No Log4j, 2021 Recaps, or 2022 Resolutions! – BSW #245

Ultimately, the responsibility for security decisions is vested in the CEO, while it is the CISO’s role to influence and inform. Pitched at the right level and conciliatory in tone, this close engagement will enable information security teams to react in real time – not just to evolving threats, but also to a shifting operating environment that is dictated by external pressures outside an organisation’s control.

A CIO incentivized by short-term productivity is likely to make poor security decisions. When the CIO has incentives tied to output, security often takes a backseat. This puts the CISO, and the organization as a whole, in jeopardy. The CISO who reports to the CIO has no control over decisions that impact security risk. Having a CISO as a peer to the CIO alleviates this conflict of interest. It also holds true to the original meaning of “C-level” leadership, creating an executive team that advocates for the different priorities and policies that keep a business on the right track.

The case can be made that the emergence of the CISO role — and its separation from IT operations — is a primary reason for many of today’s cybersecurity failures. I’ve seen the approach of combining operations and security deliver distinct benefits for security when I was in the public sector. It’s something organizations in every sector now needs to consider returning to. The current environment calls for combining IT and security functions, with the CIO reporting to the CISO.

The report highlighted six C-suite-level strategies that security leaders believe could help reduce cyber risk, including: 1. Discuss cybersecurity prominently in board meetings (79%) 2. Thoroughly evaluate the business risks of cyber threats (64%) 3. CEOs should assume overall responsibility for organizational cybersecurity (63%) 4. Increase cybersecurity budgets (62%) 5. Develop long-term cybersecurity strategies (57%) 6. Amend reporting structures to give security direct board access (50%)

It's time to review (or create) your travel security program now that more people are traveling for work and pleasure. Here's what it should include: - Does this program include a list of countries posed as high risk or extreme risk to those employees or executives who travel or work outside the country of origin? - Does your travel security program require these risk countries to be communicated to the executive team and the personnel responsible for travel? - Does your travel security program identify expatriates working in high-risk countries? - Do you have a traveler briefing program required before every trip to a high-risk environment? - Do your employees understand never to leave confidential material unattended and to keep devices with them while traveling? - Does your travel program monitor and debrief personnel having traveled to high-risk environments? - Does the company’s security awareness and education program include a segment on travel? - Does your travel program brief on the data aggregation capabilities of social networks? What about how the sharing of an itinerary can permit an adversary to document and collate travel plans? - Does your travel program implement a sterile device program for high- or extreme-risk locales (e.g., throwaway mobile phones, sterile laptops)? - Are these sterile devices reviewed for compromise upon the traveler’s return? - Are all travelers issued cable locks and laptop privacy screens for their devices? - If key executives are traveling, are checks put in place concerning any expenditures they authorize be double-checked for authenticity, to avoid CEO/CFO business email compromise. - Does the program include the need for travelers to file itineraries with the company, sharing passport data page and have a daily “all safe” call into the company while employees travel?

Are cybersecurity jobs a profession or a vocation? When we consider the current workforce shortage in cybersecurity, our existing assumptions about the nature of cybersecurity jobs may be exacerbating the shortfall. For this reason, we may need to consider new ways of thinking about jobs within the cybersecurity field and the appropriate institutional structures that need to be in place to rapidly increase the available workforce.