CISO Dojo


CISO Dojo provides information security news, podcasts, and other productions from the perspective of a CISO.



    • Feb 24, 2022 LATEST EPISODE
    • monthly NEW EPISODES
    • 31m AVG DURATION
    • 45 EPISODES



    Latest episodes from CISO Dojo

    CISO Actions - Russia/Ukraine Activity

    Feb 24, 2022 | 37:01


    With tensions building in Ukraine, it's a good time to take a step back and look at what actions a CISO should be considering if this is an area of concern. In this episode Joe Sullivan and Stacy Dunn cover the following topics:
    • News Resources: SANS ISC and Webinars
    • Business Analysis: PEST Analysis
    • Team Analysis: SWOT Analysis
    • Technical Controls: Firewalls, Geolocation Blocking, and MFA
    • Administrative Controls: Travel/Evacuation, Asset Disposal, and Crown Jewels
    • Executive Briefings: History of the Russia/Ukraine cyber attacks
    • Board Briefings: State of security and action plans

    Cyber Issues Recapped from 2021 and Looking Ahead to 2022

    Jan 30, 2022 | 41:55


    In this episode we recap some of the bad things that happened in 2021 and theorize what could be in store during 2022.

    Harshil Parikh of Tromzo Discusses Application Security

    Nov 22, 2021 | 41:27


    Harshil Parikh, CEO of Tromzo, discusses application security and how to eliminate developer/security friction by using context to sort through the noise and empower developers to fix what matters. Find Harshil online at: https://www.linkedin.com/in/harshil/ and https://www.tromzo.com/

    Being a One Person Football Team and Breaking into Security

    Nov 12, 2021 | 38:31


    Tanner James started his career in IT after graduating with an MIS degree from OU in 2016. Since then, Tanner has worked for a telecommunications consulting firm and is currently employed as the IT manager for LuGreg Trucking. At this point in his career, he wants to develop his security skillset to take on a role in information security. When he isn't working with technology, he enjoys lots of time outdoors with his family. You can find Tanner James online at: https://www.linkedin.com/in/tanner-james-6a0748119/ This episode is sponsored by AntiCrysys. When you need post-breach crisis management, AntiCrysys can help you get your security program back on track. https://www.anticrysys.com

    From Factory Work to CISO

    Nov 1, 2021 | 44:09


    Russell Eubanks shares his story about transitioning from factory work, breaking into information security, becoming a CISO, and starting his own consulting practice. Russell offers good advice, guidance, and tips for others looking to further their career, lead teams, and develop personally in information security. You can find Russell Eubanks online at: https://securityeverafter.com/ SANS: https://www.sans.org/profiles/russell-eubanks/ LinkedIn: https://www.linkedin.com/in/russelleubanks/ Twitter: https://twitter.com/russelleubanks

    Cobalt Strike, Ransomware, Supply Chain Attacks, and RiskIQ

    Oct 4, 2021 | 36:37


    Steve Ginty, Director of Threat Intelligence at RiskIQ, joins us on this episode to discuss detecting risks your organization might not be aware of. Steve also talks about how RiskIQ contributes to the detection of Cobalt Strike, ransomware actor activity, and supply chain attacks, and how RiskIQ can help with vendor management. Website: https://www.riskiq.com/ LinkedIn: https://www.linkedin.com/in/sginty/

    Meet Jerich Beason, SVP and Chief Information Security Officer for Epiq

    Sep 20, 2021 | 38:43


    Jerich Beason is a cyber security hobbyist turned professional who holds Bachelor's and Master's degrees in Cyber Security. He has served in progressive roles at some of the most respected companies within the cyber security industry, including Lockheed Martin, RSA, and Deloitte, where he was a trusted advisor to executives within the federal government and Fortune 500 organizations. Jerich advised these companies on cyber security strategy, architecture, and program development. In his most recent role as Deputy CISO at AECOM, he was responsible for security architecture, risk management, compliance, and the overall security strategy. As a thought leader in cyber security, Jerich has been invited to sit on panels, speak at conferences and events, and contribute to white papers and security publications. Jerich is currently the host of Epiq's new podcast, Cyberside Chats, which has the mission of increasing knowledge and awareness of cyber security within the legal industry. At Epiq, Jerich serves as Sr. Vice President and Chief Information Security Officer, where he leads the Global Enterprise and Product Security organizations. @blanketSec https://www.linkedin.com/in/jerich-beason-874b908/

