The Rise of the BISO in Contemporary Cybersecurity
In general, “A BISO is assigned to provide security leadership for one
particular business unit, group, or team within the greater organization,”
explains Andrew Hay, COO at Lares Consulting. “Using a BISO divides
responsibility in large companies, and we often see the BISOs reporting up to
the central CISO for the organization.” “A BISO is responsible for
establishing or implementing security policies and strategies within a line of
business,” adds Timothy Morris, chief security advisor at Tanium. “Before the
BISO role became popular, other director-level roles performed similar
functions in larger organizations as an information security leader.” The
precise role of the BISO varies from company to company depending on the needs
of that company. “In some cases, the BISO will hold a senior position
reporting directly to the CISO, CTO, or CIO,” explains Kurt Manske, managing
principal for strategy, privacy, and risk at Coalfire. “At this level, the
BISO acts as a liaison with business unit leaders and executives to promote a
strong information security posture across the organization.”
CEO directives: Top 5 initiatives for IT leaders
Cybersecurity became a bigger issue this year for Josh Hamit, senior VP and
CIO at Altra Federal Credit Union, due in part to Russia’s invasion of
Ukraine, which touched off warnings about possible Russia-backed hackers
stepping up cyberattacks on US targets. As a result, Hamit has brought extra
attention to partnering with Altra’s CISO to perfect security fundamentals,
cyber hygiene and best practices, and layered defenses. More likely cyber
scenarios have IT leaders increasingly concerned as well. For instance, three
out of four global businesses expect an email-borne attack will have serious
consequences for their organization in the coming year, according to CSO
Online’s State of Email Security report. Hybrid work has led to more email
(82% of companies report a higher volume of email in 2022) and that has
incentivized threat actors to steal data through a proliferation of social
engineering attacks, shifting their focus from targeting the enterprise
network itself to capitalizing on the vulnerable behaviors of individual
employees.
Breach Roundup: Med Devices, Hospitals and a Death Registry
A vulnerability the Indian government at first said did not exist it now says
is fixed. The Indian Ministry of Railways in December denied that the data of
30 million people allegedly on sale on the dark net came from a hacker
breaching Rail Yatri, the official app of Indian Railways. On Wednesday,
Minister of State for Electronics and Information Technology Rajeev
Chandrasekhar said the Indian Railway Catering and Tourism Corp. fixed the
issue and took necessary precautions to prevent its recurrence. Neither Rail
Yatri nor the minister disclosed the penalty paid for the incident. ... A
February data breach of the U.S. Marshals Service systems, which led to
hackers maliciously encrypting systems and exfiltrating sensitive data law
enforcement data, got worse. A threat actor is reportedly selling 350
gigabytes of data allegedly stolen from the servers for $150,000 on a
Russian-speaking hacking forum. The data on sale allegedly includes "documents
from file servers and work computers from 2021 to February 2023, without
flooding like exe files and libraries," reported Bleeping Computer.
BianLian ransomware group shifts focus to extortion
Researchers observed that the speed at which BianLian posts the masked details
has also increased over time. If one is to accept the date of compromise
listed by BianLian as accurate, the group averages just ten days from an
initial compromise to ratcheting up the pressure on a victim by posting masked
details. In some instances, BianLian appears to have posted masked details
within 48 hours of a compromise, Redacted said in its report. “With this shift
in tactics, a more reliable leak site, and an increase in the speed of leaking
victim data, it appears that the previous underlying issues of BianLian’s
inability to run the business side of a ransomware campaign appear to have
been addressed,” Redacted said, adding that these improvements are likely the
result of gaining more experience through their successful compromise of
victim organizations. The BianLian group appears to bring close to 30 new
command-and-control (C2) servers online each month. In the first half of
March, the group has already brought 11 new C2 servers online. The average
lifespan of a server is approximately two weeks, Redacted said.
CIOs Must Make Call on AI-Based App Development
Erlihson says other key stakeholders necessary for an AI-based app development
strategy include the chief data officer (CDO), who can help manage and govern
the organization’s data assets, ensure data quality, and make sure that data
is used in compliance with regulations. The chief financial officer (CFO) can
ensure that the organization’s investments in AI-based tools are aligned with
the financial objectives and overall budget of the company. “It's also
important to include business leaders to identify business problems that can
be solved by AI, providing use cases, and setting priorities for AI-based app
development based on business needs,” he says. Legal and compliance must also
be involved to ensure AI-based tools are compliant with data privacy laws and
regulations, security, and ethical use of AI. “Finally, operations and IT
teams are needed to provide feedback on the feasibility and scalability of
AI-based tool development and deployment and to assure that the necessary IT
infrastructure required to support AI-based app deployment is in place,”
Erlihson says.
