Who is responsible for Cyber Security in the enterprise?

Cyber Security is still primarily seen as an ‘IT issue’, and this often means that security gets “bolted on” rather than embedded in a company’s ecosystem. In this panel discussion, discover why everyone within the business is responsible for Cyber Security and how to educate the enterprise on safeguarding customer data.

Four 2019 Enterprise Cyber Focal Points And The 2020 Ramifications

2019 wasn’t a great year for cyber security. Although the number and scope of solutions available on the market increased, blue teams around the globe have been stymied by the increasing complexity and tactics of threat actors and the sheer volume of data to review. Here are four predictions for the coming storm, based on events in 2019.

What is the California Consumer Privacy Act of 2018? Influencers in the know break down the details

For some organizations, CCPA will require a total overhaul of their privacy policies, while others might only need to make minor changes due to existing GDPR compliance. But as Kayne McGladrey, Chief Information Security Officer at Pensar Development, pointed out, there will certainly be another round of endless privacy disclosure emails.

We Talk to Global Cybersecurity Influencer and Expert Kayne McGladrey!

We thought it would be a great idea to get Kayne’s take on some key issues facing the world from a cybersecurity perspective, and also learn more about his journey. We get lots of questions from readers about how to break into the cybersecurity industry, how to get their foot in the door, and all manner of other questions relating to getting started. This is why we think it’s so important to share the experiences of those in the industry.

A key ingredient for success in cybersecurity is a passion for all things tech and security. Needless to say, we were also impressed to learn that Kayne has over fifty smart devices and a handful of robots! Let’s take a look at what Kayne had to say:

Enterprise Cyber Security Trends and Predictions 2020

“Effective defense in depth is not just shiny overlapping technical controls,” said Director of IT and Security Kayne McGladrey. “Rather, it’s the combination of culture, documented and tested processes, policies, and technical controls. For example, an organization with a policy of least privilege, a process for approving account privileges, and a process for auditing and harvesting unused privileges does not need multiple technical controls to implement the desired outcome.” It’s best to start with policy and then enact that in culture, where feasible.

Thinkers360 Predictions Series – 2020 Predictions for Cybersecurity

Venture capitalists will accelerate feature development via mergers and acquisitions. In recent years, VCs have funded point solution vendors for technologies like SOAR and UEBA. These are features, not stand-alone technologies, and it’s often cheaper for market leaders to buy rather than build new features. CISOs should be aware of this market reality, as buying early-stage cybersecurity from a startup carries the risk of unintentionally having a business relationship with a much larger vendor within two years, and consequently needing to either buy the larger technology solution or rip and replace after the acquisition closes.

A cybersecurity skills gap demands thinking outside the box

“There’s a perception that it is all hands-on-keyboards — people sitting in a basement somewhere drinking soda,” McGladrey said. “That perception, unfortunately, drives a lot of talented individuals who would have made a lot of meaningful contributions to the field to make other career choices.”

McGladrey wants security pros to talk to their colleagues, friends and families about the field and its diversity of roles. He also urges organizations to widen their candidate pools to include those with more varied backgrounds and life experiences.

“Right now in cybersecurity, we’re doing the same thing over and over and expecting a different result — the definition of insanity,” he said.

Thinkers360 Predictions Series – 2020 Predictions for Cloud Computing

Cloud computing will continue to grow despite the frequency of breaches due to a lack of administrative controls and unintentional configuration errors. When an administrator had access to an on-premises server, they could only administer that server; a “cloud administrator” can administer all the assets in a given cloud instance, including backing up and exfiltrating entire servers. This is like the unintentional configuration errors that have plagued so many Amazon S3 buckets in 2019, where organizations have stored PII in S3 in a default configuration, and then those data have been accessed by security researchers.

Cyberattacks Make World Economic Forum Top 10 Global Risks For The Next Decade

Keeping an organization secure is every employee’s job. Instead of the obligatory employee training, Director of Security & IT for Pensar Development Kayne McGladrey recommends continuous engagement with the end-user community. “Provide opportunities and instrumentation to demonstrate policy violations rather than lecture at people.” Examples include leaving a USB data stick in a break room or using phishing tools to falsify emails from known employees that seem suspicious. “This helps educate and creates healthy suspicion,” said McGladrey.