{"id":5135,"date":"2024-04-14T14:19:45","date_gmt":"2024-04-14T19:19:45","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5135"},"modified":"2024-04-14T14:19:45","modified_gmt":"2024-04-14T19:19:45","slug":"cso-news-2024-04-15","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5135","title":{"rendered":"CSO News &#8211; 2024-04-15"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><a>Table of Contents<\/a><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hardest Cybersecurity Jobs to Fill in 2024: Top Roles &amp; Skills<\/li>\n\n\n\n<li>Apache Software Foundation Celebrates 25 Years<\/li>\n\n\n\n<li>Finite State: Software Risk Management Company Raises $20 Million<\/li>\n\n\n\n<li>OMB Approves Final CISA Secure Software Attestation Common Form, Triggering Clock for Collection<\/li>\n\n\n\n<li>Tips from a CSO: How to Secure Your Software Supply Chain<\/li>\n\n\n\n<li>CISA announces new efforts to help secure open source ecosystem<\/li>\n\n\n\n<li>Introducing ArmorCode Risk Prioritization, the Most Intelligent Risk Scoring Algorithm in ASPM |&#8230;<\/li>\n\n\n\n<li>Micro Certification Trend Growing in IT<\/li>\n\n\n\n<li>52% of organizations to invest in AI-based security tools \u2013 2024 Thales Global Data Threat Report<\/li>\n\n\n\n<li>Organizations Are Shifting Ransomware Defense Tactics, But Malware Is Still the Problem<\/li>\n\n\n\n<li>Understanding The Implications Of The SEC Incident Disclosure Rules<\/li>\n\n\n\n<li>Global Outlook: World Economic Forum\u2019s warning on cyber challenges we all face<\/li>\n\n\n\n<li>The impact of cybercrime on employee health and happiness<\/li>\n\n\n\n<li>Companies State it Takes More Than 6 Months to Fill Cybersecurity Positions | Metro Cebu News<\/li>\n\n\n\n<li>Regulation remains the strongest multiplier to cybersecurity growth, according to report from Fr&#8230;<\/li>\n\n\n\n<li>Only 5% of Boards Have Cybersecurity Expertise &#8211; Infosecurity 
Magazine<\/li>\n\n\n\n<li>Code42 Appoints Dennis Dayman as Chief Information Security Officer &#8211; US Politics Today &#8211; EIN Pr&#8230;<\/li>\n\n\n\n<li>Questions to Ask Your vCISO Vendor | MSSP Alert<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"http:\/\/blank.ico\/\" width=\"16\">&nbsp;<a><strong>Hardest Cybersecurity Jobs to Fill in 2024: Top Roles &amp; Skills<\/strong><\/a><br><em>John Meah<\/em><br>The cybersecurity job market is projected to grow by 32% through 2032, much faster than average, with around 16,800 openings for information security analysts each year<br>This surge in demand is driven by the increasing sophistication of cyber threats and the need for robust defenses to protect sensitive data and systems<br>Chief Information Security Officers (CISOs), security architects, security engineers, and DevSecOps engineers are among the hardest cybersecurity roles to fill currently<br>Other critical roles include cybersecurity analysts, application security testers, penetration testers, incident responders, cyber threat intelligence analysts, risk\/fraud analysts, IT security compliance officers, and IT security auditors<br>These roles require specialized certifications like CISSP, CCSP, CEH, OSCP, CISA, and others to validate expertise<br>Key skills needed span areas like risk assessment, secure coding, threat analysis, digital forensics, ethical hacking, compliance, and strategic planning<br>Despite growth, there is a significant global workforce shortage, with demand outpacing supply of qualified cybersecurity professionals<br>Challenges include rapid skill obsolescence, lack of experience, and lack of diversity in the cybersecurity workforce<br>To tackle the skills gap, strategies include continuous education, cross-training, competitive compensation, apprenticeship programs, and tapping diverse talent pools.<br><strong>Link:<\/strong>&nbsp;<a 
href=\"https:\/\/www.techopedia.com\/hardest-cybersecurity-jobs-to-fill-and-essential-certifications\">https:\/\/www.techopedia.com\/hardest-cybersecurity-jobs-to-fill-and-essential-certifications<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"https:\/\/www.globenewswire.com\/Content\/logo\/favicon.ico\" width=\"16\">&nbsp;<a><strong>Apache Software Foundation Celebrates 25 Years<\/strong><\/a><br><em>The Apache Software Foundation<\/em><br><em>Globe Newswire<\/em><br>The Apache Software Foundation (ASF) is celebrating its 25th anniversary as an all-volunteer organization that develops and stewards over 320 active open source projects<br>ASF is launching a social media campaign (#ASF25years) to showcase the software development and innovation from its projects over the past 25 years<br>ASF projects provide reliable open source software that fuels innovation and powers organizations worldwide, with use cases like cancer research, clean energy, and reducing food waste<br>Recent major releases include Apache Cassandra, Apache Kafka, Apache Lucene, and Apache Spark<br>ASF fosters welcoming communities around its projects through mentorship, the Apache Incubator program, and preserving retired projects in the Apache Attic<br>ASF celebrates all types of contributions &#8211; code, documentation, marketing, translations, etc. 
