Priya R's Posts (80)

Sort by

Unveiling%20the%20Ransomware%20Arsenal%20Identifying%20and%20Mitigating%20Critical%20CVEs%20(1).png?profile=RESIZE_710x

 

Greetings, esteemed members of the CISO Platform, the premier online community for information security executives. Today, we are honored to host Jendra Chan, Head of Research at Fire Compass, as he delves into the intricate world of cybersecurity vulnerabilities. In this webinar, Jendra will navigate through the labyrinth of six of the most critical CVEs weaponized by ransomware actors in the past three months. By unveiling these vulnerabilities and elucidating strategies for identification and mitigation, Jendra will empower CISOs to fortify their defenses and reduce the risk of ransomware attacks by a staggering 26%. Join us as we embark on a journey to bolster our cybersecurity resilience and safeguard our digital assets.

 

 

Here is the verbatim discussion:

hello everyone welcome to ciso platform the world's leading online community dedicated to information security Executives including cesos cios csos CTO and directors with over 40,000 Global community members today we are excited to have jendra Chan head of research at fire compus joining us in this webinar jendra will Deep dive into six most critical and ransomware weaponized cves published in the last 3 months he will further share how cesos can identify them and immediately decrease the chance of ransomware by 26% thank you for joining us and all right uh let's you know now not only that attackers have now the capability to scan internet in just few days and that's makes it increasingly difficult to you know increasing that makes a life of of a you know Defender increasingly difficult the reason being that if attacker can scan the internet in few days which means your meantime to remediate has drastically decreased from weeks to days in fact uh now how does this automation works I'll just describe in very in few you know words and sentences and I'll try to simplify this by the way this is and when very simplified version of what happens in reality uh now one of the first step that uh attackers to is to create a internet wide scanner now there are various open source tools available uh which if configured properly using expert can be used to scan the whole internet actually within few days and if you put more horsepower more Computing resources within hours in fact uh now this is not an easy task by the way right there are 3 billion ipv4 addresses and there are 65,000 PS which makes it nearly impossible right to scan the whole internet but then the the advantage the attacker has is that they do not scan whole internet on all the ports but they do do it as per you know as per the attack say a one libility which which is being there on a specific framework such as exxi you know VMware which are exposed outside then they have to just scan certain ports only I think few port on all the IPS right and that makes it relatively easier uh task for them okay and in fact actually what attackers do nowadays is that they maintain this database uh you know pre-indexed they keep on crawling and can maintain this database and in some you know raw big data tables uh Big Data you know Solutions so that you know whenever a one liberty comes up uh they can go and just do a search on this and poent find a potential Target right so first step is internet wide scan and index it into the database so that you can search later then the next.

 

Highlights:

The Peril of Ransomware:

  • Ransomware continues to pose a significant threat to organizations worldwide, targeting critical infrastructure and digital assets.
  • Understanding the vulnerabilities exploited by ransomware actors is paramount in crafting effective defense strategies.

Spotlight on Critical CVEs:

  • Jendra will shine a spotlight on six of the most critical CVEs leveraged by ransomware attackers in recent months.
  • These vulnerabilities represent the entry points through which attackers infiltrate organizational networks and initiate ransomware campaigns.

Empowering CISOs:

  • By equipping CISOs with knowledge about these critical CVEs, Jendra aims to empower them to proactively identify and remediate vulnerabilities within their organizations.
  • Rapid vulnerability mitigation is key to reducing the window of opportunity for ransomware actors and thwarting potential attacks.

Strategic Mitigation Approaches:

  • Jendra will elucidate strategic approaches for identifying and prioritizing critical CVEs, enabling CISOs to fortify their cybersecurity posture effectively.
  • By implementing robust vulnerability management practices, organizations can significantly mitigate the risk of ransomware attacks and enhance their overall resilience.

 

As we navigate the complex landscape of cybersecurity threats, knowledge emerges as our most potent weapon against ransomware. By arming CISOs with insights into critical CVEs and actionable mitigation strategies, we pave the path towards a more secure digital future. Let us harness the collective expertise of our community to fortify our defenses, mitigate vulnerabilities, and safeguard our organizations against the perils of ransomware. Together, we can rise to the challenge and emerge stronger in the face of evolving cyber threats.

 

Speaker:

Jitendra Chauhan has over 16+ years of experience in the Information Security Industry in key areas such as Building and Managing Highly Scalable Platforms, Red Teaming, Penetration Testing, and SIEM. He holds multiple patents in Information Security. He loves to visualize problems, solutions and ideas. He is very strong with modelling and inductive learning (he can mentally make math models based on a few examples). He is very passionate about machine learning and its applications, Cyber Security and Micro Services.

https://www.linkedin.com/in/jitendrachauhan/
https://x.com/jitendrachauhan

Read more…

Future%20of%20Offensive%20Attack%20Simulation%20Shifting%20Paradigms%20%20(2).png?profile=RESIZE_710x

 

As we delve deeper into the digital era, the landscape of cybersecurity continues to evolve at a rapid pace. From the rise of continuous validation to the imperative of secure data lifecycle management, organizations are facing unprecedented challenges and opportunities. In this blog, we explore some of the top predictions for cybersecurity in 2021 and highlight key imperatives for staying ahead of emerging threats.

 

 

Here is the verbatim discussion:

Things are there oh yeah and and and there's another dimension it's not only where the data is but if you start looking at it as a life cycle how does data get created yes is it created in a secure way is it classified and and marked so we know how sensitive it is you know how does it get distributed and how does it die and that's when when I sit and I talk with it folks or or organizations you know HR whatever you know allas all right how do you kill off data and they'll look at me like why would I delete data okay old and inaccurate data it becomes costic over time and now what happens if that inaccurate data also gets exposed that becomes really minutes yes let me ask you this what what are some of your top predictions for 2021 all right um you know first off I'm G to make a prediction about your industry how about this right because it is you know that that continuous um you know validation is important uh especially right now it's predominantly being used on infrastructures right uh to maintain uptime and and you know weed out vulnerabilities I predict within probably two and a half to three years that very very important how are the users and the administrators coming in to do their work right is it set up um I was dealing with um uh a product the other day and it didn't have multiactor or second Factor authentication options for administ there's lots of different things and you know it used to be build whatever you're going to build and then slap on some security at the end right that's the bolt-on security that model fails and it fails spectacularly it fails because it doesn't really protect against risks it isn't sustainable over time against emerging threats it costs a lot at the end of the day between 20 and 200 times versus you know putting security and developing it correctly in the process things are there oh yeah and and and there's another dimension it's not only where the data is but if you start looking at it as a life cycle how does data get created yes is it created in a secure way is it classified and and marked so we know how sensitive it is you know how does it get distributed and how does it die and that's when when I sit and I talk with it folks or or organizations you know HR whatever you know allas all right how do you kill off data and they'll look at me like why would I delete data okay old and inaccurate data it becomes costic over time and now what happens if that inaccurate data also gets exposed that becomes really minutes yes let me ask you this what what are some of your top predictions for 2021 all right um you know first off I'm G to make a prediction about your industry how about this right because it is you know that that continuous um you know validation is important uh especially right now it's predominantly being used on infrastructures right uh to maintain uptime and and you know weed out vulnerabilities I predict within probably two and a half to three years that very very important how are the users and the administrators coming in to do their work right is it set up um I was dealing with um uh a product the other day and it didn't have multiactor or second Factor authentication options for administ there's lots of different things and you know it used to be build whatever you're going to build and then slap on some security at the end right that's the bolt-on security that model fails and it fails spectacularly it fails because it doesn't really protect against risks it isn't sustainable over time against emerging threats it costs a lot at the end of the day between 20 and 200 times versus you know putting security and developing it correctly in the process.

