The Ultimate Cyber Conversation with the CyberHub Engage Podcast
Also available on Apple Podcasts and Google Play.
Similar Posts
What Will Be The Biggest Surprise For Security In 2024?
“In 2024, the most significant cybersecurity surprise will be the widespread recognition that Chief Information Security Officers (CISOs) are primarily risk advisors, not risk owners. This distinction contrasts with some companies’ previous perceptions and the operational reality. With cybersecurity concerns such as data center vulnerability, cloud vulnerability, and ransomware attacks still being a top concern for business leaders in 2024, this distinction is important to keep in mind to ensure the success of corporate security. Business systems are managed by business owners, whose performance is measured based on the system’s effectiveness. Historically, some companies have incorrectly assumed that the CISO is responsible for authorizing or mitigating some of the risks associated with these business systems. This is a misconception. The business owner, likely the individual who has approved the business continuity plan or is most affected by operational disruptions, also bears the responsibility of deciding how to address each risk. While CISOs can identify and propose mitigation strategies for business risks related to cybersecurity, they do not and should not accept or authorize the mitigation of risks for systems outside their ownership.”
Sinclair TV Stations Targeted in Weekend Ransomware Attack
Kayne McGladrey, an advisory board member for the Technology Alliance Group NW and cybersecurity strategist for the firm Ascent Solutions, says once the incident is resolved, Sinclair “should do an internal hot-wash” to identify lessons learned – allowing them to strengthen technical defenses and update/validate their incident response plan.
Special Guest Matt Fryer of Infoblox | Drafting Compliance Ep. 20
Kayne and Tom talk with Matt Fryer about the cost structures and strategies associated with a Cloud Service Provider (CSP) FedRAMP project. Matt brings a well-established perspective and helps explain the challenges of the increased focus on controls that comes with FedRAMP. Plus, they try Modelo Especial, a Mexican lager.
The tools and strategies schools need for ransomware defense
Schools also contend with risk born of constant user shifts in the student population. This puts schools in an unusual and unenviable position, Kayne McGladrey, field CISO at Hyperproof, said via email. “Being able to apply real-time policies based on user and device behavior via zero-trust networking becomes critical in this environment,” McGladrey said. Absent these tools, strategies and adequate staff, schools will remain a frequent target for cybercriminals. They could also, at the very least, give schools the confidence needed to refuse ransom demands.
Why a Hybrid Workplace Increases the Need to Modernize Your Data-Protection Strategy
To reduce the risks of an accidental or intentional cybersecurity incident, companies must deploy an effective data loss prevention and associated data retention strategy across endpoints and data storage locations, including cloud services, noted Kayne McGladrey (@kaynemcgladrey), Security Architect at Ascent Solutions LLC.
“Many data breaches would have been less extensive and severe if organizations had automated data disposition schedules, as threat actors cannot steal what companies are not storing,” he continued. “Data covered by one or more regulatory or statutory requirements should be automatically labeled where possible so that controls (like encryption) follow the data regardless of storage location.”
Thinkers360 Predictions Series – 2020 Predictions for Cloud Computing
Cloud computing will continue to grow despite the frequency of breaches due to a lack of administrative controls and unintentional configuration errors. When an administrator had access to an on-premises server, they could only administer that server; a “cloud administrator” can administer all the assets in a given cloud instance, including backing up and exfiltrating entire servers. This is like the unintentional configuration errors that have plagued so many Amazon S3 buckets in 2019, where organizations have stored PII in S3 in a default configuration, and then those data have been accessed by security researchers.