We were curious about what CISOs and security managers have on their minds these days—so we searched around online and asked a few to share their thoughts. Below, you’ll find some interesting insights and observations to get a good conversation started in your office.
“There are still too many CISOs out there running ‘security in a vacuum,’ where they fail to take into consideration the needs of the business. When security is conducted in a vacuum, it results in ineffective controls that waste resources and do not effectively move the business forward. Traditionally, security and business were seen as being ‘at odds’ with each other, with the business wanting things fast, cheap, and easy to use, while strong security controls can go too far in the other direction, resulting in controls being slow, expensive, and not user friendly. Neither end of the spectrum is optimal. The trick is for security and the business to work together in a partnership to find the right balance of controls so things are secure enough to protect what's really at risk while helping the business achieve its goals.”
Celia Baker
CISO, IntelliGRACS Group, Inc.
LinkedIn: https://www.linkedin.com/in/celiabaker/
“Usernames and passwords are no longer strong enough to properly authenticate an authorized individual. Password databases are leaked almost daily, and oclHashCat can now brute-force passwords up to 55 characters long.
Moving to 2FA authentication seems absolutely required these days, but 2FA tokens need to be secured adequately, too. iCloud backups are regularly broken into, Authy accounts can be hijacked alongside a cellular phone number, and companies that use SMS as a second factor of authentication are learning that enabling SMS 2FA actually decreases the security of accounts, thanks to cellphone providers' lack of security measures.
Anyone can call a cell provider, impersonate an account holder, and request a new SIM card to replace their old one. The attacker can then receive the victim's text messages even though the victim is still holding their handset. You can enable a verbal password on your cellphone account, but not all providers enforce them. T-Mobile and Sprint seem to enforce passwords well; however, Verizon doesn't seem to enforce verbal passphrases on support calls at all.
Our company has made the decision to move all 2FA tokens onto hardware devices (like Yubikeys) and forbid anyone from using a cellphone provider that does not enforce verbal passphrases if they need that cellphone for business.”
Michael Perklin
CISO, ShapeShift
LinkedIn: https://www.linkedin.com/in/perklin/
“In general, cybersecurity seems to be reacting to threats after they appear. How do we get security systems in place that anticipate coming threats or can address a significant number of certain threat types?”
Dr. Jim Sullivan
Senior Director of IT, Pharmaca Integrative Pharmacy
Twitter: https://twitter.com/DrJim1717
In a recent Inc. article, contributor Joseph Steinberg interviewed Lou Modano, CISO and global head of infrastructure services at Nasdaq, about his fears regarding keeping Nasdaq safe from cyber incidents.
“It is no secret that, in recent years, hackers have become much more adept at creating cyberweapons to exploit vulnerabilities and that the time between the disclosure of a particular vulnerability and the creation of a weapon that exploits it has dramatically decreased… While businesses can work to make their patching and change management process extremely efficient, even doing so does not fully solve the problem—especially in situations in which vulnerabilities are announced before patches are available, in which cases criminals often create cyberweapons that exploit the vulnerabilities even before the associated patches are released by vendors… Lesson: Make sure you have an efficient process for obtaining, testing, and deploying security fixes, and be aware of when you may be at risk even with such a process in place.”
Joseph Steinberg
CEO, SecureMySocial
Twitter: https://twitter.com/JosephSteinberg
Note: To learn more about the impact a vulnerability could have on your network, take a look at this article on the MongoDB vulnerability.