New Year’s Resolutions for CIO and Digital Transformation Leaders

Happy holidays and new year everyone! Have your final cocktails of 2018, read up on my driving digital predictions for 2019, and get ready to lead your organizations through what is likely going to be a jittery year of successes, surprises, and necessary pivots.

I’m guessing you have your 2019 plan locked and loaded, but if you’re a reader of my book Driving Digital, my articles (here and on InfoWorld and CIO) and the monthly Driving Digital Newsletter, you’ll know that roadmaps need ongoing refinement.

So with that, allow me to suggest some new year’s resolutions that you might want to bake into your 2019 plans.

Develop relationships, then drive change

If transformation is a journey, then you had best be prepared to meet, learn from, question, inspire, and drive change with new people every day. These activities should occupy a healthy percentage of your weekly time, especially because you need relationships and empathy before you can drive culture, behavioral, and process changes. Consider establishing a Driver’s Voice Meeting, taking steps to become an agile organization, looking for new ways to reward top performers, and seeking other practical advice for managing organizational change. The number one reason digital transformations fail is that executives fail to embrace that it is a bottom-up transformation that will require change across the organization.

Roadmap a proactive data governance program

With the initial GDPR compliance behind us, I hope more organizations will take proactive steps and invest in data governance programs. Yes, you cannot afford to lag behind your industry in data, analytics, and AI, and maybe you are already becoming a real-time enterprise, but most experts agree that investing in data quality, cataloging, and access policies is a critically important step.

Read three more of Isaac’s Driving Digital new year’s resolutions for CIOs and digital transformation leaders.


Isaac Sacolick is a former CIO and CTO and now President of StarCIO, a services company that helps businesses drive smarter, faster, and more innovative business transformations. He is the author of Driving Digital: The Leader’s Guide to Business Transformation through Technology which covers many practices such as agile, devops, and data science that are critical to successful digital transformation programs. Sacolick is a recognized top social CIO, digital transformation influencer, and blogs at Social, Agile and Transformation, InfoWorld and CIO.com.

Philadelphia University’s Cybersecurity Program Receives “Top Curriculum” in the US

OnlineMasters.com, an industry-leading educational research organization, has named La Salle University’s Master of Science in Cybersecurity a top 25 internet security program for 2019, and also awarded the program “best curriculum.”

OnlineMasters.com analyzed every online master’s program in internet security in the nation with a team of 43 industry experts, hiring managers, current students and alumni.

According to OnlineMasters.com, the study leveraged “an exclusive data set comprised of interviews and surveys from current students and alumni in addition to insights gained from human resources professionals.” Their methodology weighted academic quality (academic metrics, online programming, and faculty training and credentials) at 40 percent, student success (graduate reputation, student engagement, and student services and technology) at 40 percent, and affordability (average net cost, percent of students with loans, and default rate) at 20 percent. The study incorporated current data from the Integrated Postsecondary Education Data System (IPEDS) and statistical data from the National Center for Education Statistics. Only programs from accredited nonprofit institutions were eligible.

“We are honored to be recognized as a top 25 internet security master’s program, with a special nod to our curriculum,” says Peggy McCoey, assistant professor and graduate director for La Salle’s M.S. in Cybersecurity. “We have developed a flexible, rigorous, and highly relevant program to ensure today’s students develop competencies in cybersecurity management as well as breach detection, mitigation and prevention. The Program balances both theoretical and practical aspects and draws key learnings from industry practitioners to ensure attention to ethical principles and changes related to cybersecurity.”

La Salle’s M.S. in Cybersecurity is a 100 percent online asynchronous program with three start dates and eight-week courses so students can complete two courses per semester. OnlineMasters.com noted its “engaging courses in cyberwarfare, cybercrime and digital forensics” in support of its “best curriculum” designation[…] Read more ».


Is Your Data Breach Response Plan Ready?

Fifty-six percent of organizations experienced a data breach involving more than 1,000 records over the past two years; among those, 37 percent were breached two to three times and 39 percent had breaches global in scope, according to Experian. In 2017 in particular, there were more than 5,000 reported data breaches worldwide, and more than 1,500 in the U.S. alone.

In an effort to help businesses prepare for data breach response and recovery, Experian launched its new Data Breach Response Guide last month to provide in-depth strategy and tactics on how to prepare and manage incidents.

Security asked Michael Bruemmer, Vice President of Data Breach Resolution & Consumer Protection at Experian, how cybersecurity has changed recently and how enterprises can revamp their security strategies to be resilient and ready.

