Cybersecurity concerns remain top of mind for global CEOs as they weigh the challenges their organizations will face in the next five to 10 years. A new report by global management consultancy EY reveals that cybersecurity tops the list of concerns for CEOs, along with income inequality and job loss caused by technology advances.

The findings in EY’s 2019 CEO Imperative Study confirm earlier research showing that chief executives view cybersecurity threats as one of their most daunting challenges. Adding to the problem, the EY study reveals that CEOs lack confidence in the C-suite’s ability to address these challenges. Only about one-third of respondents (34%) said they believe the current C-suite model is “well-suited to the demands and opportunities of the next decade.”

In January, CEOs in a study by The Conference Board ranked cybersecurity as their biggest “external concern” for 2019. This followed an earlier finding by the World Economic Forum that cybersecurity attacks are the top risk of doing business in North America. And in June, a report by KPMG based on a poll of 400 CEOs revealed that they view cybersecurity as one of the greatest threats to business growth.

Cyber risks are especially daunting for organizations because they create issues of trust. And as Gil Forer, EY Global Markets Digital and Business Disruption Lead Partner, argues in an article about the report, “Future corporate growth depends on trust, whether between corporations and customers, people and technology, or management and employees.”

Gearing Up

The EY study, which polled 200 CEOs, 100 senior institutional investors and 100 independent board members, offers some hope that CEOs are preparing to deal with cybersecurity risks and other challenges. They plan to accomplish this by bringing change to the C-suite.

The study says 72% of CEOs and 82% of boards plan to add positions or change roles in the executive ranks. The management model has already undergone some modifications in recent years, according to the report, as organizations have added new positions such as chief innovation officer, chief digital officer and chief strategy officer.

Going forward, organizations are trying to beef up their capabilities in several areas – digital transformation (55%); innovation (53%); artificial intelligence (43%); data science (33%); and behavioral science (25%).

“We have arrived at a tipping point in corporate action on global challenges which will have a powerful impact,” the report says. “The world’s largest companies are set to undertake a range of meaningful actions to address global challenges such as income inequality, the ethics of AI, cybersecurity and climate change.”

How cybersecurity threats are addressed will remain a challenge for CEOs in the foreseeable future, especially considering the difficulty of filling cybersecurity positions. (ISC)² research has revealed that currently there is a shortage of nearly 3 million cybersecurity workers worldwide.

This means that while changing the character of the C-suite will help with some corporate challenges, it won’t be enough to address cyber concerns. Corporations will need to work with the cybersecurity industry and educational institutions to address the skills gap and, by extension, the overall cybersecurity challenge.

(ISC)2 Blog by (isc)² Management - 3d ago

With half the year already in the rearview, it’s a great time to reflect on your goals. Is achieving the CISSP, CCSP, SSCP or another elite (ISC)² certification part of your plans? If so, do you have a winning strategy in place? Here are three tips to help you get – and stay – on track as you pursue next steps.

  1. Set an exam date. Registering now can keep you motivated and focused on your certification goals. And the sooner you pass the exam, the sooner you’ll prove your cybersecurity expertise to employers and peers!
  2. Develop a study plan. Work backward from your exam date to create a study plan, setting a routine with time dedicated to studying each day. Download our FREE Certification Prep Kit for fast facts on (ISC)² training and study tools, a peek into official courseware, plus pointers to help you move forward.
  3. Train with confidence. (ISC)² Official Training helps you prepare at a pace that suits your schedule and in the format that helps you learn best. We offer exam preparation classes and courseware for cybersecurity professionals directly, as well as through an exclusive network of Official Training Providers around the world.

Keep your eyes on the prize to stay inspired throughout your certification journey. (ISC)² certifications can catapult your career, leading to more credibility, better opportunities and increased earning potential. You’ll expand your skills, knowledge and network of experts, so you always remain at the forefront of your craft. When you pass one of our rigorous exams, you join and draw continuing inspiration from an elite network of peers and partners across the globe.

