Launching Your First Cyber Risk Assessment? 4 Golden Tips To Make It Effective

 

I mentioned in yesterday’s blog how AI is one the biggest buzzwords in the Cyber world today.  But there are many others, and one of them, which quite honestly, I get tired of hearing about all the time is that of risk. 

You hear it all the time, and I have even been asked what is risk?  Well, it can have different meanings for different people.  A lot of the definition really depends upon on how much of a gamble you are willing to take if you are hit by a security breach.

You can Google this term, but in my books, I define risk as how much of a financial loss you can tolerate before the real pain hits the bottom line.  Of course, no business wants to lose money on anything, but it is a part of what capitalism is all about.  You won’t gain anything until you risk.  But in Cybersecurity, we are all prone to becoming victims of an attack.

This is where the monetary part plays a key role.  For example, are your bank coffers large enough that you can sustain some downtime for a little while?  Or are you an SMB that after one day, you could go out of business. 

That is what you need to figure out.  Obviously, common thinking dictates that a business would want to mitigate that risk as much as possible.  But believe it or not, there are plenty of them out there who feel that they have a much bigger appetite for this.

Before you get into any component of Cybersecurity, it if first very important to conduct what is known as a “Risk Assessment Study”.  Essentially, this is where you are grouping all of your assets, both digital and physical, and examining just how prone they are to a security breach. 

Very commonly,  an IT  Security team would make use of a categorization scale, such as 1 – 10, where “1” would have the least amount of vulnerability, and “10” would have the most.

But depending on the size of your business, and what industry you are in, conducting a Risk Assessment Study can actually be quite a complex undertaking.  In order to make sure that you are doing right from the get go, it is wise you a Cyber vendor who has extensive experience in doing this to help you out.

But if you want to strike it out on your own, there are plenty of templates that you can use for free on the Internet. Some of the most reliable ones to are those from NIST and CISA.  In this regard, the following are some tips that you use to conduct your study:

1)     Use a hybrid approach:

I have been asked in the past, what approach is better to use?  A quantitative or a qualitative one?  Once again, a lot depends upon what assets you have.  Although I would err more towards the quantitative approach at first because numerical values are easier to understand, you really need to take into account both.  This is the only way to get a true sense as to what you risk posture is, and how much of it you can actually tolerate.  That is what I mean by this “hybrid approach.”

2)     Need to get all members on board:

Conducting a Risk Assessment is not all about the IT Department.  You probably have others as well, and the input that they provide to you is extremely important in order to calculate your overall risk score.  But, getting other departments involved is by no means an easy task to do, because they probably don’t understand what the real meaning behind risk is, and how it can also affect their jobs.  Rather than spending hours teaching the importance of it, perhaps you can use the concepts of gamification and even use a rewards system to get them involved to provide their needed input.  In other words, it should not all be up to the IT Security team to do this.  Each and every employee in your business has a stake in this.

3)     Look at impact also:

As I mentioned previously, one of the primary goals of a Risk Assessment Study is to see how vulnerable your assets are.  But there is also another key area that you need to factor in as well.  And that is “Impact”.  For example, if your database server is ranked as being vulnerable, you also need to assess as to what the impact will be if it is indeed targeted and breached.  What are the far-reaching implications of this?  Who will be affected? Customers? Employees? Key Stakeholders? So the equation here is that your overall risk posture will be a culmination of Vulnerability + Risk Impact.

4)     Keep your Study updated:

Your will probably want to run your first Risk Assessment manually.  Although it will be a pain to do, at least you will have a firm understanding of what is happening.  But doing this is not a one-time deal.  Your Risk Assessment Study needs to be updated as much as possible, preferably on a real-time basis.  But this does not mean you and your team have to do it manually all the time.  Given the advances in AI and ML, you can these updates done on an automated basis, and you can even see everything in one central location.

