SEC Is Serious, CISA’s Bad Practices, & What Tech Workers Really Want – BSW #231

We wanted to know, first and foremost, is there any career path left for a CISO; or is there nowhere else to go. Is being a CISO effectively a dead-end job? The concept of risk management – something all CISOs must understand – is the important element. We have seen many times in this series that the modern CISO needs to understand and be fully immersed in the business side of the organization. So, the modern CISO needs to be technically minded, deeply involved in all aspects of the business, and conversant with the principles and practice of risk management. That is almost a job-description for a Chief Risk Officer – and CRO, one of the most senior positions in any company, is certainly a potential aspiration for any career-minded CISO.

The SEC has signaled that it has started taking cyber vulnerabilities much more seriously than it has in the past. Two recent fines signal that the agency views lax cybersecurity as an existential threat to businesses and is willing to penalize companies who fall short. This, of course, is reasonable: Cyber threats pose as significant a danger to businesses (and their shareholders) as supply-chain vulnerabilities or natural disasters. To make sure they’re compliant, companies should: 1) create a disclosure committee composed of director and senior director level employees, 2) be sure to disclose cybersecurity risks, incidents, and their business impacts in a timely manner, 3) build more visibility into their processes to better understand their weaknesses, 4) conduct regular forensic assessments of the company’s cybersecurity systems, and 5) be prepared to disclose incidents before they’re fully understood.

Executives can be reluctant to free up budget to fund cybersecurity. Here's how to convince them that spending money on securing the business is the right thing to do. 1. To get the board's full attention, explain, in plain language, the potential threats out there. It could even be a good idea for a CISO to run an exercise to demonstrate the potential impact of a cyber incident. 2. Once CISOs have the board's attention, they should back it up with a plan. They need a strategy for the security budget, and a clear idea of the tools, personnel and training it will purchase.

The link between technology investments and long-term cost savings isn't always linear. Not every technology gain will directly affect the budget. Generating cost savings from technology requires buy-in from stakeholders across the business, and an IT leadership team privy to the importance of effective, not just money-saving, investments.

CISA has listed certain bad practices that are extremely risky for organizations that support critical infrastructure for the nation. These include: - The use of unsupported (or end-of-life) software in service of NCF is dangerous. It significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet. - Use of known/fixed/default passwords and credentials in service of Critical Infrastructure and NCF. - The use of single-factor authentication for remote or administrative access to systems supporting Critical Infrastructure and NCF is risky and increases the chance of hacker intrusions. Threat actors could easily obtain access to critical systems with poor authentication. Weak or easy-to-guess passwords can be guessed with different hacking tactics like phishing, credential stuffing, keylogging, social engineering, and brute-force attacks.

Technical skills gaps among employees have grown as more employees work from home, according to a Pluralsight survey of more than 600 technology executives and practitioners. Four in 10 found increased gaps in cybersecurity and cloud computing.

A new study from HP has highlighted the precarious -- and often contentious -- situations IT teams are facing when trying to improve cybersecurity for remote workers. The study found that IT workers often feel like they have no choice but to compromise cybersecurity in order to appease workers who complain about how certain measures slow down business processes. Some remote workers -- particularly those aged 24 and younger -- outright reject cybersecurity measures they believe "get in the way" of their deadlines.

The demand for talent far exceeds supply, giving technology workers the power to choose their employer. Technology workers want higher pay and flexibility, a readily accessible combination in the remote and hybrid work era. Flexibility extends to job responsibilities, as employees take advantage of chances to learn new skills and work with top-of-the-line technology stacks. These are all factors IT candidates take into account when searching for their next role.