Business Security Weekly Episode #231 – September 13, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Cyber Education Is the Key to Solving the Skills Gap – 03:00 PM-03:30 PM

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our YouTube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

Description

Kevin Nolten, Director of Academic Outreach from Cyber.org, joins Business Security Weekly to discuss how cyber education is the key to solving the skills gap and developing the next generation of cybersecurity professionals.

Kevin will share examples of how we, the cybersecurity community, can get involved in K-12 and higher education programs, strategies for developing young talent, and how Cyber.org’s curriculum can be used to train your employees!

Guest(s)

Kevin Nolten – Director of Academic Outreach at CYBER.ORG

@KevinNolten

As the Director of Academic Outreach at CYBER.ORG, Kevin directs the organization’s programmatic outreach efforts and partnerships with the goal of ensuring that every K-12 student in the U.S. has access to cybersecurity education. In his role, he helps advance CYBER.ORG’s K-12 cyber education program with age-appropriate content that aligns with state standards for education in 27 states and counting. The impact of that work is measured in thousands of teachers and students with more content, resources and training that will fuel the cyber workforce pipeline for the future.

Kevin received his Bachelor of Science in Business Management and Administration from LSU Shreveport. Kevin also received his MBA from LSU Shreveport.

Hosts

Ben Carr

CISO at Qualys

Jason Albuquerque

@Jay_Albuquerque

Chief Operating Officer at Envision Technologies

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

2. SEC Is Serious, CISA’s Bad Practices, & What Tech Workers Really Want – 03:30 PM-04:00 PM

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!

    We are excited to announce our speakers: Lesley Carhart, John Strand, Alyssa Miller, Dave Kennedy, O’Shea Bowens, Marina Ciavatta, Patrick Coble, Chris Eng, Eric Escobar, Nick Leghorn, Michael Schladt, Kevin Johnson, Justin Kohler, Jay Beale, Trenton Ivey & Ryan Cobb!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

  • If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

This week, in the Leadership and Communications section: The SEC Is Serious About Cybersecurity. Is Your Company?, CISA Urges Organizations to Avoid Bad Security Practices, IT leaders facing backlash from remote workers over cybersecurity measures, and more!

  1. CISO Conversations: Zoom, Thycotic CISOs Discuss the CISO Career Path – We wanted to know, first and foremost, is there any career path left for a CISO, or is there nowhere else to go? Is being a CISO effectively a dead-end job?

    The concept of risk management – something all CISOs must understand – is the important element. We have seen many times in this series that the modern CISO needs to understand and be fully immersed in the business side of the organization. So, the modern CISO needs to be technically minded, deeply involved in all aspects of the business, and conversant with the principles and practice of risk management. That is almost a job description for a Chief Risk Officer – and CRO, one of the most senior positions in any company, is certainly a potential aspiration for any career-minded CISO.

  2. The SEC Is Serious About Cybersecurity. Is Your Company? – The SEC has signaled that it has started taking cyber vulnerabilities much more seriously than it has in the past. Two recent fines signal that the agency views lax cybersecurity as an existential threat to businesses and is willing to penalize companies who fall short. This, of course, is reasonable: Cyber threats pose as significant a danger to businesses (and their shareholders) as supply-chain vulnerabilities or natural disasters. To make sure they’re compliant, companies should:

    1) create a disclosure committee composed of director and senior director level employees,
    2) be sure to disclose cybersecurity risks, incidents, and their business impacts in a timely manner,
    3) build more visibility into their processes to better understand their weaknesses,
    4) conduct regular forensic assessments of the company’s cybersecurity systems, and
    5) be prepared to disclose incidents before they’re fully understood.

  3. Cybersecurity spending is a battle: Here’s how to win – Executives can be reluctant to free up budget to fund cybersecurity. Here’s how to convince them that spending money on securing the business is the right thing to do.

    1. To get the board’s full attention, explain, in plain language, the potential threats out there. It could even be a good idea for a CISO to run an exercise to demonstrate the potential impact of a cyber incident.
    2. Once CISOs have the board’s attention, they should back it up with a plan. They need a strategy for the security budget, and a clear idea of the tools, personnel and training it will purchase.

  4. Do tech investments really yield cost savings? – The link between technology investments and long-term cost savings isn’t always linear. Not every technology gain will directly affect the budget. Generating cost savings from technology requires buy-in from stakeholders across the business, and an IT leadership team privy to the importance of effective, not just money-saving, investments.
  5. CISA Urges Organizations to Avoid Bad Security Practices – CISA has listed certain bad practices that are extremely risky for organizations that support critical infrastructure for the nation. These include:

    – The use of unsupported (or end-of-life) software in service of National Critical Functions (NCF) is dangerous. It significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.
    – The use of known, fixed, or default passwords and credentials in service of Critical Infrastructure and NCF.
    – The use of single-factor authentication for remote or administrative access to systems supporting Critical Infrastructure and NCF is risky and increases the chance of intrusion. Threat actors can readily gain access to critical systems protected by poor authentication: weak or easy-to-guess passwords fall to brute-force attacks, and credentials can be captured or reused through phishing, credential stuffing, keylogging, and social engineering.

  6. Remote work is widening the skills gap, report finds – Technical skills gaps among employees have grown as more employees work from home, according to a Pluralsight survey of more than 600 technology executives and practitioners. Four in 10 found increased gaps in cybersecurity and cloud computing.
  7. IT leaders facing backlash from remote workers over cybersecurity measures: HP study – A new study from HP has highlighted the precarious — and often contentious — situations IT teams are facing when trying to improve cybersecurity for remote workers.

    The study found that IT workers often feel like they have no choice but to compromise cybersecurity in order to appease workers who complain about how certain measures slow down business processes. Some remote workers — particularly those aged 24 and younger — outright reject cybersecurity measures they believe “get in the way” of their deadlines.

  8. What do tech workers want? – The demand for talent far exceeds supply, giving technology workers the power to choose their employer.

    Technology workers want higher pay and flexibility, a readily accessible combination in the remote and hybrid work era. Flexibility extends to job responsibilities, as employees take advantage of chances to learn new skills and work with top-of-the-line technology stacks. These are all factors IT candidates take into account when searching for their next role.