My Thoughts On This:

If your company is new to Cybersecurity, and you want to get started with conducting your first Risk Assessment Study, the following, recommended frameworks you can use (and for free) can be seen at the links below:

https://www.darkreading.com/risk/how-to-choose-the-right-cybersecurity-framework

https://www.darkreading.com/risk/nist-risk-management-framework-aims-to-improve-trustworthiness-of-artificial-intelligence

But before you embark on all of this, you must first have an understanding of what risk is all about.  I have actually written and published a book on this some time ago, and you can see it here at this link:

https://www.routledge.com/Assessing-and-Insuring-Cybersecurity-Risk/Das/p/book/9780367903077

 

 

The 3 Types Of AI Bias You Need To Know About & How To Fix Them

 

AI, AI, AI, blah, blah, blah.  These are the hot buzzwords in Cyber today, and it will be for some time yet to come.  I have blogged about this I think rather extensively, and this is what I am going to do today as well.  But this time, I am taking a different angle. 

I am going to talk about the errors that AI can actually make.  One such area is what is known as “bias”.  We pretty much all know what this term means, but when it comes to AI, it can be defined as follows:

“Machine learning bias, also known as algorithm bias or AI bias, is a phenomenon that occurs when an algorithm produces results that are systemically prejudiced due to erroneous assumptions in the machine learning (ML) process.”

(SOURCE:  https://www.techtarget.com/searchenterpriseai/definition/machine-learning-bias-algorithm-bias-or-AI-bias#:~:text=Machine%20learning%20bias%2C%20also%20known,machine%20learning%20(ML)%20process.)

Simply put, this is where your output gives you something else, because it has been slanted, or even favored in one direction or another.  Heck, even human bias can be a huge factor, as we will later see.  In general, there are three types of AI Bias, which are:

1)     In the Training Data:

AI systems need a lot of data at first in order to for it to learn, and make predictions.  If this initial training data is not a representative set or is skewed in some fashion, all of the other subsequent outputs will also be “biased” to some degree or another.  It is important to note that the training data is the foundation for all of the other datasets that will be collected and used.

2)     In the Algorithms:

This can be considered to be at the heart of any AI system.  This is where the data is processed, and from there, the outputs will be derived.  If the algorithms are not fine-tuned and optimized after the initial training run, there will be a certain level of skewness in later runs, which of course is not wanted.

3)     In our own Minds:

This is technically referred to as “Cognitive Bias”.  This is where human prejudice comes into play, and you either consciencely or subconsciously favor the datasets you are selecting, or in the way you design your algorithms.  The basic premise here is that you want a certain outcome to happen, and you will feed in the data that way in order for it to happen.

But the fear here is that these kind of AI biasness, if not corrected, can lead to some grave security consequences, especially as businesses today are making a full force move to the Cloud (such as Azure or AWS).  Here is a sampling of some of these fears:

1)     The correct types of warnings and alerts will not be sent:

AI is being used heavily today to help filter out false positives and present only the real ones to the IT Security team for appropriate triaging.  But if there is a certain level of bias the AI system could either overstate or even understate the actual severity level of a threat.  As a result, the IT Security team may respond to the wrong alerts and warnings, thus leading to a cataclysmic security breach.  Worst yet, if the IT Security team is implicitly trusting the AI system in this regard, it could even lead to greater cases of what is known as “Alert Fatigue”.  AI systems have been created in order to prevent this exact thing from happening but once again, any kind of biasness can defeat this whole purpose all together.

2)     The inability to see new threat variants:

One of the greatest benefits of an AI system in Cybersecurity is its ability to try to project what the future threat landscape could potentially look like.  But once again, any form of biasness, whether it is in the data or the algorithms, could make the AI system lose this kind of effectiveness very quickly, thus giving the IT Security team an extreme false sense of security.

3)     Less compliance with the data privacy laws:

Another key area where AI is being used in Cybersecurity is in detecting potential leaks.  If a biased AI system cannot get the clues in time, your company will be faced with yet another kind security breach that you don’t want to happen, because if it does, you will fall in the crosshairs of regulators, and possibly face very harsh penalties and fines, as mandated by the GDPR and the CCPA.

My Thoughts On This:

At this point, you are probably wondering what can be done to help mitigate AI biasness.  Here are some quick tips for you:

1)     Educate:

To truly understand what AI biasness is all about, you have to teach it to your IT Security team.  As much as security awareness training is important, so is this area also, at least for those employees of yours that are helping to fortify the lines of defenses for your business.

2)     Run QA checks on the datasets:

Although this might be a time-consuming process, it will pay its dividends in the end.  As it was stated earlier, the first datasets you feed into your AI system  is the most important.  So make sure all of the data that you feed into it is optimized and cleansed as  much as possible.

