CISOs: Embrace a common business language to report on cybersecurity

The U.S. Securities and Exchange Commission (SEC) recently issued updated proposed rules regarding cybersecurity risk management, program management, strategy, governance and incident disclosure for public companies subject to the reporting requirements of the Securities Exchange Act of 1934. As a result, the SEC may be amending previous guidance on disclosure obligations relating to cybersecurity risks and cyber incidents to include processes that require organizations to inform investors about a company’s risk management, strategy and governance in a timely manner, along with any material cybersecurity incidents.

Over the past two years, security breaches have been on the rise as digital transformation has rapidly increased, expanded and affected business models, customer experiences, products and operations. Now a top business risk category for many companies, cybersecurity is increasingly a focus of conversation at the board and C-suite level.

And since the role of the chief information security officer (CISO) has grown dramatically, from protecting not only the technology but all of the supporting data, intellectual property and business processes, companies are recognizing the need for the CISO to have increased access to the C-level and board to help with business decisions.

The challenge, however, is that security leaders traditionally communicate in technical and operational terms that are difficult for business leaders to understand. For CISOs to be effective, they must adopt a holistic security program management (SPM) strategy. This approach will support the ability to communicate and report on cybersecurity efforts consistently in business terms, using outcome-based language, and connect security program management to the business’ key priorities and objectives.

What is security program management (SPM)?

SPM reflects modern cybersecurity practices and supporting domains. This approach supports a common language that can be applied across industries and understood by both technical and nontechnical executives — while adapting to shifts in business outcomes, technology and the threat landscape. However, for SPM to be successful, the security industry needs to refocus from centering on compliance frameworks to SPM methodologies that are continuously updated and managed throughout the year. This approach will broaden business insight into key elements and technologies of a modern cybersecurity program such as application security, cloud security, account takeover and fraud.

SPM has been proven effective in guiding security leaders to continuously measure, optimize and communicate their program needs and results. In fact, consistency of SPM has proven to provide continuity in security programs — even as people change roles — and for reporting, ensuring that metrics are accurate and reliable.

Despite the elevation of cybersecurity as a top board priority and concern, businesses need to address the “elephant in the room” — the failure of communication and common understanding between CISOs, security programs and their boards’ understanding of SPM. Organizations are recognizing that only a small percentage of their security teams are effective when communicating security program strategies and risks to the board, according to a Ponemon study.

CISO: Cybersecurity support starts at the top

This can be described in two parts. First, the board needs to understand the biggest risks to revenue — cyberattacks are not cheap. Cyberattacks can be an expensive threat to companies. Yet few companies can communicate their security program effectiveness to executives and the board in business terms that can be quickly understood.

Second, communication has to be consistent across the organization. We must embrace business language and terms from one business unit to another. For example, in comparing two business units, one may generate revenue but the other may not, because the second business unit may be in a support role for the company. The security program may prove to be optimal in the first business unit yet not in the second. Why not? In speaking with the executives and board, the security leader must speak at a level that their stakeholders understand in order to be aware of what a comprehensive security program will reveal. Providing relevant, digestible information on SPM and its progress both up and down the ladder — to peers, team(s), the C-suite and board — is critical.

There is no one quick fix to address and remediate all security issues. Over the years, organizations have implemented various strategies to remain compliant. Compliance, though, is not as comprehensive as a security program: it may focus only on the parts of people, processes, technology and assets that are in scope for a particular compliance effort. Others have implemented SPM to increase transparency and help the C-level and the board better understand and assess the maturity and comprehensiveness of a company’s cybersecurity program, and therefore the relative levels of risk exposure that companies face.

The bottom line is that CISOs are hired to protect the company’s data, applications, infrastructure and intellectual property (IP). As companies move forward in the 2000s, the focus is on data being the new currency — we must embrace SPM in order to be successful in reporting on our cybersecurity efforts.

Making a difference for the business

Gartner predicts that by 2025, 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member. At the board, management and security team levels, this is one of several organizational changes that Gartner forecasts will expand due to the greater exposure to risk resulting from the digital transformation during the pandemic. To effectively lead, the security leader must have decades of security program experience, have previously reported directly to a board, have become an advisor or an independent board observer, and hold reputable security certifications. With those qualifications covered, the CISO will have the business acumen and support to get the job done. As a key advisor to the board, a security leader will help increase awareness of the financial, regulatory and reputational consequences of cyberattacks, breaches and data loss, and be central to risk and security planning. These discussions will ensure risks are reviewed, funded or accepted as part of the organization’s business strategy.

Demetrios “Laz” Lazarikos is a 3x CISO, the president and cofounder of Blue Lava.

Oakland, Mich., Schools Consult Industry for Cybersecurity Ed

The district’s CTE campuses have been working with technology leaders from the county and private sector in recent years to ensure cybersecurity course curricula are aligned with ever-changing workforce needs.

July 20, 2022 by Brandon Paykamian

With cyber criminals fighting constantly to stay one step ahead of IT security professionals, staying up-to-date on changes in the field of cybersecurity is vital for school districts and workforce training programs preparing students for jobs in the industry. Seeing the need for industry insights, Oakland Schools in Michigan has been working with county technology leaders, private companies and other industry partners to align its cybersecurity curricula with the needs of employers.