 

Highlights :

Continuous Validation Takes Center Stage: The importance of continuous validation in maintaining infrastructure uptime and mitigating vulnerabilities cannot be overstated. Within the next two to three years, we predict a significant shift towards embedding validation processes into every stage of development and deployment. This proactive approach will enhance security resilience and reduce the risk of costly breaches.

The End of Bolt-On Security: The traditional approach of adding security as an afterthought, known as bolt-on security, is becoming obsolete. Organizations are realizing that this model fails to provide adequate protection against emerging threats and is not sustainable over time. Instead, there is a growing emphasis on integrating security into the development process from the outset. By prioritizing security throughout the development lifecycle, organizations can build more robust and secure systems.

Data Lifecycle Management Comes to the Forefront: Viewing data security as a lifecycle—from creation to distribution to disposal—is gaining traction as organizations recognize the importance of secure data practices. Inaccurate or outdated data poses a significant risk, especially if exposed. Therefore, organizations are increasingly focusing on secure data creation, classification, and proper disposal to minimize risks and ensure compliance with regulations.

Enhanced User Authentication: The importance of multi-factor authentication (MFA) and second-factor authentication options cannot be overstated. Organizations are realizing the critical role of authentication mechanisms in safeguarding sensitive data and infrastructure. The absence of robust authentication measures not only exposes organizations to security risks but also undermines user trust and confidence.

Collaborative Security Practices: Breaking down silos and fostering collaboration between security teams and other departments is essential for effective cybersecurity. By promoting a culture of awareness and accountability, organizations can enhance their security posture and mitigate potential vulnerabilities. Collaboration enables organizations to leverage collective expertise and resources to address complex security challenges.

 

As we navigate the complexities of the digital landscape, cybersecurity remains a top priority for organizations worldwide. By embracing continuous validation, integrating security into the development process, adopting secure data lifecycle management practices, enhancing user authentication measures, and fostering collaborative security practices, organizations can strengthen their defenses against evolving threats. The year 2021 presents both challenges and opportunities for cybersecurity professionals, and by staying vigilant and proactive, organizations can mitigate risks and ensure a secure digital future.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

 
 
 
 
 
Read more…

 

 _The%20Future%20of%20Offensive%20Attack%20Simulation%20Simplifying%20Cybersecurity.png?profile=RESIZE_710x

 

Navigating the complex landscape of cybersecurity can often seem daunting, especially for organizations grappling with the evolving nature of threats and the intricate interplay of technology and human behavior. However, amidst the complexity, there lies a simple yet powerful approach—one that focuses on practicality, collaboration, and understanding the fundamentals. By breaking down cybersecurity into manageable components and fostering a culture of awareness and preparedness, organizations can better equip themselves to address security challenges effectively.

 

 

Here is the verbatim discussion:

yep so what what we do uh you know exactly what I'm talking about right we we we had been um doing this for a few of these companies getting the CEO the COO the legal guys the marketing guys the operations guys and everybody together in a room and then discuss like let's imagine this breach has happened now what do we do the moment you do that now the operations guy see is my goodness there will be so many calls which is going to come to my call center thisy doesn't even have a script on how to respond to and I don't know how to handle this so there are couple of things that happens one is like you get more ready to face something like that A playbook emerges all those things but along with that these guys kind of envisage or visualize or feel the kind of pain they'll go through if a bad security incident happens and they realize okay I mean it looks knowing the risk the threats etc etc or and then protect but also building a great way to detect um which people are doing right now I mean I guess most of the organizations are building this sock and then doing the response and Recovery there's a much better awareness today in the kind of industry in terms of building the response and recovery so if people build the right kind of hygiene as you have mentioned if if organizations get these Basics right like knowing the asset inventory knowing where the data is how the data flows have basic hygiene and what you mentioned about two Factor authentication right that's that's very very important have the basic kind of security practices in place I'm not talking about all the text Etc and then having a basic mechanism to detect attacks and then respond and recover from it so a lot of times um cyber security is made to look very complex I I love nist CSF very much because n CSF for the first time came up and spoke about cyber security a language which business can understand that you need to identify your assets and threats and risks you need to protect and you need to detect attacks and you need to respond and recover from a breach right I mean it sounds very very simple now when you look at ISO or PCI they talk about W and d and this and that control it's not really very uh friendly from the perspective of management and other stakeholders so I'm a big fan of n CSF in terms of building an architecture a as am I I actually wrote a white paper years before that came out um talking about defense in- depth and a continual process and I broke it down into four things prediction prevention detection and response and it's circular continues to feed in yes and you know and and Gartner picked that up they they published some things a few years ago on on that white paper but nist and and I've worked with nist for many years on many different projects uh they move very similar it's it's they're one or two off right because they they go to identify they don't talk predict but yeah it's it's really from a continual management perspective you do need those four things right you need a prediction capability you need that prevention capability and those two give your highest Roi by the way but you you know you will never be perfect things will always get through or you will choose to allow vulnerabilities to exist Black Swan events so on and so forth because it's too expensive to protect against that's fine um so you need that detection and response capability and those to have exactly yeah a lot of people have that kind of perception and lot of people are not even aware of this problem that I need to know where data is and how data flows because like security uh guys are working in silos and they have no idea that the marketing team how they work on the data do they have an analytics team do they have an analytics partner how does the data go to the analytics partner what is the analytics partner doing Etc so I have seen like just this inventory problem the data uh where does the data reside and how does the data flow that itself is a major issue of course there is third party fourth party all those things are there oh yeah and and then and and there's another dimension it's not only where the data is but if you start looking at it as a life cycle how does data get created is it created in a secure way is it classified and and marked so we know how sensitive it is you know how does it get distributed and how does it die and that's when when I sit and I talk with it folks or or organizations you know HR whatever you know I'll ask all right.

 

Highlights:

Scenario-Based Preparedness Workshops: Bringing together key stakeholders, including executives, legal, marketing, and operations teams, for scenario-based preparedness workshops can be transformative. By simulating potential breach scenarios, organizations not only develop actionable playbooks but also gain a deeper appreciation for the operational and reputational impact of security incidents.

Emphasis on Basic Hygiene: Establishing fundamental security practices, such as asset inventory management, data flow analysis, and two-factor authentication, forms the cornerstone of a robust security posture. These basic hygiene measures provide a strong foundation for security resilience and help mitigate common attack vectors.

Adoption of NIST Cybersecurity Framework (CSF): The NIST CSF offers a pragmatic and accessible framework for organizations to identify, protect, detect, respond, and recover from cybersecurity threats. By aligning with this framework, organizations can streamline their security efforts and communicate effectively with stakeholders, transcending the complexities of traditional compliance-centric approaches.

Lifecycle Approach to Data Security: Viewing data security as a lifecycle—from creation to distribution to disposal—allows organizations to gain a holistic understanding of their data assets. By ensuring secure data practices throughout the lifecycle, including classification, encryption, and secure distribution channels, organizations can minimize data-related risks and enhance regulatory compliance.

Integration of Prediction, Prevention, Detection, and Response: Adopting a holistic approach that encompasses prediction, prevention, detection, and response is essential for effective risk management. While prevention measures offer significant ROI, detection and response capabilities are critical for mitigating evolving threats and minimizing the impact of security incidents.