3)     Don’t depend alone on technology:

As much as we would like to think that AI systems don’t humans, the bottom line is that it does,  and this will always be the case.  So make sure to get your IT Security involved in all aspects of the AI system development and deployment.

4)     Use multiple AI systems:

Remember, you don’t have to use just one AI system.  You can use multiple ones, and it is even recommended that you do so to help eliminate the possibility of bias.  This can be likened  to having multiple layers of security in order to decrease the odds of the Cyberattacker breaking through to your crown jewels.

5)     Use biasness technology:

As much as AI is advancing, so are the tools that are being used to support them.  So in this regard, be on the lookout for any kind of AI biasness components that you can integrate into your AI system.

In the end, there will always be some biasness in AI systems, that is just the nature of it.  But the trick here is to mitigate that level as much as possible, in a way that is similar to mitigating the risks of being a victim of a Cyberattack. 

But remember, AI systems are nothing but garbage  in and garbage out.  It is only as good as the data that you need!!!

Why The CISA Needs To Be Transformed Into The Department Of Cybersecurity

 

One of the biggest complaints in Cybersecurity today (among many others) is that the Small to Medium Sized Business (SMB) community is that trying to procure services that are needed to protect the lines of defenses are simply too expensive for them to afford.  While I can see this to a certain extent, the truth of the matter is that Cyber services are now getting very affordable to the SMB owner.

But, it takes some work and research to find these vendors.  So, in an effort to help out the smallest of the small businesses, people are now calling upon the US Cybersecurity and Infrastructure Security Agency (CISA) to aid in this effort, and to provide a central place where the business owners can get access to the information to whatever they may need.

Here is what is being proposed for the CISA:

1)     Create a centralized approach for membership:

At the present time, many people feel that joining the CISA is too expensive.  There are many cries out there for them to lower the price, so that all businesses can afford it.  In a worst case scenario, there should be at least a tiered level membership.

2)     Expand the use of Albert Sensors:

Truth be told, this is the first time that I have heard of this technology.  These are actually intrusion detection systems, and there are currently about 800 of them being used across local and state governments all over the country.  It has been estimated that they have generated over 250,000 alerts and warnings on annual basis.  The nice thing here is that are provided for and funded by CISA.  The thinking here is that if CISA can do it this for the government, why can’t they do this also for the smallest of the small?  Or if not, at least give them access to the information and data that is generated from it?  More information about Albert Sensors can be seen at this link below:

https://sos.oregon.gov/elections/Documents/vote-systems/albert-sensor-february-2022.pdf

3)     More involvement from the Cyber community:

There has always been a need for this, and many people have voiced their support for this.  But however, it is a lot easier said than done.  Unfortunately, many Cyber vendors still view the SMB market as not enough money to be made off of, but IMHO, they need to get away from this kind of thinking.  I really don’t see the harm in offering some pro bono services, giving back what you have been given goes a long way, I have been taught.  But for this instance, people want the MSPs and the MSSPs do take a much bigger role in this effort, led by CISA.

4)     Have a better portal:

At the present time, I don’t think that CISA has an actual portal for members to log into, and get the latest updates.  Because of this, people want CISA to create and deploy a Cyber portal for all members to access, and which can also be customized to their own requirements.  But the most important thing that is needed right now is for intelligence gathering and sharing, and making it as easy as possible to access.

5)     Have a quicker time to report:

 

Right now, there is a lot of effort on part of the regulatory bodies (such as the SEC) to mandate upon companies that they must report a security breach within a certain timeframe.  People now want CISA to do the same thing, but for all businesses, no mater how large or small they might be, or the industry that they are in.

My Thoughts On This:

The point of all this is to have a central point of control, so that everything will follow in a streamlined process.  But in my view, it is going to take much more than this.  We need a federal agency to do all of this, such as a Department of Cybersecurity.  This needs to be set up in way as to how the DHS was set up right after 9/11.

I am actually going to be writing a whitepaper on this, so stay tuned!!!

What The US Can Learn From Dubai For Cyber Proactiveness

When we hear about Cyber threats and attacks happening, we often think about where the breach has actually occurred at.  Most often, we think of the United States, Europe being impacted, and the culprit being from China, North Korea, or Russia.  But there is one part of the world which we often don’t think about, and that is the Middle East.  I have seen Saudi Arabia come out in the news a little bit more often, but there is one particular region that made headlines today.

