Business Security Weekly Episode #219 – June 07, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Optimize Buying Criteria to Ensure Success of Your New Security Tools – 03:00 PM-03:30 PM

Sponsored By

Visit https://securityweekly.com/detectify for more information!

Announcements

  • Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

Description

CISOs know the power of security as a driver of business, but other stakeholders often equate security with compliance. Security shouldn’t be viewed as a controlling organ; if it is, it will stall innovation and become a blocker for deploying new techniques. Implemented and evaluated correctly, new security tools should speed up the development process and enable innovation.

So how do you measure success in app sec?

There are several methods that define the success of a new tool. New tools have to live up to, and in most instances exceed, the existing solutions in place, and they should help developers do their job more efficiently.

Here we can discuss the relevance of pre-planning and the definition of clear success criteria to get the most out of any solution decided upon. We draw parallels to real world examples of companies that have found success by optimising the time spent on evaluating and implementing new tools.

This segment is sponsored by Detectify.

Visit https://securityweekly.com/detectify to learn more about them!

Guest(s)

Travis Isaacson – Technical Expertise Manager at Detectify

@Maxi_crisp

Travis Isaacson is Technical Expertise Manager at Detectify, where he helps customer security teams utilize the latest crowdsourced vulnerability research in their automated security practices and keep web apps secure. Travis has a background in supply chain logistics and digital AdTech. Outside of office hours, he enjoys dabbling in ethical hacking and bug bounties.

Hosts

Jason Albuquerque

@Jay_Albuquerque

CIO & CSO at Carousel Industries

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

Paul Asadoorian

@securityweekly

Founder at Security Weekly

2. 3 Ways + 4 Measures + 5 Approaches + 5 Myths = 17 Questions – 03:30 PM-04:00 PM

Announcements

  • Security Weekly is ecstatic to announce that Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista! Call for presentations & early registration for Security Weekly listeners is open now! Visit securityweekly.com/unlocked to submit your presentation & register for the early registration price before it expires!

  • Join us on June 10 at 11am ET for our technical training on insider risk to learn how to quickly mitigate data exposure risks. Then join us June 24 at 11 AM ET to learn how web application firewalls can help mitigate exposure in a complex threat landscape. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

In the Leadership and Communications section, 3 Effective Ways To Improve Your Internal Communication To Boost Employee Engagement, 4 Immediate Measures to Execute After a Cyberattack, 17 cyber insurance application questions you’ll need to answer, and more!

Hosts

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

Jason Albuquerque

@Jay_Albuquerque

CIO & CSO at Carousel Industries

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

  1. 4 Immediate Measures to Execute After a Cyberattack – Organizations should have an incident response plan in place so they can restore compromised networks and recover from the damage as quickly as possible. Here are the four immediate steps to follow when dealing with a cyberattack:

    1. Contain
    2. Report
    3. Investigate and Recover
    4. Remediate

  2. CISO’s Guide to a Modern AppSec Program – A guide for CISOs and security leaders on enabling the business with application security and a shift-left approach, starting with:

    1. Cybersecurity influence on Organizational Culture Change
    2. The Product and Application Security Program Checklist
    3. Building out AppSec Focus Areas

  3. The Evolving CISO: From Naysayer to Enabler – Chief Information Security Officers (CISOs) are not typically perceived as business enablers. Their core responsibility is to safeguard the company’s sensitive information and operational services, which makes us naturally risk-averse. Business innovation tends to require some level of experimentation, failure, and recalibration. But for the CISO, a single instance of failure can be catastrophic.

    The good news is that many of the same technologies used to lock down environments can be repurposed to enable innovative new use cases with significant potential for business transformation. Additionally, new capabilities continue to emerge. Let me highlight three possibilities below:

    1) Creating secure sandboxes for development teams to innovate freely
    2) Using machine learning to dramatically improve application time to market
    3) Freeing the value of data

  4. 5 Cybersecurity Approaches All Businesses Should Consider – Cybersecurity forces us to stay sharp and is continually challenging us to be better at what we do. The top five cybersecurity approaches you should consider are:

    1. Teams/Slack Notifications for Critical Issues
    2. Start Learning Incident Response
    3. Harden Your Critical Infrastructure

  5. 17 cyber insurance application questions you’ll need to answer – Recent high-profile security incidents have tightened requirements to qualify for cyber insurance. These are the tougher questions insurance carriers are now asking, including:

    1. Do you perform regular backups and store them in a secure off-site location?
    2. Do you limit remote access to all computer systems by using two-factor authentication?
    3. How many PII records are held on your network?
    4. Do you provide periodic anti-fraud training to employees?
    5. Are processes in place to request changes to bank account details including account numbers, telephone numbers, or contact information?
    6. Are you using Office 365?
    7. Can users access email through a web application on a non-corporate device?
    8. Do you strictly enforce SPF on incoming emails?
    9. Are your backups encrypted and kept separate from the network whether offline or with a specialist cloud service?
    10. Do you use endpoint protection in the network? What brand?
    11. How long does it take to install critical, high severity patches?
    12. Do you have a SOC?
    13. What steps are you taking to detect and prevent ransomware attacks?
    14. Have you implemented a hardened baseline configuration across servers, laptops, desktops, and managed mobile devices?
    15. How do you implement local administrator rights?
    16. Do you provide users with a password manager software?
    17. Are end-of-life or out-of-support hardware and systems segregated from the rest of the network?

  6. 3 Effective Ways To Improve Your Internal Communication To Boost Employee Engagement – Here are three ways companies can show they value their employees through effective communication.

    1. Maximize Communication Channels And Techniques
    2. Dismantle The Red Tape And Have An Open-Door Policy
    3. Give Employees A Seat At The Table

  7. 5 Myths About Flexible Work – We believe fear has created stumbling blocks for many organizations when it comes to flexibility. Companies either become frozen by fear or they become focused by fear. It is focus that can help companies pivot during challenging times. In the years that we’ve been working with companies on flexibility, we’ve heard countless excuses and myths for why they have not implemented a flex policy. In fact, the Diversity & Flexibility Alliance has boiled these myths down to the fear of losing the 5 C’s:

    Loss of control
    Loss of culture
    Loss of collaboration
    Loss of contribution
    Loss of connection