Interpreting Texas' New Data Privacy Law

Effective July 1, 2024

The data privacy landscape for Texans and for businesses operating in the state has changed significantly. The Texas Data Privacy and Security Act (TDPSA), which took effect on July 1, 2024, is comprehensive legislation that grants individuals new rights over their personal information.

Businesses are now responsible for reviewing their data practices and ensuring compliance with the TDPSA. This may involve updating privacy policies, implementing processes for handling consumer requests, conducting data protection assessments, and revising contracts with third parties. The Texas Attorney General has the authority to enforce the law, and businesses that violate the TDPSA could face civil penalties. As Texas residents become more aware of their new rights and companies adapt to these changes, the TDPSA is poised to reshape how personal data is handled in the state.

Your New Rights Under the TDPSA:

  • Right to Know: You have the right to know what personal data a company collects about you and how it’s being used.
  • Right to Correct: You can request corrections to any inaccurate personal data a company holds.
  • Right to Delete: You can ask companies to delete the personal data that they have collected.
  • Right to Access: You can request a copy of your personal data in a portable format.
  • Right to Opt Out: You can opt out of the sale of your personal data, of targeted advertising, and of profiling that feeds decisions producing legal or similarly significant effects concerning you.

Who Does the TDPSA Apply To?

The TDPSA applies to any person or business that conducts business in Texas or produces a product or service consumed by Texas residents, and that processes or engages in the sale of personal data. Unlike several other state privacy laws, the TDPSA sets no minimum number of consumers a business must handle before it is covered; instead, it exempts small businesses as defined by the U.S. Small Business Administration, although even a small business must obtain consent before selling sensitive data.

What is Considered Personal Data?

Personal data is any information that is linked or reasonably linkable to an identified or identifiable individual. This includes sensitive data such as racial or ethnic origin, religious beliefs, genetic data, biometric data, health information, and sexual orientation.

How Can You Exercise Your Rights?

You can exercise your rights under the TDPSA by submitting a request directly to the company through the method it describes in its privacy notice. The company must respond without undue delay and no later than 45 days after receiving the request; it may extend that period once by a further 45 days when reasonably necessary, provided it tells you why.

What Happens if a Company Violates the TDPSA?

The Texas Attorney General has exclusive authority to enforce the TDPSA; there is no private right of action. Before bringing an action, the Attorney General must give the company written notice of the violation, and the company has 30 days to cure it. Uncured violations can draw civil penalties of up to $7,500 per violation, along with injunctive relief.

What Should Businesses Do to Comply?

Businesses should review their data practices and update their privacy policies to comply with the TDPSA. This may involve implementing processes for handling consumer requests, conducting data protection assessments, and revising contracts with third parties.

Key Takeaways:

  • The TDPSA gives Texas residents significant new rights over their personal data.
  • Businesses need to understand and comply with the TDPSA’s requirements.
  • If you’re a Texan, know your rights and how to exercise them.

For further information, you can visit the Texas Attorney General’s website: https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/texas-data-privacy-and-security-act

 

Author: The Sensei of AI Governance and Risk Management

James K. Sayles, Sr. Director of Advisory Services, AI and Cybersecurity

Certified Chief Information Security Officer (CCISO), Certified AI Professional, CIA, CISA, CCIE, CCAE, CCISP, CRISC, CIPP, CFE, CISM

James is a Senior Director at CyberOne, specializing in AI Governance and Model Risk Management, GRC, and Cybersecurity Strategy. With extensive experience in the field, James is a certified AI/GRC executive and fellow, ensuring cybersecurity and business alignment and the responsible and ethical use of AI technologies.

 

CISOs in the Boardroom: A Strategic Imperative in the Age of Artificial Intelligence

In today’s rapidly evolving digital landscape, cybersecurity is no longer just an IT concern. It’s a critical business risk that demands the attention of the highest levels of leadership. While a technically oriented Chief Information Security Officer (CISO) excels at understanding the intricate details of cybersecurity systems and vulnerabilities, a business-minded CISO brings a broader perspective. They can effectively communicate cybersecurity risks in terms of business impact, aligning security initiatives with overall organizational goals. This ensures that cybersecurity investments are not just seen as cost centers but as strategic enablers for growth and resilience. In contrast, a purely technical CISO might struggle to translate technical jargon into actionable business insights, potentially leading to misalignment between security and business objectives. As cyber threats become increasingly sophisticated, particularly with the rise of artificial intelligence (AI), the value of having a CISO in the boardroom is undeniable.

Inviting your CISO to sit on your board offers your organization a host of advantages. A CISO on the board provides strategic oversight, helping to ensure that AI adoption and cybersecurity stay aligned with the company's overall goals, and bolsters investor confidence by showing that the board has the expertise to safeguard against current threats. As a board member, your CISO can help the rest of the board understand and navigate AI-related risks such as model bias and data privacy. In addition, your CISO can:

  • Keep the board informed. A CISO on the board gives you a direct line to the latest cyber threats, including AI-powered deepfake attacks and AI-driven phishing. Their risk assessment expertise helps the board evaluate the potential impact of these threats on operations, reputation, and financial stability, and make better-informed decisions about cyber investments and strategy.
  • Align cybersecurity with business objectives. By understanding the business context, a CISO can focus security effort on the most critical assets and processes and turn security into a competitive advantage.
  • Navigate the interplay between security, compliance, and business operations, fostering a security culture that permeates the entire organization.
  • Build strong relationships with other executives and board members, advocating for cybersecurity as a core business function.

 

How CISOs can ask for a seat at the table

As a CISO, it’s essential to communicate in the language of the board. Quantify cyber risk in financial terms and use real-world stories and examples to illustrate the potential damage of cyberattacks. By aligning cybersecurity with business goals and demonstrating a return on investment, you can effectively highlight the value proposition of your role. It’s also important to emphasize the growing sophistication of AI-powered threats, showcasing AI’s role in proactive defense to underscore the importance of your expertise in today’s rapidly evolving threat landscape.

 

Author: The Sensei of AI Governance and Risk Management

James K. Sayles, Sr. Director of Advisory Services, AI and Cybersecurity

Certified Chief Information Security Officer (CCISO), Certified AI Professional, CIA, CISA, CCIE, CCAE, CCISP, CRISC, CIPP, CFE, CISM

James Sayles is a distinguished senior leader with over 25 years of expertise in strategic cybersecurity and intelligent automation across financial services, healthcare, technology, energy, and oil and gas sectors. He has worked with prominent organizations, including Deloitte, Microsoft, IBM, Capgemini, and the Royal Dutch Shell Group of Companies. His executive experience covers cybersecurity, AI strategy, AI governance and model risk management, and eGRC strategy. Mr. Sayles has held pivotal roles such as Chief Information Security Officer, AI Governance Officer, Chief Risk and Compliance Officer, Chief Audit Executive, eGRC Strategist, and Advisor to corporate boards. An entrepreneur at heart, he drives innovation through ethical and secure AI systems. 

Recognized as a thought leader and Fellow in his field, he is dedicated to helping organizations achieve long-term, sustainable success from the server room to the boardroom.

 

Maximizing Microsoft Copilot’s AI Potential: A Strategic Guide

The tech world has been buzzing about Microsoft Copilot over the past 12 months – and for good reason. The technology has the potential to enhance the way you work, as well as your experience within Microsoft 365. An AI-powered tool, Copilot offers personalized assistance by harnessing the power of diverse data sources, including your Microsoft 365 data, large language models (LLMs), and custom data sources. Copilot generates human-like text and seamlessly performs various tasks.

As you seek to integrate Copilot into your operations, the following guidelines and best practices can help you maximize its value and ensure a seamless, secure, and successful deployment.

 

Understanding the Architecture

As you begin your implementation plans, it may help to first understand its architecture. Copilot’s architecture is a sophisticated blend of Microsoft Graph, LLMs (like GPT-4), Azure OpenAI Service, semantic indexing, and seamless integration with Microsoft 365 apps. This powerful combination enables Copilot to understand your context, anticipate your needs, and provide tailored assistance across different applications.

 

Don’t Underestimate the Importance of Data Governance

Data governance is the cornerstone of a successful Copilot deployment. It ensures that the controls for data quality, privacy, and ethical use are operationally effective. Comprehensive, well-structured data governance practices are required to protect sensitive information, prevent misuse and legal exposure, and maintain user trust.

 

Data Management and Access Controls

Data management and classification are key to managing Copilot's access to sensitive data. By categorizing data according to sensitivity, organizations can apply granular access controls and tiered security measures, so that Copilot surfaces only information the requesting user is authorized to see. Access controls are implemented through several mechanisms working together: Microsoft Purview, role-based access control (RBAC), data loss prevention (DLP) policies, sensitivity labels, encryption, and restricted SharePoint search. Copilot honors the permissions a user already holds, so the practical risk is not Copilot bypassing controls but Copilot making content that was already over-shared easy to find; reviewing broad grants such as "Everyone" or "Everyone except external users" on SharePoint sites before rollout is the single most effective preparation.

 

Key Considerations for Structured and Unstructured Data

Organizations must assess the various structured and unstructured data formats Copilot will encounter. Leveraging natural language processing (NLP) techniques is essential for extracting insights from unstructured data like emails and documents. In some cases, structuring unstructured data can facilitate analysis and integration with structured data sources.

 

Preparing for Microsoft Copilot: CyberOne’s Microsoft Copilot Readiness Assessment Services

A comprehensive readiness assessment is essential before deploying Microsoft Copilot. The assessment establishes a data governance framework, implements strict access controls, and evaluates the data sources Copilot will draw on, prioritizing sources that are high-quality, relevant, and correctly permissioned. Copilot is not retrained on your tenant's data; it grounds its answers in what Microsoft Graph and the semantic index can reach at query time, so keeping those sources current and well labelled, and monitoring them continuously, is what keeps its output accurate and relevant.

 

The Road Ahead

By understanding the architecture, embracing data governance, and conducting a thorough readiness assessment, organizations can unlock Microsoft Copilot’s full potential. This AI-powered tool is poised to transform how we work, enhancing productivity, streamlining workflows, and empowering users to achieve more. Remember, Microsoft Copilot is not just a tool; it’s a strategic asset that can drive innovation and efficiency across your organization.

 

Author: The Sensei of AI Governance and Risk Management

James K. Sayles, Sr. Director of Advisory Services, AI and Cybersecurity

Certified Chief Information Security Officer (CCISO), Certified AI Professional, CIA, CISA, CCIE, CCAE, CCISP, CRISC, CIPP, CFE, CISM

James is a Senior Director at CyberOne, specializing in AI Governance and Model Risk Management, GRC, and Cybersecurity Strategy. With extensive experience in the field, James is a certified AI/GRC executive and fellow, ensuring cybersecurity and business alignment and the responsible and ethical use of AI technologies.

 

Creating a Healthy Cybersecurity Culture in Your Organization

Today's dependence on technology makes security a necessity. A quick scan of the news supplies the latest breach of the day: yet another tale of how an attacker bypassed an organization's security layers to reach customer data.

Protecting your organization's assets involves more than emphasizing cyber hygiene or setting and forgetting tools and technology. You need a culture that embraces cybersecurity, one that keeps cybersecurity top of mind among all your employees, top to bottom. Employee behavior plays a critical role in an organization's cyber resiliency, because most breaches involve a human element. With nearly three-quarters of data breaches involving error, privilege misuse, use of stolen credentials or social engineering, it's clear that organizations need to address not just the technology element but also the human element when building a cybersecurity culture.

 

What defines a cybersecurity culture? What does it look like? 

Every organization has a security culture, the question is whether yours is healthy or unhealthy. A healthy cybersecurity culture is holistic and includes cyber hygiene, tools, and security awareness. Getting there means diving into the values that drive how people should think about and approach security within an organization. These values are shaped by the goals, structure, policies, processes, and leadership of the organization. A healthy, effective cybersecurity culture is one in which every person – top to bottom of the company – values cybersecurity and is motivated to make it better. They get why it’s important and see themselves as part of the solution. Fostering a strong cybersecurity culture ensures that employees are aware of the risks and understand how to respond to or report such risks. 

 

Developing the right culture is a continuous process 

Culture shifts start from the top – leadership action more than speeches set the tone. When the C-suite and directors role model transparency, accountability and cyber smarts in their own practices, it manifests across the entire company. Culture is the goal, not a simple step. You don’t just flip a switch to change a culture to develop the right behaviors around cybersecurity – it’s a process that gets baked into your organization.

As your team embarks on creating real, long-lasting change in developing a cybersecurity culture, be sure it includes:

  • Secure organizational buy-in that starts at the top. Ensure senior leadership is committed to cybersecurity and sets a strong example by actively promoting and following security policies and processes.
  • Develop clear and comprehensive security policies, guidelines and best practices, and make sure they are updated and communicated regularly.
  • Encourage reporting of security concerns, including simple incident reports. Create an environment where employees feel comfortable raising concerns without fear of reprisal.
  • Regularly test your incident response plan, ensuring that all employees know how to report security incidents and that there are clear steps for containment and recovery.
  • Include social engineering awareness in your drills and exercises. Train staff to recognize and resist tactics such as phishing, baiting and tailgating, and run exercises that simulate real-world threats to test your organization's readiness.
  • Maintain open lines of communication about cybersecurity matters.
  • Celebrate successes, using rewards and positive reinforcement to sustain the culture.
  • Make security engaging. Consider gamifying monthly training or adding other lighthearted elements so people don't roll their eyes at yet another security training.
  • Extend the culture beyond the workplace. Encourage discussion of good security habits at home to protect families as well, and provide resources and training for employees' families.
  • Communicate transparently, especially around incidents. Breach notifications sent to customers should be shared internally too. Discuss outage root causes without blame or punishment, and learn from incidents by updating controls rather than instilling fear.

 

CyberOne Viewpoint: 

We cannot overstate the foundational importance of human-centric security. Technical controls will fail without an organizational culture that makes cyber risks everyone’s responsibility. Many boards continue grappling to motivate employee behaviors amid rapid digitization. At CyberOne, we guide clients to invest in their people first through policies that empower and educate, backed by resilient systems that support the business.

In summary, building a robust cybersecurity culture requires a multilayered approach with buy-in across the organization. It’s an ongoing initiative that requires constant reinforcement through policies, training, and leadership exemplification. By making security second nature to staff, you vastly improve resilience against cyber threats. The human layer is the first line of defense for any organization.

 

About the Author

Ricky Allen is the Field CISO for CyberOne Security, an ISSA Fellow, where he provides security architecture design and leadership management for customers across the country. Allen was President of the South Texas ISSA chapter, and he holds certifications in SABSA Security Architecture, CISSP, CISA, and Six Sigma. Previous roles include time at Accenture as an executive in their strategic information security consulting practice and at HP Enterprise Security Products as the Practice Lead for developing Security Operations programs for ArcSight SIEM products. Allen was focused on retail and manufacturing industries while at PwC where he managed penetration testing and risk assessments for companies across the US. He has presented at conferences such as BSides, Black Hat, API Cybersecurity, HOU.SEC.CON, SANS, SecureWorld, and Data Connectors. Allen is based in Houston, TX and earned a degree in Management Information Systems from Texas A&M University.

 

The Cost of Cyber Defense: An Investment You Can’t Afford Not to Make

Make no mistake: investing in cybersecurity is critical to the health of your entire organization. Once viewed as an IT issue, cybersecurity has evolved to become an organizational issue. While the investment spans technology, personnel, and training, these costs are frequently dwarfed by potential financial and reputational losses.

Cyber threats continuously evolve, advancing in complexity and frequency at a rate that demands consistent, adequate security budgets to stay ahead of the curve. Just as medical checkups and preventative health underpin personal wellbeing, proactive cybersecurity investments are essential to organizational health and resilience.

Most organizations know they need cybersecurity. They understand that a positive cybersecurity posture helps protect sensitive data, satisfy regulatory and legal requirements, ensure business continuity, protect the organization’s reputation in the event of an attack, shore up the supply chain, and reduce insurance costs, among other things. When thinking about your cyber defense, it’s crucial that your executive team understands that it’s not a matter of “if” but “when” you’ll get hit. And when it does, it’s going to cost you – big – as cyberattacks are increasing in both frequency and cost. For example: 96% of organizations were targeted by an email-related phishing attempt in 2021, and predictions are that by 2031, ransomware will cost victims $265 billion, with attacks occurring every 2 seconds.

Despite the risks, security teams still struggle to get the funding necessary to create a robust cybersecurity posture. CISOs looking to justify their cybersecurity budgets need ways to prove return on investment, provide metrics for measuring success, and ensure continued value. Therefore, it’s critical you present the case for robust cybersecurity in a compelling fashion. 

As you prepare your business case, as a starting point, be sure you:

Highlight the need in terms of the total cost of a data breach. The average global cost of a data breach in 2023 was more than $4 million USD (far more than a typical cybersecurity budget request), a 15 percent increase over the previous three years, and breaches in the U.S. are much more expensive than elsewhere, averaging just over $9 million. Costs go well beyond breach containment and remediation: they include downtime, legal expenses, regulatory fines, lost business, and long-term costs such as repairing your reputation. Costs are expected to keep rising, so that trend belongs in your request. Include examples or case studies of what could happen if your organization does not act.

Focus on the ROI of your cybersecurity request, not just the costs. Everyone loves data, and your key decision makers are no exception. Cybersecurity is an investment and you will need to present what the line items entail, but don't stop at the costs: present the whole picture, including an estimated ROI. Express it as the benefit net of the cost, that is, ROI = (net gain minus cost of investment) divided by cost of investment, where:

  • Net gain from your investment, including monetary benefits or cost savings realized as a result of the cybersecurity investment. Alternatively, you could use reduced losses from security incidents, costs avoided from data breaches or increased efficiency as the result of improved security measures.
  • Cost of investment, including all costs associated with implementing and maintaining your investment such as initial costs of software and hardware, operational costs, training costs and other cybersecurity-related expenses.

It’s important to note that calculating an exact ROI can be challenging. Some benefits, such as preventing a potential attack, can be difficult to quantify in monetary terms. And some costs may be over an extended period of time, making it important that executives understand the long-term impact of cybersecurity. To gather data that’s as accurate as possible, consult with finance and cybersecurity professionals.

Determine quantifiable metrics for how you will track and measure the investment. Set a clear direction, present a solid case for how the budget request will reduce risk, and define the metrics up front; then show how you will track risk reduction over time. One approach is to compare your organization's risk score against the industry average for your peers and competitors. If the organization starts at a score of X, re-measure after the proposed service or solution is implemented (every six months, say) so the reduction in risk is visible. Comparing your own trend with the industry average highlights broader risk trends and shows how your organization stacks up; if you score better than your peers, you have helped make the case for the investment.

While many factors go into making a business case for cybersecurity, the information above can serve as a starting point. Increasingly complex security challenges and a dynamic threat environment mean you need a strong and agile security planning, programming and budgeting process. Pairing the benefits and ROI of your proposed investment with the realities of what will happen if you don't make the commitment should help your decision makers understand that an investment in cybersecurity is one they can't afford not to make.

CyberOne Viewpoint: 

By quantifying potential breach costs and disaster recovery readiness using data-driven metrics tied directly to business outcomes, security leaders make an ironclad case for critical budget increases. These lifesaving investments across people, process and technology controls act as insurance policies against exponentially rising risks in an interconnected world.

Much like dutifully paying insurance premiums amid calm waters, executives must dedicate steady security funds now before the storms hit. Cybercrime costs the world economy over $1 trillion already, yet the majority of successful attacks exploit known unpatched vulnerabilities. Clearly organizations continue underestimating the havoc from being ill-prepared – a status quo that must change immediately.

Forward-looking leaders across healthcare, retail, government and other breach-prone sectors now rightfully elevate cybersecurity to a board-level concern vital to sustaining operations. They understand addressable security gaps can no longer be the weakest link that brings hostile forces past the gates. Just one destructive breach can fatally undermine customer trust, shareholder value and an organization’s foundational mission.

By heeding security’s call to action and dedicating adequate, consistent investment into defense today, organizations globally can collaboratively reach safe harbors tomorrow. Now is the time for cyber resilience to become every executive’s shared priority before the preventable occurs.

 

About the Author

Ricky Allen is the Field CISO for CyberOne Security and an ISSA Fellow; his biography appears under the previous article.

 

Multifaceted Approach Needed to Combat Today’s Insider Threats

Your organization has made numerous investments to protect against external threats. But what about internal threats?

Threats today aren't only external; companies also face challenges detecting and mitigating a wide range of internal threats. These come from individuals with legitimate access to your organization's network who might use that access in a way that damages the company: disgruntled employees or those with malicious intent, employees willing to sell your data to nation-state actors or competitors to make a quick buck, or the rogue software developer looking to take your company's intellectual property along to their new start-up. And we cannot forget the threats that stem from employee mistakes, carelessness, or lack of knowledge.

Growing Risks and High Costs of Insider Threats

Your internal threat risk is growing, and it is costly. A recent report found that 74% of companies are at least moderately vulnerable to insider threats, with an average cost to an organization in 2023 of $15.38 million.

Many companies have controls in place, which may include a data loss prevention (DLP) tool, native audit logs to see who’s touching the files, or properly configured firewalls/edge controls. But it’s imperative to have a multifaceted approach as your highly technical individuals typically know where your technical controls exist and likely can find a way around those individual controls. Some organizations have even reported instances of individuals taking photos of files with their phones, a scenario in which your DLP tools or alerts won’t protect you.

Strategies to mitigate insider risks:

  • Enhance Audit Logging: Collect native audit logs from wherever you store data, whether OneDrive or an on-prem network attached storage device, and feed them to a product such as Varonis that analyzes those logs in near real time. The built-in user behavior analytics in such tools establish what normal looks like for each user and spot deviations: for example, "this person touched 1000% more files today than they did previously" (say, opening large numbers of files to photograph them with a smartphone). That deviation raises an alert, which can be configured to kick off a script that locks the user's account and stops the threat.
  • Least-Privilege Access Model: Implement a least-privileged model where employees only have access to the files and applications required to do their daily duties. With a least-privileged model and privileged account management you can leverage those accounts to put procedures in place to control who has access to your company’s most important data. 
  • Cloud Access Monitoring: Leverage a cloud access security broker (CASB) to give you controls to make sure that only a corporate device or a company-approved device can touch the data. Having a CASB in place can act as the gatekeeper on who is or is not allowed in, and what data they’re allowed to access, dependent upon whether they access from a company resource or not.
  • Use Security Awareness Training for Insider Detection: Ensure you have a good security awareness program in place. Education is key to teaching team members which scenarios can occur and how to respond. For example, one of our employees received a message that appeared to come from a colleague but from a number with a 412 area code. Realizing something seemed off, they looked up the coworker's cell number, saw a completely different area code, and knew it was an impostor.
  • Create Anonymous Reporting Channels: Implement a hotline or other confidential communication channel for employees to report anonymous tips. That way, if they see something and want to say something, they won’t be concerned about retribution.
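The burst detection the "Enhance Audit Logging" bullet describes, as an added example that is not CyberOne's or Varonis's code: a small Python script that builds a per-user baseline of daily file touches from audit log lines, flags a user whose count on the target day is ten times or more their median prior day, and handles the two edge cases a real UBA rule has to get right, a brand-new account with no history to compare against and low absolute volumes that should never alert. The log line format, the user names, the thresholds and the sample data are all constructed for illustration.

```python
"""Flag insider-threat style bursts of file access in audit logs (added example)."""
from collections import defaultdict
from datetime import date
from statistics import median


def _day(user, day, n, root="/finance"):
    """Build n constructed audit lines for one user on one day (sample data only)."""
    return [f"{day},{user},read,{root}/doc{i:03d}.pdf" for i in range(n)]


def build_sample_log():
    """Constructed sample log, not real data. Assumed format: YYYY-MM-DD,user,action,path."""
    lines = []
    for d in range(1, 8):                       # alice: steady 4 files/day for a week...
        lines += _day("alice", f"2024-05-{d:02d}", 4)
    lines += _day("alice", "2024-05-08", 80)    # ...then 80 on the last day (burst)
    for d, n in zip(range(1, 9), [10, 12, 9, 11, 10, 13, 10, 14]):
        lines += _day("bob", f"2024-05-{d:02d}", n)   # bob: noisy but no burst
    lines += _day("carol", "2024-05-08", 30)    # carol: new account, no history
    for d, n in (("06", 1), ("07", 1), ("08", 3)):
        lines += _day("dave", f"2024-05-{d}", n)       # dave: 1 -> 3 files, too small to matter
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()
TARGET_DAY = date(2024, 5, 8)


def parse_log(text):
    """Parse 'date,user,action,path' lines; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",", 3)
        if len(parts) != 4:
            continue
        try:
            day = date.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((day, parts[1], parts[2], parts[3]))
    return records


def daily_file_counts(records, actions=("read", "write", "download")):
    """Count the distinct files each user touched per day."""
    touched = defaultdict(set)                  # (user, day) -> set of paths
    for day, user, action, path in records:
        if action in actions:
            touched[(user, day)].add(path)
    counts = defaultdict(dict)                  # user -> {day: distinct file count}
    for (user, day), paths in touched.items():
        counts[user][day] = len(paths)
    return counts


def detect_bursts(counts, target_day, ratio=10.0, min_files=20):
    """Return users whose target_day file count is >= ratio x their baseline.

    Baseline is the median of the user's prior active days. Users with no
    history are flagged on the absolute floor alone, since there is nothing to
    compare against. Counts below min_files never alert, so 1 -> 3 is ignored.
    """
    alerts = {}
    for user, per_day in counts.items():
        today = per_day.get(target_day, 0)
        if today < min_files:
            continue
        history = [n for d, n in per_day.items() if d < target_day]
        if not history:
            alerts[user] = {"today": today, "baseline": None,
                            "ratio": None, "reason": "no_history"}
            continue
        baseline = median(history)
        r = today / baseline
        if r >= ratio:
            alerts[user] = {"today": today, "baseline": baseline,
                            "ratio": r, "reason": "burst"}
    return alerts


def run_sample():
    """Run the pipeline over the constructed log for the target day."""
    return detect_bursts(daily_file_counts(parse_log(SAMPLE_LOG)), TARGET_DAY)


if __name__ == "__main__":
    for user, info in run_sample().items():
        print(user, info)                       # alice (burst) and carol (no_history)
```

In practice the alert dictionary is what you would hand to the response script that disables the account; the script itself is deliberately out of scope here because the right command depends on your identity provider. The median baseline is chosen over the mean so one earlier spike does not mask a later one, and the absolute floor is what keeps the rule from paging you every time a low-volume user opens a handful of files.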


At CyberOne, we firmly believe that organizations should adopt controls based on their security condition level (SECCON) to reasonably achieve security objectives.  We recommend Insider Threat monitoring at multiple layers to help quickly identify, detect, and respond to common threats.  We are excited to expand the conversation, contact us at info@cyberonesecurity.com.

 

Authored by Scott Wright, Senior Security Solutions Architect

The Securities and Exchange Commission Continues to Enforce Cybersecurity Controls for Publicly Traded Companies

Background

The Securities and Exchange Commission (SEC) continues to convey the importance of cybersecurity for publicly traded companies by finalizing rules that require disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant's cybersecurity risk management, strategy, and governance in annual reports. In my opinion, the effect is to strengthen, enhance, and standardize a registrant's cybersecurity controls and to reduce inaccuracies in the financial statements its information systems produce.

SEC Rule Interpretation

What does this mean for publicly traded companies? Before I interpret the final ruling, I would like to emphasize the Commission’s dedication to effective cybersecurity risk and controls for publicly traded companies. In fact, as far back as 2011, the Division of Corporation Finance issued interpretive guidance providing its views concerning operating companies’ disclosure obligations relating to cybersecurity. In 2018, the Commission also issued interpretive guidance to public companies on fulfilling their obligation to take all required actions to inform their investors and the investment community about significant cybersecurity risks and incidents in a timely manner. So, the direction and intent of the Commission regarding cybersecurity risk and controls management should come as no surprise to companies.

Now, the interpretation. In their periodic disclosures, publicly traded companies must:

  1. Report a material cybersecurity incident within four business days after determining that such an incident is material.
  2. Describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, and whether those risks are reasonably likely to materially affect their business strategy, operations, or financial condition.
  3. Disclose their cybersecurity governance practices, including the board’s oversight of cybersecurity risk and management’s process to manage, monitor, detect, mitigate, and remediate cybersecurity incidents.
  4. Comply with the cybersecurity incident reporting obligations 90 days after publication in the Federal Register or by Dec. 18, 2023, whichever is later.
  5. Smaller reporting companies receive an additional 180 days to comply with the final rule.

In my analysis of the final rule, it is well aligned with other incident reporting rules and improves a public company’s ability to mitigate its cybersecurity risks and prevent financial statement inaccuracies. Additionally, the rule helps a registrant avoid having to restate its financial statements or, more importantly, a reduction in investor confidence.

The Pathway Forward

In closing, companies shouldn’t see the Commission’s rules and requirements as an additional burden of cybersecurity risk management; rather, they should see them as a means of improving their risk and control processes, increasing investor confidence, and providing some level of competitive advantage. My recommendations for adhering to the rule requirements are:

  1. Cybersecurity leaders should ensure that their cybersecurity program is well aligned with business objectives and strategies. Too often, I see cybersecurity programs and business strategies move in totally opposite directions, resulting in a lack of inclusion, oversight, and awareness of the latest security threats.
  2. Chief Information Security Officers and Chief Information Officers should have a say in boardroom discussions regarding cybersecurity and information risk management. The Commission expects the Board of Directors to be well informed regarding cybersecurity matters. The most effective way of getting that information is direct and periodic communication with IT leaders.
  3. Build an effective governance and compliance program that aligns not only with the SEC requirements but also with other applicable regulations. When complying with federal mandates, an effective compliance program is key.
  4. Develop and implement effective cybersecurity control procedures based on industry standards (e.g., the NIST Cybersecurity Framework or its 800-series publications, ISO cybersecurity and risk management standards, etc.). Risk assessment and management strategies should be defined, aligned, and disseminated across the organization, and, most relevant here, incident response policies and procedures should be implemented and kept current. These controls should be tested on frequent cycles, with gaps documented and corrective actions performed in a timely manner.
  5. Internal Audit and Cybersecurity teams should be tightly integrated. This ensures that governance, risk, and compliance processes are implemented, controls are tested, and remediation is performed in a timely manner.

 

By:

James Sayles, BS, MBA, DDiV
GRC-Fellow/Professional, Certified Information Security Officer, CISSP, CGEIT, CISM, CRISC, CIA, CISA, CFE, CIPP-US/EU
Sr. Director, Advisory Services – CyberOne Security

Where Are All the Entry-Level Cybersecurity Jobs?

Ten tips for finding your first job by building up your cybersecurity knowledge and experience.

Congratulations to the class of 2023, and welcome to the job market! If you’re interested in cybersecurity, you may be frustrated that most entry-level positions require two to three years of experience. And if everything requires experience, then nothing is really an “entry-level job,” right?

It leaves you wondering: WHERE ARE ALL THE JOBS? 

Here’s what’s going on. Hiring companies normally post jobs seeking an “entry-level expert” in cybersecurity. They are looking for someone with a combination of technical product knowledge and experience performing investigations, troubleshooting, and response activities. 

You may not have these skills right out of the gate, so here are 10 ways you can build your cybersecurity resumé:

  1. Gain Baseline Knowledge in Cybersecurity.
    At a minimum, you should have the Security+ Certification from CompTIA. These topics are some of the most important aspects within the industry, and prospective employers want you to know the basics. The Security+ certification provides a basic understanding of the terms, concepts, and approaches you will need for day one. This is non-negotiable and is a necessary certification to get started in this industry.
  2. Get Cloud Certified.
    Cloud technology is the core of every IT department, and it is critical for you to understand. Whether you want to be a developer, auditor, analyst, or consultant, you need to know cloud-related terms and approaches. Amazon, Azure, and Google all offer free introductory courses for understanding their cloud platforms and the basics of security. Earning their initial certifications or accreditations is necessary to prove your knowledge.
  3. Train on a Leading Technology.
    In addition to cloud knowledge, having a specific platform skill is a game-changer for your resumé. Increasing your knowledge and experience with the largest companies in cybersecurity will never fail. You can get in on the ground floor with these companies as an engineer or analyst who helps respond to alerts, works help desk tickets, and manages users, but you won’t be given full administration rights on day one. Leading companies such as Microsoft, Palo Alto Networks, Fortinet, Okta, Splunk, Proofpoint, CyberArk, Trellix, SailPoint, and Cisco all have platforms in use by a majority of Fortune 1000 corporations, and there are positions open to help run and manage these environments. Many of the cybersecurity companies mentioned above offer free training or a test drive of their products and platforms to help you prepare.
  4. Focus on Operations.
    ITIL certifications are rare these days. ITIL is an adaptable framework for managing cybersecurity. Having an ITIL approach to platform management really shows that you have your act together and separates you from the pack.
  5. Seek Out Advice.
    Join a local association meeting and start networking within the industry. Ask questions to determine what real security managers need in their departments. Associations such as ISSA, ISACA, and CSA are great places to start. Ask about mentor programs or other ways to get involved to meet members in the community.
  6. Start at the Help Desk.
    This has long been the best in-road for getting started in the IT industry by understanding the company, its requirements, and the technologies it has in place. This position allows you to work with a variety of users and provides an opportunity to understand the overall skill level needed to succeed.
  7. Consider Temp or Contract Work.
    Companies are constantly looking for temporary staff members to fill openings when they cannot justify a full-time position. Leveraging a temporary placement will help you get the real-world experience you need and allow you to show off your skills to the hiring manager.
  8. Remember, Your First Job Won’t Last Forever.
    Companies make a sizable investment in your first year of employment and do everything possible to reduce the cost of your position. Think of your first few years as a part of your job search, and put in the extra hours at a consulting firm or systems integrator to get some of the best training possible for success later in your career.  You may be up for a career change or find your niche in a particular area of IT.
  9. Show You Can Train Yourself.
    Online training is practically free, and it is a critical requirement for anyone hoping to join a cybersecurity team. There is an abundance of online providers, and training in cybersecurity has never been more accessible. Look for deals from StackSocial. You can get a full bundle of certifications for less than $50. Employers will know that you are able to quickly onboard to new technologies and teach yourself versus waiting for expensive in-person training.
  10. Attend Local Cybersecurity Conferences.
    Student rates are often available, making it inexpensive to attend local cybersecurity events. Learn about the latest industry trends, understand and speak with the vendors, network with others in the space, and have a good time. You may need to contact the conference manager directly to ask for a discount code, student rate, or even volunteer to help with the event.

These tips for finding entry-level cybersecurity positions will prepare you with the skills you need to get a foot in the door and have a successful career in cybersecurity. Hiring managers are looking for ambition, fast ramp-up times, and knowledge about existing products. While the job market for new graduates may seem tight, it still has advantages. If you’re willing to do the work to stand out, you will have a better chance of hearing that you’re the best candidate for the position.  

 

About the Author

Ricky Allen, an ISSA Fellow, is the Field CISO for CyberOne Security, where he provides security architecture design and leadership management for customers across the country. Allen was President of the South Texas ISSA chapter, and he holds certifications in SABSA Security Architecture, CISSP, CISA, and Six Sigma. Previous roles include time at Accenture as an executive in their strategic information security consulting practice and at HP Enterprise Security Products as the Practice Lead for developing Security Operations programs for ArcSight SIEM products. Allen focused on the retail and manufacturing industries while at PwC, where he managed penetration testing and risk assessments for companies across the US. He has presented at conferences such as BSides, Black Hat, API Cybersecurity, HOU.SEC.CON, SANS, SecureWorld, and Data Connectors. Allen is based in Houston, TX and earned a degree in Management Information Systems from Texas A&M University.

 

What’s New with NIST 2.0 Cybersecurity Framework?

A look at upcoming changes to the standards, guidelines, and practices that organizations of every size need to manage and reduce cybersecurity risk.

By Glenn Sweeney
vCISO at CyberOne Security

 

The NIST Cybersecurity Framework was originally created in 2014 to give federal users a common standard by which to measure their cybersecurity assessment efforts. Since then, the framework has evolved to include corporate users, who have had ongoing input into its content. The NIST Cybersecurity Framework is a living document that is regularly refined and improved based on stakeholder feedback to keep pace with changing technology and threat trends.

As a vCISO at CyberOne Security, I actively participate in discussions to help improve the NIST Framework. The scope of CSF 2.0 will cover all organizations across government, industry, and academia to boost its broader use. As stated in the current NIST 2.0 concept paper, a primary goal of cybersecurity measurement and assessment is to determine how well an organization is managing cybersecurity risk, and if and how they are continuously improving. Following are four areas that are being updated to make NIST 2.0 more robust for federal and industry users:

  1. A New “Govern” Function Will Be Added to Core

The NIST Framework Core formerly consisted of five continuous functions — Identify, Protect, Detect, Respond, and Recover. The upcoming version will also include “Govern,” which will address the importance of aligning cybersecurity activities with business risks and legal requirements.

In the past, cybersecurity governance was addressed within the “Identify” function. Addressing it as its own function reflects its high importance and allows NIST to go deeper into the topic. The new “Govern” function will cover four areas that are critical to broad defense and recovery, including:

  • Determining the priorities and risk tolerances of the organization, customers, and larger society
  • Assessing cybersecurity risks and impacts
  • Establishing cybersecurity policies and procedures
  • Understanding cybersecurity roles and responsibilities

I like to think of Govern as the foundation of a house. It ensures that the entire infrastructure aligns with organizational policies and legal requirements, so it is more stable and secure from the ground up.

 

  2. Supply Chain Risk Will Be Added to the Identify Function

Technologies and computing services like cloud enable organizations to do business with people and groups all over the world, but they also open enterprises up to third-party vulnerabilities. Feedback from NIST 2.0 respondents makes it clear that supply chains are a top risk. Adding Supply Chain Risk to the Identify function provides an opportunity to go deeper and provide broader guidance on addressing third-party risk. This may include the need for special teams within the organization that are focused on these specific risks. Feedback will inform the final draft of NIST CSF 2.0. You can submit your feedback on this discussion draft at cyberframework@nist.gov at any time.

 

  3. Respond & Recover Will Be Added to Incident Response Management

Artificial intelligence (AI) is one of the newest and most versatile weapons in the arsenal of bad actors, and it serves as a strong reminder that even the best defenses can be breached. Organizations need a well-thought-out recovery plan to limit damage while maintaining business as usual. For this reason, NIST 2.0 is expanding consideration of outcomes in the CSF Respond and Recover functions to include response and recovery management. This section may include subtopics such as indirect mitigation, recovery plan execution, and incident forensics. Content is being changed or added to keep up with new and emerging threats and to ensure that organizations can accurately assess how prepared they are to recover critical assets and sensitive information and keep their businesses running in the event of a breach.

 

  4. Updated Digital Identity Guidelines

Finally, NIST 2.0 will also include revised Digital Identity Guidelines with updates to the CSF’s identity management, authentication, and access control category. Through these updates, NIST 2.0 will provide a roadmap for assessing the strength of your approach to managing identities and access that is more tailored to today’s threat landscape.

In my role at CyberOne Security, I leverage NIST to ensure my assessments are as relevant and thorough as possible. As a participant in the process of updating NIST 2.0, I think these new updates will cover a lot of ground in the ongoing effort to keep up with changes to the threat landscape.

If your organization needs help assessing its current security posture, contact CyberOne for customized exposure management support that prioritizes the unique risks to your business. We can help you develop a strategic and tactical roadmap based on previous assessments of your cybersecurity program.

 

About Glenn Sweeney

Linkedin: https://www.linkedin.com/in/glennbsweeney/

Glenn Sweeney is a successful information security leader with over 20 years of cybersecurity technical and managerial experience supporting many types of industries, from small to large enterprises. He has a passion for helping businesses create a cybersecurity strategy and program using the latest frameworks such as NIST, ISO, IEC, and CIS, giving them the direction they require to succeed in implementing, managing, and administering a proven security program. Glenn holds numerous information security certifications, including Certified Information Systems Security Professional (CISSP), SANS GIAC-GSEC, SANS GIAC Certified Incident Handler, Certified HIPAA Security Expert (CHSE), Certified Cybersecurity Awareness Professional (CCAP), EC-Council Computer Hacking Forensic Investigator (CHFI), and CompTIA Security+.

Does Your Organization Need a Cloud Security Architect? Part 2 of 2

Continuing the thought from my previous blog: Does Your Organization Need a Cloud Security Architect? – CyberOne (cyberonesecurity.com)

Building a Strong Cloud Posture: Key Considerations for Cloud Cyber Architects

When it comes to deploying and managing cloud services, security should be a top priority. In this blog, we will explore three vital aspects that organizations should focus on during the building out of their cloud environment: segmentation, policies (identity-based and organizational), and infrastructure as code (IaC). By understanding the importance of these elements, businesses can enhance their cloud security measures and mitigate potential risks.

Segmentation: A Fundamental Security Measure

One reason organizations separate workloads in data centers, both by geographical location and within a single site, is to satisfy security requirements. For the same reason, cloud environments should also establish segmentation boundaries for workloads. Thinking back to the house analogy in my previous post: a house has doors between various rooms; some of those doors leverage deadbolt locks, while others are secured by children who have simply posted “Stay Out!” on the door. The key takeaway here is that segmentation should be defined to handle various types of sensitive workloads and data. Segmentation is accomplished by leveraging both cloud accounts and cloud objects. Regardless of the chosen CSP (AWS, Azure, GCP, etc.), they all have essentially the same approach for organizing accounts, as well as the same constructs for cloud objects (VPCs, subnets, NACLs, security groups). Organizations typically leverage segmentation to isolate the following environments: Production, Development, and Sandbox, with possibly micro-segmentation taking place within those environments. Mature, security-minded organizations will leverage dedicated accounts for Security and Infrastructure services. Deploying all workloads in a single account, relying on a single VPC/subnet, is suboptimal even for smaller organizations.

Establishing Effective Cloud Policies

After completing the segmentation, it is crucial for the organization to prioritize the establishment of policies for effectively controlling cloud consumption. This sequence matters because cloud policies are formulated primarily around the account and object structures. Three key types of cloud policies exist:

  1. Account policies: These policies are applied at the organizational/account level, providing users with broad controls to limit actions. Examples include enforcing encryption, restricting object deployment to specific regions, and denying high-risk or unapproved cloud services.
  2. IAM policies: IAM (Identity and Access Management) policies define who can perform specific actions and should adhere to the principle of least privilege. They can be used independently or in conjunction with resource-level policies to establish a defense-in-depth posture.
  3. Resource-level policies: These policies limit the actions that can be performed on cloud objects and, like IAM policies, should follow the principle of least privilege.

Leveraging Infrastructure as Code (IaC) for Enhanced Security

One common approach for those new to the cloud is to obtain an account and then deploy objects directly from the CSP console – I’m guilty of this approach myself. IaC, by contrast, offers an organized and discrete manner of provisioning cloud resources. IaC supports automation, agility, auditing, and compliance. IaC also gives security teams the ability to examine what the object owner intends to push to the cloud, aligning with the principles of DevSecOps. Security teams have two approaches for the inspection: manual review of the code, or leveraging cloud-native or third-party tools. Obviously, the manual approach is time consuming, but it opens up opportunities for the security team to see specific aspects of the cloud service that might conflict with organizational policies. Leveraging tools, native or third-party, to perform the review can be beneficial because they provide built-in compliance frameworks. Ideally, organizations should combine both approaches based on contextual insight, allowing for a comprehensive security assessment. Going back to the house analogy, IaC compartmentalizes your cloud environment and allows any reinspection by the security team to consist only of what is being requested to change.
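As an added example that is not CyberOne’s or the author’s code, the following Python script shows the tool-based review described above: it applies the three policy types from the previous section (account-level region, denied-service and encryption guardrails; least-privilege checks on IAM policies; open-principal checks on resource policies) to a proposed IaC change, and re-inspects only the resources that differ from the last approved version. The template shape, resource names, approved regions and denied service type are all constructed assumptions, not any CSP’s real format or any organization’s real policy.

```python
from typing import Dict, List

# Constructed organizational guardrails (assumptions, not a real policy set).
APPROVED_REGIONS = {"us-east-1", "us-west-2"}
DENIED_SERVICES = {"unapproved_db_service"}  # hypothetical high-risk service type


def check_account_policy(res: Dict) -> List[str]:
    """Account-level policy: region restriction, denied services, encryption."""
    findings = []
    if "region" in res and res["region"] not in APPROVED_REGIONS:
        findings.append(f"{res['name']}: region {res['region']} is not approved")
    if res["type"] in DENIED_SERVICES:
        findings.append(f"{res['name']}: service type {res['type']} is denied")
    if res["type"] == "storage_bucket" and not res.get("encryption_at_rest", False):
        findings.append(f"{res['name']}: encryption at rest is not enabled")
    return findings


def check_iam_policy(res: Dict) -> List[str]:
    """IAM policy: flag Allow statements that use wildcard actions or resources."""
    findings = []
    for stmt in res.get("iam_policy", {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{res['name']}: IAM statement allows wildcard actions {actions}")
        if stmt.get("Resource") == "*":
            findings.append(f"{res['name']}: IAM statement applies to all resources")
    return findings


def check_resource_policy(res: Dict) -> List[str]:
    """Resource-level policy: flag statements that grant access to any principal."""
    findings = []
    for stmt in res.get("resource_policy", {}).get("Statement", []):
        if stmt.get("Effect") == "Allow" and stmt.get("Principal") == "*":
            findings.append(f"{res['name']}: resource policy grants access to any principal")
    return findings


def review_resources(resources: List[Dict]) -> List[str]:
    """Run all three policy checks over a list of IaC resources."""
    findings: List[str] = []
    for res in resources:
        findings += check_account_policy(res) + check_iam_policy(res) + check_resource_policy(res)
    return findings


def changed_resources(approved: Dict, proposed: Dict) -> List[Dict]:
    """Re-inspect only resources that are new or differ from the approved template."""
    approved_by_name = {r["name"]: r for r in approved["resources"]}
    return [r for r in proposed["resources"] if approved_by_name.get(r["name"]) != r]


# Constructed templates in a simplified, CSP-agnostic shape.
APPROVED_TEMPLATE = {"resources": [
    {"name": "app-logs", "type": "storage_bucket", "region": "us-east-1", "encryption_at_rest": True,
     "resource_policy": {"Statement": [{"Effect": "Allow", "Principal": {"role": "log-writer"},
                                        "Action": ["storage:PutObject"]}]}},
    {"name": "app-role", "type": "iam_role",
     "iam_policy": {"Statement": [{"Effect": "Allow", "Action": ["storage:PutObject"],
                                   "Resource": "bucket:app-logs"}]}},
]}
PROPOSED_TEMPLATE = {"resources": [
    APPROVED_TEMPLATE["resources"][0],  # unchanged, so it is not re-inspected
    {"name": "app-role", "type": "iam_role",  # widened to full admin
     "iam_policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"name": "scratch-bucket", "type": "storage_bucket", "region": "eu-west-1",
     "encryption_at_rest": False,
     "resource_policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["storage:*"]}]}},
    {"name": "legacy-db", "type": "unapproved_db_service", "region": "us-east-1"},
]}

if __name__ == "__main__":
    for finding in review_resources(changed_resources(APPROVED_TEMPLATE, PROPOSED_TEMPLATE)):
        print("FINDING:", finding)
```

Running the script reports six findings against the three changed resources and none against the already-approved template.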

Final Thoughts

In today’s cloud-driven landscape, prioritizing security is paramount for organizations deploying and managing cloud services. Segmentation, accomplished through the strategic use of cloud accounts and objects, is vital for effectively handling different types of sensitive workloads and data. Establishing effective cloud policies allows for granular control over cloud consumption and fosters a defense-in-depth posture. By embracing IaC, organizations can provision cloud resources in an organized, automated, and compliant manner with effective collaboration between development, security, and operations teams. By combining manual review and tool-based assessments, organizations can achieve a comprehensive security assessment. Embracing these aspects empowers organizations to build a robust and secure cloud environment for their critical workloads.

 

About Marc 

Marc Hall is a senior security architect with CyberOne Security. Marc previously held a variety of roles at Raytheon Technologies over a span of 18 years, focusing on the architecture, design, and development of information systems within various business units, and at Ericsson as a software developer. Over the years he has shaped enterprise cyber and infrastructure cloud strategy, established cybersecurity guardrails for cloud platforms and services leveraging cybersecurity frameworks, designed and developed mission-critical defense systems, managed red teaming exercises targeting defense systems, and researched and developed novel solutions to support customer requirements. Marc is based in Dallas, TX and has a B.S. in Computer Science (University of Texas at Dallas) and an M.S. in Security Engineering (Southern Methodist University).