If you don’t have a reliable and authoritative repository of the devices connected to your network, their posture and the use of privileged accounts, it is difficult to believe that you really have any hope of managing them well to protect your organization’s sensitive information. If you are not managing IT security risk well, it will have an effect on all aspects of enterprise risk. This is why situational awareness needs to be a top enterprise focus.
The first category in the NIST Cybersecurity Framework is “Identify”. The first 5 CIS controls relate to discovery, inventory and posture of endpoints, software and privileges.
The NIST Cybersecurity Framework has five categories for enterprise security: Identify, Protect, Detect, Respond, Recover. There is a lot of focus on Detect and Respond as the new shiny. Let’s be honest, every company should be doing their due diligence in all five of these categories. While traditional protection controls are less effective, we still need to be doing what we can to identify and protect (let’s face it, we used to rely on static antivirus and today it is laughable to suggest static AV is anywhere adequate protection for endpoints).
I’ve heard people say that we don’t need defense in depth, we need to detect in depth. I’m not sure what that means. I agree we need to do a better job of detecting faster and responding better, but we only have two options here, DEFENSE and OFFENSE. I really don’t hear enterprise CISOs suggesting we attack back. Not sure the general counsel would agree on that either.
February 8th, 2018 by John
QC Cybersecurity Alliance worked with the Quad Cities Chamber of Commerce and others in the Quad Cities to develop best practices and guidance for local businesses. Check it out!
http://quadcitieschamber.com/playbooks/cybersecurity
February 8th, 2018 by John
Steve Marino, CISO of Cisco, explains the need for security and business alignment. This is a basic concept we need to embrace, which is why I founded the infosec company Aligned Security: Align, measure, communicate.
January 22nd, 2018 by John
The World Economic Forum has released its annual Global Risks Report, which prominently addresses cyber risk. They’ve also released a Cyber Resilience Report, which comes in two parts: “a reference architecture for public-private collaboration, and cyber policy models.” The playbook, intended to be adaptable to any nation’s values and interests, takes up fourteen policy topics and analyzes them in terms of their impact on five areas: security, privacy, economic value, accountability, and fairness.
January 17th, 2018 by John
Please folks, don’t post passwords on Post-it Notes… especially when you are on TV.