Trending in Security Operations

Cyber Security Operations Topics, Trends, and Articles

Digital Or Die: Why Digital Transformation Must Come From The C-Suite

Forbes article, February 15, 2019

“What use could this company make of an electrical toy?” asked Western Union president William Orton, brusquely turning down the chance to buy the patent for Alexander Graham Bell’s telephone in 1877. Over 100 years later, Nokia squandered its position as the global leader in mobile phones by refusing to recognize that data — not voice — was the future of communication. Though a century apart, both of these companies failed to heed the headwinds of new technology, to their detriment.

In hindsight, it’s easy to laugh at this sort of hubris, yet today, many CEOs and their executives are at risk of taking precisely the same approach with digital technology, and it’s putting their companies at risk. Emerging technologies such as artificial intelligence, big data analytics and virtual assistants are transforming business operations, product manufacturing and service delivery, while many new entrants and tech giants are capitalizing on their scale and (analytical) prowess to disrupt new industries. In today’s environment, embracing digital is no longer merely advised -- it’s a mandate for survival. In fact, a 2017 survey found that 56% of CEOs who adopted digital initiatives reported an increase in profits as a result of their efforts.

Burnout warning: High stress levels impacting CISOs' physical, mental health

TechRepublic article, February 14, 2019

CISOs experience mounting external and internal stressors in their jobs, according to a report from Nominet released on Thursday. The majority (91%) of these professionals said they face moderate to high stress in their leadership positions, with 60% admitting they rarely disconnect from work, the report found.

The report surveyed 408 CISOs in the US and UK, who all oversee their business' cybersecurity efforts. With immense social, digital, and security pressures, the modern CISO has trouble staying afloat, the report found.

Cybersecurity Predictions and a Wish List for 2019

Peerlyst article, January 3, 2019

As in recent times, the cyber threats will continue to get worse before they get better. Those that think “good enough” security or risk management will be sorely disappointed in the large gaps they will leave open for the cybercriminals and nation-state actors to easily breach and compromise their enterprise. 

2019 and beyond will no doubt be interesting for all of us, stretching those that will be attempting to adapt to this increasingly dynamic threat environment and may be harsh for those that are settling for “good enough” security. 

Proactive Cyber Defense - Modern CyberSOC - Strategy on building a Collaborative Cyber Security

Peerlyst article, January 7, 2019

In earlier years, everyone depended on the SOC (including firewalls, WAF, SIEM, etc.), and the priority in building the SOC was to provide security so that the CIA was maintained. However, later the emergence of attacks and threat actors became more challenging, and the existing SOC was not able to provide better security over the CIA. There are many reasons for the failure of the existing SOC, where it only depends on the SIEM. Many organizations believed that integrating all the security devices like firewalls, routers, AV and DB solutions in the SIEM and correlating the use cases would provide them 100% security over the CIA of the data. However, it all fails, since the APT emerged.

Don't Buy A Breach: Ten Cybersecurity Red Flags To Look For During M&A Due Diligence

Forbes article, February 12, 2019

We’ve heard the pundits’ criticism: Marriott should have known better. The hospitality company’s recent and well-publicized security breach occurred when hackers exploited network-security vulnerabilities in its Starwood division, a subsidiary that Marriott purchased only three years ago. And actually, it’s the news of the breach that’s recent. The breaching itself began in 2014.

With the benefit of 20/20 hindsight, it’s easy to cast the first stones: In 2016, Marriott purchased a company with compromised infrastructure, and then unknowingly integrated that compromised network into its own infrastructure. The Marriott story doesn’t paint a pretty picture of traditional castle-and-moat security. (“Ignore that extra drawbridge.”)

Instead of piling on further, let’s instead learn from Marriott’s experience. (We in the cybersecurity industry should never let a breach go to waste.) This is a mergers and acquisitions (M&A) object lesson and highlights the crucial role cybersecurity validation and audits must play during the due-diligence phase.

From Survive To Thrive In Cybersecurity

Forbes article, February 13, 2019

(a must-read article)

Most CISOs last 13 months in their job, or so I was told a decade ago. I’ve since seen as high as 18 months and as low as 11 months, but regardless of the actual length of time, I think we can all agree that any career with a short lifespan on achieving the leadership position of an entire department is extremely wasteful! The reason is simple: we aren’t aligned with the business. What it takes to get to the CISO seat is not what’s needed when sitting in it. 

How CISOs view their jobs

LinkedIn article, February 12, 2019

Gary Hayslip has previously written about the roles of the modern CISO whose security program is aligned with the business operations of their organization. That article discussed the changing roles CISOs are now assuming as organizations mature and employ CISOs for numerous security/risk initiatives that support strategic business goals. In retrospect, that article was written more about the job, and less about what personal strengths and weaknesses CISOs view as required to be the senior security executive for an organization. So keeping this in mind, let’s look at the lenses through which CISOs view their job, what barriers they feel prevent them from being successful, and what they feel is their responsibility as a business partner.

This article will focus on six domains that impact CISOs personally and professionally in their dynamic roles. These domains are barriers to success, obligations, authority, technology, risk management, and finally the pros/cons of reporting structure.

A Road Map for CISOs

SecurityCurrent article, February 11, 2019

The role of the CISO has evolved greatly over the years. Over the past 20 years leading security practices across multiple industry verticals for large Fortune 500 organizations, I have observed firsthand its various shifts. The natural next question is what the next phase would look like. More importantly, will the CISOs of today be able to keep up with these challenges in the future?

Foremost we have to always be aware that we are not dealing with amateur attackers. We are dealing with well-funded organized crime. Well-funded nation states. Groups that have political agendas. They will be able to use information to influence political designs.

There will be a lot of investments in security analytics and emerging technologies. Just as tech can be used for good, those well-funded groups can also use them for criminal activities.

Dragos 2018 Year in Review

Dragos blog, February 12, 2019

Dragos’ Year in Review reports provide insights and lessons learned from our team’s first-hand experience hunting and responding to industrial control systems (ICS) adversaries throughout the year, so we can offer recommendations for stronger defenses for industrial organizations and help drive change in the ICS cybersecurity community. 

Five emerging cyber-threats to worry about in 2019

MIT Technology Review article, January 4, 2019

Last year was full of cybersecurity disasters, from the revelation of security flaws in billions of microchips to massive data breaches and attacks using malicious software that locks down computer systems until a ransom is paid, usually in the form of an untraceable digital currency.

We’re going to see more mega-breaches and ransomware attacks in 2019. Planning to deal with these and other established risks, like threats to web-connected consumer devices and critical infrastructure such as electrical grids and transport systems, will be a top priority for security teams. But cyber-defenders should be paying attention to new threats, too. Here are some that should be on watch lists...

6 Steps Every New CISO Should Take to Set Their Organization Up for Success

SecurityIntelligence article, February 7, 2019

With some figures putting the typical CISO tenure at just around two years, it’s clear turnover in this role is high. According to a Ponemon Institute study sponsored by Opus, 44 percent of CISOs surveyed said they plan to make a lateral move in their organization outside of IT security, and 40 percent said they expect to change careers. All of this considered, the window of time to make a mark as an effective security leader is short — and, in turn, stressful.

What are some best practices for getting started on the path to success in a new security management position? What do you need to do, who do you need to talk to, and what are the first actions you need to take to make an immediate impact and set yourself up for future wins?


Akamai blog, February 7, 2019

Everyone and everything on the Internet depends on the Domain Name System (DNS) being functional. The DNS has been a common vector for attacks in recent years, and 2019 seems to be no different. Many of these attacks have goals far more sinister than simply taking a company offline or defacing a website; reported attacks include redirecting some or all of an organization's domain to gain access to protected resources, intercept traffic, and even obtain TLS certificates for that domain. Organizations should perform regular DNS reviews and audits. The following guidelines provide a starting point for your review.


The DNS is critical to any organization with an online presence. Attacking domain names is a notable method to DoS (Denial of Service), deface, abuse or otherwise damage any Internet-connected organization. Domain names represent not only your brand but the way your customers interact with your business. In today's world, domain names are critical for web, voice, video, chat, APIs, and all the other services your company may offer or consume. In short, control of your domain names is essential to your business.

One of the most overlooked threats to your DNS presence is neglect. Many organizations take their DNS setup for granted, configuring it once and leaving it for all time. Adversaries leverage this neglect and the resulting weaknesses. Performing regular DNS reviews and audits is an essential preventative measure.

Security Professionals Win When They Can Master Risk Communications

SecurityWeek article, February 7, 2019

A lot of people are talking about security risk right now. A quick Google search reveals articles on risks associated with the Slack collaboration tool, out of date Windows software, 5G network equipment from Huawei, iPhone apps that have been communicating with a malicious server and organizations’ employees. And that’s just the first page! Of course, when these topics make the headlines, security teams inevitably get calls from management, but the nature of these calls is evolving.

