Hospitals are set up to fight infections, but not necessarily the kind that has been plaguing healthcare institutions lately – malware. A new report estimates that cyber threats against healthcare targets increased 60% since January, surpassing the total number of threats identified in all of 2018. The most common threat targeting the healthcare industry is Trojan malware, which increased 82% in the third quarter from Q2, according to the report by Malwarebytes, Cybercrime Tactics and Techniques: The 2019 State of Healthcare. Most of the Trojan attacks involved Emotet and TrickBot, which are the two most dangerous Trojans around since 2018.... Continue reading

(ISC)² members and associates have an exclusive opportunity to win a Nintendo Switch while earning CPEs. This participation-based contest is running until the end of December – just in time for the holidays. Fifteen winners will be chosen. Steps to complete in order to be entered to win: Members and associates must fill out a registration form for December entries, even if there has been a previous entry. Complete any (ISC)² PDI free online courses by December 31, 2019. Score at least 70% on the final assessment. Submit an end-of-course evaluation for each course completed. Participants can earn additional entries... Continue reading

by Dr. Chris Veltsos, CISSP (ISC)² Security Congress wrapped up four weeks ago. The event sported world-class keynotes and also had many great sessions. This article shares some reflections on Captain Sully’s keynote, and his message to all of us information security professionals. A Perfect Fit for Cybersecurity The opening keynote at the 2019 (ISC)² Security Congress could easily be mistaken for a figure larger than life. Captain Sully’s story is one of calm in the face of chaos, with the result being that everyone on board that fateful flight was able to get out alive. As some of the... Continue reading

Nearly half of midmarket executives (47%) in a newly released quarterly report cited cybersecurity as their top concern for the coming year. The Middle Market Indicator report, by Chubb and the National Center for the Middle Market (NCMM), shows that cybersecurity topped the list of concerns for the second quarter in row. The concern isn’t surprising. Any executive who pays attention to the cyber threat landscape is bound to feel trepidation about the potential for cyber attacks against their organization. A study published by The Conference Board earlier this year found that cybersecurity is the top business concern for U.S.... Continue reading

By Andrea Little Limbago, Chief Social Scientist, Virtru Limbago presented during the Governance, Risk and Compliance track at the 2019 (ISC)2 Security Congress in Orlando. The session, Global Factors Driving Data Privacy Regulation, explained data localization, how it is progressing and what that means for organizations. In two parts, Limbago recounts the information covered in her session. In the previous post, we discussed the growing influence of digital authoritarianism, which has now contributed to nine consecutive years of a decline in internet freedoms across the globe. We’ll now turn to two other competing global influences that are further shaping data... Continue reading

By Andrea Little Limbago, Chief Social Scientist, Virtru Limbago presented during the Governance, Risk and Compliance track at the 2019 (ISC)2 Security Congress in Orlando. The session, Global Factors Driving Data Privacy Regulation, explained data localization, how it is progressing and what that means for organizations. In two parts, Limbago recounts the information covered in her session. On October 29, the internet turned 50. Despite original aspirations of a free and open internet, the modern internet is increasingly segmented and shaped by political boundaries. Included within broader technological shifts such as 5G, artificial intelligence, and the internet of things, these... Continue reading

Unlike doctors or engineers, most cybersecurity professionals didn’t set out to work in their chosen field. In fact, more than half started their careers elsewhere and eventually made the move to cybersecurity. But once they make the move, most decide to stay. Nearly two thirds of cybersecurity professionals (65%) intend to stay in the field until they retire, thanks to high demand for their skills and the challenging nature of the work, according to the (ISC)2 Cybersecurity Workforce Study, 2019. The desire to stay indicates most are finding fulfillment in the field, even if working in cybersecurity wasn’t their original... Continue reading

Gender diversity in the cybersecurity industry is a key issue as we seek to create a larger, more representative, balanced and welcoming industry for all. As the (ISC)2 2019 Cybersecurity Workforce Study revealed, a global shortage of more than four million trained cybersecurity professionals exists, and women represent just 30% of the current workforce, meaning recruitment and advancement of women is a strategic imperative to limiting, if not closing, the gap. A separate report by (ISC)2 published earlier this year highlighted the surge of women into senior roles, but confirmed that there remains much more work to do to both... Continue reading

