STE WILLIAMS

UK police cuff suspect over VTech toy hack

An unnamed UK man has been arrested on suspicion of hacking toymaker VTech.

Officers from the South East Regional Organised Crime Unit (SEROCU) said they’d arrested a 21-year-old in Bracknell, Berkshire as part of an investigation into the hacking of applications belonging to VTech.

The suspect was arrested on suspicion of offences covered by the Computer Misuse Act 1990, the UK’s main computer hacking statute. A number of electronic items were seized during the arrest and held for further computer forensics examination.

In a statement, Craig Jones, head of the Cyber Crime Unit at SEROCU, said: “We are still at the early stages of the investigation and there is still much work to be done. We will continue to work closely with our partners to identify those who commit offences and hold them to account.”

Jones advised businesses and consumers to follow cyber-security advice available on UK government-backed sites such as cyberstreetwise.com and getsafeonline.org.

VTech servers holding customer information were breached last month during a high-profile hack. The compromise occurred on servers that maintained VTech’s Learning Lodge app, which allows registered users to download apps and games onto devices from an online store.

In a statement, VTech admitted that it had failed to secure personal information on 4.8 million parents and 6.37 million children – including 1.2 million users of its KidConnect messaging service. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/15/vtech_hack_arrest/

Web host Moonfruit defies Armada DDoS crew … by (temporarily) defeating itself

Web host Moonfruit last night began putting its systems back online after taking down customers’ sites in order to upgrade its defences in the face of a threatened DDoS attack. The firm blamed a recent assault, which prompted the self-takedown, on the Armada Collective crew.

The unusual move of temporarily pulling its own website – and customers’ sites – offline came in response to threats that Moonfruit faced an imminent internet attack.

Withdrawing services, amid fears they were about to be taken down anyway, was intended to push customers to update their settings and to make the systems more resilient to abuse. The move follows a 45-minute DDoS attack against Moonfruit last Thursday.

The firm blamed the infamous Armada Collective crew for that assault. The cybercrime gang has recently been linked to DDoS extortion scams against secure webmail firms ProtonMail and Fastmail as well as a number of Greek banks.

Moonfruit concluded that caving in to extortion by the group would only invite further criminal demands.

Moonfruit began the process of bringing up systems on Monday evening, as its latest status message (extract below) explains.

We have been working hard on bringing all services up as quickly as possible, and have now reached a stage where customer sites have begun to come back online (if configured as we recently advised). They should all be available within the hour.

The previous configuration settings are still vulnerable and we will not be bringing these online again this evening.

We strongly advise making the recommended changes to bring your site back online as quickly as possible.

UK-based Moonfruit provides business and personal customers with a service that lets them easily build websites or online shops based on a common set of templates. Users expressed frustration about the lack of notice before services were withdrawn, the BBC reports. However, security experts reckon the unusual “self-actuated DDoS” was sensible in the circumstances.

In a Facebook update, Moonfruit added that it was making “significant infrastructure changes” to offer the best possible protection against this type of DDoS attack.

Ron Symons, regional director at DDoS mitigation and load balancing tech supplier A10 Networks, commented: “Distributed denial of service (DDoS) is extremely difficult to prevent. More worryingly, DDoS attacks frequently act as smokescreens hiding more invasive attacks as hackers exploit unguarded system backdoors to steal sensitive data.”

“By making this bold decision to pre-empt another incident, Moonfruit stands a much better chance of protecting its clients’ private data,” he added.

Further security commentary can be found in a blog post by security software firm ESET here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/15/moonfruit_ddos_armada_crew_attack/

The CISO’s New Best Friend & New Boss

What does the rise of the chief data officer and the digital risk officer mean for the chief information security officer?

CISOs, you’ve got a hard job. There are some new positions on the corporate org chart whose holders are eager to take a piece of the infosec action to help you out. The question is, can you work with them, not against them, and ensure you keep your authority (and your paycheck)?

You go through this battle with the CIO already. So, what about the new Chief Data Officer and Digital Risk Officer? Are they friends or foes?

Chief Data Officer

Meet your new best friend.

You know those Social Security Numbers you’d like to encrypt, but you don’t know all the places they’re stored? And that pile of data you don’t know how to classify (what’s sensitive, what’s useless, what needs to be saved, what can or must be deleted)? And those behavior analysis tools you bought to recognize when data is being accessed in an abnormal pattern…but you have no idea what the normal pattern is?

The chief data officer is going to help you with all of that.

The CDO’s domain is “the who, what, when, where, how, and even why of data,” says Todd Feinman, CEO of data management firm Identity Finder. It’s work that typically falls under the job description of the CIO, says Feinman, “but it just doesn’t get done.”

The CDO usually reports to the CIO, but sometimes to the CEO with a “dotted line” to the CIO, says Feinman. Could the security department steal the CDO all for itself though? Feinman doesn’t think so.

“The problem is, it’s a data role, it’s not a security role,” he says. “The CDO doesn’t necessarily have to be just for security purposes.”

So, you may have to share them with other departments, but the good news is “we only see this as a friend [to the CISO],” says Feinman.

