business - All Articles - CISO Platform2024-03-29T06:19:44Zhttps://www.cisoplatform.com/profiles/blogs/feed/tag/businessKeynote: Critical Infrastructures Are Under Attack From Aggressive Nation Stateshttps://www.cisoplatform.com/profiles/blogs/keynote-critical-infrastructures-are-under-attack-from-aggressive2024-02-19T22:55:55.000Z2024-02-19T22:55:55.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12385096096?profile=RESIZE_400x&width=400"></div><div><p><iframe title="YouTube video player" src="https://www.youtube.com/embed/SNANAfdBtjs?si=VYPA3R7JlDFzUhQD" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p>
<p class="graf graf--p">Critical Infrastructures are under attack from aggressive nation states! Governments must step forward to help protect these crucial sectors and the services they provide to citizens.</p>
<p class="graf graf--p">My cybersecurity keynote from the InCyber North American conference is now available for the public to watch!</p></div>The Cybersecurity Vault #27 - Incident Materiality and Meeting New SEC Requirements with Malcolm Harkinshttps://www.cisoplatform.com/profiles/blogs/the-cybersecurity-vault-27-incident-materiality-and-meeting-new-s2024-02-13T02:40:14.000Z2024-02-13T02:40:14.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12378848456?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/bNSaj8tE00o?si=4c4N-mkK6GqcQYp5" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p>
<p style="text-align:left;">The new SEC requirements for public companies include reporting within 4 days of determining that a cybersecurity incident is ‘material’ to the company. But what is materiality? In this episode, I talk with Malcolm Harkins, the Chief Security and Trust Officer at HiddenLayer, former CISO at Intel, and fellow at the Institute for Critical Infrastructure Technology (ICIT).</p>
<p> </p></div>Carta's Reputation Crisis: How they can Rebuild Trusthttps://www.cisoplatform.com/profiles/blogs/carta-s-reputation-crisis-how-they-can-rebuild-trust2024-01-08T19:34:41.000Z2024-01-08T19:34:41.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12347836060?profile=RESIZE_400x&width=400"></div><div><p><iframe title="YouTube video player" src="https://www.youtube.com/embed/x1VEk5Z4Ezo?si=jJ2wQ3EmBmRh5nLT" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="graf graf--p"><a class="markup--anchor markup--p-anchor" href="https://carta.com/" target="_blank">Carta</a> has a full-blown reputation crisis underway, but all is not lost if the company acts in a meaningful and ethical way!</p><p class="graf graf--p">In today’s video, I give my take on how they can recover and rebuild trust!<br /> <br /> <br />Referenced TechCrunch Article: <a class="markup--anchor markup--p-anchor" href="https://techcrunch.com/2024/01/07/carta-the-cap-table-management-outfit-is-accused-of-unethical-tactics-by-a-customer-after-it-tries-broker-a-deal-for-a-startups-shares-without-consent/" target="_blank">https://techcrunch.com/2024/01/07/carta-the-cap-table-management-outfit-is-accused-of-unethical-tactics-by-a-customer-after-it-tries-broker-a-deal-for-a-startups-shares-without-consent/</a></p><p class="graf graf--p">For more Cybersecurity Insights, be sure to subscribe to the channel: <a class="markup--anchor markup--p-anchor" href="https://www.youtube.com/CybersecurityInsights" target="_blank">https://www.youtube.com/CybersecurityInsights</a></p><p class="graf graf--p">Follow me on LinkedIn: <a class="markup--anchor markup--p-anchor" href="https://www.linkedin.com/in/matthewrosenquist" target="_blank">https://www.linkedin.com/in/matthewrosenquist</a></p></div>SEC Cybersecurity Disclosure Rules Take 
Effecthttps://www.cisoplatform.com/profiles/blogs/sec-cybersecurity-disclosure-rules-take-effect2023-12-18T20:08:10.000Z2023-12-18T20:08:10.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12328507653?profile=RESIZE_400x&width=400"></div><div><p class="graf graf--p">So, it begins! The <a class="markup--anchor markup--p-anchor" href="https://www.sec.gov/news/press-release/2023-139" target="_blank">SEC cybersecurity disclosure requirements</a> take effect today for public companies, requiring them to report material cybersecurity events to the SEC and investors. I can simultaneously hear both a waterfall of tears and a resounding applause coming from the cybersecurity sectors, as this has serious ramifications for how many companies chose to handle such notifications (if they did so at all in the past).</p><p class="graf graf--p">Henceforth, investors should consistently get the benefit of being informed in a timely manner of material incidents, which now include cyber-attacks! They have a right to understand issues with their investments, and material cyber events were often missing from the picture until now.</p><p class="graf graf--p">This requirement arose because many organizations chose to delay for unreasonably long periods or to find excuses not to report such issues to the public. In fact, many such admissions only occurred after security researchers or the attackers themselves went public first, thereby forcing the victim organization to communicate to its shareholders, partners, and customers. Sadly, many games were being played, and the requirement to report material issues was played fast-and-loose, to the detriment of investors and consumers.</p><p class="graf graf--p">Not any longer. Now the decision is to either lawfully comply or potentially be prosecuted by the SEC and perhaps face related class-action-sized litigation. 
The masquerade party is over.</p><p class="graf graf--p">These requirements represent an additional benefit to cybersecurity. As companies come forth to report significant digital attacks, it will reveal the true nature, scale, and maturity of cybersecurity across the landscape of public companies. No more hiding, concealing, or minimizing cyber-attacks. We will get to see a clearer picture of the aggressive nature of attackers, the scale of malfeasance, and the incompetence of organizations to manage risk in a reasonable way.</p><p class="graf graf--p">It is time for transparency. Today represents a new dawn that will drive positive changes — including increased accountability, investment, and prioritization for protecting our digital world.</p></div>Cybersecurity Insurance is Missing the Riskhttps://www.cisoplatform.com/profiles/blogs/cybersecurity-insurance-is-missing-the-risk2023-11-25T01:51:09.000Z2023-11-25T01:51:09.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12300627891?profile=RESIZE_400x&width=400"></div><div><p class="graf graf--p">First published by <a class="markup--anchor markup--p-anchor" href="https://www.helpnetsecurity.com/2023/08/25/cyber-insurance-industry" target="_blank">HelpNetSecurity</a> — Matthew Rosenquist</p><p class="graf graf--p">Cybersecurity insurance is a rapidly growing market, swelling from approximately $13B in 2022 to an estimated $84B in 2030 (26% CAGR), but insurers are struggling with quantifying the potential risks of offering this type of insurance.</p><p class="graf graf--p">The traditional actuarial models do not apply well to an environment where highly motivated, creative, and intelligent attackers are dynamically pursuing actions that cause insurable events. Accurate estimation of losses is key to determining customer premiums. 
But even after two decades, there’s a wide range of loss ratios between insurers (-0.5% to 130.6%). The underwriting processes are not robust enough to properly estimate the losses and accurately price reasonable premiums.</p><h3 class="graf graf--h3">Why is the insurance industry struggling with this?</h3><p class="graf graf--p">The problem is with the nature of the threat. Cyber attackers escalate and adapt quickly, which undermines the history-based models that insurance companies rely on. Attackers continually shift how they identify victims, cause ever greater losses, and rapidly move to new areas of impact.</p><p class="graf graf--p">Denial of service attacks were once popular but were superseded by data breaches, which cause much more damage. Recently, attackers expanded their repertoire to include ransomware-style attacks that pushed insurable losses ever higher.</p><p class="graf graf--p">Trying to predict the cornerstone metrics for actuarial modelers — the Annual Loss Expectancy and Annual Rate of Occurrence — with a high degree of accuracy is beyond the current capabilities of insurers. The industry currently conducts assessments of new clients to understand their cybersecurity posture, determine whether they are insurable, decide what should be included in or excluded from policies, and calculate premiums. The current process is to weigh controls against best practices or peers to estimate the security posture of a policyholder.</p><p class="graf graf--p">However, these rudimentary practices are not delivering the necessary level of predictive accuracy.</p><p class="graf graf--p">The loss ratio for insurance firms has been volatile, in a world where getting the analysis wrong can be catastrophic. Variances and unpredictability make insurers nervous. 
At maximum, they want a 70% loss ratio to cover their payouts and expenses and, according to the National Association of Insurance Commissioners Report on the Cyber Insurance Market in 2021, nearly half of the top 20 insurers, representing 83% of the market, failed to achieve the desired loss ratio.</p><p class="graf graf--p">In response to failures to predict claims, insurers have been raising premiums to cover the risk gap. In Q4 2021 the renewals for premiums were up a staggering 34%. In Q4 2022 premiums continued to rise an additional 15%.</p><p class="graf graf--p">There are concerns that many customers will be priced out of the market and left without a means of transferring risk. To their own detriment, insurers may make their products so expensive that they undermine the tremendous market-growth opportunity. Additionally, upper limits for insurability and various exception clauses are being instituted, which diminish the overall value proposition for customers.</p><h3 class="graf graf--h3">The next generation of cyber insurance</h3><p class="graf graf--p">What is needed are better tools to predict cyber-attacks and estimate losses. The current army of insurance actuaries has not delivered, but there is hope. It comes from the cyber risk community, which looks to manage these ambiguous and chaotic risks by avoiding and minimizing losses.</p><p class="graf graf--p">These cybersecurity experts are motivated by optimizing limited resources to prevent or quickly undermine attacks. 