That is Dubai, home of the previous World Cup.  This city (which is quite a beautiful one also), has actually seen its fair share of Cyber-attacks.  According to IBMs report, entitled:  “The Cost Of A Data Breach Study” claims that Dubai has lost well over $32 Million because of security breaches from 20180-2022.  This is illustrated in the diagram below:

(SOURCE:  https://www.darkreading.com/dr-global/overview-dubais-first-and-second-cybersecurity-strategy)

The IBM Report can actually be downloaded at this link:

http://cyberresources.solutions/blogs/IBM_Report.pdf

One of the primary reasons cited why Dubai is starting to become a target in the crosshairs of the Cyberattacker is that it is leading the way in digital innovation in that part of the Gulf region.  In fact, it can be considered to be one of the most modern “Smart Cities” in the world.  At the heart of this is of course both the IIoT and the IoT. 

In fact, Dubai started its full force venture into Cybersecurity, when it launched what it known as the “Dubai Electronic Security Centre”, or “DESC” for short. From here, this then became the launching pad for Dubai to launch its first Cybersecurity strategy, which involved the entire city, not just businesses or individuals.  More details on that can be seen at this link here:

http://cyberresources.solutions/blogs/Dubai_Strategy.pdf

Just recently, the Crown Prince of Dubai, Sheikh Hamdan bin Mohammed bin Rashid Al Maktoum, launched the next part of their Cybersecurity strategy on July 12^th, 2023.  The first part of it can be seen in the above-mentioned report.  Here are the major components of this new phase:

1)     Creating a Cybersecurity Culture:

The goal is to give every citizen and business of Dubai access to any and all access to Cyber resources as they are needed.  It is hoped that this will lead to a proactive Cybersecurity society.

2)     Being the Incubator For Innovation:

The intent here is to expand upon the security center as just described, and update with the latest technologies so that Cybersecurity professionals can use the latest tools in figuring out ways to combat the latest threats.

3)     A Strong Cyber City:

Here, it is intended that Dubai will further enhance its reputation as being one of the safest Smart Cities in the world.

4)     A Place For Information Sharing:

Of the chief objectives of the Sheik of Dubai is to allow for the free flow of information and data between the government, businesses, and the people (and even vice versa).  The intent here is that by sharing these kinds of assets, Dubai will become much more proactive in fending off any kinds of Cyber threats and attack vectors.  Also, people will be highly encouraged to report any suspicious behavior, on an anonymous basis.

My Thoughts On This:

The city of Dubai has taken other steps as well to be the Gulf’s center for Cybersecurity.  For example:

*It is now sponsoring the various “Hack The Box” competitions, making a return after an 8-year halt.

*It is hosting other Cyber-related events as well, bringing in people from all over the world.

*The Sheik of Dubai just launched what is known as the “Dubai Cyber Index” to reflect the city’s level of resilience and readiness in the case of a large-scale attack.  More information about this can be seen at the link below:

https://gulfbusiness.com/sheikh-hamdan-launches-dubai-cyber-index-to-enhance-cybersecurity-among-government-entities/

In my opinion, I think it is great how the City of Dubai is coming together to bring its people, businesses, and even culture into a proactive mindset.  It is truly amazing what people can do when they all come together for a common cause.  Here in the United States, we can learn so much from this.

Why OT Is A Huge Cyber Risk For The Maritime Industry

 

One term that you many have heard on and off in the world of Cyber is that of “Operational Technology”, also known simply as “OT” for short.  It has been used in conjunction with “IIoT”, which stands for the “Industrial Internet of Things”.  So, you may be wondering what exactly is OT?  Well, a technical definition of it as follows:

“It is the practice of using hardware and software to control industrial equipment, and it primarily interacts with the physical world.”

(SOURCE:  https://www.redhat.com/en/topics/edge/what-is-ot)

So as you can see, it pretty much deals with anything technological related to equipment that is involved in heavy industrial usage.  Some examples of this would include car assembly lines, logistics/supply chains, trucking, aviation, etc.  But the problem here is that these pieces of equipment are actually pretty archaic in nature.  Thus, they have become a prime target for the Cyberattacker because modern day software patches and upgrades simply will not work for them.

