The Cybersecurity Ventures report correctly identified the talent crunch as a reason for concern. But the problem has even deeper roots. The worldwide economic outlook continues to face stiff headwinds. Inflation, the energy crisis and supply chain issues are affecting every industry. Inflation will increase the overall cost of cyber crime as preventive and remediation costs rise. While inflation is not directly related to the number of incidents, it does impact company budget decisions. In response, some of the biggest tech brands are reducing headcounts and implementing hiring freezes. Meanwhile, security teams have been stretched thin for years. If security budgets don’t rise with inflation, security leaders will have even less buying power to implement strong security and capable teams. ... While the big, high-profile breaches fill headlines, many intruders prefer to target smaller organizations. Between 2020 and 2021, cyberattacks on small companies surged by more than 150%, according to RiskRecon, a Mastercard company that evaluates companies’ security risk.
One of the guiding principles for those who would master uncertainty is to recognize that there has always been something irresistible about advice in mathematical form. Over-reliance on metrics has given rise to the term “McNamara fallacy” referring to the tragic missteps associated with the misaligned quantifications used during the Vietnam War. Instead of flailing around trying to enumerate everything that could happen, executives need to place intense scrutiny on a subset of critical uncertainties. In other words, neglect the right uncertainties. ... Finding workers might be an uncertain undertaking but retaining key performers is not. Leaders have it in their power to know what their high performers are thinking. For these key employees it is possible to paint reasonably clear pictures of what happens next. Mike McSally, a human capital advisor with 20-plus years of experience in executive recruiting, does not believe recruiting has to be a problem. Reducing talent uncertainty is a simple matter of managing personal networks.
Employees should have no choice but to comply with the password policy rules of your organization. With Specops Password Policy, for instance, organizations can enforce length and complexity requirements to ensure that their password is as strong as possible while blocking over 3 billion known breached passwords. ... To further secure end-user accounts, the implementation of multifactor authentication (MFA) should be mandatory for end-users logging into work apps, or making a change like resetting their passwords. When it comes to the MFA process, the more ways you can verify your identity when logging in, the harder it is for someone to steal your information. ... Another best practice pertaining to account information is to encourage employees to lock their screens when they’re not around. Leaving screens unlocked increases the risk of someone viewing or accessing sensitive data. ... To start, all new purchases should come directly through the IT department. IT is responsible for not only setting up the employee on the company’s network, but also for making sure the computer is properly equipped with security and OS or system support.
Key to success is a company’s ability to embrace change and for the staff at all levels to reframe the transformation as something they are an owner of and a strategic investor in, rather than it being something that is happening to them. This often requires a major change in company mentality and behavior. Altering the attitudes towards transformation in this manner can help the staff to challenge assumptions and redefine problems in an attempt to identify alternative strategies and solutions that are very likely not apparent to the leadership of the transformation. Adopting the idea that everyone is leading the transformation, and has the opportunity to be an active contributor to it, is the objective. This requires promoting psychological safety and open communication as a cornerstone of company culture. Close collaboration and constant, effective communication with all parties can ensure the success of any given initiative, most significantly, digital transformation. This communication ensures that respect is granted to all members of the company and that they are supported throughout the transformation process.
Attackers will lean more on their powers of persuasion than on their malware kits as they step up social engineering attacks in the cloud … “a single fake social media profile, leveraged in the right way, can allow a threat actor to impersonate a trusted vendor,” said Morey Haber, chief security officer at Boston-based security firm Cybereason. “The threat actor will persuade victim after victim to divulge secrets or act in other ways contrary to their interest or that of their employer. The Lapsus$ [ransomware] group used social media to become an employee and then spoof access by calling a support helpdesk.” In March, the UK police arrested seven people, including a teenage boy, following a series of online attacks by the Lapsus$ hacking group that hit major technology companies, including Okta and Microsoft. Lapsus$ has publicly taunted its victims, leaking their source codes and internal documents. It has reportedly gone as far as to join the Zoom calls of companies they’ve breached, during which they have taunted employees and consultants trying to manage the hack. The group has claimed to breach companies such as Samsung, Vodafone and Ubisoft.