As part of that continuous exercise, there are opportunities to apply best practices to the insurance model: identify the most relevant aspects of defensive posture (technology, behaviors, and processes), understand the relevant threat actors (targets, capabilities, and methods), and from those determine the residual risks.</p><p class="graf graf--p">The goal would be to develop a unified standard for qualifying for cyber insurance that would adapt to the rapid changes in the cyber landscape. More accurate methodologies will improve assessments to reduce insurers’ ambiguity so they may competitively price their offerings.</p><p class="graf graf--p">In the future, such calculations will be continuous and showcase how a company will benefit by properly managing security in alignment with shifting threats. This should bring down overall premium costs.</p><p class="graf graf--p">The next generation of cyber insurance will rise on the foundations of new risk analysis methodologies to be more accurate and sustain the mutual benefits offered by the insurance industry.</p></div>Caesars Bungling Notice of Data Breachhttps://www.cisoplatform.com/profiles/blogs/caesars-bungling-notice-of-data-breach2023-11-04T01:17:43.000Z2023-11-04T01:17:43.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12283562262?profile=RESIZE_400x&width=400"></div><div><p class="pw-post-body-paragraph so sp or sq b sr ss st su sv sw sx sy sz ta tb tc td te tf tg th ti tj tk tl jl bj">Caesars Rewards Members are receiving notice of a data breach that occurred more than a month prior. The breach occurred in August 2023, but Caesars did not report it to regulatory officials until September 2023 and is only now notifying victims in mid-October 2023. The lost data includes victims’ names and driver’s license or other government-issued ID numbers. 
A separate legal filing is claiming that Caesars actually exposed consumers’ names, mailing addresses, telephone numbers, email addresses, dates of birth, driver’s license numbers, and Social Security numbers.</p><p class="pw-post-body-paragraph so sp or sq b sr ss st su sv sw sx sy sz ta tb tc td te tf tg th ti tj tk tl jl bj">The attackers demanded money once they were in possession of the data, and Caesars decided to pay the ransom.</p><p id="f5b2" class="pw-post-body-paragraph so sp or sq b sr ss st su sv sw sx sy sz ta tb tc td te tf tg th ti tj tk tl jl bj">I cannot express how disappointed and frustrated I am with Caesars’ response!</p><h1 id="ec3d" class="agf agg or be agh zz agi aba abd abe agj abf abi adg agk adh adi adj agl adk adl adm agm adn ado agn bj">Takeaways:</h1><ol><li id="f253" class="so sp or sq b sr ago st su sv agp sx sy sz agq tb tc td agr tf tg th ags tj tk tl agt agu agv bj">Caesars’ cybersecurity posture was unable to prevent or quickly detect and contain the data breach — which shows immaturity in their investment and operational procedures</li><li class="so sp or sq b sr agw st su sv agx sx sy sz agy tb tc td agz tf tg th aha tj tk tl agt agu agv bj">Caesars failed to protect, encrypt, or delete unnecessary data 
— showcasing a failure in management to properly respect acceptable data collection, destruction, and privacy practices</li><li class="so sp or sq b sr agw st su sv agx sx sy sz agy tb tc td agz tf tg th aha tj tk tl agt agu agv bj">Caesars paid extortion money to untrustworthy criminals, who may be working for an aggressive nation-state that is committing atrocities — which makes them unethical</li><li class="so sp or sq b sr agw st su sv agx sx sy sz agy tb tc td agz tf tg th aha tj tk tl agt agu agv bj">Caesars took over a MONTH to inform victims that their data was exposed, giving that window of time to criminals and allowing greater victimization — showing that Caesars does not really care about its customers, but rather how well it can control negative brand implications</li></ol><h1 class="agf agg or be agh zz agi aba abd abe agj abf abi adg agk adh adi adj agl adk adl adm agm adn ado agn bj">Infuriating statements in the notification letter:</h1><p id="df85" class="pw-post-body-paragraph so sp or sq b sr ago st su sv agp sx sy sz ahb tb tc td ahc tf tg th ahd tj tk tl jl bj">“<em class="ahe">We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.</em>” — You paid the ransomware extortion and you are not ensuring anything! The data is exposed and in the hands of unscrupulous cybercriminals who are motivated by money. They will sell it as many times as they can because, well, money!</p><p id="b905" class="pw-post-body-paragraph so sp or sq b sr ss st su sv sw sx sy sz ta tb tc td te tf tg th ti tj tk tl jl bj">“<em class="ahe">…recently identified suspicious activity…</em>” — that was well over a month ago?!? News agencies have been reporting this for weeks. Your delay is inexcusable. 
This is why the industry is supporting the SEC reporting requirements of 4 days!</p><p id="c6ff" class="pw-post-body-paragraph so sp or sq b sr ss st su sv sw sx sy sz ta tb tc td te tf tg th ti tj tk tl jl bj">“<em class="ahe">While we do not have any specific reason to believe that you are at risk of identity theft or fraud as a result of this incident…</em>” — so a criminal that breached your security, stole sensitive data, and extorted money from you is not considered a specific reason for the risk of identity theft or fraud? Absurd, incompetent, and flat-out insulting.</p><p id="cf62" class="pw-post-body-paragraph so sp or sq b sr ss st su sv sw sx sy sz ta tb tc td te tf tg th ti tj tk tl jl bj">This is the wrong way to handle data breaches! It is what happens when corporate lawyers and marketing people are allowed to decide how a cybersecurity crisis response should proceed.</p><p class="pw-post-body-paragraph so sp or sq b sr ss st su sv sw sx sy sz ta tb tc td te tf tg th ti tj tk tl jl bj">Not surprisingly, Caesars is already facing class action lawsuits. Where do I sign up?</p></div>Debating the SEC Charges Against SolarWinds CISOhttps://www.cisoplatform.com/profiles/blogs/debating-the-sec-charges-against-solarwinds-ciso2023-11-04T00:24:09.000Z2023-11-04T00:24:09.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12283380258?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/s4lG_9r3uEA?si=2kmFTQeJ-9_Smsyq" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="graf graf--p">New podcast episode on a hot cybersecurity topic! Ira Winkler and I discuss the SEC case against SolarWinds and their CISO, from different perspectives! We cover a lot of ground. Listen at your own risk!</p><p class="graf graf--p">The U.S. 
Securities and Exchange Commission is charging SolarWinds and its CISO with fraud and Internal Control Failures!</p><p class="graf graf--p">This will have a ripple effect on the cybersecurity industry!</p><p class="graf graf--p graf--empty"> </p><p class="graf graf--p">SEC official announcement: <a class="markup--anchor markup--p-anchor" href="https://www.sec.gov/news/press-release/2023-227" target="_blank">https://www.sec.gov/news/press-release/2023-227</a></p><p class="graf graf--p">SEC Complaint (.pdf) <a class="markup--anchor markup--p-anchor" href="https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-227.pdf" target="_blank">https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-227.pdf</a></p><p class="graf graf--p">Ira Winkler’s LinkedIn Profile: <a class="markup--anchor markup--p-anchor" href="https://www.linkedin.com/in/irawinkler/" target="_blank">https://www.linkedin.com/in/irawinkler/</a></p><p class="graf graf--p">Follow Matthew on LinkedIn: <a class="markup--anchor markup--p-anchor" href="https://www.linkedin.com/in/matthewrosenquist/" target="_blank">https://www.linkedin.com/in/matthewrosenquist/</a></p><p class="graf graf--p">Subscribe to the Cybersecurity Insights channel: <a class="markup--anchor markup--p-anchor" href="https://www.youtube.com/CybersecurityInsights" target="_blank">https://www.youtube.com/CybersecurityInsights</a></p></div>Striking the Balance: Effective Cybersecurity Visualization for Informed Decision-Makinghttps://www.cisoplatform.com/profiles/blogs/striking-the-balance-effective-cybersecurity-visualization-for-in2023-10-20T00:59:43.000Z2023-10-20T00:59:43.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12260318298?profile=RESIZE_400x&width=400"></div><div><p class="graf graf--p">In the complex and ambiguous realm of cybersecurity, the power of visualization tools cannot be overstated. 
When employed judiciously, they serve as invaluable assets, offering crucial data in a readily comprehensible manner. Conversely, when inundated with superfluous information, these tools become distractions that obscure the very insights they aim to illuminate. In this sophisticated landscape, aesthetics must never overshadow utility, and focus must remain on what truly matters.</p><p class="graf graf--p">The underlying purpose of metrics and visualizations is the transformation of raw data into actionable information through astute analysis. The value of such information lies in its ability to drive decisions, even if the decision’s outcome is non-action. Any metric or visualization that fails to facilitate decision-making is, by definition, frivolous — an unproductive diversion that squanders valuable time.</p><p class="graf graf--p">Consider, for a moment, the stark, bare, and very industrial interiors of warships — a deliberate design choice. Such environments are purposefully devoid of distractions and embellishments, fostering an unwavering focus on the mission at hand, especially during moments of crisis. This approach, applied to cybersecurity visualizations, conveys only essential information, omitting extraneous elements that could mask critical issues or distract operators from their core objectives.</p><p class="graf graf--p">Regrettably, vendors often opt for entertainment over substance. One of the worst and most widespread offenses is the global attack map. These mesmerizing displays show a global map surface that often features streaks or lines representing near real-time attacks traversing geographic regions. They often captivate onlookers and are popular in the lobbies of security service companies as well as in their products. However, they ultimately serve no practical purpose, offering no actionable insights. 