through initiatives like the First Contribution Campaign<br>Looking ahead, ASF will continue upholding open source values, providing guidance on generative AI, engaging in public policy, and investing in software security issues<br>ASF encourages getting involved through social media, hosting projects, sponsorships, and attending the Community Over Code event<br>The 25th anniversary highlights ASF&#8217;s mission of providing software for the public good through its open source communities and practices.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.globenewswire.com\/news-release\/2024\/03\/25\/2851819\/0\/en\/Apache-Software-Foundation-Celebrates-25-Years.html\">https:\/\/www.globenewswire.com\/news-release\/2024\/03\/25\/2851819\/0\/en\/Apache-Software-Foundation-Celebrates-25-Years.html<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"https:\/\/pulse2.com\/wp-content\/themes\/pulse2\/images\/icons\/favicon.ico\" width=\"16\">&nbsp;<a><strong>Finite State: Software Risk Management Company Raises $20 Million<\/strong><\/a><br><em>Amit Chowdhry<\/em><br><em>Pulse 2.0<\/em><br>Finite State, a leader in software risk management for connected devices and critical infrastructure, announced raising a $20 million growth funding round led by Energy Impact Partners (EIP)<br>This funding highlights Finite State&#8217;s pivotal role in addressing cybersecurity challenges organizations face, especially around securing software supply chains for connected devices and critical systems<br>The investment comes amid escalating cyber threats and regulatory pressures driving the need for better software supply chain security solutions<br>Finite State&#8217;s platform enables organizations to identify and mitigate vulnerabilities in software supply chains while safeguarding critical systems and data through visibility, transparency and risk management capabilities<br>The funding will allow Finite State to 
accelerate product development efforts focused on enhancing binary analysis, SBOM management, and unified vulnerability management capabilities<br>This will help security teams keep pace with rapidly evolving security demands around software supply chain risks<br>Key quotes emphasize the investment validates Finite State&#8217;s mission, and its innovative platform empowers manufacturers and industrial organizations to actively manage growing software supply chain risks targeting critical infrastructure.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/pulse2.com\/finite-state-software-risk-management-company-raises-20-million\">https:\/\/pulse2.com\/finite-state-software-risk-management-company-raises-20-million<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"http:\/\/blank.ico\/\" width=\"16\">&nbsp;<a><strong>OMB Approves Final CISA Secure Software Attestation Common Form, Triggering Clock for Collection<\/strong><\/a><br><em>Robert Huffman and Ryan Burnette<\/em><br><em>Open Legal Blog<\/em><br>On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released the final version of its common Secure Software Development Attestation Form<br>This form is expected to be widely used by U.S. 
