Tag Archive for: CSuite

How to ask the board and C-suite for security funding


Recent guidance published by the National Association of Corporate Directors (NACD) and the Internet Security Alliance instructs board members to drive “a culture of corporate cyber responsibility” by empowering CISOs with the influence and resources they need to drive decisions where cybersecurity is effectively prioritized and not subordinated to cost, performance, and speed to market.

Although this sounds like a CISO’s dream come true, it doesn’t mean that boards will suddenly open the purse strings. Responsible to their shareholders, boards and executives will always be hyper-focused on the bottom line. Only now, with liability bearing down on them, they require accurate, risk-based funding requests qualifying the need, total cost of ownership, effectiveness, breach exposure and likelihood, and cost to the business should a breach occur.

Traditionally, CISOs haven’t communicated this information well enough to their boards, Chris Hetner, special advisor for Cyber Risk at the NACD, tells CSO. Hetner, who is also a council member of the NASDAQ Center for Board Excellence, points to the July-updated SEC rules for cyber risk management implicating senior leaders in breaches. Board liability for risk is sinking in, he says, and as a result, board directors are rallying around cyber threats.

This trend definitely impacts how CISOs articulate the need for funding their security programs, Hetner continues. “As an investor, I need to know how you’re treating this risk compared to any other risk and why it matters. Juxtapose that with a CISO bringing in highly technical metrics and reports not understood by the board and you see the disconnect. You want to prepare a tailored, business-focused cyber risk report, ideally on a quarterly basis, that converts technical metrics into understandable, business-aligned metrics. Then, you’ll get your funding.”

Don’t go it alone when asking for cybersecurity funding

When it comes to funding requests, CISOs shouldn’t operate in a vacuum. Hetner suggests seeking allies on the board and executive team, including the CFO and CEO. These people can help CISOs understand the business risk to frame their funding requests around…


Product Security Needs A C-Suite Champion


Chief Product Officer at GrammaTech, where he leads product strategy for the company’s application security testing product portfolio.

Five years ago, Congress was concerned enough about the safety of devices in the emerging Internet of Things that it considered creating ratings to show the security level of connected products. The law proposed a scale like the Energy Star efficiency ratings to validate products that are designed to minimize their vulnerability to hacking and protect users’ privacy and safety.

While that legislation may have been ahead of its time, not much has developed since to give users visibility into the security of devices that are everywhere today, from the camera in your smart doorbell to the critical infrastructure in the power grid.

One development is encouraging: the evolution of product security executives (PSE), the professionals responsible for the security of cyber-physical products. They are the ones who ensure the software inside these devices is secure and not vulnerable to cyberattacks.

PSEs share some responsibilities with the chief information security officer (CISO), but they have very different functions. PSEs focus on the digital security of products, including software, firmware or other products embedded in hardware. They implement a product security program that addresses cybersecurity throughout the product life cycle. In short, they are responsible for keeping bad actors from breaking into their products via the software.

Just like the role of CISO grew in response to the explosion of data breaches in the first wave of digital disruption, the PSE has been a response to the growth of “phygital” operations, where many processes that were once manual are now digital and controlled by networked devices. Everything from pacemakers to cars can be vulnerable to hackers if the code inside them is compromised, but the security of these devices has not always been top-of-mind.

Even organizations that take information security seriously may need to put more focus on the security of the code inside the products they make, as can be seen by the size of the teams and the number of resources dedicated to one versus the other. The hack


Watering-hole in Hong Kong. US, EU join Paris Call. NSO C-suite turnover. ICS advisories. Rising tensions in Eastern Europe.


Attacks, Threats, and Vulnerabilities

COVID-19: North Korean hackers detected searching for vaccine manufacturing secrets (Sky News) The cyber campaign comes despite the regime in Pyongyang claiming that there are no COVID-19 cases in the country and declining three million vaccine doses from UNICEF.

North Korean hackers target the South’s think tanks through blog posts (ZDNet) Responsibility for new attacks has been laid at the feet of the Kimsuky threat group.

Lazarus hackers target researchers with trojanized IDA Pro (BleepingComputer) A North Korean state-sponsored hacking group known as Lazarus is again trying to hack security researchers, this time with a trojanized pirated version of the popular IDA Pro reverse engineering application.

South Korean Users Targeted with Android Spyware ‘PhoneSpy’ (SecurityWeek) Researchers find Android malware with extensive spyware capabilities, including data theft, GPS monitoring, and audio and video recording.

PhoneSpy: The App-Based Cyberattack Snooping South Korean Citizens (Zimperium Mobile Security Blog) Zimperium has discovered the active malware campaign PhoneSpy, a spyware aimed at South Korean residents with Android devices.

macOS zero-day deployed via Hong Kong pro-democracy news sites (The Record by Recorded Future) A suspected state-sponsored threat actor has used Hong Kong pro-democracy news sites to deploy a macOS zero-day exploit chain that installed a backdoor on visitors’ computers.

Google Caught Hackers Using a Mac Zero-Day Against Hong Kong Users (Vice) “The nature of the activity and targeting is consistent with a government backed actor,” the Google researchers say.

This new Android spyware masquerades as legitimate apps (TechCrunch) The spyware has already ensnared over a thousand victims.

FBI: Iranian threat actor trying to acquire leaked data on US organizations (The Record by Recorded Future) The US Federal Bureau of Investigation says that a threat actor known to be associated with Iran is currently seeking to acquire data from organizations across the globe, including US targets.

PA alleges: NSO Group spyware used to hack foreign ministry workers’ phones (Times of Israel) Palestinian Authority asserts it has proof of…


C-Suite Beware: You are the latest targets of cybercrime, warns Verizon 2019 Data Breach Investigations Report – Verizon Communications

  1. C-Suite Beware: You are the latest targets of cybercrime, warns Verizon 2019 Data Breach Investigations Report (Verizon Communications)
  2. Verizon Data Breach Report: Espionage, C-Suite and Cloud Attacks on the Rise (Threatpost)
  3. Data breaches a ‘time bomb’, warns security report (BBC News)
  4. 2019 Verizon Data Breach Investigations Report (DBIR) Key Takeaways (Security Boulevard)
  5. Nation state actors, affiliates behind increasing amount of data breaches (ZDNet)