When a cybersecurity analyst witnesses a sudden surge of malicious packets emanating from a neighboring country, it won’t evoke any meaningful action. The notion of shutting down border connections or blocking vast ranges of IP addresses is absurd. Such visualizations, while perhaps impressive, are designed for marketing rather than operational utility. At the very least, they trivialize significant matters, and at worst, they distract operators from activities that would initiate a specific response.</p><p class="graf graf--p">In contrast, a visualization that brings attention to a system that is actively being exploited, so an operator can isolate it from other assets and begin remediation, is far more useful, but less likely to impress onlookers.</p><p class="graf graf--p">The true potential of visualization in cybersecurity lies in its alignment with the needs of expert practitioners. They require a rapid synthesis of data presented in a way that is easy on the eyes and directs a laser focus on issues in need of urgent attention. Achieving the optimal balance necessitates a strategic approach, beginning with a clear understanding of the tactical objectives of operators and working backward to determine the most effective visualization methods. 
In this manner, we can ensure that our cybersecurity visualization tools serve as potent aids, enhancing our ability to make timely and informed decisions to safeguard critical systems in an increasingly complex digital landscape.</p></div>Cybersecurity Regulations Will Force Companies to be Trustworthyhttps://www.cisoplatform.com/profiles/blogs/cybersecurity-regulations-will-force-companies-to-be-trustworthy2023-10-05T02:19:11.000Z2023-10-05T02:19:11.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12239694684?profile=RESIZE_400x&width=400"></div><div><p>I think the list of executives and board members genuinely interested in cybersecurity will increase greatly as regulations, such as the US SEC cybersecurity reporting requirements and the European Union's proposed Cyber Resilience Act (CRA), are established to correct longstanding financial incentives that do not benefit the customers or investors. </p><p>These are requirements, for those under their oversight, that force a level of transparency that creates accountability for a company’s cybersecurity posture and management. Such strong catalysts will drive recognition across the top tiers of business leadership of the importance and necessity of committing resources to develop and actively maintain the security of their digital products and services.</p><p>Needless to say, such regulations are unpopular with many organizations, as they greatly narrow the options for concealing security issues and, therefore, represent an undesirable forcing function to invest more in cybersecurity and maintain executive oversight.</p><p>I see this as a strategically important shift that strengthens the trust in digital technology. 
</p></div>Why I'm in Favor of the EU Cyber Resilience Act and You Should Be Toohttps://www.cisoplatform.com/profiles/blogs/why-i-m-in-favor-of-the-eu-cyber-resilience-act-and-you-should-be2023-10-05T01:37:34.000Z2023-10-05T01:37:34.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12239685455?profile=RESIZE_400x&width=400"></div><div><p class="graf graf--p">I like the EU Cyber Resilience Act! There, I said it! Yes, this will make companies nervous in the short term, but this regulation is a watershed moment that will fundamentally shift how digital products are secured and maintained! This will FORCE the industry to adapt in more transparent and accountable ways.</p><p class="graf graf--p">I don’t like regulations in the tech world but will support such extreme measures when companies are not doing what is best for their customers. In this case, the industry has chosen not to voluntarily support good security practices such as these in the past. They often keep customers in the dark when attackers are running rampant and exploiting weaknesses in their products until they have a fix ready. Customers, if informed in a timely way, may be able to mitigate risks in other ways while waiting for a patch. But not if the company purposely chooses to keep them in the dark. So now, customers may be able to hold manufacturers accountable if they choose not to be forthcoming.</p><p class="graf graf--p">There are several aspects to this act, which is designed to inform and protect consumers of digital products:</p><p class="graf graf--p">1. Notification of exploitation (when vulnerabilities are being used by attackers to victimize targets)</p><p class="graf graf--p">2. Security patching support for the lifetime of the product</p><p class="graf graf--p">3. 
Differentiation between security and functionality updates where feasible</p><p class="graf graf--p">Those companies that are worried about reporting when attackers are exploiting vulnerabilities in their products are basically saying they don’t want their customers to be aware.</p><p class="graf graf--p">I find the <a class="markup--anchor markup--p-anchor" href="https://www.scmagazine.com/news/eu-urged-to-reconsider-cyber-resilience-acts-breach-reporting-within-24-hours" target="_blank">arguments against this act</a> are outdated. My favorite illogical argument is that “if we report when our products are exploited, then attackers will exploit them more.” Um, the genie is already out of the bottle. How about doing the decent thing and informing your customers that they are at serious risk of being victimized!</p></div>Initiative is the Key to Successhttps://www.cisoplatform.com/profiles/blogs/initiative-is-the-key-to-success2023-10-02T18:32:20.000Z2023-10-02T18:32:20.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12238204881?profile=RESIZE_400x&width=400"></div><div><p>A forward-thinking college student decided to reach out to local business professionals to organize an in-person Q&A panel for fellow students and entrepreneurs. Aili Vaananen called several successful businesspeople and assembled a great panel who shared their knowledge and recommendations.</p><p>The event was a success! Dozens of attendees soaked in the guidance and asked serious questions regarding ways they can succeed and thrive as professionals. 
I was honored to be among the esteemed panelists, who included Sherry Chang, Will Ferrier, Ray Bryant, Vitaliy Panych, and John Whitman, all of whom provided such good insights and experiences.</p><p>This type of event is something that every community should pull together to help the next generation of professionals.</p><p>A special call-out to the cybersecurity students who were in attendance! I hope you found the discussion enlightening!</p></div>Cybersecurity is Approaching a Crisishttps://www.cisoplatform.com/profiles/blogs/cybersecurity-is-approaching-a-crisis2023-08-21T19:00:43.000Z2023-08-21T19:00:43.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12201693474?profile=RESIZE_400x&width=400"></div><div><p><iframe title="YouTube video player" src="https://www.youtube.com/embed/gL2NsL4_G1M" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="pw-post-body-paragraph lc ld fw le b lf lg lh li lj lk ll lm ln lo lp lq lr ls lt lu lv lw lx ly lz fp bj">Cybersecurity has a growing problem that will force an evolution in the industry — it must deliver more recognizable value!</p><p id="abb1" class="pw-post-body-paragraph lc ld fw le b lf lg lh li lj lk ll lm ln lo lp lq lr ls lt lu lv lw lx ly lz fp bj">Cybersecurity must re-envision itself to both protect and become an active contributor to the overarching business goals. 
Embracing this transformation is crucial for long-term success in the ever-changing cybersecurity landscape.</p><p class="pw-post-body-paragraph lc ld fw le b lf lg lh li lj lk ll lm ln lo lp lq lr ls lt lu lv lw lx ly lz fp bj"> </p><p class="pw-post-body-paragraph lc ld fw le b lf lg lh li lj lk ll lm ln lo lp lq lr ls lt lu lv lw lx ly lz fp bj">Like and subscribe! <a class="af ma" href="https://www.youtube.com/CybersecurityInsights" target="_blank">https://www.youtube.com/CybersecurityInsights</a><br />Follow me on LinkedIn <a class="af ma" href="https://www.linkedin.com/in/matthewrosenquist" target="_blank">https://www.linkedin.com/in/matthewrosenquist</a></p><p class="pw-post-body-paragraph lc ld fw le b lf lg lh li lj lk ll lm ln lo lp lq lr ls lt lu lv lw lx ly lz fp bj">Learn about the most pervasive cybersecurity mistakes in the LinkedIn Learning Course: “Five Biggest Mistakes of Cybersecurity Programs” <a class="af ma" href="https://www.linkedin.com/learning/five-biggest-mistakes-of-cybersecurity-programs/learn-from-others-mistakes" target="_blank">https://www.linkedin.com/learning/five-biggest-mistakes-of-cybersecurity-programs/learn-from-others-mistakes</a></p></div>New SEC Rules Mandate Cybersecurity Transparency and Oversighthttps://www.cisoplatform.com/profiles/blogs/new-sec-rules-mandate-cybersecurity-transparency-and-oversight2023-07-28T02:45:09.000Z2023-07-28T02:45:09.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12163574698?profile=RESIZE_400x&width=400"></div><div><p class="graf graf--p">The new SEC Rules establish a framework that requires rapid disclosure of material cybersecurity incidents (within 4 days), requires companies to be able to explain their cybersecurity posture for managing risks, and requires boards to describe their oversight and expertise in cybersecurity.</p><p class="graf graf--p">This is a major leap forward for securing US public 
companies! The new regulation drives transparency of incidents, risk management processes, and board accountability. It may be the most impactful cybersecurity event this year that shifts the trajectory of how cyber risks are managed!</p><p class="graf graf--p">The new SEC Rules establish a framework that requires:</p><ol class="postList"><li class="graf graf--li">Rapid disclosure of material cybersecurity incidents (4 days)</li><li class="graf graf--li">Companies will need to be able to explain their cybersecurity posture to manage risks</li><li class="graf graf--li">Boards of Directors must describe their oversight and expertise in cybersecurity</li></ol><p class="graf graf--p">These three simple rules will shake the current inconsistent foundations across every sector, which are often flimsy, and force companies to build strong programs, integrated with board support, to protect customers’ and shareholders’ interests!</p><p class="graf graf--p">Overall, I very much like this requirement! Historically I have despised tech regulations, except when financial incentives fail to drive the industry to serve the best interests of the public, shareholders, or customers. It was true for Sarbanes-Oxley, privacy, and now cybersecurity.</p><p class="graf graf--p">There will be concerns about the definition of ‘materiality’ and the 4-day reporting requirement.</p><p class="graf graf--p">So first, as a former Incident Commander for an F100 tech firm, yes, businesses can report material breaches within 4 days. Typically, you understand how hot the fire may get in the first few hours. If you know the CEO will need to be briefed, it may be ‘material’, so the regulatory reporting team can get ready. This is doable.</p><p class="graf graf--p">Will a clear picture be determined of the root cause, scope of impacts, final damage tally, and every entity identified?</p><p class="graf graf--p">No. Not in 4 days. 