Recent analysis by Forrester finds that Boards are maturing in their understanding of cybersecurity and are asking more detailed questions. They don’t just want to know if the latest threat matters to the organization, but how you know that. For Chief Information Security Officers (CISOs) and other security leaders, this means that your ability to communicate effectively about cybersecurity is just as important as your work doing cybersecurity, if not more important. Communication has become a critical component of security operations. 

Modern Cybercrime: It Takes a Village

ThreatPost article, February 6, 2019

Today’s financial cyber-rings have corporate insider and management roles — cybercrime is not just for hackers and coders anymore.

Contrary to the pop-culture image of the hoodie-clad lone hacker with mad keyboard “skillz” siphoning off funds and making people’s lives miserable with a few lines of brilliant code, increasingly cybercrime “takes a village”. The true face of cybercrime today is a more democratic one. 

Modern financial crime rings are made up of a wide range of people with complementary toolsets—from coders to willing corporate insiders wanting to be paid for installing malware on a network and more. 

CISOs: Change your mindset or lose your job

HelpNetSecurity article, February 4, 2019

Capgemini commissioned IDC to produce a new piece of research, which reveals the increasing pressure on the Chief Information Security Officer to drive forward digital transformation – or risk losing their seat at the table when it comes to key business decisions. 

Whilst CISOs are now involved in 90% of significant business decisions, the research found that just 25% of business executives perceive CISOs as proactively enabling digital transformation – which is a key goal for 89% of organizations. 

SQL Slammer 16 years later: Four modern-day scenarios that could be worse

CSO article, January 31, 2019

It’s been 16 years since the SQL Slammer worm struck on January 25, 2003. It was the fastest spreading computer worm in history, and surprisingly nothing has beaten it since. Will that record stand much longer?

The saving grace of Slammer was that it didn’t do any intentional harm beyond crashing the SQL server and killing network bandwidth. It didn’t infect files, delete data, collect passwords, or do any of the devious things that nearly all malware does by default today. To recover from it, you applied the patch and rebooted the server. It was that easy. 

Since then we’ve all wondered if a more devious malware program might beat Slammer’s record. Malware writers are far more sophisticated today, but it’s been 16 years and nothing has beaten Slammer’s record. Is it possible that Slammer will go down in history as the fastest spreading malware program? 

Law enforcement shuts down xDedic marketplace for hacked servers

CSO article, January 28, 2019

The FBI and law enforcement agencies from several European countries have shut down an underground marketplace that specialized in selling access to hacked computers and servers. Called xDedic, the site had been around for years, first on the open internet and then also on the Tor network. According to a 2016 report from Kaspersky Lab, the online shop was run by a group of Russian-speaking hackers. 

The takedown happened Thursday but was only announced January 28 by Europol and Eurojust, who coordinated the investigation among authorities in Belgium, the U.S. and Ukraine. Law enforcement in Germany helped confiscate the site's IT infrastructure, and the domain names were seized through an order issued by a U.S. judge.


Malwarebytes “State of Malware” Report - Malware Detections Targeting Businesses Up ~80 percent

LinkedIn article, January 25, 2019

Earlier this week, Malwarebytes released its annual State of Malware Report, which analyzes top malware threats from January through November 2018 and compares them with the same period in 2017. The report identifies a sharp increase in business-based malware detections, including a more than 100 percent increase in Trojan, riskware tool, backdoor and spyware activity. Overall, the research shows that cyber criminals are finding businesses as the best target with the highest returns. 

10 Data and Analytics Trends to Watch in 2019

Business2Community article, January 24, 2019

"To stay alive and thrive in an era of accelerating digital disruption, organizations are realizing that simply being “data-driven” won’t guarantee future success. In 2019, leaders are now being challenged to change their siloed, departmental analytics approach to data, put away all their “interesting” dashboards, and get down to defined business outcomes.

Forrester notes that it’s not “data-driven,” but rather “insights-driven,” businesses that are growing at an average of more than 30% each year, and by 2021 are predicted to take $1.8 trillion annually from their less-informed peers. Organizations that are intent on lasting into the next decade and beyond must stop doing analytics for analytics’ sake, notes Forrester and other top thought leaders who have shared these 10 Enterprise Analytics Trends to Watch in 2019..."

Secret CSO: Gary Hayslip, Webroot

IDG Connect article, January 24, 2019

Gary Hayslip is an enterprise cybersecurity expert with 17 years of experience. Currently CISO for Webroot, a provider of threat intelligence and endpoint security, he previously held multiple CISO, IT Director and Senior Network Architect roles for the City of San Diego, the U.S. Navy and the U.S. Government. 

And he's a personal favorite of ours here at Phenomenati.

Cloud Customers Faced 681M Cyberattacks in 2018

Dark Reading article, January 24, 2019

Cloud customers were hit with 681 million cyberattacks last year, according to analysts at cloud security provider Armor, which recently analyzed cloud attacks detected in 2018.

The most common cloud-focused threats leveraged known software vulnerabilities, involved brute-force and/or stolen credentials, targeted the Internet of Things (IoT), or aimed for Web applications with SQL injection, cross-site scripting, cross-site request forgery attacks, or remote file inclusion. Researchers based the list on volume; these are not the most advanced or lethal cloud attacks.

Yet they continue to work, are easy to access, and are fairly simple to use, they explained in a blog post on their findings. Any cybercriminal can rent an exploit kit containing attack tools for a reasonable amount of cash. For example, they said, the older and established Disdain Exploit Kit was charging rental fees starting at $80 per day, $500 per week, and $1,400 per month. Kits are designed to be accessible to cybercriminals at all levels and are constantly updated with new exploits.

Shadow IT, IaaS & the Security Imperative

Dark Reading article, January 21, 2019

Shadow IT, the use of technology outside the IT purview, is becoming a tacitly approved aspect of most modern enterprises. Yet, with the vast adoption of software-as-a-service and infrastructure-as-a-service (IaaS) approaches, shadow IT presents increased security challenges that can create major risk. To further complicate things, because organizations aren't centrally controlling these solutions and tools, their vulnerabilities often go undetected for far too long. If individuals and internal teams continue to introduce outside tools and solutions into their environments, enterprises will have to adopt a smart path to ensure they operate securely.

The evolution of shadow IT is a result of technology becoming simpler and the cloud offering easy connectivity to applications and storage. As this happened, people began to cherry-pick those things that would help them get things done easily. Internal groups began using Google Drive for team collaboration and storage; employees used their personal phones to access secured enterprise resources; development teams grabbed code from shared repositories. All of these use cases, and many more, are examples of finding and adopting usable, efficient, and cheap strategies to get things done.

Why CISOs and Boards Should Work Together to Improve Cybersecurity Disclosure

SecurityIntelligence article, January 21, 2019

"Just how well are organizations informing stakeholders about cyber risks? As 2018 drew to a close, that was the question that EY sought to answer in its “Cybersecurity Disclosure Benchmarking” report. EY looked at how Fortune 100 organizations are sharing information related to cybersecurity in their proxy statements and 10-K filings, specifically analyzing these documents for the following:

  • Information related to how the organization manages cybersecurity and security awareness and training — and whether those are part of a wider enterprise risk management (ERM) program.
  • Whether or not public filings contained statements about the importance of cybersecurity risks as strategic risks, or their potential impact on business objectives.
  • How the board is discharging its responsibility to oversee risks, focusing specifically on cybersecurity risks, including board member qualifications regarding cybersecurity as well as the structure and frequency of cyber reports from management.

Before we look at what EY’s analysis revealed, let’s take a step back and look at the environment that got us here."

Why Compliance Does Not Equal Security

Forbes article, January 7, 2019

A company can be 100% compliant and yet 100% owned by cyber criminals. Many companies document every cybersecurity measure and check all appropriate compliance boxes. Even after all that, they still hit the headlines and lose customer data. Compliance doesn’t mean security.

Take Target as an example. Most of us remember the retail giant’s massive 2013 data breach after a cyber criminal got to its point-of-sale system. What most don’t know is that Target had earned its certification against the payment card industry (PCI) cybersecurity standard that year. And the same likely holds true for Marriott, although data breach investigations by Europe’s General Data Protection Regulation and the state of New York will prove this out.

To understand this gap between compliance and security, we must follow cybersecurity regulation back to its roots: banking regulation. Financial regulation emerged to discourage unwanted behavior such as insider trading. In this world, compliance means documenting transgressions for investigation after the fact. If inappropriate behavior occurs, a bank can punish wrongdoers and make things right afterward. In short, banking compliance is a form of deterrence. 


