Security Budgets Increasing, But Qualified Cybertalent Remains Hard to Find

The worldwide cybersecurity skills gap continues to present a significant challenge, with 59 percent of information security professionals reporting unfilled cyber/information security positions within their organization, according to ISACA’s cybersecurity workforce research.

According to the report,

  • High likelihood of cyberattack continues. Four in five security professionals (81 percent) surveyed indicated that their enterprise is likely or very likely to experience a cyberattack this year, while 50 percent of respondents indicate that their organization has already experienced an increase in attacks over the previous 12 months.;
  • Nearly 1 in 3 organizations (31 percent) say their board has not adequately prioritized enterprise security.
  • Men tend to think women have equal career advancement in security, while women say that’s not the case. A 31-point perception gap exists between male and female respondents, with 82 percent of male respondents saying men and women are offered the same opportunities for career advancement in cybersecurity, compared to just 51 percent of female respondents. Of those surveyed, about half (51 percent) of respondents report having diversity programs in place to support women cybersecurity professionals.
  • Individual contributors with strong technical skills continue to be in high demand and short supply. More than 7 in 10 respondents say their organizations are seeking this kind of candidate.

Yet, there are several positive and promising insights in the ISACA data:

  • Time to fill open cybersecurity positions has decreased slightly. This year, 54 percent of respondents say filling open positions takes at least three months, compared to last year’s 62 percent.
  • Gender disparity exists but can be mitigated through effective diversity programs.Diversity programs clearly have an impact. In organizations that have one, men and women are much more likely to agree that men and women have the same career advancement opportunities. Eighty-seven percent of men say they have the same opportunities, as compared to 77 percent of women. While a perception gap remains, it is significantly smaller than the 37-point gap among men and women in organizations without diversity programs (73 percent of men in organizations without diversity programs say advancement opportunities are equal, compared to 36 percent of women).
  • Security managers are seeing a slight improvement in number of qualified candidates.Last year, 37 percent of security professionals said fewer than 25 percent of candidates for security positions were sufficiently qualified. This year, that number dropped to 30 percent.
  • Budgets are increasing. Sixty-four percent of respondents indicate that security budgets will increase this year, compared to 50 percent last year […] Read more »



The Quantum Computing Revolution

“Only six electronic digital computers would be required to satisfy the computing needs of the entire United States.” A prediction made by Howard Aiken in 1947 which on hindsight, we can all agree on has not turned out to be very prophetic. The need for processing power has continuously been on the rise and for the most part, the need has been catered through an unparalleled evolution of chip technology as forecasted by Moore’s Law. Moore’s Law states that the number of components that can fit on a computer chip will double roughly every two years, which in turn will improve the processing capabilities of computer chips. The law which is more of an observation rather than a physical law has held true over the decades and has seen digital computers which originally took up entire rooms reduced to being carried around in our very own pockets. But with components reaching atomic scales, and more and more money being fueled in to make chips smaller and faster, it has now come to a point where we cannot count on chip technology to advance as predicted by Moore’s Law. Hence, alternatives are being pursued and developments are being made which has given rise to the idea of quantum computing.

The traditional computer at its very core performs simple arithmetic operations on numbers stored in its memory. The key is the speed at which this is done, which allows computers to string these operations together to perform more complex things. But as the complexity of the problem increases, so does the number of operations that is required to reach a solution; And in this present day and age, some specific problems that we need to solve, far surpasses the computing capabilities of the modern computer. This, however, has also been used to our advantage, as modern cryptography which is at the core of cyber-security, relies on the fact that brute forcing complex mathematical problems is a practical impossibility.

Quantum computers, in theory, do things differently. Information is represented in physical states that are so small that they obey the laws of Quantum Mechanics. This information is stored in quantum bits known as qubits rather than the traditional binary bits used in conventional computers. Quantum Mechanics allows a qubit to store a probability of its value as either a 0 or 1 with the exact value of the qubit unknown until it is measured. Without getting too technical, this allows a quantum computer to contain several states at the same time, giving it the potential to be millions of times faster at solving certain problems than classical computers. This staggering computational power, in theory, could be used to render modern cryptography obsolete.

Modern cryptography relies on complex mathematical problems that would take computers hundreds, thousands or even millions of years to solve. This practical limitation is what keeps our cryptography based security systems secure. But with quantum computers, it is theoretically possible that these solutions could be reached in days or even hours, posing a massive vulnerability threat to our current encryption. If cryptography collapses, so will all our security.