Security: How have typical responses to data breaches changed over the past five years?

Bruemmer: Fortunately, responses to data breaches are immensely better. There has been great progress in preparation, as 88 percent of companies say they have a response plan in place compared to just 61 percent five years ago, according to our 2018 annual preparedness study with the Ponemon Institute.

One of the biggest changes in data breach responses over the last few years is that organizations now have a breach-ready mindset and know it’s not about whether a breach will happen but rather when it will occur. Thus, many organizations now have a data breach response team in place, which is key to implementing a quick and adept response.

Businesses have also started to include public relations personnel on their data breach response teams, which has helped companies maintain more positive relationships with their stakeholders post-breach. There is still room for improvement: while companies have a plan in place, a large majority don’t practice their plans in a real-life drill setting, and the C-suite and boards are still not engaged enough in the process.

Security: What still needs to occur to improve enterprises’ data breach response protocols and practices?

Bruemmer: A few areas for improvement include actually practicing the data breach response plan and therefore, feeling confident the company can handle an incident successfully. In our 2018 annual preparedness study, only 49% of companies said their ability to respond to data breaches is/would be effective. One of the reasons may be that most boards of directors and C-suite executives are not actively involved in the data breach prep process, nor are they informed about how they should respond to an incident.

Another dynamic that requires attention, and is relatively new, is the passing of the General Data Protection Regulation (GDPR) overseas. Companies that operate internationally must understand the legislation and make sure they are equipped to handle a data breach that involves individuals globally. They should hire legal counsel who have knowledge and experience in this area and enlist partners that have multilingual capabilities and a presence in key countries. That way, operations such as notifying affected parties and setting up call centers can be executed quickly. Organizations are still catching up here.

Security: When auditing their data breach response plan, what in particular should security leaders be looking for?

Bruemmer: Businesses should conduct an audit of every component of a response plan. Security leaders should also assess whether external partners are meeting the company’s data protection standards and are up-to-date on new legislation. For example, healthcare entities should guarantee that business associate agreements (BAAs) are in place to meet the Health Insurance Portability and Accountability Act (HIPAA) requirements. Additionally, vendors should maintain a written security program that covers their company’s data. Realistically, an organization could have up to 10 different external vendors involved in a data breach response, so keeping this circle secure is important.

Security: What are the top three issues business security leaders should plan for next year?

Bruemmer: Businesses should keep an eye on artificial intelligence (AI), machine learning (ML) and cryptomining malware next year. In a continuously evolving digital landscape, advanced authentication, or added layers of security, have become increasingly important for businesses to adopt when it comes to safeguarding against potential data breaches. However, while AI and ML are helpful in predicting and identifying potential threats, hackers can also leverage these as tools to create more sophisticated attacks than traditional phishing scams or malware attacks. Criminals can use AI and ML, for example, to make fake emails look more authentic and deploy them faster than ever before. Cryptomining has also become more popular with the recent rise of Bitcoin and more than 1,500 different cryptocurrencies in existence today. Cybercriminals are taking every opportunity, from CPU cycles of computers, to web browsers, mobile devices and smart devices, to exploit vulnerabilities to mine for cryptocurrencies.

Security: Are there any key tools or strategies security leaders can use to better engage with the C-Suite?

Bruemmer: Unfortunately, the lack of engagement by the C-suite and boards seems to be an ongoing issue. In today’s climate, companies should employ a security leader in the C-suite such as a Chief Information Security Officer to ensure protection is a priority and administered throughout the organization.

There should be ongoing and frequent communication about security threats by this officer to leaders and the board. In this instance, it’s better to over-communicate rather than hold back vital information that could help mitigate potential reputation damage and revenue loss […] Read more »


Nearly Half of Americans Willing to Give Brands a Pass for a Data Breach

New data shows that the U.S. public is surprisingly forgiving despite data breaches and controversies as long as companies demonstrate good faith.

The Consumer Attitudes Toward Data Privacy and Security Survey by Janrain also found that 42 percent of U.S. consumers surveyed report at least being open to forgiving the brand, while 7% refuse to forgive brands for allowing bad actors access to their personal data. Fourteen percent have lost all faith in an organization’s ability to protect their data. Nevertheless, consumers are increasingly taking control of their data into their own hands, the survey found. For example, 71% report downloading software that protects their data privacy or otherwise helps control their web experience. But Janrain’s survey brings good news to brands that are evaluating their consent-based marketing processes and capabilities in response to regulatory requirements or to strengthen customer relations.