Incident response teams will not have all the final details or scope when they make the initial report. Those details will eventually come. The first thing is to notify shareholders. Keep in mind, if it is ‘material’ and you don’t make it public, how many insiders are going to SELL their stock/options because they know something that the public does not! Yeah, insider trading is bad.</p><p class="graf graf--p">Will companies ignore the requirements or try to game the system by fudging the data on when they realized it was ‘material’?</p><p class="graf graf--p">Overall, public companies go to tremendous lengths to not violate SEC rules. Additionally, they really don’t like strong shareholder lawsuits that specify failures in the Board of Directors’ due care and diligence. If companies choose not to comply, then shareholders will have a very durable suit when they sue for damages.</p><p class="graf graf--p">The SEC can fine the company and sanction board members. And public sentiment may shift even more negatively, as news outlets will clearly cover such aspects in their reporting of incidents.</p><p class="graf graf--p">It would not surprise me if companies try to take small liberties in the interpretation of when they realized an incident was ‘material’. Taking an extra day might go under the radar, but that is still a tremendous gain for investors who are often shut out from such events for long periods of time. In fact, many data breaches and cyber-attacks are revealed by security researchers or customers first. Only then do companies feel compelled to make a public announcement.</p><p class="graf graf--p">Anything more than a day will probably be scrutinized. 
It would be hard for a company to claim that they didn’t believe it was material at a point when everyone is on red alert, they called in major forensic and incident vendors, production is stopped, millions of sensitive customer records are on the darknet, or their customer support boards are lit up like a Christmas tree on fire. Those will be the details that are brought up in the lawsuits and SEC investigation.</p><p class="graf graf--p">So overall, the 4-day notification rule is reasonable.</p><p class="graf graf--p">I believe all these requirements will force transparency for incidents, commitment to cybersecurity risk management, and board responsibility/expertise!</p><p class="graf graf--p">Ironically, many of the companies who will voice opposition will likely also take advantage of such public data to understand the security posture and board expertise when they evaluate business partnerships, M&A deals, define supplier requirements, and make vendor selections. Customers, investors, insurance providers, and potential business partners will want to know if a company they are financially tied to has a mature cybersecurity program that is overseen by savvy board members.</p><p class="graf graf--p">The ripples of this SEC requirement will drive significant and fundamental improvements to cybersecurity that help everyone!</p><p class="graf graf--p">SEC Press Release: <a class="markup--anchor markup--p-anchor" href="https://www.sec.gov/news/press-release/2023-139" target="_blank">https://www.sec.gov/news/press-release/2023-139</a></p></div>Cybersecurity Aspires to Be a Competitive Advantagehttps://www.cisoplatform.com/profiles/blogs/cybersecurity-aspires-to-be-a-competitive-advantage2023-05-31T05:12:31.000Z2023-05-31T05:12:31.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><p>The game is changing as cybersecurity groups must justify their growing costs and importance during the economic downturn. 
CISOs are under pressure to do more with much less and need to adapt to show clear competitive advantages. </p><p>Cybersecurity must grow beyond regulatory compliance and controls protecting from possible attacks to also enable business success and contribute directly to the core goals of the organization. It is a natural progression, an evolution that will leave behind those who cannot adapt.</p><p><strong>Full Article: <a href="https://matthew-rosenquist.medium.com/cybersecurity-aspires-to-be-a-competitive-advantage-88771d030eab" target="_blank">https://matthew-rosenquist.medium.com/cybersecurity-aspires-to-be-a-competitive-advantage-88771d030eab</a> </strong></p><p><a href="https://i.postimg.cc/GtWpsbBQ/Cybersecurity-Transfomation-for-Competitive-Advantage-2.png" target="_blank"><img class="align-center" src="https://i.postimg.cc/GtWpsbBQ/Cybersecurity-Transfomation-for-Competitive-Advantage-2.png" alt="Cybersecurity-Transfomation-for-Competitive-Advantage-2.png" /></a></p></div>Cybersecurity and Privacy Are Needed for Trust – Podcast panel discussionhttps://www.cisoplatform.com/profiles/blogs/cybersecurity-and-privacy-are-needed-for-trust-podcast-panel-disc2023-04-25T17:21:00.000Z2023-04-25T17:21:00.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/11036090470?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/-fO1t-gJn9c" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p>Cybersecurity and Privacy are both necessary for organizations to earn and maintain trust with their partners and customers.</p><p>This lively discussion brings together privacy, cybersecurity, and business leadership experts to unravel the benefits, risks, and challenges that digital organizations must navigate.</p><p><strong>Panelists:</strong></p><p>Michelle Dennedy and Bryan 
Lee - privacy experts from Privatus Consulting</p><p>Michael Gurau and Ben Matthews - business strategy consultants from Altman Solon</p><p>and Matthew Rosenquist - cybersecurity expert from Eclipz</p></div>Cyber Insurance Needs to Grow Uphttps://www.cisoplatform.com/profiles/blogs/cyber-insurance-needs-to-grow-up2023-02-27T20:36:28.000Z2023-02-27T20:36:28.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/10973925095?profile=RESIZE_400x&width=400"></div><div><p><a href="{{#staticFileLink}}10973922862,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10973922862,RESIZE_710x{{/staticFileLink}}" width="710" alt="10973922862?profile=RESIZE_710x" /></a></p><p class="graf graf--p">You can’t insure, what you don’t understand.</p><p class="graf graf--p">The cybersecurity insurance industry is in a tumultuous period, with skyrocketing deductibles, new limitations, hidden assumptions, and suffering from a slew of lawsuits from customers. The market is hot, with many companies now seeking cyber insurance policies, but some insurers are pulling back because of unexpectedly high payouts leading to losses, while others are blindly diving in to get a piece of the action. The insurance industry has a reputation for being stable and predictable over time but has failed to grasp the ambiguity and unpredictable nature of cyber.</p><p class="graf graf--p">I will outline what it will take for insurance companies to succeed, but first, a story:</p><p class="graf graf--p">I remember, well over a decade ago, speaking to the insurance industry about the need and challenges for the emerging cybersecurity insurance market. I had just published my Return on Security Investment (ROSI) paper and annually recurring cybersecurity predictions. 
With a refreshed understanding of the difficulties in foretelling the risks and likelihoods of cyber-attacks, I warned the insurance community that their normal actuarial methods would not work over time and they would need to approach the growing chaotic uncertainty and radical shifts, driven by the intelligent attackers who take advantage of rapid technology innovation and adoption, in entirely different ways.</p><p class="graf graf--p">I was summarily dismissed time and again with comments like “<em class="markup--em markup--p-em">you don’t know insurance</em>”, “<em class="markup--em markup--p-em">we are the experts</em>”, “<em class="markup--em markup--p-em">we do this type of work all the time</em>” and my favorite “<em class="markup--em markup--p-em">we have algorithms that can predict this type of activity</em>”.</p><p class="graf graf--p">WRONG!</p><p class="graf graf--p">Cybersecurity insurance has struggled with inconsistency and a high degree of variability — not the attributes that are conducive to the insurance industry. Only now are they realizing the challenges and their inability to get ahead of the problems. In December, Mario Greco, the CEO of Zurich Insurance, one of Europe’s biggest insurance companies, <a class="markup--anchor markup--p-anchor" href="https://www.reinsurancene.ws/cyber-attacks-set-to-become-uninsurable-suggests-zurichs-greco/" target="_blank">stated that as cyber-attacks grow, they “will become uninsurable”.</a></p><p class="graf graf--p">Well, that is not exactly the truth. If the industry’s inability to predict losses continues, then yes, insurance companies will not be able to charge correct premiums that cover community losses. 