Morphisec blog post, January 17, 2019

By now you’ve heard all the 2019 predictions from cybersecurity vendors and practitioners. As every year, many are insightful and thought-provoking, some meant to invoke self-serving fear and doubt about the next big threat, others just repeats from the year prior.

However, what very few mention, because it’s hard to quantify and doesn’t make good headlines, is the escalating trend of technology confusion and overload. This didn’t happen overnight. More investment has poured into the cybersecurity market than any other B2B software market. In 2017, $4.9 billion was invested in cybersecurity start-ups. And while there are some truly innovative technologies solving real problems, far too many providers just do more of the same thing in different packaging, or simply throw food at a wall to see if it will stick. 

So how can organizations make sure that the solutions they choose provide the best defense possible?

Enterprises betting on SOAR tools to fill security gaps

TechTarget article, January 16, 2019

Security professionals are struggling to keep up with today's dynamic threat landscape as they continue to deal with security alert overload and cybersecurity skills shortage, but several security experts believe deploying security orchestration, automation and response tools can aid security teams with streamlining and improving everyday processes.

Gartner defines SOAR as "technologies that enable organizations to collect security threats data and alerts from different sources, where incident analysis and triage can be performed using a combination of human and machine power to help define, prioritize and drive standardized incident response activities according to a standard workflow." For companies with five or more security professionals, the research outfit forecasts SOAR adoption rate to rise from 1% to 15% by 2020.

Research from Enterprise Strategy Group (ESG) found even higher adoption rates for SOAR tools. In a survey conducted last year, ESG found that 19% of responding enterprises said they had deployed operations automation and orchestration technology "extensively," while 39% of respondents said they are deploying the technology on a "limited basis."

With most enterprises receiving more than 10,000 alerts per day -- according to data from a 2018 RSA survey -- it is impossible for security teams to review all of those alerts. This high volume of alerts and the need to perform detection in multiple stages would be enough of a driver for SOAR tools, but there's something else, Gartner analyst Augusto Barros said in an email interview.

How Do We Define “Big Data” And Just What Counts As A “Big Data” Analysis?

TweetChat article, January 9, 2019

"... when I noted that what I had done was run a bunch of Google searches and that every day people all over the world were running billions of identical analyses over Google’s 100 petabyte index, suddenly the audience usually changed its mind and argued this was clearly not a “big data” analysis, it was merely “search.” 

Indeed, it seems hardly satisfying to argue that a 10-year-old running a Google search should count as a bleeding edge “big data” analyst. 

As with Google searches, does merely keyword searching a trillion tweets really count as performing a trillion-tweet “big data” analysis? 

Does a keyword search of a trillion tweets that yields a set of 100,000 results of which just 1,000 randomly selected tweets are finally analyzed, really count as a “big data” analysis? 

CISO Liz Joyce: Cybersecurity leadership requires more than technical chops

HPE blog post, January 7, 2019

Cybersecurity professionals grapple with increasingly sophisticated technical challenges. But for risk management and strategic planning, they need a seat at the table. 

Liz Joyce has been fascinated by cybersecurity since her student days. She has had a ringside view of the evolving threat landscape as individual hackers and script kiddies have been replaced by hacktivists, state actors, organized cybercrime rings, and other cunning adversaries. As Hewlett Packard Enterprise’s chief information security officer, she not only has to consider these threats, but her team also has to deal with formidable management challenges, from workforce development to infusing a cybersecurity perspective across HPE. In an interview with enterprise.nxt, Joyce shares insights and advice from decades of experience in the field. 

I can get and crack your password hashes from email

CSO article, January 17, 2019

A few months ago, I participated in a public debate on password policy with my co-worker and friend, Kevin Mitnick. It was a heated back and forth discussion, with Kevin arguing for far longer passwords than most expert sources, including me, recommend. I just wasn’t buying his arguments. 

Then he sent me an email that, when I opened it, sent Kevin my Microsoft Windows password hash, which he then cracked. It was a knock-out punch. I didn’t know it was possible. 

Why AI-based threat detection hasn’t taken over the market … yet

CSO article, January 16, 2019

According to Nicole Eagan, CEO of software company Darktrace, only two out of every ten cybersecurity experts typically embrace artificial intelligence (AI) as a key component of threat detection. The others, she explains, tend to be "totally resistant" or agree to "give [AI] a try" but don’t put in the effort required to make the most of the tech post-purchase. 

Granted, information security professionals are known to be risk-averse, which has the flip side of sometimes making them resistant to try out new tech — and for good reason: Protecting the company against risk is the number one job. Yet, theoretically, AI has the potential to more quickly identify a larger number of problems. So why doesn’t every security team use it?

How to build a better CISO

HelpNetSecurity article, January 15, 2019

The CISO, a title skyrocketing in popularity, is now an essential part of every organization. Companies that aren’t employing a CISO need to embrace this position (and in some states quickly if they don’t want to be fined). As threats become exponentially more elaborate and the world becomes more connected the need for CISOs is undeniable.

Even if a company is based in a state where it is not mandatory, not having a CISO could be a clear indicator to a prospect or customer that security is not being taken as a priority. But with the increase in security threats and the business implications they raise, one question remains unanswered: what does it take to be an effective CISO?

Kudos to the Unsung Rock Stars of Security

Dark Reading article, January 11, 2019

The general public, and even the security industry, seems to idolize the "hackers" and people who can compromise security of organizations with ease. They are frequently referred to as the "Rock Stars of Security." Some of these people have incredible skills at what they do. However, the "Rock Stars" we should be revering are those working on internal security teams, who know all too well that real security involves infinitely more than telling people "don't give away your passwords" or "patch your systems." They frequently experience failures of one form or another but somehow manage to effectively mitigate losses and keep major organizations up and running.

It is great to have heroes, but the world needs to realize that the real heroes of security are those with the really hard jobs, which means those who are constantly trying to keep the bad guys out while fighting their own organizations more than the hackers. Unfortunately, we rarely know their names, how hard they're working, or acknowledge them for the heroes that they are.

From global risks to global visibility: A new paradigm for cyber in a connected world

CSO article, January 9, 2019

“The complexity of managing internet visibility is a challenge for every organization today,” Ann Barron-DiCamillo, the former director of the United States Computer Emergency Readiness Team, said at a recent private event at the National Press Club in Washington, D.C. “Traditional security stacks do not address these internet visibility challenges; we need to think about the problem differently.”

So how do agencies even begin to address these vulnerabilities? The key is a paradigm shift in how cyber professionals engage with the public internet -- not just as a risky environment, but as the great technology equalizer. This shift in thinking offers a strategic advantage for anyone willing to embrace it. It will not only futureproof where the agency is going, but also directly address the current visibility challenges the internet poses. 

What Cyber Security Skills Are Most In Demand

Cyber Security Hub article, January 1, 2019

“What's in short supply is the security analyst type of individual as well as someone that's very knowledgeable about software security assurance … and application security. I'm seeing those two areas being the most difficult to locate.” McCarthy said a threat hunter is a newer role that is also in demand in the security operations center. A threat hunter, “is really able to cross and correlate the different threat feeds and all the different data and build conclusions on what's happening from inside and the dark web and across that horizon.”

She said that as security threats become a lot more complex, “you really need some very smart and savvy young folks that have a real appetite for correlating that data … like the James Bond of IT” who is interested in threat hunting, pulling data together and problem solving.

2019 will be the year of cloud-based cybersecurity analytics/operations

CSO article, January 4, 2019

Security information and event management (SIEM) systems first appeared around 2000 from vendors such as Intellitactics, NetForensics, and eSecurity. The original functionality centered around event correlation from perimeter security devices such as IDS/IPS and firewalls.

The SIEM market evolved over the past 19 years, with different vendors, functionality, and use cases. SIEM has also grown into a $2.5 billion market, dominated by vendors such as Splunk, IBM, LogRhythm, and AT&T (AlienVault).

Despite the SIEM evolution, today’s products can be seen as super-sized versions of those of yesteryear. In fact, the original design of SIEM seemed like a knockoff of network and systems management tools CA Unicenter, HP OpenView, and IBM Tivoli. SIEM products were based upon a tiered architecture of distributed data collectors/indexers/processors and a central database used for data analytics, visualization, and reporting.

Prove Cybersecurity’s Value to Build a Culture of Cybersecurity

Security Magazine article, January 3, 2019

If you want senior executives to buy into cybersecurity, you need to prove the value cybersecurity brings to the core business. Read your organization’s annual reports, corporate governance documents, shareholder statements and the like. These documents will give you a better sense for what drives your organization and, in turn, what your executives are thinking about.