How Design Thinking and Improved User Experiences Contribute to Customer Success
Everything is about the needs, preferences and behaviors of users and the
frustrations they sometimes face, with a continuous feedback loop used for
perpetual reporting. The model emphasizes the need for diverse voices,
experimentation with new ways of working, rapid prototyping and iteration, as
well as a commitment to constantly improving the quality of service. As an
example of experimentation, Airbnb unlocked growth by using professional
photography to replace poor-quality images advertising property rentals in New
York and saw an instant uptick. Done right, it has the benefit of challenging
developer assumptions and management status quo. It helps to mitigate against
the narrative of ‘we’ve always done it this way’ or the temptation to
‘bloatware’ which adds pointless features and functions. Despite the name,
Design Thinking doesn’t just impact software user experience design; product
managers and others are also involved to create a holistic understanding of
what is happening.
Sovereign clouds are becoming a big deal again
Although sovereign clouds aim to increase data privacy and sovereignty, there
are concerns that governments could use them to collect and monitor citizens’
data, potentially violating privacy rights. Many companies prefer to use
global public cloud providers if they believe that their local sovereign cloud
could be compromised by the government. Keep in mind that in many cases, the
local governments own the sovereign clouds. Sovereign clouds may be slower to
adopt new technologies and services compared to global cloud providers, which
could limit their ability to innovate and remain competitive. Consider the
current artificial intelligence boom. Sovereign clouds won’t likely be able to
offer the same types of services, considering that they don’t have billions to
spend on R&D like the larger providers. Organizations that rely on a
sovereign cloud may become overly dependent on the government or consortium
operating it, limiting their flexibility and autonomy. As multicloud becomes a
more popular architecture, I suspect the use of sovereign clouds will become
more common.
Why You Need a Plan for Ongoing Unstructured Data Mobility
Most organizations keep all or most of their data indefinitely, but as data
ages, its value changes. Some data becomes “cold” or infrequently accessed or
not needed after 30 days yet must be retained for a period of time for
regulatory or compliance reasons; some data should be deleted; and some data may
be required for research or analytics purposes later. ... Ensuring easy mobility
for the data as it ages and understanding the best options for different data
segments is paramount. Another reason why unstructured data mobility is
imperative is due to growing AI and machine learning adoption. Once data is no
longer in active use, it has the potential for a second or third life in big
data analytics programs. You might migrate some data to a low-cost cloud tier
for archival purposes but IT or other departments with the right permissions
should be able to easily discover it later and move it to a cloud data lake or
AI tool when needed for many different use cases.
Microsoft: 365 Copilot chatbot is the AI-based future of work
Microsoft CEO Satya Nadella said the new 365 Copilot chatbot will “radically
transform how computers help us think, plan and act. “Just as we can’t imagine
computing today without a keypad, mouse or multitouch, going forward we won’t
be able to imagine computing without copilots and natural language prompts
that intuitively help us with continuation, summarization, chain-of-thought
reasoning, reviewing, modifying and acting,” he said. Copilot combines a large
language model (LLM) with the 365 suite and the user data contained therein.
Through the use of a chatbot interface and natural language processing, users
can ask questions of Copilot and receive human-like responses, summarize
online chats, and generate business products. Copilot in Word, for example,
can jump-start the creative process by giving a user a first draft to edit and
iterate on — saving hours in writing, sourcing, and editing time, Microsoft
said in a blog post. "Sometimes Copilot will be right, other times usefully
wrong — but it will always put you further ahead,"
How CISOs Can Start Talking About ChatGPT
Do we have the right oversight structures in place? The fundamental
challenge with AI is governance. From the highest levels, your company needs
to devise a system that manages how AI is studied, developed and used within
the enterprise. For example, does the board want to embrace AI swiftly and
fully, to explore new products and markets? If so, the board should
designate a risk or technology committee of some kind to receive regular
reports about how the company is using AI. On the other hand, if the board
wants to be cautious with AI and its potential to up-end your business
objectives, then perhaps it could make do with reports about AI only as
necessary, while an in-house risk committee tinkers with AI’s risks and
opportunities. Whatever path you choose, senior management and the board
must establish some sort of governance over AI’s use and development.
Otherwise employees will proceed on their own – and the risks only
proliferate from there.
Quote for the day:
"Humility is a great quality of
leadership which derives respect and not just fear or hatred." --
Yousef Munayyer
