Security Weekly
Business Security WeeklySubscribe
Leadership, Security Staff Acquisition & Development

Business Security Weekly #226

View Show Index

Segments

1. OT Security for Critical Infrastructure and Why It Is Not “Intuitive” – Edward Liebig – BSW #226

The IT and operational technologies of critical infrastructure are under attack. The "general expectation" from the public and lawmakers is "fix it already" but we will discuss why this expectation is yet to be fully met.

Announcements

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Guest

Edward Liebig
CISO at Delviom LLC

With more than four decades in IT and over three of those decades spent in Security, Mr. Liebig is highly experienced executive leader well trained at establishing threat metrics/risk profiles and strategizing their IT and cybersecurity solutions from idea through implementation. Skillful negotiator of multi-million-dollar contracts boosting infrastructure, organizational efficiency, and eliminating down time. Metrics driven, with a pinpoint in problem solving acumen.

Hosts

Principal Researcher at The Defenders Initiative
Chief Operating Officer at Envision Technologies
Founder at Guardedrisk

2. The State of Cybersecurity & Destigmatizing Reporting Security Vulnerabilities – BSW #226

In the Leadership and Communications section for this week: 10 security tools all remote employees should have, 1 in 4 security teams report to CIOs, but would benefit from CISO leadership, state of cybersecurity survey results, destigmatizing reporting security vulnerabilities and more!

Announcements

  • CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey

  • In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.

Hosts

Principal Researcher at The Defenders Initiative
  1. 1. 10 security tools all remote employees should have
    This article has an interesting mix of both personal and enterprise recommendations, which seems appropriate, given that the lines have blurred for remote and hybrid employees. 1. Cybersecurity training 2. Digital wallets 3. Credit/digital identity monitoring 4. Password managers 5. Two-factor tokens 6. Antimalware software 7. VPN services 8. Backup solutions 9. Privacy screens 10. Laptops, phones, network hardware
  2. 2. 1 in 4 security teams report to CIOs, but would benefit from CISO leadership: survey
    There appears to be a bit of a disconnect between how CIOs and CISOs perceive security prioritization, according to this survey of 3000+ security professionals. The clearest insight coming out of this article is that nothing is clear when it comes to the ideal placement of the CISO within an org structure, because business needs can vary so wildly. "Sixty-one percent of the CIOs surveyed believe their board of directors prioritizes cybersecurity, whereas only 47% of CISOs say the same." "When the CISO is at the top of the security reporting structure, companies likely have greater executive buy-in for risk assessments and cybersecurity-business goals alignment."
  3. 3. Preparedness, checklists, leadership buy-in: How to build a rapid IT response
    The article fails to achieve what it suggests in the title, but rightly puts a lot of emphasis on preparedness and practice. Instead, I want to share some interesting insights from a recent post on LinkedIn from Ian Amit. He observed a cyber crisis simulation that was part of Israel's annual CyberWeek events. His observations: 1. "Processes are completely lacking... Experts were sidelined by more vocal people" 2. "Business interests... sidelined the discussion... causing delays in decision making" 3. "3 key individuals were professional and backed by a methodical process... were overrun by others... 2 of which were women... men were cutting them off and offering an explanation to what they were saying" The original post is here: https://www.linkedin.com/posts/iamit_observing-a-cyber-crisis-simulation-as-part-activity-6822882236627464192-0QYL
  4. 4. CSO Global Intelligence Report: The State of Cybersecurity in 2021
    "Any lingering indifference to cybersecurity risk has evaporated in the face of spiking ransomware attacks, software supply chain threats, and the challenges of securing remote workers." So... what do we do next? According to the results of a wide-ranging survey (2741 respondents): 1. spend more, particularly in "attack prevention"! 2. half of respondents are either just getting started with security awareness programs, or haven't started yet 3. double down on what they've been doing already
  5. 5. See something, say something: How to destigmatize reporting security vulnerabilities
    Kaseya employees tried to blow the whistle on internal security risks but were ignored and mistreated. Many quit or were fired as a result. How can organizations usher in a culture that can accept criticism without angrily lashing out? How should employees deal with this: is it worth getting fired over? Should they risk going outside the company to report serious issues?
Chief Operating Officer at Envision Technologies
Founder at Guardedrisk

Related