One Article Review

Home - The article:
Source CSO
Identifier 1201953
Publication date 2019-07-12 08:03:00 (viewed: 2019-07-12 18:00:20)
Title How organizations are bridging the cyber-risk management gap
Text
Cyber-risk management is more difficult today than it was two years ago. So say 74% of cybersecurity professionals in a recent ESG research survey. Respondents point to an expanding attack surface, an increase in software vulnerabilities, and more sophisticated tactics, techniques, and procedures (TTPs) from cyber-adversaries. (Note: I am an ESG employee.)

OK, so there's a cyber-risk management gap at most organizations. What are they going to do about it? The research indicates that:

34% will increase the frequency of cyber-risk communications between the CISO and executive management. Now, more communication is a good thing, but CISOs must make sure they have the right data and metrics, and this has always been a problem. I see a lot of innovation around some type of CISO cyber-risk management dashboard from vendors such as Kenna Security, RiskLens (supporting the Factor Analysis of Information Risk (FAIR) standard), and Tenable Networks. Over time, cyber-risk analytics will become a critical component of a security operations and analytics platform architecture (SOAPA), so look for vendors such as Exabeam, IBM, LogRhythm, MicroFocus (ArcSight), Splunk, and SumoLogic to make investments in this area.

32% will initiate a project for sensitive data discovery, classification, and security controls. Gaining greater control of sensitive data is always a good idea, yet many organizations never seem to get around to this. Why? It's really, really hard work. This is another area ripe for more VC investment. Rather than paying Accenture, E&Y, or PWC millions, we need tools that can help automate data discovery and classification, especially as organizations ramp up on data privacy.

31% plan to hire more cybersecurity staff. That's a sound idea, but it is difficult to execute. According to recent research from ESG and the Information Systems Security Association (ISSA), 73% of organizations have been impacted by the cybersecurity skills shortage, and these firms are already competing for talent. My advice to CISOs is to assume they won't have the right skills or an adequate staff size in every area, including bridging the cyber-risk management gap.

31% want to increase security awareness training for employees. Also a great idea, but too many firms treat security awareness training as a "check-box" exercise. To really make an impact, CEOs must become cybersecurity cheerleaders and establish a cybersecurity culture throughout the organization.

29% will conduct more penetration testing and red teaming exercises. ESG data demonstrates that penetration testing and red teaming are extremely beneficial, but few organizations have the internal skills to do those things well, and it can be costly to hire third-party services. I'm bullish on an emerging category I call synthetic cyber-risk assessment (SCRA) from vendors such as AttackIQ, Randori, SafeBreach, and Verodin.

It's important to remember that cyber-risk management is job #1 for every CISO. Yes, business executives are willing to spend more money on cybersecurity, but they increasingly want to target this spending on protecting their most critical digital assets and need help measuring ROI on these investments. Therefore, it's no exaggeration to say that bridging the cyber-risk management gap may be the most important task for CISOs in 2019 and beyond.
Sent Yes
Tags Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.