cybersecurity

Presented by

Kayne McGladrey, Field CISO – Hyperproof | Charity Otwell, Director, Critical Security Controls – CIS

Dec 05 2023, 11:00am PST

CIS Critical Security controls are a prescriptive, prioritized, and simplified set of best practices that can strengthen your cybersecurity posture. The CIS Controls include foundational security measures that you can use to achieve essential hygiene and protect yourself against a cyber attack. Are you curious whether CIS Critical Security Controls is the right choice for your organization? Or are you currently using CIS Critical Security Controls and wondering how to maximize your experience? Join Charity Otwell, Director at Critical Security Controls – CIS, and Kayne McGladrey, Field CISO at Hyperproof, to discuss areas of focus for CIS controls and how they can best apply to organizational security.

Participants will:

– Learn the basic foundation of CIS Controls

– Understand how to assess applicability for their organization

– Learn how to adopt best practices around CIS Controls

– Learn the upcoming changes that will be made to the CIS Controls

Kayne and Tom talk about the System and Communications Protection family of FedRAMP Rev5 controls. Learn about the “catch all” approach to this control family and some challenges faced to implementation. Tom and Kayne try a stout for the first time on the show, and Kayne seems to group it with all the other beers. As always, the faces he makes are impressive.

The biggest issue with prioritizing software fixes is that there’s often a disconnect between security controls and business risk outcomes, according to Kayne McGladrey, IEEE senior member and field CISO at Hyperproof, a security and risk company. That makes it harder to get executive support, he says. Code maintenance and dependency management aren’t sexy topics. Instead, executive interest tends to focus “on the financial or reputational repercussions of downtime,” McGladrey tells CSO.

“To address this problem, organizations should document and agree upon the business risks associated with both first-party and third-party code. Then they need to determine how much risk they’re willing to accept in areas like reputational damage, financial damage, or legal scrutiny. After there’s executive-level consensus, business owners of critical systems should work to identify and implement controls to reduce those risks,” McGladrey says.

An illuminating panel discussion, ‘Expert Predictions for 2024’, where seasoned experts delve into the future of cybersecurity. This dynamic discussion explores controversial key areas shaping the landscape in the coming year.

• Cyber Budgets Taking a Step Back

• Maturity in Vulnerability Management

• AI Effects on Cybersecurity Job Market

Experts provide valuable predictions and actionable insights to help you navigate the complex cybersecurity terrain of 2024.

Don’t miss the opportunity to stay ahead of the curve in a rapidly evolving digital world.

Keynote Panelists

• Michael Fulton, Vernovis, Chief Information Officer

• Warner Moore, Gamma Force, Founder & vCISO

• Joe Otten, Fifth Third Bank, Sr. Director, Information Security

“Realistically, the use of AI in cybersecurity will help to reduce the punishing cognitive load on tier one analysts in the security operation center,” said IEEE Senior Member Kayne McGladrey. “Rather than having to comb through a needlestack looking for a needle, AI promises to automate much of the correlation across vast amounts of data that humans struggle with.”

In the cybersecurity realm, AI promises to automate tasks burdening human analysts, as noted by IEEE Senior Member Kayne McGladrey.

Kayne McGladrey, (@kaynemcgladrey), senior IEEE member and field CISO at Hyperproof, which provides SaaS-based compliance and security operations solutions, says: “Developing an application modernization strategy requires careful assessment, planning and execution. First, you must understand your business goals and objectives. Only then can you create an aligned business and application roadmap.”

The primary emphasis of the new revision is that a ‘notification event’ now triggers the reporting process, described as any unauthorized acquisition of unencrypted customer information. This is a change from the earlier draft of the Rule, which used the term ‘security event’ to describe unauthorized system access or information misuse. This change may result in some confusion, unfortunately, described below.

Join us for an illuminating panel discussion, ‘Expert Predictions for 2024’, where seasoned experts delve into the future of cybersecurity. This dynamic discussion will explore controversial key areas shaping the landscape in the coming year.