You’ll likely find that cybersecurity shows up in these documents but not around specific attacks, zero-days and APTs. You’ll see verbiage about material harm. You may see risk statements around maintaining effective cybersecurity controls, protecting confidentiality and privacy, and the need to safeguard sensitive data.

New ISACA and CMMI Institute research on cybersecurity culture is full of attention-grabbing perspectives and stats regarding the value of a strong cybersecurity culture, such as reduced cyber incidents, stronger customer trust and better brand reputation. This study made me think about how a cybersecurity culture is really created and what a cybersecurity team needs to be able to prove within its organization to earn the support and resources required for a cybersecurity culture.

A Pessimist's Guide to 2019 Cyber Security Predictions

LinkedIn article, January 2, 2019

With the introduction of a new year, we are seeing the influx of regular cybersecurity predictions and by most counts, this one is no different. Except, I do not have a product to sell, a book to advertise, or a political position to encourage. These are just the predictions that I see beginning to emerge now and will have some amount of maturity during 2019 and 2020. 

7 Tips for New Cybersecurity Leaders in Their First 100 Days

GovTech article, January 2, 2019

The beginning of a new security chief's tenure is critical. From opening lines of communication to creating a strategic plan, here are seven dos — and three don’ts — for successfully navigating a new position.

Let’s say you were just appointed to lead the cybersecurity program within a new government administration — congratulations! You’re likely excited to be a part of a new tech team with a fresh mandate from voters and a group of like-minded professionals. Or maybe you just landed a top job as a chief information security officer (CISO), director of IT security or cybermanager within a new organization.  

Regardless of how you arrived at your new role, it’s an exciting opportunity. After reading a ton of material on security leadership, your ideas are set. You’re determined to be successful and fix everything you’ve been told is wrong with the current cyber team and security culture. 

First-Ever UEFI Rootkit Tied to Sednit APT

ThreatPost article, December 28, 2018

Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks.

The discussion of Sednit was part of the 35C3 conference, and a session given by Frédéric Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall (PDF). During his session, Vachon said that finding a rootkit targeting a system’s UEFI is significant, given that rootkit malware programs can survive on the motherboard’s flash memory, giving it both persistence and stealth.

“UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level,” he said.


ISACA report, December 2018

The importance of strong cybersecurity is no longer in question in today's harrowing threat landscape, but less clear is how organizations put a strong culture of cybersecurity in place, beginning with leadership from the board of directors and inclusive of all employees. The 2018 Cybersecurity Culture Report from ISACA and CMMI Institute shows there is much progress to be made, as 95 percent of global survey respondents identify a gap between their current and desired organizational culture of cybersecurity.

The research shows that prioritizing investment in training can be a meaningful driver of strong cybersecurity culture, while annually measuring and assessing employee views on cybersecurity is among the other steps that can lead to heightened awareness and improved culture.

Securing the Industrial Internet of Things in OT Networks

CSO article, December 18, 2018

In many organizations, traditional IT and critical Operational Technology (OT) networks are being merged to take advantage of the speed and efficiency of today’s digital marketplace. Typical OT networks are comprised of switches, monitors, sensors, valves, and manufacturing devices managed by an industrial control system (ICS) through remote terminal units (RTUs) and programmable logic controllers (PLCs) over a serial or IP connection. Since these systems manage sensitive and sometimes dangerous environments, they demand safe and continuous operation. To achieve that, they have traditionally tended to be air-gapped from the IT network to avoid the sorts of intermittent network or device crashes that IT systems can tolerate.

These systems are built upon high-value OT assets that can range into the billions of dollars. A system crash on a manufacturing floor can stall production for hours and potentially ruin millions of dollars in materials. Even worse, having to reset an open furnace or a 10,000-gallon boiler processing caustic chemicals can have far more devastating consequences than temporarily losing access to an online printer.

Why Cyber Range Training and Simulation is Key for Effective Security Operations

LinkedIn article, October 19, 2018

The cybersecurity scene has never been so dynamic and complex. The number of attacks and their complexity have grown drastically, and the number of security solutions collecting endless amounts of alerts and events has risen drastically. A recent Ovum survey sponsored by McAfee found that 37 percent of respondents in the financial sector had to deal with over 200,000 daily security alerts, and many institutions deploy between 100-200 disparate security solutions. New threats and attack vectors emerge, spanning a converged attack surface of IT and OT networks, as well as IoT devices. Attacks have become time-sensitive, requiring SOCs to detect and respond within seconds to minutes, and challenging the SOC’s ability to perform effectively. We have seen this new reality once again in the recent attack on the Cosmos Bank in India last month, where over $15M were stolen via ATM hacking. Topping this, new regulatory guidelines are being introduced, requiring strict procedures and comprehensive reporting processes. In parallel, our overall ability to recruit, train and retain our cybersecurity experts has been dropping continuously over the last few years. These trends will remain with us and in many cases intensify in the foreseeable future, making the jobs of our CISOs ever more challenging.

Cybersecurity Predictions and a Wish List for 2019

LinkedIn article, December 28, 2018

As in recent times, the cyber threats will continue to get worse before they get better. Those that think “good enough” security or risk management is sufficient will be sorely disappointed in the large gaps they will leave open for the cybercriminals and nation-state actors to easily breach and compromise their enterprise.

The most interesting and important hacks of 2018

CSO article, December 27, 2018

The hacks, exploits and data breaches security researchers most need to pay attention to are those that do something new or suddenly increase in volume.

Each year a few hackers do something new that begs further examination. The general public and Hollywood paint most hackers as uber-smart people who can take control of an entire city’s infrastructure and crack any password in seconds. The reality is that most hackers are fairly average people with average intelligence. Most don’t do anything new. They just repeat the same things that have worked for years, if not decades, using someone else’s tool based on someone else’s hack from many years ago.

The stuff that we need to pay more attention to are the new, evolutionary or revolutionary hacking methods that gave hackers access to something they didn’t have before. Maybe it isn’t exactly new, but it’s being used more or in more innovative ways than in the past (like ransomware did a few years ago). With that said, here are my choices for most interesting hacks of 2018.

How to boost collaboration between network and security teams

NetworkWorld article, December 21, 2018

When Tim Callahan came to Aflac four years ago to take on the role of CISO, enterprise security at the insurance giant was embedded deep in the infrastructure team.

One of his first requests of the CIO: Let me extract security out into its own group. Callahan readily admits the culture shift was not easy but believes that the demarcation has actually led to better collaboration.

Arguing for a walled-off security team is not easy for security leaders amid a shrinking talent pool of qualified security professionals. Analyst firm ESG found that from 2014 to 2018, the percentage of respondents to a global survey on the state of IT claiming a problematic shortage in cybersecurity skills at their organization more than doubled from 23% to 51%.

Cybersecurity 101 For The C-Suite And Board Members

Forbes article, December 17, 2018

Today, most C-Suite and boardroom discussions on cybersecurity are based on gut feelings and incomplete data. We are wasting a lot of money because we don’t know how to deal with cybersecurity effectively.

If you have a mature cybersecurity program, your chief information security officer (CISO) probably provides periodic updates with qualitative (or quasi-quantitative) estimates of cyber-risk organized around categories such as risk to intellectual property, risk of operational disruption from a cyberattack, risk of customer data disclosure, etc. The presenting executive might review status of key cybersecurity projects, and perhaps ask for additional budget to pursue “necessary” initiatives to keep up with the evolving threat landscape. Sometimes these sessions become deeply technical and hard to follow. Come next year (or next quarter), a similar meeting occurs. With the steady stream of cyber breaches in the news, you hope your company is doing the right things to stay out of trouble.

Why the CISO’s Voice Must be Heard Beyond the IT Department

InfoSecurity Magazine article, December 10, 2018

In a recent company board strategy meeting the CFO presented the financial forecast and outcome and made some interesting comments about fiscal risks and opportunities on the horizon. The COO discussed efficiency in operations, explained how the company may need to adjust the hiring procedures to avoid the risk of high turnover and to speed up the candidate selection. She also argued in favor of some new IT initiatives to automate and modernize some processes – including the hiring process. With these in mind, the CEO made some strategic decisions on projects and operations, and the meeting was concluded.

Three months later the company name was in the headlines. A temp employee of the vendor that was selected to implement the new IT system had his laptop stolen; credentials were cached in the browser. The personal details of all applicants in the new system, including previous salary details and diversity data (such as race, religion and sexual orientation), were posted on a public website.