Collaboration Across Silos: Breaking down silos and fostering collaboration between security teams and other departments, such as marketing, HR, and IT, is paramount. Understanding how data is created, accessed, and utilized across various functions enables organizations to implement targeted security measures and address potential vulnerabilities proactively.

 

In the ever-changing landscape of cybersecurity, simplicity and practicality are key. By focusing on scenario-based preparedness, basic hygiene practices, adoption of frameworks like the NIST CSF, lifecycle approach to data security, and holistic integration of security functions, organizations can enhance their security resilience and readiness. Moreover, fostering collaboration across silos and promoting a culture of awareness and accountability ensures that cybersecurity becomes ingrained into the fabric of the organization. Ultimately, by simplifying cybersecurity and embracing practical approaches, organizations can navigate the complexities of the digital age with confidence and resilience.

 
 
 
Speakers:
 

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

Read more…

Future%20of%20Offensive%20Attack%20Simulation%20Evolving%20Security%20(1).png?profile=RESIZE_710x

 

Security is not a static concept; it's a dynamic process that demands continual attention and evolution. In today's digital landscape, where threats are ever-present and constantly evolving, relying on a single solution or treating security as a one-time event is no longer feasible. Instead, organizations must adopt a holistic approach that encompasses behavioral analysis, robust technology, and proactive measures to mitigate risks effectively.

 

 

Here is the verbatim discussion:

got to worry about the behavior stuff you have to understand the process why security is never a single solution it is never a moment in time it is something that must be maintained evolved and must maintain you know keep parity with the the emerging threats and attacks right and then it comes down to the technology and for this audience this audience plays a very unique role in developing the technology that can help by default right remove a lot of the attack landscape making sure that the code that you're using the libraries and the dependencies right don't have vulnerabilities when you're developing looking and testing uh what you're creating through the development process is hugely important and valuable right it's also reduce the costs because again risk cost friction right making sure that we've got the controls in place that whoever is going to maintain or administer whatever you're building can keep it patched can keep it secure can go in if something go you know uh bad happens and recover things like that very very important how are the users and the administrators coming in to do their work right is it set up um I was dealing with um uh a product the other day and it didn't have multiactor or second Factor authentication options for administrators just didn't support it I'm like how can you develop something today and not support Second factor or multiactor you should support it for everybody every user but at minimum for the administrators right it boggles my mind that is poor engineering and development right so you know there's lots of different things and you know it used to be build whatever you're going to build and then slap on some security at the end right that's the bolt-on security that model fails and it fails spectacularly it fails because it doesn't really protect against risks it isn't sustainable over time against emerging threats it costs a lot at the end of the day between 20 and 200 times versus you know putting.

 

Highlights :

Understanding Behavioral Patterns: Effective security strategies necessitate a deep understanding of user behavior and process workflows. By analyzing patterns and identifying anomalies, organizations can detect potential security threats early and respond promptly. Behavioral analysis empowers organizations to anticipate and adapt to emerging risks, ensuring a proactive defense posture.

Continuous Maintenance and Evolution: Security is an ongoing commitment that requires constant maintenance and evolution. Organizations must keep pace with emerging threats and attacks, continuously updating their defenses to mitigate new vulnerabilities. This proactive approach not only enhances security resilience but also reduces the likelihood of costly breaches and disruptions.

Role of Technology Development: Technology plays a pivotal role in shaping the security landscape. Developers have a unique opportunity to integrate security by design, ensuring that code, libraries, and dependencies are free from vulnerabilities. Incorporating security testing and validation throughout the development process is crucial for building robust and secure systems from the ground up.

Cost Reduction through Risk Mitigation: Proactive security measures not only mitigate risks but also reduce costs in the long run. By investing in preventive controls and security protocols, organizations can minimize the impact of potential breaches and operational disruptions. The cost of implementing proactive security measures pales in comparison to the financial and reputational losses incurred from security incidents.

User and Administrator Experience: User experience extends beyond functionality to include security considerations such as multi-factor authentication (MFA). Providing robust authentication options, especially for administrators, is essential for safeguarding sensitive data and infrastructure. Poor engineering practices that overlook fundamental security features undermine the integrity and trustworthiness of products and services.

Shift from Bolt-On to Integrated Security: The traditional approach of bolting on security as an afterthought is no longer sufficient. Integrated security, where security is woven into the fabric of every development stage, is essential for building resilient systems. By embedding security into the development lifecycle, organizations can preemptively address vulnerabilities and mitigate risks more effectively.

 

As cyber threats become increasingly sophisticated and pervasive, organizations must embrace a proactive and integrated approach to security. Understanding behavioral patterns, continuous maintenance, technology development, cost-effective risk mitigation, user experience enhancements, and integrated security practices are essential components of a robust security strategy. By prioritizing these elements, organizations can strengthen their defenses, mitigate emerging threats, and foster a culture of security excellence. In an era where security is paramount, proactive measures are not just a choice but a necessity for safeguarding digital assets and ensuring business continuity.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

Read more…

Future%20of%20Offensive%20Attack%20Simulation%20The%20Evolution%20of%20Cybersecurity%20(1).png?profile=RESIZE_710x

 

In the ever-evolving landscape of cybersecurity, staying ahead of threats requires more than just reactive measures. Organizations are increasingly adopting proactive strategies, leveraging continuous defense mechanisms to safeguard their digital assets. This approach involves integrating the latest threat intelligence, zero-day vulnerabilities, and attack techniques into automated defense systems. By doing so, companies aim not only to protect their networks but also to demonstrate their commitment to security excellence.

 

 

Here is the verbatim discussion:

so it's not just a dumb attack right they're using the capability of chaining things together understanding and integrating the the newest um zero days that are being announced and newest vulnerabilities that are being announced to be able to integrate those in right and to do that in an automated way for the benefit of the organization and that's that is a that's a capability and unfortunately not everybody's doing it but the leading companies and organizations are which again differentiates them from everybody else it makes them less attractive it makes their defensive positions stronger and auditable right and they can show that due diligence if something bad does happen they can show the Auditors they can show the court if it gets dragged into court that yes we are above right even the median average we do more and bad things are going to happen there's no way around that eventually it will but being able to show that have that confidence to to show your stockholders to show the courts to show your customers and clients and your business partners that yes you are Head and Shoulders Above the Rest because you're doing this continuous type of attacks against your system and again auditable you can show the results and when you get results you it's actionable you can go in and close that that firewall hole you can go in and Harden that new server that someone brought up and didn't tell you about right or that new database that got formed and has all this sensitive data in it with that kind of continuous attacking it gives you the Practical intelligence from an operations perspective to go in and resolve those issues again managing your risk hopefully to that Target that you want that's what you kind of covered it so well that even though I'm from this field I have nothing to add let talk about a few things no you need to add how your company does it better so I can pick on you and challenge you I mean are you perfect you know in your organizations what are your strengths what are your customers coming to you and asking as a priority I mean that's something I want to know you know are they saying I really want that red team kind of report or I want to be defensible or I want it as part of my audit or is it the operations guy going I'm really worried about that shadow it I've got dozens of admins and Engineers spinning up servers all the time that I don't know about what are the two or three asks yeah so so you made a great asked a great question so one definitely is Shadow it getting a visibility of what all assets are going up that's one uh continuous testing for for organizations which are kind of moving up in the maturity they're looking for continuous testing it's not just continuous red teaming they're thinking about continuous testing in their uh devops and their building up the application so they're thinking of continuous so you're looking at products as well right so you're we don't do that no we don't we don't do for the internal applications I'm just talking about General Trends we we focus on one are Mak yeah so so that's another interesting thing we're seeing like the more um mature organizations are going Beyond not just like continuous red timming but also continuous um devop security continuous Cloud security Etc so that's a great mindset so I'm a big believer of continuous security whatever be that area so so that's and also purple teaming is another interesting thing which uh is very helpful because one is you kind of go and attack.

