According to Trend Micro Chief Cybersecurity Officer Tom Kellermann, in an ever-growing cyber threat environment it is important for a chief information security officer (CISO) to have a “broad mandate over security and risk management across all operational silos, not just the datacenter” within an organization. Kellermann argues that companies are not investing enough in security, increasing the risk of reputational damage from breaches, and that all corporate leaders, not just those working in IT, “should be held accountable for their cybersecurity posture.” He recommends that organizations treat cybersecurity as an operational and risk management priority and practice “proper due diligence.”
DHS Offers Free Cyber-Attack Drills for Private Companies
According to KrebsOnSecurity, the U.S. Department of Homeland Security (DHS) has been offering companies free penetration testing of their cybersecurity defenses. DHS does testing through two programs – a risk vulnerability assessment and a cyber hygiene evaluation – which help organizations understand their abilities to resist cyber attacks. Elliot Maras of Hacked.com discusses the programs, how they work to test vulnerabilities and what their reports indicate about organizations’ cybersecurity postures; additionally, Maras includes feedback from industry experts on the program.
When Ethical Hacking Can’t Compete
Although many “white hat” hackers – ethical hackers who expose “vulnerabilities in computer systems to improve cybersecurity, rather than compromise it” – have emerged in recent years (and despite the profession becoming more lucrative over time), the industry of white hat hacking still has a “long way” to go, according to The Atlantic’s Donna Lu. The U.S. director of national intelligence found in a 2015 report that cyber attacks ranked first among global threats, and cyber attacks are expected to continue over time and bring costs for the U.S. economy and national security. Lu says that white-hat hacking can be a hard way to earn a living and that hackers “present a quandary for the tech industry: Ensuring a company’s cybersecurity requires the same skills as destroying it.” She shares insight from hackers on the profession and its benefits and challenges.
Where We’ve Been. Where We’re Going.
CSO VP/Publisher Bob Bragdon examines the security happenings of 2015 and what “could happen” in 2016; he calls out boards’ increased attention to cyber-risk, the growing influence of CISOs in their organizations, the changing roles of government and regulators, big breaches at Sony Pictures, the U.S. Office of Personnel Management (OPM) and other organizations, and other trends. Additionally, Bragdon looks ahead to 2016 with predictions such as IT security moving “out from under the shadow of the CIO,” boards continuing to tighten their focus on security and IT risk, and mobile device risk.
To Better Defend Yourself, Think Like a Hacker
According to Danelle Au of DarkReading.com, the primary performers of cyber war exercises are governments and large corporations; however, as cyber attacks grow in prevalence and sophistication, all organizations have an increasing need to “at some level understand and experience the mind and method of hackers.” Au discusses specific characteristics of hackers, including persistence and patience, limited breach methods and phased attack approaches. She argues for a more offensive approach to security that looks at the mindset of hackers.
Creating a Cybersecurity Center of Excellence
Jon Oltsik, a principal analyst at Enterprise Strategy Group, discusses the growing shortage of IT security talent in the workforce – citing a 2015 Raytheon-NCSA survey in which 69 percent of high school respondents did not have access to classes that could help prepare them for cyber careers – and argues that the best way to draw cybersecurity talent is to “build a ‘cybersecurity center of excellence.’” Oltsik outlines a few steps organizations can take to build these centers, including establishing strong cybersecurity cultures, partnering with local colleges and universities, promoting career development through training and mentoring programs, offering continuing education benefits, encouraging employees to participate in the cybersecurity industry, and promoting process automation so that staff can focus on important responsibilities and goals.