As organizations struggle to staff their cybersecurity teams, new (ISC)2 research reveals they also may be suffering from an imbalance in the distribution of team member roles. Positions that currently appear overstaffed include compliance, forensics and operational technology security while jobs in security operations, security administration and risk management seem to be understaffed. This creates a need for CISOs and cybersecurity managers to take a close look at their teams and figure out what adjustments to make. Keeping too many people in certain roles while understaffing other positions potentially makes it harder for an organization to build and maintain effective... Continue reading

As organizations struggle to fill cybersecurity vacancies due to a worldwide shortage of 4 million professionals, they should consider implementing strategies to attract qualified candidates and prevent experienced staff from leaving. The (ISC)2 Cybersecurity Workforce Study 2019 lays out four strategies organizations should consider: Address cybersecurity team members’ needs with training and career development opportunities. Properly set internal expectations about applicant qualifications to widen the search for candidates as much as possible. Target recent college graduates and workers with degrees relevant to cybersecurity. Grow your cybersecurity team from within with further development and cross-training opportunities. All of these strategies are... Continue reading

The (ISC)² Chapter Recognition Awards are presented to official regional chapters of (ISC)² that best promote the vision of (ISC)² by inspiring a safe and secure cyber world. The chapters demonstrate a well-rounded offering of activities and services designed to benefit members and affiliates, while making a significant contribution to the profession and their local community through the core focus areas of the (ISC)² Chapter Program of Connect, Educate, Inspire and Secure. (ISC)² chapters self-nominated by completing a questionnaire on their accomplishments. Members of the newly formed Chapter Advisory Committee reviewed and scored the entries, and the top-rated chapter in... Continue reading

The cybersecurity industry in the United States and 10 other major global economies currently employs 2.8 million professionals. But the industry continues to struggle with a significant workforce shortage, and it would take another 4 million professionals to close the gap. That would mean an increase of 145% cybersecurity workers, according to the findings of the (ISC)² Cybersecurity Workforce Study 2019. The study, released this week, represents the first estimate of how many people are employed in cybersecurity. Countries covered by the study are the U.S., U.K., Canada, Germany, France, Australia, Singapore, Brazil, Mexico, Japan and South Korea. According to... Continue reading

On November 1, 2019 CNBC’s Nightly Business Report featured the growing need for qualified cybersecurity workers in their “Help Wanted” segment. The (ISC)2 Cybersecurity Workforce Study, 2019 served as the foundation of this story, which pointed to the newly reported shortage of 4 million trained cybersecurity professionals worldwide. Cybersecurity analyst Mandi Ingersoll of TDI Security, a cybersecurity firm in Washington, D.C., began her career in cybersecurity in the U.S. Navy. She chose to stay in the field after retiring from military service. “It’s interesting because it’s always something new.” TDI’s CEO, Paul Innella, CISSP-ISSMP says the firm has had trouble... Continue reading

Human Spirit Admiral William H. McRaven (retired) was one of the speakers at (ISC)2 Security Congress who received a standing ovation. Another was Eric Wahl, an artist and best-selling author, who delivered the lunch hour keynote on the second day. He mesmerized the audience by painting portraits of Michael Jordan, John Lennon and Albert Einstein to heart-pounding music in a matter of minutes. He urged attendees to let the human spirit drive them even as they increasingly rely on digital tools, data, analytics and automation to do their job of protecting people and organizations. Wahl talked about the importance of... Continue reading

Sometimes you need a boatload of people to help you through. It’s a lesson Admiral William H. McRaven (retired) learned after a parachute accident that left him bedridden for months. The accident happened while he was participating in a Naval Special Warfare exercise involving a 1,000-foot free-fall jump. McRaven, who served as the ninth commander of the U.S. Special Operations command from August 2011 to August 2014, got both legs tangled in his parachute because another parachutist was underneath him and opened his chute into McRaven’s falling body. When McRaven opened his own chute, his legs became tangled and the... Continue reading

The cyber ecosystem is changing faster than ever, creating new attack surfaces and increasing the challenge of defending against new and evolving threats. The fast-changing landscape requires new ways of thinking and approaches to protect environments that spread across on-premise and cloud infrastructures and connect IT with OT (operational technology) systems. Just accepting that the expansion of the ecosystem – and the growing presence of technology in our lives – will increase risk isn’t good enough. This is a point (ISC)2 CEO David Shearer made clear at the kickoff of the organization’s Security Congress 2019 this week in Orlando. We... Continue reading