 

Highlights :

Continuous Integration of Threat Intelligence: Leading organizations are harnessing the power of automation to incorporate the newest threat intelligence into their defense systems. This includes zero-day vulnerabilities and emerging attack techniques, allowing them to stay one step ahead of cyber threats.

Auditable Defense Posture: Continuous defense strategies enable organizations to build auditable defense postures. By conducting ongoing attacks against their systems, they can demonstrate due diligence to stakeholders, auditors, and regulatory bodies. This proactive approach strengthens their defensive positions and instills confidence in their ability to mitigate risks effectively.

Operational Insights for Risk Management: Continuous defense not only identifies vulnerabilities but also provides valuable operational insights for risk management. By simulating real-world attack scenarios, organizations gain practical intelligence to prioritize and remediate security gaps. This proactive approach empowers them to manage their risk profile effectively and align security measures with business objectives.

Addressing Shadow IT: Visibility into shadow IT is a critical aspect of continuous defense. Organizations strive to gain insights into all assets deployed within their environment, including unauthorized or undocumented resources. This helps them mitigate the risks associated with unmanaged infrastructure and ensure compliance with security policies.

Embracing Continuous Testing: As organizations mature, they recognize the importance of continuous testing across various domains, including development, operations, and cloud environments. Beyond traditional red teaming, they prioritize continuous security testing as an integral part of their DevOps processes. This proactive approach enhances the security posture of internal applications and infrastructure.

Adopting Purple Teaming: Purple teaming emerges as a collaborative approach to security testing, bridging the gap between red and blue teams. By simulating real-world attack scenarios and fostering communication between offensive and defensive teams, organizations can enhance their detection and response capabilities. This synergy strengthens their overall security posture and ensures a more robust defense against evolving threats.

 

In today's cyber threat landscape, organizations must adopt a proactive stance towards defense. Continuous security practices, including integrating threat intelligence, addressing shadow IT, and embracing purple teaming, are essential for staying ahead of adversaries. By prioritizing continuous defense mechanisms, companies can not only mitigate risks effectively but also demonstrate their commitment to security excellence. As cyber threats continue to evolve, embracing a culture of continuous defense remains imperative for safeguarding digital assets and maintaining trust with stakeholders.

 
 
Speakers:
 

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

  
 
Read more…

The%20Future%20Of%20Offensive%20Attack%20Simulation%20Navigating%20Collaboration%20and%20Innovation%20in%20Cybersecurity.png?profile=RESIZE_710x

 

In the dynamic realm of cybersecurity, collaboration and innovation are paramount for addressing evolving threats and driving progress. Matthew Rosenquist offers invaluable insights into the challenges and opportunities encountered in fostering collaboration within the cybersecurity community. From the formation of diverse groups to the complexities of stakeholder engagement, Rosenquist's experiences shed light on the importance of effective communication and tangible outcomes. Join us as we explore the nuances of collaboration and innovation in cybersecurity through Rosenquist's perspective.

  

 

Here is the verbatim discussion:

You there was a great amount of in interest we saw a whole bunch of different uh groups get formed and staffed and Tech U very very smart people get brought in great discussions papers being written but then many of the the autom automotive manufacturers kind of decided to pull back and they said oh that's a great paper oh glad for for articulating the risk but you know what I've got business issues that I really have to get my market share shrinking or I have to reduce costs I really don't have time for this right now you know thanks for your effort um and you saw a lot of people start to leave those forums because they weren't being listened to or the paper that they had worked so diligently on that outline what needed to happen got shelv and nobody nobody exy Etc over to you bash Matthew the floor is yours thank you Shel and uh great to see you Matthew thanks for joining us absolutely it's having conversations is what it's all about right communication and collaboration absolutely and that's that's the vision of our platform um so so collaboration with the aim of building Community Goods so so as a community we focus more on how can you build something which is tangible so let me ask you uh I know you you you are frequent um speaker at RSA or or multiple other various conferences so when I visit some of these conferences one of the key goals which I have is like to check out what's new happening and based on your last few conferences where you physically visited which I believe is quite some time.

 

Highlights :

Formation of Collaborative Groups: Rosenquist reflects on the initial surge of interest and enthusiasm that accompanied the formation of various cybersecurity groups. Smart minds, vibrant discussions, and promising papers marked the early stages, showcasing the potential for collaborative endeavors to address pressing security concerns.

Challenges in Stakeholder Engagement: Despite the initial momentum, Rosenquist highlights the challenges encountered when engaging stakeholders, particularly within industries like automotive manufacturing. Business priorities often take precedence, leading to disengagement and a lack of follow-through on cybersecurity initiatives.

The Importance of Tangible Outcomes: Rosenquist emphasizes the need for tangible outcomes in collaborative efforts, where discussions and papers translate into actionable measures. The disillusionment experienced when well-articulated risks are disregarded underscores the necessity of driving tangible progress within the cybersecurity community.

The Role of Conferences in Fostering Innovation: As a frequent speaker at conferences like RSA, Rosenquist shares his experiences in exploring emerging trends and innovations. Conferences serve as invaluable platforms for networking, knowledge sharing, and staying abreast of the latest developments in cybersecurity.

 

Matthew Rosenquist's insights into collaboration and innovation in cybersecurity offer a nuanced perspective on the challenges and opportunities inherent in fostering community-driven progress. From the formation of collaborative groups to the role of conferences in driving innovation, Rosenquist underscores the importance of effective communication, tangible outcomes, and stakeholder engagement. As the cybersecurity landscape continues to evolve, his experiences serve as a guiding light for navigating the complexities of collaborative endeavors and driving meaningful change in the pursuit of digital security.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

Read more…

_The%20Future%20Of%20Offensive%20Attack%20Simulation%20Unveiling%20Trends%20in%20Cybersecurity.png?profile=RESIZE_710x

 

In the ever-evolving landscape of cybersecurity, Matthew Rosenquist sheds light on emerging trends and persistent challenges. From the prevalence of misconfigurations to the dichotomy between complex and simplistic breaches, Rosenquist's observations offer valuable insights into the evolving threat landscape. Join us as we delve into the nuances of cybersecurity trends and their implications for organizations worldwide.

 

 

Here is the verbatim discussion:

Things which we are seeing like for example based on my observations of many of these major breaches I've seen misconfiguration being one of the top reasons now of course the world has gone a lot ahead in terms of security over last two decades but many of these breaches are because of simple misconfigurations many of these breaches are because of a open RDP port and the password being company name one two three okay so so there's a very interesting another kind of trend which I am noticing so so what I have observed is like there are two types of kind of breaches which are happening one is very complex ones like the ones which you mentioned right I mean many of those are very complex and you need really good knowledge of systems um um multi-stage attacks Etc and some are very very simple and many of the reasons why these simple breaches are happening is probably because um all of a sudden huh well they work they're easy but they work if you don't patch your systems and there's 50 known vulnerabilities you're an easy target and unfortunately the attackers haven't had to to get too complex because in general there's a lot of easy victims out there yeah yeah and the other thing which is happening is that sometimes what I have seen is that yes those are easy but a lot of times what what's happening is now yeah yeah did you did you visit RSA last time um I'm trying to think if I was there like seriousness and an investment perspective and unfortunately I've seen many of these industries and many of these companies pull back greatly and go you know what we'll just wait to see what regulation comes about now that's dangerous and now we're talking Life Safety dangerous so you know there there are Pros but we also have to peel back the onion a little bit to see okay at any given moment in time what's the trajectory that we have is it a good trajectory or has it kind of gone down a little bit and it's not really where a good TR trajectory or has it gone down a little bit I'm sorry 

 

Highlights :

Misconfigurations: A Persistent Challenge: Despite advancements in cybersecurity, misconfigurations continue to rank among the top reasons for breaches. Simple oversights, such as open RDP ports and weak passwords, highlight the critical importance of basic security hygiene in safeguarding against threats.