    Meet AJ Yawn CEO and Co Founder of Bytechek

    Sep 13, 2021 | 50:56


    AJ Yawn joins us for this episode of the CISO Dojo Podcast. AJ Yawn is a seasoned cloud security professional with over a decade of senior information security experience, including extensive experience managing a wide range of cybersecurity compliance assessments (SOC 2, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers. AJ advises startups on cloud security and serves on the Board of Directors of the ISC2 Miami chapter as the Education Chair. He is also a Founding Board member of the National Association of Black Compliance and Risk Management Professionals, regularly speaks on information security podcasts and at events, and contributes blogs and articles to the information security community, including publications such as CISOMag, InfosecMag, HackerNoon, and ISC2. https://www.linkedin.com/in/ajyawn/ @AjYawn

    Risk Appetite Statements

    Sep 10, 2021 | 25:56


    In this episode Joe Sullivan and Stacy Dunn discuss approaches for developing a risk appetite statement and how to implement security based on the stated risk appetite.

    Fraudulent Job Applicants

    Sep 1, 2021 | 31:41


    What's the strangest thing you've encountered with a new hire? In this episode we talk about the time an evil twin with no experience managed to get an IT position, and how scammers with no experience are landing multiple work-from-home tech jobs just to collect a paycheck until they get terminated. The rabbit hole goes even deeper, with fake sites being set up as past employers and answering services attempting to make them look legitimate. We also talk about how to combat these attempts and weed out the scammers from the legitimate applicants.

    Who's Responsible for Breaches Anyways?

    Aug 18, 2021 | 35:54


    In this episode Joe Sullivan and Stacy Dunn talk about who should be held responsible for breaches and what needs to be done to reduce consecutive breaches in an organization.

    Can I look at your iPhone Pictures?

    Aug 11, 2021 | 41:09


    There's been a lot of discussion around Apple scanning for CSAM images. Joe Sullivan and Stacy Dunn talk about the pros and cons of this and how it affects the privacy of iPhone users.

    Dealing with Burn Out and GPEN Versus OSCP

    Jul 25, 2021 | 9:52


    In this episode I talk about an approach to dealing with burnout on your team. This is based on a study located here. I also look at the GPEN versus the OSCP certification in this episode.

    Meet Paul Tucker CISO of Bank of Oklahoma

    Jul 12, 2021 | 43:14


    Paul Tucker, CISO of Bank of Oklahoma, joins us for this episode of the CISO Dojo Podcast. Paul Tucker is Senior Vice President and Chief Information Security and Privacy Officer at BOK Financial. In this role Tucker leads the cybersecurity team responsible for the bank's efforts to protect information important to the bank's operation, while ensuring the overall cyber resiliency and privacy of the bank.

    Cloud Security, Casinos, Supply Chain Attacks, INFOSEC Bikini, and Haters of Pants

    Jul 8, 2021 | 43:30


    Joe Sullivan and Stacy Dunn wrap up the third part of their cloud security series. The episode extends into current events with casino ransomware attacks, supply chain attacks, and why casinos should not be getting breached. We also talk about social media happenings like INFOSEC Bikini, the negative element on Twitter, and haters of pants.

    Attack Surface Management & Threat Intelligence with Alex Tarter

    Jun 28, 2021 | 60:03


    Alex Tarter joins us on the podcast to discuss attack surface management and threat intelligence. Alex is one of the founding members of TurgenSec, which has recently had an interesting string of responsible disclosures related to:
    • Virgin Media
    • The Gates Foundation Charity
    • 190+ Law Firms
    • The Philippines Government
    Check out Alex at: www.turgensec.com security@turgensec.com

    Stacy Dunn on Diversity, Equity, and Inclusivity | Part 3

    Jun 14, 2021 | 17:25


    Part 3: Action items and actionable information; insights into how to support marginalized people and adopt better hiring practices.
    Sources:
    • https://www.thisishowyoucan.com/post/__wheel_of_power_and_privilege
    • https://www.forumone.com/ideas/why-and-how-to-prioritize-dei-at-your-organization/
    • http://greenlining.org/wp-content/uploads/2018/03/DEI-Framework.pdf
    • https://globewomen.org/globaldiversity/wp-content/uploads/2020/03/Korn-Ferry-Diversity-and-Inclusion-Maturity-Model-2020-Andres-Tapia.pdf
    • https://www.diversitybestpractices.com/sites/diversitybestpractices.com/files/attachments/2018/01/kaiser_final_part_2_3.pdf
    • http://www.triangledei.org/blog/the-deloitte-diversity-and-inclusion-model
    • https://www.slideteam.net/six-months-diversity-and-inclusion-initiative-competition-strategy-roadmap.html
    • https://www.businessinsider.com/free-online-courses-diversity-equity-inclusion-2020-10
    • https://www.microsoft.com/en-us/inclusion-journey
    • https://blogs.microsoft.com/blog/2021/02/18/include-2021-a-global-event-to-engage-on-challenging-topics-to-accelerate-diversity-and-inclusion/
    • https://blog.powertofly.com/diversity-conferences-2021
    • https://www.cio.com/article/3564791/professional-organizations-focused-on-diversity-in-tech.html
    • https://blog.techinclusion.co/25-organizations-bringing-diversity-and-inclusion-to-tech-1c0dec0e151d
    • https://mdciowa.org/

