-suite understand. 1. Let Intelligence Lead the Way 2. Validate With Proof of Effectiveness 3. Report With Confidence

BSI’s Mark Brown discusses current infosec challenges, the need for diversity in cybersecurity recruits, and how he picked up his tech flair from his dad.

NIST has released a preliminary draft that is open for public comments to address the Ransomware Risk Management issue. The comment period closes on July 9, 2021. According to NIST, the said Ransomware Profile is intended and applicable for organizations that: - Have already adopted the Cybersecurity Framework. - Are familiar with the Cybersecurity Framework and want to improve their risk posture. - Are unfamiliar with the Cybersecurity Framework but need to implement a risk management framework to meet ransomware threats.

The business continuity, disaster recovery and resilience professions have matured, and face a challenging future. Resilience has taken on various forms, and an evolving set of potential disruptive events face business continuity managers. For those already in a business continuity manager role or looking into one, the following skills are essential: 1. communication of BCDR plans and standards; 2. collaborating through diverse channels; 3. business impact and risk analysis; 4. project management; 5. IT skills; 6. measuring risk; 7. auditing across a range of BCDR areas; 8. financial analysis; 9. emergency management; 10. consensus-building, for programs and tools; 11. adaptability to advance BCDR goals; and 12. empathy.

Companies often search for the right leadership-ready-yet-technically-savvy successor to the CIO in the final months of an executive's tenure — despite the advantages of succession planning. Organizations lean toward selecting outside candidates to fill CIO roles. Four in five organizations selected external CIOs in 2020, according to data from SIM. But tapping a successor internally can ensure preparation and built-in knowledge about business needs without the onboarding outside candidates require.

For those that spend every day as a security professional and for anyone who truly appreciates the demands applied to these essential security team members, burnout is a harsh reality. Successful CISOs have a few proactive steps the help prevent burnout: 1. The CISO makes it clear that the SOC/IR team is empowered to focus on identifying and dismantling adversaries, full stop 2. The CISO selects security solutions not only based on technology, but also by how the vendor understands his or her challenges and will partner with them 3. The CISO ensures the SOC/IR team has access to experts when it counts

The Colorado State Senate approved the “Colorado Privacy Act” on June 8, becoming only the third state after California and Virginia to have a comprehensive data privacy law. The Senate Bill/Act 190 has now been sent to Governor Jared Polis, whose signatures will seal the fate of this act, which would then come into effect on July 1, 2023, unless he uses his veto to stop its enforcement within 10 days of transmission. The privacy act will not apply to all businesses operating in Colorado but only to the ones that: - Store or process personal data of more than 100,000 consumers annually, or - Sell personal data and process or control the personal data of 25,000 or more Colorado resident consumers. The Colorado Privacy Act has been drafted in a manner that grants the residents of the state five key rights: 1. Right to opt-out of the sale of their personal data. 2. Deny processing of personal data for targeted advertising purposes. 3. Opt-out of automated profiling that produces legal or similarly significant effects. 4. Right to access and correct their personal data for any inaccuracies held by the data controller. 5. Right to get their data in a portable and ready-to-use format and the privilege to erase this personal data from the data controller’s database whenever they wish to.