Business Security Weekly Episode #244 – December 20, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Security Maturity: From Hostage Negotiator to Business Leader – 03:00 PM-03:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • We had an absolute blast putting together this year’s SW Unlocked virtual event! All presentations are now available on-demand for your viewing pleasure. Please visit https://securityweekly.com/unlocked to register and watch now!

Description

Throughout her career, Sandy Dunn has continued to mature and refine her skills. In the early days, she describes her job as a “hostage negotiator”, constantly negotiating between the business teams and the security team. But as you mature, so does your approach to security. Now, Sandy talks about simplifying “knowledge management” to make it easy to understand security and becoming a “business listener” to make the right decisions.

Guest(s)

Sandy Dunn – CISO at Health Payer Idaho

@subzer0girl

Sandy Dunn, CISO at Blue Cross of Idaho, has 20 years in cybersecurity. Initially starting out in software and hardware sales, she worked with NASA, JPL, the Secret Service, the IRS, and other federal agencies. Her roles in cybersecurity have included Competitive Intelligence, Security Engineer, Information Security Officer, Senior Security Strategist, and IT Security Architect. She prioritizes a risk-based, business-focused cybersecurity strategic approach built on process, standards, and threat intelligence. She has a Master's from SANS in Information Security Management, and her certifications include CISSP, SANS GSEC, GWAPT, GCPM, GCCC, GCIH, GLEG, GSNA, GSLC, Security+, ISTQB, and FAIR. She is an Adjunct Professor at BSU in their Cybersecurity program, a frequent speaker on cybersecurity, and helped organize the first BSidesBoise events in Boise, Idaho. She has two children, a wonderful husband, and too many horses, and lives outside of Boise, Idaho.

Hosts

Ben Carr

CISO at Qualys

Jason Albuquerque

@Jay_Albuquerque

Chief Operating Officer at Envision Technologies

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

2. Office of the CISO, The Fearless CISO, and America’s Cyber Reckoning – 03:30 PM-04:00 PM

Announcements

  • Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference dates have changed, and will now be live in San Francisco June 6th through 9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!

  • Join us January 20th to learn how to build your own security lab at home! Don’t forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand.

Description

In the leadership and communications section, The Office of the CISO: A Framework for the CISO, America’s Cyber-Reckoning, How to Include Cybersecurity Training in Employee Onboarding, and more!

Hosts

Ben Carr

CISO at Qualys

Jason Albuquerque

@Jay_Albuquerque

Chief Operating Officer at Envision Technologies

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

  1. C-suite’s biggest ransomware fear: Post-attack regulatory sanctions – C-suite executives and business leaders are most concerned about being exposed to regulatory sanctions, such as fines, over and above the loss of data or intellectual property (IP) and other consequences, in the wake of a ransomware attack, according to new data from cyber pro association (ISC)².
  2. The Office of the CISO: A Framework for the CISO – The Office of the CISO framework integrates the (increasingly expected) elements of ‘executive’ into the CISO function. CISOs are more impactful, and their programs more effective, when they deliver at a higher caliber of ‘executive.’

    The 3 Pillars of the Office of the CISO:

    1. Strategy, Governance & Oversight
    2. Talking & Partnering
    3. Operations

  3. The Fearless CISO: 4 Ways to Secure Everything – What happens when security leaders have a comprehensive security approach based on Zero Trust principles? They can be fearless, armed with the ability to secure everything without any limits. Let’s take a look at four ways that we have seen organizations manage a comprehensive security approach:

    1. Commit to a Zero Trust Strategy
    2. Manage Compliance, Risk, and Privacy
    3. Use a Combination of XDR + SIEM Tools
    4. Use MFA Whenever and Wherever Possible

  4. America’s Cyber-Reckoning – To do better, the United States must focus on the most pernicious threats of all: cyberattacks aimed at weakening societal trust, the underpinnings of democracy, and the functioning of a globalized economy. The Biden administration seems to recognize the need for a new approach. But to make significant progress, it will need to reform the country’s cyber strategy, starting with its most fundamental aspect: the way Washington understands the problem.
  5. Security priorities for 2022: Advancement, not revolution – Security leaders say their priorities reflect security needs due to recent shifts in their organization’s IT and business environments, a changing threat landscape, and emerging risks.

    – Cloud data protection technologies top the priority list, with 87% of CISOs either studying, piloting, using or upgrading their use of them. In a related finding, 88% of CISOs are prioritizing cloud-based cybersecurity services.
    – Data access governance technologies also top the CISO priorities list, as does zero trust, with 84% indicating that zero trust is a priority for them.
    – Behavior monitoring and analysis is another big priority, with 82% saying they’re studying, piloting, using, or upgrading their use of them.
    – CISOs also indicated high interest or use of security orchestration, automation and response (SOAR) technologies, with 77% of CISOs either studying, piloting, using or upgrading their use.

  6. How to Include Cybersecurity Training in Employee Onboarding – Approach cybersecurity training in a structured way. Think of it as a cybersecurity checklist for new employees:

    – Set Employee Cybersecurity Expectations
    – Cybersecurity Awareness Training for New Employees
    – Easy Security Threat Reporting
    – Cybersecurity Training Advocates
    – Manage User Privilege Access
    – Protecting Passwords and Other Login Credentials
    – Require Lock Screen Passcodes for Unattended Devices
    – Require a VPN for Remote Work
    – Cybersecurity Training Should Include Managing Allowed Apps
    – Set BYOD Guidelines
    – Include Company Device Use Policies in Employee Onboarding
    – Device Monitoring
    – Ongoing Cybersecurity Training