If given the option, most people (55%) would let companies they trust use some of their personal data for specific purposes that benefit them in clear ways, the survey found. Only 36% wouldn’t let any company use their personal data. Sixty-six percent like the idea of being able to alert companies when they’re interested in something as long as they could “switch it off” when they’re no longer interested. Only 16% aren’t interested in this even if it came with preferences control.

When Janrain probed to gain more understanding about how effective digital brands have been in using consumer data to personalize their online ads, only 18% said ads “often” seemed to understand their needs, presenting brands with an important area for improvement. The largest bulk of respondents (47%) reported that these ads do seem to understand their needs at least “sometimes” while 26% said ads “hardly ever” understand them. Nine percent said online ads “never” do.

When asked whether they’d walk away from a business that requires personal information up front (like a phone number or email address) in order to conduct business, 15% of those surveyed said “yes” while 24% said “probably.” Fifty-four percent said it depends on whether the business is trusted or the only option.

Sixty-six percent of those surveyed renewed their call for GDPR-like rules in the United States that force brands to provide consumers with greater privacy, security and control of their personal data. Janrain asked a similar question in May of 2018 to which 69% responded favorably to more regulation in the States. This time, Janrain’s findings show consumers not only want more regulation, they believe it will actually help in the wake of high-profile breaches and controversies affecting well-known organizations such as Yahoo!, Equifax and Facebook. Only 9% believe such laws would be ineffective while only 6% believe more regulation would be too hard on businesses and the economy […] Read more »


8 Events That Changed Cybersecurity Forever

Cyber attacks happen daily and have grown into a pandemic. From the first computer virus to billion-dollar data breaches at large-scale companies, we can learn a lot from cybersecurity history. And while threats continue to develop, so does the defense against them. Hackers are getting smarter, and it is our job to educate ourselves on past incidents so we can better prepare for the future. Take a look at these top 8 events that changed cybersecurity and made it what it is today.

“Those who cannot remember the past are condemned to repeat it.” – George Santayana

The first computer virus was created in the early 1970s and was detected on ARPANET, the predecessor to the internet. In 1988 the first worm to spread across the internet was released, gaining mass mainstream media attention. A quarter of a century later, viruses have evolved into a pandemic: they have proliferated quickly and malware has become more complex.

Cyber attacks happen daily and are constantly evolving. From computer worms to large data breaches, attacks come in all shapes and sizes. In the past quarter century alone, cyber attacks have evolved from tiny hacks created by high-school students to state-sponsored attacks compromising presidential elections.

While threats continue to develop, so does the defense against them. It’s important to remember these past events in order to combat impending attacks. Milestone incidents are what made cybersecurity what it is today – take a look at the top 8 events that changed cybersecurity, and why they (still) matter.

Though new cyber attacks appear each day, these top 8 watershed moments had a major impact on security and have led to where we are today. Here are just a few lessons we can learn from cybersecurity history.

  1. Never assume it won’t happen to you: Anyone and everyone is susceptible when it comes to data – whether it’s stored in the cloud or on premises.
  2. Hackers come from all over: Attacks no longer come exclusively from hackers in their parents’ basements. They have evolved geographically, advanced in sophistication, and the number of attacks from overseas has increased drastically.
  3. Insiders are just as dangerous: Risk now comes from the inside as well. All it takes is one click on a phishing email. Educate your employees on basic cybersecurity terms so that they are able to protect themselves and the company.
  4. Hackers are not going away: With change in technology comes change in crime — and cybercriminals are working harder than ever. It’s important to always be alert and keep up with important trends in order to keep you and your organization as safe as possible.

Unfortunately, the number of cyber attacks is only going to continue to increase, and the impact of those attacks is becoming more significant than ever. It’s important to arm ourselves with what we can: learn from the past and protect your data first, not last.

Uncover your biggest security risks with a data risk assessment – and see how Varonis helps protect your data from the next generation of cyber attacks.

Infographic Sources:
Infosecurity, CSO, Verizon Data Breach Report, Wikipedia, The Guardian

Rob Sobers is a Sr. Director at cybersecurity firm Varonis. He has been writing and designing software for over 20 years and is co-author of the book Learn Ruby the Hard Way, which has been used by millions of students to learn the Ruby programming language. Prior to joining Varonis in 2011, Rob held a variety of roles in engineering, design, and professional services.