Need some extra motivation at the midyear checkpoint? Reach out to our team for guidance or to set up a consultation:

  • North America: +1.866.331.4722 ext. 2 | training@isc2.org
  • EMEA: +44 203 960 7804 | info-emea@isc2.org
  • Latin America: +55 21 3174 4613 | connectlatam@isc2.org
  • Asia-Pacific: +852.2850.6951 | isc2asia@isc2.org

Small businesses have a real hunger for new cybersecurity technologies, but they don’t always know what they need, according to a new (ISC)² study. When asked what they would invest in if they had the budget for it, some respondents alluded to “better” and “new” solutions but weren’t exactly sure what they would be.

(ISC)²’s Securing the Partner Ecosystem report reveals a concern among small businesses about running outdated technology. A comment from one respondent about what the company needs puts it all in perspective: “Phishing attack awareness, and more malware services that are up to date and cutting edge.”

While somewhat unsettling, this concern is also a good sign. It indicates small businesses recognize the need to keep their cyber defenses up to date – even if they don’t know exactly what they need. As attackers refine their methods and exploit new vulnerabilities, cybersecurity teams have to counter them with advanced, current technologies and updated policies and practices.

Currently, small businesses say they employ many of the same cybersecurity practices and technologies enterprises use, including firewalls, endpoint protection, anti-phishing spam filters and user training. The study even revealed that proportionally, small businesses hire more security staff than their large partners.

Most Companies Need More

Asked if there are security tools and solutions they want but don’t have the budget for, 72% responded in the affirmative. It’s not surprising most small businesses could use more money to invest in cybersecurity. Budgets are always under pressure, and technology evolves constantly to keep up with new threats.

What is perhaps unexpected is just how extensive the list of tools and solutions is that small businesses say they need. It shows that even though small businesses generally feel good about covering the basics of cybersecurity, they sense they could do more – and they worry they could be missing out on some critical technology.

Here is a partial list of technologies they could use:

  • Third-party firewall data encryption
  • More advanced malware detection and anti-phishing tools
  • Artificial intelligence (AI) and machine learning
  • Whitelisting
  • Round-the-clock monitoring

Technical Uncertainty

The recognition by small businesses that they could use better protection is a good start. The hard part comes in determining which solutions to implement, as illustrated in these comments from small business respondents:

  • “I am uncertain, but I am confident that we are not doing all that we can.”
  • “I feel like there are better programs than what we currently have that would be more constantly monitored.”
  • “I would need to do further research to find out which programs would help protect our customers/clients payment information.”

It’s clear small businesses are somewhat uneasy and self-aware about their cyber defenses, which should help keep them on their toes. What’s needed now is a better understanding of what to invest in so they can better protect themselves and their partners.


One of the toughest challenges of cybersecurity is to raise awareness among users. Technology solutions are instrumental in achieving a solid security posture, but they only get you so far. There’s always the risk a user will make a split-second bad decision and open the door to attack.

User awareness was the topic of a recent (ISC)² webcast, Delivering Security Awareness that Works. Participants shared their experiences in modifying user behavior and the challenges they face on a daily basis to save users from their own potentially harmful actions.

User Risks

One theme quickly emerged: Cybersecurity teams must be on their toes. Users pose different levels of risk, so cyber pros have to figure out who’s most vulnerable based on various factors, such as behavior, job responsibilities, location and timing. Understanding risk propensity makes it possible to quantify risk and determine what resources are needed.

Sometimes, panelists agreed, risk originates in unlikely places. A common phenomenon involves IT workers who don’t think they are as vulnerable to cyber threats because of their work. They don’t take all the necessary precautions and end up contributing to the problem. The same occurs with high-level executives, who feel immune to threats because of their positions.

In such situations, users have to be shown the potential consequences of their actions so they understand they aren’t immune to cyber threats.

Behavior Modification

Suggestions on how to improve security awareness were plentiful during the webcast, both from panelists and audience members. The primary goal of awareness is to prevent cyber attacks, but it requires a lot of effort to modify user behaviors.

It isn’t enough to just force people to attend training sessions once a year. Raising awareness requires engaging users on an ongoing basis so they become conditioned to new behaviors. Among the ideas discussed were short instructional videos of no more than three minutes, phishing simulations, games and searchable libraries that make it easy for users to find the information they need.

