In this interview with Kelly York, security awareness manager at the McDonald's Corporation, she discusses the state of attracting and retaining talent in information security and also provides some helpful tips that could get you and your business over the hump when it comes to the topic.
The modern-day CISO faces a multitude of challenges they must face head-on to build a sense of leadership and vision within the security and risk department. InfoSec Insider caught up with CISO Spotlight's Todd Fitzgerald, who offered up concrete tips up-and-coming security leaders can leverage when it comes to achieving organizational effectiveness.
Knowing how to approach buying cybersecurity vendors is a difficult task. There’s a lot to manage internally (budget, needs, fit) and it’s hard to know what kind of vendors or solutions would serve your organization best. The fear, uncertainty, and doubt (FUD) experienced by cybersecurity vendors are especially troubling.
Cybereason CSO Sam Curry shares how “black propaganda” is leveraged by foreign adversaries, why 2016 was a failure of imagination from a cyber standpoint, and what we should be prepared for leading into the 2020 presidential elections.
InfoSec Insider caught up with Cylance's Chief Security and Trust Officer, Malcolm Harkins, who shared why he believes leadership in information security today is sorely lacking, but more importantly, what needs to be done in order for today's security leaders to create an "ideal state" for their departments.
Security departments have evolved tremendously over the years, but so have cyber threats. As organizations become more aware that nearly no one can be trusted, whose job is it to watch the watchers? At this year’s RSA Conference in San Francisco, InfoSec Insider caught up with Forcepoint's Dr. Richard Ford who dives into the topic.
In the latest edition of InfoSec Insider’s DeMISTIfying Security series, veteran experts Ed Moyle and Raef Meeuwisse discuss the state of cybersecurity as it relates to executive support within the business.
Cyber swindlers are continually looking to reinvent themselves, and their methods are becoming savvier. InfoSec Insider caught up with Digital Shadows CISO Rick Holland on the recent research that his team has conducted on cybercrime extortion, and how security practitioners can secure their organizations don't fall prey to these attacks.
Cybersecurity remains a persistent challenge in information technology, and for IT security professionals, AI and other tools are valuable for organically managing cybersecurity without depending on vendors that might have more sophisticated tools and experience using them.
By Steve Black, Professor of Law, Texas Tech University
March 26, 2019
Cyber law is focused on bringing more clarity to privacy questions that new technology introduce. It’s important for all security professionals to have a basic understanding of current and potential future cyber law concepts in order to stay compliant and ensure sensitive data stays safe.
By Paul Rohmeyer, Program Director MS Information Systems, Stevens Institute of Technology
March 12, 2019
Today, there are highly specialized training options offered both in-person and online in the form of meetups, webinars, formal courses, and in-house and external conferences. The attractiveness (cost, convenience, and specialty) of these alternative options has driven cybersecurity talent to steer towards education avenues outside of traditional academia.
When you’re talking information security among your peers, it sounds like a totally different language than the rest of your organization speaks. This puts infosec professionals in a bind. On the one hand, security vulnerabilities exist throughout the company. Yet you, alone, are carrying the burden of knowing just how serious it can get. That’s why it’s up to you to create an information security communication strategy.
Cybersecurity awareness training is a critical component to your security hygiene. The most effective training programs are offered frequently and use available frameworks, focus points, tools, and tactics to build a culture where cybersecurity is embraced, not avoided or shunned.
Last week we shared the first part of this two-part series on cyber threats in 2019. This week we wrap up the remainder of the insights we shared thanks to our conversation with subject matter expert Adrian Sanabria, VP of strategy and product at NopSec.
InfoSec Insider caught up with one SME that helped us put together a list of the looming threats your company should keep an eye on and how organizations can defend themselves accordingly. Here's a look at what you should have on your radar.
The term threat hunting has been tossed around a lot, but what does it actually mean and can your cybersecurity playbook benefit from it? Many organizations are tapping into its benefits, so we've decided to provide you with a breakdown in this feature article.
Social engineering is unique in the cybersecurity world as its scope of influence can vary widely on the software, hardware, and even psychological level. In this article, we’ll cover social engineering attacks and help you learn from recent developments in the space.
In last week's segment, Ed and Raef discussed some of the major developments in infosec in 2018. This week, they take out their crystal ball and look into 2019, sharing their thoughts on what many practitioners could expect.
In the latest installment of InfoSec Insider’s DeMISTIfying Security series, security experts Ed Moyle and Raef Meeuwisse return to review the major breaches, developments, and takeaways that you can get from information security events in 2018.
Like it or not, the digital transformation era is here. But what does that actually mean--and more importantly--what does that mean to you? We caught up with Zscaler's Business Value Consulting Leader, Jason Georgi, who broke it down for InfoSec Insider.
As 2018 wraps up, InfoSec Insider looks back at some of the most popular articles we've produced for our loyal audience. From communicating security metrics to the board and making sense of attack patterns, to key areas that you should focus your cybersecurity strategy on, here's a list of the top 10 articles.
The idea behind collaborative security is to change the security and threat landscape from the daunting “one vs. many” to “many vs. many,” embracing the power of knowledge and collaboration to protect valuable data.