Magecart: The Largest Payment Card Attack in History. Here’s what you can do …

The previously disclosed Ticketmaster attack was not a one-off event, but instead part of the largest payment card theft in history impacting over 800 ecommerce sites around the world. If we consider the true impact of this event it is absolutely astonishing. The Target supply-chain-enabled attack from a few years ago was frightening, and that was only one merchant under attack, on in-store point-of-sale systems, for a mere 9 days. The Magecart website supply chain attack leveraged digital website payment card skimming that victimized over 800 global merchants for over 3 years – multiple orders of magnitude larger and significantly more chilling in scope.

The Magecart hacker group successfully attacked some of the most sophisticated ecommerce players and operated largely undetected since 2015 by taking advantage of a client-side weakness that exists in virtually every commercial website today: 3rd party JavaScript runs with the full privileges of the page that includes it. In the case of Ticketmaster, Magecart actors were able to compromise a 3rd party chatbot service called Inbenta that had been embedded on the Ticketmaster site. By manipulating the Inbenta JavaScript code on Ticketmaster’s webpages, Magecart could exfiltrate payment information from every Ticketmaster customer who was served the Inbenta code.

The client-side browser is the primary environment wherein websites display and capture critical customer and payment data. It is the front door for interaction with customers and their data. 3rd party JavaScript executes on the client-side browser and is granted unmanaged and unlimited access to the entire webpage including the ability to exfiltrate data (keylogging, web injection, form field manipulation, phishing, etc.) and deface/alter webpage content. Simply put, by integrating 3rd party JavaScript, website owners are handing out skeleton keys to the front door while they focus extensively on securing the server-side back door. Security pros must think twice about being so cavalier with the skeleton keys to their front door and diligently secure both the server side and the client side of web sessions.

Because many 3rd party vendors have weaker security than the corporate websites that embed their code, they are attractive and susceptible targets. 3rd party JavaScript has unlimited access to the webpage DOM: the browser executes a script in the origin of the page that includes it, regardless of which server delivered it. This means that every 3rd party JavaScript vendor, and the hackers that seek to exploit them, have the same level of access to all webpage elements as the website owner’s development team.


Once that vendor is compromised, their code can be modified or replaced representing a major vulnerability for website owners. Magnifying the potential damage, once a hacker compromises a single 3rd party vendor, they have access to every single website that runs the tool.

3rd party JavaScript is served from external remote servers and executes on the client, and the vendor can change it at any time after it has been reviewed. This is why current security approaches such as pentesting, periodic code review, and dynamic application security testing cannot by themselves prevent these attacks: they assess a snapshot of code the site does not control. Unless the site restricts them (for example with a Content Security Policy), client-side connections to external servers are unmanaged and largely unmonitored, so the company has no visibility into what these 3rd parties are doing and no way to prevent hackers from maliciously exploiting this access. Nearly every corporate website that embeds unrestricted 3rd party JavaScript is currently vulnerable to this attack vector.

Request an Expert Walk-Through of Data Exfiltration from Your Site

Here’s what you can do …

Luckily, there are steps that security teams can take to mitigate or even eliminate the risks of 3rd party vendors. From stringent prevention-level controls that still enable the beneficial usage of 3rd parties all the way to usage limitations that are restrictive and counterproductive, there are practical things that security pros can implement today to protect their companies from the next website supply chain attack.

Prevention is the best option

The best thing security pros can do to prevent an attack like Magecart is to implement technology that controls the access and permissions of every 3rd party running on the page. This insulates websites, their corporate owners, their visitors and private customer data from the inappropriate behaviors of overzealous 3rd parties and the more malicious activities of hackers that seek to exploit them.

Prevention-level approaches for addressing client-side connections not only secure the organization but support the data-control obligations set by regulations such as GDPR and California’s newly passed Consumer Privacy Act (CCPA). Without the ability to control private customer data and prevent unauthorized access by 3rd party website vendors or hackers, an organization risks non-compliance.

Additionally, a major benefit of prevention is that with security and privacy concerns satisfied, the business is free to deploy beneficial 3rd party website tools to achieve the shared goal of the business – revenue generation. By using 3rd parties on otherwise sensitive pages (e.g. payment, registration, login) the business is able to optimize their conversion rates at critical junctions of the customer journey. By using new and innovative tools, the business can be dynamic and differentiate from their peers who are forced to move slower and in a more restricted fashion. The end result is a secure and compliant site that delivers a superior customer experience and produces better analytics.