So don’t feel the need to give this person an intimidating, bone-crushing handshake when you’re introduced. He or she could be on your side, solving your shadow IT problem, zipping through e-discovery requests, and making your access controls much more effective. Plus, when you do experience a breach, you’ll be grateful to your CDO for trimming down your PII database before the bad guys got to it.

Digital Risk Officer

Meet your new boss. (Or, the new you.)

Plenty of companies have Chief Risk Officers, but as organizations do more business online, the nature of their risk exposure changes. Add the Internet of Things to the mix and things get really interesting. For these reasons, some organizations have begun to add Digital Risk Officers to their teams who focus just on the risks that relate to a company’s “digital operating model.”

Gartner predicts that “by 2017 one-third of large enterprises engaging in digital businesses will have a digital risk officer or equivalent.”

As a recent PwC Technology Institute report describes:

Digital risk governance requires a new set of mandates that expand beyond the traditional scope of Chief Information Security Officer (CISO) and Chief Risk Officer (CRO). Digital operating models need to incorporate many corporate functions, including marketing, merchandising, technology, customer support, and finance.

As the Internet of Things (IoT) magnifies increased dependencies and overlaps within your organization, your company may consider investing in developing a Digital Risk Officer (DRO).

According to PwC, some web security issues will fall under the DRO’s bailiwick, including social media usage policies and fraudulent payments at online shops.

They will also have to manage financial, regulatory, and operational risks related just to the digital side of the business. As Heather Levy wrote for Gartner, DROs “will manage risk at an executive level across digital business units, working directly with peers in legal, privacy, compliance, digital marketing, digital sales and digital operations.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/careers-and-people/the-cisos-new-best-friend-and-new-boss/d/d-id/1323557?_mc=RSS_DR_EDT

Hacktivist pranksters stick it to the European Space Agency

Elements of Anonymous have taken time off from fighting adherents of Daesh (the so-called Islamic State) and trolling Donald Trump to attack the European Space Agency.

Hacktivists dumped a schema of the ESA website (esa.int), along with data about registered users, collaborators, and subscribers, after hacking into the space agency’s apparently insecure website.

Anons said they pulled off the hack out of pure devilment and mischief rather than any particular gripe.

“Because Xmas is coming and we had to do something for fun so we did it for the lulz,” persons using the name and iconography of online activist collective Anonymous (PUTNAIOOACA) told HackRead on Monday.

Staff names, email addresses, phone numbers and more were grabbed by the hackers, who apparently used a SQL injection attack against the targeted websites (due.esrin.esa.int, exploration.esa.int, and sci.esa.int). Details of more than 8,000 subscribers were also spaffed online.

Many of the passwords were insecure and one even used “sea” as a login credential, according to an analysis by Steve Ragan for CSO.

Further security commentary on the incident can be found in a post on Bitdefender’s HotForSecurity blog here.

In more upbeat news, ESA astronaut Tim Peake took off in a Soyuz rocket from Kazakhstan en route to the orbiting International Space Station on Tuesday.

His exploits made Peake the first Briton to fly into space without a private contract or through holding a foreign citizenship, becoming the UK’s first official astronaut. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/15/esa_anonymous_hack/

To Better Defend Yourself, Think Like A Hacker

As attacks become more sophisticated and attackers more determined, organizations need to adopt an offensive approach to security that gets inside the head of the hacker.

One of the seminal movies that all cybersecurity professionals should watch is of course War Games. It features a young hacker, played by Matthew Broderick, who almost starts a nuclear war by playing war games with a central military computer.

While the premise itself seems improbable, the concept of playing war games isn’t new. The many arms of government do it. Large corporations do it. This concept has also made its way into the cybersecurity world—cyber war games to test one’s security infrastructure. In a red team and blue team engagement, the red team attacks and the blue team defends to validate readiness. In the cybersecurity world, war games can range from tabletop exercises to live exercises in which attack scenarios are simulated.

To date, most cyber war exercises have been run by governments to test both public and private sector infrastructures, or by large corporations with the time and resources to support them. But as attacks become more sophisticated and automated, and attackers greedier, the need for all organizations to understand and experience, at some level, the mind and method of hackers is becoming more urgent.

The mindset of an attacker

The fundamental premise behind this is simple. To better defend yourself, you need to put yourself in the mindset of an attacker. It’s about learning from the hackers and understanding their behavior — and understanding how your own actions (or inaction) affect the outcome. Most importantly, it is about proactively executing real breach scenarios on your network to find holes before an attacker does, and understanding which vulnerabilities are most pressing for you.

This mindset makes sense. After all, we spend more than $70B on cybersecurity, yet we continue to be breached. The latest Mandiant report states that organizations take almost 205 days to discover breaches in their network — only a marginal improvement from the year before. Unsurprisingly, the latest PwC Global State of Information Security report shows that we’re seeing more security incidents in 2015 than last year: 38% more security incidents were detected in 2015 than in 2014, and the theft of “hard” intellectual property increased 56%.

It doesn’t feel like we’re winning, does it? One reason is the current reactive approach to cybersecurity – if and when a new threat is exposed, a new security solution is deployed. Each of these point products requires a unique management system and configurations that need to be optimized. Complexity impacts security.