In this walkthrough, InfoSec Insider experts Ed Moyle and Raef Meeuwisse demonstrate one useful exercise that can aid security practitioners in getting a lay of the land in their organization, serving as the perfect first step in ultimately measuring and reducing information security risks.
InfoSec Insider SMEs Ed Moyle and Raef Meeuwisse are back, but this time they're talking fundamentals. If you're an up-and-coming security warrior, you'll definitely want to heed this advice from the two infosec experts.
Cyber threats are top of mind for board members, but communicating cyber threat intelligence may not be the easiest task for security leaders. In this recent interview with Tim Callahan, senior vice president and global security officer at Aflac provides some helpful tips that could go a long way.
Threat intelligence has transformed the information security world for the better but it’s not always leveraged in the best way possible by organizations and departments. InfoSec Insider spoke to threat intel expert Karl Sigler to get a sense of how organizations can maximize threat intelligence for their organization.
InfoSec Insider catches up with cybersecurity experts on the lessons learned from the 2016 election hacks, and what the security practitioner of today could learn from those events. With early voting already in full swing, we take a brief look back at what occurred.
Ntrepid Corporation’s Chief Scientist Lance Cottrell chats with InfoSec Insider and offers up the major dos and don’ts tied to password management, as well as pinpoints the significant weaknesses in some of the systems we’ve come to rely on heavily.
Data privacy and protection is an often underappreciated aspect of information security, but in many ways, it provides the foundational groundwork for a well-established security environment that offers internal and external reassurance. Here's why and how you should train up your team.
enSilo CEO Roy Katmor sits with InfoSec Insider to discuss how security automation is impacting the time and duties of the modern day security professional, and how the skills they need to succeed will change as a result of the technology.
InfoSec Insider takes a first-hand look at Trustwave’s new SpiderLabs Fusion Center in Chicago and speaks with Chris Schueler, senior vice president of managed security services, on the purpose behind its creation.
Forcepoint’s Dr. Richard Ford discusses the impact that the 2016 election meddling had on the cybersecurity community, and the lessons learned that security practitioners should take note of, but most importantly, act on.
Cybrary COO Kathie Miley pinpoints the real issues organizations face when it comes to the cybersecurity talent shortage, why employers are doing a good job of finding the right talent only in certain circumstances, and the impact the cybersecurity solutions market is having on the talent shortage.
Bugcrowd Founder Case Ellis discusses the evolution of bug bounty programs and their impact on information security, in addition to providing tips on the key areas to focus on when it comes to developing a bug bounty program at your organization.
Given the skills gap in information security, it's important for cybersecurity managers to diversify and expand the skill base of their team members. Here, we highlight how they can do it from a practical point of view.
The Cyber Threat Alliance’s Chief Analytic Officer Neil Jenkins provides update on the state of information sharing in 2018 and provides some insight on the steps security practitioners can take if they’re interested in sharing their threat data.
Cybereason’s Israel Barak discusses the approach that far too many businesses take when it comes to their security strategy and highlights the steps that security professionals should be seeking to rethink the programs and challenges they face tied to measurably reducing risk within the business.
CA Veracode’s Chris Wysopal discusses how the 2016 presidential election hack broadened the horizon on how security warriors think about defending their data and offers up advice on what they should consider when it comes to protecting sensitive information.
SAP CSO Justin Somaini discusses how the role of the CISO has evolved into what it is today, and what up and coming security leaders should prepare for once they take charge of a security program at a major organization.
ISACA’s Rob Clyde discusses what’s leading cybersecurity to be at negative unemployment, but also shares how addressing issues in diversity, training, and education could go a long way in closing that talent gap.
Cisco's Edna Conway shares her insight on what infosec leaders can do to ensure that security becomes an active discussion about the way you operate within the business, rather than an added bolt-on feature.
When a company falls victim to a cyber incident, security personnel are often in the line fire--especially when they've focused only on the technical side of the job. Here we provide some tips that can lessen the chances that any one person will bear the absolute blame.
What do running and your career in information technology/information security have in common? At first glance, not a whole lot. But with a couple of quick examples, I think we will find some similarities.
To help security leaders find new ways to better align with business colleagues, we turned to two experts to find out how they’re constantly maneuvering between technical requirements and fueling business priorities.
You picked them! Here's a look at the most read articles published on InfoSec Insider in 2017. From CASB to threat intelligence, you'll find a unique mix of some engaging content that answers some of your pressing questions.
After conducting 80 interviews with security leaders and board members, these two experts discuss the findings of their research and offer a rare window into how each group viewed progress and setbacks in their oversight of cyber risk.
Trustwave Threat Intelligence Manager Karl Sigler discusses the non-traditional devices that security professionals should have on their radar and how thermostats can figuratively turn up the heat for infosec pros, and literally for the enterprise.
We’ve all heard about the security staffing shortage; it attracts a lot of press and is hard to ignore. If you’re currently working for an organization that is not hiring, you, yourself, might be receiving regular calls from recruiters about one of the estimated 1 million open positions. Maybe you’re even covertly scoping out your next job opportunity.