In fact, this is the problem that Critical Infrastructure is having.  Much of the technology that underlays our water supplies, oil/natura gas pipelines, and even the national power grid is also outdated.  And these too have become prime targets.  Probably one of the best examples of this is the Colonial Gas Pipeline attack, where the CEO ended  up making a payment of $4.4 Million.

This outdated OT is also starting to impact another industry, in which the entire world is dependent upon.  These are the cargo vessels that transport goods and supplies to all places.  This is technically known as the maritime industry.

So far in the news, we have not heard too much about Cyber attacks to these kinds of vessels.  But given their increased dependence upon them, they too will become a prized target.  Also note that these ships also use a wide myriad of electronic components, primarily to help them with navigation.  Some  of these include the following:

*Radar

*Electronic Charts

*Engine Monitoring

*The GPS System

One of the other biggest weaknesses facing the maritime industry is that they often still use weak and  easy to guess passwords.  Don’t forget to also take into consideration that these vessels carry hundreds of containers, and they are inherent risks with them also, especially when it comes to physical based security.

So, what are some of the Cyber risks that the maritime industry actually faces? Here is a sampling of them:

1)     High economic costs:

Because the OT that is used is so old, simply upgrading them to newer standards will not happen.  The primary reason for this is that many of these components are simply not available anymore.  IF anything, they have to be custom-made, which can take a very long time to achieve.  The only other option is to totally gut the old OT, and put in a new one.  But this would be too cost prohibitive for the shipping lines.

2)     Using the Cloud:

Although the vessels OT systems might be outdated, as mentioned, they make use of sophisticated electronics to keep them on their course.  These devices too can be prone to a Cyberattack.  But the good news here is that these kinds of devices should be upgraded, given that they are still new.

3)     Password Hacking:

Also as described, cargo vessels still use very weak passwords.  Advocates are claiming that it is time for them now to upgrade their process in this regard, and start using a password manager of sorts.  It would be even better if some sort of Privileged Access Manager could be put in place, and the Cloud would be a great option for this to happen.

4)     Third party risk:

Maritime transportation is of course heavily dependent upon third party suppliers  in order to deliver the cargo.  So, there is a lot of risk here as well.  The need for third party vetting now becomes crucial, but this is far easier said than done.  When you consider literally the hundreds of people involved with getting a cargo ship ready this process would take a long time to complete.  Also,  it should not be up to the cargo lines to do this.  It should be the countries from where they originate  that should take the ultimate responsibility for this happening.

My Thoughts On This:

IMHO, it may be time for these cargo vessels to upgrade their OT systems now finally.  But again, this will be a very expensive and time-consuming process.  But in the long run, these benefits will outweigh the costs of having to keep repairing and upgrading systems.  Also, many Cyber pundits feel that the maritime industry should also adopt the kinds of standards that Corporate America must adopt.

Some of these include:

*Intrusion Detection Systems

*Network Segmentation

*Zero Trust Framework Implementation

*Deploying EDR and XDR systems

*The use of AI and SIEM to keep track of the latest warnings and  alerts

More Information about the kinds of controls that should be implemented can be seen here at this link:

https://www.darkreading.com/ics-ot/4-big-mistakes-to-avoid-in-ot-incident-response

The concern over the security of the maritime industry both from a physical and Cyber one is nothing new.  As far as my remember, it goes back even as far as  after the 9/11 events took place.  But rather than waiting another twenty years to do something, the time to act is now.

Need To Get Cyber Insurance? Here Is A 9 Point Checklist

 

There is no doubt that the world of Cybersecurity is a highly complex, not only navigate through, but to fend off the Cyberattackers from attacking your business.  But now, there is another looming headache on the horizon, and it is a huge one.  This has to do with Cybersecurity Insurance.  Essentially, this is where you have a financial blanket if you are impacted by a security breach, much like if you have a car accident, or have a major medical mishap.

The thinking here is that if you are hit with a security breach, all you have to do is file a claim, and voila, you get your payout days later.  But unfortunately, the world is not working like that at all today.  Insurance carriers have really clamped down on making payments, and worst yet, they are  even being pickier as to who they will accept as a policy holder.