    Meet CISO Chad Kliewer

    Jun 7, 2021 | 63:13


    Chad Kliewer, CISO of Pioneer Telephone, shares his journey in information security, where he overcame nearly insurmountable challenges. Chad has faced broad use of credential sharing and placing the mouse on the monitor, because this is how it's supposed to work, right? Chad has survived SOX audits and even the SolarWinds attack. There's so much to learn from this episode from a CISO and information security perspective! Connect with Chad on Twitter @ChadKliewer

    CISO Dojo Ransomware Special Edition

    Jun 5, 2021 | 15:53


    The White House just released a special document to the private sector about responsibility and steps to prevent ransomware. Quoting directly from the document: "Companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively." The document goes on to talk about best practices such as:
    • Utilizing multifactor authentication
    • Endpoint detection and response
    • Threat hunting
    • Utilizing threat intelligence
    • Backing up your data and keeping it offline
    • Updating and patching systems
    • Testing your incident response plan
    • Penetration tests
    • Segmenting networks
    These are all basic activities organizations need to start implementing now. The ransomware threat is escalating, and your organization can be a target.

    Stacy Dunn on Diversity, Equity, and Inclusivity | Part 2

    May 31, 2021 | 20:49


    Part of being an effective security leader is understanding and including people from all types of backgrounds. Usually, it's talk tech, security, and strategy, but for these episodes, it's time to discuss the 8th layer and how acceptance is not just 1's and 0's. In this short solo three-parter, Stacy will take you through the who, what, when, and why of Diversity, Equity, and Inclusivity (DEI).
    Sources for Part 2:
    • https://www.hrc.org/resources/hate-crimes-timeline
    • https://www.aaaed.org/aaaed/History_of_Affirmative_Action.asp#:~:text=Kennedy's%20Executive%20Order%20(E.O.),1964.
    • https://historyengine.richmond.edu/episodes/view/1161
    • https://www.mentalfloss.com/article/71353/8-things-women-used-be-banned-doing
    • https://www.encyclopedia.com/social-sciences-and-law/law/crime-and-law-enforcement/domestic-violence
    • https://www.washington.edu/doit/what-individuals-disabilities-education-act
    • https://adata.org/learn-about-ada
    • https://www.encyclopedia.com/finance/finance-and-accounting-magazines/equal-employment-opportunity-act-1972
    • https://en.wikipedia.org/wiki/LGBT_employment_discrimination_in_the_United_States
    • https://lgbtbar.org/programs/advocacy/gay-trans-panic-defense/
    • https://sloanreview.mit.edu/article/the-trouble-with-homogeneous-teams/
    A link to my own Medium article: https://findstacyhere.medium.com/an-open-letter-from-a-woman-in-tech-f552628565c9

    Stacy Dunn on Diversity, Equity, and Inclusivity | Part 1

    May 24, 2021 | 22:46


    In this episode Stacy Dunn talks about Diversity, Equity, and Inclusivity and how we can get better at improving the culture of information security workplaces and the community. Part of being an effective security leader is understanding and including people from all types of backgrounds. Usually, it's talk tech, security, and strategy, but for these episodes, it's time to discuss the 8th layer and how acceptance is not just 1's and 0's. In this short solo three-parter, Stacy will take you through the who, what, when, and why of Diversity, Equity, and Inclusivity (DEI).
    Sources for Part 1:
    • https://globaldiversitypractice.com/what-is-diversity-inclusion/
    • https://www.thisishowyoucan.com/post/__wheel_of_power_and_privilege
    • https://builtin.com/diversity-inclusion
    • https://medschool.duke.edu/sites/medschool.duke.edu/files/field/attachments/explaining_white_privilege_to_a_broke_white_person.pdf
    • http://eprints.lse.ac.uk/73664/ and https://blogs.lse.ac.uk/politicsandpolicy/
    • https://pubmed.ncbi.nlm.nih.gov/30765101/
    • https://hbr.org/2018/07/the-other-diversity-dividend
    • https://www.forbes.com/sites/paologaudiano/2020/07/13/how-inclusion-improves-diversity-and-company-performance/?sh=152da2e56a65
    • https://www.mckinsey.com/~/media/mckinsey/business%20functions/organization/our%20insights/delivering%20through%20diversity/delivering-through-diversity_full-report.ashx

