by John Martin, CISSP, Senior Security Architect, IBM New Zealand Are you ready for the New Zealand Privacy Act 2020 to come into effect on 1st December 2020? There’s a lot to consider as the clock ticks down and your organisation’s ability to comply is critical if you want to avoid some of the hefty fines involved. As you align your security strategy with your business, here are some key areas to consider as you prepare: Reporting privacy breaches immediately It will be mandatory for businesses to immediately report serious privacy breaches, particularly where a data breach poses a risk... Continue reading

As published in the September/October 2020 edition of InfoSecurity Professional Magazine By Anita J. Bateman, CISSP We are all plagued by technical debt in the form of legacy systems that can no longer be patched but must be kept up and running. Critical business processes, legacy data retention, lack of system knowledge or “pet” projects might keep us from retiring these difficult-to-maintain systems. From the very first operating system updates on the original IBM 360 to the latest Windows 10 updates today, we still struggle with this common challenge to fully patch and maintain our technical systems. Might there be... Continue reading

While skills shortages remain a major challenge in cybersecurity, those who work in the field have ample opportunities to boost their salaries. And one sure way to get better pay is by earning certifications, according to a new study by training services provider Global Knowledge. “Learning a new skill or earning a certification can result in a raise upwards of $12,000 a year,” according to the Global Knowledge 2020 IT Skills and Salary Report. The figure applies to IT professionals as a whole but is especially relevant to cybersecurity professionals considering that the report says, “cloud computing and cybersecurity certifications... Continue reading

During her (ISC)2 Security Congress 2020 keynote speech, Juliette Kayyem used three words that tidily sum up the can-do spirit of the cybersecurity community: “We got this.” Kayyem, a former assistant secretary at the Department of Homeland Security, was speaking within the context of society’s ability to adapt, learn and build resilience during the COVID-19 crisis. Still, her remarks reflect the general ethos of the cybersecurity profession. Cybersecurity professionals recognize that if they can’t say, “we got this,” the alternative is too alarming to fathom. Cybersecurity workers have to adapt – all the time. Just like what society at large... Continue reading

Are you pursing a degree (or another) in cyber or information security? Know someone who is? The Center for Cyber Safety and Education can help! The high demand for skilled cybersecurity experts and lack of qualified candidates equals a world of opportunity for students and those looking to change careers. The Center for Cyber Safety and Education is excited to kick off our biggest scholarship year in our 10-year history! Thanks to partners like (ISC)², SAIC, Raytheon and KnowBe4, we will be awarding in 2021 a record $235,000 in financial aid to some 70 students from around the world. Who... Continue reading

If there is one thing adversity can teach you, it’s how to avoid bad situations in the future. Or so you would think. But when it comes to incident response, most organizations fail to conduct a post-incident review (PIR) or when they do, it tends to be ineffective, according to Faranak Firozan, who works in Incident Response for NVIDIA. As part of the (ISC)2 Security Congress 2020, Faranak delivered a presentation on PIR components and goals. She stressed the importance of PIRs in determining the causes of a security incident, its effects and the lessons an organization can learn to... Continue reading

For anyone hoping the COVD-19 crisis will come to a quick end, former Homeland Security Assistant Secretary Juliette Kayyem offered some sobering words today: The virus will be with us for the foreseeable future. “I have to be blunt and tell you this period is going to exist until further notice. We are going to have to learn to live with the virus. Once you get your head around that, then the solution becomes clear,” Kayyem said. She delivered her remarks virtually as the third and final keynote speaker at (ISC)2 Security Congress 2020. Kayyem focused her talk on what... Continue reading

The COVID-19 pandemic delivered a serious blow to the global economy, but plenty of job opportunities remain in the cybersecurity field, according to Kris Rides, CEO of cybersecurity staffing company Tiro Security. There were cybersecurity layoffs, Rides said, but in much smaller numbers than in industries such as travel and entertainment, which have taken the brunt of the pandemic’s economic impact. Cybersecurity “is one area where companies couldn’t really afford to lay off people,” Rides said, during a virtual presentation as part of the (ISC)2 2020 Security Congress taking place this week. Kris Rides, CEO of Tiro Security The pandemic’s... Continue reading

