The State of Cybersecurity & Destigmatizing Reporting Security Vulnerabilities – BSW #226

This article has an interesting mix of both personal and enterprise recommendations, which seems appropriate, given that the lines have blurred for remote and hybrid employees. 1. Cybersecurity training 2. Digital wallets 3. Credit/digital identity monitoring 4. Password managers 5. Two-factor tokens 6. Antimalware software 7. VPN services 8. Backup solutions 9. Privacy screens 10. Laptops, phones, network hardware

There appears to be a bit of a disconnect between how CIOs and CISOs perceive security prioritization, according to this survey of 3000+ security professionals. The clearest insight coming out of this article is that nothing is clear when it comes to the ideal placement of the CISO within an org structure, because business needs can vary so wildly. "Sixty-one percent of the CIOs surveyed believe their board of directors prioritizes cybersecurity, whereas only 47% of CISOs say the same." "When the CISO is at the top of the security reporting structure, companies likely have greater executive buy-in for risk assessments and cybersecurity-business goals alignment."

The article fails to achieve what it suggests in the title, but rightly puts a lot of emphasis on preparedness and practice. Instead, I want to share some interesting insights from a recent post on LinkedIn from Ian Amit. He observed a cyber crisis simulation that was part of Israel's annual CyberWeek events. His observations: 1. "Processes are completely lacking... Experts were sidelined by more vocal people" 2. "Business interests... sidelined the discussion... causing delays in decision making" 3. "3 key individuals were professional and backed by a methodical process... were overrun by others... 2 of which were women... men were cutting them off and offering an explanation to what they were saying" The original post is here: https://www.linkedin.com/posts/iamit_observing-a-cyber-crisis-simulation-as-part-activity-6822882236627464192-0QYL

"Any lingering indifference to cybersecurity risk has evaporated in the face of spiking ransomware attacks, software supply chain threats, and the challenges of securing remote workers." So... what do we do next? According to the results of a wide-ranging survey (2741 respondents): 1. spend more, particularly in "attack prevention"! 2. half of respondents are either just getting started with security awareness programs, or haven't started yet 3. double down on what they've been doing already

Kaseya employees tried to blow the whistle on internal security risks but were ignored and mistreated. Many quit or were fired as a result. How can organizations usher in a culture that can accept criticism without angrily lashing out? How should employees deal with this: is it worth getting fired over? Should they risk going outside the company to report serious issues?