Welcome to CISO Corner. Dark Reading's weekly article digest is tailored specifically for security operations readers and security leaders. Each week we bring you stories from across the News, Operations, The Edge, DR Technology, DR Global, and Commentary sections. We are committed to providing diverse perspectives to support the operationalization of cybersecurity strategies for leaders in organizations of all shapes and sizes.
In this issue of CISO Corner:
- CISOs and their companies struggle to comply with SEC disclosure rules
- Podcast: Dark Reading Confidential: CISO and SEC
- Top 5 Most Dangerous Cyber Threats of 2024
- DR Global: Singapore cybersecurity update informs cloud providers
- There is no cyber labor shortage
- Is CISA's Secure by Design pledge worthless?
CISOs and their companies struggle to comply with SEC disclosure rules
Author: Rob Lemos, Contributor, Dark Reading
Most companies still cannot determine whether a breach is material within the SEC-mandated four days, distorting incident response.
Companies can be fined millions of dollars if they fail to notify the SEC of material incidents. Yet 68% of cybersecurity teams do not believe their organizations will be able to comply with the four-day disclosure rule, according to a survey released May 16 by cloud security firm VikingCloud.
Large publicly traded companies already have disclosure committees that determine whether events ranging from severe weather to economic fluctuations to geopolitical instability could have a material impact. But while large companies have been focused on the issue for more than a year, even before the rule was finalized, smaller companies have had a more difficult path, said Matt Gorham, who leads Cyber Privacy Innovation at consulting firm PricewaterhouseCoopers. Companies should focus on creating a documented process and preserving contemporaneous evidence that the process was followed for each incident.
“There's a lot of variation from company to company, and there's a lot of variation from case to case,” he says. “I may have decided that way at first, but although [the breach] may not be significant at that point, you will need to continue assessing the damage to see if it has reached a critical level.”
Read more: CISOs and their companies struggle to comply with SEC disclosure rules
Related: Anatomy of a data breach: What to do if a data breach occurs, a free Dark Reading virtual event is scheduled for June 20th. Verizon's Alex Pinto will give a keynote speech titled “Up Close: Real-World Data Breaches,” detailing DBIR's findings and more.
Podcast: Dark Reading Confidential: CISO and SEC
Moderated by Dark Reading Senior Editor Becky Bracken and Editor-in-Chief Kelly Jackson Higgins.
Episode 1 of Dark Reading Confidential features Frederick “Flee” Lee, CISO of Reddit; Beth Burgin Waller, a practicing cyber attorney who represents many CISOs; and Ben Lee, Reddit's chief legal officer.
This is a new podcast from the editors of Dark Reading, focused on bringing you real-world stories straight from the cyber trenches. The first episode delves into the increasingly complex relationship between the Securities and Exchange Commission (SEC) and the role of the chief information security officer (CISO) within public companies.
After Uber's Joe Sullivan and SolarWinds executives were held accountable, CISOs now face a dual challenge: correctly interpreting what the SEC's new rules for cyber incidents mean, while also bearing their own personal liability.
Read more: Dark Reading Confidential: CISO and SEC (with transcript)
Related: Former Uber CISO proposes a “personal incident response plan” for security personnel
Top 5 Most Dangerous Cyber Threats of 2024
Ericka Chickowski, Contributing Writer, Dark Reading
SANS Institute experts discuss the main threat vectors facing businesses and society at large.
We're just five months into 2024, but it has already been a busy year for cybersecurity professionals. What will happen for the rest of the year? SANS experts at the SANS Technology Institute have identified the five top threats that businesses should be concerned about.
1. Security implications of technical debt: Security cracks left by technical debt may not sound like an imminent new threat, but according to Dr. Johannes Ullrich, director of research at the SANS Technology Institute, enterprise software stacks are at an inflection point on the issue.
2. Synthetic identity in the age of AI: Ullrich said fake videos and fake audio are being used to impersonate people, and these will undermine many of the biometric authentication methods that have gained traction over the past decade. “The game changer today is not the quality of these imitations,” he said. “The game changer is cost. We can now do this cheaply.”
3. Sextortion: According to Heather Mahalik Barnhart, SANS faculty fellow and senior director of community engagement at Cellebrite, a growing number of people online are being threatened by criminals who use sexually explicit photos and videos to blackmail them, releasing the material if the victims do not comply with their demands. And in the age of highly convincing AI-generated images, those photos and videos don't even need to be real. It's a “pervasive” problem, she says.
4. GenAI election threat: Fake media manipulation and other AI-generated election threats will continue to exist across all major platforms, warned Terrence Williams, SANS instructor and security engineer at AWS. “We can be grateful to 2024 for giving us the blessings of GenAI and elections,” he said. “You have to understand what we're facing now because we know how well we're dealing with those things.”
5. Offensive AI doubles the threat: As GenAI becomes more sophisticated, even the least technically savvy cyber attackers can quickly launch malicious campaigns, said Stephen Sims, a SANS fellow and longtime offensive security researcher. Attackers now have more flexible tools to get up and running quickly.
