Cybersecurity leaders want to quit. Here's what is pushing them to leave
Almost a third of chief information security officers (CISOs) and IT security
managers in the UK and US are considering leaving their current organization,
according to new research. Not only that, but a third are planning to quit their
jobs within the next six months. ... many IT security leaders are struggling to
keep up with evolving threats and new cybersecurity practices, while also
reporting issues around recruitment, retention and work-life balance that are
prompting many to turn away from the industry. When asked about the aspect of
their role that they disliked most, 30% cited the lack of a work-life balance,
with 27% saying that much time was spent on 'firefighting' rather than
addressing strategic business issues. On top of the 32% of CISOs planning a
departure due to the stresses of the job, 52% admitted that they are struggling
to keep up to date with new frameworks and models such as Zero Trust, while a
further 20% felt that having the right skills on their team was "a serious
challenge".
Why Is Optimism a Critical Security Skill?
There’s a different way to think about the practice of security: as a vision-
and mission-based endeavor. When security practitioners log in each day to start
work, they are protecting people they care about: their colleagues, partners and
customers. They’re also safeguarding their organizations’ ability to do business
in a complex world by delivering vital products and services that others need
and ensuring society functions as intended. As a result, security teams are
creating a better world for everyone. For employees in organizations, these
connections may either be explicit or implied. Security professionals who
protect national infrastructure for a government agency, a nonprofit’s ability
to deliver aid or an e-commerce firm’s ability to deliver goods will likely see
the value in safeguarding their organizations’ business and operations. Yet,
countless others provide processes or services that enable the effective
functioning of businesses and community life. These professionals, too, should
take pride in fulfilling their organization’s vision and mission.
Networking and Data Center Horrors That Scare IT Managers
Carrie Goetz, D.MCO and Principal/CTO at StrategITcom, LLC, and a frequent
speaker at Network Computing events, offered up some spooky incidents she has
encountered over the years. “There was the case of cleaning people plugging
vacuum cleaners into UPS outlets when cleaning the data center and shutting them
down. Happened every night sometime between 2 and 4 AM. The only way we caught
it was to sit up there at that time.” “Or how about doing an audit of the gear
in a data center? The customer thought they had about 2,600 servers, and we
found over 3,000 physical machines. Some had not passed a bit of traffic in
years.” Talk about a nightmare. She noted, “decommissioning was not in their
vocabulary until after the audit.” Another example should send chills down any
IT manager’s spine. “We took over a contract for a prison health care provider.
They had previously hired another company. When all of the deliveries were late,
the customer started investigating and found out that the company was staging
their servers in a shed with a dirt floor and no AC running. They kept going up
and down, and two failed for dirt and moisture.”
Hervé Tessler – ‘Cyberattacks can mean total reputational death’
When I joined the business 33 years ago, nobody ever talked about cybersecurity.
I don’t recall the word. Everything was physical: what if somebody’s gotten into
my flat or I’m afraid someone’s going to take my car, attack me in the street to
take my watch or my wallet or whatever. Obviously, the world has become much
more digital. All these fears and threats became digital. What I would say over
the past few years is that we’ve seen a massive amplification of risk. Large
companies have a board and an IT group under the board looking at cybersecurity.
They take it very seriously. They are scared to death of any brand damage. They
are relatively focused, which is not the same as being well equipped. What I’ve
found out over the last six months is that more and more small and mid-sized
businesses are paying a lot more attention to cyber. When I open the newspaper,
there’s not a day without a small story about a major cyber negative impact on a
business. There was a recent cyberattack on a French hospital that sent them
back to the Middle Ages – it lasted for months. Of course, SMBs taking
cybersecurity seriously is an opportunity for us to help them with this
threat.
Cyber criminals have World Cup Qatar 2022 in their sights
The Digital Shadows Photon research team have been tracking cyber threats
coalescing around the World Cup over the past 90 days using a specially created
alert system. They have found that broadly, threats to the event can be arranged
into four categories – brand protection, cyber threat, physical protection and
data leakages. Of these, most of the observed activity relates to the cyber
threat category. “Scams could present themselves in many forms,” the Photon team
wrote in a newly published online advisory. “For instance, financially motivated
threat actors often plant in malicious URLs spoofing these events to fraudulent
sites, hoping to maximise their chances of scamming naive internet users for a
quick, illicit, profit. “At the same time, hacktivist groups may exploit the
public attention given to such events to exponentially increase the reach of
their message. State-sponsored advanced persistent threat (APT) groups may also
decide to target global sporting events to achieve state goals to the hosting
country or the broader event community.”
Agile or V-Shaped: What Should Be Your Next Software Development Life Cycle Model?
The agile model is known for its flexibility and responsiveness to change. This
makes it ideal for projects that are constantly evolving or that require quick
turnarounds. However, this flexibility can also be a downside, as it can lead to
scope creep and unrealistic expectations. The V-shaped model is more rigid and
structured, but this can also be seen as a strength. This model helps to prevent
scope creep by clearly defining the deliverables at each stage of the project.
It also provides more structure and transparency, which can help to keep
stakeholders informed and on track. However, the downside of this model is that
it can be inflexible and resistant to change. So, which model is best for your
project? Ultimately, it depends on your specific needs and objectives. The Agile
software development life cycle model is a great choice for small to
medium-sized projects. This is because it offers flexibility and adaptability,
which are essential when working on smaller-scale projects. So if you need a
flexible and responsive approach, then the agile model may be a better fit.
Veteran CIOs on leading IT today
It’s a different role as you shift from manager to director. It’s realizing your
entire organization is essentially run by someone else tactically, so really
backing off and letting them fail or succeed on their own. And then you have to
figure out how to focus very differently on alignment, making sure all the
leaders are on the same page, because now you have really good leaders and
they’re all running in different paths. In IT especially, managers tend to want
to hang on to some of the hands-on work after they become directors, and that’s
often because they’re promoted due to skill, not leadership. So suddenly they
find themselves at a director level and they’re just a really good engineer.
They don’t have any other tool in their toolkit except doing it themselves. So
it’s hard for them to let others own things completely. It’s really important to
get a good mentor or someone in place to help them. Usually what you hear is the
horror stories, where someone fails miserably and then they learn and pick
themselves up and go again. We’ve got to find a way to prevent that.
IT security: 3 areas to prioritize for the rest of 2022
If companies fail to frequently audit access policies to ensure that external
groups can only access the systems they need, this is another avenue that
hackers can easily exploit. It’s also essential to immediately cut off access
after parting ways with a consultant and periodically confirm that former
contractors no longer have access. Ensure an established timeline for auditing
access policies – and never allow it to slip. Addressing password hygiene is
another critical consideration. According to the most recent Verizon Data Breach
Investigations Report, over 80 percent of hacking incidents involved stolen
credentials. And studies have repeatedly shown that at least 71 percent of
people reuse passwords. If just one of the sites associated with a reused
password has been breached, then all other accounts protected by that password
are also at risk. With workforce management challenges on the horizon for 2023,
it’s essential to implement policies and procedures addressing the inherent
security vulnerabilities of the Great Resignation.
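The two access checks the passage asks for (confirming departed consultants are cut off, and that external accounts reach only the systems they need) as an added example, not code from the original article; the account export format and the sample accounts are constructed assumptions:

```python
from datetime import date

# Constructed sample export of external (consultant/contractor) accounts:
# engagement end date, whether the account is still enabled, the systems the
# account can reach today, and the systems the engagement actually requires.
ACCOUNTS = [
    {"user": "consultant.a", "end": "2022-09-30", "enabled": True,
     "access": {"jira", "vpn", "prod-db"}, "needed": {"jira", "vpn"}},
    {"user": "consultant.b", "end": "2023-03-31", "enabled": True,
     "access": {"jira"}, "needed": {"jira"}},
    {"user": "consultant.c", "end": "2022-06-15", "enabled": False,
     "access": set(), "needed": set()},
    {"user": "consultant.d", "end": "2023-01-31", "enabled": True,
     "access": {"vpn", "hr-system"}, "needed": {"vpn"}},
]

def review_external_access(accounts, today: str):
    """Return (user, finding, detail) tuples for two conditions: enabled
    accounts whose engagement has ended, and enabled accounts holding
    access beyond what the engagement needs."""
    cutoff = date.fromisoformat(today)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already offboarded; nothing left to revoke
        if date.fromisoformat(acct["end"]) < cutoff:
            findings.append((acct["user"], "stale",
                             f"engagement ended {acct['end']} but account is still enabled"))
        excess = acct["access"] - acct["needed"]
        if excess:
            findings.append((acct["user"], "excess",
                             "access beyond engagement scope: " + ", ".join(sorted(excess))))
    return findings

if __name__ == "__main__":
    for user, kind, detail in review_external_access(ACCOUNTS, "2022-11-01"):
        print(f"{kind:6} {user}: {detail}")
```

Run it on a scheduled basis against a real directory export so the review date the text insists on never slips.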
Cookies for MFA Bypass Gain Traction Among Cyberattackers
Stealing session cookies has become one of the most common ways that attackers
circumvent multifactor authentication. The Emotet malware, the Raccoon Stealer
malware-as-a-service, and the RedLine Stealer keylogger all have functionality
for stealing sessions tokens from the browsers installed on a victim's system.
In August, security software firm Sophos noted that the popular red-teaming and
attack tools Mimikatz, Metasploit Meterpreter, and Cobalt Strike all could be
used to harvest cookies from the browsers' caches as well, which the firm called
"the new perimeter bypass." "Cookies associated with authentication to Web
services can be used by attackers in 'pass the cookie' attacks, attempting to
masquerade as the legitimate user to whom the cookie was originally issued and
gain access to Web services without a login challenge," Sean Gallagher, a threat
researcher with Sophos, stated in the August blog post. "This is similar to
'pass the hash' attacks, which use locally stored authentication hashes to gain
access to network resources without having to crack the passwords."
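A server-side mitigation and detection for the "pass the cookie" technique described above, as an added example that is not from Sophos or the article: each session is bound to the client context recorded at issuance and given a hard lifetime, so a stolen cookie replayed from another host is revoked and alerted on rather than accepted. The key, the context fields (user agent plus IPv4 /24) and the lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment would load it from a secret store.
SERVER_KEY = b"constructed-demo-key"

def ip_prefix(ip: str) -> str:
    """Coarse network context: first three octets of an IPv4 address."""
    return ".".join(ip.split(".")[:3])

def fingerprint(user_agent: str, ip: str) -> str:
    """Keyed hash of the client context recorded when the session was issued."""
    msg = f"{user_agent}|{ip_prefix(ip)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

class SessionStore:
    """Server-side session table that binds each session to the issuing client
    context and expires sessions, so a replayed cookie from another host is
    revoked instead of silently granting access without a login challenge."""

    def __init__(self, max_age_s: int = 3600):
        self.sessions = {}
        self.max_age_s = max_age_s
        self.alerts = []  # detection output for the SOC

    def issue(self, user: str, user_agent: str, ip: str, now: int) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "fp": fingerprint(user_agent, ip), "issued": now}
        return sid

    def validate(self, sid: str, user_agent: str, ip: str, now: int):
        """Return (user, 'ok') or (None, reason); a context mismatch revokes
        the session and records an alert so the user must re-authenticate."""
        s = self.sessions.get(sid)
        if s is None:
            return None, "unknown"
        if now - s["issued"] > self.max_age_s:
            del self.sessions[sid]
            return None, "expired"
        if not hmac.compare_digest(fingerprint(user_agent, ip), s["fp"]):
            self.alerts.append({"user": s["user"], "ip": ip, "ua": user_agent,
                                "reason": "session cookie presented from a different client context"})
            del self.sessions[sid]
            return None, "context-mismatch"
        return s["user"], "ok"
```

Binding to a /24 will log out legitimate users who roam between networks, so tune the context fields to your user base; it also does not help when the stolen cookie is replayed through the victim's own machine, which is why short lifetimes and re-authentication for sensitive actions still matter.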
Scrutinising AI requires holistic, end-to-end system audits
To combat the lack of internal knowledge around how AI systems are developed,
the auditing experts agreed on the pressing need for a standardised
methodology for how to conduct a socio-technical audit. They added that while a
standardised methodology currently does not exist, it should include practical
steps to take at each stage of the auditing process, but not be so prescriptive
that it fails to account for the highly contextual nature of AI. However,
digital rights academic Michael Veale said standardisation is a tricky process
when it comes to answering inherently social questions. “A very worrying trend
right now is that legislators such as the European Commission are pushing
value-laden choices around fundamental rights into SDOs [standards development
organisations],” he said ... Another risk of prescriptive standardisation,
according to Brown, is that the process descends into a glorified box-ticking
exercise. “There’s a danger that interrogation stops and that we lose the
ability to really get at the harms if they just become standardised,” he
said.
Quote for the day:
"What I've really learned over time is
that optimism is a very, very important part of leadership." --
Bob Iger