Managing the Risks of the Future Internet of Things

Kayne and Tom are joined by special guest Michael Chaoui, the Founder of Atlas One Security. Michael pulls the covers back on some of the challenges of companies going through the ATO process. We also discuss recent legislation and draft memos intended to modernize the FedRAMP process, all while enjoying one of Michael’s favorite stout beers.

“There’s a perception that it is all hands-on-keyboards — people sitting in a basement somewhere drinking soda,” McGladrey said. “That perception, unfortunately, drives a lot of talented individuals who would have made a lot of meaningful contributions to the field to make other career choices.”

McGladrey wants security pros to talk to their colleagues, friends and families about the field and its diversity of roles. He also urges organizations to widen their candidate pools to include those with more varied backgrounds and life experiences.

“Right now in cybersecurity, we’re doing the same thing over and over and expecting a different result — the definition of insanity,” he said.

There are three best practices that security professionals supporting schools can follow to help make the school year uneventful in their district: defending user identities, patching endpoints, and running quarterly tabletop exercises.

Hosts Kayne and Tom talk about how to create the Authorization Boundary, a cornerstone of the System Security Plan (SSP) as part of FedRAMP certification. Includes beer tasting notes for Black Butte Porter.

Identity management of users and devices is key for CISOs to manage the risks associated with unauthorized access to sensitive data and systems, according to Kayne McGladrey, Field CISO at Hyperproof and IEEE senior member. “From a control operations standpoint, the two most important capabilities are the ability to validate a user’s behavior when it deviates from the norm, and the ability to quickly de-provision access when it is no longer needed,’’ McGladrey told VentureBeat.

For example, if a user regularly logs in from Washington State using their Windows-powered computer to access a single program, there’s little reason to prompt them for a second authentication factor, he said. “But when the device changes, perhaps a new Mac computer that’s not configured correctly, or their location suddenly changes to Australia, they should be prompted for multifactor authentication as part of identity validation before being allowed to access those data,” McGladrey said. When a user leaves an organization, their identity access should be rapidly revoked across all platforms and devices. Otherwise, organizations run the risk of a threat actor using the older access and credentials, McGladrey added.

The biggest issue with prioritizing software fixes is that there’s often a disconnect between security controls and business risk outcomes, according to Kayne McGladrey, IEEE senior member and field CISO at Hyperproof, a security and risk company. That makes it harder to get executive support, he says. Code maintenance and dependency management aren’t sexy topics. Instead, executive interest tends to focus “on the financial or reputational repercussions of downtime,” McGladrey tells CSO.

“To address this problem, organizations should document and agree upon the business risks associated with both first-party and third-party code. Then they need to determine how much risk they’re willing to accept in areas like reputational damage, financial damage, or legal scrutiny. After there’s executive-level consensus, business owners of critical systems should work to identify and implement controls to reduce those risks,” McGladrey says.