Volume 3 | Issue 9 | OCTOBER 2019

STAY TUNED FOR THE UPCOMING ENDPOINT SECURITY ISSUE, NOVEMBER 2019

For more information contact:

Jyoti Punjabi, Deputy Business Head - CISO MAG, +91 9963654422, jyoti.punjabi@eccouncil.org
Taruna Bose, Publishing Sales Manager - CISO MAG, +91 7838483171, taruna.b@eccouncil.org

CISO MAG | OCTOBER 2019


INDEX

06 BUZZ: Deception all grown up
12 INSIGHT: Career Options for Cybersecurity Professionals are Unlimited
22 UNDER THE SPOTLIGHT: Julien Legrand, Operation Security Manager, Société Générale
36 COVER STORY: The Security Aware Enterprise
54 COLLABORATIONS: InfoSec Partnerships
62 IN THE NEWS: Top Stories from the Cybersecurity World
68 IN THE HOTSEAT: High-Profile Appointments in the Cybersecurity World
74 KICKSTARTERS: Startups Making Waves in the Cybersecurity World

EDITOR'S NOTE

Cybersecurity and the risk associated with cyber-attacks are frequent topics in the Boards of companies. News of cybersecurity threats and attacks is now common everyday news, so there is much more awareness. The Board is not expecting an explanation of how malware or ransomware works. Instead, they want to know how an attack will impact the business. It needs to be quantified with business metrics.

The CISO needs to be an expert in communicating the impact of security to the Board. If he speaks the language of the business, in terms of the risks, he might win mindshare. That also makes it easier to convince the CFO to approve additional security investment.

Companies have for long used deceptive techniques like decoys and honeypots to trap hackers. But these techniques are evolving, writes Chris Roberts, the Chief Security Strategist at Attivo Networks. Chris is an advisory board member at EC-Council. Read his views in the BUZZ section.

These days CISOs have more career options and can pursue other executive roles, writes Charles L. (Chuck) McGann, Jr., in the INSIGHTS section. This is good news, and it should open the door for security professionals who are looking for alternative avenues of growth or responsibility, outside the CISO function. Chuck is a nationally recognized information security professional and the former Co-Chair of the (ISC)2 Government Advisory Board on Cyber Security. He is also engaged with the EC-Council to facilitate the Certified Chief Information Security Officer program.

Tell us what you think of this issue. If you have any suggestions, comments or queries, please reach us at editorial@cisomag.com.

Jay Bavisi
Editor-in-Chief

Volume 3 | Issue 9, October 2019

Editorial
International Editor: Amber Pedroncelli, amber.pedroncelli@eccouncil.org
Principal Editor: Brian Pereira, brian.p@eccouncil.org
Senior Feature Writer: Augustin Kurian, augustin.k@eccouncil.org
Feature Writer: Rudra Srinivas, rudra.s@eccouncil.org

Media and Design
Media Director: Saba Mohammad, saba.mohammad@eccouncil.org
Sr. Graphics Designer: Sameer Surve, sameer.s@eccouncil.org
UI/UX Designer: Rajashakher Intha, rajashakher.i@eccouncil.org

Management
Executive Director: Apoorba Kumar*, apoorba@eccouncil.org
Senior Director, Compliance & Governance: Cherylann Vanderhide, cherylann@eccouncil.org
Deputy Business Head: Jyoti Punjabi, jyoti.punjabi@eccouncil.org
Marketing and Business Development Officer: Riddhi Chandra, riddhi.c@eccouncil.org
Digital Marketing Manager: Jiten Waghela, jiten.w@eccouncil.org
Publishing Sales Manager: Taruna Bose, taruna.b@eccouncil.org

Technology
Director of Technology: Raj Kumar Vishwakarma, rajkumar@eccouncil.org

* Responsible for selection of news under PRB Act. Printed & Published by Apoorba Kumar, E-Commerce Consultants Pvt. Ltd., Editor: Brian Pereira.
The publishers regret that they cannot accept liability for errors & omissions contained in this publication, howsoever caused. The opinion & views contained in this publication are not necessarily those of the publisher. Readers are advised to seek specialist advice before acting on the information contained in the publication which is provided for general use & may not be appropriate for the readers' particular circumstances. The ownership of trade marks is acknowledged. No part of this publication or any part of the contents thereof may be reproduced, stored in a retrieval system, or transmitted in any form without the permission of the publishers in writing.
BUZZ

DECEPTION ALL GROWN UP

Chris Roberts, Chief Security Strategist, Attivo Networks

I
remember the days when we little concern for how they initially
built our honeypots on CDs and breach and pivot. We all know that
dropped them onto machines one of the main components of most
without hard drives. The days enterprises is the human, so it stands
when (let’s face it) the idea was to reason that humans continue to be
to research what the heck the attackers the core focus (after all we’re easily
were doing. If we were lucky, we caught fooled, ready to click on anything
one and they hung out for a while, then at a moment’s notice, and rarely ask
realized they were being taken for a for help). However, as times change
fool and moved on. Meanwhile, we and technology progresses, we have
got some intelligence and carried on to consider the other attack vectors:
regardless. cloud, IoT, mobile, ICS (industrial
Oh, how the times have changed! controls/building controls), wearable
For the last couple of years, a number technology, embedded technology
of companies have been working to (human healthcare as well as
build better and better mousetraps. augmentation), transportation, and a
Some have focused on the endpoint, myriad of other avenues. All of these
8 some on the SMB market, and others require an engagement fabric that 9
have worked to drop decoy machines, deception and detection technologies
systems, and all manner of enticing have to be ready for, and many of them
morsels of cheese scattered across still require human participation. In
the enterprise in the hope of catching many cases, this unfortunately means
attackers as they freely traverse around that we are protecting our systems
your networks (spoiler alert, I work for from the very humans that use them.
one of those companies). Watch, learn, and engage
One of the challenges has been So, how do you engage? How do
engagement, and, like the art of fishing, you actually lay out bait that’s good
it can involve long periods of boredom enough, yet not too good? How do you
wondering if you’ve gotten it right, build a mousetrap that blends in but
punctuated by short bursts of frenzied also isn’t going to be glossed over as
activity as you realize you’ve either “just another machine in the mix”? You
hooked Jaws or just another sunken actively engage. You don’t sit there like
tree root. a frog on a log, waiting for the princess
The other core challenge has been to come by. You actually watch, learn,
“where.” In essence, your entire and engage. You watch for “tells” and
environment is a target, and (as we for actions. You are the Social Engineer
are all well aware) the adversaries of the deception world. Sitting there,
have had an easy time of coming and actively looking at everything around
going through most enterprises with you, saying hello to everyone, and

CISO MAG | OCTOBER 2019 CISO MAG | OCTOBER 2019


VOLUME 3 ISSUE 9 VOLUME 3 ISSUE 9
BUZZ
BUZZ BUZZ
BUZZ

when necessary engaging. This is where it gets sneaky.

Up to this point, the red blinking light meaning "there's an attacker in our system" has only gone off when someone pokes a decoy, uses a set of credentials, or prods a printer, switch, etc. Now, with the way we've helped deception grow up, the simplest question or observation of anything is going to set off all the alarm bells.

The art of deception

Here's the logic: as an attacker/adversary, I'm going to land on your computer or in your network somewhere. Sorry, but you can't stop me. None of your EDR, FW, IDS/IPS, or NGWTF is going to stop me from getting to you. So, now that I'm in, I want to know what's around me. I might ask you if there are computers close to you (to which you'll answer yes). I might ask you (nicely) to give me your login credentials and all the other ones you have stored in the registry, browser, and 101 other places that applications seem to put data these days (which you'll willingly hand over). I might even check out the other systems/services you have running (obviously making sure to stop all the antivirus, host detection elements, and other things that can ruin my day), as well as other applications, systems, virtual drives, connected devices, etc. (which you'll also hand over). In fact, the upside of being the adversary is I have always had the luxury of asking the computer for almost anything, and, up to this point, it's handed everything over (which has always been rather handy).

In the past, you had to hope at each of those points that somewhere in that list of demands were deceptive credentials, systems, or accounts. Not anymore. Today, we're able to work out that you are up to no good, and the grown-up deception we've nurtured starts handing out credentials that look/feel/smell real and seem to work, and we cover all the computers around you (even ones that don't exist). We build responses and engagements on the fly, and we do it well enough to camouflage into the enterprise we're protecting, while recording everything and alerting the blue teams. Now, the nice thing here is, we can also do this across the enterprise, so if an adversary lands on an IoT system, a switch, a cloud (which is, after all, just someone else's computer!), your building controls, or virtually anywhere else in the network, we have the capabilities to engage effectively. We will welcome the attacker in with a handshake, a hug, and a nice set of credentials that'll keep them busy while we alert all those around us.

The act of observing

The key to much of this thinking is to change the symmetry, place it firmly back in the hands of the blue team, and move from a reactive realm of security to something much more proactive. It's not waiting for someone to make a move, for an attack to begin, for a pivot to happen, or choices to be made. It's based on the logic behind the observer effect: simply put, the act of observing will influence (or change) the phenomenon being observed (in this case your computer or anything on it). Think of this new breed of deception as the hypothetical experiment with Schrödinger's cat. The attacker is the one that cracks the lid on the box, and simply by observing whether the cat is alive or dead they trigger the change in state that alerts our intrepid band of quantum blue teamers.

This is deception grown up. This is proactive detection, deception, and something other than a pretty face in the crowd. This one goes looking for trouble rather than waiting for it to come to the doorstep. This is deception done right.

Chris Roberts is Chief Security Strategist at Attivo Networks. He is also an advisory board member at CISO MAG.

The opinions expressed within this article are the personal opinions of the author. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
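The mechanism Chris Roberts describes above (credentials that seem to work but were only ever planted, decoy hosts that do not exist, and an alert the moment anyone touches either) reduces to a small detector over authentication logs. The following Python is an added example written for this page; it is not Attivo Networks' product or the author's code. The planted accounts, the decoy host sql-ghost07, the log format and every log line are constructed for the demonstration. A real deployment would feed the same check from a SIEM or the authentication service itself; the point is that the decoy's outcome field is ignored on purpose, because a legitimate user never has a reason to present a planted credential, accepted or not.

```python
"""Decoy-credential (honeytoken) alerting over authentication logs.

Added example; not Attivo's product or Chris Roberts' code. The planted
accounts, decoy host, log format and log lines are constructed.
"""
import re
from dataclasses import dataclass

# Credentials deliberately planted where an intruder will harvest them (browser
# password store, registry, a fake RDP history). Nobody legitimate uses them, so
# any appearance is an alert, whether or not the target accepted the login.
DECOY_ACCOUNTS = {
    ("svc-backup", "fs-backup01"): "planted in the browser password store of WS-0042",
    ("dbadmin", "sql-ghost07"): "planted in a fake RDP connection history",
}

# Decoy systems: sql-ghost07 is not a real server; the deception layer answers
# for it so the planted credential "seems to work". Any contact is an alert.
DECOY_HOSTS = {"sql-ghost07"}

# Constructed syslog-style auth record, e.g.
#   2019-10-07T09:12:44Z fs-backup01 auth: ACCEPT user=svc-backup src=10.0.4.17
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<outcome>ACCEPT|REJECT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    host: str
    src: str
    reason: str


def parse_line(line):
    """Return the fields of one auth record, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_event(ev):
    """Map one parsed event to an Alert if it touches a decoy, else None."""
    key = (ev["user"], ev["host"])
    if key in DECOY_ACCOUNTS:
        return Alert(ev["ts"], ev["user"], ev["host"], ev["src"],
                     "decoy credential used (" + DECOY_ACCOUNTS[key] + ")")
    if ev["host"] in DECOY_HOSTS:
        return Alert(ev["ts"], ev["user"], ev["host"], ev["src"],
                     "authentication attempt against decoy host")
    return None


def scan(lines):
    """Run every parsable line through the decoy check; unknown formats are skipped."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        alert = check_event(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


def implicated_sources(alerts):
    """Hosts that touched a decoy: the attacker is sitting on one of these."""
    return sorted({a.src for a in alerts})


# Constructed log: jsmith is a real user on 10.0.4.17; the intruder on that
# host then tries the harvested decoys. 10.0.4.99 is ordinary noise.
SAMPLE_LOG = [
    "2019-10-07T09:12:01Z fs-backup01 auth: ACCEPT user=jsmith src=10.0.4.17",
    "2019-10-07T09:12:44Z fs-backup01 auth: ACCEPT user=svc-backup src=10.0.4.17",
    "2019-10-07T09:13:02Z sql-ghost07 auth: REJECT user=dbadmin src=10.0.4.17",
    "2019-10-07T09:13:10Z mail01 auth: REJECT user=jsmith src=10.0.4.99",
    "2019-10-07T09:14:00Z sql-ghost07 auth: REJECT user=jsmith src=10.0.4.17",
    "Oct  7 09:14:30 mail01 sshd[1234]: unrelated line in another format",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.reason}: user={a.user} host={a.host} src={a.src}")
    print("investigate:", implicated_sources(found))
```

Three of the six constructed lines raise alerts and all three point back to 10.0.4.17, which is the "where" the article says has always been hard to answer: the first host that presents a planted credential is, by construction, already compromised.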


INSIGHT

CAREER OPTIONS FOR SECURITY PROFESSIONALS ARE UNLIMITED

Chuck McGann

The security field is growing by leaps and bounds, gaining more respect for the value it provides the organization and the stakeholders, and salaries are becoming aligned with the responsibility. Security is being taken seriously and has a critical role to play. More recently, the CISO is being exposed to the executive roles and responsibilities of a business leader. This is good news and it should open the door for security professionals who are looking for alternative avenues of growth or responsibility, or even to look outside of the CISO group into the business functions of the organization.

If you are a CISO, congratulations on getting the top security slot! You likely report within the CIO, CRO, CFO, or CLO organization or, if very lucky, report to the CEO. This is where it gets a little harder to decide where to look for career options. One key issue is to ensure you have created a succession plan for your own and other positions, or you may not have those opportunities.

Some organizations will let executives fill in for others when vacations or sick leave issues occur, and other organizations encourage cross-training at the executive level. If you have the opportunity to learn a peer role, use it, learn from it, and show interest in alternative positions.

What should one consider when looking to steer their career on a new track, including outside of security?

First, have a concrete answer to the question, "Why are you looking to move?" Is it burnout, too much stress, salary, or growth? Or are you just looking to learn something new and expand your horizons? Any of these reasons are valid for a security professional considering a career change.

Multiple Opportunities

If you were an engaged and active security professional, meaning you understood the business, how it works, where revenue is generated and invested, who the customers were (internal and external), and if you were collaborative, you could move laterally into almost any position that didn't require specialized education or training. For example, a Security Program Manager could easily move to a business function program manager position without too much difficulty. Many security professionals have come from the technology field of IT or engineering, or even a business function; at some point, they may want to return to those areas after a stint in the security trenches. These resources will become significant advocates for securing the organization within their new role, and that's a fantastic benefit for everyone. In choosing to return to a previous functional area, they take with them a greater understanding of the need for, and value of, securing the organization's business processes and information.

Security professionals should educate themselves and form mentoring partnerships with other functional area staff, spending time building strong relationships, and understanding the business side of the equation. This creates a balance between security and business value/operability.

Yes, this is an investment of time on everyone's part, but the knowledge gained by all parties is invaluable. Understanding that these efforts are not a short-term strategy is important. You will not achieve the knowledge and experience needed in a month. However, you will develop an understanding of the needs of that functional area, its value to the organization, and how security plays a role in its success.

A security professional willing to educate himself in another discipline is a valuable resource to any functional area, due to the institutional knowledge accumulated while working in the security environment.

Security touches every aspect of an organization, from application inception to business continuity and disaster recovery; there should be no area where security is not involved. Security policy, when effective, embraces all the requirements of data protection and information usage and control. It identifies roles and responsibilities and provides a roadmap for developing processes and procedures used in support of the business to ensure consistency. If you are aware of the policy and help implement some of the controls, you are familiar with the business area you worked within. Work with that foundation and learn more, again through relationships with the functional area staff that might be willing to share insights. By helping you, they are helping themselves find possible replacements for their own possible promotion within the organization.

Demand for Security Professionals

The demand for cybersecurity professionals will increase to approximately 6 million globally by 2019, according to some industry experts cited by the Palo Alto Networks Research Center. These report findings are backed up by other studies and reports. If this continues to be true, and job security is stable, then why would a person want to leave to pursue another profession? The report from the CSIS Strategic Technologies Program, October 2016, indicates that security professionals often leave the organization for the following reasons:

• The company did not prioritize or appreciate the cybersecurity mission.
• Lack of people or tools to do the job.
• Compensation and benefits were not competitive.
• No funding for training.
• Lack of engaging and challenging tasks (rated higher by more experienced staff).

If the above holds true and another functional area in your organization can provide the support to resolve these dissatisfaction issues, then the security professional is often enticed to make a move.

We are still looking to answer the question of, "What are the career options available today for security professionals?" and I think the answer is pretty straightforward. The options available for the security professional are many, depending on the level of effort that person is willing to put forth!

Obviously, security professionals are motivated, intelligent, hardworking, and engaged in often high-pressure situations needing calm and deliberate responses. Many business functions have similar needs for their specific roles: marketing deadlines, customer complaints, and production schedule delays, to name a few.

The ongoing education of security professionals within an organization should not be constrained by their current position. Overall education should be considered with regard to its value to the business and with discussions centering around where the security employee and the security organization see themselves in the next 1-3 years.

Security professionals should consider succession planning opportunities for other functional areas where they show an interest. This would provide a roadmap for gaining the skills needed with mentored and approved support of the functional area management, as well as show the organization you are interested in the other areas of the business. Look for learning opportunities within the organization and discuss possible assignments to other areas if a position is available. This will be a challenge as there would need to be backfill for your role, but it is doable in a progressive organization looking to keep its institutional knowledge base intact and support morale.

Career options for you as a security professional are only limited by the effort you are willing to put in, the risk you are willing to take, and the reason(s) you are looking to move away from your current role. You must have legitimate expectations of yourself and the skills you bring to a new position. Don't minimize your time spent in helping to secure the organization. You have a lot on offer for any functional area you choose to move into; the question is, are you moving for the right reasons, void of emotion, but driven by intellect and a passion to learn something new?

Charles L. (Chuck) McGann, Jr., is a nationally recognized information security professional who recently established McGann Consulting Group (MCG). McGann is also engaged with the EC-Council to facilitate the Certified Chief Information Security Officer program. Chuck is also the former Corporate Information Security Officer for the United States Postal Service (USPS). He is the former Co-Chair of the (ISC)2 Government Advisory Board on Cyber Security, served as a Government Information Security Leadership Awards Judge for the last three years, and chaired the Federal CISO for CISO's quarterly meetings.

The opinions expressed within this article are the personal opinions of the author. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.


Jury Board and Keynote Speakers

Sultan Al-Owais, Director of Information Technology, Prime Minister's Office - UAE
Tony Chacko Joseph, CISO-eDirham, Public Revenue Department, Ministry of Finance, UAE
Thomas Heuckeroth, VP Cyber Security, Group Chief Cyber Security Officer, Emirates Group

Eminent Speakers

21st October, 2019, JW Marriott Marquis, Dubai, UAE. Be a part of the biggest cybersecurity celebration.

Suresh Nair, Chief Information Security Officer - MENAT & Sub Saharan Africa (SSA), General Electric
Sunil Gupta, Co-founder and CEO, QNu Labs
George Eapen, Global CISO and Group Head of Cyber Security, Petrofac
Hariprasad Chede, CISO, National Bank of Fujairah
Amna Al Balushi, CISO, Bank Nizwa, Oman
Mohamed Mousa, CISO, IKEA, KSA
Astrid E M Hansen, VP Risk and Controls, Barclays
Nameer Khan, Founding Board Member, MENA Fintech Association
Dr. Erdal Ozkaya, Head of Information and Cybersecurity, Standard Chartered Bank
Sumit Puri, Group Chief Technology Officer, Evercare Group
Awadh Almur, Chief Information Security Officer, Federal Authority for Nuclear Regulation (FANR)

Platinum Partner, Quantum Technology Partner, Exhibit Partner (logos)
UNDER THE SPOTLIGHT

Interview of JULIEN LEGRAND, Operation Security Manager, Société Générale

By Augustin Kurian

Julien Legrand is an experienced cybersecurity specialist, application security leader, technology writer and international speaker with a strong combination of business leadership and technical background, focused on risk management, security assessment, identity and access management, penetration testing and cryptography.

He started his journey with SFR (Société française du radiotéléphone) as a Lead Information Security Auditor, then moved to Enedis. He also juggled several designations at Société Générale, including principal security architect (APAC). He is currently the Operation Security Manager at Société Générale. He is also the Founder and Director of Mycybersecurity.tips.

Julien also holds several cybersecurity certifications like Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) and Certified Ethical Hacker (CEH).


1. Tell us a bit about the relevance and importance of certifications in cybersecurity?

Certifications are essential to the career of cybersecurity professionals. There are different certifications which provide skills for different specializations. As such, certifications allow a cyber expert to gain skills required to specialize in a particular discipline. Besides, one must pass various exams before being certified to have completed a specific course. Certifications, therefore, serve to validate the knowledge and skills acquired when completing a cybersecurity course (Springboard, 2018). This is important since potential employers require applicants to not only demonstrate knowledge of the positions they apply for, but also to provide proof they are certified.

More importantly, obtaining a cybersecurity certification demonstrates a person's initiative to complete assigned duties. Before earning a certification, a cybersecurity professional must complete various pieces of training to acquire the desired skills. Different certifications apply to a job's relevance, and this shows employers that a certified expert is capable of undertaking actions that come with a particular field (Boldt, 2018). Notwithstanding, one of the key reasons for earning a certification is to strengthen the bargaining power for increased pay.

According to PayScale (2019), the average annual salary for an information security analyst is $70,754 while that for a CISSP certified analyst is $86,352.

2. Which are the most essential certifications to improve one's career prospects today?

Since many certifications produce specialties in different fields, it is vital to understand the most important ones to acquire today. A Certified Ethical Hacker (CEH) certification is most popular. It enables security professionals to acquire penetration skills used for assessing computer and network systems for security issues. The next relevant certification is Certified Information Systems Security Professional (CISSP). It validates an information security professional's deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.

Also, SANS GIAC Security Essentials (GSEC) is essential for professionals competent in the technical expertise required for a hands-on security role. The certification equips additional skills such as cryptography, password management, access control, network mapping and network controls, DNS, public key infrastructure, detecting and preventing cybersecurity incidents, among others.

In addition, a Certification in Risk and Information Systems Control (CRISC) equips security professionals with risk management abilities needed to secure an enterprise. It is an essential certification for IT management professionals, chief information officers, and assurance and control experts. Besides, it allows IT security personnel to identify and manage risks by developing and maintaining secure information systems. Last but not least, the CISM (Certified Information Security Manager) certificate is necessary for professionals working at the professional level. The certification enables them to acquire skills in managing and ensuring compliance of implemented security policies, developing and managing programs for information security, and governing cybersecurity policies.


UNDER THE VOLUME 3 ISSUE 9 VOLUME 3 ISSUE 9
UNDER THE
SPOTLIGHT SPOTLIGHT

to develop smarter and faster institutions need to provide students


3. What is your take attacks. Without immediate actions, with a more hands-on education
on the dearth of the cybersecurity talent gap will in combating attacks and other
cybersecurity talent continue widening. cybersecurity-related issues. For
example, universities and colleges
A shortage of cybersecurity should provide students with more
talent is affecting the security of 4. Do you think opportunities for defending and
organizations operating in the cybersecurity deploying innovative measures to
finance industry, and other sectors education can remove secure their networks. On the other
as well. According to Irwin (2018), the massive skill gap in hand, organizations can provide
lack of enough cybersecurity
cybersecurity? entry-level cybersecurity training
skills affects at least 80 percent of to employees with apprenticeship
organizations. A 2018 Cyberthreat Cybersecurity education can, programs, to enable them to build
Defense Report by Cyber-Edge without a doubt, assist in reducing their knowledge in handling cyber
Group supports this statement the skill gap experienced in incidences.
as it states four out of five the cybersecurity industry.
organizations are unable to find
qualified cybersecurity personnel
One of the underlying reasons
5. Do you think
causing the massive shortage is
26 for various positions. There is a a lack of cybersecurity interest
cybersecurity training
27
shortage of cybersecurity talent in among the younger generation. for employees
finance and other industries. This Hospelhorn (2019) cites a should be a part of
signifies that financial institutions survey which showed that only an organization’s
may be overwhelmed handling 9 percent of youngsters express roadmap? ?
cybersecurity incidents. an interest in a cybersecurity
Although many cybersecurity career. The diminished interest in Cybersecurity training for
companies and experts have been cybersecurity may be caused by employees must be part and
at the forefront warning about the lack of opportunities needed to parcel of a company’s security
vast shortage, research and surveys learn about the industry. To solve roadmap. According to Kelly
from reputable sources indicate the this, educational curricula need to (2017), an estimated 90 percent
deficit will continue worsening in include cybersecurity curricula to of cybersecurity incidences arise
coming years. Such a colossal lack ensure all students get a chance to from human errors, associated
represents an ever-growing threat to learn more about the industry. with mistakes, ignorance, and
financial organizations. This, fueled Furthermore, the lack of adequately negligence. Most of the methods
by relentless attacks motivated by skilled professionals to counter used to execute attacks mainly
financial gains, requires industry emerging attack vectors largely rely on an employee’s inability to
leaders to take a proactive step contributes to the increased skill- observe and maintain best security
to resolve the problem. Cyber gap shortage. Cybercriminals practices when processing data, or
adversaries are constantly devising more ingenious means of executing attacks. Besides, technologies like artificial intelligence enable them

are always developing new and sophisticated malware, coupled with exceedingly smart attacking methods. To keep up, educational

generally interacting with a system. For example, phishing attacks bait employees to download malicious attachments or to click links that redirect to websites laden with malware. All organizations, therefore, require prioritizing employee training.

Cybersecurity training for employees should include secure password creation and management. Organizations should emphasize the need for creating strong passwords and storing or sharing them securely. Also, cybersecurity training should equip employees with skills for recognizing phishing attacks. Phishing attacks are among the most used techniques to gain unauthorized system access. Besides, with more organizations embracing the use of the Internet of Things, it leads to increased attack surfaces and entry points. As such, companies should ensure they train employees on how to use such devices securely. Lastly, cybersecurity training enables employees to acquire skills for endpoint protection. This training can allow a business to realize strengthened cybersecurity programs.

6. How can security become a part of the ethos of a company?

An organization can implement various measures to ensure cybersecurity becomes part of its everyday culture. One such way is by ensuring all employees understand they play a central role in the organization's security. Some companies believe that the IT security department should handle all security activities. This is not true since every employee has to observe security practices for the company to sustain meaningful cybersecurity processes. To achieve this, organizations should focus on frequent training and on creating security awareness.

Employees may practice ineffective security acts, but not out of spite; instead, it is due to a lack of knowledge of what constitutes bad practices (Romeo, 2019).

Additionally, implementing a secure development lifecycle can assist businesses to develop a sustainable cybersecurity culture. A secure development lifecycle consists of activities or processes a company agrees to perform on system and software releases. Such activities include threat modeling, testing acquired systems for security vulnerabilities, and assessing the effectiveness of security configurations. More so, rewarding employees who exhibit exemplary cybersecurity practices can motivate others to practice the same. Cash rewards or other non-monetary rewards can foster a security culture. Lastly, organizations can develop security communities to enable employees to understand the various security interests at all levels of the organization (Romeo, 2019).

7. In what ways have cybersecurity certifications helped you in your career path?

Cybersecurity certifications have had a considerable impact on my career. To begin with, the certifications have provided an opportunity for staying informed in a continually changing field. Cybercriminals create new malware programs every day, whereas existing attack methods evolve. To remain competent, one has to stay informed and acquire as much knowledge about new threats as possible. Certifications such as a Certificate in Ethical Hacking (CEH) provide the necessary opportunities to learn more about hacking. In turn, applying the acquired knowledge in real-time situations enhances my career, thereby opening up better opportunities for employment.

In addition, the skills acquired at the college or university level are insufficient for building a cybersecurity career. Most educational curricula equip skill sets required for specialized IT services. However, specific cybersecurity skills are only acquired through pursuing and completing cybersecurity certifications successfully. In light of this, cybersecurity certifications have enabled me to move up in my chosen field. Different certifications allow one to venture into new careers, most of which lack enough talent. Cybersecurity certifications, therefore, have enabled me to access career opportunities that would otherwise be inaccessible with just a graduation certificate.

8. What is your advice for aspiring cybersecurity professionals who want to make it big in the industry?

Aspiring cybersecurity professionals should consider completing several certifications to improve their career prospects. Kamath (2019) posits that cybersecurity is regarded as the new frontier for IT security. This is due to the increased dependence on technology to drive critical operations. Technologies like artificial intelligence will see most industries automate production and operational processes. As a result, cyber-attacks will increase as cyber adversaries target to take control of such systems. Certified cybersecurity professionals will be required to monitor and secure the systems continually. However, as is the case in all fields, companies will consider applicants with hands-on experience and the correct qualifications. Cybersecurity certifications will enable aspiring professionals to fit those criteria.

However, as much as certifications provide aspiring professionals with skillsets needed to market and expose their careers, they should ensure a strong cybersecurity foundation. Some employers are reluctant to entrust the security of their systems or networks to employees with a single certification. A graduate degree in IT security or IT management can help alleviate such fears. Acquiring the necessary certifications to gain cybersecurity skills and a strong IT foundation is the first step of realizing a successful cybersecurity career (University of San Diego, 2018).

9. Can AI and machine learning compensate for the shortage of cybersecurity skills in the industry? If not, what are the limitations?

Artificial intelligence and machine learning can be used to reduce the enormous skill gap shortage in the cybersecurity field. Firstly, artificial intelligence allows the development of automated threat detection and response products. AI-enabled tools can detect security threats by identifying software programs whose

activities or processes seem unusual from those of legitimate programs. Also, they can deploy adequate measures to respond to threats. This eliminates the need for cybersecurity professionals who first acquire secure data and analyze it for security incidences. Companies suffering from inadequate cybersecurity skills can deploy intelligent intrusion detection systems, firewalls, or antiviruses, which would enable them to minimize their reliance on human operators.

Also, machine learning technologies have many benefits which organizations can use to address a shortage of cybersecurity talent. Key among them is the ability to make intelligent decisions used for improving organizational cybersecurity. An example of such capabilities is scanning the contents of an email message to determine if allowing them through the network would cause security risks. Also, applying artificial intelligence in security systems can aid in filtering insecure connections and using machine learning to adapt to specific security environments. All these are actions requiring human operators, but since AI-enabled systems automate them, they eliminate the need for security professionals.

The main limitations of using artificial intelligence and machine learning to address the cybersecurity talent shortage are the presence of anomalies. Machine learning algorithms use various data sets to train a system to identify malicious and clean codes. Some training information might be created using inconsistent data points, causing developed systems to contain anomalies. As a result, they may fail to detect some cyber-attacks, thus exposing a company to severe risks and threats.

Also, hackers may successfully gain access to the deployed artificially intelligent security tool. Accessing them may allow them to corrupt AI and machine learning data through processes such as switching the code labels. In such an instance, the security tools may label a malware code as clean or fail to detect suspicious user activities in a network. The result is the organization being exposed to multiple security risks.
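The two limitations named in the answer above, inconsistent training data and switched labels that make a detector call malware "clean", can be made concrete with a toy classifier. The Python below is an added example, not code from the article or from any product it mentions. The feature tokens, the eight training samples, the hold-out set and the key are all constructed; it trains a small naive Bayes detector, shows what happens to its verdict when the labels of a copy of the training set are inverted, and then shows two checks a defender can put in front of deployment: an HMAC tag over the signed-off training set, and an accuracy gate on a separately labelled hold-out set.

```python
import hashlib
import hmac
import json
import math
from collections import Counter

# Constructed training data: each sample is a list of behavioural feature tokens
# plus the analyst-assigned label. Feature names are invented for this example.
TRAIN = [
    (["disable_av", "encrypt_user_files", "contact_c2", "persist_registry"], "malware"),
    (["encrypt_user_files", "delete_shadow_copies", "contact_c2"], "malware"),
    (["keylog", "contact_c2", "persist_registry", "inject_process"], "malware"),
    (["disable_av", "inject_process", "contact_c2"], "malware"),
    (["read_config", "write_log", "open_window", "check_update"], "clean"),
    (["read_config", "render_ui", "write_log"], "clean"),
    (["check_update", "render_ui", "open_window"], "clean"),
    (["write_log", "open_window", "read_config"], "clean"),
]

# Constructed hold-out set: labelled separately, kept out of training, and used
# only to check a freshly trained model before it is deployed.
HOLDOUT = [
    (["encrypt_user_files", "contact_c2", "disable_av"], "malware"),
    (["keylog", "inject_process", "persist_registry"], "malware"),
    (["read_config", "write_log", "check_update"], "clean"),
    (["render_ui", "open_window"], "clean"),
]


def train_nb(samples):
    """Multinomial naive Bayes with add-one smoothing over feature tokens."""
    class_counts = Counter(label for _, label in samples)
    token_counts = {c: Counter() for c in class_counts}
    for feats, label in samples:
        token_counts[label].update(feats)
    vocab = {t for feats, _ in samples for t in feats}
    return {"classes": class_counts, "tokens": token_counts,
            "vocab_size": len(vocab), "n": len(samples)}


def predict(model, feats):
    """Return the class with the highest smoothed log-probability."""
    best, best_score = None, -math.inf
    for cls, n_cls in model["classes"].items():
        total = sum(model["tokens"][cls].values())
        score = math.log(n_cls / model["n"])
        for t in feats:
            score += math.log((model["tokens"][cls][t] + 1) / (total + model["vocab_size"]))
        if score > best_score:
            best, best_score = cls, score
    return best


def flip_labels(samples):
    """Simulate the label switching the answer describes: every label in a copy
    of the training set is inverted; the feature data itself is untouched."""
    return [(f, "clean" if l == "malware" else "malware") for f, l in samples]


def holdout_accuracy(model, holdout):
    hits = sum(predict(model, f) == l for f, l in holdout)
    return hits / len(holdout)


def canonical_bytes(samples):
    """Stable serialisation so the tag does not depend on token order inside a sample."""
    return json.dumps([[sorted(f), l] for f, l in samples], sort_keys=True,
                      separators=(",", ":")).encode()


def seal(samples, key):
    """HMAC-SHA256 tag computed when analysts sign off on the labels; the key
    belongs to the release process, not to the training host."""
    return hmac.new(key, canonical_bytes(samples), hashlib.sha256).hexdigest()


def verify(samples, key, tag):
    return hmac.compare_digest(seal(samples, key), tag)


def safe_train(samples, key, tag, holdout, min_accuracy=0.9):
    """Two gates before a model ships: the training set must match its tag,
    and the trained model must still classify the trusted hold-out set."""
    if not verify(samples, key, tag):
        return None, "training set does not match its integrity tag"
    model = train_nb(samples)
    acc = holdout_accuracy(model, holdout)
    if acc < min_accuracy:
        return None, f"hold-out accuracy {acc:.2f} below {min_accuracy}"
    return model, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"   # placeholder; use a managed secret in practice
    tag = seal(TRAIN, key)
    sample = ["encrypt_user_files", "contact_c2", "disable_av"]
    print("clean model   :", predict(train_nb(TRAIN), sample))
    print("poisoned model:", predict(train_nb(flip_labels(TRAIN)), sample))
    print("gate (clean)   :", safe_train(TRAIN, key, tag, HOLDOUT)[1])
    print("gate (poisoned):", safe_train(flip_labels(TRAIN), key, tag, HOLDOUT)[1])
```

The integrity tag catches any edit to a signed-off data set, including a single flipped label, while the hold-out gate catches damage that arrives before sign-off (inconsistent labels from a noisy source, for instance) as long as the hold-out set itself is labelled and stored independently of the training pipeline.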


85% of all cyber security job vacancies require a Bachelor's degree or higher (burning-glass.com)

Bachelor of Science in Cyber Security
Master of Science in Cyber Security
*Graduate Degree Program

Propel your career as a cyber security leader with an online cyber security degree from ECCU

*Graduate Certificates available for: Disaster Recovery; Digital Forensics; IT Analyst; Executive Information Assurance; Information Security Professional
COVER STORY

The Security Aware Enterprise
Where security is culture and awareness is habit

Team CISO MAG

The volume of security attacks and threats to organizations has reached alarming proportions, so much so that "cybersecurity" and "risk" have become frequently used words among Boards of Directors.

The Board understands risk, numbers, charts, and strategy. But when news of organizations getting hacked, and the unfortunate consequences, trickles into the boardroom, it triggers waves of panic. The typical questions that arise are, "What if we were hit by that malware or ransomware next? How badly would that impact our business?"

Board members are likely to be aware of terms like "malware," "ransomware" and acronyms like DDoS and APT that the tech industry notoriously creates every year (heard any new ones lately?). They might need a simple explanation of, say, how ransomware spreads and what it does. They're not asking for a crash course in cybersecurity, mind you.

But someone who has a deep understanding of cybersecurity and knowledge of business operations has to answer those nagging questions. That calls for a clear communication strategy. That person has to talk about cybersecurity using the lingo of the business.

But how? What should and shouldn't be said?

CISO MAG reached out to global CISOs, C-level executives and strategists and asked them to share strategies and tips for effective communication. Ten experienced senior management executives who served or continue to serve organizations in government and the private sector share their best practices and communication strategies. They can be regarded as missionaries of cybersecurity, responsible for spreading awareness, top-down. That's not an easy task, especially when reaching out to overburdened employees who have their plates heaped with work. Rallying thousands of employees in different locations to talk about best practices and security policies is a Herculean task.

But it's a job that the CISO needs to do, because they know that protecting the organization from hackers and malware has more to do with people and process. The technology is a means to achieve it, but not an end in itself.

It's the CISO's job to identify the risks that are most likely to impact the business – and translate that into potential losses using absolute business terms and quantifiable metrics.

The CISOs we interviewed for this story told us that using data points and speaking in terms of risk are some ways to get the Board's attention. Using common security analogies to explain a threat is a better approach than using technical jargon.

They also share how they keep themselves abreast of developments and how they continually train others in the organization.

Bottom line: The CISO should be an excellent communicator to win the Board's mindshare and approval for security investment. Learn from these CISOs and adopt their communication strategies.

How do you communicate Cybersecurity strategy to the Board of Directors?

When dealing with Board of Directors, and other executive leadership that are not in the cyber security field, you must present the cyber risks to the organization in business terminology they understand. I lean heavily on the Factor Analysis of Information Risk (FAIR) methodology to break down cyber security risks into quantitative terminology. My job is to be the office of ‘know’ not ‘no’, and by presenting these risks in a quantitative manner, I am able to help the Board and other executive leadership (President, CEO, etc.) determine their risk appetite for the cyber risk facing the organization. Based off the risk appetite of the executive leadership for the various cyber risks I present to them, my team and I start working on meeting that risk appetite. The expectations of the executive leadership are for me as the CISO to meet the risk appetite, continue to reassess the risks facing the organization, and continuously reevaluate those risks in terminology they understand.

Heath Renfrow
CISO, LEO Cybersecurity
Former CISO, United States Army Healthcare

My focus on awareness directed at the executive Board and beyond, is to bring real insight into the potential security risks associated with the business — such as those that materialize would affect corporate processes, marketing, logistics, sales, case law, and more, in a way that makes it easier to understand the risks. I often talk about security incidents reported by the media, associating the same risks with the company in order to bring to life the potential risks of companies in the digital world, regardless of the industry. The expectation is to have a Board that is more in line with current threats and therefore promote appropriate care for effective risk management, prioritization that considers opportunity risks vs. security risks, and tailored attention to IT innovation and outsourcing projects.

Karina Queiroz
Founder, Teckids - Online Children Protection. Former Head of IT Security, Risk and Compliance, British American Tobacco.

There are different ways like having regular connect and giving them updates about the latest threats, etc. Another effective way is to run lots of simulations like phishing test, USB test, etc. In a review meeting as a CISO, I always show Risk with impact value in dollars so the Board can understand it better.

Ravinder Arora
CISO and Data Privacy Officer at Iris Software Inc

The boards are based on numbers. Beyond talking about KRIs (key risk indicators), risk levels and impact, strategy has been to become business enablers. Board expectations are efficiency and profitability; when we add value to those expectations, we become a strategic partner.

Jorge Mario Ochoa
Global Security Operations Center Manager, Millicom International Cellular (Tigo)
Professor of the Master in Cybersecurity, Panamerican Business School

I update the various boards through required semi/annual meetings and through a monthly progress report. In addition to the recurring updates at the Board meeting, I share trends, training, testing results and what is happening to be proactive. Lastly, it helps to pick their brain to determine what’s happening in their current organization or other Board views.

Carla Wheeler
Global CIO & CISO, Heartland Alliance

Educating the Board is always a challenge in any organization. A really good time is every time there is something big in the news such as the Equifax breach. Those are golden times to send out a brief summary of events, why the event happened, and what your company is doing to ensure that it shouldn’t happen to you. State what you would need to better protect the company. Don’t just share the areas that you need resources. Share what you are doing right as well. If you see something that would mainly be of interest just to the Chief Financial Officer and Chief Information Officer such as Cybersecurity Liability Insurance, then share that with them. If you see something that points out the true cost of a data breach in regard to company brand and reputation management, then share it with your Chief Marketing Officer and Chief Financial Officer. Those are great touch points beyond the standard Board meetings. There will always be several great opportunities each quarter.

Dr. Rebecca Wynn
Head of Information Security & DPO, Matrix Medical Network

Regular Engagement. Align Security goals with business goals. Regular updates on Business focused cybersecurity metrics. Gone are the days when fear tactics worked the best. As cybersecurity and privacy laws become stricter, an honest discussion is the best aid in educating the Board around potential risks.

Kavya Pearlman
Global Cybersecurity Strategist – Wallarm
CEO & Founder - XR Safety Initiative (XRSI)

The Board in Indian banks is differently sensitized or aware about cybersecurity. That’s due to the progressive regulation and the incidents happening around them. So there is a reasonable amount of awareness. They are also familiar with common technical terms like malware, ransomware, etc.

If you use real-world examples, and if the business impact is communicated, the Board of directors understands it very well. For instance, when speaking about intrusion detection control, use the analogy of a CCTV camera. When you speak about an intrusion prevention system or firewalls, give the analogy of a security guard or watchman standing near the main door.

Use data points to relate a security concept or vulnerability to the business impact. For example, if I want to buy an anti-DDoS solution, I tell them our Internet banking volume is x percent, and the active customer base is y, and there is a certain amount of transactions per hour. If there is a DDoS attack, then this will be a loss: per hour, so many customers would be impacted, translating into this amount of dollar value loss for us.

Another important point — the discussion should not revolve only on cybersecurity; it should move from security to risk. The Board is quite aware of the risk; there is also the important element of risk management. This means identification of risk, assessing the risk, predicting the risk and residual risk. You also need to relate these four elements of risk management to the proposal for which you are seeking approval. If the discussion shifts from security to risk management, then it becomes a meaningful discussion for the Board. The Board understands your thought process very well. They align their thought processes with yours and you’ll get buy-in.

Sameer Ratolikar
Executive VP & CISO, HDFC Bank

The Board is interested in how security protections affect the business. What are the benefits and what are the operational and business costs? Avoid terms like “downtime” or “outage” because they don’t mean anything to the business. Instead, we talk about meeting customer Service Level Agreements (SLAs) and other performance metrics by preventing security impacts on our applications and systems.

Do bring in the human element and don’t just focus on technology. Don’t fear statistics: explain the number of security events and attacks against the infrastructure and explain how they are handled and how compromises were avoided. If there were some, be specific with the number and extent of them, phrased in terms of client impact and legal repercussions. Do correlate security actions with regulatory, legal and international issues. Find comparisons and examples from the news and show how you have prevented those by using technology, process and people well.

The Board wants to confirm that they are acting appropriately and doing the correct due diligence to protect shareholder value and corporate assets. Make sure every statement in some way supports that.

Michael Miora
SVP & CISO, Korn Ferry

Avoid overdoing it and follow this standard guidance for Board members: “Eyes open, nose in, fingers out.” Your Board and C-Suite don’t need to be subject-matter experts. Instead, focus on helping them understand how to provide security oversight and empower the organization. Don’t burden the Board with today’s threat or vulnerability du jour; that’s the CISO’s job. Instead, help the Board understand that your threats, vulnerabilities, and safeguards will change as the business does. Help them understand how to help you drive alignment of cybersecurity strategies and plans with the organization’s vision, mission, strategies and services and to establish, implement and mature a program that will transcend time.

Ensure the Board is educated on core concepts and cyber risk management terminology, namely, understanding that the overarching problem is about ensuring the confidentiality, integrity and availability of all of the organization’s sensitive data and the systems and devices that process it. From there, important discussions can be had about the organization’s most significant risks to that data.

Bob Chaput
Founder, Executive Chairman, Clearwater
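Two of the answers above describe the same move from different angles: Heath Renfrow breaks cyber risk into quantitative terms with the FAIR methodology, and Sameer Ratolikar turns a DDoS scenario into customers impacted and dollars lost per hour so it can be set against the anti-DDoS proposal on the table. The Python below is an added example and not code from the article, from any of the interviewees' organizations or from the FAIR standard's own tooling. It carries Sameer's arithmetic through with constructed placeholder inputs (the article gives none), then runs a FAIR-style Monte Carlo over loss event frequency and loss magnitude to produce an annual loss exposure range, and finally frames a control request as expected saving against cost. Triangular distributions stand in for the PERT curves FAIR practitioners usually use; that simplification is this example's assumption.

```python
import random
import statistics


def ddos_hourly_loss(tx_per_hour, value_per_tx, active_customers, online_share):
    """Loss for one hour of unavailability, in the shape Sameer Ratolikar describes:
    transactions that cannot complete and customers who are cut off. Every input
    is a constructed placeholder, not a figure from the article."""
    return {
        "lost_revenue_per_hour": tx_per_hour * value_per_tx,
        "customers_impacted": active_customers * online_share,
    }


def fair_annual_loss(lef, lm, runs=20_000, seed=7):
    """FAIR-style annualised loss exposure by Monte Carlo.
    lef: (min, most_likely, max) loss events per year
    lm:  (min, most_likely, max) loss magnitude per event, in currency units
    Each run draws a frequency and a magnitude from a triangular distribution
    (a simplification of the PERT curves FAIR tooling typically uses) and
    multiplies them; the distribution of those products is the annual loss."""
    rng = random.Random(seed)  # fixed seed so a Board pack is reproducible
    losses = sorted(
        rng.triangular(lef[0], lef[2], lef[1]) * rng.triangular(lm[0], lm[2], lm[1])
        for _ in range(runs)
    )

    def pct(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {"mean": statistics.fmean(losses),
            "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


def control_case(current, with_control, annual_control_cost):
    """Frame a control request the way the Board hears it: what the control is
    expected to save per year against what it costs, plus the tail before/after."""
    saving = current["mean"] - with_control["mean"]
    return {"expected_annual_saving": saving,
            "net_benefit": saving - annual_control_cost,
            "p90_before": current["p90"],
            "p90_after": with_control["p90"]}


if __name__ == "__main__":
    # Constructed bank-like inputs: 50k online transactions/hour worth $2 each,
    # 4M active customers of whom 35% use Internet banking.
    hourly = ddos_hourly_loss(50_000, 2.0, 4_000_000, 0.35)
    print("per hour of DDoS outage:", hourly)

    # Loss magnitude per event assumes 1-24 hours of outage (most likely 6) at the
    # hourly revenue above; frequency assumes 0.5-6 events/year, most likely 2.
    rev = hourly["lost_revenue_per_hour"]
    before = fair_annual_loss((0.5, 2.0, 6.0), (1 * rev, 6 * rev, 24 * rev))
    # With scrubbing in place, outages are assumed to shrink to minutes, not hours.
    after = fair_annual_loss((0.5, 2.0, 6.0), (0.1 * rev, 0.5 * rev, 2 * rev))
    print("annual loss before control:", {k: round(v) for k, v in before.items()})
    print("annual loss after control :", {k: round(v) for k, v in after.items()})
    print("control case (cost $150k/yr):",
          {k: round(v) for k, v in control_case(before, after, 150_000).items()})
```

Reporting P10/P50/P90 rather than a single number is the point of the exercise: the Board gets a loss range it can set its risk appetite against, and the control request becomes a comparison of two ranges plus a price, which is the "risk, not security" framing several of the interviewees describe.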

What initiatives have you or your organization taken to spread security awareness?

My number one priority when walking into a new organization as their CISO is to drive a culture change regarding cybersecurity, especially security awareness. It is however the most difficult aspect of building or turning around a cybersecurity program. The most critical element to building a cyber aware culture is to have the most senior level executives onboard, and telling their employees how important security is to them and the organization. I have found that without this level of support from executive leadership, security awareness programs struggle to be successful. Once I have that level of support, we put in place the following:

• Simulated phishing campaigns.
• Continuous cyber awareness training (videos, posters, flyers, comic strips, interactive games, etc).
• We drive home the cybersecurity conscious culture by putting cybersecurity performance expectations into yearly goals for performance evaluations and tie that performance to incentive plans.
• Establish a cyber champion within the Board of Directors (BoD) who ranks for the CISO to interact on a regular basis. The CISO educates this champion on not only the cybersecurity posture of the organization, but other cyber related events around the world.

Heath Renfrow
CISO, LEO Cyber Security
Former CISO, United States Army Healthcare

I have several initiatives. Every other month I issue a security awareness newsletter for the corporation. It is shared and stored on the corporate intranet. We do monthly introductions to security and conduct security awareness trainings for new hires. Departments ask us to speak to their team on a variety of subjects and we do those on average, every 6 - 8 weeks. We have two months that we have adopted for extra trainings and events: October – National Cybersecurity Awareness Month; and January – National Privacy Month. We do other days too such as Change Your Password Day and Digital Spring Cleaning Day. Lastly, we have awareness posters and change out awareness on the huge flat screen TVs around the locations. Those change out every month to different themes.

Dr. Rebecca Wynn
Head of Information Security & DPO, Matrix Medical Network

What is important is the perspective or the thought process. I look at it as a security culture. Today, it has to be looked at in terms of the employee lifecycle. Employees need to be sensitized about cybersecurity at the time of joining the organization. An employee needs to be briefed about the important security controls and adherence. He needs to be aware of the usage policies of the bank, the email policy, the internet policy — before onboarding. Adherence to compliance is also extremely crucial.

On the day of joining an employee has to undergo a course called ‘Watch your step.’ It is an orientation course about the organization structure and its cybersecurity best practices. It also includes the names of the people in the IT organization.

Additionally, there is a mandatory online course which every employee (including the CEO and the Managing Director) has to pass, annually. It is called ISecurity Ambassador. A new employee has to do the ISecurity Ambassador course after 60 days of joining the organization. And for the rest of the year, he will receive wallpapers and screensavers with security messages. He also participates in the phishing quiz or drills.

We won the DSCI (Data Security Council of India) award for creating security awareness and culture in the organization — for the last four years.

Sameer Ratolikar
Executive VP & CISO, HDFC Bank

One of the most rewarding activities has been working with multidisciplinary teams and different generations (Baby Boomers, Generation X, Millennials and Centennials). This diversity challenged me to identify new ways to communicate and raise awareness. That’s why I created CyberHeroes.me, a cyber security awareness training based on gamification, where everyone enjoys learning through gaming techniques that also generates a sense of healthy competition and, above all, generates changes in behavior because users truly believe in the benefits.

Additionally, I created the concept of NeuroHacking, which is basically how social engineering plays an increasingly important role in cyber-attacks and how we can prepare for it.

Jorge Mario Ochoa
Global Security Operations Center Manager, Millicom International Cellular (Tigo)
Professor of the Master in Cybersecurity, Panamerican Business School

We do lots of awareness mailers and floor shows. We also have some mandatory trainings for employees like Data Privacy, BCP, etc. We have selected security champions from different groups who ensure information security in the organization.

Ravinder Arora
CISO and Data Privacy Officer at Iris Software Inc.

I am currently the CEO of XR Safety Initiative (XRSI), a non-profit organization dedicated to help build safe virtual environments. XRSI has an entire sub-organization ReadyHackerOne (RH1), dedicated to spreading cybersecurity awareness in the emerging technology domain. RH1 is actively working with global organizations to roll out awareness campaigns throughout the world. In my previous roles as Head of Security, I have always focused on the audience needs. Regular awareness campaigns focused on small wins, such as adoption of password manager, using gamification for awareness activities, etc. I believe Cybersecurity is everyone’s job and ensuring everyone understands what that really means. I have contributed to building resources such as this guide from National Initiative for Cybersecurity Education. I recommend circulating resources like this among each department and including cybersecurity discussions during various department meetings as well as company all hands.

Kavya Pearlman
Global Cybersecurity Strategist – Wallarm
CEO & Founder - XR Safety Initiative (XRSI)

I have developed different types of awareness throughout my career. The main point of attention in raising awareness at all levels of the corporation is language alignment and theme generalization. The best project I did was to design security training for everyone, giving them a chance to participate in what they believed to be most relevant — we ‘live’ — with my employees and their students. At the same time, there was mandatory security policy training (online, 20 minutes) and we started an online security competition where everyone could participate. In the end, the winners were recognized as “key security partners” in the areas where they were working. It was highly acclaimed, and the participation was excellent. Employees saw it as an opportunity to learn, be recognized for their efforts and be compliant with the Program.

Karina Queiroz
Founder, Teckids - Online Children Protection. Former Head of IT Security, Risk and Compliance, British American Tobacco.

We use a combination of cybersecurity training tools and modules. I lead small setting trainings, annual renewal trainings, lunch-n-learn sessions, memos, newsletters, features and lots of re-education. It also helps to personalize discussions to something the team members relate to.

Carla Wheeler
Global CIO & CISO, Heartland Alliance

The education and security awareness process starts with an agreement and understanding that the organization’s security program is a “team sport,” and everyone in the organization should be “deputized” as a “security officer.” Lines of business leaders, functional leaders and process leaders should have security performance objectives built into their annual performance appraisals.

Once the “team sport” concept is established: Consider adopting the Board education recommendations provided above, engage lines of business, functional areas and process teams to engage in table-top incident response exercises; turn similar-organization, industry events into teachable moments by developing case studies to share throughout the organization. “Here’s what happened at Target or Yahoo or Equifax…,” provide an ongoing cadence of security reminders via email or internal newsletters; and create a culture of security – reward internal reporting of any potential security events.

Bob Chaput
Founder, Executive Chairman, Clearwater

The security landscape is ever evolving. How do your employees update their skills? How do you pursue continual learning?

I think the best way to keep my team’s skills up to date has been to lead by example. When we demonstrate the benefits of keeping up to date, our teams will proactively look for opportunities to train and update knowledge continuously; when these happen it is time to do everything in our hands as leaders so that our teams get the necessary support. I believe that cybersecurity has a lot in common with medicine, in the sense that updating is not an option; it is a necessity. In order to keep my current certifications, I must comply with certain hours of continuous education, which challenges me to look for new certifications, courses and papers that keep myself updated and curious about the future of Cybersecurity.

Jorge Mario Ochoa
Global Security Operations Center Manager, Millicom International Cellular (Tigo)
Professor of the Master in Cybersecurity, Panamerican Business School

We are already working on AI for security testing. We also have an R&D lab where we test different types of threats, check their impact, etc. We also keep our teams certified with the latest technologies. We have regular subscriptions for different IT magazines. We also run different workshops and call trainers from around the world to keep ourselves updated.

Ravinder Arora
CISO and Data Privacy Officer at Iris Software Inc

While advising on this aspect, I have always focused on role-based training. Technical-savvy engineers should be given OWASP Top 10 type training, while everyone should have some level of awareness around common threats like social engineering, phishing, ransomware, etc. I also believe an internal communication regularly updating employees about the latest threats and breaches, and the lessons learned, is helpful to keep them aware. I am regularly on Twitter and LinkedIn to keep up with current affairs, and I remain connected with the hacker and information security community, to keep up with any new developments in the field.

Kavya Pearlman
Global Cybersecurity Strategist – Wallarm
Founder - XR Safety Initiative (XRSI)

For employees, we use phishing campaigns to train them up and the regularly scheduled trainings I have previously discussed. For the security team, they actively attend vendor online training webinars and prove their skills through technical certifications.

I am very active on LinkedIn being a Top Influencer. Daily review and research are constant and I post frequently as well as learn from my peers. I write for many magazines (CS Hub, Security Current, Cybersecurity Magazine, CIO Review, CISO Magazine) so I am always reading them. Additional feeds that I read on a regular basis are Crypto-gram, Cyberwire, Krebs, InfraGard, and sector specific news items such as Healthcare IT, NextGov. As for courses, I am an Adjunct Professor for the University of Advanced Technology. I am always looking at and taking courses from LinkedIn and edX. I believe, the more you know – the more you know that you don’t know. I am a constant learner.

Dr. Rebecca Wynn
Head of Information Security & DPO, Matrix Medical Network

Most team members stay on top of current matters through networking events, reading, seeking guidance from management, and collaborating amongst peers.

I utilize some of the tooling mentioned above but take it a step further. I am driven by learning and staying as current as possible. I am not afraid to ask a question and love being around other bright individuals. I review as many articles / books / magazines and web sites as I can throughout the day. In addition to that, I stay on top of any continuing education requirements and take this time seriously. I participate on panels and facilitate to drive thought energy from others. Lastly, I attend courses and workshops.

Carla Wheeler
Global CIO & CISO, Heartland Alliance

I believe daily study is the way — understand vulnerabilities, how applications work and related bugs; network threats, database flaws, incident techniques, the monitor backstage blogs; work on labs, monitor news through media, and engage in professional networking. I read labs’ blogs, engage in professional networking, do my own virtual lab, and go for conferences. I also explore experiences with peers.

Karina Queiroz
Founder, Teckids - Online Children Protection. Former Head of IT Security, Risk and Compliance, British American Tobacco.

COVER STORY

The landscape is forever shifting, and that will never change. When establishing a new cyber program, I have always heavily focused on the core foundational pieces being in place and using as much automation as possible to optimize performance and reduce man hours associated with those pieces. If you cannot master the core foundational pieces, then having employees looking at the next generation of threats and technology will do you no good. By streamlining those core pieces, you are then able to have your employees hone their skills on the ever-changing threat landscape, and emerging technologies that are developed to counter those threats.

I have great relationships with other professionals in this field, and we are constantly sharing information and knowledge. The security field truly is like a big sports team, where everyone wants to help each other succeed. On top of those relationships, I read 20-30 cyber related articles daily, annual cyber studies, books, etc.

Heath Renfrow
CISO, LEO Cyber Security
Former CISO, United States Army Healthcare

The organization needs a long and short game. CISOs and their teams have to devote the majority of their attention to the short game, while the C-suite and Board need to focus on the long game. That means operationally, don’t become enamored with the latest threat, exploit or “shiny tool” — and don’t lose track of the fundamental mission, which is to ensure the confidentiality, integrity, and availability of all the sensitive data, systems and devices. Tactically, stay on top of changes as best as possible by reading, participating in critical infrastructure sharing forums (e.g., in healthcare, H-ISAC; in Financial Services, FS-ISAC), attending local and regional conferences, listening to vendor briefings, etc., and strategically, take the long view with the Board by focusing on establishing, implementing and maturing a Cyber Risk Management program that will transcend time.

I keep myself updated by reading, participating in critical infrastructure sharing forums (such as the H-ISAC, Health Information Sharing and Analysis Center), attending local and regional conferences, and leading webinars on key topics. Part of Clearwater’s mission is education, so the Clearwater website Knowledge Center is a tremendous resource. CISOs who have not yet pursued formal undergraduate and graduate education should find a program that fits their schedule and budget. I recommend starting with National Security Agency / Centers for Academic Excellence (NSA/CAEs), most of which offer excellent distance learning programs.

Bob Chaput
Founder, Executive Chairman, Clearwater

COLLABORATIONS

INFOSEC PARTNERSHIPS
Cybersecurity is among the most discussed topics. Significant mergers and acquisitions
took place, the effects of which will be observable in the near future. Following the trend of
collaboration, many startups and innovators joined hands with established cybersecurity
brands to pursue aggressive courses of action. Also, the governments and defense departments
around the world, along with other industries, began taking cybersecurity more seriously.
Below are a few stories from last month that made front-page news with their substantial
acquisition amounts and futuristic outlook.

CISO MAG Staff


Broadcom acquires Symantec’s enterprise security unit for $10.7 billion in cash

Broadcom, a global technology leader that designs, develops and supplies semiconductor and infrastructure software solutions, announced an agreement to acquire the enterprise security business of Symantec Corporation for $10.7 billion in cash. The addition of Symantec’s enterprise security portfolio will significantly expand Broadcom’s infrastructure software footprint as it continues to build one of the world’s leading infrastructure technology companies.

Hock Tan, President and Chief Executive Officer of Broadcom, said, “M&A has played a central role in Broadcom’s growth strategy and this transaction represents the next logical step in our strategy following our acquisitions of Brocade and CA Technologies. We look forward to expanding our footprint of mission critical infrastructure software within our core Global 2000 customer base.”

The transaction is expected to drive more than $2 billion of sustainable, incremental, run-rate revenues and approximately $1.3 billion of Pro Forma EBITDA, including synergies. The transaction is expected to generate more than $1 billion of run-rate cost synergies within 12 months following close. Additionally, Broadcom expects to achieve double-digit cash-on-cash returns on its investment.

Microsoft-owned GitHub acquires Semmle

Microsoft-owned GitHub recently announced that it has acquired code analysis provider Semmle for an undisclosed amount. Based in San Francisco, Semmle develops an engineering analytics solution. It helps developers and security researchers discover potential vulnerabilities in their code.

Founded in 2006, Semmle claims that its products have been used by NASA, Uber, Google, and Microsoft to enhance their cybersecurity posture.

GitHub stated that it’s now a Common Vulnerabilities and Exposures (CVE) Numbering Authority, and with the latest acquisition it will become easy for code contributors to report potential vulnerabilities directly from the repositories.

“Open source has had a remarkable run over the past 20 years. Today almost every software product from any vendor or community includes open-source code in its supply chain. We all benefit from the open-source model, and we all have a role to play in making open source successful for the next 20 years,” GitHub said in a blog post. “Both of these announcements are part of our larger strategy to secure the world’s code.”

Cyberinc partners with InfiniVAN

Cybersecurity startup Cyberinc recently announced its partnership with InfiniVAN to provide local web isolation cloud solutions in the Philippines. The alliance integrates Cyberinc’s Isla Isolation Cloud with InfiniVAN to bring a fully isolated secure internet connection for the users in the region.

Based in California, Cyberinc helps public and private enterprises get a safer internet by proactively preventing email, web, and document-based threats. The company claims that its Isla Isolation Platform uses cutting-edge isolation technology to defuse threats.

Commenting on the new partnership, Samir Shah, CEO at Cyberinc, said, “The InfiniVAN approach to delivering business internet service is at par with global standards, with world-class fiber optic network infrastructure perfectly aligned with the Cyberinc vision of providing a completely secure browsing experience to our customers. Together, we can help our customers scale their cyber defenses and safeguard against an increasingly relevant global problem. We see that Remote Browser Isolation can reduce the attack surface against web and email-based attacks, making the endpoints and networks safer. Our partnership with InfiniVAN will deliver next-generation security solutions to our customers.”

CyberRisk Alliance acquires Cybersecurity Collaborative

Cybersecurity and business intelligence company CyberRisk Alliance recently acquired Cybersecurity Collaborative, a peer council platform for Chief Information Security Officers (CISOs).

Cybersecurity Collaborative is a private cross-industry forum for CISOs and security professionals devoted to peer association. The company offers a secure platform to share knowledge, skills, and experiences on cybersecurity challenges.

Founded in 2018, CyberRisk Alliance is a diversified marketplace of business information products and services that trains security professionals. The new acquisition allows the cybersecurity community members to access the confidential security reports, critical updates, and CISO-led SWAT teams.

Speaking on the new acquisition, Doug Manoni, the CEO and Founder of CyberRisk Alliance, said, “Cybersecurity Collaborative represents another key investment and an essential component of our platform strategy to serve this fast-growing industry with strong resource demands. We’re privileged to partner with Stuart Cohen and his team with their deep understanding of the community and their ability to support this exclusive and valued service to the community. We’re eager to work with Stuart and build on his impressive accomplishments by adding additional capabilities to the membership offering and expanding into new market segments.”

Cyberbit partners with Purdue University to boost cybersecurity training

Cyberbit, a provider of cyber range training and simulation platforms, recently joined hands with Purdue University to boost cybersecurity workforce education and training. As part of the partnership, Purdue University will launch a Cyberbit Range, a realistic training platform for cybersecurity professionals.

Cyberbit uses a hyper-realistic simulation approach to train and assess cybersecurity experts. This approach is now widely adopted by the industry as a means to cope with the ever-growing global cybersecurity skill shortage.

The new alliance allows security professionals to work with Purdue’s cybersecurity workforce to assess and enhance cybersecurity skills and boost organizational readiness toward cyber-attacks.

“Pilots have flight simulators, soldiers have firing ranges, now Purdue University has a cyber range — a state-of-the-art cyberattack simulator,” said Adi Dar, CEO of Cyberbit. “We’re excited to work with Purdue’s world-class team to ensure its industry partners are learning, retaining what they learn and building the reflexes needed to remain prepared in the highly dynamic world of cybersecurity.”

IN THE NEWS

Due to some high-profile data breaches, cybersecurity is a trending topic in all kinds of media. It is imperative that information security executives are updated about the incidents around them. Read on for the most important cybersecurity stories of the last month.

CISO MAG Staff


Yahoo Data Breach Victims will get US$ 100 Compensation

In one of the biggest class-action lawsuit settlements in United States history, Yahoo Inc. has agreed to pay US$ 117.5 million over a series of data breaches that affected its users between 2012 and 2016. The affected users will likely get US$ 100 in compensation or two years of credit monitoring services for free.

Yahoo urged the Settlement Class Members to claim the reimbursement. In case users already hold credit monitoring services, they can opt for a cash payment, which could be less than US$ 100 or more (up to US$ 358) per user, depending on how many users claim the settlement, Yahoo said in a statement.

According to Yahoo, anyone who had a Yahoo account between January 1, 2012, and December 31, 2016, and is a resident of the United States or Israel is eligible for the settlement.

“You may additionally provide documentation or proof to receive reimbursement of up to $25,000.00 in out-of-pocket losses, including lost time, that you believe you suffered or are suffering because of the Data Breaches,” the statement added.

Unprotected Database Leaks 198 Million Car Buyers’ Personal Data

An unprotected database exposed around 198 million personal records of car buyers online. Jeremiah Fowler, a security researcher at Security Discovery, stated that he discovered a database containing 413 GB of data that was left online without any password protection.

“On August 19th I reported a non-password protected database that contained a massive 413GB of data and a total of 198 million records. The most shocking part was that I had seen this dataset several times in the previous weeks but was unable to identify the owner. It was clear that this was a compilation of potential car buyers wanting more information, loan and finance inquiries, vehicles that were for sale, log data with IP addresses of visitors, and more,” Jeremiah said in a post.

The researcher found that the leaky database is an Elastic database that contained a compiled list of potential car buyers who requested information like vehicles for sale, loan and finance inquiries, log data with IP addresses of visitors, and more. Upon further investigation, Fowler discovered that the car buyer marketing database is maintained by an agency, dealerleads.com. The database was taken down by DealerLeads after Fowler reported the issue.

Data Breach Exposes Almost Everyone’s Information in Ecuador

Almost everyone in Ecuador became a victim of a massive data breach that exposed the personal information of over 20 million individuals, including the country’s president and WikiLeaks founder Julian Assange, who was granted asylum by Ecuador in 2012.

Security firm vpnMentor discovered the breach on a Miami-based Elasticsearch server owned by an Ecuadorian company, Novaestrat. It’s said that the exposed data appears to have come from various sources, including the Ecuadorian national bank, Ecuadorian government registries, and an automotive association called Aeade. The exposed information includes names, dates of birth, contact information, national identification numbers, bank account details, taxpayer identification numbers, and driving records.

The unprotected database was taken down on September 11, after vpnMentor notified Ecuador’s CERT (Computer Emergency Response Team). vpnMentor opined that the breach could bring some severe ramifications in the future. In case the data was obtained by cybercriminals, they could use it to launch phishing attacks, scams, identity theft, and fraud.

Chicago Brokerage Slammed with US$ 1.5 Million Fine

Phillip Capital (PCI), a Chicago-based futures brokerage, was fined US$ 1.5 million for lack of cybersecurity measures. According to an order from the U.S. Commodity Futures Trading Commission, the brokerage firm failed to disclose the cyber breach to its customers in a timely manner. The order also finds that PCI failed to supervise its employees with respect to cybersecurity policy and procedures, a written information systems security program and customer disbursements.

“Cybercrime is a real and growing threat in our markets,” said CFTC Director of Enforcement James McDonald. “While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place — and follow those procedures — to protect their customers and their accounts from potential harm.”

Multiple security incidents were reported by various brokerage firms in recent times. Crypto brokerage platform Coinmama recently notified users that it suffered a security breach which affected around 450,000 users’ emails and hashed passwords. The company stated that a few unknown intruders compromised customer data and kept it for sale on a dark web registry.
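The DealerLeads and Novaestrat exposures above share one root cause: an Elasticsearch node reachable from the internet with no authentication. The audit below is an added example, not code from CISO MAG, from the researchers quoted, or from Elastic. It assumes Elasticsearch 7.x behaviour, where network.host defaults to loopback and xpack.security.enabled defaults to false on the free licence, so a single network.host: 0.0.0.0 line is enough to publish an unauthenticated cluster; it reads only the flat dotted.key: value form that elasticsearch.yml files normally use, and the three sample configs are constructed.

```python
"""Audit an elasticsearch.yml for the 'open to the internet, no password' pattern.

Added example (not from CISO MAG or Elastic). Assumes Elasticsearch 7.x semantics:
network.host defaults to loopback and xpack.security.enabled defaults to false
on the free licence, so one `network.host: 0.0.0.0` line publishes an
unauthenticated, plaintext REST API on port 9200.
"""

# Values of network.host that keep the node reachable only from the same machine.
LOOPBACK_VALUES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text):
    """Parse `dotted.key: value` lines (comments and quotes stripped).

    Elasticsearch config files are almost always written in this flat form;
    nested block syntax is not handled (assumption kept for brevity).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_enabled(value):
    return value.strip().lower() in {"true", "yes", "on"}


def bound_hosts(settings):
    """Addresses the HTTP layer binds to (http.host overrides network.host)."""
    raw = settings.get("http.host", settings.get("network.host", "_local_"))
    return [h.strip().strip("'\"") for h in raw.strip("[]").split(",") if h.strip()]


def audit_elasticsearch(config_text):
    """Return a list of findings; an empty list means both checks passed."""
    s = parse_flat_yaml(config_text)
    exposed = any(h not in LOOPBACK_VALUES for h in bound_hosts(s))
    findings = []
    if exposed and not is_enabled(s.get("xpack.security.enabled", "false")):
        findings.append("node bound to a non-loopback address with xpack.security.enabled "
                        "not true: anyone who can reach port 9200 can read and modify every index")
    if exposed and not is_enabled(s.get("xpack.security.http.ssl.enabled", "false")):
        findings.append("HTTP layer reachable from the network without TLS "
                        "(xpack.security.http.ssl.enabled not true)")
    return findings


# Constructed sample configs, not taken from any real deployment.
WEAK_CONFIG = """\
cluster.name: marketing-leads   # constructed example
network.host: 0.0.0.0           # reachable from every interface
http.port: 9200
"""

HARDENED_CONFIG = """\
cluster.name: marketing-leads
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

LOOPBACK_CONFIG = "cluster.name: dev-laptop\n"   # defaults apply: loopback only


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("loopback", LOOPBACK_CONFIG)):
        print(name, audit_elasticsearch(cfg) or ["no findings"])
```

The weak config produces two findings and the hardened one none; the point of keeping network.host: 0.0.0.0 in the hardened version is that exposure by itself is not the defect, exposure without authentication and transport protection is.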


Report suggests 265% Rise in ‘Fileless Attacks’

Cybersecurity and defense company Trend Micro revealed a 265 percent increase in fileless attacks in the first half of 2019 when compared with the same period in 2018. A fileless attack, also known as a zero-footprint attack or non-malware attack, does not install any malicious software on a user’s computer, as it exploits applications that are already installed on the device.

Trend Micro stated that cybercriminals are using sophisticated attack formats that aren’t visible to traditional security procedures. In its Mid-Year Cybersecurity report, Trend Micro revealed that out of 1.8 billion ransomware threats from January 2016 to June 2019, the highest number of ransomware threats (42.98 percent) were suffered by businesses in Asia. Companies in India reported around 23.88 percent of ransomware attacks in the first half of 2019, the report stated.

Along with the growth in fileless threats in the first half of the year, attackers are increasingly deploying threats that aren’t visible to traditional security filters, as they can be executed in a system’s memory, reside in the registry, or abuse legitimate tools. Exploit kits have also made a comeback, with a 136 percent increase compared to the same time in 2018.
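The report passage names the three places a fileless payload lives: process memory, the registry, and legitimate tools. The following is an added example, not code from Trend Micro or CISO MAG, showing what detection logic for those traits looks like when run over process-creation and autorun records. The record shape (parent, image, command_line), the Run-key entries and every sample event are constructed to resemble a generic EDR or Sysmon export, and the rules themselves (a document application spawning a script host, an encoded command, hidden-window flags, a script host referenced from a Run key) are common detection heuristics rather than anything taken from the report. The encoded sample payload decodes to a harmless Write-Output so that the logic, not the payload, is what the example demonstrates.

```python
"""Flag process-creation and registry-autorun records that show fileless traits.

Added example, not from Trend Micro or CISO MAG. Record shape (parent, image,
command_line) and all sample data are constructed to resemble a generic EDR or
Sysmon export; nothing here comes from a real incident.
"""
import base64
import re

# Interpreters that run code handed to them on the command line or from the
# registry, so no malicious file has to touch disk.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Document-handling applications that have no business spawning a script host.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
STEALTH_FLAGS = re.compile(r"-nop\b|-noni\b|-w(?:indowstyle)?\s+hidden\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.

    PowerShell expects base64 of UTF-16LE text; anything that does not decode
    that way is treated as 'not an encoded command' rather than raising.
    """
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_event(event):
    """Return the list of fileless indicators matched by one process-creation record."""
    reasons = []
    image, parent = basename(event["image"]), basename(event["parent"])
    cmd = event["command_line"]
    if image in SCRIPT_HOSTS and parent in DOCUMENT_APPS:
        reasons.append("script host spawned by a document application")
    if decode_encoded_command(cmd) is not None:
        reasons.append("encoded command: payload exists only in the command line and memory")
    if image in SCRIPT_HOSTS and STEALTH_FLAGS.search(cmd):
        reasons.append("profile-less / hidden-window flags")
    return reasons


def flag_autoruns(entries):
    """Names of Run-key entries whose value launches a script host (registry-resident payload)."""
    return [name for name, cmd in entries
            if any(host in cmd.lower() for host in SCRIPT_HOSTS)]


# --- constructed sample data -------------------------------------------------
# Harmless payload so the detection logic, not the payload, is what is shown.
SAMPLE_B64 = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe",
     "command_line": r"notepad.exe C:\Users\demo\notes.txt"},
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -Enc {SAMPLE_B64}"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

SAMPLE_AUTORUNS = [
    ("OneDrive", r"C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("Updater", f"powershell.exe -w hidden -enc {SAMPLE_B64}"),   # constructed Run-key value
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["image"]), classify_event(ev) or ["clean"])
    print("registry-resident:", flag_autoruns(SAMPLE_AUTORUNS))
```

Decoding the encoded argument before matching is the step that matters: a rule that only looks at the raw command line sees an opaque base64 blob, while the decoded text is what an analyst needs to judge whether the in-memory payload is benign.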

IN THE HOTSEAT

The ways in which the world’s infrastructure is vulnerable to cyberattacks are constantly growing thanks to technology advancements. There is some good news, though. As organizations around the world are learning to take information security more seriously, we are seeing more appointments of cybersecurity leaders. Here are some of the most noteworthy in the last month.

CISO MAG Staff



FortifyData Announces Bob Morrell as its New President and CEO

Cybersecurity software company FortifyData recently announced the appointment of Bob Morrell as its new CEO and President. Bob Morrell was previously co-founder and CEO of Riskonnect. He is also a serial entrepreneur and a pioneer in risk management software.

In his new role, Morrell will lead the deployment of FortifyData’s cyber risk platform. He also oversees the strategic direction of the company and is responsible for growing its global sales.

FortifyData helps public and private enterprises enhance their cybersecurity posture. It’s said that FortifyData’s cyber risk management platform allows companies to comply with industry security standards, including ISO 27001, PCI, HIPAA, SOC 2, NIST, and 23NYC500.

Speaking on his new role, Bob Morrell said, “What excites me most about FortifyData is the opportunity we have to protect companies from their biggest risk: cybercrime. Ultimately, companies are looking for a platform that provides a clear line of sight to their cyber risk exposure with an integrated, holistic solution, and that’s what we provide. It’s not just the bigger companies that need help. I see a lot of opportunity to help businesses of all sizes to navigate this increasingly complex world of cybersecurity.”

Steven Schwartz joins Cytegic as Vice President of Strategy & Insurance

Cybersecurity firm Cytegic recently launched an insurance unit to quantify complex threats emerging from cyberspace. Steven Schwartz joins Cytegic as Vice President of Strategy & Insurance for this new unit.

Schwartz brings in an exceptional blend of insurance, technology and venture capital experience. He is currently on the Board of Advisors for Rutgers University’s Cybersecurity program. Ahead of that he was the Managing Director of CEO Quest, where he specialized in working with venture capital funds while coaching tech-company CEOs towards accelerated company growth within the insurance industry. Schwartz is also a co-founder of The Data Union and the Senior Vice President of Business Development & Senior Managing Consultant at UIC, a risk management consultant firm.

“This is a once in a lifetime opportunity to work with a platform as mature as Cytegic’s and the value proposition it brings to the insurance market. We make cyber risk understandable and in the language we all understand: dollars,” Schwartz said. “Imagine a world where insurance is not purely transactional for transferring risk but advising insurers on mitigating risks with a relationship built on trust. New sources of revenue without customer acquisition costs is where insurers profit. We enable the industry to transform its business model with automated remediation plans to engage insureds with ease and value add with every touchpoint.”

Aware Appoints Robert A. Eckel as its New Chief Executive Officer & President

Aware, a supplier of biometrics software and services, recently appointed Robert A. Eckel as its Chief Executive Officer and President. Eckel will also serve as a member of the Board of Directors of Aware. Aware provides biometrics software products and development services to government agencies, system integrators, and solution providers globally.

Previously, Eckel served as the Chief Executive Officer and President North America at Idemia, an Identity and Security business. Eckel holds significant expertise in biometrics, secure identity, air traffic control, and defense systems.

“I’m excited to be joining an Aware team known for its customer relationships, employee dedication and exemplary domain knowledge and passion. Together we’ll continue to expand Aware’s leadership position in the industry and bring effective biometric technology into people’s lives. One of my passions is to build and lead companies that enable individuals to experience the life we deserve through technology. My background in secure identity solutions, biometrics technology, and complex systems will help me drive this mission for Aware,” Eckel said.

Lunarline announces appointment of Michael Sadeghi as Vice President of National Defense

Cybersecurity solutions provider Lunarline recently announced the appointment of Michael Sadeghi as Vice President of National Defense. Sadeghi will be tasked with overseeing the rapidly increasing portfolio of defense and intelligence community cybersecurity clients.

Sadeghi has over 25 years of experience in the information security space. Previously, he held executive-level positions at Edgework, Engility, Tetra Tech, BAE Systems, Government Micro Resources and Booz Allen Hamilton. He was also the Chief Technology Officer at Lockheed Martin, where he was instrumental in redesigning the worldwide infrastructure of the Pentagon post the 9/11 attacks. He is known to be one of the pioneers of AI and machine learning programs of the Defense Advanced Research Projects Agency (DARPA).

“I’m elated to join Lunarline and help build on its solid foundation of cyber techniques, tools, training and managed security services,” says Mr. Sadeghi. “Due to the exponential growth in the cyber threat vectors and the non-scalability of the majority of the current mitigation techniques, combined with quantum computing and many other disrupting technologies right around the corner, Lunarline is perfectly positioned to help its clients transform the security and productivity of their business to better perform in this rapidly changing security space.”


MedCrypt appoints Axel Wirth as Chief Security Strategist

Healthcare security provider MedCrypt announced the appointment of leading healthcare technology expert Axel Wirth as Chief Security Strategist. He will be instrumental in guiding the company in critical security strategy decisions as well as supporting the adoption of critical security technology in the healthcare industry.

Axel Wirth is an industry veteran with more than 30 years of experience in the medical device, healthcare IT and cybersecurity industries. Ahead of this, Wirth held a leadership role in cybersecurity firm Symantec. He has also held several roles at Siemens, Analogic, Mitra and Agfa.

“I’ve been an advocate for compliance, privacy, and security — and ultimately patient safety — in healthcare throughout my entire career,” said Axel Wirth, chief security strategist at MedCrypt. “I was pleased to find a team whose values align so closely with my own. MedCrypt’s mission involves protecting sensitive data and assuring patient safety by securing critical medical device and IT infrastructure. The healthcare industry is in dire need of this technology.”

KICKSTARTERS

With cybersecurity gaining more importance than ever, cybersecurity startups have become a huge attraction for venture capitalists. The cybersecurity market has seen tremendous growth despite the slowdown in the global economy, with many companies inking record-breaking funding deals with venture capital firms. The influx of money has driven innovation and solutions to important security challenges. In this section, we look at some of the emerging companies to watch out for.

CISO MAG Staff


Kovrr

Founded in 2017 by security experts Yakir Golan, Shalom Bublil, and Avi Bashan, Kovrr delivers data-driven end-to-end insights to government and private insurance regulators that enable them to calculate their cyber risk exposures.

What sets it apart: Kovrr claims that its end-to-end platform quantifies potential financial loss caused by different types of cyber-attacks and helps in managing cyber risks. The platform uses open-source, proprietary and third-party business and threat intelligence data to train predictive cyber risk models.

Market Adoption: Kovrr recently raised US$ 5.5 million in a financing round led by venture capital firms StageOne Ventures and Mundi Ventures, along with participation from Banco Sabadell and other private investors. The Tel Aviv-based company stated the new funding will help the company accelerate its product development and global expansion activities.

Shape Security

Founded in 2011 by Derek Smith, Justin Call, and Sumit Agarwal, Shape Security is a California-based startup that provides defense against malicious automated cyber-attacks on web and mobile applications.

What sets it apart: Shape Security helps enterprises prevent automated and imitation attacks. It provides omnichannel protection for web applications, mobile applications, and API interfaces. The company claims that its Fraud Prevention Platform detects and blocks over 2 billion fraudulent transactions daily.

Market Adoption: Shape Security recently raised US$ 51 million in a funding round led by C5 Capital along with existing investors, including Focus Ventures, JetBlue Technology Ventures, Top Tier Capital Partners, EPIC Ventures, Kleiner Perkins, HPE Growth, and Norwest Ventures Partners. The California-based startup has reached the US$ 1 billion valuation mark with the latest investment. Shape Security stated the new proceeds will accelerate the company’s product development and also support its business expansion in North America.

Acronis

Founded in 2003 by Jack Zubarev, Oleg Melnikov, Serguei Beloussov, and Stanislav Protassov, Acronis is a Swiss cybersecurity company that offers safety, accessibility, privacy, authenticity, and security services.

What sets it apart: Acronis offers cyber protection, solving safety, accessibility, privacy, authenticity, and security (SAPAS) challenges with innovative backup, disaster recovery, and enterprise file sync and share solutions for enterprises in hybrid cloud environments and on-premises. The company claims that its Acronis Cyber Platform protects all the data in any environment, including cloud, physical, virtual, mobile workloads, and applications.

Market Adoption: Acronis recently secured US$ 147 million in an investment round led by Goldman Sachs. With the latest investment, the Singapore and Switzerland-based company reached a valuation of over one billion dollars. Serguei Beloussov, the founder and CEO of Acronis, stated the new proceeds will be used to expand the company’s engineering team, build additional data centers, grow its business reach in North America, and pursue acquisitions.

Axonius

Founded in June 2017 by Avidor Bartov, Dean Sysman, and Ofri Shur, Axonius provides end-to-end management solutions to cover security gaps by validating and enforcing enhanced security policies.

What sets it apart: Axonius helps enterprises bolster their cybersecurity capabilities. The company has several services including active directory, endpoint protection tools, cloud tools, NAC solutions, VA scanners, and Mobile Device Management systems.

Market Adoption: The company recently raised $20 million in a Series B funding round led by OpenView along with participation from Bessemer Venture Partners, YL Ventures, Vertex, WTI, and Emerge. The New York and Tel Aviv-based cybersecurity startup stated the new funding will help the company boost its customer acquisition and expedite product development. Axonius, earlier this year, was awarded the Most Innovative Startup of the Year after it won the RSAC Innovation Sandbox Contest.

Astrocast

Founded in 2014 by security veterans Bertil Chapuis, Fabien Jordan, Federico Belloni, Jean-Michel Jordan, Julian Harris, and Nicholas Petrig, Astrocast offers a bidirectional and highly sec
ure connection to any IoT device on Earth, in a few minutes.

What sets it apart: Astrocast is the first nanosatellite IoT network to address this market need in remote areas and for urban LPWAN applications needing satellite backup. The company is also developing an advanced nanosatellite network for the Internet of Things (IoT): a network of 64 CubeSat satellites in Low Earth Orbit (LEO).

Market Adoption: The firm recently secured US$ 9.2 million (€8.3 million) in a Series A round of funding. The Swiss startup said the new proceeds will help it accelerate the production of IoT modules and the deployment of its Low Earth Orbit (LEO) IoT Network. Speaking on the investment, Fabien Jordan, the CEO of Astrocast, said, “We are excited to see the continued confidence of our investors and partners in the new space race and our company, as we make our mission of building the world’s first IoT network for the planet a reality.”
