1. Forrester’s Top Security Program Recommendations for 2022 – 03:00 PM-03:30 PM
Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!
Security leaders are using their hard-won influence with senior leadership to take on challenges related to emerging threats and unrelenting attackers. Yet plenty of old problems remain and are piling up.
In this session, Senior Analyst Jess Burn will highlight Forrester’s eight security program recommendations for 2022 that will help security leaders take full advantage of their political capital — and budget — to resolve perennial problems and tackle emerging issues.
Jess is a senior analyst at Forrester serving security and risk professionals. She contributes to Forrester’s research on the role of the CISO and Zero Trust. Additionally, Jess covers email security; incident response and crisis management; and security training, education, and certifications. Prior to her analyst role, Jess spent eight years as a principal advisor on Forrester’s Security & Risk Council. In this role, she was a trusted partner to a network of CISOs and security and risk leaders making critical decisions in the areas of risk management, data privacy and protection, cybersecurity operations, and identity and access management.
CISO at Cradlepoint
Chief Operating Officer at Envision Technologies
Executive Director at CyberRisk Alliance
2. Cybersecurity Metrics, Litigation Risks, and 10 Critical People Skills for CISOs – 03:30 PM-04:00 PM
Join Paul Asadoorian and Rich Mogull on May 4th to learn how to choose the right architecture for your application. Live attendees at this webcast will have the chance to win a $100 Hacker Warehouse gift card! Register at securityweekly.com/webcasts. Don’t forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
In the Leadership and Communications section: What cybersecurity metrics should I report to my board?, Cybersecurity litigation risks: 4 top concerns for CISOs, The SEC Is About To Force CISOs Into America’s Boardrooms, and more!
You should not assume that your board members have the right information to make business decisions about cybersecurity investment just because they are nodding and smiling as you speak to the business importance of cybersecurity.
1. Time to Remediate Incidents: What is your average time (in hours) between incident ticket generation and ticket close for “critical & high priority” security incidents?
2. OS Patching Cadence (Standard): What is your average time (in days) to apply critical operating system patches within your standard patch process?
3. Risky 3rd Parties Engaged: What percentage of known third parties with poor security assessment results have been engaged by the organization?
4. Phishing Reporting Rates: What is your percentage of people who report suspicious emails for your standard organization-wide phishing campaigns?
5. Recovery Testing – Core Systems: What is your percentage of core systems supporting critical business/mission functions that have successfully completed full recovery testing in the last 12 months?
– Incidents violating a company’s security policies or procedures, or that expose a company to liability;
– Incidents affecting a company’s reputation, products, or services, including decreases or delays in production;
– Incidents affecting a company’s financial position, either directly or indirectly, through adverse costs such as payments for ransom or extortion demands, fees for remediation or increased cybersecurity protection, lost revenue, or any damage to the company’s competitiveness;
– Incidents disturbing a company’s relationship with either its customers or suppliers through the accidental exposure or access to customer data, deliberate attacks to steal, sell, or alter data, and compromises to the confidentiality, integrity, or availability of such information;
– Incidents affecting a company’s operations including unauthorized access to, damage to, interruption or loss of control over business information or systems; and
– Individually immaterial incidents that are material in the aggregate, meaning that a number of smaller but continuous cybersecurity breaches may, in fact, be subject to disclosure.
The SEC Is About To Force CISOs Into America’s Boardrooms – The proposed SEC rules for boardroom cyber expertise follow the approach taken by the SEC 20 years ago with financial expertise. Instead of focusing on job titles, expertise is about the depth of experience, competencies and formal education on these issues. The proposed SEC rules suggest that expertise be determined by:
– Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager or business continuity planner;
– Whether the director has obtained a certification or degree in cybersecurity; and
– Whether the director has knowledge, skills or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling or business continuity planning.
1. Communication skills
2. An ability to tell stories
5. Ability to promote collaboration
6. Ability to build trust
8. Ability to promote inclusion
10. Ability to motivate people