Complex vs. Simple Breaches: Rosenquist delineates between complex, multi-stage attacks and simplistic breaches driven by unpatched systems and known vulnerabilities. While sophisticated attacks garner attention, the prevalence of easy targets underscores the need for organizations to prioritize patch management and proactive security measures.

Impact of Regulatory Environment: A concerning trend highlighted by Rosenquist is the shift in organizations' attitudes towards cybersecurity investments, driven by regulatory uncertainty. The temptation to adopt a wait-and-see approach risks compromising security posture, particularly in industries where the stakes are high, such as life safety.

Balancing Pros and Cons: While regulatory frameworks offer potential benefits in enhancing cybersecurity standards, Rosenquist cautions against complacency. Organizations must navigate the delicate balance between regulatory compliance and proactive risk management to mitigate threats effectively.

 

Matthew Rosenquist's insights into cybersecurity trends provide a sobering reminder of the persistent challenges facing organizations in an increasingly digital world. From the prevalence of misconfigurations to the impact of regulatory uncertainty, his observations underscore the need for proactive security measures and strategic investments in cybersecurity. As organizations strive to safeguard their assets and protect against evolving threats, Rosenquist's guidance serves as a valuable compass for navigating the complexities of the modern threat landscape.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

Read more…

The%20Future%20of%20Offensive%20Attack%20Simulation%20Navigating%20Three%20Decades%20in%20Cybersecurity.png?profile=RESIZE_710x

 

In the ever-evolving landscape of cybersecurity, few voices carry the weight of experience and insight as Matthew Rosenquist and Bkash Parai. With over three decades in the field, their journey reflects the transformation of security from a niche concern to a critical aspect of modern business. From humble beginnings to prestigious roles at industry giants like Intel, their expertise spans investigations, operations, and strategic leadership. In this blog, we delve into the highlights of their careers, extracting valuable lessons and perspectives for navigating the complex world of cybersecurity.

 

 

Here is the verbatim discussion:

He is an experienced keynote speaker author and actively collaborates with the industry Partners to tackle pressing problems on a wide range of cyber security issues bkash parai is the co-founder of fire compus earlier he co-founded IIs and idg Ventures founded company which got acquired by digital Inc and synopsis uh I was the first company the let's get started with that um I mean it was kind of covered little bit i' I've been 30 years in security which means actually over 30 years which means I started when security was a deadend field there was no future for it uh but I had a passion for it so I've done everything from investigations operations um I Justified and built Intel's first 24x7 secur Operation Center and I managed it uh I also landed and managed the the C team right the computer information security Response Team uh and I've done a whole bunch of different roles at Intel and and part of the beauty there is I also got to work with developers and engineers and Architects um I owned platform security for all it systems I uh built out the security for uh Intel's AI group and so I got to sit down throughout my career uh and you develop new methodologies understand the landscape figure out what worked and didn't had a lot of frustrating days you know dealing with all the challenges out there in trying to figure out okay how of offensive attack simulation strategies tools and techniques today our speakers are mat Rosen and the gash bar Matthew is the Chief Information Security Officer for Eclipse formerly a cyber security strategist for intop and he benefits from over 30 years in the field of cyber physical and information security uh Mr rqu is a member of multiple advisory boards and consults on best practices and emerging R to academic business and government audiences across the globe he specializes in security strategy measuring value developing best practices for cost effective capabilities and establishing organizations that deliver optimal level of cyber security.

 

Highlights :

Early Beginnings and Passion: Both Rosenquist and Parai entered the cybersecurity realm when it was still a nascent field, driven not by promise but by passion. Despite initial skepticism, their dedication laid the foundation for illustrious careers marked by innovation and leadership.

Pioneering Initiatives: Rosenquist's tenure at Intel witnessed the establishment of groundbreaking security initiatives, including the company's first Security Operations Center and the Cyber Crisis Response Team. Parai's entrepreneurial spirit led to the founding of companies like IIS and IDG Ventures, paving the way for innovative solutions in cybersecurity.

Adapting to Change: Over the years, Rosenquist and Parai have demonstrated a keen ability to adapt to the evolving threat landscape. From managing platform security for AI systems to collaborating with developers and engineers, they have continuously refined their strategies to stay ahead of emerging risks.

Industry Influence and Collaboration: As influential figures in the cybersecurity community, both Rosenquist and Parai actively engage with industry partners to address pressing challenges. Through advisory roles, consultations, and speaking engagements, they contribute to shaping best practices and guiding organizations towards optimal cybersecurity posture.

 

Matthew Rosenquist and Bkash Parai exemplify the resilience, innovation, and foresight required to thrive in the dynamic field of cybersecurity. Their journey from pioneers to thought leaders serves as inspiration for aspiring professionals and established experts alike. As we navigate the complexities of cybersecurity in an increasingly digitized world, their insights offer invaluable guidance for building robust defenses and staying ahead of emerging threats.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

 
 
 
 
 
Read more…

The%20Future%20of%20Offensive%20Attack%20Simulation%20Journey%20of%20Innovation%20and%20Collaboration%20.png?profile=RESIZE_710x

 

Embark on a journey through the fascinating career trajectory of Matthew Rosenquist, where a passion for mathematics and a chance encounter with a white hat hacker laid the foundation for groundbreaking advancements in cybersecurity. From his formative years as a computer science enthusiast to shaping security strategies at Intel Corporation, Rosenquist's story epitomizes the fusion of technical expertise, innovation, and collaboration. Join us as we explore his insights into building effective security architectures and navigating the ever-evolving threat landscape.

 

 

Here is the verbatim discussion:

so my background had been I had been more of a a computer science guy when when when I was in the schools I loved maths Etc then I got acquainted with with my other um kind of uh co-founder for my first Venture who who was a hacker was still a hacker so I kind of observed him on how he does and thought about like how can we have algorithms to automate that so so I love though is was he a white hat hacker black hat hacker gry hat I mean what what kind of hacking were you involved in if you're willing to say yeah he he's a very timid person so he's an absolute white hat hacker so good my favorite kind okay good and and I love kind of deconstructing things whether it's deconstructing happiness as a problem or stress management or I had been Operation Center and I managed it I also landed and managed the CT team right the computer information security Response Team uh and I've done a whole bunch of different roles at Intel and and part of the beauty there is I also got to work with developers and engineers and Architects um I owned platform security for all it systems I uh built out the security for uh Intel's AI group and so I got to sit down throughout my career uh and you develop new methodologies understand the landscape figure out what worked and didn't had a lot of frustrating days you know dealing with all the challenges out there in trying to figure out okay how do we actually make technology trustworthy and I've spent many years advising Academia advising uh companies of all sizes Fortune 100 all the way down to to to very small companies um and governments around the world really around what are the emerging threats what are the opportunities that we can seize um and how is everything going to kind of evolve uh you know what are those risks and what can we do as industry Professionals in regards to best practices and Engineering developer developers coders Architects play such a crucial role not the only role it's all part of a team but it's a very very crucial role because that defines topic right let's should always be part of the discussion top so let's move on to the defense side like imagine if you have to build the security architecture of an organization so in order to build the effective build an effective security architecture how would you approach that and what would be your thinking model and what could be um architecture sample architecture so you can take it in the way you would like to this so again building um you know security for a company or for a technology or for an industry uh it's it's not easy it is I think it's fun myself but you know certain fundamental pieces have to be in place right first off you need Executive support because you're going to need money and things of that sort which means you have to again find that optimal level of security and it's important all the way down the chain all the way down to the developers and the engineers because you have to know there's a there's a balance between managing the risk

 

Highlights:

The Convergence of Passion and Expertise: Rosenquist's journey into cybersecurity began with a love for mathematics and computer science. Inspired by the complexities of algorithms and problem-solving, he embarked on a quest to explore the intersection of technology and security.

