Business Security Weekly Episode #260 – April 25, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Forrester’s Top Security Program Recommendations for 2022 – 03:00 PM-03:30 PM

Announcements

  • Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

Security leaders are using their hard-won influence with senior leadership to take on challenges related to emerging threats and unrelenting attackers. Yet plenty of old problems remain and are piling up.

In this session, Senior Analyst Jess Burn will highlight Forrester’s eight security program recommendations for 2022 that will help security leaders take full advantage of their political capital — and budget — to resolve perennial problems and tackle emerging issues.

Segment Resources:
Blog post: https://www.forrester.com/blogs/our-2022-top-recommendations-for-your-security-program-cisos-get-an-offer-they-cant-refuse/?ref_search=604835_1649953578273

Full report: https://www.forrester.com/report/top-recommendations-for-your-security-program-2022/RES177270?ref_search=604835_1649953578273

Guest(s)

Jess Burn

Jess Burn – Senior Analyst at Forrester Research

@jess_burn_

Jess is a senior analyst at Forrester serving security and risk professionals. She contributes to Forrester’s research on the role of the CISO and Zero Trust. Additionally, Jess covers email security; incident response and crisis management; and security training, education, and certifications. Prior to her analyst role, Jess spent eight years as a principal advisor on Forrester’s Security & Risk Council. In this role, she was a trusted partner to a network of CISOs and security and risk leaders making critical decisions in the areas of risk management, data privacy and protection, cybersecurity operations, and identity and access management.

Hosts

Ben Carr

CISO at Cradlepoint

Jason Albuquerque

@Jay_Albuquerque

Chief Operating Officer at Envision Technologies

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

2. Cybersecurity Metrics, Litigation Risks, and 10 Critical People Skills for CISOs – 03:30 PM-04:00 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Join Paul Asadoorian and Rich Mogull on May 4th to learn how to choose the right architecture for your application. Live attendees at this webcast will have the chance to win a $100 Hacker Warehouse gift card! Register at securityweekly.com/webcasts. Don’t forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Description

In the Leadership and Communications section: “What cybersecurity metrics should I report to my board?”, “Cybersecurity litigation risks: 4 top concerns for CISOs”, “The SEC Is About To Force CISOs Into America’s Boardrooms”, and more!

Hosts

Ben Carr

CISO at Cradlepoint

Jason Albuquerque

@Jay_Albuquerque

Chief Operating Officer at Envision Technologies

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

  1. Gartner: Value is Missing in Executive Communication on Cybersecurity – In 2022, 88% of boards say that cybersecurity is a business issue, not a technical one. This conversation is about resetting executive engagement, putting a business context around security, and literally how we invest in security.

    You should not assume that your board members have the right information to make business decisions about cybersecurity investment just because they are nodding and smiling as you speak to the business importance of cybersecurity.

  2. What cybersecurity metrics should I report to my board? – Here are 5 examples of cybersecurity value-delivery metrics you should give to your board:

    1. Time to Remediate Incidents: What is your average time (in hours) between incident ticket generation and ticket close for “critical & high priority” security incidents?
    2. OS Patching Cadence (Standard): What is your average time (in days) to apply critical operating system patches within your standard patch process?
    3. Risky 3rd Parties Engaged: What percentage of known third parties with poor security assessment results have been engaged by the organization?
    4. Phishing Reporting Rates: What is your percentage of people who report suspicious emails for your standard organization-wide phishing campaigns?
    5. Recovery Testing – Core Systems: What is your percentage of core systems supporting critical business/mission functions that have successfully completed full recovery testing in the last 12 months?

  3. Cybersecurity litigation risks: 4 top concerns for CISOs – Cybersecurity and data protection are expected to become top drivers of legal disputes. What litigation risks should CISOs be most concerned about and what can they do about it?

    1. Data breaches draw lawsuits
    2. CISOs under fire
    3. Loss of trade secrets and reputational damage
    4. Regulations and requirements

  4. What Makes a Cybersecurity Risk or Incident Material? A Look at the SEC’s Proposed Rules on Cybersecurity – The Proposed Rules provide clues as to the type of material cybersecurity incidents and risks that may warrant disclosure, including:

    – Incidents violating a company’s security policies or procedures, or that expose a company to liability;
    – Incidents affecting a company’s reputation, products, or services, including decreases or delays in production;
    – Incidents affecting a company’s financial position, either directly or indirectly, through adverse costs such as payments for ransom or extortion demands, fees for remediation or increased cybersecurity protection, lost revenue, or any damage to the company’s competitiveness;
    – Incidents disturbing a company’s relationship with either its customers or suppliers through the accidental exposure of or access to customer data, deliberate attacks to steal, sell, or alter data, and compromises to the confidentiality, integrity, or availability of such information;
    – Incidents affecting a company’s operations including unauthorized access to, damage to, interruption or loss of control over business information or systems; and
    – Individually immaterial incidents that are material in the aggregate, meaning that a number of smaller but continuous cybersecurity breaches may, in fact, be subject to disclosure.

  5. The SEC Is About To Force CISOs Into America’s Boardrooms – The proposed SEC rules for boardroom cyber expertise follow the approach taken by the SEC 20 years ago with financial expertise. Instead of focusing on job titles, expertise is about the depth of experience, competencies and formal education on these issues. The proposed SEC rules suggest that expertise be determined by:

    – Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager or business continuity planner;
    – Whether the director has obtained a certification or degree in cybersecurity; and
    – Whether the director has knowledge, skills or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling or business continuity planning.

  6. 10 critical people skills today’s CIOs and IT leaders need – Here are 10 of those softer skills that technology leaders need:

    1. Communication skills
    2. An ability to tell stories
    3. Empathy
    4. Curiosity
    5. Ability to promote collaboration
    6. Ability to build trust
    7. Vulnerability
    8. Ability to promote inclusion
    9. Future-thinking
    10. Ability to motivate people