The Internal and External Struggles of Ethics and the CISSP Credential As Old As Mythology All students of information security have heard of the Caesar cipher and the Spartan Scytale. These early encryption methods demonstrate the craftiness of the human mind. Encryption has evolved and become more sophisticated. Encryption has been instrumental in the advancement of society. Can you think of another ancient mental construct of humanity that has remained static, yet is no less important to the functioning of society? Let’s consider the topic of ethics. The concept of ethics has existed since ancient times, and the subject is... Continue reading

Cybersecurity expert Joseph Carson, CISSP, learned a valuable lesson after conducting a penetration test at a power station that took him four months of preparation: How you communicate your findings to an organization’s leadership makes all the difference in how they decide to act on the information. During a virtual presentation as part of the (ISC)2 2020 Security Congress, Carson, who serves as Thycotic’s chief security scientist and advisory CISO, said he was shocked when the power utility’s board essentially shrugged off his findings. After all, he thought the findings were pretty damning. Get this: After spending a morning inside... Continue reading

Graham Cluley Despite the substantial increase in remote working since the start of the COVID-19 pandemic, security breaches have stayed about the same for the vast majority of people and businesses, according to security expert Graham Cluley, an award-winning blogger who provided the Tuesday keynote speech at this year’s virtual (ISC)2 Security Congress. Only one in 10 businesses say they have experienced a dramatic increase in attacks, Cluley said, before quickly adding that attacks don’t always result in breaches. As a matter of fact, research shows breaches increased by only one percentage point over the past 12 months, to 16%... Continue reading

When does technology become too easy to use? And when does simplicity start working against you? These were among the many the questions tackled by a group of panelists during a 2020 (ISC)² Security Congress virtual session called “Easily Deployed and Sold Short.” At issue was whether easy-to-use user interfaces on complex security tools make it more difficult for cybersecurity team leaders to figure out what skills their team members have mastered. Timothy Robnett, vCISO at Wavefront Consulting, made no bones about it: “A simple UX makes it harder to promote somebody,” he said. Simplicity of use, he said, doesn’t... Continue reading

5G is coming, bringing with it speedier connections and higher bandwidth. But what about security? As with most things related to technology, there’s good and bad, according to Kevin McNamee, director of threat intelligence at Nokia. It’s a two-sided coin. 5G is inherently more secure than previous wireless standards, but also vastly increases the attack surface as Internet of Things (IoT) devices proliferate, McNamee said. Monitoring, automation and secure communications will be essential to securing 5G investments, he added. His remarks came during a breakout session as part of (ISC)2 Security Congress 2020, taking place virtually this week. Kevin McNamee,... Continue reading

Bruce Schneier The relationship between technology and public policy is the defining challenge of the current century, according to Bruce Schneier, the keynote speaker at (ISC)2 Security Congress 2020, taking place virtually this week. “Today technology is deeply intertwined with society. It’s literally creating our world. It’s no longer sustainable for technology and policy to be in different worlds,” said Schneier, a security expert, best-selling author and Fellow at Harvard University’s Berkman-Klein Center for Internet & Society. When the internet was first commercialized, governments didn’t want to stifle the development of an important and profitable industry. As a result, the... Continue reading

Take the CISSP practice quiz to find out if you’re ready for the exam The CISSP certification is the ideal credential for those with the technical and managerial competence, skills, and experience to design, engineer, implement, and manage an overall cybersecurity program. Considered the industry’s premier security credential, the CISSP differentiates leaders giving them the competitive advantage across the industry. The CISSP covers eight broad domains, so it’s no surprise that preparing for the exam can be a daunting task. To help you assess your readiness, we’ve developed the CISSP practice quiz. The free online quiz is designed to test... Continue reading