Collaboration and Innovation: A pivotal moment in Rosenquist's journey was his collaboration with a co-founder who was a white hat hacker. This partnership sparked a curiosity for deconstructing security challenges and devising innovative solutions, laying the groundwork for future endeavors.

Leadership at Intel Corporation: Rosenquist's tenure at Intel Corporation was marked by pioneering initiatives in cybersecurity, including the establishment of the company's first Security Operations Center and leading the Cyber Crisis Response Team. His diverse roles, from platform security to advising on emerging threats, showcased his ability to bridge technical expertise with strategic leadership.

Guiding Principles for Effective Security Architectures: Rosenquist emphasizes the importance of executive support and a holistic approach to security, where every stakeholder, from executives to developers, plays a crucial role. His insights underscore the need for a balanced approach to managing risks and prioritizing investments in security.

 

Matthew Rosenquist's journey from mathematics enthusiast to cybersecurity leader is a testament to the power of passion, collaboration, and innovation. His experiences at Intel Corporation and beyond offer invaluable lessons for building effective security architectures and navigating the complexities of the modern threat landscape. As we continue to confront evolving cyber threats, Rosenquist's insights serve as a guiding light for organizations striving to safeguard their digital assets and embrace a culture of security excellence.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

 
 
 
 
 
Read more…

Exposure%20Management%20and%20Finanacial%20Institutions%20Navigating%20the%20Complexities%20of%20Cybersecurity.png?profile=RESIZE_710x

 

The life of a cybersecurity professional is characterized by a constant battle against evolving threats and vulnerabilities. In today's complex and sophisticated landscape, there's no silver bullet solution to fix all our problems. Instead, we must embrace a multifaceted approach, acknowledging that addressing cybersecurity challenges requires time, resources, and expertise. One viable solution for organizations, especially mid-sized ones, is managed services, where specialized providers offer both tools and services to bolster cyber defenses.

 

 

Here is the verbatim discussion:

That's the life of a cyber security professional yeah much about it we got to live with it yeah I think unfortunately there's no Silver Bullet there's no one magic tool that would fix all our problems especially in today's world where we just discussed everything has become increasingly complex and sophisticated and our cyber posture needs to respond accordingly so we really need to take a multipro multifaceted and and and is going to take time money now one solution for this is going for manage service so somebody who has the tools and also can offer a layer of service on top of it and if you are a midsized organization and that's a great um solution because you may not need a full-time person for running that and also manage services folks they know the tools um and and and they also are trained on that they have probably a better license uh price maybe they can pass on some benefit to you so that could be a good um kind of solution in fact um interestingly um when we launched this as a product we got some feedback from various folks like especially from the midm market that can you offer this as a manag service so we also have a small manage services team who does this as a manage service for uh um I I think um Dave mentioned um like some very critical element few things like it's a big thing like um it's not a vendor risk management becomes a big part of the program few things which um which you might consider would be um like knowing your vendors like that's also again another very hard problem lot of times people don't know the list of all the vendors and somebody goes and starts working with another vendor without the knowledge of the security team so just the policy is not enough also doing some Discovery like we have seen sometimes exposure management or external attex surface Discovery is able to go and figure things out like here is a database which exposes your data on this specific it we found that for one of the banks and um they came back and said you know what that's not any IP address of our bank but the data looks like ours then it turned out we figured out that belongs to a specific organization um which was AI company doing certain things really think this is going to make us happy after we get that we don't feel happy and it's a difficult problem to solve right so risk management is something very similar but one very interesting thing like which is very similar to the happiness problem is that you have some generally happy folks and the happy folks whatever bad thing happens they come back to the Happy State and then you have generally unhappy folks whatever good thing happens in their life they generally come back to that negative state right so when it comes to risk management I think it's very important that we build a program where we come back to the safe State as a business so bad things can happen risks are there but can we come back to the safety State as a business so the organizations which can kind of um and and this CSF is very close to that.

 

Highlights:

The Reality of Cybersecurity Challenges: Cybersecurity professionals must grapple with the reality that there's no one-size-fits-all solution. As threats become increasingly complex, our cyber posture must adapt accordingly. This necessitates a comprehensive, multifaceted approach to cybersecurity.

Benefits of Managed Services: Managed services offer a compelling solution for organizations seeking to enhance their cyber defenses without the need for a full-time in-house team. By outsourcing to specialized providers, businesses can access expertise, tools, and cost-effective solutions tailored to their needs.

The Significance of Vendor Risk Management: Vendor risk management emerges as a critical element of any cybersecurity program. Knowing your vendors, conducting thorough assessments, and monitoring for potential exposures are essential steps in mitigating risks associated with third-party relationships.

Importance of Discovery and Exposure Management: Asset discovery and exposure management are indispensable components of effective risk management. Proactively identifying vulnerabilities, such as exposed databases or sensitive data, enables organizations to address potential risks before they escalate into breaches.

Striving for Resilience: Ultimately, the goal of risk management is to build resilience within the organization. Like the pursuit of happiness, where individuals naturally gravitate back to a baseline state, businesses must aim to return to a safe state despite encountering risks. This involves establishing robust cybersecurity frameworks, fostering a culture of security awareness, and implementing strategies to mitigate risks effectively.

 

As cybersecurity professionals navigate the ever-evolving threat landscape, it's imperative to adopt a proactive and holistic approach to risk management. By leveraging managed services, prioritizing vendor risk management, and embracing proactive discovery and exposure management practices, organizations can strengthen their cyber defenses and build resilience against emerging threats. In striving for resilience, businesses aim not to eliminate risks entirely but to mitigate their impact and swiftly return to a secure state. In this ongoing battle against cyber threats, the key lies in continuous vigilance, adaptability, and a commitment to cybersecurity best practices.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue


Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy


Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

Read more…

Exposure%20Management%20and%20Financial%20Institutions%20Enhancing%20IT%20Risk%20Management.png?profile=RESIZE_710x

 

In the realm of IT risk management, tagging applications in a consistent and standardized manner serves as a crucial foundation for effective asset classification. However, this process poses challenges, especially in terms of understanding the various perspectives from which tagging can occur. Additionally, managing internal and external vendor risks within the broader IT risk management strategy presents complex challenges that require meticulous attention. Let's delve into these topics further.

