Risky Business (With Less Resources), Or: Know the CISO Job Search – BSW #208
In the leadership and communications section, Risky business: 3 timeless approaches to reduce security risk in 2021, Why Less Can Be More When It Comes to Cybersecurity, CISO job search: What to look (and look out) for, and more!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
- 1. Risky business: 3 timeless approaches to reduce security risk in 2021 – Help Net Security
  A summary of the tactical and strategic moves CISOs can make to reduce security risk in 2021:
  1. Look to reduce your “haystack” of threat avenues through smart policy enforcement. Consider DNS as a vector – for both attack and detection.
  2. Ensure that your cloud adoption strategy is coupled with sound cloud security policy and design.
  3. Educate your leadership team. “We aren’t a target” is equivalent to sticking your head in the sand.
- 2. Reducing Cybersecurity Risk With Minimal Resources
  How do you think about attacking the problem of reducing risk? Short answer: use an enterprise, holistic, Risk-Based Security Strategy (RBSS). Risk is a combination of threat, vulnerability, likelihood and impact/consequences, along with asset values. The main activities that really matter are:
  1. Cyber education and awareness training program: educate users with periodic training courses, email notes on security topics, posters, frequent phishing exercises, etc.
  2. Tightly manage access controls: use multi-factor authentication (MFA) everywhere, strictly control privileged account management (PAM), and monitor access changes (Active Directory, etc.).
  3. Excel at threat and vulnerability management (TVM) and cyber hygiene overall: go beyond just patching (yet that must be a top priority!), assess your status against CIS Controls 1-6, then fix the gaps.
  4. Data protection approach: endeavor to encrypt everywhere (it’s easiest in the long run), control data and classify it, and use a tailored identity and access management. Combine with privacy elements as you can. Get cyber insurance.
  5. Third-party/vendor risk management: go beyond the paper drill (NDAs, Ts&Cs, SLAs, etc.) and actually have a risk assessment — lack of this causes over half of all data breaches — and start with a detailed questionnaire, then ask what certs they have.
  6. Partner with a managed detection and response (MDR) provider: 24/7 coverage, extensive threat intel reach-back, enhanced threat hunting, and reduced alert fatigue for the security folks.
- 3. Why Less Can Be More When It Comes to Cybersecurity – Security Boulevard
  Organizations frequently end up building complex security stacks thinking that more solutions equate to better security. Unfortunately, while the average CISO can point to anywhere between 35 and 65 different security technologies in their environment, complexity does not mean safety. Instead, overly complicated security stacks can increase vulnerability by hiding critical security weaknesses while simultaneously draining vital organizational resources. Simple can be better:
  1. Overly complicated security stacks incur a high cost
  2. A simplified approach to cybersecurity makes business sense
  3. Leveraging OS-native controls should be a cornerstone of your security posture
- 4. Why Do Chief Security Officers Leave Jobs So Often?
  In both public and private organizations, chief information security officers have shorter tenures than CIOs. Why do cybersecurity heads so quickly leave jobs — or get forced out? Here are a few reasons that CISOs are moving on:
  1. Change in top company or government leadership.
  2. Differences in technology security philosophy, including resources allocated for cybersecurity.
  3. Personality conflicts.
- 5. CISO job search: What to look (and look out) for
  Sometimes a CISO isn't really a CISO, or the role does not have the authority or resources it needs. Here's how those seeking CISO roles can avoid the wrong employer:
  1. Does the role lack C-level status?
  2. A poorly defined CISO job description
  3. Why are they hiring a CISO?
  4. Who’s on the security team?
  5. What are they paying?
- 6. Virginia data protection bill signed into law
  The state is the second in the nation to enact a consumer data protection law along the lines of the EU's GDPR. Here's what businesses need to know about Virginia's CDPA:
  1. CDPA mandates how larger companies control or process data
  2. CDPA combines elements of CCPA, CPRA and GDPR
  3. Other states may quickly adopt data protection laws