Monthly Archives: October 2020

5 strategies for CISOs during a time of rapid business transformation

A survey of business leaders by PwC finds the pandemic is causing rapid changes in the roles CISOs play, and offers five tips for ensuring that security remains stable as we enter a new normal.

A study of business leaders by PwC has found that the role of chief information security officers (CISOs) have grown considerably due to the COVID-19 pandemic, with 40% saying they’re now having to fill both an operational role and the role of a digital transformation leader.

One of the major reasons CISOs are being pushed so hard could be because PwC found 40% of businesses have sped up digital transformation efforts due to pandemic shutdowns, with many having already advanced to year two or three of their five-year transformation plans.

All of these changes call for new modes of leadership and a complete transformation of organizational cybersecurity models, PwC argues, and it uses its survey’s findings to provide five moves CISOs should take to be sure cybersecurity keeps up with the evolution of the enterprise.

1. New strategies, and new modes of security leadership, are needed

Ninety-six percent of respondents said they’re adjusting their cybersecurity plans due to COVID-19, and the biggest evolution in security strategies seems to be baking security and privacy into every business decision.

Other security strategies that CISOs said they’re considering are new processes for budgeting, more granular quantification of risks, increasing interactions between CISOs and CEOs/boards, and increasing resilience testing for low-likelihood, but high-impact, events.

Increasing confidence, PwC said, requires putting a dollar amount on cyber risks. “The economics of cybersecurity has long focused on the cost side (compliance, updating capabilities, and so on). This must change,” the report said.

Costs should instead be considered as part of the overall business budget “in a strategic, risk-aligned, and data-driven way.” Evaluate the costs of security projects, the costs of compliance, the costs of risk reduction, and the value of cybersecurity investments in order to build a prioritized list of what needs to be done first in order to meet business objectives.

“This kind of rigor and sophistication will be increasingly demanded—especially as the markets and regulators hold CEOs and board members more accountable for cybersecurity and privacy,” the report said.

3. Do everything possible to level the playing field against attackers

Investing in cybersecurity innovation is essential, PwC said. Zero trust architecture, real-time threat intelligence, endpoint solutions, and other tools have all grown in recent years, and getting in on the ground floor with new security products can be the key to closing the gap between rapidly-evolving cyberthreats and security.

The next major evolution in security will be cloud products, the report found, with 76% of respondents saying they’ve already moved their security operations to the cloud. Cloud products, PwC said, are dynamic, nimble, and are secure by design, while in-house legacy systems are static and insecure in their default state.

“CISOs who transition their organization to the cloud are able to build-in hygiene mechanisms from the beginning—in automated ways. They’re also able to eliminate friction from the system and simplify service delivery to their customers,” the report said.

4. Account for every possible scenario

Resiliency plans need to account for everything, PwC said, from highly likely, low-impact attacks to unlikely but devastating ones.

The report recommends drawing up a likelihood-impact grid (axes from low to high likelihood, and low to high impact) and using that to allocate your efforts and budget. Don’t ignore lower risk attacks, but plan according to the threats most devastating to your industry and company.

“More than three-quarters of executives in our Global DTI 2021 survey say that ‘assessments and testing, done right, can help them target their cybersecurity investments,'” the report said.

5. Build security teams with the future in mind

Fifty-one percent of respondents said they plan to increase the size of their cybersecurity teams in the next year, to which PwC said it’s essential to hire for 21st-century skills.

The most sought-after traits that respondents cited were analytics skills, communication skills, critical thinking, and creativity: “Shaping the future of cybersecurity — one that is in step with the business — means hiring the people who are ready to work collaboratively with others to tackle new, as-yet-undiscovered problems and analyze information,” the report said.

Hiring from within by training existing employees should be considered as well, and the report also found that managed security services providers can be a good solution when talent is hard to find as well, with 90% of respondents saying they use or plan to use managed service providers in the future.

via:  techrepublic.

Amazon Discloses Security Incident Involving Customers Email Addresses

Amazon informed some of its customers about a security incident that involved the unauthorized disclosure of their email addresses.

News of the security incident emerged over the weekend of October 23 when multiple users took to Twitter to voice their confusion over an email they had received from Amazon.

In an email notification obtained by Bleeping Computer, the tech giant explained that it had fired an employee after they unlawfully disclosed some customers’ email addresses to a third party.

Screenshot of Amazon’s email message obtained by Bleeping Computer.

We are writing to let you know that your e-mail address was disclosed by an Amazon employee to a third-party in violation of our policies. As a result, we have fired the employee, referred them to law enforcement, and are supporting law enforcement’s criminal prosecution.

No other information related to your account was shared. This is not a result of anything you have done and there is no need for you to take any action. We apologize for this incident.

At the time of writing, there was some confusion about how many former Amazon employees had been responsible for the security incident.

Motherboard wrote that it had obtained another statement from Amazon. In it, the tech giant explained that more than one insider had perpetrated the disclosure.

“The individuals responsible for this incident have been fired,” the statement read. “We have referred the bad actors to law enforcement and are supporting their criminal prosecution.”

Neither statement indicated how many customers the security incident is believed to have affected.

The event described above wasn’t the first time Amazon fired some of its employees for improper data disclosure. Back in January 2020, for instance, TechCrunch reported that Amazon had terminated a number of employees for sharing customers’ phone numbers and email addresses with a third party.

News of this latest incident highlights the need for organizations to defend themselves against insider threats. To do this, they need to focus on taking proactive measures for the purpose of deterring malicious insiders as well as detecting malicious insider activity while it’s in progress.

via:  tripwire