Monitoring and detection

While prevention is obviously the best method, monitoring provides a less secure and reactive option. Magecart’s multi-year activities are evidence that detection, although helpful, is woefully inadequate. The major inadequacy of detection approaches is that they are incapable of detecting these attacks in real-time. Even with a multitude of global sensors detection schemes may miss highly targeted and hyper-segmented attacks altogether.

Although they may detect an attack, they rarely detect it in time for the website owner to avoid all damage. After all, even if the majority of the damage is avoided after detection, any leakage of customer data is likely to trigger breach-notification obligations and public disclosure. The resulting fines, PR crises and operational fire drills are typically crippling. Detection approaches also have no remediation capability, so the only response is to completely remove the tool and suffer the operational and capital costs associated with losing and/or replacing its functionality. Ultimately, even this removal does not address the root cause, leaving the site entirely and continuously exposed to future attacks via another compromised 3rd party tool operating on the site.

Fundamentally, these approaches are not scalable. 3rd party JavaScript changes routinely and sites are frequently changing and rotating the vendors they use. The alert fatigue coupled with the reactive nature of detection and the persistence of the underlying vulnerability renders these approaches severely limited.

Vendor due diligence assessments

Many organizations, and especially those under strict compliance mandates, perform routine, comprehensive vendor security assessments. Although well intended and highly recommended, such exercises only provide a point-in-time assessment, and even then only produce a comfort-level rating of a vendor’s security program. Any vendor can be breached at any time. In practice we see some of the most seemingly mature and trusted 3rd party website tools breached and exploited to victimize hundreds of websites. Although these assessments provide a semblance of comfort and satisfy some compliance requirements, they do not provide prevention or even continuous detection. These assessments should be part of a comprehensive security program but are in no way adequate as a stand-alone approach to mitigating or preventing 3rd party risk.

Restricting the usage of 3rd party tools

The last resort would be to exercise a debilitating level of caution. The result is limiting the usage of beneficial 3rd party tools, which is entirely counterproductive to the overall goals of the business. Limiting the number of tools used limits the organization’s ability to provide an engaging user experience and extract meaningful analytics. Relying only on “mature” or “trusted” 3rd party vendors and missing out on new and innovative tools makes delivering a compelling, differentiated, and dynamic web presence difficult. Restricting 3rd party tool usage on sensitive areas of the website cripples conversion rates if customer experience and analytics are not optimized at critical points in the customer journey, like account registration, transactions, and checkout.

The Time to Act is Now

It’s likely that the more than 800 compromised sites in this attack are just the tip of the iceberg given the amount of time that this attack was running undetected. Similar attacks on major global airlines, online electronics merchants, online mass merchants and credit rating agencies have recently been reported, exploiting this same attack vector. 3rd party vendors have shifted blame to site owners to incorporate the necessary security measures themselves. It is therefore critical that site owners proactively employ preventative technology to prevent website supply chain attacks while continuing to benefit from the differentiating utility 3rd party tools provide.

Next Steps

Quickly access an assessment of your current risk level.

If the industry wide susceptibility to this attack vector does not have you concerned about your own current vulnerability:

Request a customized expert walk-through of data exfiltration on your site @
www.sourcedefense.com


From a bird’s-eye view of a CSO with Ian Amit

Apex sat down with Ian Amit, Chief Security Officer of Cimpress, to discuss his views on what it means to be an innovative CSO today while remaining a business enabler. With over a decade of experience in diverse security fields, he shares his experience and advice.

Q: What is IT security doing to support innovation in the enterprise?

A: First and foremost, ensuring that security understands the business needs as far as direction (technologically) and strategy. Then security complements said strategy and not only ensures it is taken through secure means, but also further enables it to take additional risks.

Q: What is the single most important thing CISOs should be focusing on today?

A: Understanding and prioritizing the risks for the business. It’s not a question of a technological vulnerability “du jour” to be addressed (especially if it does not affect the organization’s threat model) and more about being able to correctly utilize the resources at hand to most effectively address the actual relevant risks.

Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?

A: Independent. The CIO and CISO have potential conflicting views when it comes to technology, and hence should be independent of each other.

Q: Should IT security be a business enabler?

A: Absolutely. IT Security should never come from a “NO” approach, and by definition should enable the business to pursue whatever course of action it deems the most beneficial.

