In a video interview with CISO MAG, Caroline Wong, Chief Strategy Officer at Cobalt said it is a myth that business leaders do not understand cybersecurity. But the complication occurs because cybersecurity is about measuring risks and it is a challenge to put straightforward metrics on that, as we do with everything else in business. Wong says there are so many parameters in cybersecurity. She says everyone is trying to come up with a number for the dollars that would be lost if an organization is breached. Instead, the value number to have is the cost of a plan to achieve an objective. Cybersecurity leaders should begin with risk management objectives. Caroline offers seven risk management objectives. Business leaders should agree on a risk management objective and a common goal.

Caroline is a strategic leader with great communications skills, deep cybersecurity knowledge, and a lot of experience in delivering global programs. Her practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga.

In all Caroline has 15+ years of deep and practical cybersecurity expertise, including leading teams at eBay, Zynga, Symantec, and Synopsys.

She authored the popular textbook Security Metrics: A Beginner’s Guide;  hosts the cybersecurity podcast Humans of Infosec, and teaches cybersecurity courses on LinkedIn Learning.

Most recently, Caroline published a new book called The PtaaS Book. To learn more about it, click here.

Cobalt is a global, remote-first cybersecurity company with a focus on Pentest as a Service (PtaaS).

Also Read:

Our 2021 interview with Caroline Wong.

In this interview Caroline offered advice on how security leaders should communicate with Board members and other stakeholders.

The post Back to Basics: What Security Leaders Need to Do to Protect their Organizations appeared first on CISO MAG | Cyber Security Magazine.

In an exclusive video interview, Brian Pereira, Editor-in-Chief, CISO MAG and Justin Hurst, Field CTO, APJ for Nutanix discuss security strategies that leading organizations are betting on, to ensure security isn’t dictating their business growth.

Hurst says organizations face a tremendous risk as they embrace the cloud and digital transformation. The risks include loss of revenue, risk of reputation, customer churn, loss of sensitive data, and complete breach of compliance.

Security Strategies

The balance for companies is finding a way to embrace these new technologies — to embrace the agility of the public and hybrid cloud. But they should do so in a way that incorporates security posture from the foundation up.

The challenge that many companies are facing is that they want to use these new resources; they want to use the agility of the cloud, but their people and their processes are in an on-prem mode of thinking. The type of security that is used today in the private data center does not apply in the hybrid or public cloud world. So it requires rethinking how security is thought about throughout the whole organization — not just the compliance team. More so as apps are modernized and moved to the public and private cloud.

Also see:

3 Takeaways from 2020 for CISOs to Guide This Year’s Strategy

At Nutanix, Hurst is responsible for guiding and articulating technical vision across all products and platforms in the APJ region. His key focus areas are enabling digital transformation, IT modernization, and innovation  through design. He also connects Nutanix customers and partners with internal R&D to guide product direction and ensure customer success. He brings twenty years of experience in a broad range of technology roles, including IT  operations, architecture, education, and sales. He has been with Nutanix for over eight  years. Justin is a frequent keynote speaker, and has presented worldwide on transformative  technological change and embracing disruption. He is based in Tokyo, Japan.

The post “We Need to Rethink How Security is Applied Throughout the Organization” appeared first on CISO MAG | Cyber Security Magazine.

In an exclusive video interview, Brian Pereira, Editor-in-Chief, CISO MAG, discusses human preparedness with Jawad Kazim, CISO at a leading MSSP in New Jersey.

Speaking about his experience as an external auditor, Kazim says organizations have excellent firewalls, antivirus, and other tools. But they lag in human preparedness. And this can be corrected through training and awareness.

He speaks about the preparedness of humans and the “human firewall.” He says governance is critical too, coming from the highest office in the organization.

Kazim also updates us on the state of cybersecurity in Pakistan, and the initiatives the government and universities have taken to spread awareness.

Kazim is an experienced Information Technology Audit Manager with a demonstrated history of working in the banking industry. He is skilled in Cyber Security, audit and humanity sciences. And his experience spans multiple continents. He is currently serving a leading MSSP in New Jersey. And previously, he worked as a Manager IT/IS audit (Information Security) for a leading bank in Pakistan.