While cybersecurity spending is expected to hit $124 billion this year, only a small portion of it will go toward identity management. Yet, a disproportionate number of breaches occur because of flaws in access management and dangerous practices such as the sharing of passwords, according to Tariq Shaikh, CISSP, Senior Security Advisor for CVS Health. Identity management spending accounts for 5% to 10% of total cybersecurity spend. When it comes to privileged access management (PAM), Shaikh said the portion is even smaller -- 1%. It’s time to change that, he argued during a session on PAM at the (ISC)2 Security... Continue reading

While artificial intelligence (AI) has gotten a lot of attention in recent years as a possible solution for cybersecurity issues, Winn Schwartau argues there’s a long way to go before we can trust AI and its siblings, machine learning (ML) and deep learning (DL), to deliver the results we need. During a presentation on the ethical bias of AI-based systems at the (ISC)2 Security Congress 2019, Schwartau said significant problems with AI need to be overcome before we can fully trust it with something as important as cybersecurity. Schwartau, a top expert on security and privacy, is the Chief Visionary... Continue reading

Whenever new data privacy and cybersecurity laws go into effect, they create more work and responsibilities for cyber professionals. This reality hasn’t gone unnoticed by attorney Scott Giordano, who reminded cybersecurity professionals during a session about the California Consumer Privacy Act (CCPA) that the law will create new duties for them. Giordano, Vice President of Data Protection at Spirion, went over details of the law, which takes effect on Jan. 1, 2020, and how organizations should prepare for it. His was one of a series of presentations at the 2019 (ISC)² Security Congress, taking place in Orlando this week, about... Continue reading

At public events, speakers and performers often ask the audience to turn off their mobile phones, but Catherine Price really meant it. She asked attendees of Tuesday’s keynote speech at (ISC)2 Security Congress 2019 to actually press their phones’ power button. “I’m going to guess a lot of people are feeling uncomfortable. A lot of you faked it. A lot of you are probably hating me right now,” said Price, a journalist and author of the book, “How to Break Up with Your Phone.” For the next hour, Price discussed the reasons we are so tethered to our phones, what... Continue reading

When doing their work, cybersecurity professionals often come across situations that put their skills to the test. And sometimes those tests have far less to do with technology or business than with questions of ethics. When cyber professionals discover vulnerabilities while performing penetration tests or some other security-related work, is it OK to disclose those vulnerabilities publicly? What happens if system owners are made aware of issues but decide to ignore them? And at which point, while testing systems containing private information, do cyber professionals reach a line they should not cross? These questions were part of a lively panel... Continue reading

The spotlight was on safety at the kickoff this morning of (ISC)² Security Congress 2019, taking place this week in Orlando. First, (ISC)² CEO David Shearer talked about the role that association members have in protecting society through their cybersecurity work. Then, Capt. Chesley Burnett "Sully" Sullenberger, the pilot of flight 1549, which landed on the Hudson River in January 2009, related the events of that day and how he and his co-pilot, Jeff Skiles, safely landed their U.S. Airways Airbus with everyone aboard surviving the event. Shearer spent much of his kickoff address on the importance of abstracting what... Continue reading

It is widely known within the cybersecurity field that there is a severe talent shortage. Organizations across all industries are facing major challenges in staffing their security teams to protect themselves from cyber threats. Healthcare, along with finance and retail, is one of the most commonly-targeted industries by cybercriminals. As the (ISC)2 Cybersecurity Workforce Study revealed, the deficit of cybersecurity professionals has reached critical levels, at nearly 3 million worldwide. According to the March 2018 McAfee Labs Threat Report, healthcare is the most targeted of any sector for cybersecurity attacks. Ransomware attacks, specifically in the healthcare sector, increased by 210... Continue reading

by Adam M. Lechnos, CISSP Payment Card Industry Data Security Standards or PCI DSS, are a set of 12 requirements with over 300 controls which apply to any organization which stores, processes or transmits credit card data. Today, I will attempt to add some clarity around PCI compliance within AWS. Concepts and practices were sourced from the referenced document below and here I will break it down further. I do suggest you first read the Architecting for PCI DSS Scoping and Segmentation on AWS and come back to enhance your understanding of the methods being applied and its rationale. For... Continue reading

When M&A auditors look at a target company’s tangible assets, in the vast majority of cases that includes cybersecurity. In a new (ISC)² study about the impact of cybersecurity in M&A, 95% of respondents say they consider cybersecurity infrastructure “a tangible part” of the value calculation. The stronger the infrastructure, including soft assets such as risk management policies and security awareness training programs, the higher a target company’s value will be, according to 82% of respondents. If an audit reveals weak security practices, 52% of respondents would view the cybersecurity program as a liability. What this means for organizations considering... Continue reading