A Review of the Best News of the Week on Cybersecurity Management & Strategy

China Used Tiny Chip in Hack That Infiltrated Amazon, Apple (Bloomberg, Oct 04 2018)
In one case, the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached, according to one person who saw pictures of the chips. That generation of chips was smaller than a sharpened pencil tip, the person says.

Security Staffing Low in Midsized and Large Orgs (Infosecurity Magazine, Sep 28 2018)
Large organizations have only one security staff for every 1,488 employees, says ProtectWise.

Making an Impact with Security Awareness Training: Quick Wins and Sustained Impact (Securosis, Sep 27 2018)
It’s a balance between being overly heavy-handed against the importance of training users to defend themselves. You need to ensure employees know about the ongoing testing program, and that they’ll be tested periodically. That’s the continuous part of the approach – it’s not a one-time thing.

NYC wants to build a cyber army (TechCrunch, Oct 02 2018)
New York City Economic Development Corporation (NYCEDC) announced the launch of Cyber NYC, a $30 million “catalyzing” investment designed to rapidly grow the city’s ecosystem and infrastructure for cybersecurity.

Organizations need to shift strategies, adopt a proactive approach to cybersecurity (Help Net Security, Oct 01 2018)
The cybersecurity market has reached a point whereby organisations need to shift their strategies and have a new, proactive approach to their cybersecurity, according to a report by 451 Research.

More on the Five Eyes Statement on Encryption and Backdoors (Schneier on Security, Oct 01 2018)
Susan Landau examines the details of the statement, explains what’s going on, and why the statement is a lot less than what it might seem.

Quantifying a firm’s security levels may strengthen security over time (Help Net Security, Oct 01 2018)
Cyberattacks grow in prominence each and every day; in fact, 2017 was the worst year to date for data breaches, with the number of cyber incidents targeting businesses nearly doubling from 2016 to 2017.

CISOs: How to Answer the 5 Questions Boards Will Ask You (Dark Reading, Oct 02 2018)
As boards learn the importance of cybersecurity, certain issues arise on a regular basis. These tips can help you address them.

Financial Sector Breaches Have Tripled Since 2016 (Infosecurity Magazine, Oct 02 2018)
Bitglass report claims over 100 incidents in the US alone.

U.S. Energy Department Invests Another $28 Million in Cybersecurity (SecurityWeek, Oct 02 2018)
The U.S. Department of Energy on Monday announced that it’s investing up to $28 million in tools and technologies that will improve the resilience and cybersecurity of the power grid and oil and gas infrastructure.

How Ashley Madison Recovered From Its Massive Data Breach (eWEEK, Oct 03 2018)
At SecTor, the CISO of Ruby Life, the parent company of breached infidelity website Ashley Madison, details the steps the company has taken to improve security.

Patching and Policy Lessons Learned from WannaCry (Infosecurity Magazine, Oct 03 2018)
IT and cybersecurity professionals that don’t make patching a priority are essentially shining a light on their organization’s weaknesses.

NKorea Said to Have Stolen a Fortune in Online Bank Heists (SecurityWeek, Oct 03 2018)
North Korea’s nuclear and missile tests have stopped, but its hacking operations to gather intelligence and raise funds for the sanction-strapped government in Pyongyang may be gathering steam.

Tanium Raises $200 Million at $6.5 Billion Valuation (SecurityWeek, Oct 02 2018)
Emeryville, CA-based endpoint security and systems management firm Tanium announced on Tuesday that it has raised an additional $200 million through the sale of common stock, which raises the company’s pre-money valuation to $6.5 billion.

GDPR Report Card: Some Early Gains but More Work Ahead (Dark Reading, Oct 04 2018)
US companies paid the most, to date, to meet the EU’s General Data Protection Regulation, according to a recent study, but UK companies made greater progress in achieving compliance goals.

Malware Outbreak Causes Disruptions, Closures at Canadian Restaurant Chain (Dark Reading, Oct 03 2018)
Recipe Unlimited, a publicly traded company that operates nearly 1,400 restaurants under 19 different brands in Canada, has experienced what appears to be a significant security incident impacting several of its brands.

US to Let NATO Use its Cyber Defense Skills (SecurityWeek, Oct 03 2018)
The United States is expected to make its offensive cyber warfare capabilities available to NATO, officials said Wednesday, as the alliance seeks to strengthen its defenses against Russian electronic attacks.

How Letting Go of the Familiar Can Improve Security Maturity (SecurityWeek, Oct 03 2018)
The known provides something very comforting to the human psyche. On the contrary, the unknown causes discomfort and unsettledness. Perhaps it is because of this that people love to stay with what is known and familiar, even if it is less optimal.

The Effects of GDPR’s 72-Hour Notification Rule (Schneier on Security, Oct 03 2018)
The EU’s GDPR regulation requires companies to report a breach within 72 hours. Alex Stamos, former Facebook CISO now at Stanford University, points out how this can be a problem.

Endpoint Has Won, Why Bother With NTA? (Gartner Blog Network, Oct 03 2018)
SOCs should use logs, endpoint and network data in their threat detection and response efforts. But we also know that organizations don’t have infinite resources and will often have to decide which tool to deploy first (or ever). Leaving logs aside for a moment, as they usually have additional drivers (i.e. compliance), the decision eventually becomes: Endpoint vs Network.