The State of Cybersecurity & Destigmatizing Reporting Security Vulnerabilities – BSW #226
In the Leadership and Communications section for this week: 10 security tools all remote employees should have, 1 in 4 security teams report to CIOs, but would benefit from CISO leadership, state of cybersecurity survey results, destigmatizing reporting security vulnerabilities and more!
CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey.
In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.
This article has an interesting mix of both personal and enterprise recommendations, which seems appropriate, given that the lines have blurred for remote and hybrid employees.
1. Cybersecurity training
2. Digital wallets
3. Credit/digital identity monitoring
4. Password managers
5. Two-factor tokens
6. Antimalware software
7. VPN services
8. Backup solutions
9. Privacy screens
10. Laptops, phones, network hardware
There appears to be a bit of a disconnect between how CIOs and CISOs perceive security prioritization, according to this survey of 3000+ security professionals. The clearest insight coming out of this article is that nothing is clear when it comes to the ideal placement of the CISO within an org structure, because business needs can vary so wildly.
"Sixty-one percent of the CIOs surveyed believe their board of directors prioritizes cybersecurity, whereas only 47% of CISOs say the same."
"When the CISO is at the top of the security reporting structure, companies likely have greater executive buy-in for risk assessments and cybersecurity-business goals alignment."
The article fails to achieve what it suggests in the title, but rightly puts a lot of emphasis on preparedness and practice. Instead, I want to share some interesting insights from a recent post on LinkedIn from Ian Amit. He observed a cyber crisis simulation that was part of Israel's annual CyberWeek events. His observations:
1. "Processes are completely lacking... Experts were sidelined by more vocal people"
2. "Business interests... sidelined the discussion... causing delays in decision making"
3. "3 key individuals were professional and backed by a methodical process... were overrun by others... 2 of which were women... men were cutting them off and offering an explanation to what they were saying"
The original post is here: https://www.linkedin.com/posts/iamit_observing-a-cyber-crisis-simulation-as-part-activity-6822882236627464192-0QYL
"Any lingering indifference to cybersecurity risk has evaporated in the face of spiking ransomware attacks, software supply chain threats, and the challenges of securing remote workers."
So... what do we do next? According to the results of a wide-ranging survey (2741 respondents):
1. Spend more, particularly on "attack prevention"!
2. Half of respondents are either just getting started with security awareness programs, or haven't started yet.
3. Double down on what they've been doing already.
Kaseya employees tried to blow the whistle on internal security risks but were ignored and mistreated. Many quit or were fired as a result. How can organizations usher in a culture that can accept criticism without angrily lashing out? How should employees deal with this: is it worth getting fired over? Should they risk going outside the company to report serious issues?