[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
I had a request to change the format of the date in the Subject line to make it easier to sort. So I made the change.
* Salesforce.com Inc hires prominent hacking expert Trey Ford
* Ask the expert: What’s keeping CISOs awake at night?
* 7 Data Classification Tips
* Cisco Launches $10 Million Global Cybersecurity Scholarship to Increase Talent Pool; Introduces New and Updated Certifications
* DQM GRC launches the GDPR RADAR™ to help organisations become compliant with the new EU legislation within two years
* Proposed NY Data Breach Legislation Accounts for PHI Security
* HIT Think How to build an effective ransomware defense
* Boards ready to fire over bad security reporting
* FICO to Offer ‘Enterprise Security Scores’
Salesforce.com Inc hires prominent hacking expert Trey Ford
Ford, 36, told Reuters he will be responsible for cyber security and reliability of Heroku, a cloud-based platform for creating and deploying web software applications.
Ford previously served as general manager of the Black Hat hacking conference.
He was also security response manager for Zynga Inc and held positions with cyber security firms including Rapid7 Inc, McAfee and WhiteHat Security.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a183e87ba7&e=20056c7556
Ask the expert: What’s keeping CISOs awake at night?
Ryan O’Leary, Vice President of the Threat Research Centre at application security company WhiteHat Security, answers some of the burning questions that CISOs are losing sleep over…
How can I justify security ROI?
The average cost of a data breach was estimated to be $3.8 million in 2015 – if implementing a specific security measure would cost your business just 10 per cent of that figure, whilst significantly reducing your threat exposure – it is inarguably a worthwhile investment.
This is especially true when considering the rapid rate at which the cost of a data breach continues to rise.
CISOs must present to their peers the potential savings that can be made by investing in security – because, regardless of the initial pay out, a breach will always cost more.
How can I be sure I am spending my security budget effectively?
Security must be incorporated from the first instance, in order to reduce unnecessary expenditure.
A security-centric development program is the most cost effective way to improve an organisation’s defences.
All too often, security and development do not go hand in hand, meaning that developers do not understand the threats faced by an organisation.
Nonetheless, training and educating developers will cost the organisation a great deal less than investing in costly security measures to remediate vulnerabilities in bad code.
How can I identify my best assets, and protect them?
With a clear view of their organisation’s threat landscape, CISOs can implement a prioritisation process for ensuring that applications are being tested effectively and often enough to maintain the security of the organisation.
Putting these security measures into effect becomes a great deal easier for the CISO once they have identified what the key assets of the organisation are, and the level of security needed to protect them.
Where can I find and hire quality security engineers?
…the CISO does not have to blow the budget on hiring effective security engineers.
The other avenue to take is to partner with a vulnerability assessment company, meaning a CISO can rest assured that the needs of the role are being efficiently and cost effectively carried out by trusted security experts.
Is it really just a matter of time before my application is breached?
…a CISO must not lose sleep over the ‘ifs’ or ‘whens’, but rest assured that they know the exact measures they will put in place, should they be targeted by malicious actors.
It is imperative that every organisation implements a strong process for remediating vulnerabilities.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=486cee1947&e=20056c7556
7 Data Classification Tips
Data classification tools can help companies get answers to these questions and help them set policies and train their employees so they can reduce their exposure to data leaking because of inconsistent policies and human error.
In interviews with Hoffer and Feinman about data classification, Dark Reading developed seven tips for security managers to consider.
1- Identify the risk and determine the financial impact of a breach.
2- Manage the risk and set defined policies for data classification.
3- Understand the regulatory issues in your industry.
4- Minimize the risk by implementing tools that can get the job done.
5- Deploy continuous monitoring and education.
6- Data classification software needs to be integrated with DLP and other security technologies.
7- Consider the deployment model.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d14caf3ba7&e=20056c7556
Cisco Launches $10 Million Global Cybersecurity Scholarship to Increase Talent Pool; Introduces New and Updated Certifications
SAN JOSE, CA — (Marketwired) — 06/14/16 — Cybersecurity provides the critical foundation organizations require to protect themselves, enable trust, move faster, add greater value and grow.
However, research indicates there will be a global shortage of two million cybersecurity professionals by 2019.
To help close this security skills gap, Cisco (NASDAQ: CSCO) is introducing a $10 million Global Cybersecurity Scholarship program and enhancements to its security certification portfolio.
The Global Cybersecurity Scholarship Program
• To address the shortfall of security talent, Cisco will invest $10 million in a two-year Global Cybersecurity Scholarship program to increase the pool of available talent with critical cybersecurity proficiency.
• Cisco will offer training, mentoring and certification that align with the Security Operations Center Analyst industry job role.
• Cisco will deliver the program in partnership with key Cisco Authorized Learning Partners.
This training is designed to address the critical skills deficit, providing on-the-job readiness needed to meet current and future challenges of network security.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=108cd81734&e=20056c7556
DQM GRC launches the GDPR RADAR™ to help organisations become compliant with the new EU legislation within two years
To help organisations prepare for this new legislation, DQM GRC has launched its GDPR RADAR™, a unique data protection assessment that will score an organisation’s current fitness against the new regulation, understand where it has to improve and set a bespoke programme to get the organisation to where it needs to be.
The GDPR RADAR™ is the first and most efficient way of understanding an organisation’s fitness level and fixing its data protection compliance, data privacy and data security risks.
The GDPR RADAR™ will enable an organisation to:
The GDPR RADAR™’s recommendations and action plan prioritises the high risk areas in an organisation, and can provide template solutions to ensure an organisation reaches compliance.
Once remedies are in place, companies can work towards gaining standards such as ISO27001, Cyber Essentials, DataSeal, Fair Data, and Privacy Seal – which can all help with winning major tenders.
Companies who have undergone a DQM GRC GDPR Data Risk Assessment can benefit from discounts of up to 25% on their cyber insurance from QBE Insurance to cover issues if they arise, such as crisis management, damage to underlying systems from virus injections and notification and fine costs.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=233ef797d4&e=20056c7556
Proposed NY Data Breach Legislation Accounts for PHI Security
Pending data breach legislation in New York could potentially affect the future of PHI security, as the proposed bill would include individuals’ medical information under its definition of personal information.
If the bill passes, unsecured PHI that is held by a HIPAA covered entity would be considered the type of data that requires notification should it be compromised in a data breach.
The bill, A10475, is sponsored by Assemblyman Jeffrey Dinowitz, and would go into effect on January 1, 2017.
The notification process would also be updated.
For example, an entity shall notify individuals affected by the data breach as quickly as possible.
If a business believes that any private information belonging to a consumer has been accessed by an unauthorized individual, the business must notify the consumer.
Another important change in A10475 would be the penalty for an entity should it fail to comply with the data breach notification requirements.
Currently, penalties are limited to the greater of $5,000 or $10 per instance.
However, the penalties are not to exceed $100,000 total.
The bill also proposed a “Reasonable Data Security Requirement,” which would require companies that collect or store private information to adhere to administrative, technical, and physical safeguards.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ca1c5ecc1f&e=20056c7556
HIT Think How to build an effective ransomware defense
* Make sure all systems are promptly updated with the latest operating system security patches.
* Enforce anti-malware scanning across all departments, and ensure your malware signature databases are up to date.
* Implement content-based scanning and filtering on email servers, particularly where access to cloud services such as Gmail, Yahoo Mail, and Outlook.com are permitted from the enterprise network.
* Restrict users’ access to only those systems that are necessary for their roles. Avoid “access sprawl.”
* Use two-factor authentication, so a stolen password isn’t enough to grant access.
* Ensure user accounts are de-provisioned promptly. There should be no orphaned accounts of former employees, especially if they served in a technical role.
* Deploy and maintain a comprehensive backup system, including offsite storage, in the event that files need to be restored.
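The de-provisioning point above is the one that is easiest to check mechanically. The following script is an added example (not from the article or any product it mentions) that compares a list of accounts against an HR roster of active employees, flags accounts whose owner has left or that show no recent login, and ranks those in privileged groups first. The account records, the roster, the reference date and the `PRIVILEGED_GROUPS` set are all constructed for the illustration.

```python
"""Orphaned-account audit (added example, not part of the newsletter).

Compares accounts against an HR roster of active employees and flags
accounts whose owner has left, plus accounts that look unused.  All input
data in this file is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, Iterable, List, Optional, Set

# Groups treated as conferring elevated access; membership raises severity.
# This set is an assumption for the example, not a standard list.
PRIVILEGED_GROUPS = {"sudo", "wheel", "domain admins", "backup operators"}


@dataclass
class Account:
    username: str
    owner_email: str                       # links the account to the HR roster
    groups: FrozenSet[str] = field(default_factory=frozenset)
    last_login: Optional[date] = None


@dataclass
class Finding:
    username: str
    reason: str
    severity: str                          # "high" if privileged, else "medium"


def audit_orphaned_accounts(accounts: Iterable[Account],
                            active_emails: Set[str],
                            today: date,
                            stale_after_days: int = 90) -> List[Finding]:
    """Return findings for accounts with no active owner or no recent login.

    Orphaned: owner_email is not on the active roster (owner has left).
    Stale: never logged in, or last login older than stale_after_days.
    Stale accounts are a weaker signal than orphans but still merit review.
    """
    findings: List[Finding] = []
    for acct in accounts:
        privileged = bool({g.lower() for g in acct.groups} & PRIVILEGED_GROUPS)
        severity = "high" if privileged else "medium"
        if acct.owner_email.lower() not in active_emails:
            findings.append(Finding(acct.username, "owner not on active roster", severity))
            continue                       # orphaned; staleness is moot
        if acct.last_login is None:
            findings.append(Finding(acct.username, "never logged in", severity))
        elif (today - acct.last_login).days > stale_after_days:
            findings.append(Finding(acct.username,
                                    f"no login for >{stale_after_days} days", severity))
    # Privileged findings first so they are disabled first; then by name.
    findings.sort(key=lambda f: (f.severity != "high", f.username))
    return findings


# Constructed sample data: one orphaned admin, one never-used account,
# one stale service account in a privileged group, one healthy user.
SAMPLE_ACCOUNTS = [
    Account("alice", "alice@example.com", frozenset({"users"}), date(2016, 6, 10)),
    Account("bob-admin", "bob@example.com", frozenset({"users", "sudo"}), date(2016, 3, 1)),
    Account("carol", "carol@example.com", frozenset({"users"}), None),
    Account("svc-backup", "dave@example.com", frozenset({"Backup Operators"}), date(2016, 1, 15)),
]
SAMPLE_ACTIVE_ROSTER = {"alice@example.com", "carol@example.com", "dave@example.com"}
SAMPLE_TODAY = date(2016, 6, 14)


def run_sample() -> List[Finding]:
    """Run the audit over the constructed sample data."""
    return audit_orphaned_accounts(SAMPLE_ACCOUNTS, SAMPLE_ACTIVE_ROSTER, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.username}: {f.reason}")
```

In practice the account list would come from the directory or from each system's local user database, and the roster from HR; the join key (here the owner's e-mail) is the part that most often needs cleaning before the comparison is trustworthy.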
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cb875e68bd&e=20056c7556
Boards ready to fire over bad security reporting
If CISOs don’t do a good job of communicating, 59 percent of board members said that the security executives stand to lose their jobs, according to a new survey released today.
Previously, boards looked at breaches as an act of God or natural disaster, he said, or just fired the CISO even if the breach was not something they could have prevented.
If there’s a breach, CISO must be able to show that they’re running an effective operation, and are following industry best practices, he said.
As a result of the increase in cyber attacks and the associated rise in attention from the media, industry groups and regulators, boards are becoming better educated about cybersecurity.
And they expect the CISO to be able to keep the board well informed.
According to the survey, which was conducted by Osterman Research, cyber risk is now a top priority for board members, right up there with financial risk, regulatory risk, competitive risk, and legal risk.
But they expect security reports to present information that they need to make decisions.
That requires the information that they need to make investments for cyber risk planning and expenditures, budget estimates, direct costs and detailed spending information.
In addition, 54 percent of board members said that the data they were getting was too technical, and 85 percent said that IT and security executives need to improve the way they report to the board.
If the reports aren’t useful and actionable, 93 percent said that there would be consequences.
These included termination, said 59 percent, or warnings, said 34 percent.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dbf8a414c5&e=20056c7556
FICO to Offer ‘Enterprise Security Scores’
Fair Isaac Corp., known for its FICO consumer-credit scores, waded deeper into online security Tuesday with the acquisition of cybersecurity startup QuadMetrics.
The company said it plans to leverage QuadMetrics’s predictive analytics and security-risk assessment tools to develop an industry-wide “enterprise security score” for businesses.
The security score is meant to provide an “easy-to-understand” metric to help chief information officers and other corporate IT decision-makers gauge their company’s online risks, while managing risks from third-party software vendors.
QuadMetrics, based in Ann Arbor, Mich., claims to be able to predict the likelihood of a company being breached with greater than 90% accuracy, the company told CIO Journal in January.
QuadMetrics, leveraging technology developed at the University of Michigan with funding from the Department of Homeland Security, collects more than 250 data points from a company’s IT network, such as spam traffic or the configuration of servers and routers.
It then runs through predictive risk models based in part on a database on past security incidents.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1ff64f2af6&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)