We all struggle with information overload. It’s hard to organize and prioritize the firehose of information—not only external information from intelligence feeds and news sources, but also internal problems, concerns, or tasks. Humans are not able to multitask well. Structuring how you process information, prioritize things, and stay on top of key elements is critical for your success. One of my mentors said, “look back from quarter to quarter at what you’ve done successfully and do more of those things. Be sure to cover yourself in the areas that will really affect your business. Those other things that won’t keep you up at night? Leave them behind or at least wait until they bubble up to the front.” ... In engineering, there are “first principles,” meaning you can deconstruct any problem if you understand the basic building blocks. The same concept applies to cyber security. Working with big frameworks, such as the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO) standards, helps you organize and effectively prioritize what you’re doing.
Even though security vulnerabilities have been an issue in the industry for some time (going back to Charlie Miller and Chris Valasek's infamous 2015 Jeep hack detailed at Black Hat USA), automakers have been slow to recognize the potential severity of the developments, says Gartner automotive industry analyst Pedro Pacheco. He explains that as automakers transition into becoming software developers, they are struggling to address all points of that development cycle — including security. "One very simple notion is if you're not good in software, you're probably not going to be very good in making that software safe," he says. "That is guaranteed." From his perspective, automakers are also too complacent when it comes to addressing and patching security vulnerabilities right away. "Automakers look at this in a more reactive way than a proactive way, basically saying we'll address the small number of customers affected and solve the issue and then everything goes back to normal," he says. "That's the way of thinking for many carmakers."
For IT professionals recently laid off from big tech jobs, the move to cybersecurity can feel like a strange shift. Consider a software engineer or application developer out of a job and looking for new opportunities. They may bypass infosec openings simply because they’re not sure security would be a good fit. They’re not wrong. While cybersecurity is on the same spectrum as other IT opportunities, it comes with a different approach. Conflict rather than consistency is at the heart of these protective positions. Despite its significant departure from other roles, it offers a unique opportunity for growth. Put simply? Having an adversary fuels innovation. Instead of working on projects with a consistent path between point A and point B, cybersecurity staff must be ready to respond at a moment’s notice. Even as they’re busy implementing strategies and solutions to detect attackers earlier and mitigate malware impacts, they’re also the first line of defense against attacks in progress. ... As one digital door closes, however, another opens. And strangely enough, it’s one that sees technology experts finding ways to keep network doors shut tight against potential attackers.
You’ve got to have leaders who can articulate the digital vision, be that ‘tech whisperer’ to explain to senior executives your journey into the future, and then you need to be able to properly manage the change management initiative — or all your great strategies won’t deliver their promised value. Another big skill set that’s absolutely required is financial and business acumen, because you need to be able to explain to people the value that will be created. Yes, you need to know technology, but, boy, you need to be a leader that can get things done quickly in a commercially sound manner, creating a lot of value and articulating not only the business model but the overall strategy for the organization. That means you also need to understand all the global forces, and you need to understand the pulse and the heartbeat of the organization from a cultural perspective. ... In addition to financial acumen, what many CIOs need if they aspire to be a CEO is desire for the role, and a kind of toughness, because being a CEO can be a lonely job. You’ve got to make some really tough choices. It’s less a collaborative team sport than the CIO position.
Entrepreneurship is not for the faint of heart: New problems, scary unknowns and intriguing (but distracting) opportunities will challenge you every day. And you'll second-guess yourself every step of the way while others rely on you to make decisions. People will rely on you to make the right decisions — and they expect you to do it with a degree of confidence, whether you have any or not! Movies love to depict entrepreneurs with automatic access to lavish parties, luxury cars and a golden ticket to Silicon Valley. In this case, life doesn't imitate art. Entrepreneurship includes many struggles. And if you're lucky, and your company begins to grow, your struggles grow as well. In fact, you can compare entrepreneurship to parenting. Some of the most difficult, challenging and stressful moments in life involve raising a child. The bigger the child, the bigger the mess, right? It often feels like an uphill battle trying to keep the house clean. But parenting is also magic. It includes some of the most moving and memorable moments of your life. Parents and entrepreneurs often find themselves in high-pressure situations, managing unique personalities and getting zero credit.
Quote for the day:
"Leadership is the creation of an environment in which others are able to self-actualize in the process of completing the job." -- John Mellecker