Running Away From Zombies and Better Protecting Infrastructures

CIOs should collaborate closely with CISOs to evaluate which zero trust controls will offer the most significant mitigation of agreed-upon business risks. Once specific controls are implemented, they can be centralized and reused across the various compliance standards like SOC 2 Type 2, ISO 27001, and PCI, delivering greater flexibility. “The key lies in the deliberate selection of zero trust controls aimed at reducing specific business risks while potentially streamlining existing compliance efforts,” explains Kayne McGladrey (@kaynemcgladrey), field CISO at Hyperproof and senior IEEE member.

Despite this guidance mandating only four disclosures (identifying and managing risks, disclosing material breaches, board oversight, and management’s role), over 40% of the 2,100+ 10-K filings I’ve reviewed between January 1 and March 11, 2024 disclosed eleven distinct topics.

Companies are disclosing more information than required in their 10-K filings for various reasons. One is that they lack a broad consensus how much detail to disclose in Section 1C. The recent civil litigation of SEC vs. Tim Brown and SolarWinds (case 1:23-cv-09518 in the Southern District of New York) significantly influences the disclosure requirements.

“It’s low effort for them. Once they set up the subscription and unless the subscription is canceled, they don’t have to do any other work and they can resell access to that subscription,” he said. “So it’s a guaranteed line of profit for them until somebody goes and notices there’s been a problem.”

Criminals typically resell access to the services on secondary markets, McGladrey said. Criminals may resell a streaming service that’s normally $10 per month for $5, netting the thieves $5 monthly. While a single crime is not that profitable, there have been cases where groups have reaped millions of dollars by charging small amounts to hundreds of thousands of consumers, he said.

“In this episode, we’re talking with Kayne McGladrey about cybersecurity, cyberterrorism and how to defend against these attacks at the personal, corporate, and national levels. I’ve been working on research for my next book and I knew that I had to talk to him to see what we could do to defend against this new and pernicious form of war.”

“Moving network and security functions to a DPU allows server CPUs to be more efficient at running core applications and operating systems without sacrificing security controls,” said Kayne McGladrey (@kaynemcgladrey), Security Architect at Ascent Solutions LLC. “DPUs should also expedite the application of Zero Trust principles by allowing finer-grained micro-segmentation of applications and networks so that there is limited or no unearned trust.”

“The CIO won’t see the business impact if there’s not a culture of risk mitigation,” says Kayne McGladrey, director of security and IT for Pensar Development and a member of the professional association IEEE (The Institute of Electrical and Electronics Engineers).

“A culture where security is seen as someone else’s problem will derail any conversation around security, so the biggest thing for CISOs is to make the conversation with CIOs around risk – not around technologies or shiny objects but around risks to the business.”