Infosec Pros: Jeff Warren, Owner at South Lake Cyber Risk

During this Hyperproof live stream series, leaders in information security shed light on crucial topics that shape the modern cybersecurity landscape. This month’s episode features Jeff Warren, Owner & Principal Consultant at South Lake Cyber Risk, LLC, and our host, Kayne McGladrey, Field CISO at Hyperproof. Guided by Kayne and audience questions, Jeff will share insights into his current work and past experiences in the field. Register now for your chance to learn from one of today’s top infosec pros.

The Jobs of Tomorrow: Insights on AI and the Future of Work

Kayne McGladrey, Field CISO at Hyperproof and IEEE Senior Member, noted that the use of generative AI models in business hinges on their ability to provide accurate information. He cited as examples studies of AI models’ abilities to extract information from documents used for financial sector regulation that are frequently relied on to make investment decisions.

“Right now, the best AI models get 80 percent of the questions right,” McGladrey said. “They hallucinate the other 20 percent of the time. That’s not a good sign if you think you are making investment decisions based on artificial intelligence telling you this is a great strategy four out of five times.”

What Will Be The Biggest Surprise For Security In 2024?

“In 2024, the most significant cybersecurity surprise will be the widespread recognition that Chief Information Security Officers (CISOs) are primarily risk advisors, not risk owners. This distinction contrasts with some companies’ previous perceptions and the operational reality. With cybersecurity concerns such as data center vulnerability, cloud vulnerability, and ransomware attacks still being a top concern for business leaders in 2024, this distinction is important to keep in mind to ensure the success of corporate security. Business systems are managed by business owners, whose performance is measured based on the system’s effectiveness. Historically, some companies have incorrectly assumed that the CISO is responsible for authorizing or mitigating some of the risks associated with these business systems. This is a misconception. The business owner, likely the individual who has approved the business continuity plan or is most affected by operational disruptions, also bears the responsibility of deciding how to address each risk. While CISOs can identify and propose mitigation strategies for business risks related to cybersecurity, they do not and should not accept or authorize the mitigation of risks for systems outside their ownership.”

“In 2024, the most significant cybersecurity surprise will be the widespread recognition that Chief Information Security Officers (CISOs) are primarily risk advisors, not risk owners. This distinction contrasts with some companies’ previous perceptions and the operational reality. With cybersecurity concerns such as data center vulnerability, cloud vulnerability, and ransomware attacks still being a top concern for business leaders in 2024, this distinction is important to keep in mind to ensure the success of corporate security. Business systems are managed by business owners, whose performance is measured based on the system’s effectiveness. Historically, some companies have incorrectly assumed that the CISO is responsible for authorizing or mitigating some of the risks associated with these business systems. This is a misconception. The business owner, likely the individual who has approved the business continuity plan or is most affected by operational disruptions, also bears the responsibility of deciding how to address each risk. While CISOs can identify and propose mitigation strategies for business risks related to cybersecurity, they do not and should not accept or authorize the mitigation of risks for systems outside their ownership.”

Why enterprises need cyber insurance — how and what to buy

“It should be a strategic choice for a company to transfer certain business risks associated with cybersecurity threats, which exceed an acceptable level of risk, to an insurer,” says Kayne McGladrey, a senior member of the IEEE. “The expectation is that the insurer will help lessen the financial impact of significant cyber incidents or data breaches.”

However, this approach assumes companies maintain risk registers with clear definitions and measurement criteria for various risk categories, he notes. “It also presumes they use compliance operations to continuously assess the effectiveness of their current controls in reducing or mitigating these risks.”

Article: Experts advise on how to build a successful hybrid work security strategy

Next, commit to solving the complexity issue. In practice, this involves consolidation and integration of tools while striking “a balance between robust protection and user convenience,” said Kayne McGladrey (@kaynemcgladrey), Field CISO at Hyperproof and Senior IEEE Member. For example, “automation and integration of security controls are crucial in achieving scalability and simplifying validation of efficient control operations.”

Special Guest Michael Chaoui | Drafting Compliance Ep. 24

Kayne and Tom are joined by special guest Michael Chaoui, the Founder of Atlas One Security. Michael pulls the covers back on some of the challenges of companies going through the ATO process. We also discuss recent legislation and draft memos intended to modernize the FedRAMP process, all while enjoying one of Michael’s favorite stout beers.

Presentation: Communicating Risk with Your Leadership Team

In response to the ever-changing risk environment, company leadership is asking more and more questions about how to best manage risk. But being able to answer those questions means having a system and process in place to accurately document, manage, mitigate, and report on those risks.

Luckily, some frameworks and processes already exist to help guide you through that process. Kayne McGladrey, Field CISO, will walk you through the current state of risk and how to effectively and accurately communicate risk to your leadership team.

In this presentation, you’ll learn:

● What the 2023 risk landscape looks like

● How risk managers are planning on updating their risk workflows to adapt

● How to communicate risk to leadership

December 6th at 10:45 AM in Atlanta, GA

Thinkers360 Predictions Series – 2024 Predictions for Cybersecurity

My prediction for 2024: In response to increasing regulatory burdens and the risk of civil litigation, successful companies in 2024 will lean into enhancements in their compliance operations. They will actively collect and test evidence of security control effectiveness, linking these controls directly to their risks, across all critical assets or systems. This approach ensures companies are confident in accurately describing how well they manage their risk portfolio, including in SEC filings. The automation of compliance operations enables security and audit professionals to spend more time doing the parts of their jobs that they love. Furthermore, as supply chain risks intensify scrutiny of B2B transactions, companies will efficiently repurpose many of their controls and control evidence. This strategy not only allows companies to secure additional attestations or certifications such as ISO or SOC 2 without increasing their workforce, but it also provides a significant competitive business advantage.

Presentation: Elevating Security: The Power of CIS Critical Security Controls

Presented by

Kayne McGladrey, Field CISO – Hyperproof | Charity Otwell, Director, Critical Security Controls – CIS

Dec 05 2023, 11:00am PST

CIS Critical Security controls are a prescriptive, prioritized, and simplified set of best practices that can strengthen your cybersecurity posture. The CIS Controls include foundational security measures that you can use to achieve essential hygiene and protect yourself against a cyber attack. Are you curious whether CIS Critical Security Controls is the right choice for your organization? Or are you currently using CIS Critical Security Controls and wondering how to maximize your experience? Join Charity Otwell, Director at Critical Security Controls – CIS, and Kayne McGladrey, Field CISO at Hyperproof, to discuss areas of focus for CIS controls and how they can best apply to organizational security.

Participants will:

– Learn the basic foundation of CIS Controls

– Understand how to assess applicability for their organization

– Learn how to adopt best practices around CIS Controls

– Learn the upcoming changes that will be made to the CIS Controls

System and Communications Protection | Drafting Compliance Ep. 23

Kayne and Tom talk about the System and Communications Protection family of FedRAMP Rev5 controls. Learn about the “catch all” approach to this control family and some challenges faced to implementation. Tom and Kayne try a stout for the first time on the show, and Kayne seems to group it with all the other beers. As always, the faces he makes are impressive.