CISO MAG | OCTOBER 2019
Volume 3 | Issue 9

CONTENTS

06 BUZZ: Deception all grown up
12 INSIGHT: Career Options for Cybersecurity Professionals are Unlimited
22 UNDER THE SPOTLIGHT: Julien Legrand, Operation Security Manager, Société Générale
36 COVER STORY: The Security Aware Enterprise
54 COLLABORATIONS: InfoSec Partnerships
62 IN THE NEWS: Top Stories from the Cybersecurity World
68 IN THE HOTSEAT: High-Profile Appointments in the Cybersecurity World
74 KICKSTARTERS: Startups Making Waves in the Cybersecurity World

EDITORIAL
International Editor: Amber Pedroncelli, amber.pedroncelli@eccouncil.org
Principal Editor: Brian Pereira, brian.p@eccouncil.org
Senior Feature Writer: Augustin Kurian, augustin.k@eccouncil.org
Feature Writer: Rudra Srinivas, rudra.s@eccouncil.org

MEDIA AND DESIGN
Media Director: Saba Mohammad, saba.mohammad@eccouncil.org
Sr. Graphics Designer: Sameer Surve, sameer.s@eccouncil.org
UI/UX Designer: Rajashakher Intha, rajashakher.i@eccouncil.org

MANAGEMENT
Executive Director: Apoorba Kumar*, apoorba@eccouncil.org
Senior Director, Compliance & Governance: Cherylann Vanderhide, cherylann@eccouncil.org
Deputy Business Head: Jyoti Punjabi, jyoti.punjabi@eccouncil.org
Marketing and Business Development Officer: Riddhi Chandra, riddhi.c@eccouncil.org
Digital Marketing Manager: Jiten Waghela, jiten.w@eccouncil.org
Publishing Sales Manager: Taruna Bose, taruna.b@eccouncil.org

TECHNOLOGY
Director of Technology: Raj Kumar Vishwakarma, rajkumar@eccouncil.org

EDITOR’S NOTE

Cybersecurity and the risk associated with cyber-attacks are frequent topics in the Boards of companies. News of cybersecurity threats and attacks is now common everyday news, so there is much more awareness.

The Board is not expecting an explanation of how malware or ransomware works. Instead, they want to know how an attack will impact the business. It needs to be quantified with business metrics.

The CISO needs to be an expert in communicating the impact of security to the Board. If he speaks the language of the business – in terms of the risks – he might win mindshare. That also makes it easier to convince the CFO for additional security investment.

Companies have for long used deceptive techniques like decoys and honeypots to trap hackers. But these techniques are evolving, writes Chris Roberts, the Chief Security Strategist at Attivo Networks. Chris is an advisory board member at EC-Council. Read his views in the BUZZ section.

These days CISOs have more career options and can pursue other executive roles, writes Charles L. (Chuck) McGann, Jr., in the INSIGHTS section. This is good news, and it should open the door for security professionals who are looking for alternative avenues of growth or responsibility, outside the CISO function. Chuck is a nationally recognized information security professional and the former Co-Chair of the (ISC)2 Government Advisory Board on Cyber Security. He is also engaged with the EC-Council to facilitate the Certified Chief Information Security Officer program.

Tell us what you think of this issue. If you have any suggestions, comments or queries, please reach us at editorial@cisomag.com.

Jay Bavisi
Editor-in-Chief

* Responsible for selection of news under PRB Act. Printed & Published by Apoorba Kumar, E-Commerce Consultants Pvt. Ltd., Editor: Brian Pereira.
The publishers regret that they cannot accept liability for errors & omissions contained in this publication, howsoever caused. The opinion & views contained in this publication are not necessarily those of the publisher. Readers are advised to seek specialist advice before acting on the information contained in the publication which is provided for general use & may not be appropriate for the readers’ particular circumstances. The ownership of trade marks is acknowledged. No part of this publication or any part of the contents thereof may be reproduced, stored in a retrieval system, or transmitted in any form without the permission of the publishers in writing.
BUZZ

DECEPTION ALL GROWN UP

I remember the days when we built our honeypots on CDs and dropped them onto machines without hard drives. The days when (let’s face it) the idea was to research what the heck the attackers were doing. If we were lucky, we caught one and they hung out for a while, then realized they were being taken for a fool and moved on. Meanwhile, we got some intelligence and carried on regardless.

Oh, how the times have changed! For the last couple of years, a number of companies have been working to build better and better mousetraps. Some have focused on the endpoint, some on the SMB market, and others have worked to drop decoy machines, systems, and all manner of enticing morsels of cheese scattered across the enterprise in the hope of catching attackers as they freely traverse around your networks (spoiler alert, I work for one of those companies).

One of the challenges has been engagement, and, like the art of fishing, it can involve long periods of boredom wondering if you’ve gotten it right, punctuated by short bursts of frenzied activity as you realize you’ve either hooked Jaws or just another sunken tree root.

The other core challenge has been “where.” In essence, your entire environment is a target, and (as we are all well aware) the adversaries have had an easy time of coming and going through most enterprises with little concern for how they initially breach and pivot. We all know that one of the main components of most enterprises is the human, so it stands to reason that humans continue to be the core focus (after all we’re easily fooled, ready to click on anything at a moment’s notice, and rarely ask for help). However, as times change and technology progresses, we have to consider the other attack vectors: cloud, IoT, mobile, ICS (industrial controls/building controls), wearable technology, embedded technology (human healthcare as well as augmentation), transportation, and a myriad of other avenues. All of these require an engagement fabric that deception and detection technologies have to be ready for, and many of them still require human participation. In many cases, this unfortunately means that we are protecting our systems from the very humans that use them.

Watch, learn, and engage

So, how do you engage? How do you actually lay out bait that’s good enough, yet not too good? How do you build a mousetrap that blends in but also isn’t going to be glossed over as “just another machine in the mix”? You actively engage. You don’t sit there like a frog on a log, waiting for the princess to come by. You actually watch, learn, and engage. You watch for “tells” and for actions. You are the Social Engineer of the deception world. Sitting there, actively looking at everything around you, saying hello to everyone, and when necessary engaging. This is where it gets sneaky.

Up to this point, the red blinking light meaning “there’s an attacker in our system” has only gone off when someone pokes a decoy, or uses a set of credentials, or prods a printer, switch, etc. Now, with the way we’ve helped deception grow up, the simplest question or observation of anything is going to set off all the alarm bells.

The art of deception

Here’s the logic: as an attacker/adversary, I’m going to land on your computer or in your network somewhere. Sorry, but you can’t stop me. None of your EDR, FW, IDS/IPS, or NGWTF is going to stop me from getting to you. So, now that I’m in, I want to know what’s around me. I might ask you if there are computers close to you (to which you’ll answer yes). I might ask you (nicely) to give me your login credentials and all the other ones you have stored in the registry, browser, and 101 other places that applications seem to put data these days (which you’ll willingly hand over). I might even check out the other systems/services you have running (obviously making sure to stop all the antivirus, host detection elements, and other things that can ruin my day), as well as other applications, systems, virtual drives, connected devices, etc. (which you’ll also hand over). In fact, the upside of being the adversary is I have always had the luxury of asking the computer for almost anything, and, up to this point, it’s handed everything over (which has always been rather handy).

In the past, you had to hope at each of those points that somewhere in that list of demands were deceptive credentials, systems, or accounts. Not anymore. Today, we’re able to work out that you are up to no good, and the grown-up deception we’ve nurtured starts handing out credentials that look/feel/smell real and seem to work, and we cover all the computers around you (even ones that don’t exist). We build responses and engagements on the fly, and we do it well enough to camouflage into the enterprise we’re protecting while all the while recording and alerting the blue teams. Now, the nice thing here is, we can also do this across the enterprise, so if an adversary lands on an IoT system, a switch, a cloud (which is, after all, just someone else’s computer!), your building controls, or virtually anywhere else in the network, we have the capabilities to engage effectively. We will welcome the attacker in with a handshake, a hug, and a nice set of credentials that’ll keep them busy while we alert all those around us.

The act of observing

The key to much of this thinking is to change the symmetry, place it firmly back in the hands of the blue team, and move from a reactive realm of security to something much more proactive. It’s not waiting for someone to make a move, for an attack to begin, for a pivot to happen, or choices to be made. It’s based on the logic behind the observer effect: simply put, the act of observing will influence (or change) the phenomenon being observed (in this case your computer or anything on it). Think of this new breed of deception as the hypothetical experiment with Schrödinger’s cat. The attacker is the one that cracks the lid on the box, and simply by observing whether the cat is alive or dead they trigger the change in state that alerts our intrepid band of quantum blue teamers.

This is deception grown up. This is proactive detection, deception, and something other than a pretty face in the crowd. This one goes looking for trouble rather than waiting for it to come to the doorstep. This is deception done right.

Chris Roberts is Chief Security Strategist at Attivo Networks. He is also an advisory board member at CISO MAG.

The opinions expressed within this article are the personal opinions of the author. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
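As an added example (not code from the article, from Attivo Networks, or from CISO MAG), the following Python sketches the mechanism Roberts describes: credentials and hostnames that were planted and have no legitimate user, so any authentication with them or any lookup of them, from anywhere in the enterprise, is a high-confidence alert rather than a reactive guess. Every account name, host, address and log line is constructed for the example, and the log format is an assumed '<timestamp> <kind> key=value ...' feed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Planted decoys. In a real deployment this is the deception platform's
# seed inventory; every name and placement here is constructed.
DECOY_ACCOUNTS = {
    "svc_backup_ro": "seeded in the Windows credential store of FIN-WS-17",
    "ora_admin": "seeded in the browser password store of DEV-WS-03",
}
# Hostnames advertised to endpoints that do not exist as real servers, so
# even a name lookup for one of them is a "question" nobody should ask.
DECOY_HOSTS = {"fileshare-02.corp.example", "sql-legacy.corp.example"}

# Constructed log lines in a simple '<ts> <kind> key=value ...' form:
# an authentication feed and a DNS query feed from the same day.
SAMPLE_LOG = """\
2019-10-02T03:13:58Z dns query=sql-legacy.corp.example src=10.20.30.44
2019-10-02T03:14:07Z auth target=fileserver-01 user=svc_backup_ro src=10.20.30.44 result=FAILURE
2019-10-02T03:14:09Z auth target=fileshare-02.corp.example user=svc_backup_ro src=10.20.30.44 result=SUCCESS
2019-10-02T09:00:12Z auth target=fileserver-01 user=jdoe src=10.20.31.9 result=SUCCESS
2019-10-02T09:02:40Z dns query=fileserver-01.corp.example src=10.20.31.9
2019-10-02T11:47:03Z auth target=sql-legacy.corp.example user=ora_admin src=10.20.30.44 result=SUCCESS
this line is not a log record and must be skipped
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    severity: str   # "CRITICAL" (decoy credential used) or "HIGH" (decoy host touched)
    src: str        # address that touched the decoy
    decoy: str      # which planted artefact was observed
    reason: str
    evidence: str   # raw log line, kept for the analyst


def parse_line(line: str) -> Optional[dict]:
    """Parse one record into a dict; return None for lines that are not records."""
    parts = line.strip().split(maxsplit=2)
    if len(parts) != 3 or parts[1] not in ("auth", "dns"):
        return None
    fields = dict(KV_RE.findall(parts[2]))
    if "src" not in fields:
        return None
    fields["ts"], fields["kind"], fields["raw"] = parts[0], parts[1], line.strip()
    return fields


def evaluate(ev: dict) -> List[Alert]:
    """Apply the two deception rules to one parsed event."""
    alerts: List[Alert] = []
    user = ev.get("user")
    if ev["kind"] == "auth" and user in DECOY_ACCOUNTS:
        # A planted credential has no legitimate user, so the result is
        # irrelevant: SUCCESS only means the decoy accepted it to keep the
        # intruder engaged while the blue team is alerted.
        alerts.append(Alert("CRITICAL", ev["src"], user,
                            f"decoy credential used ({DECOY_ACCOUNTS[user]}), "
                            f"result={ev.get('result')}", ev["raw"]))
    host = ev.get("target") if ev["kind"] == "auth" else ev.get("query")
    if host in DECOY_HOSTS:
        alerts.append(Alert("HIGH", ev["src"], host,
                            "lookup of or logon to a host that does not exist",
                            ev["raw"]))
    return alerts


def detect(log_text: str) -> List[Alert]:
    """Run every record in the feed through the rules, skipping non-records."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            alerts.extend(evaluate(ev))
    return alerts


def summarize_by_source(alerts: List[Alert]) -> Dict[str, dict]:
    """Group alerts per source so one intruder touching several decoys is one incident."""
    touched: Dict[str, set] = defaultdict(set)
    for a in alerts:
        touched[a.src].add(a.decoy)
    return {
        src: {
            "decoys": sorted(d),
            "verdict": "active reconnaissance" if len(d) > 1 else "single decoy touch",
        }
        for src, d in touched.items()
    }


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] src={a.src} decoy={a.decoy}: {a.reason}")
    print(summarize_by_source(found))
```

Because the decoys are never used legitimately, the rules need no baseline or threshold: the benign logons and lookups in the sample produce nothing, and the one source that touched four planted artefacts is reported as a single reconnaissance incident.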
INSIGHT

CAREER OPTIONS FOR CYBERSECURITY PROFESSIONALS ARE UNLIMITED

Chuck McGann

The security field is growing leaps and bounds, gaining more respect for the value it provides the organization and the stakeholders, and salaries are becoming aligned with the responsibility. Security is being taken seriously and has a critical role to play. More recently, the CISO is being exposed to the executive roles and responsibilities of a business leader. This is good news and it should open the door for security professionals who are looking for alternative avenues of growth or responsibility, or even looking outside of the CISO group into the business functions of the organization.

If you are a CISO, congratulations on getting the top security slot! You likely report within the CIO, CRO, CFO, CLO organization or, if very lucky, report to the CEO. This is where it gets a little harder to decide where to look for career options.

Some organizations will let executives fill in for others when their vacations or sick leave issues occur, and other organizations encourage cross-training at the executive level. If you have the opportunity to learn a peer role, use it, learn from it, and show interest in alternative positions.

One key issue is to ensure you have created a succession plan for yours and other positions or you may not have those opportunities.

What should one consider when looking to steer their career on a new track, including outside of security?

First, have a concrete answer to the question, “Why are you looking to move?” Is it burnout, too much stress, salary, or growth? Or are you just looking to learn something new and expand your horizons? Any of these reasons are valid for a security professional considering a career change.

Multiple Opportunities

If you were an engaged and active security professional – meaning, you understood the business, how it works, where revenue is generated and invested, who the customers were (internal and external) and if you were collaborative – you could move laterally into almost any position that didn’t require specialized education or training. For example: A Security Program Manager could easily move to a business function program manager position without too much difficulty. Many security professionals who have come from the technology field of IT or engineering, or even a business function, may at some point want to return to those areas after a stint in the security trenches. These resources will become significant advocates for securing the organization within their new role, and that’s a fantastic benefit for everyone. In choosing to return to a previous functional area, they take with them a greater understanding of the need for, and value of, securing the organization’s business processes and information.
UNDER THE SPOTLIGHT

Interview of Julien Legrand, Operation Security Manager, Société Générale

Augustin Kurian

… have cybersecurity certifications helped you in your career?

… certifications allow one to venture into new careers, most of which lack enough talent. Cybersecurity certifications, therefore, have … However, as much as certifications provide aspiring professionals … professionals to fit in that criteria.
COVER STORY

THE SECURITY AWARE ENTERPRISE

The volume of security attacks and threats to organizations has reached alarming proportions, so much so that “cybersecurity” and “risk” have become frequently used words among Boards of Directors.

The Board understands risk, numbers, charts, and strategy. But when news of organizations getting hacked, and the unfortunate consequences, trickles into the boardroom, it triggers waves of panic. The typical questions that arise are, “What if we were hit by that malware or ransomware next? How badly would that impact our business?”

Board members are likely to be aware of terms like “malware,” “ransomware” and acronyms like DDoS and APT that the tech industry notoriously creates every year (heard any new ones lately?). They might need a simple explanation of say, how ransomware spreads and what it does. They’re not asking for a crash course in cybersecurity, mind you.

But someone who has a deep understanding of cybersecurity and knowledge of business operations has got to answer those nagging questions. That calls for a clear communication strategy. That person has to talk about cybersecurity using the lingo of the business.

But how? What should and shouldn’t be said?

CISO MAG reached out to global CISOs, C-level executives and strategists and asked them to share strategies and tips for effective communication. Ten experienced senior management executives who served or continue to serve organizations in government and the private sector, share their best practices and communication strategies. They can be regarded as missionaries of cybersecurity, responsible for spreading awareness, top-down. That’s not an easy task, especially when reaching out to overburdened employees who have their plates heaped with work. Rallying thousands of employees in different locations to talk about best practices and security policies is a Herculean task.

But it’s a job that the CISO needs to do because they know that protecting the organization from hackers and malware has more to do with people and process. The technology is a means to achieve it, but not an end in itself.

It’s the CISO’s job to identify the risks that are most likely to impact the business – and translate that into potential losses using absolute business terms and quantifiable metrics.

The CISOs we interviewed for this story told us that using data points and speaking in terms of risk are some ways to get the Board’s attention. Using common security analogies to explain a threat is a better approach than using technical jargon.

And they also share how they keep themselves abreast with developments and how they continually train others in the organization.

Bottomline: The CISO should be an excellent communicator to win the Board’s mindshare and approval for security investment. Learn from these CISOs and adopt their communication strategies.
How do you communicate … Directors?

Heath Renfrow, CISO, LEO Cybersecurity; Former CISO, United States Army:
When dealing with Board of Directors, and other executive leadership that are not in the cyber security field, you must present the cyber risks to the organization in business terminology they understand. I lean heavily on the Factor Analysis of Information Risk (FAIR) methodology to break down cyber security risks into quantitative terminology. My job is to be the office of ‘know’ not ‘no’, and by presenting these risks in a quantitative manner, I am able to help the Board and other executive leadership (President, CEO, etc.) determine their risk appetite for the cyber risk facing the organization. Based off the risk appetite of the executive leadership for the various cyber risks I present to them, my team and I start working on meeting that risk appetite. The expectations of the executive leadership are for me as the CISO to meet the risk appetite, and continue to reassess the risks facing the organization, and continuously reevaluating those risks in terminology they understand.

Karina Queiroz, Founder, Teckids - Online Children Protection; Former Head of IT Security, Risk and Compliance, British American Tobacco:
My focus on awareness directed at the executive Board and beyond, is to bring real insight into the potential security … way. That makes it easier to understand the risks. I often talk about security incidents reported by the media, associating the same risks with the company in order to bring to life the potential risks of companies in the digital world, regardless of the industry. The expectation is to have a Board that is more in line with current threats and therefore promote appropriate care for effective risk management, prioritization that considers opportunity risks vs. security risks, and tailored attention to IT innovation and outsourcing projects.

Jorge Mario Ochoa, Global Security Operations Center Manager, Millicom International Cellular (Tigo); Professor of the Master in Cybersecurity, Panamerican Business School:
The boards are based on numbers, beyond talking about KRIs (key risk indicators), risk levels and impact, … value to those expectations, we become a strategic partner.

Carla Wheeler, Global CIO & CISO, Heartland Alliance:
I update the various boards through required semi/annual meetings and through a monthly progress report. In addition to the recurring updates at the Board meeting, I share trends, training, testing results and what is happening to be proactive. Lastly, it helps to pick their brain to determine what’s happening in their current organization or other Board views.

Dr. Rebecca Wynn, Head of Information Security & DPO, Matrix Medical Network:
Educating the Board is always a challenge in any organization. A really good time is every time there is something big in the news such as the Equifax breach. Those are golden times to send out a brief summary of events, why the event happened, and what your company is doing to ensure that it shouldn’t happen to you. State what you would need to better protect the company. Don’t just share the areas that you need resources. Share … and Chief Information Officer such as Cybersecurity Liability Insurance, then share that with them. If you see something that points out the true cost of a data breach in regard to company brand and reputation management, then share it with your Chief Marketing Officer and Chief Financial Officer. Those are great touch points beyond the standard Board meetings. There will always be several great opportunities each quarter.

Ravinder Arora, CISO and Data Privacy Officer at Iris Healthcare Software Inc:
There are different ways like having regular connect and giving them updates about the latest threats, etc. Another effective way is to run lots of simulations like phishing test, USB test, etc. In a review meeting as a CISO, I always show Risk with impact value in dollars so the Board can understand it better.

Kavya Pearlman, Global Cybersecurity Strategist – Wallarm; CEO & Founder - XR Safety Initiative (XRSI):
Regular Engagement. Align Security goals with business goals. Regular updates on Business focused cybersecurity metrics. Gone are the days when fear tactics worked the best. As cybersecurity and privacy laws become stricter, an honest discussion is the best aid in educating the Board around potential risks.

Sameer Ratolikar, Executive VP & CISO, HDFC Bank:
The Board in Indian banks is differently sensitized or aware about cybersecurity. That’s due to the progressive regulation and the incidents happening around them. So there is a reasonable amount of awareness. They are also familiar with common technical terms like malware, ransomware, etc.

If you use real-world examples, and if the business impact is communicated, the Board of directors understands it very well. For instance, when speaking about intrusion detection control, use the analogy of a CCTV camera. When you speak about an intrusion prevention system or firewalls, give the analogy of a security guard or watchman standing near the main door.

Use data points to relate a security concept or vulnerability to the business impact. For example, if I want to buy an anti-DDoS solution, I tell them our Internet banking volume is x percent, and the active customer base is y, and there is a certain amount of transactions per hour. If there is a DDoS attack, then this will be a loss: per hour, so many customers would be impacted, translating into this amount of dollar value loss for us.

Another important point — the discussion should not revolve only on cybersecurity; but it should move from security to risk. The Board is quite aware of the risk; there is also the important element of risk management. This means identification of risk, assessing the risk, predicting the risk and residual risk. You also need to relate these four elements of risk management to the proposal for which you are seeking approval. If the discussion shifts from security to risk management, then it becomes a meaningful discussion for the Board. The Board understands your thought process very well. They align their thought processes with yours and you’ll get buy-in.

Michael Miora, SVP & CISO, Korn Ferry:
The Board is interested in how security protections affect the business. What are the benefits and what are the operational and business costs? Avoid terms like “downtime” or “outage” because they don’t mean anything to the business. Instead, we talk about meeting customer Service Level Agreements (SLAs) and other performance metrics by preventing security impacts on our applications and systems.

Do bring in the human element and don’t just focus on technology. Don’t fear statistics: explain the number of security events and attacks against the infrastructure and explain how they are handled and how compromises were avoided. If there were some, be specific with the number and extent of them, phrased in terms of client impact and legal repercussions. Do correlate security actions with regulatory, legal and international issues. Find comparisons and examples from the news and show how you have prevented those by using technology, process and people well.

Bob Chaput, Founder, Executive Chairman, Clearwater:
Avoid overdoing it and follow this standard guidance for Board members: “Eyes open, nose in, fingers out.” Your Board and C-Suite don’t need to be subject-matter experts. Instead, focus on helping them understand how to provide security oversight and empower the organization. Don’t burden the Board with today’s threat or vulnerability du jour; that’s the CISO’s job. Instead, help the Board understand that your threats, vulnerabilities, and safeguards will change as the business does. Help them understand how to help you drive alignment of cybersecurity strategies and plans with the organization’s vision, mission, strategies and services and to establish, implement and mature a program that will transcend time.

Ensure the Board is educated on core concepts and cyber risk management terminology, namely, understanding that the overarching problem is about ensuring the confidentiality, integrity and availability of all of the organization’s sensitive data and the systems and devices that process it. From there, important discussions can be had about the organization’s most significant risks to that data.

The Board wants to confirm that they are acting appropriately and doing the correct due diligence to protect shareholder value and corporate assets. Make sure every statement in some way supports that.
What initiatives have you or your … awareness?

Heath Renfrow, CISO, LEO Cyber Security; Former CISO, United States Army:
My number one priority when walking into a new organization as their CISO is to drive a culture change regarding cybersecurity, especially security awareness. It is however the most difficult aspect of building or turning around a cybersecurity program. The most critical element to building a cyber aware culture is to have the most senior level executives onboard, and telling their employees how important security is to them and the organization. I have found that without this level of support from executive leadership, security awareness programs struggle to be successful. Once I have that level of support, we put in place the following:
• Simulated phishing campaigns.
• Continuous cyber awareness training (videos, posters, flyers, comic strips, interactive games, etc).
• We drive home the cybersecurity conscious culture by putting cybersecurity performance expectations into yearly goals for performance evaluations and tie that performance to incentive plans.
• Establish a cyber champion within the Board of Directors (BoD) who ranks for the CISO to interact on a regular basis. The CISO educates this champion on not only the cybersecurity posture …

Dr. Rebecca Wynn, Head of Information Security & DPO, Matrix Medical Network:
I have several initiatives. Every other month I issue a security awareness newsletter for the corporation. It is shared and stored on the corporate intranet. We do monthly introductions to security and conduct security awareness trainings for new hires. Departments ask us to speak to their team on a variety of subjects and we do those on average, every 6 - 8 weeks. We have two months that we have adopted for extra trainings and events: October – National Cybersecurity Awareness Month; and January – National Privacy Month. We do other days too such as Change Your Password Day and Digital Spring Cleaning Day. Lastly, we have awareness posters and change out awareness on the huge flat screen TVs around the locations. Those change out every month to different themes.

Sameer Ratolikar, Executive VP & CISO, HDFC Bank:
What is important is the perspective or the thought process. I look at it as a security culture. Today, it has to be looked … briefed about the important security controls and adherence. He needs to be aware of the usage policies of the bank, the email policy, the internet policy — before onboarding. Adherence to compliance is also extremely crucial. On the day of joining an employee has to undergo a course called ‘Watch your step.’ It is an orientation course about the organization structure and its cybersecurity best practices. It also includes the names of the people in the IT organization. Additionally, there is a mandatory online course which every employee (including the CEO and the Managing Director) has to pass, annually. It is called ISecurity Ambassador. A new employee has to do the ISecurity Ambassador course after 60 days of joining the organization. And for the rest of the year, he will receive wallpapers and screensavers with security messages. He also participates in the phishing quiz or drills. We won the DSCI (Data Security Council of India) award for creating security awareness and culture in the organization — for the last four years.

Jorge Mario Ochoa, Global Security Operations Center Manager, Millicom International Cellular (Tigo); Professor of the Master in Cybersecurity, Panamerican Business School:
One of the most rewarding activities has been working with multidisciplinary teams and different generations (Baby … and raise awareness. That’s why I created CyberHeroes.me, a cyber security awareness training based on gamification, where everyone enjoys learning through gaming techniques that also generates a sense of healthy competition and, above all, generates changes in behavior because users truly believe in the benefits. Additionally, I created the concept of NeuroHacking, which is basically how social engineering plays an increasingly important role in cyber-attacks and how we can prepare for it.”

Ravinder Arora, CISO and Data Privacy Officer at Iris Software Inc.:
We do lots of awareness mailers and floor shows. We also have some mandatory trainings for employees like Data Privacy, BCP, etc. We have selected security champions from different groups who ensure information security in the organization.

Kavya Pearlman, Global Cybersecurity Strategist – Wallarm; CEO & Founder - XR Safety Initiative (XRSI):
I am currently the CEO of XR Safety Initiative (XRSI), a non-profit organization dedicated to help build safe virtual environments. XRSI has an entire sub-organization ReadyHackerOne (RH1), dedicated to spreading cybersecurity awareness in the emerging technology domain. RH1 is actively working with global organizations to roll out awareness campaigns throughout the world. In my previous roles as Head of Security, I have always focused on the audience needs. Regular awareness campaigns focused on small wins, such as adoption of password manager, using gamification for awareness activities, etc. I believe Cybersecurity is everyone’s job and ensuring everyone understands what that really means. I have contributed to building resources such as this guide from National Initiative for Cybersecurity Education. I recommend circulating resources like this among each department and including cybersecurity discussions during various department meetings as well as company all hands.

Karina Queiroz, Founder, Teckids - Online Children Protection; Former Head of IT Security, Risk and Compliance, British American Tobacco:
I have developed different types of awareness throughout my career. The main point of attention in raising awareness at all levels of the corporation is language alignment and theme generalization. The best project I did was to design security training for everyone, giving them a chance to participate in what they believed to be most relevant — we ‘live’ — with my employees and their students. At the same time, there was mandatory security policy training (online, 20 minutes) and we started an online security competition where everyone could participate. In the end, the winners were recognized as “key security partners” in the areas where they were working. It was highly acclaimed, and the participation was excellent. Employees saw it as an opportunity to learn, be recognized for their efforts and be compliant with the Program.

Carla Wheeler, Global CIO & CISO, Heartland Alliance:
We use a combination of cybersecurity training tools and modules. I lead small setting trainings, annual renewal trainings, lunch-n-learn sessions, memos, newsletters, features and lots of re-education. It also helps to personalize discussions to something the team members relate.

Bob Chaput, Founder, Executive Chairman, Clearwater:
The education and security awareness process start with an agreement and understanding that the organization’s security program is a “team sport,” and everyone in the organization should be “deputized” as a “security officer.” Lines of business leaders, functional leaders and process leaders should have security performance objectives built into their annual performance appraisals. Once the “team sport” concept is established: Consider adopting the Board education recommendations provided above, engage lines of business, functional areas and process teams to engage in table-top incident response exercises; turn similar-organization, industry events into teachable moments by developing case studies to share throughout the organization. “Here’s what happened at Target or Yahoo or Equifax…,” provide an ongoing cadence of security reminders via email or internal newsletters; and create a culture of security – reward internal reporting of any potential security events.
The security landscape is ever … continual learning? … updated.

I think the best way to keep my team’s skills up to date has been to lead by example. When we demonstrate the benefits of keeping up to date, our teams will proactively look for opportunities to train and update knowledge continuously; when these happen it is time to do everything in our hands as leaders so that our teams get the necessary support. I believe that cybersecurity has a lot in common with medicine, in the sense that updating is not an option; it is a necessity. In order to keep my current certifications, I must comply with certain hours of continuous education, that challenges me to look for new certifications, courses and papers that keep myself updated and curious about the future of Cybersecurity. Most team members stay on top of current matters through networking events, reading, seeking guidance from management, and collaborating amongst peers.

Jorge Mario Ochoa
Global Security Operations Center Manager, Millicom International Cellular (Tigo)
Professor of the Master in Cybersecurity, Panamerican Business School

For employees, we use phishing campaigns to train them up and the …

Ravinder Arora
CISO and Data Privacy Officer at Iris Software Inc

While advising on this aspect, I have always focused on role-based training. Technical-savvy engineers should be given OWASP Top 10 type training, while everyone should have some level of awareness around common threats like social engineering, phishing, ransomware, etc. I also believe an internal communication regularly updating employees about the latest threats and breaches, and the lessons learned, is helpful to keep them aware. I am regularly on Twitter and LinkedIn to keep up with current affairs, and I remain connected with the hacker and information security community, to keep up with any new developments in the field.

Kavya Pearlman
Global Cybersecurity Strategist – Wallarm
Founder - XR Safety Initiative (XRSI)

We are already working on AI for security testing. We also have an R&D lab where … are constant and I post frequently as well as learn from my peers. I write for many magazines (CS Hub, Security Current, Cybersecurity Magazine, CIO Review, CISO Magazine) so I am always reading them. Additional feeds that I read on a regular basis are Crypto-gram, Cyberwire, Krebs, InfraGard, and sector specific news items such as Healthcare IT, NextGov. As for courses, I am an Adjunct Professor for the University of Advanced Technology. I am always looking at and taking courses from LinkedIn and edX. I believe, the more you know – the more you know that you don’t know. I am a constant learner.

Dr. Rebecca Wynn
Head of Information Security & DPO, Matrix Medical Network

I believe daily study is the way — understand vulnerabilities, how applications work and related bugs; network threats, database flaws, incidents techniques, the monitor backstage blogs; work on labs, monitor news through media, and engage in professional networking. I read labs’ blogs, engage in professional networking, do my own virtual lab, and go for conferences. I also explore experiences with peers.

Karina Queiroz
Founder, Teckids - Online Children Protection.
Former Head of IT Security, Risk and Compliance, British American Tobacco.

I utilize some of the tooling mentioned above but take it a step further. I am driven by learning and staying as current as possible. I am not afraid to ask a question and love being around energy from others. Lastly, I attend courses and workshops.

Carla Wheeler
Global CIO & CISO, Heartland Alliance

The landscape is forever shifting, and that will never change. When establishing a new cyber program, I have always heavily focused on the core foundational pieces being in place and using as much automation as possible to optimize performance and reduce man hours associated with those pieces. If you cannot master the core foundational pieces, then having employees looking at the next generation of threats and technology will do you no good. By streamlining those core pieces, you are then able to have your employees hone their skills on the ever-changing threat landscape, and emerging technologies that are developed to counter those threats. I have great relationships with other professionals in this field, and we are constantly sharing information and knowledge. The security field truly is like a big sports team, where everyone wants to help each other succeed. On top of those relationships, I read 20-30 cyber related articles daily, annual cyber studies, books, etc.

Heath Renfrow
CISO, LEO Cyber Security
Former CISO, United States Army Healthcare

… enamored with the latest threat, exploit or “shiny tool” — and don’t lose track of the fundamental mission, which is to ensure the confidentiality, integrity, and availability of all the sensitive data, systems and devices. Tactically, stay on top of changes as best as possible by reading, participating in critical infrastructure sharing forums (e.g., in healthcare, H-ISAC; in Financial Services, FS-ISAC), attending local and regional conferences, listening to vendor briefings, etc., and strategically, take the long view with the Board by focusing on establishing, implementing and maturing a Cyber Risk Management program that will transcend time.

I keep myself updated by reading, participating in critical infrastructure sharing forums (such as the H-ISAC, Health Information Sharing and Analysis Center), attending local and regional conferences, and leading webinars on key topics. Part of Clearwater’s mission is education, so the Clearwater website Knowledge Center is a tremendous resource. CISOs who have not yet pursued formal undergraduate and graduate education should find a program that fits their schedule and budget. I recommend starting with National Security Agency / Centers for Academic Excellence (NSA/CAEs), most of which offer excellent distance learning programs.
INFOSEC PARTNERSHIPS

Cybersecurity is among the most discussed topics. Significant mergers and acquisitions took place, the effects of which will be observable in the near future. Following the trend of collaboration, many startups and innovators joined hands with established cybersecurity brands to pursue aggressive courses of action. Governments and defense departments around the world, along with other industries, also began taking cybersecurity more seriously. Below are a few stories from last month that made front-page news with their substantial acquisition amounts and futuristic outlook.
Aware, a supplier of biometrics software and services, recently appointed Robert A. Eckel as its Chief Executive Officer and President. Eckel will also serve as a member of the Board of Directors of Aware. Aware provides biometrics software products and development services to government agencies, system integrators, and solution providers globally. Previously, Eckel served as the President … air traffic control, and defense systems.

“I’m excited to be joining an Aware team known for its customer relationships, employee dedication and exemplary domain knowledge and passion. Together we’ll continue to expand Aware’s leadership position in the industry and bring effective biometric technology into people’s lives. One of my passions is to build and lead companies that enable individuals to experience the life we deserve through technology. My background in secure identity solutions, biometrics technology, and complex systems will help me drive this mission for Aware,” Eckel said.

Cybersecurity solutions provider Lunarline recently announced the appointment of Michael Sadeghi as Vice President of National Defense. Sadeghi will be tasked with overseeing the rapidly increasing portfolio of defense and intelligence community cybersecurity clients. Sadeghi has held executive-level positions at Edgework, Engility, Tetra Tech, BAE Systems, Government Micro Resources and Booz Allen Hamilton. He was also the Chief Technology Officer at Lockheed Martin, where he was instrumental in redesigning the worldwide infrastructure of the Pentagon post the 9/11 attacks. He is known to be one of the pioneers of AI and machine learning programs of the Defense Advanced Research Project Agency (DARPA).

“I’m elated to join Lunarline and … services,” says Mr. Sadeghi. “Due to the exponential growth in the cyber threat vectors and the non-scalability of the majority of the current mitigation techniques, combined with quantum computing and many other disrupting technologies right around the corner, Lunarline is perfectly positioned to help its clients transform the security and productivity of their business to better perform in this rapidly changing security space.”
KICKSTARTERS

Kovrr

Founded in 2017 by security experts Yakir Golan, Shalom Bublil, and Avi Bashan, Kovrr delivers data-driven end-to-end insights to government and private insurance regulators that enable them to calculate their cyber risk exposures.

What sets it apart: Kovrr claims that its end-to-end platform quantifies potential financial loss caused by different types of cyber-attacks and helps in managing cyber risks. The platform uses open-source, proprietary and third-party business and threat intelligence data to train predictive cyber risk models.

Market Adoption: Kovrr recently raised US$ 5.5 Million in a financing round led by venture capital firms StageOne Ventures and Mundi Ventures, along with the participation from Banco Sabadell and other private investors. The Tel-Aviv based company stated the new funding will help the company accelerate its product development and global expansion activities.

Shape Security

Founded in 2011 by Derek Smith, Justin Call, and Sumit Agarwal, Shape Security is a California-based startup that provides defense against malicious automated cyber-attacks on web and mobile applications.

What sets it apart: Shape Security helps enterprises prevent automated and imitation attacks. It provides omnichannel protection for web applications, mobile applications, and API interfaces. The company claims that its Fraud Prevention Platform detects and blocks over 2 billion fraudulent transactions daily.

Market Adoption: Shape Security recently raised US$51 million in a funding round led by C5 Capital along with existing investors, including Focus Ventures, JetBlue Technology Ventures, Top Tier Capital Partners, EPIC Ventures, Kleiner Perkins, HPE Growth, and Norwest Ventures Partners. The California-based startup has reached the US$ 1 billion valuation mark with the latest investment. Shape Security stated the new proceeds will accelerate the company’s product development and also support its business expansion in North America.

Acronis

Founded in 2003 by Jack Zubarev, Oleg Melnikov, Serguei Beloussov, and Stanislav Protassov, Acronis is a Swiss cybersecurity company that offers safety, accessibility, privacy, authenticity, and security services.

What sets it apart: Acronis offers cyber protection, solving safety, accessibility, privacy, authenticity, and security (SAPAS) challenges with innovative backup, disaster recovery, and enterprise file sync and share solutions to enterprises in hybrid cloud environments and on-premises. The company claims that its Acronis Cyber Platform protects all the data in any environment, including cloud, physical, virtual, mobile workloads, and applications.

Market Adoption: Acronis recently secured US$ 147 million in an investment round led by Goldman Sachs. With the latest investment, the Singapore and Switzerland-based company reached a valuation of over one billion dollars. Serguei Beloussov, the founder and CEO of Acronis, stated the new proceeds will be used to expand the company’s engineering team, build additional data centers, grow its business reach in North America, and pursue acquisitions.

Axonius

Founded in June 2017 by Avidor Bartov, Dean Sysman, and Ofri Shur, Axonius provides end-to-end management solutions to cover security gaps by validating and enforcing enhanced security policies.

What sets it apart: Axonius helps enterprises bolster their cybersecurity capabilities. The company has several services including active directory, endpoint protection tools, cloud tools, NAC solutions, VA scanners, and Mobile Device Management systems.

Market Adoption: The company recently raised $20 million in a Series B funding round led by OpenView along with the participation from Bessemer Venture Partners, YL Ventures, Vertex, WTI, and Emerge. The New York and Tel Aviv-based cybersecurity startup stated the new funding will help the company boost its customer acquisition and expedite product development. Axonius, earlier this year, was awarded the Most Innovative Startup of the Year after it won the RSAC Innovation Sandbox Contest.

Astrocast

Founded in 2014 by security veterans Bertil Chapuis, Fabien Jordan, Federico Belloni, Jean-Michel Jordan, Julian Harris, and Nicholas Petrig, Astrocast offers a bidirectional and highly secure connection to any IoT device on Earth, in a few minutes.

What sets it apart: Astrocast is the first Nanosatellite IoT network to address this market need in remote areas and for urban LPWAN applications needing satellite backup. The company is also developing an advanced Nanosatellite network for the Internet of things (IoT): a network of 64 CubeSat satellites in Low Earth Orbit (LEO).

Market Adoption: The firm recently secured US$9.2 million (€8.3 million) in a Series A round of funding. The Swiss startup said the new proceeds will help it accelerate the production of IoT modules and the deployment of its Low Earth Orbit (LEO) IoT Network. Speaking on the investment, Fabien Jordan, the CEO of Astrocast, said, “We are excited to see the continued confidence of our investors and partners in the new space race and our company, as we make our mission of building the world’s first IoT network for the planet a reality.”

CISO MAG | OCTOBER 2019
VOLUME 3 ISSUE 9
WWW.CISOMAG.COM