Cyber Risk Quantification, Enterprise Security Metrics, & Fixing Hiring – BSW #256

Companies need their CIOs to act as proactive decision-makers, leading shifts in IT architecture and guiding the tech product roadmap. Below are the three critical priorities the modern CIO must consider this year as the role continues to carry more responsibility within the business: 1. Increase your cybersecurity savvy 2. Boost tech retention amid 'work from anywhere' 3. Accelerate IT architecture and develop product roadmaps

The US Government advises eight key steps that all businesses should take immediately to protect themselves from any pressing threat: 1. Mandate the use of multi-factor authentication for all computer/system logins to make it harder for attackers to get onto your system. 2. Deploy modern security tools on your computers and devices to continuously look for and mitigate threats (virus software, security updates). 3. Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors. 4. Back up your data and ensure you have offline backups beyond the reach of malicious actors. 5. Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack. This is especially key for broadcasters in case your signal is hacked. 6. Encrypt your data so it cannot be used if it is stolen. 7. Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly. 8. Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and Security leadership to visit the websites of the FBI and CISA where they will find technical information and other useful resources.

Cyber Risk Quantification (CRQ) is to prioritize risks according to their potential for financial loss, thus allowing responsible people to create budgets based on mitigation strategies that afford the best protection and return on investment. CRQ is not an end to itself, it exists to compel some action, including: - CRQ must be interpreted and communicated for both technical and non — technical audiences. Establish a common risk language: If everyone in the organization has a different definition for IT asset, threat, or vulnerability, you’ll find it difficult to communicate and defend your risk decisions. Standardize the risk nomenclature as much as possible. - Risk is managed by experienced people with judgement using data, not by the data alone. Risk managers must look ta multiple streams of data before making a decision. - Risk quantification as to exist in feedback loops (both positive and negative). CRQ techniques need to be constantly refined to ensure their accuracy. - Automate wherever possible: Manual cyber risk quantification processes can be both complex and time-consuming. Find a solution that can help you automate workflows, and measure risks faster. - Risk quantification is a multi-disciplinary activity. CRQ approaches should not exist in isolation. Its value is best realized when complemented with risk monitoring, qualitative assessments, internal audits, and issue management processes.

From my humble learning from CISO tenures and numerous CISO interaction, here are some key considerations to building high quality Enterprise Security Metrics: - Architecture: Build them right with the following components, and even if some of them are blank for a while — remember, information gaps tell a story as well. - Modular: They should represent all major security domains whether you use ISO 27001, NIST, ISF, PCI-DSS or any other major global framework or industry standard. - Hierarchical: There should be multiple layers of details — at least 2, preferably 3 or more. The highest layer would be suitable for executive consumption and lower layers for the lower levels of management. One should be able to dive deep into the data to the level of raw data from the contributing platform where relevant. - Growing: They should have a means of demonstrating growth in maturity of the Enterprise Security program whether on CMM or any customized maturity level program — which should be elaborately documented. - Threshold: Each metric should be able to be compared against a known good or expected threshold to indicate basic success and desirable levels of success. This is also connected to the previous aspect of Growth. - Customized: There should be a way to customize on all the four aspects above — i.e. add/delete/modify a domain, a layer of detail, and a level of maturity. - User Interface: Make them easy to consume, attractive, intuitive, and help them tell a story to a variety of user groups — Board of Directors, executive leadership, senior management, auditors, operational management, business functions and user cohorts.

M&A activity in the cybersecurity industry is at record levels, and that could have a negative impact on your investment in tools and platforms. Jeff Pollard, an analyst with Forrester Research, and others identified six questions that security leaders need to ask if their vendor is acquired: 1. Will the product be continued or integrated? 2. To whom will your vendor's founder/CEO and other top executives report? 3. What is the acquiring company's talent retention record? 4. Will the brand continue? 5. Is the acquiring company a private equity firm? 6. What is the acquiring company's culture?

Nearly every hiring manager has a blind spot that, if left unidentified, can lead to devastating outcomes even within well-planned systems. Over time, the author has identified five common blind spots that corrode recruitment outcomes — and how to correct them. - First, they assume they can fix issues they identify in a candidate during the recruitment process. - Second, they signal a culture of micromanagement. -Third, in attempting to telegraph empathy, they actually signal a lack of professional boundaries. - Fourth, they overlook contrarian candidates. - Finally, by trying to convey a culture of autonomy, they inadvertently suggest that they’re totally emotionally hands-off.

Companies have trouble retaining workers, with almost two-thirds of business reporting unfilled positions and massive unmet demand for technical cybersecurity professionals, study shows. According to ISACA's State of Cybersecurity 2022 report, based on a survey of more than 2,000 cybersecurity professionals: - 60% of companies had problems retaining cybersecurity specialists in 2021, up from 53% of companies at the start of the pandemic in 2020 - Businesses continue to have to adapt to the expectations of workers, including allowing more remote work and the time for continuing education, or else lose workers to other companies because of poor financial incentives, limited promotion opportunities, and high stress - Overall, demand has increased for every level of cybersecurity worker, but especially for technical practitioners