    Hiring Pen Testers, Hacking Holidays, and Hand Grenades

    May 17, 2021 | 36:37


    Chris Elgee is a senior security analyst and Core NetWars Tournament design lead for Counter Hack, and commander of the Army National Guard's 126th Cyber Protection Battalion. At Counter Hack, Chris is responsible for the design and implementation of NetWars challenges and has created some of the player-favorite challenges throughout NetWars and the Holiday Hack Challenge. Chris also teaches SEC560 for the SANS Institute. Read more about Chris Elgee at: https://www.sans.org/profiles/christopher-elgee/ Follow Chris on Twitter: @chriselgee  

    From Reverse Engineering Malware to CISO

    May 10, 2021 | 50:38


    Lenny is the CISO at Axonius, which is a cybersecurity tech company. Lenny has also helped build anti-malware software at an innovative startup and oversaw security services at a Fortune 500 technology company. He has also led the consulting practice at a leading cloud services provider. Lenny is also a Fellow Instructor at SANS and is the primary author of FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques. Lenny maintains a popular malware analysis toolkit called REMnux as well. REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools. Lenny is also the author of SEC402: Cybersecurity Writing: Hack the Reader, which is designed exclusively for cybersecurity professionals and teaches the key topics to address in security reports and other written communications, and how to pick the best words, structure, look, and tone. Catch Lenny on Twitter at: https://twitter.com/lennyzeltser

    Cloud Security Part 2

    May 4, 2021 | 37:07


    In this episode we discuss concerns with security in the cloud that organizations need to be aware of. Moving to the cloud doesn't automatically mean it's more secure. We'll take a look at the CIS Controls and how you can implement them in a cloud environment to better secure your networks and data. The topics discussed in this episode are:
    • Malware Defenses in the Cloud
    • Limiting Network Protocol Ports and Services
    • Cloud Security Data Recovery Capabilities
    • Cloud Security Configurations

    Cloud Security

    Apr 27, 2021 | 33:07


    In this episode we discuss concerns with security in the cloud that organizations need to be aware of. Moving to the cloud doesn't automatically mean it's more secure. We'll take a look at the CIS Controls and how you can implement them in a cloud environment to better secure your networks and data.

    Cyberstalking

    Apr 21, 2021 | 40:01


    Stalking: what is it, exactly? And, more importantly, what do you do if it happens to you? What steps can you take, and how can you better protect yourself? What are the avenues for reporting stalking? How has technology impacted stalking, and what can we do, as a society, to keep these behaviors from perpetuating?

    National Resources:
    • https://www.thehotline.org/ (1-800-799-SAFE)
    • https://victimsofcrime.org/
    • https://www.stalkingawareness.org/
    • https://www.ywca.org/
    • https://www.justice.gov/ovw/stalking
    • https://www.womenshealth.gov/relationships-and-safety/other-types/stalking

    Local Resources:
    • https://palomarokc.org/
    • https://www.ywcaokc.org/
    • https://www.oag.ok.gov/victims-services-resources
    • https://oklegalconnect.org/#/login

    Stalking definition: The Department of Justice defines stalking as "A perpetrator engaging in a course of conduct directed at a specific person that would cause a reasonable person to fear for their safety or the safety of others or suffer substantial emotional distress." The Office on Women's Health defines stalking as "Any repeated contact that makes you feel afraid or harassed." This communication or behavior could involve repeated visual, physical, verbal, written, or implied threats, nonconsensual communication, or a combination of these measures.

    Stalking is against the law. Stalking is a crime. Stalking can be charged as a state or a federal crime, and depending on the case, it can be:
    • Misdemeanor: punishable by imprisonment for up to 1 year or a fine that cannot exceed $1,000, or both.
    • Felony: for aggravated stalking, punishable with up to 5 years in prison or a fine of maximum $10,000, or both.

    Who can be stalked: Anyone. However, 1 in 6 women experience stalking in their lifetime, and women are twice as likely to be stalked as men are. (This is according to the National Center for Victims of Crime.)

    Stalking falls into three broad categories:
    • Intimate or former intimate partner stalking: The stalker and victim may be in a relationship, may have lived together, may be serious or casual partners, or former partners to some facet.
    • Acquaintance stalking: The stalker and victim may know one another casually, such as a coworker, neighbor, or something similar.
    • Stranger stalking: The stalker and victim do not know one another. This usually includes cases where the victim may be a celebrity.