There was a suggestion to get personal. Don’t underestimate the power of “me” in raising security awareness. Rather than overly focus on protecting the organization, demonstrate to users the consequences of a bad decision – to themselves, their own hard work and ultimately, the company. Bringing awareness at a personal level makes it easier to understand what’s at stake.

Panelists also suggested using humor and the “repetition is learning” approach. Keep reminding users of safe computing practices. For instance, every time users get a password reset request, include a reminder of what makes a strong password. In another example, one company handed out stickies printed with the message, “don’t write your password on this.”

Reward System

Panelists and audience members also discussed rewarding users for good security practices. One company had the “Red Stapler Security Award,” given monthly to an employee outside the security team for security-related actions. The award included a Swingline red stapler and lunch with the CISO.

To hear the complete webcast and pick up some valuable pointers on raising security awareness, click here.


You’ve been curious. You’ve waited patiently. And now you’ll know exactly which sessions you can look forward to at our ninth annual Security Congress in Orlando!

The full agenda for this conference is now online for you to browse and you won’t want to miss this year’s event. Security Congress will advance a global perspective and vision as our premier conference for thousands of cybersecurity professionals from all over the world. With more than 4,000 attendees expected, 18 tracks, 175 sessions and more than 200 speakers, this will be the biggest program ever. 

Featured sessions include:

  • A panel discussion on Diversity, Equity and Inclusion: How to Create a Winning Security Company Culture moderated by Jennifer Steffens, CEO of IOActive. Panelists include Ericka Chickowski, Executive Editor of Digirupt.io, Jennifer Minella, (ISC)² Board of Directors Chairperson and VP of Engineering & Security at Carolina Advanced Digital, Inc., Karen Worstell, CEO of W Risk Group and Manju Mude, Security Director of Verizon Media.
When you register before August 15, you can save $200 on your All-Access Pass. The early bird discount is your best conference value and includes three days of educational sessions, workshops and keynotes, exclusive networking events and of course, valuable Continuing Professional Education (CPE) credit opportunities.


While large enterprises are highly confident in their cybersecurity defenses, a new (ISC)² study suggests they need to be more diligent in a couple of areas – taking action when told about security vulnerabilities and removing privileges for users who no longer need access to systems.

The (ISC)² Securing the Partner Ecosystem study polled respondents from both small businesses and large enterprises. Asked if they’ve alerted enterprise clients to security vulnerabilities they’ve discovered on the enterprise’s systems, 53% of small business respondents said yes. Yet, 35% of large enterprise respondents said nothing is done about these alerts.

In response to a question about access to enterprise partner systems, 55% of small business participants said they’ve found they still have access to a former client’s systems after terminating a contract or project.

Both of these practices pose real dangers. Failing to address vulnerabilities can lead to security breaches and all the problems that come with them – downtime, loss of productivity and revenue, remediation costs and reputational damage. Failing to remove access for third parties after a business relationship ends needlessly adds a threat vector that can also lead to a breach.

Security Practices

The study produced some unexpected findings. For instance, it revealed that small businesses don’t cause as many breaches at large partners as previously assumed. It also showed that enterprises and small businesses employ many of the same cybersecurity best practices to protect their networks.

For instance, 68% of enterprises use automated anti-malware scans; 64% use firewalls to block access to malicious IP addresses; 59% evaluate and report on security incidents; 59% use filters to prevent phishing; 57% encrypt sensitive data; and 54% configure user access for least privilege.

Asked how sure they are that third parties follow the same practices, 94% of enterprise respondents said they are “confident” or “very confident.” This certainty is corroborated by answers from small business respondents to the same question about best practices.

By and large, small businesses prioritize the same best practices – with some variations:

  • Automatic anti-malware scans: 71%
  • Firewalls to block malicious IP addresses: 66%
  • Strong spam filters to prevent phishing: 62%
  • Scan incoming and for threats: 60%
  • Evaluate and report on security incidents: 48%

Ambivalence About Blame

Although enterprises and small businesses generally agree on how to protect their networks, enterprises showed some ambivalence about whom to blame if a third party causes a breach for them. While 52% would blame the partner, 48% would blame their own company.

In answer to a question with different wording, 69% of enterprise respondents said they would “hold a third party fully responsible for any data leak or breach caused by their mishandling of our company’s data.”