The biggest challenge for CISOs today is not waiting for a vendor to offer a solution to their problem; it’s prioritizing their efforts (amidst a talent shortage), understanding which of their security systems are working as expected, and knowing what their cybersecurity risks are at any one point in time. How does a CISO answer the board-level question of “Are we secure”? The answer is combining current approaches with an offensive security approach that adopts the mindset of the hacker.

But first, there are specific characteristics of the hacker that we need to understand:

  • Persistence and patience. We know hackers are persistent and relentless. They spend time getting to know the organizational structure and the network; they will actively investigate the best way to infiltrate an organization. Whether they are motivated by money or another cause, they’ve evolved from the equivalent of the cyber purse-snatcher to the great cyber heist.
  • Breach methods. Malware today has become much more sophisticated: it can exhibit specific behaviors based on user activity, and it is sophisticated enough to lie latent when necessary to bypass security solutions. Yet what we find is that the majority of breach methods are limited and are replicated across organizations. According to the Verizon Data Breach Investigations Report, 92% of cyber attacks in the past 10 years can be linked to just nine basic attack patterns. Of these, most companies have to face only between two and four.
  • Asset- and objective-oriented. Every action performed by an attacker may look like a singular incident, but it is actually a phased progression toward their objective. Hackers will adjust their methods based on successes and failures; they also tend to reuse tools and infrastructure. The ability to see the entire cohesive view of what an adversary is doing (the complete attack kill chain) and their techniques is critical not only to detecting today’s attack but to understanding their modus operandi for future attacks.

Cyber war games of the future

When we look at these characteristics, it’s clear we need automation to more effectively (and continuously) execute war games — with an emphasis on the word “war.” So many security strategies and solutions today are focused on individual battles. You can win some, but not all, and in cybersecurity, one loss can cost you the war.

At the same time, breach methods must be supported by a human element that understands and can analyze patterns, tactics, and procedures. In a kill chain model, breaking one step thwarts the adversary; proper analysis and understanding of how attackers are behaving and their techniques can only be performed by skilled security professionals.

In other words, the cyberwar games of the future will be played by machines powered by humans. It is the combination of human plus platform/machine that will tip the advantage towards the defenders. Just like Amazon’s Chaos Monkeys in the cloud world where failures occur to force systems to be more resilient, we need to proactively execute breaches in our environment to find holes — before an attacker does.

Danelle is vice president of strategy at SafeBreach. She has more than 15 years of experience bringing new technologies to market. Prior to SafeBreach, Danelle led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also responsible for …

Article source: http://www.darkreading.com/attacks-breaches/to-better-defend-yourself-think-like-a-hacker/a/d-id/1323562?_mc=RSS_DR_EDT

VTech: 21-year-old man arrested after toy maker hack

A 21-year-old man has been arrested in the UK in connection with the recent VTech hack.

He hasn’t yet been named.

VTech, headquartered in Hong Kong, makes a range of educational electronic toys, and runs an online store called Learning Lodge, where you can shop for downloads for your VTech products.

The company was breached recently by a hacker who claimed to have stolen the usual sort of data we hear about in this sort of attack – and much more besides.

As well as names, email addresses, scrambled passwords and the home addresses of nearly 5,000,000 parents, the hacker said he’d filched the names, genders and birthdays of 200,000 children, too.

Worse still, he told online magazine Motherboard that he’d also acquired thousands of pictures of parents and kids, a year’s worth of chat logs, and audio recordings, some of which were of children’s voices.

According to Motherboard:

While probing VTech servers, the hacker found tens of thousands of pictures of parents and kids. Some are blank, or duplicates, so it’s hard to establish exactly how many are legitimate pictures. But the hacker said he was able to download more than 190GB worth of photos, and considering that there were 2.3 million users registered in the Kid Connect service, it’s likely there were tens of thousands, or more, headshots of parents and kids, according to the hacker.

The hacker shared a sample of 3,832 image files with Motherboard for verification purposes, but he also said he doesn’t intend to publish or sell the data.

“Frankly, it makes me sick that I was able to get all this stuff,” the hacker told [us] in an encrypted chat. “VTech should have the book thrown at them.”

For now, however, it looks as though the 21-year-old, from Bracknell, UK (about 50km west of London), is going to have the book thrown at him.

The UK’s South East Regional Organised Crime Unit (SEROCU) reports that his arrest was on charges under the Computer Misuse Act for unauthorised access to VTech’s systems, and unauthorised access to the company’s data.

As Craig Jones, Head of the Cyber Crime Unit at SEROCU, points out:

Cyber crime is an issue which has no boundaries and affects people on a local, regional and global level. I would like to urge everyone to check their home and business computer security and follow the advice available on sites such as cyberstreetwise.com and getsafeonline.org.

Also, don’t forget our popular, family-friendly series of tips for Advent 2015, which we’ll be running until Christmas.

If you’ve got webcams, internet-enabled toys, online thermostats, or even a connected kettle in your home…

…don’t forget that security matters for all those devices too, not just for your laptop and your mobile phone.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wLwH09Ya2Cs/