Security

Cybersecurity Budgets 2020

How are cybersecurity budgets evolving in 2020?

How do you promote security as a fundamental aspect of DevOps in your organization?

Top Answer : We're just starting to talk to customers and reach out. The customers have all these questions for us, "Hey, what data of ours do you have? Where are you tracking it? Where are you putting it? How are you restricting who has access to it? Are you doing your annual pen test, and your monthly or weekly, or whatever scans to make sure you don't have any vulnerabilities?" The thing is, if you don't have somebody who comes in and tells you that it's important to [have good security practices], then you're going to do the bare minimum. If you have to answer no on some of these questions, it makes it really obvious that having good security hygiene is actually a sales driver. Not only does it make good sense because you're being a good steward of your customer's data, but it's also going to help you make the money through sales, because your customers are going to trust that you're at least doing the obvious things to get yourself in shape to protect their data.

How does your IT team work with the Infosec teams in your company?

Top Answer : Our information security team lives within IT who looks after corporate security and everything that's internal. We also have our product security team that we collaborate with cross-functionally to leverage tools, applications, and resources and ensure joint initiatives are successful, especially while we work towards compliance and certification goals such as ISO 27001, SOC 2, etc. Our IT Operations team works closely with the Infosec team, whether it’s to resolve tickets on high priority or find joint goals to automate security operations.

How does the increasing ubiquity of IoT change security?

Top Answer : IoT security, and anything that's agent-less, begs the question, “how do we secure all that?” Right now we don't have a solution at all. In the old days (5 years ago) we would just take the security cameras, the HVAC system, etc., and we'd throw it on another network separate from the corporate network and say, "Okay, we're good." But I don't think that's the case anymore. We have to start thinking differently about how we're going to protect the stuff in the future.

Hybrid IT Management & Security

Pulse surveys 100 IT and security leaders to find out how they’re managing hybrid IT infrastructure—and keeping data, access, and users secure.

How has the SolarWinds breach impacted how your organization thinks about IoT security?

Top Answer : We have been using SolarWinds since before I got to campus, so we're on the hook to think about this type of impact. The reality is until somebody is breached, until somebody is personally affected, no one pays attention. At UCLA, we know our leadership is definitely concerned about ransomware and security issues in general. Those are the things that get people's attention, and then once you've got their attention, you can actually try and move forward with a solution, or multiple solutions. The difficulty there lies in needing more people. There just aren't enough people with that skill set already in place to be able to do that. Even though you want to rush to fix the problem, it's still months away until you can get that group of people together that can actually start to move forward, get it resourced, get it funded, get it organized in a way that you can actually implement something and do it. You can't knee-jerk react to Orion and say, "Oh, let me fix the problem." No, too late. Beforehand we had FireEye. FireEye was what picked it up for us. FireEye is relatively new to us and if we didn't have FireEye, we'd have no idea. And I'm one of the lucky ones, at least for now, it doesn't look like it phoned home. I don't have ADFS. This goes back to technology, right? When I walked in the door, we didn't even have a SIEM, right? It's been on my list. We implemented Splunk in June. I can go back now and look at Splunk and see what happened... yay, right? Again, it seems like these little moral victories, that you would think would be normal blocking and tackling. These solutions need to be in place. You need the right tools in the toolkit to be able to help yourself survive.

Executive & Board Communications Tools

Following a growing number of security concerns around communications tools, Pulse asks 100 tech leaders if they’ve changed how they communicate with other executives and their BoDs.

How should IT leaders and security think about backup strategy?

Top Answer : Obviously it is important to back up data, that kind of goes without saying. But the fact is, data is everything at this point: the data we're creating, the attributes about the data, the location of the data, everything we're doing with data is important. Equally important are the analytics that we can do against that data. For example, if you're backing up your laptops, you can very clearly see what files are on laptops and that helps you track down malware, PII, or other exposure. If many people have downloaded the same file, you can go through and find that file and eliminate it. From my standpoint, knowing what's on your endpoints, knowing what's in your SaaS apps, knowing what you have and where you have it is essential. It is not just critical to back it up, but also just knowing what you have and where it is.

How do you build a security-focused culture within IT?

Top Answer : It's a culture shift you have to create by educating people on what it is that you're actually doing. I've found that when we set up something new, a lot of people ask us questions about what we're doing. The first thing they want to know is basically if the company is watching what they post on social media or what they buy on Amazon. They don’t understand that's the least of my worries. My worries are, “Did you accidentally send out something with a bunch of PII to someone you shouldn't have sent it to?” Those are the real concerns, things that create liability for the company, because our entire job is to enable the company to securely be productive. So I think the first thing is to get everyone on board and explain what we're looking to do and what we're trying to protect against. This isn't about a big brother situation. I always tell people, "What you do on your computer is a productivity situation between you and your manager. What we do to secure the endpoint is to protect the company." I like to impress that upon people.

Has anyone performed a cost-benefit analysis related to risk reduction for security tools? If so, how did you go about it?

Top Answer : Determining the cost-benefit investment in security tools can be tricky and rather subjective, especially considering some of the risk being mitigated by the tool can be due to human acts. For security tool evaluations, two scenarios are most likely: a random event or an intentional/unintentional human act. The most common cost valuations for security tools are: costs of non-compliance, cost/impact of a hacking event/data breach or the cost of reputational risk. Quantifying any of these costs can also be a challenge but losing customer trust can ultimately be the worst outcome and lead to a loss of revenue. According to IBM, nearly 40% of the average total cost of a data breach stems from lost business. Penalties against organizations that collect and manage personal data or health data can be very costly. Projecting the cost of a data breach to an organization could be quantified by using published penalties under whatever regulatory rules an organization must comply with. However, the regulatory landscape is very complex in the US and can vary from state to state, especially when breach notification is involved. According to IBM, the average costs associated with data breaches in 2019 were approximately $8M per breach. In evaluating a security tool, a reasonable metric for use in a cost-benefit analysis may be the penalty cost per record the tool is used to protect. According to IBM, in the US, the average cost of each lost record was approximately $146 in 2019. The most expensive type of record to lose was customer PII records, which are involved in around 80% of all data breaches. Therefore, the tool evaluation needs to address: mitigation of the adverse consequences associated with a breach (penalties, loss of reputation, etc.); mitigation of any likely causes of a data breach (events, human acts) and management of the risk going forward (prevention of lost business).