A good example  of this is n if a company pays the ransom if they become a victim of a Ransomware attacks.  Given the frequency by how this threat variant is occurring, many carriers are now fully denying a payout for these types of claims that are made.  Just consider some of these other stats:

*27% of all companies that filed a claim did not receive a full payout (in fact, some were even denied all together).

(SOURCE:  https://www.nedaglobal.com/ned-insights/publications/willis-towers-watson-cyber-claims-analysis-report/)

*The average cost of a data breach is now pegged at over $9 million for just one incident, and globally it has reached a staggering $4,25 million (on a per incident basis).

(SOURCE:  https://www.verizon.com/business/resources/reports/dbir/)

Here are some other examples of what an insurance carrier can do to you to deny coverage, or just make a partial payout:

*100% deny coverage if you do not have the required kinds and types of controls in place.

*If you are selected to be a policy holder, you premiums could be tied to how they view your security posture.  For example, if it is mediocre to average, you will then pay a might higher premium versus a business who has a much stronger posture.

*Impose other kinds of limitations on both coverage and payouts until you security posture has reached a level that is deemed to be acceptable.

So given that the screws are really starting to tighten up now, what can a company do to not only ensure that they can a reasonably good policy, but also be somewhat guaranteed of getting a payout?  Here are some quick tips that you can follow:

*Implement MFA, but to the point where you are no longer using passwords.  Anything but that.

*Segment out your IT and Network Infrastructures, in this regard, your best friend will be the Zero Trust Framework.

*Make sure that you are backing up data on a regular basis, and make sure also that you have multiple copies of them (both on site and offsite).  In this regard, using the Cloud, such as Azure, will be your best bet.

*Have an effective PAM strategy in place.

*Deliver security awareness training programs to your employees, on a regular basis (at least once a quarter is considered to be the bare minimum).

*Make sure you deploy anti virus and anti malware software on all of your endpoints.

*To whatever degree you can, try to have some sort of Security Operations Center in place.  Obviously, this is probably not affordable by many SMBs, but I think you can actually create a virtual one for a very affordable price by using Azure.

*Always make use of a SIEM.  This will show that you are being proactive by monitoring all of the real alerts and warnings that are coming in.  But even importantly, have an effective triaging strategy in place also.

*If you do make use of Azure, make sure that the Azure Active Directory (AAD) that you configure is airtight as possible, in order to avoid any data leakages.  All the controls that you will need for this reside within the Azure Portal.

My Thoughts On This:

Cybersecurity Insurance has always been a gray and murky area to deal with.  It is by no means an easy process to accomplish; it is nothing like shopping for car insurance, or even medical insurance for that matter.  Simply getting a policy is not enough, there are many other add ons and riders that you will need to explore in order to get the exact coverage that you need.  

But honestly, the best way to get started in the application process is to ask for a risk assessment questionnaire from the insurance provider with whom you are trying to get coverage with.  This is a few pages, and simply asks if you have the needed controls in place.  If you do, you can simply check off “Yes”, and if not, you will have some work to do before you can submit it back.

However, it is very important to remember that you cannot attest to the questionnaire your self.  It has to be validated by another person as well, such as your compliance officer or even a vCISO.  This also comes down to another point.  You shouldn’t maintain a strong security posture just to get Cybersecurity Insurance, you should have one to begin with.

Once you have submitted the questionnaire, the insurance company may even come out to an audit before they award a policy, and heck, there is nothing from stopping in doing that as well even after you become a policy holder.  It probably is in your best interest to get some sort of Cybersecurity Insurance now, if you don’t have one.

The reason for this is quite simple:  The cost of data breaches will soon far exceed the costs of what the insurance industry can offer.  For more information on this, click on the link below:

https://assets.lloyds.com/media/35926dc8-c885-497b-aed8-6d2f87c1415d/Y5381%20Market%20Bulletin%20-%20Cyber-attack%20exclusions.pdf

The Real World Perspective Of Why SMB Cybersecurity Is So Important

 

In the world today, Cybersecurity has become a household term.  Hearing and talking about it is one thing, but actually taking the needed, proactive steps to secure your business is entirely a different matter.  Many business owners have their reasons for not taking a stronger stance, but one of the biggest reasons is that of cost. 