Perhaps the ambivalence results from a self-awareness that large enterprises aren’t as diligent as they should be in certain areas. When enterprises are alerted to vulnerabilities, they should address them as quickly as possible. If they fail to do so for whatever reason, and a breach occurs, then it becomes hard to hold anyone else responsible.


Parents can play an influential role in their children’s choice of careers, but when it comes to cybersecurity, most parents have no advice to give. That’s because they really don’t know much, if anything, about the subject.

A survey by cybersecurity training provider SANS Institute revealed that 63% of parents in the U.K. can’t answer questions about how to find a job in the cybersecurity field. Almost as many parents (61%) said they have little or no knowledge of any career opportunities in the industry, even though 91% said they have heard of cybersecurity.

And despite the high earning potential of cybersecurity careers, 72% of parents said they’ve never considered a career in the field for their children. This lack of knowledge among parents is troubling considering the EMEA (Europe, Middle East, Africa) region currently has a 142,000 shortage of cybersecurity workers, based on (ISC)² research. If children aren’t receiving advice to consider a cybersecurity career, this lowers the prospect of closing the gap any time soon.

“These findings should be seen as a wakeup call to the cybersecurity industry that it needs to do more to promote itself,” said James Lyne, CTO, SANS Institute. “The only people who can really spread that message are those working in the industry already – it’s another way to help close the skills gap we are currently suffering.”

Cyber Misconceptions

While parental knowledge of cyber careers is seriously lacking, there seems to be more awareness of IT careers. More than a quarter of survey participants (27%) said IT is one of the top five career choices for their eldest child, an indication that parents understand the career potential in the overall IT field.

Interestingly, 69% of parents indicated they thought cybersecurity is taught in school, and 87% said they would like their children to learn about cybersecurity as part of the curriculum and in extracurricular activities.

These findings are evidence that if parents aren’t advising their children to pursue cybersecurity career opportunities, it isn’t out of prejudice against the field. Rather, it’s because they really don’t know enough about it and, given the choice, they want their children to learn more about the subject.

Signs of Hope

On a positive note, the SANS Institute also polled U.K. students and found 46% of them have heard of cybersecurity from their parents. With a little more knowledge among parents, it is likely that interest in cyber careers would get a boost.

To achieve that, as Lyne suggested, the industry has some work to do. Collaboration with schools in raising cybersecurity awareness and education among students and parents would be a step in the right direction. Such efforts may take time, but are definitely worth considering. The alternative is the continuation of the cybersecurity skills gap well into the future.


A severe cybersecurity skills gap in EMEA (Europe, Middle East and Africa) is making it hard for cybersecurity staff to cope with their workloads or acquire the skills they need to handle emerging technologies, according to a new report by Symantec.

Cybersecurity workers believe they are at a serious disadvantage against attackers. Simply finding the time to learn emerging technologies, such as those related to mobility and cloud, is a challenge for a workforce whose experience as a group ranges from 10 to 30 years, the report says.

“Declining skills are highly problematic for cyber security professionals, who are effectively in an arms race, in which talent and skill are their most important weapons. Unfortunately, enterprises feel they are falling behind in precisely this area,” according to the report, High Alert: Tackling Cyber Security Overload in 2019. The report is based on the findings of a study conducted by the University of London for Symantec of more than 3,000 security decision makers in France, Germany and the United Kingdom.

Citing an IDC statistic, the report says 97% of European enterprises agree a skills gap exists and that it has negative effects. “It means only 3% of enterprises in Europe believe the industry has the requisite talent to deliver on its mandate – to ensure business integrity and protect sensitive company, customer and shareholder data,” the report says.

The cybersecurity skills gap is well documented. (ISC)²’s Cybersecurity Workforce Study, 2018 found that the EMEA region has a shortfall of 142,000 cybersecurity workers. Worldwide, the skills shortage is nearly 3 million, with Asia Pacific experiencing the biggest gap, 2.14 million. The shortfall in North America is about 500,000.

Cyber Struggles

The Symantec report paints a dire picture of the current struggles of cybersecurity teams in Europe. Nearly half of survey participants (45%) say technological change is happening faster than their businesses can adapt; 48% believe attackers “have a raw skills advantage over defenders;” and 44% say their team lacks the necessary skillset to fight cyber threats.

