Security News
The Vectra Masked CISO series gives security leaders a place to expose the biggest issues in security and advise peers on how to overcome them. As the Agile dogma continues to spread, it's our job as dispassionate security leaders to push back.
This holds true as attackers become more organised - constantly tweaking threat vectors, studying widely-used security playbooks, or testing their attacks against ancient security tools like IDPS. By relying on signatures to detect known threats and following the same old approaches, you're always going to be caught out by modern attackers, who already have the tools to bypass these dated defenses. I still see that 90% of CISOs today are "playing it safe", clinging to old playbooks and legacy tools like IDPS. Perhaps it ticks a box for them by filling a control gap, or maybe the board is tired of security asking for new products, or these tools are just seen as "tried and tested." The inconvenient truth is that we can't sit on our laurels in security, or we'll be completely exposed to attacks like Sunburst and Colonial Pipeline.
Two in five Chief Information Security Officers have missed holidays like Thanksgiving due to work demands, a Tessian report reveals. In addition to missing national holidays, the report reveals that CISOs work, on average, 11 more hours than they're contracted to each week while one in 10 works 20 to 24 hours extra a week.
45% of companies do not employ a Chief Information Security Officer, Navisite research found. Of this group, 58% think their company should hire a CISO. Only 40% of respondents stated that their cybersecurity strategy was developed by a CISO or a member of the security team, with 60% relying on other parts of their organization, including IT, executive leadership and compliance.
The research also uncovered that organizations underestimate the risk of a cyberattack, with 73% of CIOs and CISOs "highly confident" that their organizations will not suffer an OT breach in the next year. 83% also said they had at least one OT security breach in the prior 36 months.
While cyber insurance is an effective risk transference mechanism, don't confuse it with having a plan. Boards and C-suites understand and commonly factor in a variety of business risks, including market risk, supply chain risk, and liquidity risk, yet many don't understand industrial cyber risk.
In this interview with Help Net Security, she talks about her take on the CISO role and offers advice for those who aspire to fulfill it one day. The company then created the first Information Security Officer role, which I stepped into to work on building out a security-first approach.
Managing the security of your third parties is crucial, but security assessments are riddled with problems, including a lack of context, scalability and relevance. In this comprehensive guide, we provide the direction you need to make your organization's third-party security program efficient and scalable.
In this day and age of cyber risk and data privacy regulations, automated third-party questionnaires are a must. Organizations can no longer simply hire vendors without proof of a strong cyber posture, and a comprehensive questionnaire can demonstrate that vendors' internal security policies are up to par.
A comprehensive third-party security program can align your vendor's security with your internal security controls and risk appetite. The right third-party security management platform can be a smart way to get your program off the ground or automate the one you already have in place.