government agencies to fulfill requirements set by recent OMB memos for ensuring procured software is securely developed<br>Approval of this final form triggers deadlines for agencies to begin collecting the attestation forms from software developers &#8211; within 3 months for &#8220;critical software&#8221; and within 6 months for all other software<br>The form requires developers to attest they follow secure development practices outlined in NIST guidance (SP 800-218 and software supply chain security guidance).<br>&#8220;Software&#8221; is very broadly defined to include firmware, operating systems, applications, cloud services, and any products containing software developed or updated after Sept 2022<br>While plan of actions are permitted, agencies can require additional materials like software bills of materials (SBOMs) at their discretion<br>No new OMB guidance has been issued yet, but the approval conditions have been met to start the 3 and 6 month deadlines<br>Software developers selling to the government are encouraged to assess their compliance posture against the NIST practices and begin documenting their attestation basis to meet upcoming customer requirements.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.openlegalblogarchive.org\/2024\/03\/25\/omb-approves-final-cisa-secure-software-attestation-common-form-triggering-clock-for-collection\">https:\/\/www.openlegalblogarchive.org\/2024\/03\/25\/omb-approves-final-cisa-secure-software-attestation-common-form-triggering-clock-for-collection<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"https:\/\/speedmedia.jfrog.com\/08612fe1-9391-4cf3-ac1a-6dd49c36b276\/https:\/\/media.jfrog.com\/wp-content\/uploads\/2019\/04\/20131046\/Jfrog16-1.png\" width=\"16\">&nbsp;<a><strong>Tips from a CSO: How to Secure Your Software Supply Chain<\/strong><\/a><br><em>Moran Ashkenazi<\/em><br><em>JFrog Blog<\/em><br>Trust is vital, which requires showing 
evidence of strong security measures across the software supply chain<br>Common misconceptions include assuming external dependencies are secure, having limited visibility into supply chain risks, and thinking code signing alone ensures security<br>Developers play a crucial role in proactively understanding and mitigating supply chain risks through secure coding practices<br>Being proactive and adaptive is important &#8211; integrating security from the start, staying aware of emerging threats, and using techniques like simulated attacks<br>AI and machine learning can help accelerate processes like vulnerability prioritization and remediation<br>Best practices at JFrog include using a central binary repository, maintaining SBOMs, automating security testing, software composition analysis, signing\/verifying packages, access control, and simulating attacks<br>Security is a shared responsibility across the organization &#8211; from leadership to employees<br>Promoting security awareness and empowering everyone is key<br>The growing complexity of software supply chains requires increased collaboration, standards, and integration of advanced technologies like AI\/ML for effective security.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/jfrog.com\/blog\/cso-how-to-secure-your-software-supply-chain\">https:\/\/jfrog.com\/blog\/cso-how-to-secure-your-software-supply-chain<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"http:\/\/blank.ico\/\" width=\"16\">&nbsp;<a><strong>CISA announces new efforts to help secure open source ecosystem<\/strong><\/a><br><em>CHIPS<\/em><br>CISA hosted an Open Source Software (OSS) Security Summit with participants from government agencies, open source foundations, package repositories, industry, and civil society<br>The summit explored approaches to strengthen the security of the open source infrastructure through collaborative efforts<br>CISA announced several initial 
actions it will take to help secure the open source ecosystem in partnership with the community, such as providing resources and guidance<br>Five major package repositories committed to implementing the Principles for Package Repository Security framework to enhance security measures<br>The summit featured discussions, a tabletop exercise on vulnerability response, and a roundtable on package manager security<br>It aligns with the Biden Administration&#8217;s Open Source Software Security Initiative led by the Office of National Cyber Director (ONCD) to prioritize securing open source software<br>CISA released its Open Source Software Security Roadmap in 2023 outlining goals to support federal and global open source security<br>The announced actions represent key steps fulfilling the roadmap&#8217;s objectives around partnering with OSS communities and encouraging collective action<br>Open source community members are invited to get involved with CISA&#8217;s ongoing OSS security efforts.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.doncio.navy.mil\/CHIPS\/ArticleDetails.aspx?ID=16668\">https:\/\/www.doncio.navy.mil\/CHIPS\/ArticleDetails.aspx?ID=16668<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"https:\/\/www.businesswire.com\/news\/home\/20240326648648\/en\/favicon.ico\" width=\"16\">&nbsp;<a><strong>Introducing ArmorCode Risk Prioritization, the Most Intelligent Risk Scoring Algorithm in ASPM |&#8230;<\/strong><\/a><br><em>Business Wire<\/em><br>ArmorCode, a leading Application Security Posture Management (ASPM) platform, announced ArmorCode Risk Prioritization &#8211; the industry&#8217;s first 3D risk scoring approach for application security<br>It combines technical severity ratings, business context, and insights on active threat exploitation to help organizations prioritize and remediate their highest-risk findings<br>The goal is to solve the challenge of too many security alerts 