According to Jarrad Grandy, executive director of student services at Oakland Schools, the district’s technical educators meet with employers at least twice a year as part of a cybersecurity education advisory committee for Oakland Schools Technical Campuses, the district’s career technical education schools, to evaluate their cybersecurity courses.

“In the 2018-2019 school year, we switched to a model that was much more employer-driven. Their role is to consistently and constantly give us what they’re seeing in the field,” Grandy said, noting that the advisory committee is just one of several that guides technical programming at Oakland Schools.

“They help us figure out what we need to teach kids,” he added. “They give us advice on what’s coming, what we should focus on, or what we should focus on less, and we must combine that with state standards.”

Grandy said much of the cybersecurity course content, tech equipment purchases and assessments are regularly evaluated and adjusted as needed with the help of said industry partners, who collaborate with educators and administrators to align courses with workforce trends. He added that employers also work with the district to guide activities such as cybersecurity simulations, wherein students get hands-on experience dealing with cyber attacks and data breaches.

“This is an employer-driven process … We’re driven by what the industry needs,” he said. “If we’re doing what we’re supposed to do and you like the output in the long run, then the goal is to get every kid who is interested and meets the employer standards to be gainfully employed.

“You need to have employers who say, ‘This is something to actually pursue and invest in,’” he continued. “For us, in the last five years or so, we’ve really focused as an organization on making sure that what we do is employer-driven from the programs we offer, to the processes we use, to the systems we design and develop.”

According to a 2020 analysis by the Bureau of Labor Statistics, demand for IT security professionals is expected to grow 33 percent by 2030 amid an increase in cyber attacks against public- and private-sector organizations with growing network vulnerabilities, due in part to the rise of telework during COVID-19.

While employers’ specific IT needs can vary from company to company and industry to industry, Grandy said, most are in need of workers with at least some degree of IT security knowledge as workplaces become increasingly digitized.

“Depending on the partner you talk to, many times what we end up hearing is you need kids with soft skills. That’s one part of it,” he said. “The basics are the basics — how you handle data protocols, how you handle data from one server to the next … Our kids work on the fundamentals of cybersecurity, but while they’re working on the fundamentals, they’re getting work-based learning opportunities where they get to see in real time where there may be a data breach, or an employer says, ‘Here was a data breach we had in the past, and here’s how we approached it.’”

Noting that IT skill sets have become increasingly integral to operations across industries today, Grandy said one of the committee’s main focuses recently has been to integrate the district’s cybersecurity programming at its Southwest and Southeast campuses with other technical courses.

“I see cybersecurity becoming more and more attached to all of our programs. IT, in many ways — and cybersecurity as a subgroup — is an enabler industry,” he said of the district’s tech ed plans moving forward. “There’s cybersecurity in construction, cybersecurity in health, cybersecurity in auto. For our system, what we’ll be doing over the next few years is much more collaboration in our programs we offer to give students a realistic view of how their work is going to impact other industries … In general, we will see more integration of our programs across industries.”

Nowadays it is clear that Python is the go-to language for AI, more than R. But have you ever wondered what contributed to this? I lived the transition from R to Python in the industry. Let me tell you the story.

R to Python

I joined Microsoft in 2016, and back then it wasn’t clear whether AI would be in R or in Python. The only big company interested in R was Microsoft: it had a product called R Server and had acquired a company called Revolution Analytics, so Microsoft had many top R developers. Other big techs like Google, Amazon, or Facebook were not interested in R at all; they were already using Python. Around 2018, it was clear that Python was becoming the language for AI, and R lost the race. Microsoft decided to focus all its efforts on Python first, instead of supporting two languages.

R for statistics, Python for machine learning

R has a long tradition in statistics, whereas Python was more popular in machine learning. Python took the lead thanks to two libraries: sklearn for general ML, and OpenCV for computer vision. While R users were more interested in statistical packages, Python users were more interested in machine learning packages. This is key because machine learning is better suited than statistics for products that solve business problems; therefore, machine learning got more support from the big techs. Big techs can afford to put developers into open source (I was one of them), so machine learning got more open source supporters than statistics.

The R community was not interested in deep learning

In my view, the battle of R vs Python was lost in the deep learning space. R users were just not interested in deep learning at all; it was mostly statistics. I know this very well because I was one of the few R users pushing for deep learning in R. Between 2016 and 2017, I spent a lot of my time contributing to MXNet in R, which was the only deep learning library supporting R. While the Python package of MXNet had hundreds of supporters, the R package had just a few. The consequence was that R was not able to follow the trend of modern AI, which was being done with deep learning.

Nowadays it is clear that AI is written in Python, but it’s a pity because I love R; it’s a great language.

I think one interesting lesson to take from the evolution of R vs Python is that the power of the open source community is much stronger than that of the industry. Microsoft (and other companies) put millions of dollars into supporting R, but the community was not interested in machine learning or deep learning.

In the end, the lesson is the same as in other industries: the customer (in this case the user) is king.