Storytelling Is A Critical Skill Set For CISOs

Forbes article, December 6, 2018

As a recovering CIO and current CISO, I discovered one of the fundamental skill sets useful for technical leaders to drive informed decision making by nontechnical audiences is the art of storytelling. CISOs typically communicate in numerous formats, and I have known many of my peers to be masters at documenting and describing security architectures and emerging threats. However, to be truly effective in evangelizing the worth of a security program to the business, a CISO must describe their vision of cybersecurity, risk management and its business value to company employees and leadership stakeholders. This shift of taking highly technical information and transforming it into a presentation that non-technical people can understand and relate to is not easy. In fact, it is a skill that CISOs today must regularly practice as their role continues to evolve into one that supports business operations. 

What CISOs are Sharing With Their Boards

Cyber Security Hub article, December 12, 2018

Regardless of whether you’re in a regulated industry or a publicly-traded industry, you always have “crown jewels” that need to be protected and the same types of motivations to guard them, said Tomas Maldonado, chief information security officer at International Flavors & Fragrances. Maldonado was the guest on Episode 62 of Task Force 7 Radio on Monday night, with host George Rettas, president and CEO of Task Force 7 Technologies.

Those crown jewels include intellectual property and trade secrets, which he said are very similar to what is protected in the financial services sector, where he has also worked. The difference is, “In the industry that I'm in now … I have to do more really with less in terms of resources and I have to be creative as to how we make investments because you don't have that enormous amount of open pocketbook.”

10 cyber security trends to look out for in 2019

InformationAge article, December 10, 2018

2018 was an interesting year for all things cyber.

It was the year that brought major breaches pretty much every week. Most recently, the Marriott Hotel group suffered a significant data breach, while Quora fell foul to some cyber criminals.

Cyber security is still the issue on every business leader’s mind.

This year, organisations have had to get their house in order with GDPR, amongst others, coming into force on 25 May. The stakes for protecting your organisation from cyber threats have never been higher.

So, what can we expect to see in 2019 then? Here are some things to consider.

The 10 Coolest New Cybersecurity Tools Of 2018

CRN article, December 6, 2018

The 10 products making waves in the cybersecurity market have emphasized stronger detection and correlation of threat data as well as extending and centralizing device management. 

Getting cybersecurity to the top of the boardroom agenda

ITProPortal article, December 5, 2018

The IT industry has undoubtedly shone a bright light on the role of the Chief Information Security Officer (CISO) this year; the increasing responsibility and heightened risks associated with the role and the fact that no organisation appears to be safe from a data breach has given the role a new purpose and place within the structure of a business. 

CEOs, Boards of Directors and Trustees are now realising how fatal cybersecurity failures can really be. In reality, a major data breach will not only ruin an organisation’s reputation and damage its brand and future prospects or plans, but also have serious consequences for the bottom line. When a breach occurs, and the data of customers, partners, employees or even the general public is compromised, hard decisions need to be made - and fast. How can a CISO put cybersecurity at the top of the Board’s agenda BEFORE a breach occurs - and make it stay there?

9 cyber security predictions for 2019

CSO article, November 20, 2018

Predictions are tough, but even more so in the chaotic world of cyber security. The threat landscape is huge, offensive and defensive technologies are evolving rapidly, and nation-state attacks are increasing in terms of scope and sophistication.

This cyber “fog of war” makes it hard to see or assess every trend. Last year, for example, CSO’s predictions for 2018 did not anticipate the rapid rise of cryptomining. In hindsight, this relatively easy-to-execute, lower-risk way for cyber criminals to monetize their efforts should have been an obvious choice.

Still, we got a few things right: more automation of threat-detection processes, significant rise in attacks using compromised IoT devices, and the decline of trust in the face of rising cyber crime, to name a few. 

6 mobile security threats you should take seriously in 2019

CSO article, November 20, 2018

Mobile security is at the top of every company's worry list these days — and for good reason: Nearly all workers now routinely access corporate data from smartphones, and that means keeping sensitive info out of the wrong hands is an increasingly intricate puzzle. The stakes, suffice it to say, are higher than ever: The average cost of a corporate data breach is a whopping $3.86 million, according to a 2018 report by the Ponemon Institute. That's 6.4 percent more than the estimated cost just one year earlier.  

While it's easy to focus on the sensational subject of malware, the truth is that mobile malware infections are incredibly uncommon in the real world — with your odds of being infected significantly less than your odds of being struck by lightning, according to one estimate. That's thanks to both the nature of mobile malware and the inherent protections built into modern mobile operating systems. 

Top security tips revealed by industry experts

TechRepublic article, November 19, 2018

Regardless of your career, when you work with technology you're usually inundated with security risks and threats, many of which are tough to keep up with. Whether you face application or operating system vulnerabilities, insecure passwords, phishing attempts, scams, social engineering gimmicks, or more, it's important to stay nimble and aware. This can be challenging when there is another data breach or must-patch vulnerability on a weekly basis. 

Here is a compilation of the best security tips recommended by both hands-on tech pros and the executives who lead them. Hopefully, this advice will make your job (or consumer endeavors) easier.

Texas hospital becomes victim of Dharma ransomware

ZDNet article, November 19, 2018

The Altus Baytown Hospital (ABH) has revealed a ransomware outbreak which may have led to the leak of patient data. 

In a statement on its website, the Texas-based hospital said that ABH discovered an unauthorized threat actor rifling through the organization's systems on roughly September 3.

The ransomware at fault for the infection is known as Dharma. As with most strains, the malware was able to encrypt files and then demanded a ransom payment in return for access.

The 7 deadly sins of endpoint detection & response

CSO article, November 19, 2018

The average IT environment today includes countless devices running different operating systems. Complexity is growing as the IoT, remote workers, and third parties add more potentially exploitable endpoints into the mix every day. Every organization needs to take steps to secure unmanaged devices and eliminate the IoT blind spot. Complete, real-time visibility into every endpoint on your network should be a priority. 

Breaches often take weeks or even months to uncover, but the right strategy combined with strong endpoint detection & response (EDR) tools can make all the difference. We examine seven vital factors to consider.

12 Specific Techniques to Build Relationships with CISOs

CISO Relationship Series, by David Spark, November 14, 2018

CISOs (chief information security officers) are a prime target for security sales and marketing because they are usually the point person who controls a company’s security budget. Given the overflow of traditional marketing and sales techniques, CISOs often cringe or are turned off, preferring instead to build relationships with vendors. To better understand how those relationships are formed, I asked CISOs to give me specific stories of how a vendor fostered a relationship with them and what they liked about it. Here are their tales and their advice.

The state of ICS and IIoT security in 2019

CSO article, November 12, 2018

According to a new report from CyberX, industrial organizations are doing themselves no favors and making themselves easy targets. The report, 2019 Global ICS & IIoT Risk Report, analyzed real-world network traffic data from more than 850 production ICS networks worldwide to get a view into existing vulnerabilities in ICS environments.

“The data clearly shows that industrial control systems continue to be soft targets for adversaries,” said the report. “Many sites are exposed to the public internet and trivial to traverse using simple vulnerabilities like plain-text passwords. Lack of even basic protections like automatically updated anti-virus enables attackers to quietly perform reconnaissance before sabotaging physical processes such as assembly lines, mixing tanks, and blast furnaces.”

Relaxed, Anxious, Ignorant: Our Attitudes Towards CyberSecurity Are Making The Problem Worse

Forbes article, November 9, 2018

Data breaches are our own fault. A 2016 study by PhishMe found that 91% of all cyber attacks start with a phishing email, and since then these schemes have only gotten more sophisticated in their methods. With recent cybersecurity initiatives in the UK and the US it seems that authorities are waking up to the risks. But the conversation around cybersecurity has to move away from seeing cybercriminals as opportunists if we are to properly address the ever-evolving threats facing us.

What is adversarial artificial intelligence and why does it matter?

World Economic Forum article, November 21, 2018

Artificial intelligence (AI) is quickly becoming a critical component in how government, business and citizens defend themselves against cyber attacks. Starting with technology designed to automate specific manual tasks, and advancing to machine learning using increasingly complex systems to parse data, breakthroughs in deep learning capabilities will become an integral part of the security agenda. Much attention is paid to how these capabilities are helping to build a defence posture. But how enemies might harness AI to drive a new generation of attack vectors, and how the community might respond, is often overlooked. Ultimately, the real danger of AI lies in how it will enable attackers.

Adversarial AI is the malicious development and use of advanced digital technology and systems that have intellectual processes typically associated with human behaviour. These include the ability to learn from past experiences, and to reason or discover meaning from complex data.

With supply chain security grabbing headlines, NIST sees new relevance for its guidance

CSO article, November 19, 2018

Supply chain is sexy again, and NIST hopes that means more companies take its supply chain risk guidance seriously.