 

 

Here is the verbatim discussion:

I don't either way be cash I don't mind okay so um I can go for the um first take huh T after that please go ahead so tagging our applications in a consistent standardized manner so uh one thing which i' would like to understand like what what you mean as tagging so is the tagging more from the perspective of um like tagging it based on the organization it belongs to or the business unit the criticality of that the ownership so you can do tagging based on multiple perspectives so let me just consider that you want to tag it from all the perspectives and try to answer so this is a very very um um challenging problem from the perspective of like knowing all the assets and then classifying those if you mean tagging as the classification tags then probably what I'm going to answer yeah that that's a great point Thank You bash our our next question is from Ernest how are you managing the internal and external vendor risks as part of the overall it risk management strategy would you like to take that Dave sure that's a that's also a pretty big question there so obviously there is if I was to simplified it's all about the onboarding offboarding of to receivables and This Server had like a lot of data related to um the signature of their corporate customers so um then it turned out like this particular um AI kind of organization Al Lage company they were working with this bank but when the bank went and looked into their inventory of all the or or rather list of all the vendors the name of the vendor was not part of it then they went deeper and tried to figure out why is the vendor name missing and it turned out like business one of the business unit did a proof of concept with these guys and uh they gave certain data to them which was exposed now knowing certain exposures like this is a very hard problem so you got to kind of know your vendors from the process and all those things classify those vendors but also have a process of going and uh scouting the internet figure what do you mean as tagging so is the tagging more from the perspective of um like tagging it based on the organization it belongs to or the business unit the criticality of that the ownership so you can do tagging based on multiple perspectives so let me just consider that you want to tag it from all the perspectives and try to answer so this is a very very um um challenging problem from the perspective of like knowing all the assets and then classifying those if you mean tagging as the classification tags then probably what I'm going to answer will make sense if not I would like to understand your question better so one is like the discovery part becomes very very critical uh because if we don't have the discovery we can't do the rest of it so asset Discovery you can do it based on two perspectives one is from outside in perspective which tools like esm.

 

Highlights:

Tagging Applications for Classification: Tagging applications involves assigning labels based on multiple perspectives such as organizational hierarchy, business unit affiliation, criticality, and ownership. This standardized approach aids in asset classification, providing clarity and structure to IT risk management processes.

Understanding Asset Discovery: Asset discovery forms the cornerstone of effective risk management. It involves identifying all assets within the organization, both internal and external, to comprehensively assess potential risks and vulnerabilities. Leveraging tools like ESM enables organizations to conduct asset discovery from both internal and external perspectives, facilitating a holistic view of their IT landscape.

Challenges in Vendor Risk Management: Managing internal and external vendor risks presents significant challenges, particularly in ensuring compliance and mitigating potential exposures. A case study exemplifies the importance of thorough vendor assessment, as evidenced by a situation where a vendor's name was missing from the bank's inventory, leading to data exposure risks. This underscores the critical need for robust vendor management processes and continuous monitoring to mitigate risks effectively.

Process of Vendor Classification: Classifying vendors based on various criteria, including the nature of their services, data access privileges, and risk exposure, is essential for effective risk management. By categorizing vendors and understanding their role within the organization, businesses can prioritize risk mitigation efforts and implement appropriate controls to safeguard sensitive data.

Embracing Proactive Risk Mitigation: Proactivity is key in mitigating IT risks associated with vendor relationships. Organizations should focus on establishing robust discovery processes, implementing comprehensive vendor assessment frameworks, and fostering a culture of continuous monitoring and improvement to stay ahead of emerging threats.

 

As organizations navigate the complexities of IT risk management, tagging applications for classification and effectively managing vendor risks emerge as critical imperatives. By adopting standardized tagging practices, leveraging asset discovery tools, and implementing robust vendor management processes, businesses can enhance their resilience against potential threats and vulnerabilities. Proactive risk mitigation strategies, coupled with a thorough understanding of internal and external risk factors, empower organizations to safeguard their digital assets and sustain long-term success in today's dynamic landscape.

 
 
Speakers: 
 

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue


Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy


Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

 
 
Read more…

Exposure%20Management%20&%20financial%20Institutions%20Navigating%20Complexities%20of%20Third-Party%20Risk%20Management.png?profile=RESIZE_710x

 

In an era marked by Shadow IT, hybrid working models, and rapid digitization, the landscape of cybersecurity is constantly evolving. With countless potential attack surfaces and vulnerabilities, organizations must prioritize understanding the unknowns to fortify their security operations. Additionally, meeting the intricate demands of regulatory reporting adds another layer of complexity. As we reflect on the insights shared today, the need for proactive measures to mitigate risks and ensure security preparedness becomes abundantly clear.

 

 

Here is the verbatim discussion:

Dave for their insights today thanks to everyone who listened in for your time investment and engagement I hope you find the session useful I also wanted to thank ciso platform fire compass and Quantum smart for having me lastly do take advantage of the complimentary scam from fire compass and the Consulting offering from Quantum smart to help you build a path forward for a more secure digital Journey until next time have a great control are gone now with Shadow it hybrid working rapid digitization there's really so many uh potential attack surfaces and vulnerabilities that are unknown to us wouldn't it be nice to get to know the unknowns have a clear handle on your security operations preparedness and in the same time meet the ever complex regul atory reporting demands that is a key piece of takeaway for for me before we wrap is there a call to action for the audience to help them explore the next steps uh Dave what about you any call to action to offer definitely we're at quto smart we're highlighting how we can help companies with their digital Journey so we're or you know reach out to why is the vendor name missing and it turned out like business one of the business unit did a proof of concept with these guys and they gave certain data to them which was exposed now knowing certain exposures like this is a very hard problem so you got to kind of know your vendors from the process and all those things classify those vendors but also have a process of going and uh scouting the internet figuring things out is there something else is there something more which is out there on the internet so uh some of those age cases is also something which organizations typically don't think about but could also be part of your vendor risk yeah good point and and sometimes when we're trying to tackle a huge topic um you know I guess the more practical strategy is just pick one or two things that are tangible and and start doing them so to our audience members if you have any strategies to manage both internal and external thirdparty risks do share with us.

 

Highlights :

Unveiling the Unknowns: Amidst the proliferation of potential attack surfaces, it's essential to gain insight into the unknowns. By comprehensively assessing security operations and identifying vulnerabilities, organizations can proactively address potential threats before they manifest into breaches.

Meeting Regulatory Reporting Demands: The evolving regulatory landscape necessitates meticulous compliance efforts. Organizations must not only fortify their security posture but also ensure adherence to complex regulatory requirements. This entails robust reporting mechanisms to demonstrate compliance and mitigate regulatory risks effectively.

Leveraging External Partnerships: Collaborating with external partners such as CISO platforms, Fire Compass, and Quantum Smart can provide valuable resources and expertise in navigating security challenges. These partnerships offer insights, tools, and consulting services to bolster organizations' security operations and enhance overall resilience.

Embracing Tangible Strategies: Amidst the enormity of the task at hand, it's crucial to adopt practical strategies that yield tangible results. Organizations can start by focusing on a few key areas, such as vendor risk management or internal security protocols, and gradually expand their efforts.

Sharing Best Practices: Encouraging dialogue and knowledge-sharing within the cybersecurity community is paramount. Organizations can benefit from sharing strategies, challenges, and successes with peers, fostering a collaborative approach to risk management.

 

As we conclude today's discussion, the imperative for robust third-party risk management and security preparedness remains paramount. By embracing proactive measures, leveraging external partnerships, and prioritizing regulatory compliance, organizations can navigate the complexities of the digital landscape with confidence. Let us heed the call to action, embracing tangible strategies and fostering collaboration within the cybersecurity community to fortify our defenses and safeguard against emerging threats. Together, we can embark on a secure digital journey, equipped with the knowledge and tools to confront the challenges ahead.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue


Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy


Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

Read more…

Exposure%20Management%20and%20Financial%20Institutions%20Transforming%20Risk%20Management%20.png?profile=RESIZE_710x

 

As organizations grapple with escalating risks in the digital realm, the imperative for robust risk management has never been more pressing. In this era of increased scrutiny from regulators and stakeholders, businesses are compelled to demonstrate airtight security postures and transparency in their operations. The emergence of Chief Risk Officers, Privacy Officers, and Third-Party Risk Management programs reflects a paradigm shift in how companies approach risk mitigation.