from different tools across environments, which has grown 500% harder to manage in the last decade<br>Risk Prioritization ingests findings across security tools, normalizes severities, and assesses business impact to produce a single &#8220;Adaptive Risk Score&#8221; for the entire ecosystem<br>Key benefits include unified risk visibility, intelligent prioritization based on business context, focused remediation efforts, automated workflows, and improved risk management reporting<br>It allows security and development teams to jointly focus on fixing the highest-impact issues first, improving overall posture while accelerating secure software delivery<br>ArmorCode aims to move beyond outdated severity-based remediation to a more intelligent, context-driven approach to application security risk management<br>The capability is part of ArmorCode&#8217;s unified ASPM platform that integrates across the entire software ecosystem for visibility, prioritization and automation.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.businesswire.com\/news\/home\/20240326648648\/en\">https:\/\/www.businesswire.com\/news\/home\/20240326648648\/en<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"http:\/\/www.devopsdigest.com\/sites\/all\/themes\/mix_and_match\/images\/favicon.ico\" width=\"16\">&nbsp;<a><strong>Micro Certification Trend Growing in IT<\/strong><\/a><br><em>Anthony James<\/em><br><em>Dev Ops Digest<\/em><br>Micro certifications are driven by industries like IT and cybersecurity facing workforce skills gaps, benefiting both working professionals looking to advance\/switch careers and the unemployed seeking skill development<br>Top reasons for pursuing micro certs are keeping up with changing technologies and self-paced learning (86% prefer this format).<br>35% said micro certs helped them get a job or advance, 70% see benefit in employer partnerships with micro cert providers, and 85% would pursue if 
facilitated by employers.<br>40% of companies review micro cert digital badges when assessing candidates, 54% view traditional certs as somewhat\/no longer important for hiring.<br>58% believe micro certs convey same technical proficiency as traditional training, but 36% of companies still value traditional training over micro certs.<br>82% find micro certs more affordable than traditional IT training, with 58% paying $25+ per course<br>Over 90% had a high experience with micro certs and plan to take more, also recommending them to peers.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.devopsdigest.com\/micro-certification-trend-growing-in-it\">https:\/\/www.devopsdigest.com\/micro-certification-trend-growing-in-it<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"http:\/\/blank.ico\/\" width=\"16\">&nbsp;<a><strong>52% of organizations to invest in AI-based security tools \u2013 2024 Thales Global Data Threat Report<\/strong><\/a><br><em>Amy Sarah John<\/em><br><em>Daily Host News<\/em><br>Data Breach Trends and Threats:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>93% of enterprises globally have seen an increase in cybersecurity threats<\/li>\n\n\n\n<li>Top threats are malware, phishing, ransomware<\/li>\n\n\n\n<li>Cloud complexity is rising with over 40% using 50+ SaaS apps<\/li>\n\n\n\n<li>Human error is a top concern for 22% of respondents<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Risks from Emerging Technologies:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>22% plan to integrate generative AI in next 12 months, 33% will experiment<\/li>\n\n\n\n<li>Rapid AI changes are the top concern around 68%<\/li>\n\n\n\n<li>52% are prototyping post-quantum cryptography to address future encryption risks<\/li>\n\n\n\n<li>75% are having IT security teams cover operational technology for IoT threats<\/li>\n\n\n\n<li>65% have concerns around 5G network data security<\/li>\n<\/ul>\n\n\n\n<p 
class=\"wp-block-paragraph\">Compliance and Data Sovereignty:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>84% who failed compliance audits had previous breaches vs 21% who passed<\/li>\n\n\n\n<li>Only ~50% can classify their sensitive data<\/li>\n\n\n\n<li>28% use external key management for data sovereignty<\/li>\n\n\n\n<li>Multicloud usage is slightly declining to 2.02 providers on average<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Identity and Access Management:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>89% of customers willing to share data, 87% expect privacy rights<\/li>\n\n\n\n<li>CIAM is a top priority but has user experience challenges<\/li>\n\n\n\n<li>Workforce IAM is the most pressing discipline at 71% priority<\/li>\n\n\n\n<li>Only 46% use multi-factor authentication widely<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">DevSecOps Challenges:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>66% prioritize DevSecOps and cloud security<\/li>\n\n\n\n<li>Top DevOps challenges are secrets management (56%) and workforce IAM (52%)<\/li>\n\n\n\n<li>53% have implemented security champions programs<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Key Principles and Initiatives:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Align spending with top threats like phishing<\/li>\n\n\n\n<li>Shift to proactive security for new tech adoption<\/li>\n\n\n\n<li>Facilitate stakeholder buy-in through better user experiences<\/li>\n\n\n\n<li>Grow customer trust, resilience and readiness as security priorities<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.dailyhostnews.com\/52-of-organizations-to-invest-in-ai-based-security-tools-thales-global-data-threat-report\">https:\/\/www.dailyhostnews.com\/52-of-organizations-to-invest-in-ai-based-security-tools-thales-global-data-threat-report<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" 