CISO MAG Experts Series

CISO MAG interviews CISOs and cybersecurity experts from all parts of the world. Do read their opinions or watch their videos on cybersecurity awareness and incident response by following the links below.

“The State of Readiness Will Always Be in a Flux”

For Dr. Imtiaz Abdul Kader, CEO, Perfected Execution, there are two core elements to cybersecurity awareness and readiness. One is the training and the skills, and the other is partnerships within the industry.

“Security is Everybody’s Business”

Everyone in the organization is a security leader and is responsible for security, says Dr. Frank E. Ofori, Cyber Security Specialist and former U.S. Army Veteran.

Expert’s Take: Why Organizations Fail to Prepare for Cyberattacks

Le Nguyen Truong Giang, a Global Security Operations Lead and Security Transform Consultant, speaks to CISO MAG about cybersecurity awareness, resilience, and failure to prepare for cyberattacks.

“Being Compliant Gives Organizations a False Sense of Security”

Ditmar Tavares, Senior Cybersecurity Consultant, Mariner Innovations, explains where organizations fall short in their awareness about threats that target their business and employees.

Cybersecurity Awareness Month 2021: Here’s What the Experts Have to Say

About the Interviewer

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

More stories from Brian

The post “We Lack in Human Preparedness” appeared first on CISO MAG | Cyber Security Magazine.

Tavares sees organizations changing their awareness, thanks to the incidents reported in the news. He says most of them are taking steps to be more secure. He breaks down cybersecurity awareness into two portions: being aware of the field, which he considers “pretty good” as everybody knows what it is and what they are concerned about.

The second part of it seems to be a problem — how well organizations know about the treats they are facing, specifically based on what they do, the risk that they are introducing with the actions they take, with the data they are collecting — or even with the social media posts their employees are doing.

He believes risks are introduced with the third-party organizations they do business with. That is where most organizations are falling short. He wishes they knew what matches their needs, gaps, and what they need to do and tailor to their expectations.

CISO MAG Experts Series

CISO MAG interviews CISOs and cybersecurity experts from all parts of the world. Do read their opinions or watch their videos on cybersecurity awareness and incident response by following the links below.

“The State of Readiness Will Always Be in a Flux”

For Dr. Imtiaz Abdul Kader, CEO, Perfected Execution, there are two core elements to cybersecurity awareness and readiness. One is the training and the skills, and the other is partnerships within the industry.

“Security is Everybody’s Business”

Everyone in the organization is a security leader and is responsible for security, says Dr. Frank E. Ofori, Cyber Security Specialist and former U.S. Army Veteran.

Expert’s Take: Why Organizations Fail to Prepare for Cyberattacks

Le Nguyen Truong Giang, a Global Security Operations Lead and Security Transform Consultant, speaks to CISO MAG about cybersecurity awareness, resilience, and failure to prepare for cyberattacks.

Cybersecurity Awareness Month 2021: Here’s What the Experts Have to Say

About the Interviewer

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

 

More stories from Brian

The post Being Compliant Gives Organizations a False Sense of Security appeared first on CISO MAG | Cyber Security Magazine.

In an exclusive video interview, Brian Pereira, Editor-in-Chief, CISO MAG, discusses the state of cybersecurity awareness and readiness with Dr. Imtiaz Abdul Kader, CEO, Perfected Execution.

Dr. Imtiaz, who lives in Johannesburg, says there are two core elements cybersecurity awareness and readiness. One is the training and the skills, and the other is partnerships within the industry.

He says we still have a long way to go for training and skills advancement, though initiatives have been taken to establish specialist training centers.

Cybersecurity threats keep advancing and skills need to keep up, so the state of readiness will always be in a flux, says Dr. Imtiaz.

He believes constant knowledge sharing with employees is quite important for keeping up with the latest threats. It also removes the ambiguity about what they need to do when receiving malicious emails and how to react to incidents.

The second vital thing is engagement with partners and individuals specializing in cybersecurity to acquire the knowledge and the skills. This is a good approach to establishing a cybersecurity response environment.

Dr. Imtiaz is an avid researcher in the field of advanced technology integration to enable business growth. He is also the co-founder and CEO of Perfected Execution, a technology and strategy research start-up. In addition, he also practices as a Technology and Strategy Execution Executive in the Banking Industry, with 23 years of experience in executing large-scale organization transformations. He holds a Ph.D. and M.Eng degrees from the University of the Witwatersrand and published the book #Throw Away the Box.