Q: How do you stay abreast of the trends and what your peers are doing?

A: Beyond the continued technological education, working and engaging with peer CSOs and CISOs has been the most beneficial for me as far as keeping up with the news, and mostly around how other executives are meeting their challenges. Forums where there are curated discussions where the members drive the conversations have been the most effective in doing that.

Q: How have you searched for and found the best vendors for your organization?

A: It is a constant cycle of looking for the right vendors for the organization, and in my view the value of VARs has diminished significantly over the years; they are only used to secure the best price point for a product. For me the focus on products is shifting, and I’m spending more on training my internal resources, while augmenting them with the right products. That means continuously challenging our operating model, and also the products we use.

Q: What is the difference between a CISO and a CRO (Chief Risk Officer)?

A: There is definitely a lot of overlap from my perspective, and I feel like a CRO is only applicable in organizations where the majority of the risk contains not only non-information elements, but is highly biased to financial or legal elements. In more “traditional” organizations, I believe that a CSO (who has all security in scope, not just information security) is the executive role responsible for risk overall, and can be coupled with a strong internal audit function to provide full risk management coverage for the organization.

Q: How has the role of the CISO changed over your career?

A: At the beginning of my career, CISOs were mostly IT-Security managers. The scope and focus of those roles has been mostly limited to technology risk and managing the security of the infrastructure and the technology stack. Modern CISOs, and especially CSOs are tasked with a broader scope which includes the social as well as physical elements of security of the organization.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: Communication is key. Being able to have discussions with your peers in executive management is critical, and this includes learning to formulate risk in business terms. Only then does the application of “our” domain knowledge become applicable. One of the most common mistakes I’m seeing with CISOs in general is gravitating back to the engineering-heavy comfort zone where a lot of them came from, while losing focus on the actual mission, which is to secure the organization and enable it to advance.


Why Employees are Your Greatest Cyber Risk

A new study has found that nearly two in five workers admitted to clicking on a link or opening an attachment from a sender they did not recognize.

This security slip-up is significant because it can lead to the installation of malware on their devices and the harvesting of sensitive corporate data.

Driven by the societal BYOD (bring your own device) trend, the Finn Partners Research study shows that more than half of employees (55 percent) are using their personal devices for work, which directly increases exposure to hackers, malware and data breaches. In addition, only 26 percent of employees change their login credentials and/or passwords for personal and work applications at least once a month.

“The fastest and easiest way for bad actors to gain access to sensitive organizational data is for employees to click on nefarious links – we know that around 40 percent of our workforce is engaging in such behavior,” said Jeff Seedman, senior partner at Finn Partners who leads the firm’s U.S. cybersecurity specialty group. “Employees often assume their personal devices are secure, but then neglect to update their software regularly or put any protection policies in place. This is a serious problem, especially if a device loaded with company data gets lost, stolen or hacked.”

Only 25 percent of employees said they receive “cyber hygiene” training on a monthly basis from their IT team. Cyber hygiene refers to the updating of operating systems on devices, checking for security patches, and changing passwords […]


50% of Retailers Experienced a Data Breach Last Year

Three-quarters of U.S. retailers have experienced a data breach, half in the last year, says the Thales 2018 Data Threat Report.

According to U.S. retail respondents, 75% of retailers have experienced a breach in the past, compared to 52% last year, exceeding the global average. U.S. retail is also more inclined to store sensitive data in the cloud as widespread digital transformation is underway, yet only 26% report implementing encryption, trailing the global average.

Year-over-year breach rate takes a turn for the worse

While last year’s report showed an encouraging decrease in breaches, this year U.S. retail data breaches more than doubled from 19% in the 2017 survey to 50%. This massive increase drove U.S. retail to be the second highest vertical polled to experience a data breach in the last year, ahead of healthcare and financial services and only slightly behind the U.S. federal government.

Digital transformation brings increased risks to data

According to the report, 95% of U.S. retail organizations will use sensitive data in an advanced technology environment (such as cloud, big data, IoT and containers) this year. More than half believe that sensitive data use is happening now in these environments without proper security in place. Each of these technology environments comes with unique security challenges. As the attack surface increases, unique data security challenges need to be addressed.

The increase in attacks against the retail sector calls into question why spending on data security isn’t more significant. Ironically, in the U.S., the traditional concerns about data security related to perceived complexity and business performance impact are now outpaced by a perceived lack of need, which was cited by 52% of respondents. Although not exactly the same globally, a lack of organizational buy-in was tied to 41% not perceiving a need for data security. The message here is that management needs a sense of urgency, and security professionals must do a better job of selling the importance of data security.