    Examples of stalking:
    • Following you around or spying on you
    • Befriending or manipulating your family, friends, or coworkers to intrude on your inner circle
    • Sending you unwanted emails, messages, or letters
    • Calling you often
    • Harassing you on social media
    • Creating fake profiles to keep tabs on you
    • Attempting to gain access to your computer, email, or social media accounts
    • Tracking your computer or internet use
    • Using technology such as GPS to track your location
    • Showing up uninvited to your house, school, work, or places you frequent
    • Leaving you unwanted gifts or tokens of affection
    • Damaging your home, car, or other property
    • Threatening you, your family, your friends, or your children and pets with violence

    Misconceptions about stalking:
    • "Stalking is only stalking if they keep doing it after you've asked them to stop or have confronted them in some way." I hear this sentiment a lot. If someone has been following you, tracking you, or harassing you and you're just discovering it, it's been stalking the whole time. They don't get a magical free pass until you've said no; it's stalking regardless. And confronting the perpetrator can often be dangerous.
    • "Only celebrities are stalked." As previously mentioned, anyone can be stalked. In fact, 1.4 million people are stalked every year in the United States.
    • "If you ignore the stalker, they will go away." If only this were true. Each case varies, but stalking is dangerous, it's against the law, and anyone that experiences stalking should seek help.
    • "You can't be stalked by someone you're dating." Big huge nope. Biggest nope. You absolutely can. If an intimate partner is tracking your location, following you around, and making you feel smothered and afraid, that is stalking. It doesn't matter what your relationship with the person is.

    When is stalking categorized as cyberstalking? Nowadays, stalking usually includes cyberstalking. As security professionals, we have to be cognizant of how people use technology in a way that's malicious. Cyberstalking falls under the stalking umbrella. It's yet another form of stalking and is widely used among perpetrators because it gives them a relatively easy way of monitoring someone, particularly if their "digital footprint" is very wide. Cyberstalking is the use of the internet or other electronic means to stalk or harass an individual, group, or organization. As mentioned, cyberstalking is often accompanied by real-time or "offline" stalking, but it may be used as the primary or only means of stalking. Physical or real-time stalking is not necessary for the act to be considered a crime. Cyberstalking, in and of itself, is also a crime. Something to note: states vary in how they categorize offenses. By 2009, 14 states had adopted legislation on high-tech stalking, punished by anywhere from up to 18 months imprisonment and a $10,000 fine for a fourth-degree charge to 10 years in prison and a $150,000 fine for a second-degree charge.

    What to do if you're being stalked: The obvious answer may be to blanketly tell everyone to call 911 or contact the authorities. However, the unfortunate truth is that not all law enforcement officers are trauma-informed, nor are all of them equipped to handle stalking. And, sadly, some of them may not take the case seriously. Even with that, I highly suggest reporting, if you feel safe to do so. Sometimes, your stalker may even be a police officer or someone that is powerful. It's not always easy to go to the authorities, particularly if you have been let down in the past or get grilled by law enforcement as if the stalking is your own fault.

    Here are a few other suggestions of who to contact to assist you:
    • National domestic violence or victim resources such as The Hotline Dot Org, Victims of Crime Dot Org, Stalking Awareness Dot Org, and so on. We will link all of these resources in the show notes.
    • Local domestic violence coalitions such as YWCA, Palomar, and other non-profits that may be exclusive to your area.
    • Legal resources or lawyers that are trauma-informed and specialize in domestic violence, sexual assault, and stalking cases.
    • A trusted friend, family member, mentor, teacher, counselor, or therapist.

    Some steps you can take to help protect yourself and mitigate a stalker's ability to gather more information about you: In an ideal world, we would want to stop the stalkers from stalking. The onus is on them. It's not your fault you're being stalked, and these preventative measures do not suggest that this is in any way your fault, but please take these measures into consideration if you are being stalked.
    • Document everything. Record dates. Take screenshots and keep everything organized. Describe the actions as well as how they made you feel in the moment. Keep a running timeline, if possible.
    • Inform someone you trust of the stalking.
    • Carry your cell phone with you and inform your trusted friend or family member of your whereabouts, especially if the person is capable of physically finding you.
    • On the topic of your cellphone, ensure that it does not have any unknown applications, tracking, or compromised accounts on it. Review your installed applications and accounts, and enable multi-factor authentication where possible.
    • Use unique and secure passwords for all of your accounts. (Make sure your passwords are not easily "guessable.")
    • Depending on the situation, stopping all communication with the stalker is ideal. Your circumstances may dictate that completely cutting them off is actually less safe, so trust your instincts and document your decision. That said, block the stalker on all platforms, if it is safe to do so.
    • Limit your social media posts to friends and family. Avoid posting anything publicly. Be cognizant of sharing, tagging, and what is shown in images. Minimize mutual contacts.
    • Do not share your home address or place of work online. Additionally, do not share when you're at home, and when you are not.
    • If physical stalking is present: vary your travel schedule, and try not to use the same route or routine every day if travel is required.