But a quantum world is not all doom and gloom. Active research is already being done on quantum safe algorithms that can replace current algorithms that are under threat from the capabilities of a quantum computer. Theoretically, these quantum safe algorithms could prove to be more secure than anything we currently know of. Another area where quantum computing is likely to shine is in Big Data. With cross industry adoption of new technologies, the world is transforming itself into a digital age. This is sure to pose new problems well beyond the capabilities of modern computers as the complexity and the size of data keeps increasing. The challenge lies in converting real-world problems into a quantum language, but if that is accomplished, in quantum computing we will have a whole new computational system to tackle these problems.

It is important to realize that quantum computing is still in its infancy and almost all of the hype surrounding it is theoretical. But it is clear that the technology promises a revolution in computing, unlike anything we have seen before. It is also important to understand that quantum computers are not a replacement to the classical computer; Rather, it is specialized at solving a particular set of problems that are beyond the powers of a modern computer. This opens up a vast avenue of possibilities for quantum computing. The traditional computer will still have its place but with the world moving more and more towards a data-driven future, expect quantum computers to play a vital role in the future of technology.


Cybersecurity Partnerships: A New Era of Public-Private Collaboration

It is generally understood that the public and private sectors need to collaborate to address the nation’s cybersecurity challenges, yet there remain significant questions regarding the circumstances, nature, and scope of those relationships. Legal, strategic, and pragmatic obstacles often impede effective public-private sector cooperation, which are compounded by regulatory and civil liability risks. Different government agencies have competing roles and interests, with the government serving dual roles as both partner and enforcer, influencing how companies facing cyber threats view public authority. These domestic cybersecurity challenges are complicated further by cross- border issues, including inconsistent laws and perspectives regarding, in particular, privacy norms and restrictions, data transferability, and divergent political interests in combating cyber threats.

A welter of issues involving technology, business, law, and policy affect the strategic cybersecurity relationship between the government and the private sector. And many of those issues are evolving and unclear. Because cybersecurity’s challenges are multifaceted, traditional modalities of interaction between government and private sector— between regulators and regulated—do not always capture the nuanced ways in which the nature of the cybersecurity challenge has fundamentally altered these relationships.

In an effort to better understand and, hopefully, help address the challenges of institutionalizing effective cooperation, this paper will explore four key areas that should be clarified as a necessary step in adopting a strategic approach to cybersecurity:

  1. Why is cybersecurity different from other threats, and why is public/private collaboration uniquely valuable to address cybersecurity challenges?
  2. What barriers—including, for example, the evolving regulatory and civil litigation landscape, and cross-border challenges—impede e ective cybersecurity collaboration, and themselves generate additional layers of uncertainty and cost for institutional victims of cyber attacks?
  3. In light of those barriers, and available private-sector resources, should companies focus on self-help for addressing cybersecurity issues? When and to what extent can companies more effectively combat cyber threats without government assistance?
  4. What methods of public-private sector collaboration have been more successful than the traditional models of governance, and what roles can, and should, different parts of the government play in a comprehensive cybersecurity strategy?

While the problems are difficult, the answers may, in some respects, be astounding in their simplicity—solutions grounded in basic principles of organizational communication, teamwork, trust and relationship building, accountability, and foresight to prepare for and invest in mitigating risk before disaster strikes. These approaches are critically important and readily attainable, for those within industry and government who are willing to invest time, thought, and resources proactively, to avoid the far greater costs of an ill-prepared cyber response strategy.

Yet, in other ways, the challenges to effective cybersecurity solutions are confounding. The technology is often complex and constantly evolving, the vulnerabilities are vast and elusive, and the laws are fragmented and unclear. Perhaps the greatest challenges emerge from the significant, sometimes competing, domestic and foreign policy consequences impacting both government and business that ow from any proposed policy or legal response. These issues emerge at the intersection of technology, risk management, business, law, and strategy; successfully navigating them requires a sophisticated understanding of each of those diverse areas.

Government and industry bring a diverse range of resources, priorities, and perspectives to these issues that can sometimes compete. But, at a strategic level, they often are fundamentally aligned in their shared desire to develop effective strategic solutions to cybersecurity challenges.The key is determining how best to maximize the collective resources of business and government at that point of alignment.

