12 steps to building a top-notch vulnerability management program

Along with my peer CISOs, I recently added my $0.02 to a CSO Online article on how to get the best results out of an enterprise vulnerability management program.

I particularly wanted to zoom in on key performance indicators (KPIs), given this is an area where many security professionals don’t focus enough of their attention.

“He says organizations could use any of the commonly used key performance indicators—such as percentage of critical vulnerabilities remediated on time and percentage of critical vulnerabilities not remediated on time—to measure current state and track improvement over time.

Other KPIs to use could include percentage of assets inventoried, time to detect, mean time to repair, number of incidents due to vulnerabilities, vulnerability re-open rate and number of exceptions granted.”

What are some of your key focus areas?
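As an added illustration (not code from the CSO Online article or from the post's author), the following Python computes several of the KPIs quoted above from a scanner-style list of findings: percentage of critical vulnerabilities remediated on time, percentage overdue, mean time to remediate, re-open rate and number of exceptions granted. The per-severity SLA values and the findings themselves are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation SLA in days per severity: assumed policy values, not from the article.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Reporting date for the constructed sample below.
AS_OF = date(2022, 4, 1)


@dataclass
class Finding:
    vuln_id: str
    asset: str
    severity: str
    detected: date                     # date the scanner first reported it
    remediated: Optional[date] = None  # None while the finding is still open
    reopened: bool = False             # re-detected after being marked fixed
    exception: bool = False            # accepted-risk exception on file

    @property
    def due(self) -> date:
        return self.detected + timedelta(days=SLA_DAYS[self.severity])

    def closed_on_time(self) -> bool:
        return self.remediated is not None and self.remediated <= self.due

    def is_overdue(self, today: date) -> bool:
        # Late if fixed after the due date, or still open past it.
        # Findings with a granted exception are not counted as overdue.
        if self.exception:
            return False
        closed_by = self.remediated if self.remediated is not None else today
        return closed_by > self.due


def _pct(numerator: int, denominator: int) -> float:
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def vuln_kpis(findings: list, today: date, severity: str = "critical") -> dict:
    """Compute the KPIs quoted in the post for one severity band plus global rates."""
    sev = [f for f in findings if f.severity == severity]
    closed = [f for f in findings if f.remediated is not None]
    # Denominator for the re-open rate: everything that was ever marked fixed,
    # including findings that are open again because they were reopened.
    ever_closed = [f for f in findings if f.remediated is not None or f.reopened]
    mean_days = (
        round(sum((f.remediated - f.detected).days for f in closed) / len(closed), 1)
        if closed else 0.0
    )
    return {
        f"{severity}_total": len(sev),
        f"{severity}_on_time_pct": _pct(sum(f.closed_on_time() for f in sev), len(sev)),
        f"{severity}_overdue_pct": _pct(sum(f.is_overdue(today) for f in sev), len(sev)),
        "mean_days_to_remediate": mean_days,
        "reopen_rate_pct": _pct(sum(f.reopened for f in findings), len(ever_closed)),
        "exceptions_granted": sum(f.exception for f in findings),
    }


def sample_findings() -> list:
    """Constructed sample data: assets, ids and dates are invented for this example."""
    return [
        Finding("V-1", "web-01", "critical", date(2022, 3, 1), remediated=date(2022, 3, 10)),
        Finding("V-2", "web-02", "critical", date(2022, 3, 1), remediated=date(2022, 3, 25)),
        Finding("V-3", "db-01", "critical", date(2022, 3, 20)),                 # open, not yet due
        Finding("V-4", "legacy-01", "critical", date(2022, 2, 1), exception=True),
        Finding("V-5", "app-01", "high", date(2022, 3, 1), remediated=date(2022, 3, 20)),
        Finding("V-6", "app-02", "medium", date(2022, 1, 10), remediated=date(2022, 3, 1)),
        Finding("V-7", "app-03", "high", date(2022, 3, 5), reopened=True),      # fix regressed
    ]


def sample_kpis() -> dict:
    return vuln_kpis(sample_findings(), AS_OF)


if __name__ == "__main__":
    for name, value in sample_kpis().items():
        print(f"{name}: {value}")
```

Two of the quoted KPIs are deliberately absent: time to detect needs the date a vulnerability became known (for example its advisory date) alongside the scan date, and percentage of assets inventoried needs the asset register as a second data source, so neither can be derived from a scanner export alone.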

Don’t get your wires crossed – The evolution of cyber risk and why more companies are considering captives

A captive is a licensed insurance company fully owned and controlled by the insured parties – a type of “self-insurance.”

Captives are essentially an alternative for organizations to retain and finance cyber risk via actuarial-determined premiums to be paid from the parent company to the captive. They’re becoming more popular due to an increasingly tough cyber insurance market.

Many thanks to Captive Insurance Times and to the amazing Rebecca Delaney for featuring me alongside other industry professionals on discussing this important topic.

The feature can be found on pages 18-22, and is now available to read in the latest online issue at this link: https://bit.ly/3KMnX8j

The UK seeks to enforce tougher standards on MSPs

The UK government is proposing new regulations to strengthen cyber resilience in the private sector. Their intention is to expand cybersecurity rules for critical infrastructure (CI) operators to include managed service providers (MSPs), more stringent breach notification requirements, and legislation to establish the UK Cyber Security Council as the standards development organization for the cybersecurity profession. This is a welcomed development, but more details about implementation and enforcement are needed.

MSPs are deeply integrated into the supply chains of many businesses, especially those organisations categorised as CI providers. They not only have privileged access to their customers’ infrastructure and applications, but also to the personal data of millions of citizens. A single breach of an MSP can potentially allow threat actors to compromise hundreds, even thousands, of organisations. Additionally, the accompanying fallout from personal data leakage would have a serious impact in terms of impersonation, fraud, and other identity-based crimes. Poor risk management practices and weak security controls in MSPs can have dire consequences for national security and the economic prosperity of the UK.

Better cyber incident reporting, especially where mandated by law, has several positive effects. For one, it ensures that regulations keep pace with the evolving threat landscape and better protects consumers by allowing them to respond more quickly to leaks of their information. It also provides certain guarantees that law enforcement agencies (LEAs) receive timely information to better model threats, mitigate the risks, prevent or lessen harm from breaches, and take action to reduce the likelihood of future attacks.

At a macro level, the new regulations are focused on strengthening the country’s cyber-resilience in response to growing supply chain and critical infrastructure attacks – this is essentially a public safety matter. It can provide security to UK citizens against the negative impacts of attacks on critical infrastructure providers such as financial services, telecoms, energy, food & agriculture, defence, manufacturing, and others. It also protects businesses in these key industries where the incapacitation or destruction of their assets, networks and systems would have a paralysing effect on the UK’s national security, economic security, national public health or safety, or any combination thereof.

Cybersecurity is a risk management discipline, and improvements in the overall assessment of risks and the development of effective risk responses lead to a better security posture. For example, ransomware attacks are very much preventable, yet many businesses don’t invest the time or resources to understand their risks/exposures and implement relevant controls such as data recovery processes, isolated backups, encryption at rest, and routine backup testing. I believe these new regulations can most definitely enhance risk management capabilities in MSPs and other CI operators to counteract a broad range of cyber attacks, including ransomware.

It is imperative that companies develop stronger capabilities around risk management. For one, they need to view cyber risks as business risks and recognise that the impacts range from financial (loss of revenue or drop in share price) to operational (business disruption) to reputation (loss of customer and shareholder confidence) and ultimately regulatory (fines or other penalties). Consequently, they will need to embed a risk culture and build risk management capacity across their enterprises, or face punitive regulatory measures.

A shocking percentage of businesses routinely ignore growing cyber threats, thinking that “it won’t happen to them.” And this isn’t just small to medium enterprises (SMEs), but also large businesses across critical sectors. Several of these organisations don’t have a dedicated cybersecurity leader or functional information security department, refuse to invest in much needed controls and capabilities, and regularly hide breaches from staff, customers, and investors. Without specifically calling out any companies, there are more than enough examples of massive breaches at major businesses to validate my points. The price of failing to act is way too high, and the government would be negligent to not introduce these new regulations.

Why the humanitarian sector needs to make cybersecurity a priority

“In the not-too-distant past, international organizations (IOs) and non-governmental organizations (NGOs) working on humanitarian initiatives largely depended on landlines and fax machines to communicate and convey data back to their regional hubs or headquarters.

Now, like most businesses, NGOs and IOs have invested significant funds in information and communication technologies to enhance their crisis management capabilities. For example, better and faster decision-making is achieved through capturing and analysing demographic data to identify vulnerable groups, online surveys have proven critical for water, sanitation, and hygiene teams in the delivery of population health services, and biometric-enabled digital vouchers have been instrumental in reducing errors and fraud in the payment of traders.

These changes make humanitarian aid faster and more efficient. Picking up these digital tools helps save lives. However, digital transformation has also made IOs and NGOs enticing targets for cyber attacks by criminals, terrorists, and authoritarian regimes. The reasons for this range from the purely financial – people in crisis make easy targets for scams and theft – to the political – digital is becoming another avenue to attack a regime’s perceived enemies.”

I recently joined with the World Economic Forum’s Centre for Cybersecurity to author this piece for the Davos Agenda.

This article examines the cybersecurity threats being faced by international organizations (IOs) and non-governmental organizations (NGOs), outlines some key steps they should take to counteract these threats, and touches on what the private sector can do to support IOs and NGOs in responding to these risks & challenges.

You can read the full article on the World Economic Forum website.

ARIN 48 – Evolving Cybersecurity, Strategies for the New Normal

It was great participating in this panel discussion today, exploring the different ways law enforcement, international organizations, service providers, and standards development organizations are shifting their strategies to address an evolving threat landscape.

The cross-cutting theme that was evident in each presentation was COLLABORATION. More specifically, each panelist repeatedly emphasised the importance of cross-border, cross-sectoral collaboration in effectively combating cybercrime.

It is essential that both businesses and governments anticipate and incentivise collaboration and accountability through strong public-private partnerships (PPPs), which will make it more difficult for threat actors to commit criminal acts online. For the private sector, it’s essential for business to enhance information-sharing relationships, within industry and with the public sector, to deliver a more all-encompassing approach to incident response, threat management and disruption of cybercrime. Through collaboration and cooperation, and by creating and implementing mechanisms for information-sharing and tactical collaboration, the good guys will make successful inroads into the fight against global cybercrime.

Thanks to the American Registry for Internet Numbers (ARIN) for the opportunity to share my thoughts!

Cloud Fundamentals Study Guide

The Information Systems Audit and Control Association (ISACA) just released the ‘Cloud Fundamentals Study Guide’ publication.

“The ‘Cloud Fundamentals Study Guide’ works through each aspect of cloud computing, its characteristics, common decision points, gaps and security vulnerabilities. It helps individuals prepare for the ISACA Fundamentals certificate exams, one of the components of the ISACA Certified in Emerging Technology certification program.”

As a member of ISACA’s Emerging Technology Advisory Group, I served as an Expert Reviewer of this document.

I can’t fully explain the distinct pleasure that I derive from working with so many recognised and respected subject matter experts (SMEs) in the development of this type of content. We owe it to the next generation of IT risk management, audit & assurance, information security, and privacy professionals to provide them with the tools needed to aid their success. This is why we do what we do as ISACA volunteers!

You can access the ‘Cloud Fundamentals Study Guide’ through ISACA’s Bookstore.

Internet Infrastructure Security Guidelines for Africa

To facilitate implementation of the Convention, the African Union Commission (AUC) asked the Internet Society (ISOC) to jointly develop the Internet Infrastructure Security Guidelines for Africa. The Guidelines were created with contributions from regional and global Internet infrastructure security experts, government and CERT representatives, and network and ccTLD DNS operators. As one of the cybersecurity experts involved in the development of these Guidelines, I am proud and deeply humbled to have made a contribution.

The Guidelines emphasize the importance of the multistakeholder model and a collaborative security approach in protecting Internet infrastructure. The Guidelines put forward four essential principles of Internet infrastructure security: Awareness, Responsibility, Cooperation, and adherence to Fundamental Rights and Internet Properties.

These critical actions are tailored to the African cybersecurity environment’s unique features: a shortage of skilled human resources; limited resources (including financial) for governments and organizations to allocate for cyber security; limited levels of awareness of cyber security issues among stakeholders; and a general lack of awareness of the risks involved in the use of information and communication technologies (ICTs).

Only with ongoing multistakeholder efforts from the African Internet community can the continent overcome its challenges, embrace its opportunities, and become an Internet world leader.