Like most things this year, (ISC)² Security Congress looks a little different. This year’s virtual event might not have you gathering with thousands of colleagues in Orlando, but you can still enjoy many of the fun activities we’ve offered over the years. Be sure to log into https://securitycongress.brighttalk.live/networking-engagement/ using your BrightTALK credentials. Escape Room A crowd pleaser at past Security Congress conferences, Living Security is back this year with their Virtual CyberEscape Room. Play online with colleagues in this team-based, engaging and FUN exercise. Sign your team up. Panoply Another Security Congress classic is the Panoply competition. This network assessment... Continue reading

For the first time since (ISC)2 started tracking cybersecurity workforce numbers in 2004, we have seen a decrease in the skills gap, from 4.07 million in 2019 to 3.12 million. According to the 2020 (ISC)2 Cybersecurity Workforce Study, the workforce increased 25% from 2019 to a total of 3.5 million professionals worldwide. The numbers reflect an increase in new entrants to the field – 700,000 of them – but that doesn’t tell the whole story. Another contributing factor is an apparent reduction in demand as a result of the COVID-19 pandemic, which has had significant economic impacts around the world.... Continue reading

One of the biggest draws to (ISC)² Security Congress is networking and engaging with other experts in the cybersecurity industry. Despite the lack of gathering together in-person, #ISC2Congress 2020 will not be lacking in the opportunities for connecting with others, learning best practices and providing career enhancement in five networking lounges throughout the conference. With more than 4,500 attendees registered, there is something for everyone at all career levels. Each of the five topic-specific lounges will allow attendees to participate in a discussion forum, access resources, view presentations, ask questions and even earn CPEs for attending. Attendees and Members Lounge... Continue reading

A corporate security policy is the cornerstone document of a company’s risk management. Does your business have the appropriate security controls in place to implement the policy, or is the policy a forgotten document in a dusty drawer? Although most companies have established security policies at the strategic level these are not always enforced, because they lack foundational support at the tactical level. The key to solving this is knowledgeable and skilled security practitioners who can take the lead and implement security controls aligned to the policy’s goals. Many security incidents may have been avoided if the proper security controls... Continue reading

The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted. In support of this, (ISC)2 has launched a series of interviews to explore where CISSP certification has led security professionals. Our first installment features Javvad Malik, a security awareness advocate at KnowBe4, as well as blogger and YouTuber at JavvadMalik.com. He’s also contributes on two podcasts, The... Continue reading

(ISC)² Security Congress is virtual for the first time this year making it even easier for CISSPs, and all certified (ISC)² members, to earn CPEs. Taking place November 16-18, we’ll been presenting 3 expert keynotes, a Town Hall meeting, virtual expo hall and networking opportunities, along with nearly 50 hours of educational breakout sessions. To attend, you’ll need to create an account and purchase your pass for the conference. Member pricing is U.S. $395 for an All Access Pass which is your best value for price and CPEs. Keynote sessions will be available on-demand for 60 days after the event.... Continue reading

by Anastasios Arampatzis Cyberattacks in the Healthcare Industry are Increasing The use of technology in the healthcare sector can be both life-saving and life-threatening. Advancements in technology, like 3D printing, virtual reality, robotics, and Internet of Medical Things (IoMT), improve the ability of healthcare organizations to provide better care for their patients. At the same time, criminals leverage this new technology to execute their malevolent causes by either stealing protected health information (PHI) and other sensitive data or disrupting the operation of healthcare providers. The recent COVID-19 pandemic serves as a good example of the attack vectors criminals are using.... Continue reading

Inadequate cybersecurity staffing is the second-largest barrier faced by state governments in their attempts to overcome cybersecurity challenges, according to a newly released Deloitte study. Insufficient budget was the biggest barrier reported, and interestingly, the lack of availability of cybersecurity professionals was cited as the fifth largest barrier. Inadequate staffing has been a prevalent issue for years. (ISC)2’s 2019 Cybersecurity Workforce Study estimates the shortage of needed skilled professionals is more than 4 million worldwide. This creates challenges for CISOs as they focus on protecting their organizations. The Deloitte study, which is based on responses from 51 U.S. states and... Continue reading