Ultimately, the short answer is that no single actor (or group of actors) can figure it out alone. A strategic cyber- security solution mandates the combined resources and coordination of government and industry, within a practical framework that balances effectiveness with efficiency, and security with privacy and innovation. To reach that solution, we first need to understand the benefits, barriers and alternatives to effective coordination, and why the nature of the problem demands new and innovative forms of collaboration. In doing so, we will come to realize that the government and private sector already are innovating in the forms of collaboration necessary to address the cyber- security threat; next, the challenge will be to institutionalize and expand these means of working together […] Read more »


After the Breach: Cybersecurity Liability Risk

Cybersecurity’s evolving regulatory and liability landscape compounds the challenges that companies face from cyber attacks, and further complicates the ability of corporate executives and their advisors to understand and effectively manage cyber risk. Companies must prepare for and respond to a potential cyber attacks direct damage, including financial and data loss, system and service interruptions, reputational harm and compromised security. Cyber attacks also expose companies to diverse and uncertain regulatory and civil liabilities. Although these risks generally become apparent post-breach, they must be contemplated and managed proactively, before a breach occurs.

The decision-making of companies that are facing systematic and strategic cyber threats is, therefore, fraught with legal uncertainty about the implications of how they prepare for and respond to the threat. With piecemeal statutes and regulations, and emerging technologies, companies must navigate myriad potential sources of civil and criminal liability related to cyber incidents whose doctrinal contours are unsettled. Concerns include, for example, how to: Institute and monitor security protections; implement cyber incident response policies and procedures; disclose threat, vulnerability and incident information; and determine when, whether and how best to inform, and potentially cooperate with, government. In addition to the inherent difficulties in determining how to address these concerns, companies also must evaluate how each of those decisions may impact litigation risk.

These concerns are particularly acute because many of the most serious cyber vulnerabilities reside in privately- owned networks and systems, those systems often contain some of the most valuable information available about the nature of the threat, and, ultimately, steps to prevent and mitigate harms must be implemented largely by the private sector. Unless we understand better the factors shaping the private sector’s response to cyber harms, including the ways in which litigation risks shape strategic decisions about cybersecurity, it will be di cult to comprehensively address the threat. And while governments traditionally have been charged with protecting the national interest, that role, in a digital era, is increasingly also played by private companies. To the extent that an unsettled liability landscape shapes private sector decisions about investing in cybersecurity protections, disclosing cyber incidents to the public, and cooperating with government, the problem is no longer exclusively one of legal rights and remedies, but also one of strategic cyber preparedness.

Managing this shifting landscape requires executives, including at the board and senior leadership level, not only to con rm that adequate technological defenses are in place, but also to think strategically regarding how to create and implement corporate governance, and communication and response structures, to manage cyber risk. This means ensuring that the organization effectively can identify and address emerging regulatory and liability issues on both a proactive and responsive basis. Moreover, because systems can be compromised at any level, it also involves communicating (through training and protocols) the significance and means of properly managing cybersecurity risk […] Read more »


Is Your Vendor Risk Management Program Working?

As the saying goes, you can outsource most anything, but you can’t outsource responsibility.  Companies remain on the hook for ensuring their vendors are up to task when it comes to cybersecurity, privacy compliance and continuity of operations. This checklist can help determine the maturity of your vendor risk management program.

✔ We understand the vendor’s role relative to our business risk.

Knowing if a vendor is reliable requires knowing how they are being relied upon. It is worth considering how a particular vendor’s security failure might impact the confidentiality, integrity or availability of your employee records, customer data and business secrets, and whether their failure could put a halt to your operations altogether.

✔ We understand the vendor’s security relative to our requirements.

Just because a vendor is well known, does not mean their standard offering meets your company’s legal, regulatory, contractual and business security needs. Companies often take advantage of a cross-functional team of information security, legal, compliance, procurement, privacy and risk experts when making important vendor decisions.

✔ We ask the right questions and understand the response.

Vendor questionnaires are all the rage, but they are resource intensive for both parties. If your company uses them, do it right by assigning appropriate personnel to assess the answers, recognize gaps and potential remediation measures, follow your organization’s risk acceptance procedures and document decisions. Alternatively, consider accepting independent third-party audits and certifications, supplemented only as necessary for unique requirements.

✔ Our contracts are rock solid.

The Federal Trade Commission put it succinctly: “Insist that appropriate security standards are part of your contracts.” But, what are appropriate standards? Among other things, strong contracts take into account a company’s legal and regulatory environment, and often have provisions relating to specific security controls, compliance with industry standards, third-party certifications, data rights and privacy requirements, audit rights, insurance coverage, incident notification (and cooperation and information sharing if there is an incident), responses to legally compelled disclosure, data localization requirements, choice of law, restrictions on subcontracting, data destruction, SLAs and indemnification […] Read more »



Atlanta Municipal Systems Hit with Ransomware Attack

Atlanta city employees coming to work this morning were handed an unusual notice: don’t turn on your computers. The municipal systems had been hit with a ransomware attack on Thursday, and employees at City Hall were not to use their computer until they were cleared by the municipal IT group.