src=\"https:\/\/www.cyberdefensemagazine.com\/favicon.jpg\" width=\"16\">&nbsp;<a><strong>Organizations Are Shifting Ransomware Defense Tactics, But Malware Is Still the Problem<\/strong><\/a><br><em>Trevor Hilligoss<\/em><br><em>Cyber Defense Magazine<\/em><br>Ransomware Prevalence<br>72% of global businesses were impacted by ransomware in 2023<br>This number is even higher (81%) for U.S., Canadian, and U.K. organizations<br>Disconnect in Preparedness<br>79% of security leaders feel confident in their ransomware defenses<br>However, cybercriminals are shifting tactics, increasingly relying on data exfiltration before deploying ransomware<br>Role of Malware<br>Infostealer malware infections preceded 22% of ransomware attacks in 2023<br>Malware is used to steal authentication data which is then sold on dark web<br>This stolen data allows criminals to gain network access before ransomware deployment<br>Limitations of Current Defenses<br>While MFA and other protections help, they don&#8217;t fully address the malware threat<br>Stolen cookies enable session hijacking, bypassing MFA<br>Over 22 billion stolen cookie records were found in 2022, yet monitoring for this is deprioritized<br>Need for Comprehensive Response<br>Simply cleaning infected devices is insufficient<br>Organizations must identify and remediate all stolen authentication data<br>This prevents criminals from using exfiltrated data for repeat attacks<br>A holistic malware remediation strategy is crucial for effective ransomware defense<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.cyberdefensemagazine.com\/organizations-are-shifting-ransomware-defense-tactics-but-malware-is-still-the-problem\/\">https:\/\/www.cyberdefensemagazine.com\/organizations-are-shifting-ransomware-defense-tactics-but-malware-is-still-the-problem\/<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"https:\/\/i.forbesimg.com\/48X48-F.png\" 
width=\"16\">&nbsp;<a><strong>Understanding The Implications Of The SEC Incident Disclosure Rules<\/strong><\/a><br><em>Jim Richberg<\/em><br><em>Forbes<\/em><br>The SEC&#8217;s Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure rules, effective December 2023, require publicly traded companies to disclose material cybersecurity incidents within four business days via Form 8-K and annually report their cybersecurity risk management processes via Form 10-K<br>The rules aim to promote transparency without requiring sensitive information that could aid malicious actors<br>Key points:<br>The 10-K reporting requirement focuses on whether companies assess cyber risk, act on lessons learned from past incidents, and how executives and the board manage cyber risk<br>Although the SEC&#8217;s purpose is to inform investors rather than influence cybersecurity management, the reporting is likely to drive expectations of due diligence in corporate cybersecurity across industries<br>Determining &#8220;materiality&#8221; of a cyber incident requires collaboration among multiple company stakeholders, each focusing on different aspects such as what happened, operational impact, and materiality assessment<br>Creating and following a playbook for cyber incident response, including worst-case and more frequent scenarios, is a key best practice<br>Testing and refining the playbook based on lessons learned is crucial<br>In the event of a material cyber incident, the response team should extend beyond the company to include public sector partners like the SEC, FBI, and CISA, as well as private sector partners for digital forensics, incident response, and specialized legal counsel<br>The new SEC reporting requirements should promote transparency and provide investors with uniform insight into corporate cybersecurity, while also fueling action within individual companies and serving as a differentiator in the marketplace.<br><strong>Link:<\/strong>&nbsp;<a 
href=\"https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2024\/03\/25\/understanding-the-implications-of-the-sec-incident-disclosure-rules\">https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2024\/03\/25\/understanding-the-implications-of-the-sec-incident-disclosure-rules<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"https:\/\/www.scl.org\/wp-content\/uploads\/2024\/02\/cropped-scl-32x32.png\" width=\"16\">&nbsp;<a><strong>Global Outlook: World Economic Forum\u2019s warning on cyber challenges we all face<\/strong><\/a><br><em>Sasha Henry, Archie Millar<\/em><br><em>Society for Computer and Law<\/em><br>Sasha Henry and Archie Millar discuss the current state of cyber threats and the future of cybersecurity, as identified by the World Economic Forum (WEF)<br>Threat actors have adapted their methodologies to facilitate enterprise-scale attacks, and the increasing use of AI has lowered barriers to entry for cybercriminals<br>The WEF predicts that greater adoption of cloud technology, user identity, and access management tooling will have the greatest influence on the direction of cyber risk strategies<br>The rapid evolution of technology is creating new challenges for businesses, outpacing the development of skilled professionals and organizational awareness<br>Highlights:<br>In 2023, the cybersecurity economy grew four times as fast as the world economy, driven by investment in new technologies and tooling to improve protection of digital assets<br>According to the WEF, 25% of companies stated their cyber resilience was sufficient in 2024, up from 14% in 2022, and 39% of companies now report resilience levels exceeding their requirements, up from 19% in 2022.<br>85% of organizations with more than 100,000 employees have a cyber policy in place, compared with 21% of small to medium-sized enterprises (SME)<br>The number of organizations holding cyber insurance has dropped by 24% since 2022 due to the 