– Microsoft Security Co-pilot Effects

– Cyber Budgets Taking a Step Back

– Impact of War Climate on Cybersecurity

– Maturity in Vulnerability Management

– AI Effects on Cybersecurity Job Market

Our panel of experts will provide valuable predictions and actionable insights to help you navigate the complex cybersecurity terrain of 2024. Don’t miss this opportunity to stay ahead of the curve in a rapidly evolving digital world.

Keynote Panel Moderator

Kayne McGladrey, Hyperproof, Field CISO

Keynote Panelists

Michael Fulton, Vernovis, Chief Information Officer

Warner Moore, Gamma Force, Founder & CEO

Joe Otten, Fifth Third Bank, Sr. Director, Information Security

In this episode, Aaron and Kayne McGladrey discuss:

Strategic alignment of cybersecurity with business risk

Navigating the changing landscape of cybersecurity

Empowering CISOs in the evolving landscape of cybersecurity

The challenges and opportunities of generative AI

Key Takeaways:

The key to a successful cybersecurity strategy lies in reframing it as a business imperative, focusing on aligning security efforts with business risks, engaging with cross-functional teams, proactively obtaining certifications, and leveraging control design expertise, ensuring a competitive advantage and effective risk management beyond mere compliance and technology concerns.In today’s dynamic cybersecurity landscape, CISOs must continually reassess their controls and their alignment with business risks, while also considering the personal liability they bear, making succession planning and strategic adaptability vital for maintaining effective security programs.The role of a CISO is crucial, yet often misunderstood; empowering and respecting CISOs’ authority is essential to effectively manage cyber risks and avoid potential disasters, as generic approaches and AI-driven risk registers fall short of addressing the unique challenges faced by businesses.In a world where cybersecurity threats are inevitable, the key lies in fostering resiliency rather than aiming for an unattainable zero-risk goal; while a lot are excited about the potential of education and automation, the lack of regulatory control over generative AI poses a daunting challenge, risking societal upheaval and economic unrest.

“If we don’t decide to manage the economic impacts of artificial intelligence, potentially a lot of industries could be at least partially automated. And that has the potential for a lot of social arm where people just don’t have jobs. And when you get people who are automated out of a job, what are they going to go do? They’re going to do something that everybody can do fine, but it doesn’t pay well. Like you end up going and driving for a living or doing deliveries for a living. And you end up with a highly educated workforce that is unhappy. That’s like a recipe right there for civil unrest.” — Kayne McGladrey

In this live episode of the Virtual CISO Happy Hour, our cybersecurity experts discuss the critical steps companies must take to navigate the complex landscape of data privacy. They discuss the importance of establishing regular data inventories and minimization efforts to ensure that only business-critical information is retained, thereby reducing the attack surface for threat actors.

The conversation shifts to the pitfalls of treating privacy audits as one-off events rather than ongoing processes. Our experts argue for the automation of data control operations and the continuous evaluation of their effectiveness, which is crucial for maintaining compliance and achieving certifications like ISO or SOC 2.

The episode also tackles the misconception of ‘cyber risk,’ advocating for a broader understanding of business risk and its real-world consequences. The discussion highlights the importance of aligning cybersecurity strategies with business KPIs and KRIs to effectively communicate the value of security measures to executives and boards.

Furthermore, they explore the role of CISOs in control design and effectiveness, emphasizing collaboration with CFOs to leverage their experience with regulatory compliance for more nuanced and effective control strategies. They also touch upon the significant cost savings that can be realized by reevaluating and updating corporate risk registers in response to changes in data storage and access patterns.

This episode is a must-listen for any professional involved in data privacy and cybersecurity, offering practical insights into making informed decisions that align with both security and business objectives.

“Employees across industries are finding new and innovative ways to perform their tasks at work faster,” says Kayne McGladrey, IEEE senior member and field CISO at Hyperproof. “However, this can lead to the sharing of confidential or regulated information unintentionally. For instance, if a physician sends personal health information to an AI tool to assist in drafting an insurance letter, they may be in violation of HIPAA regulations.” The problem is that many public AI platforms are continually trained based on their interactions with users. This means that if a user uploads company secrets to the AI, the AI will then know those secrets — and will spill them to the next person who asks about them. It’s not just public AIs that have this problem. An internal large language model that ingested sensitive company data might then provide that data to employees who shouldn’t be allowed to see it.