    Data Governance

    Apr 13, 2021 | 35:42


    Data governance is a huge undertaking when you don't build it in at the start. In this episode Stacy and Joe discuss data governance programs, the NIST Privacy Framework, and how to build a successful data governance program.

    The Birth Of a CISO

    Apr 5, 2021 | 22:17


    This week's episode acts as a follow-up to provide answers to your burning questions following the interview with our special guest, Gordon Rudd of Stone Creek Coaching, who trains and coaches aspiring and current CISOs. But how do you know if you want to be a CISO? Heck, what is a CISO? It's in the name, right? How do we know exactly what a Chief Information Security Officer is? Does the definition change between organizations? Are the expectations the same? Listen as Joe and Stacy give the ins and outs of what it takes to get the title, what to expect, and why it's needed.

    From Fortran to CISO to Executive Coaching

    Mar 29, 2021 | 69:22


    Gordon Rudd joins us for this week's episode of the podcast. Gordon Rudd is a former CISO, executive coach, author, keynote speaker, and teacher with Stone Creek Coaching. Gordon founded the CISO Mentoring Project in 2012 and is an engaged mentor to many aspiring and active CISOs around the world. He founded Stone Creek Coaching in 2019 to help create world-class cybersecurity leaders. Gordon is a regular instructor with (ISC)2, an international, nonprofit association for information security leaders, creating educational videos, leading educational events, and creating content for their members. Gordon served as the thought leader in residence for Venminder, utilizing his 40+ years of third-party risk management, information technology, information security, and GRC (Governance, Risk Management and Compliance) program development experience. Gordon worked with clients as a third-party risk management and cybersecurity subject matter expert in residence. Gordon began his cybersecurity career while working as a contractor for the defense industrial base in America. He was instrumental in the formation of the cybersecurity program for a Fortune 50 oil and gas company. Gordon has consulted with some of the world's largest financial services organizations on cybersecurity and business continuity management preparedness. He has created dozens of business continuity plans for organizations in manufacturing, oil & gas, health care, and banking. He joined Venminder from RCB Bank, where he held the position of Vice President, Chief Information Security Officer (CISO). Gordon implemented and managed both their cybersecurity program and third-party risk management program, including managing internal audits, external audits, and regulatory examinations. Gordon is a recognized cybersecurity expert and is frequently sought to speak at industry events on information security, GRC, and enterprise risk management. Gordon received his B.B.A. in Finance from the University of Oklahoma and an M.B.A. from West Texas A&M University. Gordon was instrumental in my transition from security technologist to security leader, and it would have been a rough journey without his coaching, guidance, and mentoring. You can find Gordon online at https://www.linkedin.com/in/gordonrudd.

    My Path in Information Security: Stacy Dunn

    Mar 22, 2021 | 23:47


    In this episode of CISO Dojo, Stacy outlines how she broke through into the field of Information Technology, and, subsequently, Cyber Security. How does one connect the dots from being a Retail Store Manager with an Associate's in Fine Arts to becoming an aspiring Security Engineer with one of the world's largest security companies? Stained shirts and socks with sandals, that's how! What...? Wait just a minute...? Yeah, that's right! But, what does that have to do with IT!? Listen for the full story, down to the dirty details, and gain some insights in how to better build yourself up to take control of your career. 

    My Path in Information Security

    Mar 15, 2021 | 12:38


    This episode starts a new series about non-traditional paths into information security. This series will post every Monday when we don't have a guest on the show. In this series we will look at ways to get into information security and how to progress in your career. This pilot starts out with my own path in information security, from auto technician to CISO to consultant.

    Risk Assessments, Frameworks, and Approaches

    Mar 8, 2021 | 80:36


    Risk Assessments, Frameworks, and Approaches

    Risk Assessments are the topic for this episode of the CISO Dojo Podcast.

    What is a risk assessment: The identification, evaluation, and estimation of the levels of risk involved in a situation, with comparisons against benchmarks or standards, and determination of an acceptable level of risk.

    There are two types of risk assessments we discuss in this episode:

    Quantitative Risk Assessment: This one uses actual data and amounts during the risk assessment.
    Qualitative Risk Assessment: “Relative measure of risk or asset value based on rankings such as low, medium or high; not important, important, very important; or on a scale from 1 to 10.”