“The speed at which we can now discover and weaponize vulnerabilities is very fast, and it's getting faster,” Sims said.
Read more: Top 5 Most Dangerous Cyber Threats of 2024
Related: Why criminals prefer AI for synthetic identity fraud
3 tips for becoming your organization's AI committee champion
Comment from Matan Getz, CEO and Co-Founder of Aim Security
CISOs are now considered part of an organization's executive team, with both the responsibility and opportunity to drive not only security but business success.
As organizations seek to understand how AI can benefit their specific services and identify the risks of implementing it, many leading companies have already put in place a dedicated AI committee of stakeholders to make sure they are fully prepared for this revolution.
The chief information security officer (CISO) is the central figure on this committee and is ultimately responsible for implementing its recommendations. Therefore, understanding priorities, tasks, and potential challenges is crucial for a CISO who wants to be an enabler rather than an inhibitor of business.
There are three fundamentals that CISOs can use as a guide to becoming a key resource on the AI board and ensuring its success.
1. Start with a comprehensive assessment: you can't protect what you don't know.
2. Implement a phased deployment approach: A phased rollout allows security to accompany the deployment and evaluate its security impact in real time. It also lets CISOs adopt security controls in parallel and measure their success.
3. Say yes, but with guardrails: To protect against threats, CISOs can set up content-based guardrails that define which prompts are dangerous, malicious, or in violation of compliance standards, and that issue a warning when such prompts appear. New AI-focused security solutions may allow customers to set and define their own parameters for secure prompts.
Read more: 3 tips for becoming your organization's AI committee champion
Related: US AI experts targeted by SugarGh0st RAT campaign
DR Global: Singapore cybersecurity update informs cloud providers
Robert Lemos, Contributing Writer, Dark Reading
The country has amended its cybersecurity law, giving the main cybersecurity agency the power to regulate critical infrastructure and third parties, and mandating the reporting of cyber incidents.
Singapore lawmakers updated the country's cybersecurity regulations on May 7 to take into account the impact of running critical infrastructure management systems on cloud infrastructure and the use of third-party providers by critical infrastructure operators. The move comes as Asia's cyber threat landscape becomes increasingly dangerous.
Given that so many critical information infrastructure providers outsource some of their operations to third parties and cloud providers, new rules are needed to hold these service providers accountable, Janil Puthucheary, Singapore's Senior Minister for Communications and Information, said in a speech to the country's parliament.
“While the 2018 Act was enacted to regulate CII, which is a physical system, new technologies and business models have emerged since then,” he said. “The law therefore needs to be updated to better regulate CIIs so that they remain secure and resilient to cyber threats, no matter what technology or business model they operate on.”
Read more: Singapore cybersecurity update informs cloud providers
Related: Singapore sets high standards for cybersecurity preparedness
There is no cyber labor shortage
Commentary by Rex Booth, CISO of SailPoint
There are many valuable candidates on the market. Recruiters are simply looking in the wrong places.
Recruiters are often hesitant to hire candidates who are deemed underqualified, believing that there must be a “perfect” candidate out there somewhere. But the truth is that the perfect candidate [with a bachelor's degree in cybersecurity, Security+ (CISSP preferred) certification, and $30,000 worth of SANS courses] probably isn't interested in a third-shift SOC position. This means hiring managers need to re-evaluate where they look for new employees and which qualifications matter most.
By narrowing the candidate pool based on a small number of arbitrary qualifications, organizations and recruiters end up selecting for candidates who are good at earning credentials and taking tests, which does not necessarily correlate with long-term success in the cybersecurity field. Prioritizing this small pool means missing out on many, many candidates with analytical potential, technical promise, and professional dedication who simply do not have the right degree or have not attended the right training course.
By tapping into these candidates, organizations will realize that the much-discussed “cyber workforce shortage” is, as it turns out, not that difficult to solve.
Read more: There is no cyber labor shortage
Related: Cybersecurity is becoming more diverse…except for gender.
Is CISA's Secure by Design pledge worthless?
By Nate Nelson, Contributing Writer, Dark Reading
The CISA agreement is voluntary and frankly basic. The signatories say that's a good thing.
At last week's RSA Conference 2024, brand names such as Microsoft, Amazon Web Services (AWS), IBM, and Fortinet agreed to take steps toward a set of seven goals defined by the leading U.S. cyber authority.
CISA's Secure by Design pledge divides the areas of security improvement into seven main categories: multi-factor authentication (MFA), default passwords, class-wide vulnerability reduction, security patches, vulnerability disclosure policies, CVEs, and evidence of compromise.
There is nothing revolutionary in the pledge and there is nothing binding about it (it is voluntary and not legally enforceable). But for those involved, that doesn't matter.
“They may not have direct authority, but I think they have indirect authority by starting to define what is expected,” said Chris Henderson, senior director of threat prevention at Huntress, one of the signatories.
Read more: Is CISA's Secure by Design pledge worthless?
Related: Patch Tuesday: Microsoft Windows DWM zero-day is ready for mass exploitation