A Review of the Best News of the Week on Cybersecurity Management & Strategy

Huawei Sues US Government Over Ban (Infosecurity Magazine, Mar 07 2019)
Chinese telecoms kit maker brings out the big guns in escalating battle

As Trump and Kim Met, North Korean Hackers Hit Over 100 Targets in U.S. and Ally Nations (The New York Times, Mar 04 2019)
McAfee researchers watched, in real time, as the North Koreans attacked the networks of companies in the United States and around the globe.

Alphabet aims for Splunk in security startup’s coming-out party (MarketWatch, Mar 05 2019)
Alphabet Inc. announced its biggest thrust into the cybersecurity space Monday, as the Google parent company’s internal security startup, Chronicle, detailed a new big-data software offering similar to Splunk Inc.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

Cisco Publishes Annual CISO Benchmark Study (SecurityWeek, Mar 04 2019)
Cisco’s 2019 Chief Information Security Officer (CISO) Benchmark Study has one great strength. It queried more than 3,200 senior leaders with a CISO role (if not title) from 18 different countries. This greater than average quantity of respondents gives it a greater than average legitimacy.

Data Breach Cost Marriott $28 Million So Far (SecurityWeek, Mar 04 2019)
The massive data breach disclosed by Marriott last year has cost the company $28 million to date, most of which has been covered by insurance, the hotel giant revealed last week in its earnings report for the last quarter of 2018.

NSA’s top policy advisor: It’s time to start putting teeth in cyber deterrence (Ars Technica, Mar 04 2019)
The midterms were just a warmup, NSA’s Joyce warns, as work begins to defend 2020 election.

Symantec CEO Says He Aims To Drive Down Cost And Complexity Of Cybersecurity (Forbes, Mar 05 2019)
Symantec’s CEO Greg Clark has been in the cyber security field for three decades. He has founded and sold multiple companies. He was the CEO of Blue Coat when Symantec acquired the company. In his current perch as the head of the combined company, he leads, by some measures, the largest cyber security company in the world. I sat down with him to talk about the recent announcement, but also to get his thoughts on the evolving threat landscape, as well as to talk about his extraordinary career path.

Cybersecurity for the Public Interest (Schneier on Security, Mar 05 2019)
The Crypto Wars have been waging off-and-on for a quarter-century. On one side is law enforcement, which wants to be able to break encryption, to access devices and communications of terrorists and criminals. On the other are almost every cryptographer and computer security expert, repeatedly explaining that there’s no way to provide this capability without also weakening the security of every user of those devices and communications systems.

U.S. officials: It’s China hacking that keeps us up at night (Washington Post, Mar 06 2019)
Russia hacking has Washington spooked. But security officials say China is the biggest long term threat.

Axonius’ ‘Unsexy’ Tool Wins RSAC Innovation Sandbox (Dark Reading, Mar 05 2019)
Judges award top honor to new company solving an old, unsolved problem: asset discovery and management.

Coinbase Says Ex-Hacking Team Members Will ‘Transition Out’ After Users Protest (Motherboard, Mar 05 2019)
Coinbase acquired Neutrino in February, sparking a #DeleteCoinbase campaign in protest.

Senate report: Equifax neglected cybersecurity for years (Yahoo Finance, Mar 07 2019)
A new report claims Equifax neglected cybersecurity for years leading up to the massive 2017 data breach.

Huawei calls for common cybersecurity standards amidst concerns (Reuters, Mar 07 2019)
Huawei, in the spotlight over the security risks of its telecom equipment gear, urged governments, the telecoms industry and regulators on Tuesday to work together to create a common set of cybersecurity standards.

How Superforecasting Can Help Improve Cyber-Security Risk Assessment (eWEEK, Mar 06 2019)
Palo Alto Networks Chief Security Officer Rick Howard ran a session on an advanced method known as “Superforecasting” that can help organizations go beyond basic heat maps to better evaluate and define risk.

U.S. to try new approach to punish hacking nations: Working with allies (Washington Post, Mar 07 2019)
State Department cyber chief wants “swift and transparent consequences that will change their calculus.”

United Airlines CISO: To soar, security teams must focus on business, not technology (SC Magazine, Mar 06 2019)
This approach requires security teams to develop an understanding of the most critical functions that drive the company, and the various needs and risks of each business department — something Heath herself seeks to achieve in her role at the airline carrier.

#RSAC: Build Better Bridges Between OT and IT (Infosecurity Magazine, Mar 05 2019)
“OT care about safety and not data loss, and what is going off the production line,” she said. “The OT world wants systems up and running.”

#RSAC: How to Nudge User Behavior (Infosecurity Magazine, Mar 05 2019)
In terms of methods, Williams picked four examples of simplification (making information more straightforward and easy to process) and framing (phrasing of information to activate values/attitudes of the target), changes to physical environment to guide your target to one choice over another (such as an arrow on the ground), changes to a default policy so that the standard choice is the one you want made and use of social norms to leverage peer pressure to cause your target to choose the preferred option.

For enterprises, malware is the most expensive type of attack (Help Net Security, Mar 07 2019)
…the cost to companies due to malware increased 11 percent, to more than US$2.6 million per company, on average, and the cost due to malicious insiders — defined as employees, temporary staff, contractors and business partners — jumped 15 percent, to US$1.6 million per organization, on average.

FBI’s Wray says cyberthreats ‘bigger than government’ (SC Magazine, Mar 06 2019)
“Today’s cyberthreat is bigger than any one government agency — in fact it’s bigger than the government itself,” he said. “The scope, breadth, depth, sophistication and diversity of the threat we face now is unlike anything we’ve had in our lifetimes.”