    Risk Assessment Frameworks

    We are going to discuss two commonly used frameworks often utilized for risk assessments:

    FAIR (Factor Analysis of Information Risk) defines value/liability as:
    Criticality
    Cost
    Sensitivity
    Embarrassment
    Competitive advantage
    Legal/regulatory
    General

    FAIR also defines six kinds of loss:
    Productivity
    Response
    Replacement
    Fines and judgments
    Competitive advantage

    NIST Special Publication 800-30 Risk Assessment Framework: NIST 800-30 is a 9-step approach to risk assessments that includes:
    Step 1: System Characterization
    Step 2: Threat Identification
    Step 3: Vulnerability Identification
    Step 4: Control Analysis
    Step 5: Likelihood Determination
    Step 6: Impact Analysis
    Step 7: Risk Determination
    Step 8: Control Recommendations
    Step 9: Results Documentation

    Types of Risk Assessments

    In this episode we briefly cover a few common types of risk assessments:

    RIA: Risk Impact Assessment. This is the initial risk assessment that classifies the risk level of the system (Low, Moderate, High, Very High) and mitigating controls.
    BIA: Business Impact Assessment. This is usually used during BCP/DR planning and determines the impact of losing your business-critical systems.
    PIA: Privacy Impact Assessment. This one identifies PII that is collected; why the information is collected; and how the data will be used, shared, stored, and protected.
    DRIA: Detailed Risk Impact Assessment. This one is more detailed than a regular risk assessment and outlines more robust security controls that are commensurate with the inherent risks of the system.

    We aren’t going to get into Risk Analysis, because there’s a larger conversation that needs to be had there. An organization needs to understand what its top risks are so it knows where to start the risk assessment process.

    Top security risks for businesses

    Let’s take a look at where a lot of organizations are incurring the greatest amount of risk with their security posture, or lack of security posture.

    Your Organization is a Target

    Traditionally, smaller businesses weren’t an appealing target for threat actors. That changed when ransomware arrived on the scene. Smaller organizations are a more appealing target for ransomware because they typically have less budget to spend on backing up their data, business continuity, and disaster recovery. When a small business experiences ransomware, more often than not they are forced to pay the ransom to recover their data and return to normal operations. If it’s not ransomware, the second favorite cyber attack of threat actors is crypto mining malware that runs silently on systems, consuming resources and mining cryptocurrency for the attacker.

    Cyber Security Budget

    Many organizations aren’t aware whether they are over invested or under invested in security. Over investment takes funds away from other strategic business objectives, while under investment incurs too much risk for the organization. Over investment isn’t a difficult problem to solve, but under investment can be challenging to rectify. The best approach to determining where you stand is to map out the maturity of your organization in relation to what the industry is doing.

    I’ll use the NIST Cybersecurity Framework functions to measure the maturity of the security program:
    Identify
    Protect
    Detect
    Respond
    Recover

    Next, map the maturity levels of 0-5 using the Capability Maturity Model. 0 is the least mature and 5 is the most mature. Most organizations should strive for a maturity level of 3 across the five functions of the NIST CSF. If you are not at level 3, you are under invested in that particular function. If you are at a 4-5 maturity level for a particular function, you might be over invested in that function.

    Patching and Vulnerability Management Risk Assessments

    An effective cyber security program includes patching and vulnerability management. Unpatched vulnerabilities provide opportunities for threat actors to compromise your systems and networks. Even the best organizations achieve about a 75% success rate. In an organization that lacks patching and vulnerability management, the risk of a breach is considerable. A successful patching and vulnerability management program starts with asset inventory. You need to know what assets you have, and then you need a way to identify and monitor your patching and vulnerability exposure and remediation progress.

    Email Security Risk Assessments

    Breaches often start with malware, phishing, or spam as the entry point into the organization. This indicates a lack of technical controls at the email server, as well as the administrative control of a security awareness program. If you are hosting email in house with no spam filtering, anti-malware, or other technical controls, now is a good time to consider outsourcing email to Office 365 or Google Apps. The benefits are less maintenance, more security, and reduced costs and administration time.

    Data Backup, Testing, and Recovery

    A lot of organizations lack a backup plan, backup retention, and testing of backups. The problem is usually a lack of understanding of what their mission-critical data is. This goes back to the lack of a mature security program. Organizations that are backing up their data usually fail to test their backups due to a lack of time and a lack of staff. This is something that should also be addressed in the overall security program for the organization, or perhaps outsourced to a third party for business continuity and disaster recovery purposes.