Many SMB owners cite the cost is too staggering.  While this may have been true some time ago, now the bottom line is that it is very affordable.  There are many Cyber vendors out there who now offer services just dedicated to serving the SMB market, and giving them enterprise class service, in a way that a Fortune 500 company would. 

EB Solution, based in Canada is one of those companies that offers such affordable services.  Although they are in a different country, their reach is quite global.  In this podcast, we have the honor and privilege of interviewing Johny Bogard, the CEO of this company.  Listen in to see how you can take advantage of not only their expertise, but also their very affordable SMB services.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB1476DC6FJQ2Z

Learn How To Ramp Up Your Cyber Awareness Training

 

One of the key mantras in the world of Cybersecurity is that of security awareness and training.  Although it may sound simple enough to do, it can actually be quite a difficult task to actually accomplish.  For example, whoever you are training, you have to hold their interest and attention so that they apply what the have learned in order to improve their current level of “Cyber Hygiene”.

Secondly, gone are the days of just giving a straight lecture for one hour.  The human attention span is simply not that long, and most importantly, you have to also engage your audience by keeping them engaged with various activities.

How can all of this be done?  In today’s podcast, we have the honor and privilege of interviewing Chris Ellis of Circadence.  They are globally known for developing effective strategies in creating and developing effective Cyber training strategies.  They are the pioneers in Gamification and other Real Time-based activities.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB1475785SSI7K

How You Can Protect Your Data With The CA Delete Act

 

As I mentioned in the blog post from yesterday, data privacy is now becoming one of the main de facto standards in the world of Cybersecurity today.  Some of the most well-known ones in this regard are the GDPR and the CCPA.  But, as I was perusing the Cyber news headlines this morning, I came across an article which discusses how California is about to set a new version of its current CCPA.

So far, it is the proposed bill status, and it is entitled the “California Delete Act”.  It is geared primarily towards the data brokers that collect large amounts of consumer data, but don’t vet what is collected to protect the privacy of the consumer.  While the CCPA gives you the power to have data deleted from any company, this new bill will actually give you the ability to delete this data on your own authority.

The exact wording of the bill can be seen at this link:

https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362

The details on the privacy risks that are brought on by the data brokers can be seen at this link:

https://www.darkreading.com/risk/the-danger-of-online-data-brokers

Some of the provisions of the proposed bill include the following:

*Require that all data brokers that collect data from California based consumers register with the CCPA.

*Provide opt out procedures for consumers.

*Keep a public listing of all of the consumers that have want to have their data deleted.

*In a manner similar to the “Do Not Call List”, provide a “No Consumer Tracking List”.

In order to facilitate these provisions in a quick manner all data brokers will be required to maintain an online portal where consumers can log in and immediately delete any data they want to. 

Some of the FAQs so far are as follows:

1)     Will this bill pass?

It is expected that it will pass by a wide margin, given that data privacy is such a hot topic issue today.

2)     How will it impact the data brokerage industry?

If this bill does indeed pass, it will be the first warning of its kind to the industry that they need to keep their guards up for any data leakages that could potentially happen.  They will also be audited,  and fined $200 per day per affected consumer until the proper remediations and controls have been established.

3)     How will compliance be enforced?

This is the part where there will be the most controversy.  If the bill passes, the state of California simply will not have all of the manpower that it needs to enforce each and every provision for every data broker.  This means that the industry will have to be on the honor system.  The only compliance efforts that will happen will come from the office of the Attorney General, and just like for the CCPA, this will only happen if there are a large number of complaints from the consumers.

My Thoughts On This:

Believe it or not, it was the passage of the CCPA that was the catalyst for the other states to create their own data privacy laws.  Once this new bill passes and becomes law, it is expected that the same will also happen.  But the problem now is that you are going to have fifty states with their own delete and opt out laws, which can be a nightmare for businesses to come into compliance with.

This is made only worse if they transact business in other states.  There will be a huge cost that will be borne to keep up with compliance, and this could even shut some businesses down, especially the SMBs.  Because of this, Congress has even looked into creating a federal version of the proposed California bill, so that there will be a sense of uniformity.

The details of this can be seen at the link below:

https://www.congress.gov/bill/117th-congress/senate-bill/3627

All of this reaffirms my belief yet once again that the United States needs a Department of Cybersecurity, so that any laws or bills will impact everybody across all of the fifty states in the same manner, nothing more and nothing less.  In fact, I will be writing a whitepaper on this very topic, so stay tuned!!!