But, if they do get a better grasp, then they can run the business to properly insure against catastrophic events while simultaneously making a decent profit.</p><p class="graf graf--p">So, I am happy to see that some insurance companies are realizing they didn’t know what they didn’t know, and are building specialized centers of excellence to better understand the nuances which make insuring against cybersecurity incidents so difficult. Liberty Mutual Insurance recently <a class="markup--anchor markup--p-anchor" href="https://www.libertymutualgroup.com/about-lm/news/articles/liberty-mutual-announces-creation-global-cyber-office-and-appointments-key-leaders" target="_blank">announced the opening of a Global Risks Solutions Cyber office</a>. Perhaps a decade late, but this is a necessary step.</p><p class="graf graf--p"><a href="{{#staticFileLink}}10973925253,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10973925253,RESIZE_710x{{/staticFileLink}}" width="507" height="304" alt="10973925253?profile=RESIZE_710x" /></a></p><p class="graf graf--p">Now, my advice to you <em class="markup--em markup--p-em">(listen up cyber insurance companies)</em> is to bring in real cybersecurity experts!</p><p class="graf graf--p">No, you don’t have them in-house.</p><p class="graf graf--p">No, you cannot simply slap ‘cyber’ on the title of an actuary or executive and expect them to understand the important nuances of cyber.</p><p class="graf graf--p">No, those guys in IT and Engineering are not cybersecurity experts either.</p><p class="graf graf--p">You need people who have actually been in the trenches, shown proficiency and thought leadership, and wear the scars earned over the years, with pride.</p><p class="graf graf--p">Here are your simple criteria: Find people that have a strong history of PREDICTING cybersecurity macro trends. That is the key to algorithmic foundations that integrate the right aspects of risk over time. 
That is what it will take to build a robust, fair, profitable, and competitive cybersecurity insurance business that will superbly service customers over time.</p><p class="graf graf--p">The cybersecurity insurance industry must transform itself in order to survive. Success requires that it shed legacy preconceptions and evolve its practices to adapt to the shifts that govern risks and losses in the cyber world.</p><p class="graf graf--p"> </p></div>Recognizing Cybersecurity WINS for 2022https://www.cisoplatform.com/profiles/blogs/recognizing-cybersecurity-wins-for-20222023-02-21T02:57:27.000Z2023-02-21T02:57:27.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/10970668491?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/z_rukJuGg70" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p>Far too often we focus only on the doom-and-gloom of our industry. Let's take a moment to recognize how our efforts have made a difference in avoiding or minimizing the risks of cyber losses.</p><p> </p><h1><span style="font-size:10pt;">Please click the Like button if you found this insightful and subscribe to the Cybersecurity Insights channel for more interviews, best-practices, rants, and strategic viewpoints. 
<a href="https://www.youtube.com/c/CybersecurityInsights">https://www.youtube.com/c/CybersecurityInsights</a> </span></h1><h1><span style="font-size:10pt;">Follow me on:<br />LinkedIn:</span> <a style="font-size:10pt;" href="https://www.linkedin.com/today/author/matthewrosenquist">https://www.linkedin.com/today/author/matthewrosenquist</a><span style="font-size:10pt;"> <br /></span><span style="font-size:10pt;">Medium: <a href="https://medium.com/@matthew.rosenquist">https://medium.com/@matthew.rosenquist</a></span></h1><p><span style="font-size:10pt;"> </span></p><p>To learn about some of the biggest failures in cybersecurity organizations, consider taking the LinkedIn Learning course: <strong>The Five Biggest Mistakes of Cybersecurity Programs</strong></p><p><a href="https://www.linkedin.com/learning/five-biggest-mistakes-of-cybersecurity-programs/learn-from-others-mistakes">https://www.linkedin.com/learning/five-biggest-mistakes-of-cybersecurity-programs/learn-from-others-mistakes</a></p></div>The Rise of Chief Trust and Security Officershttps://www.cisoplatform.com/profiles/blogs/the-rise-of-chief-trust-and-security-officers2022-11-08T19:23:30.000Z2022-11-08T19:23:30.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/10877232261?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/1VSNW6r6YV8" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p>In this episode of the Cybersecurity Vault, I talk with Malcolm Harkins (Chief Security & Trust Officer at Epiphany Systems) and Robb Reck (Chief Trust and Security Officer at Red Canary) for a deep dive exploration of why the role exists, and how it can play a crucial part in the future of tech companies.</p></div>3 Tips to Maximize Cybersecurity 
Valuehttps://www.cisoplatform.com/profiles/blogs/3-tips-to-maximize-cybersecurity-value2022-07-11T18:33:22.000Z2022-07-11T18:33:22.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/10638867854?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/ZvIC7XBB7dA" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="graf graf--p">Delivering maximum value is a momentous challenge for cybersecurity organizations. It takes a decisive effort to organize and prioritize the proper goals that are meaningful to the business, and establish operational excellence to deliver effectiveness and efficiency. But running a good risk program that manages the defensive posture by addressing internal vulnerabilities is not enough. There are external factors that have a profound impact on the likelihood of attack and business factors that matter to the executive suite which could represent a competitive advantage to the corporate bottom line.</p><p class="graf graf--p">Here are my 3 tips to strategically enhance a cybersecurity team’s long-term value-proposition to the organization.</p><p class="graf graf--p">It comes down to three tiers of progress. Build, Compare, and Compete.<br />First, we must build a sustainably effective, comprehensive, and highly efficient cybersecurity capability. 
This is the most important step that every cybersecurity leader works towards on a daily basis.</p><img class="graf-image" src="https://cdn-images-1.medium.com/max/800/1*ORMERmT4p7HDHUMIQdCABA.png" alt="1*ORMERmT4p7HDHUMIQdCABA.png" /><p class="graf graf--p">Although the core of this work is fundamental to our operational existence, we need to pay attention to aspects often ignored, including the concept of aligning efficiency to financial optimizations and disproportionate resource allocation weighted to the most likely attacks. It is also crucial to see cybersecurity as a never-ending endeavor that must be incorporated into the overall everyday business processes and goals.</p><p class="graf graf--p">Sustainability is another key objective that is often overlooked while distracted by short-term battles. CISOs must plan for financial constraints, evolving threats, shifting technology landscapes, confusing regulations, and rising expectations of security to ensure longevity. Cybersecurity cannot continue to impose ever greater expense, friction, and frustration on the organization. A breaking point will be reached if proper strategic planning is not employed.</p><p class="graf graf--p"><br />Second, and this is where we diverge from what most CISOs focus upon, is Comparing your organization to others in your sector. We must understand the attacker’s perspective. When they look for their next victim, they are evaluating who is best to target. By looking at your organization in contrast to others, you can understand how you appear in the landscape, and if you are in the pack or falling behind. You don’t want to be the easy prey.</p><p class="graf graf--p">Third, cybersecurity in operations, products, and services is becoming a Competitive advantage in many fields. The expectation of digital security, privacy, and safety is rising as a purchase and loyalty factor with consumers. 
This is where cybersecurity can help the organization compete and therefore contribute to fulfilling the business goals (like revenue, market share, upselling, and more).</p><p class="graf graf--p">Cybersecurity can be a differentiating factor in many ways, including non-traditional competition. Savvy companies like Apple and Microsoft are maneuvering to improve their bottom line! Cybersecurity has the opportunity to not only enable, but contribute to corporate goals. Explore the potential and align as necessary to deliver value in new ways!</p><p class="graf graf--p"><br />Those are my 3 high-level tips to maximize cybersecurity value. By achieving success in these domains, you will be far ahead of others in being able to communicate sustainability and value for your cybersecurity program.</p><p class="graf graf--p graf--empty"> </p><p class="graf graf--p">Drop me a note if you need help or have questions. To learn more in-depth about each area, subscribe to my <a class="markup--anchor markup--p-anchor" href="https://www.youtube.com/c/CybersecurityInsights" target="_blank">Cybersecurity Insights channel</a> where I will be posting videos and interviews that detail the challenges and best practices.</p><p class="graf graf--p graf--empty"> </p></div>Biggest Challenge in Cybersecurityhttps://www.cisoplatform.com/profiles/blogs/biggest-challenge-in-cybersecurity2022-06-27T18:35:04.000Z2022-06-27T18:35:04.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/10599452666?profile=RESIZE_400x&width=400"></div><div><p class="pw-post-body-paragraph kn ko il kp b kq kr ks kt ku kv kw kx ky kz la lb lc ld le lf lg lh li lj lk ie gj" style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/jjmWbOQ5iQw" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="pw-post-body-paragraph kn ko il kp b kq kr ks kt ku kv kw kx ky 
kz la lb lc ld le lf lg lh li lj lk ie gj">In the next few years, the biggest challenge in cybersecurity won’t be dealing with a specific threat, but rather conveying a meaningful value proposition throughout the organization, and especially to the C-suite and board. It is key to the sustainability of cybersecurity and perhaps our biggest blind spot!</p><p id="c929" class="pw-post-body-paragraph kn ko il kp b kq kr ks kt ku kv kw kx ky kz la lb lc ld le lf lg lh li lj lk ie gj">Articulating value has always been hard, but two major factors are emerging to exacerbate the problem.</p><p id="e277" class="pw-post-body-paragraph kn ko il kp b kq kr ks kt ku kv kw kx ky kz la lb lc ld le lf lg lh li lj lk ie gj">First, the economy is in a downturn. We can expect a tightening of budgets and spending not related to revenue generation. This is a problem for cybersecurity and privacy, which are often seen as a cost center or an expense, that can be trimmed during lean budgetary times.</p><p id="b03d" class="pw-post-body-paragraph kn ko il kp b kq kr ks kt ku kv kw kx ky kz la lb lc ld le lf lg lh li lj lk ie gj">Secondly, the cost of cybersecurity continues to rise every year. We typically see 12% to 20% annual budget increases, and now a recent study showed a shocking 60% growth in budgets last year. This financial demand is not sustainable year-over-year for businesses. 