Cybersecurity in the supply chain is a dense, massively complicated topic that lies beyond the comprehension of all but a few dedicated experts. It has nonetheless risen to the top of the security challenges organizations face today. “Supply chain is the new black. Supply chain is sexy again. That’s kind of hard to imagine,” said Jon Boyens, manager of security engineering and risk management at the National Institute of Standards and Technology (NIST). Boyens, who manages NIST’s cybersecurity supply chain efforts, made that comment during a plenary session at NIST’s Cybersecurity Risk Management Conference.

Malicious code hidden in advert images cost ad networks $1.13bn this year

ZDNet article, November 16, 2018

Steganography is rapidly becoming a favored tool of fraudsters.

Malvertising, the practice of embedding malicious code in seemingly innocent online adverts, is evolving through the use of steganography.

Files, messages, images, and video can be hidden within content of the same format, potentially leading to malicious redirects and the download of exploit kits.

The steganographic technique is fast becoming a popular method for fraudsters to dupe legitimate ad networks and spread malvertising across legitimate domains, according to researchers from GeoEdge, with a recent string of incidents highlighting the method's capabilities.

What is the cyber kill chain? Why it's not always the right approach to cyber attacks

CSO article, November 15, 2018

Lockheed Martin's cyber kill chain approach breaks down each stage of a malware attack where you can identify and stop it, but be aware of how attack strategies are changing.

As an infosec professional, you’ve likely heard about using a cyber kill chain, also known as a cyber attack lifecycle, to help identify and prevent intrusions. Attackers are evolving their methods, which might require that you look at the cyber kill chain differently. What follows is a recap of what the cyber kill chain approach to security is and how you might employ it in today’s threat environment.

Canadian University Shuts Down Network in Response to Cryptocurrency Mining Attack

SecurityIntelligence article, November 14, 2018

St. Francis Xavier University had to take its critical IT systems offline after it discovered a scheme to mine cryptocurrency using its network resources.

On Nov. 9, the school’s IT team identified an automated attack launched by unknown threat actors in an effort to steal computing power to mine cryptocurrency, otherwise known as cryptojacking.

After consulting with security specialists, the university, which is based in Nova Scotia, made the decision to disable all network systems. Representatives of the school announced plans to reinstate the offline servers across its network in stages to reduce potential security risks.

Internet traffic hijack disrupts Google services

Washington Times article, November 12, 2018

An internet diversion that rerouted data traffic through Russia and China disrupted several Google services on Monday, including search and cloud-hosting services.

Service interruptions lasted for nearly two hours and ended about 5:30 p.m. EST, network service companies said. In addition to Russian and Chinese telecommunications companies, a Nigerian internet provider was also involved.

Google confirmed Monday’s disruption on a network status page but said only that it believed the cause was “external to Google .” The company had little additional comment.

The specific method employed, formally known as Border Gateway Protocol (BGP) hijacking, can knock essential services offline and facilitate espionage and financial theft. Most network traffic to Google services - 94 percent as of October 27 - is encrypted, which shields it from prying eyes even if diverted.

The White Company: Inside the Operation Shaheen Espionage Campaign

Cylance ThreatVector blog, November 12, 2018

In a new collection of extensive research reports, the Cylance Threat Intelligence Team profiles a new, likely state-sponsored threat actor called The White Company - in acknowledgement of the many elaborate measures they take to whitewash all signs of their activity and evade attribution. 

The report details one of the group’s recent campaigns, a year-long espionage effort directed at the Pakistani government and military – in particular, the Pakistani Air Force.

Cylance calls this campaign Operation Shaheen.

5 Reasons Why Threat Intelligence Doesn't Work

Dark Reading article, November 7, 2018

Offense is the best defense. To defend well, we must take the initiative. When we are aware, we can prepare. Whatever the motto of your cybersecurity team, fighting cybercrime requires keeping an ear to the ground to anticipate threats.

That's what threat intelligence is all about, isn't it? Identifying and mending the weak spots of corporate IT infrastructure before someone maliciously exploits them instead. At least that's what the theory says. And many organizations are buying into it as global spending in threat intelligence services will surpass $1.4 billion in 2018 — up from $905.5 million in 2014.

The problem is, CSOs and cybersecurity folks often struggle to understand threat intelligence's benefits. Let's examine the reasons why and who's to blame — and how to move beyond those problems.

Top ten cybersecurity predictions for 2019

IT Pro Portal article, November 6, 2018

Cybercrime, DDoS, IoT - what should you pay attention to next year?

1. Increase in crime, espionage and sabotage by rogue nation-states

2. GDPR - The pain still to come

3. Cloud insecurity - it's your head on the block

4. Single factor password - the dark ages

5. Malware - protect or fail

6. Shift in attack vectors will drive cyber hygiene growth

7. IoT - the challenge will only increase

8. Increasing risks with shadow IT systems and bad housekeeping

9. DDoS - usually unseen, but still a nightmare

10. Cybersecurity in the boardroom

Veracode Acquired by Thoma Bravo and Splits from CA After Broadcom Deal

InfoSecurity Magazine article, November 5, 2018

Private equity investment firm Thoma Bravo has agreed to acquire Veracode for $950 million, on the same day that its parent CA Technologies was acquired by Broadcom for a reported $18.9 billion.

Veracode were acquired by CA Technologies in March 2017 for $614m. Today’s Thoma Bravo announcement is expected to close in Q4 of 2018.

The Untold Story of NotPetya, the Most Devastating Cyberattack in History

Wired Article, August 22, 2018

It was a perfect sunny summer afternoon in Copenhagen when the world’s largest shipping conglomerate began to lose its mind. 

The headquarters of A.P. Møller-Maersk sits beside the breezy, cobblestoned esplanade of Copenhagen’s harbor. A ship’s mast carrying the Danish flag is planted by the building’s northeastern corner, and six stories of blue-tinted windows look out over the water, facing a dock where the Danish royal family parks its yacht. In the building’s basement, employees can browse a corporate gift shop, stocked with Maersk-branded bags and ties, and even a rare Lego model of the company’s gargantuan Triple-E container ship, a vessel roughly as large as the Empire State Building laid on its side, capable of carrying another Empire State Building–sized load of cargo stacked on top of it. 

The first 100 days of the new CISO: how to avoid the “curse of firefighting”

The Digital Transformation People article, November 1, 2018

How an incoming executive needs to approach such a complex role is also a hot debate. Many experts – including us – have written about this and have framed the topic using the “first 100 days” journalistic cliché. In our own series, we took issue with the fact that most consultants’ analysis and suggestions fail to consider the incoming CISO within the broader context and organisational complexity of the firm.

In large organisations, no function exists in a vacuum, and getting anything done requires aligning your strategy with other stakeholders’ priorities, business cycles, and budget cycles. It will always take time, as well as political and managerial acumen, but nothing in our opinion that could not be set in motion to an extent within the first 6 months in office.

4 Dangerous Security Assumptions to Avoid

CSO article, November 1, 2018

Many organizations take steps to guard against data breaches, employing new policies, tools and strategies that make them feel protected, but their defenses may not be as strong as they think. Unfortunately, this false sense of security is all-too-easy to come by.

It’s not unusual for companies to start out in the right direction but fall short in their efforts because one specific area is overlooked. Achieving a high standard of cybersecurity requires a thorough, holistic view of the risks and a robust, continuous effort. The truth is that many organizations do one or two things right and then put their feet up, content to bask in the warm, but erroneous sensation that they’re safe.

Here are four common statements that indicate a false sense of security.

Cybersecurity Professional Impressions on Cloud-native Security

CSO article, October 31, 2018

Organizations use cloud-native security controls, but they really want central management for cloud security across heterogeneous clouds.

In a recent research survey, ESG asked a panel of 232 security and IT professionals a series of questions about cloud-native security (i.e. security controls, management, and monitoring options built into cloud infrastructure and offered by cloud service providers). Here are a few of the data points ESG uncovered...

Cyber Is a Boardroom Issue in 2018

Infosecurity Magazine article, October 30, 2018

Based on studies and interviews with corporate board members and chief information security officers (CISOs), the Cyber Balance Sheet, published by Focal Point Data Risk and produced by the Cyentia Institute, found that boardrooms are engaging in more conversations about security.

While the talks about cyber risk are more commonplace, the C-suite and security leaders are still struggling to effectively translate security risks into an effective decision-making framework that enables the business to operate within its proper risk appetite.

Communication is Broken Between CISOs and the Rest of the Business

SecurityWeek article, October 29, 2018

Time was, the rest of the business might have bought into the idea that IT security was unique among business functions, with processes, standards and language too technical to be understood by ordinary business folk. Cybersecurity management is technical, the thinking went, therefore the results could only be expressed in technical language, too.

That era came to a crashing end in the last few years when crippling malware and devastating data breaches made cyber risks a clear and present danger for the entire organization. Now, board members and senior management are likely to wave off CISO techno-speak and push to get their questions answered on their terms.

