Business Security Weekly #226
Segments
1. OT Security for Critical Infrastructure and Why It Is Not “Intuitive” – Edward Liebig – BSW #226
The IT and operational technologies of critical infrastructure are under attack. The "general expectation" from the public and lawmakers is "fix it already" but we will discuss why this expectation is yet to be fully met.
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Guest
With more than four decades in IT and over three of those decades spent in Security, Mr. Liebig is highly experienced executive leader well trained at establishing threat metrics/risk profiles and strategizing their IT and cybersecurity solutions from idea through implementation. Skillful negotiator of multi-million-dollar contracts boosting infrastructure, organizational efficiency, and eliminating down time. Metrics driven, with a pinpoint in problem solving acumen.
Hosts
2. The State of Cybersecurity & Destigmatizing Reporting Security Vulnerabilities – BSW #226
In the Leadership and Communications section for this week: 10 security tools all remote employees should have, 1 in 4 security teams report to CIOs, but would benefit from CISO leadership, state of cybersecurity survey results, destigmatizing reporting security vulnerabilities and more!
Announcements
CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey
In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.
Hosts
- 1. 10 security tools all remote employees should haveThis article has an interesting mix of both personal and enterprise recommendations, which seems appropriate, given that the lines have blurred for remote and hybrid employees. 1. Cybersecurity training 2. Digital wallets 3. Credit/digital identity monitoring 4. Password managers 5. Two-factor tokens 6. Antimalware software 7. VPN services 8. Backup solutions 9. Privacy screens 10. Laptops, phones, network hardware
- 2. 1 in 4 security teams report to CIOs, but would benefit from CISO leadership: surveyThere appears to be a bit of a disconnect between how CIOs and CISOs perceive security prioritization, according to this survey of 3000+ security professionals. The clearest insight coming out of this article is that nothing is clear when it comes to the ideal placement of the CISO within an org structure, because business needs can vary so wildly. "Sixty-one percent of the CIOs surveyed believe their board of directors prioritizes cybersecurity, whereas only 47% of CISOs say the same." "When the CISO is at the top of the security reporting structure, companies likely have greater executive buy-in for risk assessments and cybersecurity-business goals alignment."
- 3. Preparedness, checklists, leadership buy-in: How to build a rapid IT responseThe article fails to achieve what it suggests in the title, but rightly puts a lot of emphasis on preparedness and practice. Instead, I want to share some interesting insights from a recent post on LinkedIn from Ian Amit. He observed a cyber crisis simulation that was part of Israel's annual CyberWeek events. His observations: 1. "Processes are completely lacking... Experts were sidelined by more vocal people" 2. "Business interests... sidelined the discussion... causing delays in decision making" 3. "3 key individuals were professional and backed by a methodical process... were overrun by others... 2 of which were women... men were cutting them off and offering an explanation to what they were saying" The original post is here: https://www.linkedin.com/posts/iamit_observing-a-cyber-crisis-simulation-as-part-activity-6822882236627464192-0QYL
- 4. CSO Global Intelligence Report: The State of Cybersecurity in 2021"Any lingering indifference to cybersecurity risk has evaporated in the face of spiking ransomware attacks, software supply chain threats, and the challenges of securing remote workers." So... what do we do next? According to the results of a wide-ranging survey (2741 respondents): 1. spend more, particularly in "attack prevention"! 2. half of respondents are either just getting started with security awareness programs, or haven't started yet 3. double down on what they've been doing already
- 5. See something, say something: How to destigmatize reporting security vulnerabilitiesKaseya employees tried to blow the whistle on internal security risks but were ignored and mistreated. Many quit or were fired as a result. How can organizations usher in a culture that can accept criticism without angrily lashing out? How should employees deal with this: is it worth getting fired over? Should they risk going outside the company to report serious issues?