Depending on your source, insider threat accounts for anywhere from 27% - 77% of all breaches. Despite the disparity in agreement about size of the problem, most security practitioners agree that the difficulty identifying insider threat is greater than identifying external threats.
In biology, it is well known that genetic diversity creates strength in that it helps build resilience to disease, disorders, and other human ailments. At a community level, we also find strength in diversity.
While some security professionals have climbed the ranks based on their technical know-how, it’s the transition into the business leadership role that tends to present the challenges for chief security officers.
Leadership is a lot like playing in an orchestra. For those less familiar with an orchestra setting, let me explain. The basics: A traditional orchestra is made up of strings, woodwinds, brass, and percussion, plus keyboards.
The President of the United States is apparently using an Android phone, and likely an outdated version, at that. Despite reports that the newly inaugurated president was, in typical fashion, offered a “secure, encrypted device approved by the Secret Service,” it appears Mr. Trump prefers his own personal device. Don’t we all?
As we continue to ramp up our efforts in providing you with a resourceful library of content you can rely on, we’ve decided to reflect on some of the top InfoSec insider articles of 2016, based on the engagement we’ve received from our readers.
Security teams fight many battles. There are threats, vulnerabilities, exploits, improperly configured systems, legacy equipment, lean budgets, staffing shortages, and users who are fallible. Any of these things, alone, add up to challenge, but possibly the biggest challenge security teams face is the battle between the security department and the CIO.
Remember the “telephone game” played at parties when you were a kid? One person would make up a sentence or phrase which she or he then whispered into the ear of the person sitting next to him/her in a circle. That person would, in turn, whisper what he/she had heard into the ear of the next person in the circle.
Defining a “good” chief information security officer is difficult. On one side, many CISOs have risen through the security ranks due to their technical prowess and were thus handed a “business position,” asked to manage a team, and required to start briefing the executive suite on the state of the company’s security.
Rumblings about the security talent deficit are pervasive. Just like news of recent breaches, it’s hard to get through a week without reading an article, viewing a webcast, or attending a conference during which the subject is not addressed.
Hiring security staff is a big challenge. Not only does the industry need more people to fill the open positions than it currently has, but to complicate matters further, hiring managers aren’t necessarily security professionals themselves; many organizations’ security teams report to IT, operations, or even finance.
By many estimates, the demand for information security practitioners far exceeds availability. As security becomes an appreciable concern for large and small companies alike, it stands to reason that the industry is going to face a serious shortage in the coming years if new practitioners aren’t found or cultivated.
Unless you're oblivious to the news, you're well aware that the information security industry is getting a lot of attention. Be it the headline-grabbing breaches taking place on a seemingly frequent basis, or the fact that the number of digital internet-connected devices per capita is increasing constantly.
Information security teams face a serious problem when they are unable to detect the presence of a threat actor inside organizational systems. Knowing who has access to key applications is an imperative for trying to protect the company, yet according to a new report published by Okta that may not be a case.
The term “hacker” is thrown around liberally nowadays. It’s a surefire traffic-boosting headline, and the media seizes any opportunity to publish a story with a hacker connection, often positioning the word as a synonym for “malicious attacker.”
The role of the CISO is changing. We hear about it every day: CISOs must become more business oriented and fine-tune communication skills so other executives consider heads of security business equals.
“A lot of security departments are swimming in the wrong direction,” says Raef Meeuwisse, Director of Cybersecurity at Cyber Simplicity Ltd. By this, Meeuwisse means that companies haven’t yet redirected the scope of their security programs—the tools, technologies, and processes—to reflect current threats.
For security practitioners, the name of the game is risk management. These risks come in all shapes and sizes, from system vulnerabilities and the onslaught of evolving malware, to threats posed by insiders.
Several years after the introduction of DevOps, the security community continues to laud the method while scant few developers are hopping on the bandwagon. One of the issues is that “security” isn’t part of DevOps.
Cloud Security World 2016 finished up on Wednesday evening after two days of conversation around all-things-cloud security. “We’ve seen this before,” was a common refrain, and thankfully attendees have moved past the points of denying the existence of cloud services connected to their organizations and saying that cloud is “the largest” security concern.
During the recent EuroCACS conference Raef Meeuwisse, Director of Cybersecurity & Data Privacy Governance at Cyber Simplicity Ltd., referred to the CISO as the “Chief Information Scapegoat Officer,” based on an article posted on Infosecurity Magazine.
The entire security industry knows we have a staffing problem. With demand for security talent far greater than supply, companies with the right resources are positioned to lure top talent from competitors while everyone else is scrambling to find anyone with adequate technical acumen to learn the craft.
Technology is an inescapable part of our lives. Unless you live completely off the grid—grow your own food, never drive a car, transact with only the cash kept under your mattress inside your built-by-your-own-hands house—your personal information is collected, tracked, and exchanged by and among businesses.
By Michael Santarcangelo, founder, Security Catalyst
February 14, 2016
A few decades ago, we advanced information security with a simple phrase: "the Internet is bad, a firewall is good." We linked the dangers of connecting to others online with a simple method of protecting our companies. Now our ever-changing networks face dynamic, evolving threats.