Speaker: Brian Lozada, CISO Zocdoc
Driven by ease of deployment, cost effectiveness, and improved productivity among employees, many organizations have adopted cloud technology. Although there are significant benefits to cloud adoption, some organizations still face major challenges preventing their move to the cloud. From maintaining security and compliance to managing data on BYO devices, organizations have a unique set of data security requirements.
In this Bitglass-sponsored webinar, Brian Lozada, CISO of Zocdoc, and Karthik Venna, Product Manager at Bitglass, will discuss how to balance the benefits of moving to the cloud with implementing a security solution that protects data end-to-end.
Nikolay Chernavsky, SVP & CISO Financial Services
Hardly a week goes by without a major cyber security event affecting millions of users – and the financial industry is particularly vulnerable.
The 2017 Verizon Data Breach Investigations Report identified “Insider and Privilege Misuse” as a major incident pattern resulting in confirmed data breaches. According to Verizon, 62% of all breaches featured hacking, and of those, 81% leveraged stolen and/or weak passwords—giving the attacker the same privileges as a trusted insider.
While many tools have been developed to address Least Privilege issues on Windows-based systems, Linux/Unix systems were largely neglected. Unix/Linux systems are serving critical roles for many financial organizations, from storing highly sensitive information to processing millions of transactions between institutions. Being able to tightly control access to these systems is a critical security need.
This webinar will provide CISOs in financial services and other sectors:
September 27, 11 am PDT / 2 pm EDT
Daniel Conroy never expected to be a CISO. He never expected to be in America. He was a rugby playing, triathlon-competing lad from Ireland, who came to the United States for a brief stint with a semiconductor company, using his background as an electrical engineer. Seventeen years later, Daniel, his wife and children are living in Stamford, Connecticut, where he is a much sought-after CISO in the industry.
The Triathlon of Cyber Security
As his background in rugby and triathlons attests (he took up triathlons because they were easier on his knees), Conroy is fiercely competitive. As a CISO, he realizes that his opponents are trained, well-funded and well-connected cyber criminals – and that’s an understatement.
Conroy’s past harkens back to the days when information security, or the more archaic term “computer security,” was part of a job function, and not its own function. “Back then,” Conroy said, “using a Super Bowl analogy, it was 11 defenders facing 11 attackers. Things have changed. It’s still 11 defenders but now they have to face the entire stadium. Our approach to security has had to change.”
By David Sheidlower
Security professionals feel no great joy in being right about patching. The past two months have been a period of “I told you so” moments for anyone who has ever had to have the conversation with a sys admin about the importance of patching. (It’s been a long time for me but the memory lingers.)
Still, security professionals care more about being safe than being right so, as I say, there’s no great joy. But, now that we’ve had two months of ugly exploits that were very much enabled by unpatched systems and everyone appears to be paying attention, we should take a few moments to review the excuses we’ve heard for why it was not important to patch.
By David Sheidlower
CISO Turner Construction
In my 10+ years as a CISO, I've noticed a trend that appears to only be increasing. What I have observed is a proliferation of job titles that rhyme with CISO. But rather than describing the Chief Information Security Officer, these new titles swap out the word “chief” and come up with something else to describe something different.
There’s the BISO, or Business Information Security Officer, who has some level of responsibility for a specific part of a firm’s business. They are expected to be part of the business unit they are responsible for. In other words, knowing the business is as important as knowing security.
The BISO is not to be confused with the TISO, or Technical Information Security Officer. This individual is more technically focused and might serve multiple BISOs in complementing the BISO’s business acumen with their technical expertise.
You might see a Network Information Security Officer, or NISO, where the word “network” can mean minding security for layers 1 through 4 of the OSI stack or refer to the NISO being a kind of mega-BISO who takes care of an interconnected group of business entities within a complex Enterprise.
If the business is divided into divisions, you might find a DISO and, likewise, if the structure is regional, you might find a RISO. To be fair, I’ve never seen a RISO title. Usually, the regional security heads are called by names like “CISO for EMEA” or “Deputy CISO, APAC region.”
And then there are the companies that are bashful about appointing a CISO and give their head of Information Security titles like “Director of Information Security.” To them we say, either call that person a CISO – and give them the commensurate responsibilities – or go get one. As I’ll argue below, there’s something that can get missed in this game of “ISO scrabble.”
Some CISOs I know responded to this sprawl of ISO job titles by adding “worldwide” or other descriptors as a preface to their title. After all, there should be one Chief and it is important to make sure that there is no confusion about it.
Human Resources, Executive Management, and sometimes even the Board have a direct say in all of this, of course. We can’t simply pin the existence of so many ISOs on the CISO. In fact, some of these ISOs might not report directly to the company’s CISO. Sometimes, there are so many dotted lines, you’d think that the org chart was printed out on an old, cheap dot matrix printer.
The first thing to emphasize about this jumble is: there’s more than enough work to go around. Call yourself Dr. Faustus for all anyone cares, just protect the Enterprise. Organizing that work is one reason these sub-CISO titles came into being. The titles legitimately describe and put limits on a function. You, X-ISO, need to focus on “X” and leave the rest to someone else (Y-ISO, Z-ISO, etc.?).
Ten CISOs from across industries share insight on the future of cyber insurance and tips for success.
Ten CISOs from across industries weigh in on the effectiveness of passwords, with most predicting that the days are numbered for the password as the sole authentication method.
A CISO’s Guide to Principles of Data Privacy and Security
By David Sheidlower
Feris Rifai Speaks with CISO David Cass
CISOs are increasingly looking to User Behavior Analytics (UBA) as a key security tool to help combat threats by identifying anomalous behavior.
According to the report, CISOs Investigate: UBA, authored by more than a dozen CISOs, by quickly providing actionable intelligence, UBA enables them to potentially reduce loss to their organizations by identifying and thwarting attacks earlier.
Feris Rifai, CEO of Bay Dynamics, a provider of analytics and UBA solutions, says CISOs are realizing that to effectively protect their organization they need to add a UBA component to their security arsenal.
In this sponsored podcast, Rifai and David Cass, the Global Partner, Cloud Security and FSS CISO at IBM, discuss what UBA offers and how it is helping organizations across industries.
By Daniel Conroy
Today the cybersecurity sector is fraught with the challenge of a diminished talent pool. Cisco’s report, “Mitigating the Cybersecurity Skills Shortage,” highlights the worldwide shortage of one million information security professionals. It sends out a disturbing warning to the cybersecurity industry to bridge this gap immediately or face consequences with significant costs.
There is no doubt that the number, scale, and sophistication of operational technology attacks will continue to increase, thereby putting connected transportation, health, energy and financial systems at risk.