According to the Atlanta Journal-Constitution, city officials have been struggling to determine how much sensitive information may have been compromised in the attack. Atlanta Mayor Keisha Lance Bottoms told employees to monitor their bank accounts.

“Let’s just assume that if your personal information is housed by the City of Atlanta, whether it be because you are a customer who goes online and pays your bills or any employee or even a retiree, we don’t know the extent, so we just ask that you be vigilant,” Bottoms said.

The attackers demanded the equivalent of $51,000 in digital currency to unlock the system, and the attack is affecting applications customers use to pay bills or access court-related informationUSA Today reports.

According to Craig McCullough, AVP, U.S. Federal for data protection and information management solution provider Commvault: “The recent ransomware attacks on Atlanta’s computer systems is another wake up call for the U.S. Government to be better prepared to defend against cyber-attacks. Unfortunately these attacks are not isolated incidents and will continue across Federal […] Read more »



Only 39% of Breached Companies Can Confidently Identify Source

Nearly four in five companies (79%) were hit by a breach in the last year, according to new research from Balabi. The report, titled The Known Unknowns of Cyber Securityalso revealed that seven out of ten (68%) businesses expect to be impacted by further breaches this year, with more than a quarter anticipating a breach to occur within the next six months.

The Unknown Network Survey, deployed in the UK, France, Germany and the US, reveals the attitudes of 400 IT and security professionals surrounding their IT security concerns, their experience with IT security breaches, their understanding of how and when breaches occur, and the strategies they’re using to combat hackers.

Knowing your Environment

The majority of businesses know very little about the nature of the security breaches that take place within their organizations. Whilst a high percentage of companies have experienced a breach, less than half of respondents (48%) feel fully confident that they would know if a breach had even happened, meaning that more could have taken place without their knowledge. Furthermore, only 42% of respondents feel very confident about what data was accessed during a breach, and a mere 39% were fully confident that they could identify the source of a breach.

Privileged users, who are granted the most access within an organization, are vulnerable to attack and can open the door to insider threats, leading to internal tension around the development of cohesive security strategies. With half of all security breaches being employee-related, 69% of senior IT professionals agree that an insider data breach is the biggest threat they are facing in network security.

“Attacks are becoming more and more sophisticated and every organization is at risk,” said Csaba Krasznay, security evangelist, Balabit. “Security is no longer about simply keeping the bad guys out. Security teams must continuously monitor what their own users are doing with their access rights, as part of a comprehensive and cohesive security strategy.”

“What’s really alarming, though, is that the majority of businesses know very little about the nature of the security breaches that are happening to them. Many even admit that a security breach could quite feasibly go unnoticed. That’s how loose a grip we’ve got on them, or how little we really understand them. We know about breaches, sure – but we really don’t know enough,” Krasznay continued […] Read more »



4 Trends Driving Security Operations Center

Today, the need for organizational trust has been amplified by cyber threats that continue to grow in variety, volume and scope. According to the Cisco 2018 Annual Cybersecurity Report, 32 percent of breaches affected more than half of organizations’ systems, up from 15 percent in 2016. Network breaches shake customer confidence, and it’s essential that organizations protect intellectual property, customer records and other critical digital assets. A strong cybersecurity strategy is today’s foundation for creating confidence among partners and customers.

The Security Operations Center Gains Prominence

A key factor in establishing trust is the presence of a Security Operations Center (SOC). This is true whether the SOC functions internally or is provided by a third party, such as a managed security service provider (MSSP).

This team monitors, detects, investigates and responds to cyber threats around the clock. The SOC is charged with monitoring and protecting many assets, such as intellectual property, personnel data, business systems and brand integrity. This includes the connected controls found in networked industrial equipment. The SOC assumes overall responsibility for monitoring, assessing and defending against cyberattacks.

