A Review of the Best News of the Week on CISO Views

Facebook is struggling to meet the burden of securing itself, security chief says (Ars Technica, Oct 19 2017)
Facebook is struggling to live up to the responsibility it faces for adequately securing the vast amount of personal information it amasses, the social network’s top security executive said in a leaked phone call with company employees.

IRS chief: assume your identity has been stolen (Naked Security – Sophos, Oct 19 2017)
Americans should “assume their data is already in the hands of criminals and ‘act accordingly.’”

10 Social Engineering Attacks Your End Users Need to Know About (Dark Reading, Oct 19 2017)
It’s Cybersecurity Awareness Month. Make sure your users are briefed on these 10 attacker techniques that are often overlooked.

How to Buy Cyber Insurance (CFO, Oct 16 2017)
Health care is the most expensive industry for data breaches for the seventh consecutive year, costing health care organizations $380 per record, more than 2.5 times the global average of $141 per record across industries.

NIST Cybersecurity Framework not just for large organizations (CSO Online, Oct 17 2017)
“Small- and medium-sized businesses are drivers of the economy. Statistics show that when [these businesses] are the victim of a cyberattack they go out of business in less than a year,” Walter Copan, the President’s current nominee for the NIST director post, told Science magazine recently.

Reevaluate Your Cybersecurity Spend in 2017 (Secure Thinking by Centrify, Oct 17 2017)
Centrify, an identity and access management (IAM) software vendor, points out that, “Companies spend a meager 4.7% of their total security budgets on IAM – while compromised identities are responsible for 80 percent of all data breaches.”

Your Security Operations Maturity – and Your MSSP (Gartner Blog Network, Oct 17 2017)
Contrary to what some people think, using MSSP is not just for losers, err, low-maturity organizations and SMBs. For sure, we do see a lot of MSSP usage by clients who “need some monitoring for compliance” or “have no team and no process, and want ‘security outsourced’” (the latter seems like a good indication for MSSP use, but in reality smells like MSSP FAIL in the making).

CISOs: Striving Toward Proactive Security Strategies (Dark Reading, Oct 19 2017)
60% of respondents say material data breaches and cybersecurity exploits are the primary drivers of change in security programs. A mere 22% of respondents say their organizations’ security function is integrated with other business functions. Perhaps most concerning, only 51% say their organization has an IT security strategy and, of those, only 43% say that the company strategy is reviewed, approved, and supported by C-level executives.

6 cybersecurity predictions (that might actually come true) (Naked Security – Sophos, Oct 18 2017)
Sophos asked a number of people working in different technical roles at Sophos where they’re actually planning to spend some of their time and energy in the next six months. So here are their “from the trenches” predictions that reflect what people are actually preparing for.

How to Talk to the C-Suite about Malware Trends (Dark Reading, Oct 20 2017)
There is no simple answer to the question ‘Are we protected against the latest brand-name malware attack?’ But there is a smart one.

Mr. Robot eps3.1undo.gz – the security review (Naked Security – Sophos, Oct 19 2017)
We’re looking at how Mr Robot’s treatment of security stacked up in episode 2 of season 3.

Digital transformation: securing customer-centric initiatives (CSO Online, Oct 18 2017)
Data security and an improved customer experience go hand in hand for successful digital transformation.

Big picture security (CSO Online, Oct 20 2017)
We need to look at access control through more than just a purely contextual lens, and also consider risk factors. Risk-driven access control treats authentication as a continuous stream of events that are under constant evaluation from the beginning to the end of a session.