Security spending is up but not aligning with risk

The good news is that U.S. retail organizations are responding to the ever-increasing threat with 84% citing plans to increase IT security spending and 28% noting the increase would be significant. The bad news is that spending is not going to what respondents believe are the most effective defenses.

The retail sector recognizes the need for encryption to protect sensitive data. Forty-nine percent require encryption to increase cloud usage and 44% need system level encryption and access controls to expand the use of big data. More than half (52%) believe encryption (along with anti-malware tools) is needed to drive IoT adoption. This is in addition to encryption being the number one choice to satisfy compliance and data security laws such as GDPR, Korea’s PIPA and APPI in Japan.

Seemingly contradicting themselves, both U.S. and global retail ranked endpoint and mobile defenses as those that will get the largest spending increase (72% U.S.; 52% global), even though they rank them the least effective. A bright spot is that more organizations are recognizing the threat to cloud data, and with that 49% of respondents have ranked cloud at the top of their IT security spending priorities […]


Discussions with Malik Bernard on the pathway to cyber success


Apex sat down with Malik Bernard, Executive Head, Cyber Governance (Cyber Security and GRC) at the City of New York to discuss the cyber journey. With over 20 years overall in the space of Cybersecurity, Enterprise IT Strategy and Design, Vendor Management coupled with IAM and DLP program implementation, he shares his experience on the pathway to cyber success.

Q: What is IT security doing to support innovation in the enterprise?

A: This is an interesting question; on its face, a simple question, but if you give it some thought, there has to be a distinction between IT Security and how it supports Cyber. Within IT Security, one may look at Data, Hardware/Software and Artificial Intelligence. I know from performing hands-on labs, working with industry leaders, and analysts, the trend is towards

  • Hardware Authentication
  • Machine Learning coupled with Behavior Analytics
  • Cloud Security or should I say, better cloud security, beyond Firewalls, Storage etc. In this space, virtualization still rules and the implementation of Virtual IPS/IDS is paramount as part of an overall Cloud security strategy.

Q: Should IT security be a business enabler?

A: Everyone and every department should support the business through smart hiring, defined, well-documented processes and procedures, and with appropriate technologies.

Q: How do you stay abreast of the trends and what your peers are doing?

A: I listen to smarter people than myself. I have within my circle of those I trust non-biased individuals who aren’t afraid to tell me no and share with me what they really think, and I attend a few workshop forums yearly to challenge and stretch my knowledge.

Q: How have you searched for and found the best vendors for your organization?

A: It helps to be the SME or subject matter expert or know a few on a variety of business and tech needs. This way, you can cut through the ‘pitch’ and get to the ‘how will this help solve the challenge(s) we’re currently facing’ and how will it scale.

Q: What is the biggest challenge for a CISO today?

A: This one depends on many factors: the size of the organization; the amount of power and control trusted and given to the CISO. I would say, keeping up with the ever-changing attack surface of the enterprise and ensuring that one’s defensive posture is the ‘right size’ for their environment.

Q: What is the difference between a CISO and a CRO (Chief Risk Officer)?

A: CISOs are more focused on tech, cyber, etc. CROs are more focused on Risk, Threats etc. They both should work closely together to ensure a full 360 view of Risk and Threats across the landscape.

Q: How has the role of the CISO changed over your career?

A: I’ve actually changed and defined in my prior role what a next-generation CISO should be focused on and how to get quick wins, towards a sustainable strategy of measured success. This role simply validated what I’ve been doing in prior, non-exec, C-Suite positions.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: Discern what’s real, what’s perceived and what’s noise. Find a way to cut through the ‘pitch’ and understand how x may occur and have in place, 2, 3 options at the ready to defend the organization. Finally, listen more, speak less and be curious.


Mr. Bernard is the Senior Executive Head of the City of New York, where he heads up the City’s Cyber Governance Tower. He was also in charge of leading the following domain areas: Software Security Assurance akin to SDLC, Cybersecurity and Awareness Training and IT Risk.

Prior to joining the City of New York, Mr. Bernard held the role of Chief Information Security Officer (CISO) for a global technology company, where his and his team’s focus was on Cybersecurity (Identity Access Management, Data Leakage Prevention, Threat Management, GRC and Privacy Management).