SOCs have grown in importance due to four primary trending needs:

  1. Departmental collaboration: It’s more important than ever that organizations maintain an environment where skilled people with the right tools can react quickly and collaborate to remediate system-wide as well as local problems.
  2. Cross-functional collaboration: People and cybersecurity tools must work together with other critical IT functions and business operations. These departments align with business objectives and compliance needs for a high-performing operation that is efficient and effective.
  3. Company-wide coordination and communication: As a security event takes place, it’s essential that there’s a centralized team to communicate with the rest of the organization and ensure efficient resolution. In turn, it’s also important that the organization knows who to turn to in the event of an incident.
  4. A holistic view: A view of all digital assets and processes that is centralized and real-time makes it possible to detect and fix problems whenever and wherever they occur. Centralization is critical for IoT systems. The sheer number of devices and the likelihood that they are widely dispersed make local monitoring impractical and inconsistent.

As security operations have changed, the associated job roles and responsibilities have evolved as well. Having the right team with the right skills in place is essential to optimizing an organization’s front-line defense.

SOC Member Roles

Within the SOC, there are many roles. While SOC teams are not all the same, these roles typically include:

  • Cybersecurity SOC Manager: Manages the SOC personnel, budget, technology and programs, and interfaces with executive-level management, IT management, legal management, compliance management and the rest of the organization.
  • Incident Responder: Investigates, evaluates and responds to cyber incidents.
  • Forensic Specialist: Finds, gathers, examines and preserves evidence using analytical and investigative techniques.
  • Cybersecurity Auditor: Monitors compliance of people, procedures and systems against cybersecurity policies and requirements.
  • Cybersecurity Analyst: Identifies, categorizes and escalates cybersecurity events by analyzing information from systems using cyber defense tools.

These individuals work together to identify and respond to cybersecurity incidents in real time.

Building a SOC: A Challenge and an Opportunity

As networks expand and grow in complexity, SOCs are emerging as the enterprise’s front and best line of defense. The SOC is a strategic, risk-reducing asset that strengthens the security of an organization’s systems and data. Building a SOC isn’t as easy as simply hiring new team members, however […] Read more »



The US Cities that are Best at Password Security

New research reveals the US cities that are best at password security, with Minneapolis topping the list.

A study by password manager Dashlane scores cities based on several metrics, including average password strength and average number of reused passwords.

The cities best at password security are:

  1. Minneapolis, MN
  2. Seattle, WA
  3. San Francisco – Oakland, CA
  4. Detroit, MI
  5. Chicago, IL
  6. Denver, CO
  7. New York, NY
  8. Saint Louis, MO
  9. Washington, DC
  10. Miami – Fort Lauderdale, FL
  11. Riverside, CA
  12. Boston, MA
  13. Philadelphia, PA
  14. San Diego, CA
  15. Tampa – St. Petersburg, FL
  16. Los Angeles, CA
  17. Dallas, TX
  18. Phoenix, AZ
  19. Houston, TX
  20. Atlanta, GA

Mess With Texas

Things might be bigger in Texas, but not when it comes to passwords: All of the Texas locations scored near the bottom in both rankings, the study said.

NorCal vs. SoCal

According to the study, NorCal officially takes cybersecurity bragging rights as their scores were dramatically better across the board. The trend does not follow a straight North-South progression, however, as San Diego came out on top of LA.

Southern Discomfort

Four out of the six lowest-scoring cities hail from the south: Dallas, Atlanta, Houston, and Tampa […] Read more »



Investors Put Cybersecurity Top of the Business Threat List

Cyber attacks are the now the biggest threat to business in the eyes of investors, mirroring growing global concern from business leaders, according to a new study by PwC.

In the PwC Global Investor Survey 2018 the views of investors and analysts are compared with those of business leaders. The study found that 41% of investors and analysts are now extremely concerned about cyber threats, seeing it as the largest threat to business, rising to first from fifth place in 2017. A similar amount (40%) of business leaders see it as a top three threat, but business leaders rank over-regulation and terrorism higher in the global study.

To improve trust with consumers, investors believe businesses should prioritize investment in cyber security protection (64% investors; 47% CEOs).

Investors rank geopolitical uncertainty (39% extremely concerned), speed of technological change (37%), populism (33%) and protectionism (32%) in the top five threats to growth.

Hilary Eastman, head of global investor engagement at PwC, said: “The top concerns of investors and CEOs emphasise the different internal and external perspectives on, and day to day experiences of, businesses. While on-the-ground challenges such as finding the right skills are high on business leaders’ agendas, investors are preoccupied with the impact that wider societal trends, such as geopolitical uncertainty, populism and protectionism, have on businesses generally.”

Overall, PwC finds that both investors and CEOs are more confident about the global growth outlook than they were last year. 54% of investors (+9%) believe global economic growth will improve and 57% of CEOs (+19%) […] Read more »