From Security Weekly Wiki
Revision as of 13:42, 20 July 2020 by Matt (talk | contribs) (→‎Articles)


  • CISOs undervalued, overworked, burning out, warns CIISec - According to the results of The Security Profession 2019/2020, a report produced by the Chartered Institute of Information Security (CIISec) that surveyed 445 IT security professionals:
    • 82% said security budgets were failing to keep pace with the wider environment, either rising too slowly, staying static, or dropping
    • 64% said their businesses were having to cope with fewer resources when necessary
    • 51% admitted to having let routine or non-critical security tasks slip, increasing risk to their organisations
    • Over half (54%) said they had either quit a job due to overwork or burnout, or had worked with someone who had
  • Cybersecurity Leaders: Invest In Your People - Training, especially cross-training, is insanely powerful when team members are able to experience, train, and work together. It also builds trust. Here are five steps for enterprises to take:
    • Find the right training environment for a hands-on ongoing training program and commit to it. This is essential unless you want to lay people off, have a revolving door for talent, or have people sitting on their hands during an incident.
    • Stop wasting time and money sending people to costly online and classroom training that only contributes to the misguided view that training is something to be scheduled.
    • Assess who and what you have to work with. Have each team member complete assessments to discover their hard and soft skills. You can do this with individual training assessments, or for a team in an online cyber range and learn even more about how your team performs under the stress of an attack. This is where you learn where the gaps are, not just in skills but in communications and collaboration.
    • Build a cross-training program. For staffing shortages, the team's most reliable players can cross-train to become subject matter experts who back up existing staff. Extending training to web application developers, DevOps, network, and IT specialists will help provide the reserves and reinforcements you need when trouble strikes.
    • With work-from-home likely to be here to stay, it makes sense to cross-train network security or other IT staff whose workloads may have dropped and point them toward building endpoint security, administering VPN systems, and handling encryption configuration and threat hunting.
  • The 10 Worst Cybersecurity Strategies - Let’s count them down.
    • 10. Cyber-Insurance
    • 9. Audit Confidence
    • 8. Best Tools, Left Unmanaged
    • 7. Regulatory Compliance
    • 6. One Good Tool
    • 5. IT Dependence
    • 4. Security by Marketing
    • 3. Default Security Settings
    • 2. Security by Obscurity
    • 1. Hope, as a Strategy
  • Choosing Wisely: An Entrepreneur’s Guide to Better Decision-Making - Here are some expert-backed tips for making smarter decisions:
    • Let go of ‘perfect’ and aim for ‘good enough’
    • Combine intuition with expertise
    • Create a value-based pros and cons list
    • Try negative visualization
  • AppSec Becomes A Priority For New CISOs/CSOs: Recommendations For The First 100 Days - Quick wins at the beginning of a leader’s tenure help set the table for long-term success. Incoming CISOs can work with their teams to achieve benchmarks like these in the first 100 days:
    • By day 30, a complete application inventory, if one is not already available. This data source should include information about the importance to the business of each application and the cybersecurity risk it poses.
    • By day 60, a policy gap analysis and SAMM assessment. These formal reviews assess the maturity of the AppSec program and how complete the formal AppSec policies are.
    • By day 100, a complete AppSec roadmap. By this time the CISO should be familiar with past successes, and can plan to build upon them to advance the program’s maturity.
  • Types of Cyber Security Roles: Job Growth and Career Paths - You figured out how to get into cyber security: you learned the technical skills, landed the job, did the work and proved yourself - now it’s time to chart your career path...
    • What Are Cyber Security People Called? - Cyber security professionals go by many names, but the job titles or descriptions will “normally have ‘information security,’ ‘cyber security,’ or related terms in them.”
    • What Are the Different Roles in Cyber Security? - Cyber security professionals can benefit from starting as generalists and then specializing in an area of interest or strength, including:
      • Application security
      • Data loss prevention
      • Forensics
      • Incident response
      • Network security
      • Security architecture
      • Threat intelligence
      • Vulnerability management
    • How to Take the Next Step in Your Cyber Security Career? - Whether you’re a generalist or a specialist, you’ll need to keep up with cyber security’s ever-changing technical requirements, latest legal regulations and best practices, as well as the emerging trends in the industry, in order to achieve your career goals. To that end, consider:
      • Taking coursework toward a degree (such as a bachelor’s or master’s in cyber security) or certification that aligns with your career aspirations
      • Upskilling in virtual labs to practice industry applications and technologies
      • Completing a cyber internship
      • Joining a professional organization or association, such as ISACA, Information Systems Security Association (ISSA), (ISC)² or the SANS Institute
      • Networking or finding a mentor to help you outline and achieve your medium- and long-term plans