economic viability of risk transfer products<br>Generative AI has become a tool for cybercriminals, lowering barriers to entry and providing access to complex phishing exploits, malware development, and deepfakes<br>The WEF predicts that greater adoption of cloud technology, user identity, and access management tooling will have the greatest influence on the direction of cyber risk strategies.<br>76% of commercial leaders agree that increased enforcement of AI regulation will improve overall cyber resilience<br>The perception gap between technical subject matter experts and executive leadership continues to delay critical decision-making in cybersecurity governance.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.scl.org\/global-outlook-world-economic-forums-warning-on-cyber-challenges-we-all-face\">https:\/\/www.scl.org\/global-outlook-world-economic-forums-warning-on-cyber-challenges-we-all-face<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"https:\/\/southafricatoday.net\/wp-content\/uploads\/2023\/08\/favicon-sat-1-16x16-1.png\" width=\"16\">&nbsp;<a><strong>The impact of cybercrime on employee health and happiness<\/strong><\/a><br><em>South Africa Today<\/em><br>Researchers have identified a correlation between the threat of cybercrime and employee health and wellbeing<br>Stress, fear, and uncertainty caused by cybersecurity responsibilities and the potential consequences of failing to prevent an attack can lead to poor health outcomes such as burnout, hypertension, strokes, and post-traumatic stress disorder<br>These concerns affect not only security teams but all employees across organizations<br>Gerhard Swart, CTO at Performanta, emphasizes the need for companies to address these issues and support their employees<br>Highlights:<br>Cybercrime affects employee health through four main factors: vigilance, siege, failure, and morale<br>Vigilance, or constantly watching out for cybercrime 
attempts, can take a toll on employees, especially in harsh company cultures<br>Siege refers to criminals targeting employees through provocative means like phishing attacks, designed to evoke reactionary responses<br>Failure occurs when a siege is successful, and the employee may feel guilt, which can be worsened by punitive corporate cultures<br>Studies indicate that up to 25% of phishing victims were fired or changed jobs<br>Morale problems can severely affect employees&#8217; ability to perform, especially when facing customers and dealing with reputational damage<br>Moving away from a culture of blame to one that encourages cooperation is crucial in improving employee wellbeing<br>Establishing good communication, informing employees of potential threats, and involving employee-focused parts of the business can help address these issues<br>Investing in well-resourced and supported security teams, with services and partners that increase visibility, automate processes, and create proactive response, can significantly reduce pressure on employees.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/southafricatoday.net\/business\/the-impact-of-cybercrime-on-employee-health-and-happiness\">https:\/\/southafricatoday.net\/business\/the-impact-of-cybercrime-on-employee-health-and-happiness<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"http:\/\/blank.ico\/\" width=\"16\">&nbsp;<a><strong>Companies State it Takes More Than 6 Months to Fill Cybersecurity Positions | Metro Cebu News<\/strong><\/a><br><em>MCN<\/em><br>Kaspersky&#8217;s recent survey reveals that 48% of companies require more than six months to find a qualified cybersecurity professional, with a lack of proven experience, high hiring costs, and global competition being the biggest challenges<br>The study also found that 41% of companies admit their cybersecurity teams are understaffed, putting them at risk of 
cyberattacks<br>Highlights:<br>Recruitment for senior-level positions takes the longest, with 36% of companies saying it requires almost a year or more, while junior jobs can be filled in one to three months, according to 42% of respondents<br>The biggest challenges in hiring the &#8220;right&#8221; InfoSec professional include a discrepancy between certification and real practical skills (52%), lack of experience (49%), high cost of hiring (48%), and global competition (41%)<br>Even if a company finds candidates who meet all the requirements, they may be headhunted by other organizations due to the competitive environment<br>Small and medium-sized businesses are recommended to outsource cybersecurity tasks to managed security services providers (MSSP) to close talent gaps quickly and with minimum losses<br>Recommendations:<br>Adopt managed security services such as Kaspersky Managed Detection and Response (MDR) and\/or Incident Response to acquire additional expertise without hiring additional personnel<br>Regularly educate IT and InfoSec staff about actual cyber risks and invest in their training to advance their skills in detecting and responding to sophisticated cyber threats<br>Use centralized and automated solutions such as Kaspersky Extended Detection and Response (XDR) to reduce the burden on the IT security team and minimize the possibility of making mistakes.