The CSO Guide to Top Security Conferences, 2018-19

CSO article, October 25, 2018

There is nothing like attending a face-to-face event for career networking and knowledge gathering, and we don’t have to tell you how helpful it can be to get a hands-on demo of a new tool or to have your questions answered by experts.

Fortunately, plenty of great conferences are coming up in the months ahead.

CSO Online’s calendar of upcoming security conferences makes it easy to find the events that matter the most to our community.

6 Cybersecurity Tools You'll Need to Know About in 2019

HackerNoon article, October 24, 2018

Whether it’s maintaining transparent and reliable voting systems, combatting DDoS attacks at the G20 summit and WTO conference, or even protecting a corporation’s new batch of smart contracts, proactive solutions are necessary in an era when cybercrime seems to reach a new all-time high every few months.

In this vein, smart IT experts and even regular users would be wise to keep an eye on these up-and-comers in the sector. A place on this list means that the company has identified a crucial area of vulnerability in the status quo and develops a unique, airtight solution.

Questions to Ask Before Accepting that CISO Job Offer

LinkedIn article by Gary Hayslip, October 21, 2018

In writing earlier articles and releasing them to our community I have been asked by several people if I could make a list of questions to ask at an interview. These would be questions you could ask the interviewer and interview committee to make sure the role you want is the right one for you. In the past I have had positions I wanted, but when asking these questions, the answers I received painted a picture I wanted nothing to do with and I walked away from the position. What is important is that not all of these questions will apply to your situation, but hopefully they will give you some ideas on what to ask during your interview so you feel comfortable that the role you are interviewing for is a good fit for you and your career.

How CEOs And Boards Can Manage The Strategic Impacts Of Cyber Risk

Forbes article, October 15, 2018

The digitalization of the business landscape offers never-before-seen opportunities but also makes organizations more vulnerable to cyber attacks and breaches. At the highest level, leaders are focused on maturing their cyber risk programs and dealing with the fact that cyber risk is everywhere—from the light switch in the office to the systems storing the organization’s most sensitive information. 

Irfan Saif, principal at Deloitte Risk and Financial Advisory, Deloitte & Touche LLP, shares his perspective on how organizations are currently managing cyber risk.

Gartner Top 10 Strategic Technology Trends for 2019

Gartner Report, October 15, 2018

The Gartner Top 10 Strategic Technology trends highlight changing or not yet widely recognized trends that will impact and transform industries through 2023. 

Trend No. 1: Autonomous Things

Trend No. 2: Augmented Analytics

Trend No. 3: AI-driven Development

Trend No. 4: Digital Twins

Trend No. 5: Empowered Edge

Trend No. 6: Immersive Technology

Trend No. 7: Blockchain

Trend No. 8: Smart Spaces

Trend No. 9: Digital Ethics and Privacy

Trend No. 10: Quantum Computing

Sednit APT Group Uses First UEFI Rootkit Detected in the Wild to Execute LoJax Malware

SecurityIntelligence article, October 4, 2018

For the first time ever, researchers discovered a Unified Extensible Firmware Interface (UEFI) rootkit in the wild that they believe the Sednit advanced persistent threat (APT) group used to execute LoJax malware.

Researchers at ESET observed an attack campaign distributing LoJax and three types of tools. The first component dumped system information into a text file. The second tool read the contents of the Serial Peripheral Interface (SPI) flash memory to save an image of the system’s firmware. The third wrote a UEFI module to the SPI flash memory and installed a UEFI rootkit that’s responsible for dropping LoJax onto the machine.

Cyber Security Is A Business Risk, Not Just An IT Problem

Forbes article, from October, 2017

Gone are the days when companies could pass the headaches of cyber security to the IT department, as it has become more of a business issue too. This is especially important as businesses are more digitized, meaning they are exposed to an increasing number of threats if they do not manage the risk of security properly. While more Hong Kong businesses understand the value of shifting their mindset in cyber security from questioning if their business will experience an attack to when they will be threatened and how they will respond, they still need to address cyber security as the business risk it is.

In Telstra’s recent Cyber Security report, data shows that 59% of Asian organizations experienced a business-interrupting security breach at least once a month. This comes down to the increase in digitization across the board. As we move towards digitization, the number and type of devices requiring enhanced security measures increase too. Mobiles, tablets, wearables and Internet of Things (IoT) enabled devices all fall short in the traditional approach of securing network perimeters by a firewall. Additionally, new technologies such as artificial intelligence and machine learning are providing attackers with enhanced tools for more complex attacks.

Form factor wars: Cloud-based or on-premises security technologies?

CSO article, September 26, 2018

While most organizations are willing to consider cloud-based or on-premises security solutions, nearly one-third still demand the control associated with on-premises.

Cybersecurity professionals are paid to be paranoid and tend to want to control everything they can to minimize surprises or third-party dependencies. This has always been the case with regards to security technology. Historically, CISOs mistrusted managed services, preferring instead to “own” the deployment and operations associated with their security technologies. 

While cultural attitudes toward security control remain today, demand- and supply-side changes are influencing new security technology decisions.

Lucy Gang Debuts with Unusual Android MaaS Package

ThreatPost article, September 20, 2018

The threat actor’s Android-focused cyber-arms package, dubbed Black Rose Lucy, is limited in reach for now, but clearly has global ambitions.

There’s a fresh bloom in the malware-as-a-service garden: Researchers have uncovered a new Russian-speaking threat actor hawking a proprietary cyber-weapon dubbed “Black Rose Lucy.”

The offering is a malware-as-a-service (MaaS) bundle with two parts, consisting of a controlling web interface (which acts as a dashboard and command-and-control server), and malware that targets Android systems. Infected devices are enslaved to a botnet that’s placed at an operator’s disposal, according to analysis from Check Point.

5 biggest cybersecurity challenges at smaller organizations

CSO article, September 19, 2018

Manual processes, security complexity, and a lack of support from business management plague SMBs.

Aside from security incidents and subsequent actions, what are the major cybersecurity challenges experienced by small and mid-sized organizations? 

ESG asked this question in a survey of 400 IT and cybersecurity professionals working at SMB firms. The results are as follows (multiple responses were accepted):

  • 28% of respondents say their biggest cybersecurity challenge is that their organization depends upon too many manual or informal processes for cybersecurity.
  • 27% of respondents say their biggest cybersecurity challenge is that it is difficult to manage the complexity of too many disconnected cybersecurity tools.
  • 27% of respondents say their biggest cybersecurity challenge is that business managers don’t understand or support strong cybersecurity.
  • 25% of respondents say their biggest cybersecurity challenge is that their organization doesn’t provide an appropriate level of cybersecurity training for non-technical employees, leading to increased risk.
  • 24% of respondents say their biggest cybersecurity challenge is that their organization lacks the right skills to deal with modern types of cyber threats.

The SOC Gets a Makeover

DARK Reading article, September 6, 2018

Today's security operations center is all about reducing the number of alerts with emerging technologies - and enhancing old-school human collaboration. Here's how some real-world SOCs are evolving.

Blame it on the success of the SIEM. For many security operations center (SOC) managers, the security information and event management system was both a blessing and a curse: It was a way to consolidate and correlate security alerts from firewalls, routers, IDS/IPS, antivirus software, and servers, for example, into a centralized console. But with the recent wave of new security tools, threat intelligence feeds, and constantly mutating threats, SOCs are drowning in anywhere from thousands to a million security alerts daily. 

The most important attributes of a cybersecurity platform

CSO article, August 29, 2018

Information security professionals want coverage across major threat vectors, central management, and technologies for prevention, detection, and response in any security platform.

ESG has seen an ongoing cybersecurity technology trend that goes something like this:

  1. Enterprise organizations address cybersecurity using disconnected point tools. This strategy is no longer adequate, as it impacts security efficacy and adds operational overhead.
  2. Security teams address these problems by consolidating and integrating the security tools they use. Many are building security technology architectures a la SOAPA (i.e. security operations and analytics platform architecture).
  3. Seeing this trend in process, security technology vendors push internal development teams to integrate point tools across their portfolio. They then pitch integrated security "platforms" to customers.

Spotlight Shines on Role of CISO

Wall Street Journal article, from June, 2016

Not long ago, many senior management teams regarded their risk executives as “business prevention officers.” For that reason, risk managers often felt like salmon swimming upstream, their advice lost in the press of doing business, according to University of Maryland Executive-in-Residence Clifford Rossi. But large-scale “black swan” events like the 2008 financial crisis demonstrated the perils of leaping after business opportunities without first taking a long, hard look at risk. Since then, chief risk officers (CROs) have gained enormously in respect and prestige and are now seen as “business protectors” essential to success. This has led a number of organizations to increase their risk management budgets (some by as much as 100 percent), raise CRO pay, and make the position a senior management and, in some cases, board-level role, “The Wall Street Journal” reports.

