CISO Corner: What Cyber Labor Shortage?; Trouble Meeting SEC Disclosure Deadlines

Published: 23/11/2024   Category: security




Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: DR's podcast on the CISO & the SEC; breaking down CISA's Secure by Design Pledge; Singapore puts cloud providers on notice.



Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.
CISOs & Their Companies Struggle to Comply with SEC Disclosure Rules
Podcast: Dark Reading Confidential: The CISO & the SEC
Top 5 Most Dangerous Cyber Threats in 2024
DR Global: Singapore Cybersecurity Update Puts Cloud Providers on Notice
There Is No Cyber Labor Shortage
Is CISAs Secure by Design Pledge Toothless?
By Rob Lemos, Contributing Writer, Dark Reading
Most companies still can't determine whether a breach is material and then disclose it within the four business days the SEC mandates, which skews incident response.
Companies could face millions of dollars in fines if they fail to notify the SEC of a material breach. But, overall, 68% of cybersecurity teams do not believe that their company could comply with the four-day disclosure rule, according to a survey published on May 16 by cloud security firm VikingCloud.
The largest public companies already have disclosure committees to determine whether a variety of events — from severe weather to economic changes and geopolitical unrest — might have a material impact. But while larger companies have focused on the issue for over a year — even before the rule was finalized — smaller companies have had a more difficult road, says Matt Gorham, leader of the Cyber and Privacy Innovation Institute at consultancy PricewaterhouseCoopers. Companies need to focus on creating a documented process and saving contemporaneous evidence as they work through that process for each incident.
There's a great disparity from one company to the other ... and between incidents, he says. Initially, you may have decided that [the breach] may not be material at that point in time, but you're going to have to continue to assess the damage and see if it's risen to the level of materiality.
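Gorham's advice above (a documented process, contemporaneous evidence, and reassessment as the damage becomes clearer) maps naturally onto an append-only record. What follows is an added example, not code from the article, from VikingCloud or from PwC: a hash-chained ledger of materiality assessments for one incident, with the Form 8-K clock computed from it. It assumes the rule's actual trigger, which is four business days after the company determines the incident is material (Item 1.05 of Form 8-K); it skips weekends but does not model holidays; the incident identifier, assessor names and rationales are constructed for the illustration.

```python
"""Added example: tamper-evident ledger of materiality assessments plus the Form 8-K clock.

Assumptions (not from the article): Item 1.05 of Form 8-K is due within four business days
after the registrant determines the incident is material; weekends are skipped but federal
holidays are not modelled; the incident id, assessors and rationales below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import List, Optional

GENESIS_HASH = "0" * 64


def business_days_after(start: date, n: int) -> date:
    """Date n business days (Mon-Fri) after start. Holidays are ignored (simplification)."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current


def disclosure_deadline(determined_on_iso: str) -> str:
    """Last day to file Item 1.05, given the ISO date on which materiality was determined."""
    return business_days_after(date.fromisoformat(determined_on_iso), 4).isoformat()


@dataclass(frozen=True)
class Assessment:
    recorded_at: str    # ISO-8601 UTC timestamp of when the assessment was logged
    assessor: str
    materiality: str    # "undetermined" | "not_material" | "material"
    rationale: str
    prev_hash: str      # hash of the previous entry (GENESIS_HASH for the first)
    entry_hash: str     # SHA-256 over this entry's fields and prev_hash


def _entry_hash(recorded_at: str, assessor: str, materiality: str,
                rationale: str, prev_hash: str) -> str:
    payload = json.dumps({"recorded_at": recorded_at, "assessor": assessor,
                          "materiality": materiality, "rationale": rationale,
                          "prev_hash": prev_hash}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class MaterialityLedger:
    """Append-only chain of assessments for one incident; each entry commits to its predecessor."""
    VALID = {"undetermined", "not_material", "material"}

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: List[Assessment] = []

    def record(self, assessor: str, materiality: str, rationale: str,
               recorded_at: Optional[str] = None) -> Assessment:
        if materiality not in self.VALID:
            raise ValueError(f"unknown materiality state: {materiality}")
        if recorded_at is None:
            recorded_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        digest = _entry_hash(recorded_at, assessor, materiality, rationale, prev_hash)
        entry = Assessment(recorded_at, assessor, materiality, rationale, prev_hash, digest)
        self.entries.append(entry)
        return entry

    @staticmethod
    def verify_entries(entries: List[Assessment]) -> bool:
        """True only if every entry hashes correctly and links to its predecessor."""
        prev_hash = GENESIS_HASH
        for e in entries:
            if e.prev_hash != prev_hash:
                return False
            if _entry_hash(e.recorded_at, e.assessor, e.materiality,
                           e.rationale, e.prev_hash) != e.entry_hash:
                return False
            prev_hash = e.entry_hash
        return True

    def verify(self) -> bool:
        return self.verify_entries(self.entries)

    def determination_date(self) -> Optional[str]:
        """ISO date of the first entry marking the incident material, if any."""
        for e in self.entries:
            if e.materiality == "material":
                return datetime.fromisoformat(e.recorded_at).date().isoformat()
        return None

    def deadline(self) -> Optional[str]:
        determined = self.determination_date()
        return disclosure_deadline(determined) if determined else None


def build_sample_ledger() -> MaterialityLedger:
    """Constructed sample: three assessments over a week, the last one flipping to material."""
    ledger = MaterialityLedger("INC-2024-0042")  # hypothetical identifier
    ledger.record("ir-lead", "undetermined", "Unauthorized access to a file share; scope unknown",
                  recorded_at="2024-05-14T09:00:00+00:00")
    ledger.record("disclosure-committee", "not_material",
                  "Initial scope: three internal documents, no customer data",
                  recorded_at="2024-05-15T17:30:00+00:00")
    ledger.record("disclosure-committee", "material",
                  "Forensics show 1.2M customer records exfiltrated",
                  recorded_at="2024-05-17T16:30:00+00:00")  # a Friday
    return ledger
```

Each entry commits to the one before it, so "what did we know on day two?" is answerable from a record that cannot be quietly rewritten after the fact. The deadline is computed from the first entry marked material, which is the rule's trigger; the earlier "not material" entry stays in the chain as evidence of exactly the reassessment Gorham describes.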
Read more:
CISOs & Their Companies Struggle to Comply with SEC Disclosure Rules
Related:
Anatomy of a Data Breach: What to Do If It Happens to You, a free Dark Reading virtual event scheduled for June 20. Verizon's Alex Pinto will deliver a keynote, Up Close: Real-World Data Breaches, that details DBIR findings and more.
Hosted by Dark Reading's Becky Bracken, Sr. Editor, and Kelly Jackson Higgins, Editor-in-Chief
Episode 1 of Dark Reading Confidential brings Frederick “Flee” Lee, CISO of Reddit; Beth Burgin Waller, a practicing cyber attorney who represents many CISOs; and Ben Lee, Chief Legal Officer of Reddit, to the table.
It's a brand new podcast from the editors of Dark Reading, where we are going to focus on bringing you real-world stories straight from the cyber trenches. The first episode dives into the increasingly complicated relationship between the Securities and Exchange Commission (SEC) and the role of the chief information security officer (CISO) within publicly traded companies.
In the wake of Uber's Joe Sullivan and the SolarWinds executive Tim Brown being held accountable for breaches, CISOs now face a dual challenge of properly interpreting what the SEC means by its new rules for cyber incidents, as well as their own personal liability.
Read more:
Dark Reading Confidential: The CISO and the SEC
(transcript available)
Related:
Ex-Uber CISO Advocates Personal Incident Response Plan for Security Execs
By Ericka Chickowski, Contributing Writer, Dark Reading
SANS Institute experts weigh in on the top threat vectors faced by enterprises and the public at large.
Only five months into 2024, and the year has been a busy one for cybersecurity practitioners. But what's ahead for the rest of the year? According to the SANS Technology Institute, there are five top threats flagged by SANS experts that enterprises should be worried about.
1. Security Impact of Technical Debt:
The security cracks left behind by technical debt may not sound like a pressing new threat, but according to Dr. Johannes Ullrich, dean of research for SANS Technology Institute, the enterprise software stack is at an inflection point for cascading problems.
2. Synthetic Identity in the AI Age:
Fake videos and fake audio are being used to impersonate people, Ullrich said, and they will foil many of the biometric authentication methods that have gained steam over the last decade. The game changer today is not the quality of these impersonations, he said. The game changer is cost. It has become cheap to do this.
3. Sextortion:
According to Heather Mahalik Barnhart, a SANS faculty fellow and senior director of community engagement at Cellebrite, criminals are increasingly extorting online denizens with sexual pictures or videos, threatening that they'll release them if the victim doesn't do what they ask. And in the era of highly convincing AI-generated images, those pictures or videos don't even need to be real to do damage. It's a problem that's running rampant, she said.
4. GenAI Election Threats:
Fake media manipulation and other generative AI-generated election threats will be ever present across all of the major platforms, warned Terrence Williams, a SANS instructor and security engineer for AWS. You can thank 2024 for giving us the blessing of GenAI plus an election, he said. You know how well we handle those things, so we need to understand what we're coming up against right now.
5. Offensive AI as Threat Multiplier:
According to Stephen Sims, a SANS fellow and longtime offensive security researcher, as GenAI grows more sophisticated, even the most nontechnical cyberattackers now have a more flexible arsenal of tools at their fingertips to quickly get malicious campaigns up and running.
The speed at which we can now discover vulnerabilities and weaponize them is extremely fast, and it's getting faster, Sims said.
Read more:
Top 5 Most Dangerous Cyber Threats in 2024
Related:
Why Criminals Like AI for Synthetic Identity Fraud
Commentary by Matan Getz, CEO & Co-Founder, Aim Security
CISOs are now considered part of the organizational executive leadership and have both the responsibility and the opportunity to drive not just security but business success.
As organizations get a handle on how AI can benefit their specific offerings, and while they try to ascertain the risks inherent in AI adoption, many forward-thinking companies have already set up dedicated AI stakeholders within their organization to ensure they are well-prepared for this revolution.
Chief information security officers (CISOs) are the heart of this committee, and those ultimately responsible for implementing its recommendations. Therefore, understanding its priorities, tasks, and potential challenges is pivotal for CISOs who want to be business enablers instead of obstructors.
There are three fundamentals CISOs can use as a guide to being the pivotal asset in the AI committee and ensuring its success:
1. Begin with a comprehensive assessment: You can't protect what you don't know.
2. Implement a phased adoption approach: Phasing adoption lets security accompany each stage and assess its security implications in real time. With gradual adoption, CISOs can run parallel security controls and measure their success.
3. Be the YES! guy — but with guardrails: To protect against threats, CISOs should set up content-based guardrails to define and then alert on prompts that are risky or malicious, or that violate compliance standards. New AI-focused security solutions may allow customers to also set up and define their own unique parameters of safe prompts.
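A concrete form of the guardrails in point 3, as an added example rather than code from the commentary or from Aim Security: a rule-driven prompt filter that classifies each prompt as allow, alert or block, redacts the matched text before anything is written to logs, and accepts customer-defined rules alongside the built-in ones. The rule set, severities, actions, the alert event shape and the sample prompts are all constructed for this illustration.

```python
"""Added example: content-based prompt guardrail that alerts on, or blocks, risky prompts.

Assumptions (not from the commentary): the rule set, severities, "alert"/"block" actions and
the alert event shape are made up for illustration; the prompts in the tests are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str      # Python regex applied to the raw prompt
    severity: str     # "low" | "medium" | "high"
    action: str       # "alert": log and pass through; "block": stop the prompt


# Built-in rules, constructed for this example; a real deployment would tune and extend them.
DEFAULT_RULES = [
    Rule("aws_access_key", r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b", "high", "block"),
    Rule("private_key_block", r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----", "high", "block"),
    Rule("us_ssn", r"\b\d{3}-\d{2}-\d{4}\b", "high", "block"),
    Rule("email_address", r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b", "medium", "alert"),
    Rule("prompt_injection",
         r"(?i)\b(?:ignore|disregard)\b.{0,40}?\b(?:previous|prior|system)\b.{0,20}?\b(?:instructions?|prompt)\b",
         "medium", "alert"),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Verdict:
    action: str = "allow"                                        # "allow" | "alert" | "block"
    severity: str = "none"
    matches: List[Tuple[str, str]] = field(default_factory=list)  # (rule name, matched text)
    redacted: str = ""                                           # prompt that is safe to log


def evaluate_prompt(prompt: str, rules: List[Rule] = DEFAULT_RULES) -> Verdict:
    """Run every rule over the prompt; the strictest action and highest severity win."""
    verdict = Verdict(redacted=prompt)
    for rule in rules:
        hits = [m.group(0) for m in re.finditer(rule.pattern, prompt)]
        if not hits:
            continue
        verdict.matches.extend((rule.name, hit) for hit in hits)
        if rule.action == "block" or verdict.action == "block":
            verdict.action = "block"
        else:
            verdict.action = "alert"
        if SEVERITY_RANK[rule.severity] > SEVERITY_RANK.get(verdict.severity, 0):
            verdict.severity = rule.severity
        # Never forward the matched text itself to the SIEM; replace it with the rule name.
        verdict.redacted = re.sub(rule.pattern, f"[{rule.name.upper()}]", verdict.redacted)
    return verdict


def alert_event(verdict: Verdict, principal: str, app: str) -> dict:
    """Event for the alerting pipeline; an empty dict means the prompt was clean."""
    if verdict.action == "allow":
        return {}
    return {
        "event": "llm_prompt_guardrail",
        "action": verdict.action,
        "severity": verdict.severity,
        "principal": principal,
        "app": app,
        "rules": sorted({name for name, _ in verdict.matches}),
        "prompt_redacted": verdict.redacted,
    }
```

The customer-defined parameters the commentary mentions are just more `Rule` entries appended to the list (a project codename that must not leave the company, a regulated data class, a phrase the compliance team wants flagged). Keep the redacted prompt, not the original, in the alert: a guardrail that copies the leaked key into the SIEM has only moved the exposure.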
Read more:
3 Tips for Becoming the Champion of Your Organizations AI Committee
Related:
US AI Experts Targeted in SugarGh0st RAT Campaign
By Robert Lemos, Contributing Writer, Dark Reading
The nation amends its Cybersecurity Act, giving its primary cybersecurity agency more power to regulate critical infrastructure and third parties, and requiring that cyber incidents be reported.
Lawmakers in Singapore updated the nation's cybersecurity regulations on May 7, to take into account the impact of running critical infrastructure management systems on cloud infrastructure and the use of third-party providers by critical infrastructure operators, as well as a cyber threat landscape in Asia that is growing more dangerous.
Given that so many critical information infrastructure operators have outsourced some facets of their operations to third parties and cloud providers, new rules were needed to hold those service providers accountable, Janil Puthucheary, senior minister of state for the Singapore Ministry of Communications and Information, said in a speech before the country's parliament.
The 2018 Act was developed to regulate CII that were physical systems, but new technology and business models have emerged since, he said. Hence, we need to update the Act to allow us to better regulate CIIs so that they continue to be secure and resilient against cyber threats, whatever technology or business model they run on.
Read more:
Singapore Cybersecurity Update Puts Cloud Providers on Notice
Related:
Singapore Sets High Bar in Cybersecurity Preparedness
Commentary by Rex Booth, CISO, SailPoint
There are plenty of valuable candidates on the market. Hiring managers are simply looking in the wrong places.
Hiring managers often are hesitant to hire candidates perceived as undercredentialed when they believe there must be a perfect candidate out there somewhere. But the truth is, a perfect candidate [a bachelor's degree in cybersecurity, Security+ (CISSP preferred) training, and $30,000 worth of SANS courses] probably isn't interested in a third-shift SOC position, which means hiring managers need to reevaluate where they look for new employees and which qualifications matter most.
By narrowing down candidate pools based on a small number of arbitrary qualifications, organizations and recruiters end up self-selecting candidates who are good at acquiring credentials and taking tests — neither of which necessarily correlate to long-term success in the cybersecurity field. Prioritizing this small pool of candidates also means overlooking the many, many candidates with analytical potential, technical promise, and professional dedication who may not have gotten the right degree or attended the right training course.
By tapping into these candidates, organizations will find that the cyber labor shortage that has received so much attention isn't such a hard problem to solve, after all.
Read more:
There Is No Cyber Labor Shortage
Related:
Cybersecurity Is Becoming More Diverse ... Except by Gender
By Nate Nelson, Contributing Writer, Dark Reading
CISA's agreement is voluntary and, frankly, basic. Signatories say that's a good thing.
At the 2024 RSA Conference last week, brand names like Microsoft, Amazon Web Services (AWS), IBM, Fortinet, and more agreed to take steps toward meeting a set of seven objectives defined by the US's premier cyber authority.
CISA's Secure by Design pledge consists of areas of security improvement split into seven primary categories: multifactor authentication (MFA), default passwords, reducing entire classes of vulnerability, security patches, vulnerability disclosure policy, CVEs, and evidence of intrusions.
The pledge contains nothing revolutionary and has no teeth whatsoever (it's voluntary and not legally binding). But for those involved, that's all beside the point.
While they may not have direct authority, I think that there is indirect authority by starting to define what the expectation is, says Chris Henderson, senior director of threat operations at Huntress, one of the signees.
Read more:
Is CISAs Secure by Design Pledge Toothless?
Related:
Patch Tuesday: Microsoft Windows DWM Zero-Day Poised for Mass Exploit
