Podcast: Don’t let the security questionnaire stall your deals with Kayne McGladrey, Field CISO at Hyperproof

Listen at https://player.fm/series/the-cybersecurity-startup-revenue-podcast-for-founders-leaders-and-go-to-market-teams/dont-let-the-security-questionnaire-stall-your-deals-with-kayne-mcgladrey-field-ciso-at-hyperproof

Similar Posts

  • Include Cybersecurity

    With between 1.8 and 5.5 million cybersecurity jobs that are likely to go unfilled by 2021, the cybersecurity industry needs to encourage people who have not previously considered these jobs to include cybersecurity in their job options. The world does not need another whitepaper about the lack of diversity of race, gender, and orientation in cybersecurity.

  • Universities Tap Student Talent to Support Security Operations

    “Not all high schools are promoting cybersecurity as a career option, and working in the SOC can have the knock-on effect of bringing people in who were unaware of the field before,” says Kayne McGladrey, a senior member at IEEE. Even if they don’t go on to take cyber jobs, “working in the SOC gives them exposure to some of the language and risks common in cybersecurity,” he says. “Then, if they’re working as developers, it’ll influence the direction by which they create things. They’ll at least have security in mind.”

  • Hack Me If You Can

    A hacker can say that an institution has 90 days to fix a vulnerability before publicly divulging the secret, and for the vulnerable bank or credit union, that might come off as extortion or a threat. However, it is well within the boundaries of normal security research to do that, according to Kayne McGladrey, Field CISO for the security and compliance company Hyperproof.

    “If the company doesn’t respond in a timely manner, that’s where you can get vulnerability disclosures after a reasonable period of time, like 90 or 120 days, or 180 days, depending on which philosophy the researcher subscribes to,” McGladrey said. “That’s all well within the ethical boundaries of a normal security researcher.”

    The key difference between an ethical and unethical hacker — between extortion and responsible disclosure — is what the hacker does with the vulnerability.

    “I think it’s very possible to say you can prove you can use this vulnerability — maybe it’s to steal a whole bunch of credit card information — without actually doing it,” McGladrey said. “You just show that you can.”

  • Zero trust secures agile business transformation

    CIOs should collaborate closely with CISOs to evaluate which zero trust controls will offer the most significant mitigation of agreed-upon business risks. Once specific controls are implemented, they can be centralized and reused across the various compliance standards like SOC 2 Type 2, ISO 27001, and PCI, delivering greater flexibility. “The key lies in the deliberate selection of zero trust controls aimed at reducing specific business risks while potentially streamlining existing compliance efforts,” explains Kayne McGladrey (@kaynemcgladrey), field CISO at Hyperproof and senior IEEE member.