And realistically we don’t see an end in sight.</p><p class="pw-post-body-paragraph kn ko il kp b kq kr ks kt ku kv kw kx ky kz la lb lc ld le lf lg lh li lj lk ie gj">Quantifying the value of security has always been difficult, but now more than ever cybersecurity must align itself to enable and deliver meaningful contributions to the overall business goals and definitively convey this value to secure continued investment and support.</p><p id="f3de" class="pw-post-body-paragraph kn ko il kp b kq kr ks kt ku kv kw kx ky kz la lb lc ld le lf lg lh li lj lk ie gj">Failure to do so will undermine executive backing and that is a downward spiral when faced with ever-growing threats. It is a road that will lead to disaster, disillusionment, blame, and further disruption to the capacity to prevent future cyber-attacks.</p><p class="pw-post-body-paragraph kn ko il kp b kq kr ks kt ku kv kw kx ky kz la lb lc ld le lf lg lh li lj lk ie gj">That is why the cybersecurity leadership, across all sectors, needs to begin maneuvering to optimize efficiencies, align to deliver outcomes that contribute to the business goals, and clearly articulate the overall value proposition.</p><p id="cd27" class="pw-post-body-paragraph kn ko il kp b kq kr ks kt ku kv kw kx ky kz la lb lc ld le lf lg lh li lj lk ie gj">Those who fail will be fighting an uphill battle for funding and executive support that only shifts when really bad things happen. And that is not a good business model.</p><p id="c5e0" class="pw-post-body-paragraph kn ko il kp b kq kr ks kt ku kv kw kx ky kz la lb lc ld le lf lg lh li lj lk ie gj">I’m going to be talking more about the challenges of communicating cybersecurity value in articles, blogs, videos, and when speaking at conferences, like I did recently during the SPHERE2022 conference, because it is so crucial to the durability of cybersecurity. 
This will be the next big challenge for CISOs, and there is a lot to unpack around the risks and opportunities.</p><p class="pw-post-body-paragraph kn ko il kp b kq kr ks kt ku kv kw kx ky kz la lb lc ld le lf lg lh li lj lk ie gj">As always, come join me on the Cybersecurity Insights channel for more discussions and industry analysis. The link is below.</p><p class="pw-post-body-paragraph kn ko il kp b kq kr ks kt ku kv kw kx ky kz la lb lc ld le lf lg lh li lj lk ie gj"><a href="{{#staticFileLink}}10599452891,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10599452891,RESIZE_710x{{/staticFileLink}}" width="710" alt="10599452891?profile=RESIZE_710x" /></a></p><p id="a5d4" class="pw-post-body-paragraph kn ko il kp b kq kr ks kt ku kv kw kx ky kz la lb lc ld le lf lg lh li lj lk ie gj">Link to the Cybersecurity Insights channel: <a class="au tl" href="https://www.youtube.com/c/CybersecurityInsights" target="_blank">https://www.youtube.com/c/CybersecurityInsights</a></p></div>Cybersecurity Costs Skyrocket 60%https://www.cisoplatform.com/profiles/blogs/cybersecurity-costs-skyrocket-602022-05-19T01:36:24.000Z2022-05-19T01:36:24.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/10499592088?profile=RESIZE_400x&width=400"></div><div><p>Per the 2022 Hiscox Cyber Readiness report (survey), #cybersecurity spending increased 60% and median costs of incidents have risen 29% in the past year! This is not sustainable! Something must give if organizations are degrading at these rates. </p><p> </p><p>It is unavoidable that the cybersecurity industry will face many hard discussions regarding showing and maximizing value to an organization. 
</p><p> </p><p><a href="https://www.hiscoxgroup.com/cyber-readiness">https://www.hiscoxgroup.com/cyber-readiness</a></p></div>Hiring Desperation May Create Cybersecurity Riskshttps://www.cisoplatform.com/profiles/blogs/hiring-desperation-may-create-cybersecurity-risks2021-09-18T04:44:26.000Z2021-09-18T04:44:26.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/9578929660?profile=RESIZE_400x&width=400"></div><div><p><a href="{{#staticFileLink}}9578929464,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}9578929464,RESIZE_710x{{/staticFileLink}}" width="710" alt="9578929464?profile=RESIZE_710x" /></a></p><p>With 11 million job openings in the U.S., the most ever, how desperate will organizations be to hire personnel? I am concerned that cybersecurity risks of insiders will increase if processes for proper vetting and background checks become lax for new hires.<br /> <br /> I suggest my fellow Chief Information Security Officers (CISOs) have a discussion with the head of their Human Resources to understand if the cyber risks are going to increase in the organization due to more 'flexible' hiring practices.</p></div>4 Phases of Cybersecurity Maturityhttps://www.cisoplatform.com/profiles/blogs/4-phases-of-cybersecurity-maturity2021-09-16T01:29:35.000Z2021-09-16T01:29:35.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/9571585076?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/y6LcEPdSiEM" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="graf graf--p">There are four typical evolutionary maturity levels for cybersecurity programs. 
The benefits and drawbacks of each phase create a natural tension that pulls organizations forward to become better at managing risks, costs, and the friction that accompanies digital protection.</p><p class="graf graf--p">A company’s cybersecurity goals, strengths, weaknesses, and challenges can often be quickly ascertained by simply recognizing where they are on the evolutionary scale.</p><p class="graf graf--p">In today’s video I explore the phases in depth.</p><p class="graf graf--p">…Let me know what you think and if you admire a particular organization that has achieved the highest phase of maturity.</p><p class="graf graf--p graf--empty"> </p><p class="graf graf--p">Please click the Like button if you found this insightful and subscribe to the Cybersecurity Insights channel for more best-practices, rants, and strategic viewpoints. <a class="markup--anchor markup--p-anchor" href="https://www.youtube.com/c/CybersecurityInsights" target="_blank">https://www.youtube.com/c/CybersecurityInsights</a></p><p class="graf graf--p">Follow me on:</p><ul class="postList"><li class="graf graf--li">LinkedIn: <a class="markup--anchor markup--li-anchor" href="https://www.linkedin.com/today/author/matthewrosenquist" target="_blank">https://www.linkedin.com/today/author/matthewrosenquist</a></li><li class="graf graf--li">Medium: <a class="markup--anchor markup--li-anchor" href="https://medium.com/@matthew.rosenquist" target="_blank">https://medium.com/@matthew.rosenquist</a></li><li class="graf graf--li">Twitter (@Matt_Rosenquist): <a class="markup--anchor markup--li-anchor" href="https://twitter.com/Matt_Rosenquist" target="_blank">https://twitter.com/Matt_Rosenquist</a></li></ul></div>Cybersecurity Progresses from Mitigating Risks to Deliver Profit Opportunitieshttps://www.cisoplatform.com/profiles/blogs/cybersecurity-progresses-from-mitigating-risks-to-deliver-profit-2021-09-09T00:28:18.000Z2021-09-09T00:28:18.000ZMatthew 
Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/9547617257?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/eC8RhusATgU" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="graf graf--p">Cybersecurity is breaking out from just preventing risk of loss! Forward thinking companies are showing leadership by leveraging cybersecurity capabilities to contribute to market position and profitability opportunities. In today’s video I cover some of the ways cybersecurity is being leveraged for the bottom line.</p><p class="graf graf--p graf--empty"> </p><p class="graf graf--p">Please click the Like button if you found this insightful and subscribe to the Cybersecurity Insights channel for more best-practices, rants, and strategic viewpoints. <a class="markup--anchor markup--p-anchor" href="https://www.youtube.com/c/CybersecurityInsights" target="_blank">https://www.youtube.com/c/CybersecurityInsights</a></p><p class="graf graf--p">Follow me on:</p><ul class="postList"><li class="graf graf--li">LinkedIn: <a class="markup--anchor markup--li-anchor" href="https://www.linkedin.com/today/author/matthewrosenquist" target="_blank">https://www.linkedin.com/today/author/matthewrosenquist</a></li><li class="graf graf--li">Medium: <a class="markup--anchor markup--li-anchor" href="https://medium.com/@matthew.rosenquist" target="_blank">https://medium.com/@matthew.rosenquist</a></li><li class="graf graf--li">Twitter (@Matt_Rosenquist): <a class="markup--anchor markup--li-anchor" href="https://twitter.com/Matt_Rosenquist" target="_blank">https://twitter.com/Matt_Rosenquist</a></li></ul></div>Top Tip for New Managershttps://www.cisoplatform.com/profiles/blogs/top-tip-for-new-managers2021-08-14T21:47:46.000Z2021-08-14T21:47:46.000ZMatthew 
Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/9426228483?profile=RESIZE_400x&width=400"></div><div><p style="font-weight:400;">The single most important tip for aspiring managers is to learn to be a good leader. </p><h3><strong>Managers vs Leaders</strong></h3><p style="font-weight:400;">A manager is a functional role that ascribes responsibility for a team and an outcome. It is an organizational assignment that may or may not be based upon skills or a desire for responsibility. Managers often prioritize the pursuit of short-term goals and are willing to sacrifice team growth that is necessary for long-term success. A leader is someone who is well suited to support the individual team members and organize them for maximum benefit of achieving the goals. Leaders help individuals work together in optimal ways for the common objective and are often recognized by their outstanding sustainable results.</p><h3><strong>Leadership Requires Effort</strong></h3><p style="font-weight:400;">Although many new managers exhibit raw leadership talent, it is never polished in the beginning. It takes knowledge, hard work, and experience to refine someone into a good leader. Leadership is a skill - one that can be taught but ultimately must be learned through tempering and experience by the individual.</p><p style="font-weight:400;">Famous leaders throughout history had to work to become great but they didn’t start out that way. The results they accomplished are what they are remembered for. It is the teamwork they fostered that makes such great successes possible. Managing a staff is far different than leading a team. Knowing the difference is important.</p><h3><strong>Advice to Managers</strong></h3><p style="font-weight:400;">Every manager should aspire to become a good leader. 