Top 3 CISO Personality Types You Need To Know

 

Let’s admit it, one of the toughest jobs in Cybersecurity today has to be that of being a CISO.  To formally define, this is a role in which the designated person is hired on as full time, with a huge salary as well as a fat bonus package.  Btu behind all of this glitz and  glamor, the CISO is in a position where he or she is damned if they do  and damned if they don’t. 

There is no thanking or praise in this position.  The CISO is faced with a double-edged sword:  Not only do they have to keep in pace with the other members of the C-Suite, but they are in the perfect firing rage  in front of their Board  of  Directors. 

They literally have to do everything in their power to please them, because after all, their budget is literally in their hands.

The second part of the sword is in dealing with the members of the IT Security team with whom he or she is charged with leading.  Not only do they have to keep them motivated, but they have to listen, or at least make an attempt to do so.  In fact this is one of the areas that CISOs are blamed on. 

Many people feel, even outside of the IT Security team, that CISOs do a very poor job of both listening and  communicating.

While it is up to the CISO to change their personality traits, you can take some steps to help them listen to you better.  It all comes down to understanding the language they can understand and speak.  So, this is where you sort of have to figure out what kind of communication personalities they have.  Psychological research has shown that there are three distinct types,  which are as follows:

1)     The Business Minded One:

For this kind of CISO, all that matters to them (and rather unfortunately so) is the dollars and cents.  While they realize they have to maintain a strong security posture, they want to do it at the cheapest price possible.  While they make look good to their Board of Directors with this kind of personality, it often comes with a price:  Poor security.  Remember that old proverb, “You get what you pay for”?  Well, that certainly applies to this kind of situation.  Every recommendation or idea that you come up with and present will be countered with the question:  “How does this affect the bottom line”? 

2)     The Data Compliance Minded One:

There is no doubt that Data Privacy has become a huge concern today.  To make sure that businesses are compliant to protect their datasets, laws such as the GDPR and the CCPA have been created as a result.  If the right controls are not in place, there are very sharp financial penalties that can be imposed.  There are both civil and criminal  penalties that can also be imposed.  Because of this, the CISO has every right to be afraid.  After all, if there are any problems with auditors, it will be their heads that will roll.  Because of this, many CISOs have been now to take their fear to the extreme, and become totally obsessed by this.  Whie in a way this is good, because you will at least know your business will be compliant, it is also bad because the CISO will quickly lose sight of the other things that they are responsible for.  So in one end you will have some higher levels of protection, but on the other, your company could become more prone to security breaches because the CISO has not been able to keep up with the latest happenings in the Cyber Threat Landscape.

3)     The Technical Minded One:

These are the CISOs that have been brought up in the world of Geekdom.  All they have ever held were pure technical roles, and nothing else.  While you want a CISO that can understand and speak the techie side of things, this can also be a dangerous proposition if this is all they think about.  As a result, they cannot understand very easily the people side of things, and when they do communicate with other employees or their Board of Directors, it is often at a level that nobody can really understand.  Also, they will have a hard time communicating any kind of business to their higher ups, especially when it comes to getting an increased budget.  This kind of CISO personality also exhibits a very micro view of looking at things, because they want  to know about all of the moving parts that are happening.  Because of this, they can lose sight of the big picture very quickly.

My Thoughts On This:

Keep in mind that this is not an all-inclusive list.  There are other personality types that could potentially exist, but these are the three main ones that research has proven.  In an ideal world, you will want your CISO to speak through all three of these personalities.  But it is very difficult to find a person that can understand both the technical and business side of the Cyber world.

For this reason and  many others, many CISOs of today simply do not last long in their roles.  The average tenure these days is at best 1.5 years.  For this, as well as the current economic situation, many companies are now doing away with hiring full time, direct hire CISOs. 

Instead, they are opting much more favorably to what is known as the vCISO, where you hire a former CISO on a contract basis, for a fraction of the cost. 

But whatever route you go, keep in mind that the CISO or even vCISO is the ultimate reporting authority for the IT Security team.  If you want your ideas to be heard and even implemented, it is important to make some good efforts and try to understand not only if they fit in with any of the above-mentioned personality traits, but to try to speak their language as well.