Recent legal actions against CISOs have spawned a debate on whether security leaders should be held accountable for security incidents. CISOs should manage this shifted liability through real-time documentation and collaboration with law enforcement, said attorney Stephen Reynolds.
Grant Bourzikas shared his experience as the new CISO at Cloudflare, highlighting a 90-day period during which he engaged with customers, internal nonsecurity personnel, executives and his team to gather insights on Cloudflare's security landscape.
Changing technologies and markets require adapting an organization's overall cybersecurity strategy, including the scope of our risk management, and then reviewing and adjusting our operational program to deliver the revised vision, said Akm Hasan, head of cybersecurity at Hays PLC.
Security is about more than technology, said Paul Watts, a distinguished analyst at the Information Security Forum. It's also about people and process, he said, with the ultimate goal of adding value to what the business is trying to do. Watts discussed how security leaders can achieve this goal.
Today's CISO must have close communication with the C-suite, understand the business needs of the organization as well as its objectives and risks, and be able to articulately translate those business objectives into technology, said Dion Alexopoulos, head of security at Camelot.
Why are so many fresh zero-day vulnerabilities being exploited in the wild? Google reported that attackers often discover variants of previously exploited flaws, which suggests that vendors aren't doing enough to fix the root cause of flaws - or to avoid introducing fresh ones with their fixes.
Kevin Mitnick, the self-described "world's most famous hacker" - thanks in no small part to his being featured on the FBI's Most Wanted list during a two-year manhunt - has died at the age of 59. After serving time in prison, Mitnick went legit, warning others about the dangers of social engineering.
While IT-OT convergence is accelerating, awareness and maturity of OT technologies still have a long road ahead. In this transition, organizations need to ensure the safety and health of workers is always the top priority for OT security, said Andre Shori, CISO, APAC with Schneider Electric.
In the drive to build a more diverse workforce, security organizations are progressing in many ways, such as ensuring that required skills in job descriptions are more inclusive, said Ed Parsons of (ISC)². But he added that job recruiters need to "meet underrepresented groups where they are."
In the latest weekly update, ISMG editors discuss the complex task of phasing out magnetic stripe payment cards and why the United States lags behind, the great debate over best of breed vs. a single platform vendor approach, and AI insights from Palo Alto CIO Meerah Rajavel.
Operationalizing security comes down to making it part of the business process, and everyone in the organization must be responsible. Goals and objectives must be clearly spelled out, including lines of accountability and ownership, said Jason Hart, chief technology officer for EMEA at Rapid7.
Information security is no longer confined to the tech domain, and instead must align with business outcomes, adapted to suit an organization's risk appetite, said Matt Gordon-Smith, former CISO at Gatwick Airport. Security teams often must balance competing needs and risks.
In the latest weekly update, ISMG editors discuss the potential fallout from an SEC investigation of SolarWinds and its CFO and CISO, why the number of individuals affected by Clop's campaign against MOVEit is on the rise, and highlights from InfoSecurity Europe.
The first step in managing risk is recognizing it as a boardroom matter, and it demands that directors be prepared to understand and discuss the cyber issue and strategically guide C-level executives on this complex topic. It requires cyber competence in the boardroom, said CISO Marco Túlio Moraes.
CISOs need to bridge the gap between security concerns and business outcomes to ensure everyone plays an active role in third-party risk management. But effectively communicating that risk comes down to knowing your audience - from employees to the board, said CyberGRX's Caitlin Gruenberg.