    BYOD Cyber Security Risk Assessments

    Mobile devices are growing in popularity as an entry point for threat actors, and careful consideration should be given to BYOD programs. While there is a lot of benefit to BYOD (bring your own device), there are also a lot of risks. The main issues are co-mingling of data, eDiscovery, terminations, data security, and mobile device management. Mobile device management is critical if you allow employees to utilize their own mobile devices for work purposes. You should also include a mobile device threat prevention solution that detects and prevents malware, phishing over text message (smishing), and rooting or jailbreaking of mobile devices. Also consider a VPN for secure connections from the mobile device back to the corporate network.

    No Cyber Security Program

    This is by far one of the most common problems I encounter when consulting with small, medium, and even large enterprise-level businesses. There should be an overarching policy from the executive level that the organization understands the importance of cyber security and will have a cyber security program. A typical cyber security program should include:
    Security Awareness
    Business Continuity and Disaster Recovery
    Physical Security
    Acceptable use policies for email, Internet, and mobile devices
    Password policy
    Encryption policy
    Cloud storage and provisioning policy
    Incident response policy
    Vendor management policy
    Cyber risk appetite statement

    The above is not a comprehensive list and will differ from organization to organization. Preventing breaches, business impact, and security incidents starts with risk assessments and a cyber security program. Having a formal security program also means having someone in charge of security to drive it forward. This is usually a CISO or vCISO, depending on the size of the organization.

    The post Risk Assessments, Frameworks, and Approaches appeared first on CISO Dojo.

    Employee Retention Strategies for CISOs

    Play Episode Listen Later Feb 13, 2021 43:58


    Employee Retention Strategies for CISOs Employee retention of top talent should be on the mind of every CISO today. Recruiters are focused on coaxing the best employees away from organizations due to the perceived skills shortage in the information security industry. When an employee approaches you about an offer from another company, how should you handle that situation as a […] The post Employee Retention Strategies for CISOs appeared first on CISO Dojo.

    Resume Reviews, Interviewing, and we have a co-host!

    Play Episode Listen Later Aug 23, 2020 35:59


    Resume Reviews, Interviewing, and we have a co-host! Meet Stacy Dunn in this episode of the CISO Dojo podcast. Stacy has been working in INFOSEC for the past 4 years in various roles and was a guest on the show previously. In this episode Stacy and I discuss a lot of different topics that include: Culture Diversity Women in Tech Interviewing Resume prep […] The post Resume Reviews, Interviewing, and we have a co-host! appeared first on CISO Dojo.


    Managing Teams Remotely

    Play Episode Listen Later Apr 3, 2020 13:39


    Managing Teams Remotely Managing teams remotely is a real challenge in this environment. As leaders and managers we need to make sure we are taking the right approach to managing our teams when they are remote. We’ve lost a lot of the daily context of what our team members are facing, how to motivate them, and the convenience […] The post Managing Teams Remotely appeared first on CISO Dojo.


    Working Remotely During a Pandemic

    Play Episode Listen Later Mar 15, 2020 6:46


    Working Remotely During a Pandemic One of the challenges many organizations are facing right now is: how do we secure a remote workforce? In this episode I discuss some of the tough questions organizations face and how they are approaching them. A lot of vendors, such as Google, Cisco, and Zoom, are stepping up to offer free products. We also need […] The post Working Remotely During a Pandemic appeared first on CISO Dojo.


    Pandemic Policies

    Play Episode Listen Later Mar 1, 2020 5:40


    Pandemic Policies With the Corona Virus spreading, now is a good time to check your Pandemic Policy. Pandemic Policies help you plan for a large part of your workforce being unable to work due to illness. In this episode I’ll cover some key points from a Pandemic Policy Template available from SANS. If you are considered critical […] The post Pandemic Policies appeared first on CISO Dojo.


    Strategy Versus Culture

    Play Episode Listen Later Feb 25, 2020 5:57


    Strategy Versus Culture It’s been said that culture eats strategy for breakfast, but what does that mean? If your policies, procedures, and strategic plan do not align with the culture, you risk offending the organization and will fail to execute your strategic plan. The post Strategy Versus Culture appeared first on CISO Dojo.


    Iran Cyber Threat CISO Action Items

    Play Episode Listen Later Jan 7, 2020 7:32


    Iran Cyber Threat CISO Action Items Iran Cyber Threat President Trump ordered an airstrike that killed the Iranian General Soleimani in Baghdad. Soleimani was suspected of “plotting attacks” against Americans in the region. The Department of Homeland Security issued a bulletin stating that Iranian leadership and several affiliated violent extremist organizations publicly stated they intend to retaliate against the United States. […] The post Iran Cyber Threat CISO Action Items appeared first on CISO Dojo.