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/metrocebu.news\/companies-state-it-takes-more-than-6-months-to-fill-cybersecurity-positions\">https:\/\/metrocebu.news\/companies-state-it-takes-more-than-6-months-to-fill-cybersecurity-positions<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"https:\/\/defensetalks.com\/wp-content\/uploads\/2023\/03\/GD-Insight-Logo--150x150.png\" width=\"16\">&nbsp;<a><strong>Regulation remains the strongest multiplier to cybersecurity growth, according to report from 
Fr&#8230;<\/strong><\/a><br><em>Maheera Munir<\/em><br><em>Defense Talks<\/em><br>The United Arab Emirates (UAE) successfully repelled over 50,000 cyberattacks daily in 2023, with a total of 71 million attempted attacks prevented in the first three quarters of the year, according to the UAE Cybersecurity Council<br>A report by Frost &amp; Sullivan (F&amp;S) highlights the exponential growth of the Gulf Cooperation Council (GCC) cybersecurity industry, which is estimated to triple in value by 2030, reaching US$13.4 billion<br>Highlights:<br>The UAE and Saudi Arabia are reducing their dependence on oil exports and adopting digital tools and technologies, making businesses more prone to escalating cyber threats<br>Challenges in the region include a lack of awareness, scarcity of skilled professionals, and a lack of clarity among businesses regarding proactively combating cyberattacks<br>Countries in the Middle East are taking steps to enhance their cybersecurity posture, such as setting up cyber-specific departments, driving awareness through educational campaigns, and promoting entrepreneurship through cybersecurity conferences<br>Saudi Arabia and the UAE rank second and fifth, respectively, among 194 participating countries in the ITU Global Cybersecurity Index 2020<br>The UAE government has launched the first national Cyber Pulse Innovation Centre to upskill professionals at Abu Dhabi Polytechnic<br>Saudi Arabia, the UAE, and Bahrain have established national cybersecurity authorities to oversee ongoing industry efforts<br>The Middle East remains one of the most promising global regions for cybersecurity industry growth due to its commitment to regulation, training, and supply chain security<br>GISEC Global 2024, organized by DWTC and hosted by UAE Cyber Security Council, is a testament to the UAE&#8217;s prioritization of collaboration, innovation, and talent development in the cybersecurity industry<br>The report emphasizes the Middle East&#8217;s potential as a 
global leader in the cybersecurity industry, with countries like the UAE and Saudi Arabia taking significant steps to enhance their cybersecurity posture and develop a robust infrastructure.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/defensetalks.com\/regulation-remains-the-strongest-multiplier-to-cybersecurity-growth-according-to-report-from-frost-sullivan\">https:\/\/defensetalks.com\/regulation-remains-the-strongest-multiplier-to-cybersecurity-growth-according-to-report-from-frost-sullivan<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"https:\/\/www.infosecurity-magazine.com\/favicon.ico\" width=\"16\">&nbsp;<a><strong>Only 5% of Boards Have Cybersecurity Expertise &#8211; Infosecurity Magazine<\/strong><\/a><br><em>James Coker<\/em><br><em>Info Security Magazine<\/em><br>A new report by Diligent and Bitsight reveals that only 5% of businesses have a cyber expert on their board, despite a strong correlation between better cybersecurity and higher financial performance<br>The study found significant variations among countries, with France having the highest percentage (10%) and Canada the lowest (1%)<br>Key findings:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Companies with cyber experts on audit or specialized risk committees achieved an average security performance score of 700 out of 900, compared to 580 for those without such experts<\/li>\n\n\n\n<li>Countries with a higher likelihood of having specialized risk committees (Australia, UK, Canada, and France) also had higher overall average security ratings<\/li>\n\n\n\n<li>Companies with &#8216;advanced&#8217; security ratings (740-900 score) had a much stronger financial performance than those with &#8216;basic&#8217; ratings (250-630 score), with average total shareholder return (TSR) over three years being 67% and 14%, respectively<\/li>\n\n\n\n<li>Highly-regulated industries, such as healthcare, energy, utilities, and financials, 