It will improve your personal competencies, enhance the skills of those you manage, strengthen the results that the team can deliver, and improve the overall long-term capability of the organization. Learn the skills, adopt relevant tools, and gain personal experience through mentors. Becoming a good leader is a journey. It starts with understanding your strengths and weaknesses, then those of the team. It requires the knowledge and passion to address the behavioral, technical, and process issues that support success. </p><p style="font-weight:400;">There are many great leadership programs available. To complement education, mentorship can be a great accelerator. Mentors who are great leaders have a wealth of insights, experiences, and tools that can be passed on to others. The journey can be tough and fraught with pitfalls. Having a good mentor can ease the difficulty and help avoid the biggest problems.</p><p style="font-weight:400;">Leaders are valued and appreciated because they not only deliver exceptional results, but they do so without causing damage to the people in the organization. They help inspire, lead, and train others to make outstanding contributions. They recognize and celebrate success, protect individuals from caustic situations, help team members grow, and take overall responsibility for failures. </p><p style="font-weight:400;">Being a good leader is both tough and tremendously rewarding. 
If you aspire to be a great manager, then seek to become a capable leader.</p></div>Where Should a CISO Report Into?https://www.cisoplatform.com/profiles/blogs/where-should-a-ciso-report-into2021-05-03T16:31:04.000Z2021-05-03T16:31:04.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/8889297884?profile=RESIZE_400x&width=400"></div><div><p><iframe title="YouTube video player" src="https://www.youtube.com/embed/kImvw3Mosns" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p>Where should a CISO report into within an organization? No common standard exists, as we can find them operating under many different organizations, including IT, Legal, the CTO, and the CEO, just to name a few. </p><p>In today’s video, I break down some of the considerations that impact where the CISO can be most effective.</p><p>Be sure to share your insights regarding this ongoing debate. Where do you think CISOs should report into?</p><p>Interested in more cybersecurity insights, rants, and strategic viewpoints? 
</p><p>Subscribe to the Cybersecurity Insights channel on YouTube: <a href="https://www.youtube.com/c/CybersecurityInsights">https://www.youtube.com/c/CybersecurityInsights</a></p><p>Follow me on:</p><ul><li>LinkedIn: <a href="https://www.linkedin.com/today/author/matthewrosenquist">https://www.linkedin.com/today/author/matthewrosenquist</a></li><li>Medium: <a href="https://medium.com/@matthew.rosenquist">https://medium.com/@matthew.rosenquist</a></li><li>Twitter (@Matt_Rosenquist): <a href="https://twitter.com/Matt_Rosenquist">https://twitter.com/Matt_Rosenquist</a></li></ul></div>What’s Broken with M&A Cybersecurityhttps://www.cisoplatform.com/profiles/blogs/what-s-broken-with-m-a-cybersecurity2021-04-27T00:07:53.000Z2021-04-27T00:07:53.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/8838591454?profile=RESIZE_400x&width=400"></div><div><p><iframe title="YouTube video player" src="https://www.youtube.com/embed/A8tsWZEPjmU" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p>Cybersecurity for Mergers and Acquisitions is a mess. There are a surprising number of significant unforeseen risks that can wreak havoc on M&A deals. In this week’s fireside chat, I am joined by Justin Daniels, General Counsel/Cybersecurity/Data Protection SME at Baker Donelson, and Alex Rayter, Principal at Phoenix 2.0 Inc, to discuss the due diligence, risks, and recommendations to better understand and manage the challenges.</p><p>I spent several years involved with Intel Corp. M&A projects, led the cybersecurity team, and built the processes to evaluate and manage cyber risks. Justin and Alex are currently working to help clients understand the challenges and deal with the repercussions. 
In our chat, we share our insights and experiences and provide insights into how acquiring companies should carefully maneuver.</p><p>Let us know your experiences and if your organization is taking cybersecurity seriously when dealing with mergers, acquisitions, and divestitures.</p><p>Interested in more cybersecurity insights, rants, and strategic viewpoints?</p><p>Subscribe to the Cybersecurity Insights channel on YouTube: <a href="https://www.youtube.com/c/CybersecurityInsights" target="_blank">https://www.youtube.com/c/CybersecurityInsights</a></p><p>Follow me on:</p><ul><li>LinkedIn: <a href="https://www.linkedin.com/today/author/matthewrosenquist" target="_blank">https://www.linkedin.com/today/author/matthewrosenquist</a></li><li>Medium: <a href="https://medium.com/@matthew.rosenquist" target="_blank">https://medium.com/@matthew.rosenquist</a></li><li>Twitter (@Matt_Rosenquist): <a href="https://twitter.com/Matt_Rosenquist" target="_blank">https://twitter.com/Matt_Rosenquist</a></li></ul></div>Disaster Recovery and Business Continuity Managementhttps://www.cisoplatform.com/profiles/blogs/disaster-recovery-and-business-continuity-management2013-06-06T06:30:00.000Z2013-06-06T06:30:00.000ZRam Mohan Chttps://www.cisoplatform.com/members/RamMohanC<div><p>Today enterprises live in a world where natural or man-made disasters can bring a business to its knees. 
It is therefore critically important for these enterprises to recognise that disasters are real and do happen, and that they must have a structured programme to protect their information from external and internal threats and disasters.</p><p><b>Common Disasters</b>:</p><table border="1" cellspacing="0"><tbody><tr><td valign="top" width="185"><p><b>Natural</b></p></td><td valign="top" width="185"><p><b>Human</b></p></td><td valign="top" width="185"><p><b>Technical</b></p></td><td valign="top" width="185"><p><b>Proximity</b></p></td></tr><tr><td valign="top" width="185"><p>Floods</p></td><td valign="top" width="185"><p>Terrorism</p></td><td valign="top" width="185"><p>Virus Attack</p></td><td valign="top" width="185"><p>Nuclear Reactors</p></td></tr><tr><td valign="top" width="185"><p>Hurricane</p></td><td valign="top" width="185"><p>War</p></td><td valign="top" width="185"><p>Power Failure</p></td><td valign="top" width="185"><p>Railway Tracks</p></td></tr><tr><td valign="top" width="185"><p>Earthquake</p></td><td valign="top" width="185"><p>Vandalism/Riots</p></td><td valign="top" width="185"><p>HVAC Failure</p></td><td valign="top" width="185"><p>Airports</p></td></tr><tr><td valign="top" width="185"><p>Wildfires</p></td><td valign="top" width="185"><p>Burglary</p></td><td valign="top" width="185"><p>Network Failure</p></td><td valign="top" width="185"><p>Electrical Stations</p></td></tr><tr><td valign="top" width="185"><p>Epidemics</p></td><td valign="top" width="185"><p>Data Theft</p></td><td valign="top" width="185"><p>Building Problems</p></td><td valign="top" width="185"><p>Military Bases</p></td></tr><tr><td valign="top" width="185"><p>Tsunami</p></td><td valign="top" width="185"><p>Fraud</p></td><td valign="top" width="185"><p>Hardware Failure</p></td><td valign="top" width="185"><p> </p></td></tr><tr><td valign="top" width="185"><p> </p></td><td valign="top" width="185"><p>Accidents</p></td><td valign="top" width="185"><p> </p></td><td valign="top" width="185"><p> </p></td></tr></tbody></table><p>These are the potential threats to an organisation and, if realised, may impact business operations, reputation and brand image. As you can see, the threats are both internal and external.</p><p>A holistic management process that identifies these potential threats and provides a framework for building organisational resilience, with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, business operations and brand image, is called Business Continuity Management (BCM).</p><p>Generally, most enterprises need to be back in business with minimum downtime after a disaster.</p><p>There is no “one size fits all” generic BCM and disaster recovery plan. Each enterprise needs its own customised plan to bring it back to business. Nevertheless, useful guidelines are available for managing disasters, and the British Standards Institution (BSI) has released a new independent standard for BCP: BS 25999-1. Prior to the introduction of BS 25999, BCP professionals relied on the BSI information security standard BS 7799, which addressed BCP only peripherally, as a means of improving an organisation's information security compliance. BS 25999's applicability, however, extends to organisations of all types, sizes and missions, whether governmental or private, profit or non-profit, large or small, and in any industry sector. 