In addition, 33% say the volume of threats makes it harder to protect their organizations. Perhaps not surprisingly, 49% of participants say attackers have unprecedented access to resources and support provided by bad actors.

Even with all these challenges, the report says only 4% to 8% of IT budgets are allocated to security. Those amounts often don’t even cover the costs of hiring and retaining security professionals, which forces CIOs, CISOs and security managers to ask for more money.

Citing information from the Symantec CISO Forum in February 2019, the report says that hiring a cyber professional takes at least six months and often takes even longer – nine to 12 months. As a result, CISOs are taking a pragmatic approach of teaching skills on the job to candidates who make up for lack of experience with “attitude, mindset and potential.”

To help address the skills gap, the report recommends that cyber workers do a better job of learning from each other and take advantage of cloud-based security solutions, managed services and automation. These steps will help reduce repetitive, mundane tasks and let cyber workers focus on higher-value work.

(ISC)² offers free on-demand courses to its members and associates online through its Professional Development Institute in order to help cybersecurity professionals learn new skills at a pace and timing that works for them. These courses are also available for purchase to non-members. To see a listing of available courses, please visit: https://www.isc2.org/development


A new (ISC)² study suggests that small businesses may get too much attribution for causing security breaches for their large enterprise clients. While it’s true that enterprises have suffered breaches caused by third parties, they are more likely a result of actions by a large partner, not a small business.

The Securing the Partner Ecosystem study, which polled respondents both at large enterprises and small businesses, revealed about one third of enterprises (32%) have experienced a breach caused by a third party, but in these cases, large partners are more likely to blame (54%) than small business partners (46%). Only 19% of small business respondents overall say they’ve caused a data breach for an enterprise client or partner.

As a rule, enterprises aren’t concerned about the security practices of small business partners, considering 57% said they are confident and 37% very confident in their cybersecurity measures. And while enterprises have no qualms about holding others responsible for security incidents, almost half (48%) would consider themselves “ultimately at fault” for an incident caused by a third party.

For their part, small businesses hold themselves accountable for breaches at large partners – 73% say they would feel liable if a client was breached. That is the case even if their actions were an indirect cause of the incident.

High Confidence

Enterprises have high confidence in their own cybersecurity posture as well as the security practices of partners. Nearly all enterprises in the study (96%) have contract provisions specifying data access, storage and transmission by third parties.

Almost as many (95%) have standard vetting procedures for small business suppliers’ cybersecurity capabilities before allowing them to access systems. Methods employed to evaluate a partner’s security posture include reviews by a security team or provider (85%), on-site inspections (52%) and RFQs (34%).

A full 98% of enterprises are confident (54%) or very confident (44%) in their ability to protect their own data even if a third-party supplier is breached. However, their confidence may not be entirely justifiable.

For one thing, enterprises don’t always have a handle on how much access third parties have to their systems, with 34% of them saying they have been surprised by a third party’s broad level of access to their network and data. An even higher number of small businesses (39%) were just as surprised by the level of access they were granted.

Also pointing to enterprise overconfidence is a finding about how they react when told by a third party about security vulnerabilities. More than one third (35%) of enterprise respondents said that no action is taken to mitigate these vulnerabilities once notified.

Cybersecurity Staffing

Another surprising revelation in the study has to do with the number of cybersecurity staff employed by enterprises vs. small businesses – 42% of small businesses (with 250 or fewer employees) have at least five cybersecurity staff while 75% of large enterprises (1000 employees or more) employ at least 10 staff members dedicated to cybersecurity. This means that proportionally, many small businesses employ a higher percentage of cybersecurity professionals than enterprises.

While some of this may be explained by the types of tasks cybersecurity teams handle – for instance, there could be more automation at large companies – it also suggests that small businesses aren’t as lax with security as often assumed. It’s even possible the finger-pointing over the years has inspired them to strengthen security efforts.

The research leads to the conclusion that an organization’s size may not be the best indicator of its risk profile. Subscribing to cybersecurity best practices, appropriate staffing levels and maintaining good access management are far more important factors to consider.