Cybersecurity decisions that can’t be automated

CSO article, September 17, 2018

Encourage those inside and outside your team to identify and challenge daily assumptions in order to adapt to change, think differently and make smarter, faster security related decisions.

Cybersecurity’s future in reducing incident response time is to automate the process. In other words, the process of marking an attack, aggregating key data, identifying the actual threat, assembling the tools and executing actions needs to be as close to machine speed as possible.

Unfortunately, most companies are still outsourcing only 30 percent of the decision-making to AI/cybersecurity programs that allow this, when a minimum of 70 percent is the healthier goal. 

Nevertheless, reaching that goal does not free a CSO or anyone in an organization from making key “human” decisions in the AI/cyber arena. Processes that include automated programs and algorithms are just one part of the job.

CISOs and the Quest for Cybersecurity Metrics Fit for Business

Security Week article, September 17, 2018

Never-ending breaches, ever-increasing regulations, and the potential effect of brand damage on profits has made cybersecurity a mainstream board-level issue. It has never been more important for cybersecurity controls and processes to be in line with business priorities.

A recent survey by security firm Varonis highlights that business and security are not fully aligned; and while security teams feel they are being heard, business leaders admit they aren't listening.

The problem is well-known: security and business speak different languages. Since security is the poor relation of the two, the onus is absolutely on security to drive the conversation in business terms. When both sides are speaking the same language, aligning security controls with business priorities will be much easier.

Well-presented metrics are the common factor understood by both sides and could be used as the primary driver in this alignment. The reality, however, is this isn’t always happening.

A Quantified Approach To Cybersecurity Risk Management

LinkedIn article by Steve King, September 16, 2018

Cybersecurity Risk Assessment should be a hot topic these days. How else can you not only convince your board and management team that you need to do something to protect against cyber-attacks, but also be able to communicate for once in a language they understand?

What if Equifax knew that their risk was quantified at more than $100 million along with a high probability of an ugly event actually happening? Do you think they might have installed that patch? I think they probably would have. Because as things stand right now (one year later) they might not be in business by the second anniversary.

Cybersecurity Skills Report: Today’s CISO is Shifting Toward Strategic Business Enablement

CSO article, September 11, 2018

Businesses and government agencies of all sizes are experiencing cyber attacks that are growing in both frequency and complexity. Cybercriminals, nation-states, and a host of other bad actors are developing new tactics, tools, and procedures to circumvent modern cybersecurity solutions. We are increasingly seeing targeted attacks employing customized malware and the ready availability of dark web market tools and services covering every aspect of the cyber kill chain. In fact, a recent Fortinet Global Threat Landscape Report shows that virtually no firm is immune, with 96% of firms experiencing at least one severe exploit.

In order to address these new threats while maintaining operations, growing the business, executing the mission, and implementing digital transformation, organizations are finding that success requires a balanced focus on both business and security requirements. This development is reflected in the changing roles and responsibilities of the Chief Information Security Officer (CISO). Public sector agencies and private enterprises are now seeking CISOs with the deep technical expertise, organizational leadership, and business acumen needed to achieve business objectives.

PowerShell Obfuscation Ups the Ante on Antivirus

ThreatPost article, September 12, 2018

A new malware sample using a rare obfuscation technique has been spotted that uses the features of PowerShell, a tool that comes built in to Microsoft Windows. Analysis from Cylance shows that the tactic succeeds in bypassing most antivirus products.

Cylance researchers stumbled across a malware file using a PowerShell obfuscation method while looking into a set of malicious scripts that had low antivirus detection. The file was a ZIP file containing both a PDF document and VBS script, and it was flagged by just three antivirus products.

CISOs recommend future actions for their organizations

CSO article, from September 5, 2018

Each year, ESG conducts a research project with the Information Systems Security Association (ISSA) on the mindset of cybersecurity professionals. (The 2017 report is available here.) As part of last year’s research, we asked respondents to identify the top actions their organizations should take in the future to improve cybersecurity. We then looked at this data based upon respondents’ roles, so we could look at the specific recommendations from CISOs (or other titles with equivalent job descriptions). 

Using "Digital Twins" to inform Cyber Security Operations

LinkedIn article by Scott Foote, September 3, 2018

The idea of a “Digital Twin” is not new. Engineers and other professionals have been using digital simulation models for many decades to provide the contextual awareness that informs their decision making. These digital simulations are simply formal, detailed versions of the anecdotally-collected mental models that most of us carry around in our heads. With the added benefit of course that digital models can be shared for continuous evolution, verification & validation; and persisted to survive the turnover of personalities and staff.

What is new… is the application of these digital models to the high-tempo, high-risk decision making of Cyber Security Operations.

The surge toward digital transformation continues to compound the complexities of contemporary business models as well as the underlying information technology that supports them. This exponential growth in inter-dependencies and rapid adoption of leading-edge technologies creates RISK, a direct result of the ever-growing attack surface that adversaries are increasingly better prepared to exploit, while Cyber Defenders are hard pressed to keep pace, struggling to maintain effective comprehension of their “enterprise architecture” as it continuously morphs in pursuit of greater business value.

Why CISOs Should Make Friends With Their CMOs

DARK Reading article, August 27, 2018

A partnership between IT security and marketing could offer many benefits to each group - and to the entire enterprise.

It might not seem like CISOs and CMOs have much in common, but both executives stand to gain by becoming allies.

Every day cybersecurity factors, such as bad breach publicity and phishing impersonators, erode enterprise brands — thereby diminishing the effectiveness of a CMO's daily efforts. Brand value goes down, email marketing ROI gets trashed, and customer churn increases, all of which reflect poorly on the chief marketer. CMOs need help from CISOs to lock down risk factors. On the flip side, CISOs grapple with a number of challenges that CMOs could help them with, including insecure marketing technology and communication processes, breach response communication, and inadequate budget for preserving brand value.

While CISOs and CMOs might never become corporate besties, there's clearly a lot of room for some mutual back-scratching. Here are some proof points to show why a partnership between this pair of executives can benefit both parties, as well as their companies.

What are small organizations doing about cybersecurity?

CSO article, August 21, 2018

According to a survey by ESG, firms with 50 to 499 employees are spending more money, purchasing security product suites, and outsourcing security tasks to MSSPs.

From the survey, two-thirds of firms with 50 to 499 employees have experienced at least one cybersecurity incident over the past few years, leading to lost productivity and business disruptions. Survey respondents claim that the biggest contributing factors to these cybersecurity incidents included human error, a lack of knowledge about cyber risk, and new IT initiatives lacking proper cybersecurity oversight.

Based upon this data, many small organizations don’t have the skills, staff, or cybersecurity infrastructure to keep up with the threat landscape. 

So, what are they doing to bridge this gap? Spending more money on cybersecurity for starters. Fifteen percent of organizations claim they will substantially increase their cybersecurity budgets while another 53 percent will increase their cybersecurity budget somewhat.

Balanced Skills for CISOs

LinkedIn article by Luiz Firmino, August 2, 2018

CISOs must have a keen emotional intelligence to allow them to quickly detect whether their audience is closed to suggestions or possibly even hostile to the suggested or required changes. One of the CISO’s key roles is as translator of tech-related terms and threats into a language appropriate for his or her audience. When conversing with business leaders, the CISO needs to be able to communicate clearly and effectively, in the language of the business, through explanations, metaphors or visual aids. This type of interaction is likely to increase as the CISOs communicate ways to reduce cyber risks to other groups.

Ultimately, the CISO’s currency is trust. CISOs must earn the trust of the rest of the executive team and maintain that trust. In turn, executives and boards have to trust that the CISO will be an accurate vessel through which their wishes will be communicated and executed. Just as importantly, they have to trust that the CISO will be honest and transparent in reporting the true security posture of the organization.

The Good & Bad News About Today's Cybersecurity Investment Landscape

DARK Reading article, July 25, 2018

Lots of things keep CISOs up at night. But instead of guessing what CISOs want, investors and vendors should incorporate customer feedback throughout product ideation and development cycles.

Cyberwar: What happens when a nation-state cyber attack kills?

ZDNet article, from July 24, 2018

A cyber attack that kills someone is getting ever more likely. What happens then is a big -- and scary -- question.

The increasing sophistication and power of state-backed cyber attacks has led some experts to fear that, sooner or later, by design or by accident, one of these incidents will result in somebody getting killed.

It might sound far-fetched, but a former head of the UK's intelligence agency has already warned about the physical threat posed by cyber attacks and the potential damage they could do.