outperformed other sectors in cybersecurity performance measures<\/li>\n\n\n\n<li>The financial industry had the highest proportion of organizations in the advanced security performance range (33%), followed by healthcare (18%), industrials (10%), information technology (9%), and consumer discretionary (9%)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The report emphasizes the need for boards and business leaders to build competency around cyber risk, as it is a key indicator of financial performance and an enterprise risk that management and the board need to be well-informed about.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.infosecurity-magazine.com\/news\/boards-cyber-expertise-financial\">https:\/\/www.infosecurity-magazine.com\/news\/boards-cyber-expertise-financial<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"https:\/\/www.einnews.com\/favicon.ico\" width=\"16\">&nbsp;<a><strong>Code42 Appoints Dennis Dayman as Chief Information Security Officer &#8211; US Politics Today &#8211; EIN Pr&#8230;<\/strong><\/a><br><em>EIN News<\/em><br>Code42 Software, Inc., a leader in data loss and insider threat protection, has appointed Dennis Dayman as its new Chief Information Security Officer (CISO)<br>With over 25 years of experience in cybersecurity, privacy, and data governance, Dayman will be responsible for leading global risk and compliance, security operations, incident response, and external and internal threat management and investigations<br>Key points:<br>Dayman&#8217;s appointment aligns with Code42&#8217;s mission to protect critical data from exfiltration, and his proven experience in this area will be invaluable in driving the company&#8217;s strategic vision forward<br>Dayman serves on the U.S. Department of Homeland Security (DHS) Data Privacy and Integrity Advisory Committee as Chair of the Policy Subcommittee, providing advice on data integrity and privacy-related 
matters<br>Prior to joining Code42, Dayman held leadership positions at Proofpoint, Maropost, Return Path, and Eloqua<br>Code42&#8217;s data protection solution, Incydr, rapidly detects data exposure, loss, leak, and theft, and speeds incident response without complex deployments or disrupting employee productivity<br>The company&#8217;s clients include recognizable security, technology, manufacturing, and life sciences organizations, such as CrowdStrike, Okta, Lyft, and Snowflake<br>As CISO, Dayman is committed to training people to become better data stewards and aiding companies in safeguarding their assets<br>He looks forward to working with the Code42 team to evolve and enhance their information security and IT risk management programs.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.einnews.com\/pr_news\/698855459\/code42-appoints-dennis-dayman-as-chief-information-security-officer\">https:\/\/www.einnews.com\/pr_news\/698855459\/code42-appoints-dennis-dayman-as-chief-information-security-officer<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" height=\"16\" src=\"https:\/\/www.msspalert.com\/favicon.ico\" width=\"16\">&nbsp;<a><strong>Questions to Ask Your vCISO Vendor | MSSP Alert<\/strong><\/a><br><em>MSSP Alert<\/em><br>This blog post provides a comprehensive checklist for evaluating and selecting the right virtual Chief Information Security Officer (vCISO) for your organization<br>With the increasing risks and regulations in cybersecurity, a vCISO can help secure your operations and ensure compliance<br>However, finding the right vCISO can be challenging, and this checklist aims to simplify the process<br>Key points:<br>The importance of choosing the right vCISO vendor: A vCISO provides strategic security direction, develops policies, and ensures compliance<br>They should integrate into your organization&#8217;s culture and operational cadence, elevating your business as a whole<br>Industry experience: A 
vCISO with deep knowledge in your specific sector brings an understanding of unique requirements and knows how to handle them effectively<br>Services scope: Discussing the services scope helps you understand the vCISO&#8217;s abilities and limitations and whether their expertise aligns with your organization&#8217;s specific needs<br>Communication and processes: Clear and effective communication and standardized processes ensure all relevant stakeholders are always informed and can make informed decisions<br>Reporting: Reporting provides a clear view of the organization&#8217;s security and compliance posture, allowing for monitoring and measuring security activity<br>Compliance: Effective compliance management under a vCISO&#8217;s guidance ensures the organization avoids fines and sanctions and builds trust with customers, partners, and regulators<br>Technologies and platforms: A vCISO who leans towards innovative solutions will better manage your security and compliance posture while offering more advanced solutions to deal with risks and threats<br>Contracts: Contracts establish a clear, mutual understanding of the engagement&#8217;s terms, conditions, and expectations<br>Team: A vCISO supported by a diverse and skilled team can ensure that all aspects of your organization&#8217;s security needs are addressed<br>By following this structured approach and asking the right questions, organizations can make an informed decision when selecting a vCISO, ensuring their investment adds significant value to their cybersecurity posture and business strategy.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.msspalert.com\/native\/questions-to-ask-your-vciso-vendor\">https:\/\/www.msspalert.com\/native\/questions-to-ask-your-vciso-vendor<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Table of Contents &nbsp;Hardest Cybersecurity Jobs to Fill in 2024: Top Roles &amp; SkillsJohn MeahThe cybersecurity job market is projected to grow by 32% through 2032, much 
faster than average, with around 16,800 openings for information security analysts each yearThis surge in demand is driven by the increasing sophistication of&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-5135","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5135"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5135\/revisions"}],"predecessor-version":[{"id":5136,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5135\/revisions\/5136"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}