Using these guidelines, each enterprise then needs to develop its own customised BCP.</p><p>A well-defined BCM has the following essential components:</p><ul><li>Vision</li><li>BCM Strategy</li><li>Organisation wide awareness</li><li>Identification of Information assets</li><li>Risk assessment</li><li>Impact Analysis</li><li>Risk mitigation</li><li>Business Continuity Planning</li><li>DR site strategy and implementation</li><li>DR drills</li><li>Audit and continuous improvement</li></ul><p><b>Vision:</b></p><p>The structured programme to secure an organisation’s business operations starts with a clearly articulated vision. At Mindtree, we believe that this vision should come from none other than the CEO and that the initiatives should be driven from the top. The vision then needs to be adapted to all departments, because when a disaster strikes it may not spare any of them. It is also critical to articulate this vision to the board and incorporate it as part of corporate governance.</p><p><b>BCM Strategy:</b></p><p>The next stage is to define a well-articulated strategy covering recovery from disaster, the essential functions that need to be recovered, and timelines for recovery. 
The strategy should clearly focus on recovery of business operations, brand image, and reputation.</p><p>The strategy should typically cover the points below:</p><ul><li>A BCP budget should be formalised and approved by senior management.</li><li>Disaster declaration authorities, who will be responsible for implementing the continuity strategies in the event of a disaster or business interruption, should be identified.</li><li>An incident management system or process for monitoring, recovering and stabilising after a disaster or business interruption should be identified.</li><li>The plan should be reviewed periodically and benchmarked against industry standard practices and other similar organisations’ best practices.</li></ul><p><b>Organisation wide awareness:</b></p><p>One of the main challenges of BCM is lack of interest. BCM is always treated as an initiative of either the IS or the Security department. It is important to create awareness among the organisation's employees, partners and vendors of the BCM initiatives and of their roles and responsibilities in them. A training plan should be developed and the training conducted at regular, defined intervals.</p><p><b>Identification of information assets:</b></p><p>Information resides everywhere in an organisation: in printed sheets, in files, in computers, in storage racks, in offsite data centers, in tapes stored in a remote location and even in employees’ heads. All these sources of information are vulnerable to external and internal threats, and the damage can be significant. These information assets need to be identified along with their location. 
Once the assets are located and identified, the criticality of each asset needs to be documented.</p><p><b>Risk Assessment:</b></p><p>Two important characteristics of a risk are:</p><ol><li>Probability of occurrence (low, medium or high)</li><li>Severity (low, medium or high)</li></ol><p>Develop a risk table by:</p><ul><li>Listing all the risks</li><li>Categorising the risks</li><li>Analysing the probability</li><li>Analysing the severity</li><li>Sorting the risks and identifying the risks to be managed</li></ul><p><b>Impact analysis:</b></p><p>Risk analysis needs to be undertaken to cover the impact of each risk.</p><p>For example, an earthquake of Richter scale 8.0 has low probability in London but high impact on your information assets. On the other hand, a virus attack can have high probability but low impact if all the security measures to prevent a virus attack are in place.</p><p>This impact analysis should also cover financial, brand and other damages, which should be clearly quantified.</p><p>Identify key business processes and critical dependencies. The impacts of potential business interruptions should be identified.</p><p><b>Risk Mitigation:</b></p><p>Once the impacts are analysed, MindTree recommends that a mitigation strategy be developed for each category of risk. 
The next step is to take measures to manage the risk.</p><p>Risk mitigation involves:</p><ul><li>Analysis of the threats most likely to occur</li><li>Identifying the threats that have the most impact</li><li>Minimising service disruptions and financial loss</li><li>Having a contingency plan for mitigating risks</li></ul><p>For example, the risk mitigation strategy for hardware failure of a mission-critical server is to have spares onsite so that downtime is minimised.</p><p><b>Business Continuity Plan:</b></p><p>The business continuity plan should have the optimum business recovery time for your business. For example, if it is acceptable for your business recovery time to be measured in days, then you may opt for just offsite tape storage. However, if the acceptable business recovery time is just a few hours, then a hot standby system at a disaster recovery site may be needed.</p><p>The BCP needs to cover the following aspects:</p><ul><li>Identify process-specific Recovery Time Objectives (RTO)</li><li>Identify the minimum capacity requirement to run the business operations at an acceptable level</li><li>Calculate recovery efforts based on RTO</li><li>Review Service Level Agreements between the organisation and external partners</li><li>Identify critical information resources</li><li>Prioritise these resources in order of recovery</li><li>Identify procedures for acquiring critical resources in the event of a disaster</li><li>Identify contact information and procedures for disaster authorities</li><li>Identify and keep ready a disaster recovery site</li><li>Conduct a cost-benefit analysis of moving the business processes to the DR site</li><li>Define standard procedures for response, recovery and restoration</li><li>Develop procedures for relocating the business processes to the DR site</li><li>Define emergency response procedures that are<ul><li>Time based</li><li>Team based</li><li>Checklist based</li><li>Chronological</li></ul></li><li>Identify ER team members with contact information</li><li>Create response, recovery and restoration processes for security and safety</li><li>Document and train crisis communication procedures</li></ul><p><b>DR site strategy and implementation:</b></p><p>If the primary site of business is severely affected by a disaster, the business processes may have to be relocated to an alternate site. The business processes may include people, machinery, and IT assets. The location of the DR site has to be carefully selected so that the same disaster does not affect the DR site at the same time as it strikes the primary site.</p><p>E.g.: if the probability of a forest fire spreading across the entire location is very high, then the disaster recovery site should be located several hundred miles away from the primary site.</p><p>It is also important to identify the minimum capacity of operations to be duplicated at the disaster recovery site to enable an acceptable level of business to continue until the primary site becomes functional again.</p><p><b>Disaster Recovery Drills:</b></p><p>Disaster recovery drills need to be drawn up and tested at regular intervals in order to ensure your preparedness for a disaster.</p><p>BCP and DR should cover all aspects of business, from sales to operations and from people functions to IT, specifically information management. 
Testing approaches like top-down drills and full plan tests should be conducted.</p><p>The drills often take care of only certain aspects of the business, and our view is that it is likely to be worthwhile to create disaster simulation models to test the DR plan in areas where an actual drill cannot be carried out.</p><p>The drill should involve all critical business units, departments and functions. The roles and responsibilities for BCP testing should be assigned in advance.</p><p><b>Audit and continuous improvement:</b></p><p>A post-test review and analysis process needs to be created.</p><p>The BCM process needs to be periodically audited to ensure compliance with company standards.</p><p>Specific timelines need to be defined to update the BCM based on the change management process of the organisation.</p><p>Though BCM is an absolute necessity for every enterprise, implementation often faces several challenges. Some of them are:</p><ul><li>BCM doesn’t have an ROI</li><li>BCM does not generate revenue</li><li>Can BCM be replaced by insurance?</li><li>Planners’ overkill budget</li><li>Lack of interest from senior management</li><li>No budget for BCM</li><li>It will not happen to us</li></ul><p>It is important to make sure that the BCM is lean and mean and requires only the minimum capacity needed to run the business operations at an acceptable level in the event of a disaster. It is also important to quantify the impact to the business, brand and image of the company in the event of a disaster.</p><p>This was brought home to one of MindTree’s customers very recently when Hurricane Ike struck their Houston Data Center. 
Yet, with the help of a well-planned and articulated BCP and BCM plan, MindTree IMTS engineers were able to ensure recovery from the disaster within 48 hours without disrupting the client’s business. This was only possible because of several months of planning and implementation of BCP and DR. The critical business operations were moved to a disaster recovery site within 24 hours without any physical movement of people, hardware or software.</p><p class="tabletext">By Ram Mohan, Executive Vice President and Head of <b>Infrastructure Management and Tech Support at Mindtree Ltd.</b></p></div>Aligning security objectives with business objectiveshttps://www.cisoplatform.com/profiles/blogs/aligning-security-objectives-with-business-objectives2016-09-01T06:30:00.000Z2016-09-01T06:30:00.000ZSyed Azherhttps://www.cisoplatform.com/members/SyedAzher<div><p style="text-align:left;">This is about developing an information security master plan. The concept is that when you develop a plan, you begin with a risk assessment: not a risk assessment from a security standpoint but from a business standpoint. You go through that process by interviewing various executives, getting their input and understanding what they believe are the risks that the business is exposed to. 
Then you take that away, evaluate the risks and see what you can do to develop a plan to mitigate them. Sometimes the plan requires disciplines outside of security, which you can’t ignore, so you make sure you adopt a total business approach and involve other groups such as HR, IT and marketing/business areas.</p><p style="text-align:left;">It is important to put together a total plan and then go back to the executives. Present to them how you might mitigate those risks; in some cases you might be able to eliminate a risk, but usually you can eliminate risk by outsourcing the particular issue to somebody else. At the very least you should develop a plan, and based on that you can define the cost versus benefit involved.</p><p style="text-align:left;">You should always do a master plan of 12-18 months, or as frequently as you do your business plan, and based on priority you can split the cost on a year-to-year or month-by-month basis. The key aspect is to tie the plan to the risk and demonstrate how your spending is reducing the risk. By doing that you are not just getting management to approve the expenditure of the money; you are getting them to approve a reduction of risk, which is something they understand much better than technology needs (e.g. asking to buy a security camera for the data center or adding DLP technology).</p><p style="text-align:left;">It is important to have an annual risk analysis conducted before your budget cycle so that if any new risks are identified, you have time to put together a plan to address them. 
If there are no new risks, at least you are reminding the executives why you are spending the money.</p><p dir="ltr"><em>What are your thoughts on Aligning Security Objectives with Business Objectives? Share in the comments below.</em></p></div>