About the Interviewer

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

 

More stories from Brian

The post The State of Readiness Will Always Be in Flux appeared first on CISO MAG | Cyber Security Magazine.

In an exclusive video interview, Brian Pereira, Editor-in-Chief, CISO MAG, discusses the organizational challenges for security awareness with Dr. Frank Ofori, Cybersecurity Specialist and a former U.S. Army veteran.

Dr. Ofori says everyone in the organization is responsible for security awareness and must practice cyber hygiene at work and home for personal computing. It is not just a top-down approach. It could also be bottom-up. He also offers some tips and advice for creating an incident response plan.

Dr. Ofori is a retired U.S. Army veteran with over 13 years of experience in both IT and Cyber Security. He is a Cyber Security Specialist with the U.S. Department of State and an Adjunct Professor at Stratford University with concentration in both Offensive and Defensive Cyber Security.

He specializes in corporate and enterprise security, development of cyber defense programs, and business operations protection for both US Federal and commercial clients.

He has been certified an industry professional by the International Information Security Certification Consortium (ISC2), Information System Audit and Control Association (ISACA), and the EC-Council as Certified Chief Information Security Officer (C|CISO).

Dr. Ofori started his career as a technical networking specialist; he then specialized, trained, and qualified in a number of disciplines including but not limited to ethical hacking, international management systems, risk management, business continuity, international governance frameworks, financial service regulations, cyber laws, and project management.

Dr. Ofori is noted for his ability to integrate competing objectives (like a “cloud-first” policy, data transparency, clarity of multiple-party responsibilities, Privacy, and security) in customized and practical compromises that are acceptable to all parties involved. He acknowledges that information security is multi-disciplinary, multi-departmental, and often multi-organizational. He is also noted for his ability to synthesize and document cybersecurity policies in contracts, security architectures, system security requirements, risk assessments, project plans, policy statements, and other clear action-oriented documents.

Also see:

Expert Opinion: Cybersecurity Awareness Month

About the Interviewer

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

 

More stories from Brian

The post Security Is Everybody’s Business appeared first on CISO MAG | Cyber Security Magazine.

In an exclusive interview with Brian Pereira, Editor-in-Chief, CISO Mag, John Kindervag Senior Vice President Cybersecurity Strategy and ON2IT Global Fellow, explains the genesis of the Zero-Trust model, and what he wanted it to be, when he came up with the term in 2008.

Kindervag said there were two worlds back then. The internal network was safe, trusted, and secure. It had the highest level of trust. The external network had the lowest level of trust. He opposed the idea that the network needed to have a crunchy, hardened layer on the outside, and a soft, chewy inside. For a long time, security professionals assumed that malicious individuals wouldn’t get past the “hard, crunchy outside,” as he writes in his paper. He suggested that there should be a lot of crunchy, and a little bit of softness on the inside, which is the data that needs to be protected. In his words, “Zero trust needs to be like a chocolate chip cookie.”

The paper suggested that the way to confront new threats was to eliminate the soft, chewy center and make security ubiquitous throughout the network, not just the perimeter. So, the zero-trust model was created to help security professionals do this effectively.

The zero-trust definition is more widespread today, with zero-trust architecture extending way beyond the corporate perimeter and onto the cloud and remote access platforms.

Kindervag joined ON2IT in March of 2021 as Senior Vice President Cybersecurity Strategy and ON2IT Global Fellow. He spent the previous four years at Palo Alto Networks as Field CTO. Before Palo Alto Networks, John spent eight and one-half years at Forrester Research as a Vice President and Principal Analyst on the Security and Risk Team. John is considered one of the world’s foremost cybersecurity experts.

About the Interviewer

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved foundational certifications in cloud computing (IBM) and cybersecurity (EC-Council).

 

More stories from Brian

The post Creator of Zero-Trust Model Says Trust Did Not Exist in a Digital World appeared first on CISO MAG | Cyber Security Magazine.

In the survey, which included 400 C-suite executives at European and U.S. global companies, 64% reported revenue losses between 6% and 20% in 2020.