This article was written by Miguel Fierro. If you like it, please consider showing some ❤️

1 Cybersecurity Challenge Is Inadequate Identification of Key Risks

July 13, 2022

40% of chief security officers say their organizations are not well prepared for today’s rapidly evolving threat landscape

News summary

- 25% increase in 2021 in material cybersecurity breaches – those generating a large loss, compromising many records, or having a significant impact on business operations
- Top 4 causes of breaches are avoidable, according to cybersecurity researchers
- 48% of organizations with no breaches in 2021 were risk-based cybersecurity leaders

SAN JOSE, Calif.–(BUSINESS WIRE)–Skybox Security released new findings from the largest cybersecurity benchmarking study of global executives. The research reveals that traditional security approaches that rely on reactive, detect-and-respond measures and tedious manual processes can’t keep pace with the volume, variety, and velocity of current threats. As a result, 27% of all executives and 40% of chief security officers (CSOs) say their organizations are not well prepared for today’s rapidly shifting threat landscape.

On average, organizations experienced 15% more cybersecurity incidents in 2021 than in 2020. In addition, “material breaches” — defined as “those generating a large loss, compromising many records, or having a significant impact on business operations” — jumped 24.5%.

The conditions behind these breaches that the research identified include:

- Human error
- Unknown assets

“What’s notable about this list is that all of these conditions result from mistakes or manual processes inside organizations — which means they are all in principle avoidable,” said Ran Abramson, threat intelligence analyst, Skybox Research Lab. “The clear implication is that, however pernicious external threats have become, cybersecurity teams still have the power to repel them. And that’s the good news: With the right practices and tools – including automation to maximize efficiency and get the most out of limited staff – breaches can be prevented.”

The study surveyed executives and analyzed the cybersecurity investments, practices, and performance of 1,200 companies and public-sector organizations in 16 countries and a wide range of industries. It’s the largest cybersecurity benchmarking study with C-level decision-makers ever undertaken. The research findings uncovered that conventional cybersecurity approaches are falling short, and organizations that shift to modern, risk-based strategies are more successful in preventing breaches.

Though organizations, on average, saw a significant uptick in incidents and material breaches in the past two years, a distinct subset had few or no breaches at all. So, what sets these exceptional organizations apart? The researchers found that firms with fewer breaches were different from the rest of the pack in two fundamental respects:

- Organizations that prevented breaches ranked higher in cybersecurity progress as measured by the NIST framework. The framework, developed by the National Institute of Standards and Technology, provides guidelines that help companies evaluate and improve their cybersecurity maturity in activities such as detecting and responding to incidents.
- Beyond the NIST framework, organizations with no breaches took what the researchers call “a risk-based approach” to cybersecurity. Forty-eight percent of organizations with no breaches in 2021 had implemented risk-based cybersecurity management strategies. They also performed better in key cybersecurity metrics: 46% were top performers in time to respond to a breach, and 50% were top performers in time to respond.

Looking more closely at the ingredients of a risk-based approach and the specific practices that distinguish risk-oriented organizations from their less proficient peers, the benchmark study found that risk-based leaders excelled in key areas beyond the NIST framework, including:

- Attack simulation
- Risk scoring
- Research (threat intelligence)
- Technology assessments and consolidation

“You must take a risk-based approach because you can’t secure everything a hundred percent. There are a lot of questions to ask: What is the business of the business? What does the risk profile look like? What are the threats? What are the implications? And what is the governance process an organization goes through to make risk-based decisions?” stated Gary McAlum, Board Director, National Cybersecurity Center.

The business impact of successful risk-based security management — versus the old status-quo, detect-and-respond approach — is measured in this research. By preventing or mitigating breaches, risk-based methods could have saved companies millions of dollars annually and prevented untold damage to reputation, customer trust, company morale, and market standing.

“The cybersecurity industry is witnessing a paradigm shift in cyber risk. To prevent breaches, CISOs must make a strategic shift – from the traditional volume play of identifying vulnerabilities and merely adhering to cybersecurity frameworks – to taking a strategic risk-based view of reducing actual exposure,” said Gidi Cohen, CEO and Founder, Skybox Security. “At the board level, leaders want to understand their risk profile rather than how many vulnerabilities were patched each month. CISOs need to validate and report on how they’re taking measurable, proactive steps to reduce risk systematically and reduce the financial impact a breach could have on their company.”

Read the full paper, underpinned by research conducted by ThoughtLab: Reduce cybersecurity risk with security posture management

Over 500 of the world’s largest and most security-conscious enterprises rely on Skybox for the insights and assurance required to stay ahead of dynamically changing attack surfaces. Our Security Posture Management Platform delivers complete visibility, analytics, and automation to quickly map, prioritize, and remediate vulnerabilities across your organization. The vendor-agnostic solution intelligently optimizes security policies, actions, and change processes across all corporate networks and cloud environments. With Skybox, security teams can now focus on the most strategic business initiatives while ensuring enterprises remain protected.

https://www.skyboxsecurity.com/

Contacts

Ashley Nakano, Corporate Communications Director, media-relations@skyboxsecurity.com