As U.S. businesses were shutting for the 4^th of July national holiday, adversaries launched a well-timed supply chain attack on Florida-based software company, Kaseya Ltd., which makes a VSA product for managed service providers.

Attackers were targeting MSPs and then their customers who used the Kaseya VSA solution on-premise, with ransomware being executed at the end-point products.

Due to this, customers who use the on-premise VSA client were impacted by ransomware attacks.

In a move that was quite unexpected, on July 21, Kaseya received a universal decryptor for victims of the REvil ransomware attack. Since the decryption key was obtained from a “third-party,” the company tested its credibility and confirmed that it is actively helping its customers to decrypt their data and ensure safety.

REvil mysteriously disappeared from the internet on July 13 and all their sites were taken down.

Brian Pereira, Editor-in-Chief, CISO MAG, spoke to Andrew Hollister, Deputy CSO and VP Labs LogRhythm to discuss the impact of the Kaseya supply chain attack and mitigation strategies to check supply chain attacks.

Andrew Hollister is Vice President of LogRhythm Labs and Deputy Chief Security Officer (CSO) for EMEA, IMETA, and APJ. He is the most senior engineering lead outside the U.S. at the Security Information and Event Management (SIEM) platform provider. Hollister is responsible for overseeing LogRhythm Labs’ research in Threat, Compliance and Operational Risk. He also advises on LogRhythm’s product strategy and direction. Over the last nine years, Hollister has proven himself an invaluable member of the business and leadership team in Customer Care, Sales, Labs, and the OCSO organization.

About the Interviewer

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved foundational certifications in cloud computing (IBM) and cybersecurity (EC-Council).

 

More stories from Brian

The post Discussing the Impact of the Kaseya Supply Chain Attacks appeared first on CISO MAG | Cyber Security Magazine.

CISO MAG identified Elron as a key investor with $90 million in funds.

Elron is an Israeli investment company specializing in early-stage investments, focusing on building Israeli technological cyber and enterprise software companies. It provides direct capital and assistance to startups from their early stage in accelerating team building and accelerating product-market fit.

With a proven track record of investments and M&As worldwide, Elron has spearheaded exits valued at over $1.6 billion over the past decade and manages assets exceeding $300 million.

The companies backed by Elron include Open Legacy, Sixgill, Ironscales, BrainsGate, and CartiHeal.

Brian Pereira, Editor-in-Chief, CISO MAG, interacted with Elik Etzion, CSO, Leading Enterprise Software & Cybersecurity Investments, Elron, to discuss early-stage investments in cybersecurity startups.

Etzion is joining Elron’s management team to head cyber and software investments in the company after a comprehensive career of 25 years in key Elron investment sectors.

A retired lieutenant colonel, he began his career at the top of the tech and cyber world in the IDF, where he gained diverse technological-operational experience and knowledge over the course of 20 years in Unit 8200. In his last positions in the IDF, Etzion served as deputy commander of the cyber division, head of the R&D Department, and Head of the Cyber operations Department.

Upon his discharge from the IDF, Etzion served as CISO and member of the Technology Division Management at Bank Hapoalim Group. This is one of the largest financial institutions in Israel. He enhanced the bank’s cybersecurity posture and contributed to the cyber resilience of Israel’s banking sector, alongside being party to spearheading the bank’s digital transformation.

Etzion also served as a director in SHVA and as Chairman of the Board of Directors of Masav, specializing in payments and clearance. He brings in-depth expertise and understanding, a strategic vision of the market along, and practical experience.

About the Interviewer

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

 

More stories from Brian

The post “We are committed to turning companies with ideas into global industry leaders” appeared first on CISO MAG | Cyber Security Magazine.

With this in mind, bestselling author Ted Harrington wrote the book Hackable: How to Do Application Security Right.

In an interview with Brian Pereira, Editor-in-Chief, CISO MAG, Harrington talks about his book, the genesis of the topic, and who will benefit from the book. He delves into the challenges of building security into applications at the beginning of the software development cycle. The book also breaks many misconceptions about application security.

Harrington is also the Executive Partner at Independent Security Evaluators (ISE), the company of ethical hackers famous for hacking cars, medical devices, and password managers.

The post “Application Security is not a process” appeared first on CISO MAG | Cyber Security Magazine.