 

 

Here is the verbatim discussion:

Similar to what bees is mentioning the tools that he has in place that reduces the burden on the it organizations it allows them to provide that information to the third- party risk management programs and what I've been seeing across the industry customers vendors are going through a lot more scrutiny so the the the customers have have to show to their uh their the customers have to show that that um sorry the vendors have to have to show to their customers the different uh the different measures that they put in place you can't just do business with other companies nowadays without providing some of that evidence that you have the right security posture in place so anything that can automate that anything that can show that hey we we have continuous uh security scanning on our environment here's our exposure here's our external threat uh threat ATT or to surface and that we've scanned it and we've we've put the appropriate measures in place so that that uh it's one of the big drivers that you're seeing in addition to Regulators is that customer vendor relationship that vendor management uh relationship so onboarding offboarding customers working with other vendors uh that is you need to provide some kind of security before it was a MSA you sign you do business with someone now it's show me that you have a good security posture we can connect to your environment and providing that evidence to all your your your vendors or your customers depending on the relationship is a challenge so I would definitely leverage this ass solution to provide me with that evidence that that we've continuously have that program in place uh risk management so that's the other part I know I stayed at a very philosophical level but it's very hard to go tactical it would probably need days or weeks to build a program for risk management now back to nashin the other thing which you mentioned like uh one thing we would be very happy to uh for anybody in the audience um if you would like we would be happy to offer you a kind of uh free discovery of your attex surface and how does the hackers view of your attack surface look like what kind of exposure you have we would be happy to conduct an assessment and provide you with the results so you will have a kind of good view of how does the attack surface look like are there some unknown unknowns any any surprises if you are on Sand and if you don't go enough depth and figure out a really solid structure whatever you build on top of it it really doesn't matter that might look very strong the um the walls and doors and windows but if the fundamentals are not strong it's going to just collapse and that is something which happens a lot with this kind of risk management models the fundamental assumptions and the fundamental models are not strong enough so unless you really have a very mature process I would say like doing some kind of risk quantification like that is very hard so mature not just process very mature organization where you have really tested out those models and there are a lot of organizations who does it decently well like any any underwriter for insurance they have to build a very strong model otherwise their companies at stake right like they have built certain things but even they know that their assumptions has to be tested over a period of time when you do insurance for people's life life insurance they have data for like 50 60 years or even more for this it's new so but they know the RIS they adequate time so if you do not have very high maturity going that route is not very helpful so that's one thing which I wanted to mention then what is the other way to solve this I think a better way or a easier way in certain ways which could also be more practical and more useful is to look at it from the perspective of adversity go and look at Verizon DB and see what kind of attacks the bad guys are doing which are causing Brees look at from that perspective look at the various threat intelligence data and use that information like my adversary or our adversary are XYZ and they use these kind of techniques and they use this kind of attacks so let me prioritize based on that so definitely you can prioritize your assets that's very that's much easier if you know the assets you can prioritize you know which has got high value.

 

Highlights :

Evolving Dynamics of Customer-Vendor Relationships: In today's business landscape, the mere exchange of contracts is no longer sufficient. Companies must showcase their security measures to forge trustworthy partnerships. The burden falls on vendors to provide evidence of their robust security postures to gain the confidence of customers, thereby emphasizing the importance of continuous risk management practices.

The Role of Automation in Risk Mitigation: Automation tools play a pivotal role in alleviating the burden on IT departments and enabling organizations to streamline their risk management processes. Solutions such as SAS offer the ability to provide repeatable and predictable outputs, crucial for meeting the demands of third-party risk management programs.

Importance of Structured Data Management: Structured approaches to data management, including classification and labeling, are essential for effective risk mitigation. By prioritizing the protection of critical data assets and implementing encryption and access controls, organizations can fortify their defenses against potential threats.

Offering Proactive Risk Assessments: To stay ahead of evolving threats, organizations can benefit from proactive risk assessments. By conducting assessments of their attack surfaces and leveraging threat intelligence data, businesses can identify vulnerabilities and prioritize mitigation efforts accordingly.

Embracing Adversity as a Strategy: Rather than solely relying on internal risk models, organizations can gain valuable insights by studying adversary tactics. Analyzing threat intelligence data and understanding the techniques used by cybercriminals can inform proactive risk management strategies and enhance overall resilience.

 

In a landscape characterized by heightened risks and regulatory scrutiny, organizations must adopt a proactive approach to risk management. By leveraging automation, structured data management practices, and insights from threat intelligence, businesses can strengthen their security postures and navigate the complexities of the digital age with confidence. Embracing adversity as a strategy allows companies to stay ahead of emerging threats and build resilience against potential cyberattacks. In this dynamic environment, effective risk management is not just a necessity but a strategic imperative for long-term success and sustainability.

 
 
Speakers:
 

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue


Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy


Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

 
 
 
Read more…

Exposure%20Management%20for%20Financial%20Institutions%20Navigating%20the%20Evolving%20Landscape%20of%20Risk%20Management%20in%20the%20Digital%20Age.png?profile=RESIZE_710x

 

In today's interconnected digital landscape, organizations face heightened risks that demand robust risk management strategies. With the proliferation of data breaches and regulatory scrutiny, the role of Chief Risk Officers, Privacy Officers, and Third-Party Risk Management programs has expanded significantly. As businesses strive to meet compliance requirements and safeguard sensitive information, the need for structured approaches to data management becomes increasingly apparent.

 

 

Here is the verbatim discussion:

I have unmuted uh David if you can hear me questions I can see your hand raised so you'll just have to unmute yourself to start talking if there's anybody else who has a question just raise your hand what's happened in because of the increased risk that organizations have you start seeing Chief risk officers privacy officers third party risk management programs expand and you start seeing the demand to provide repeatable predictable output similar to what we were saying it's a program it has to be built in so when you start looking at some of the SAS Solutions or automation or continuous uh Improvement and continuous scanning Security Solutions similar to what bees is mentioning the tools that he has in place that reduces the burden on the it organizations it allows them to provide that information to the thirdparty risk management programs and what I've been seeing across the industry customers vendors are going through a lot more scrutiny so the the the customers have have to show to their uh their the customers have to show that that um sorry the vendors have to have to show to their customers the different uh the different measures that they' put in place you can't just do business with other companies nowadays without providing some of that evidence that you have the right understand more of the question but if you if I was to try and interpret in a a path forward the structured data versus unstructured data and how you would look at that obviously with the like G Sues and the Microsoft they have labeling and different pieces so you need to have your labeling standard you know be it three four labels that you put together um for data categorization when you start looking at the corporate assets and the office documents that's quite easy and anything you save or open you put in a policy DLP that's that's much more straightforward uh but from a categorization tagging perspective of unstructured structured data for commercial system servicing your business uh the best way I I would approach it is that the pieces that you need to classify that are the most critical address those first put those understand your digital crown jewels understand which uh data is critical put that into the appropriate areas be it you know the encryption or the buckets that would then tag them.

 

Highlights:

Rising Demand for Repeatable and Predictable Outputs: Organizations are under pressure to provide repeatable and predictable risk management outputs, akin to structured programs. This necessitates the adoption of solutions that streamline processes and reduce the burden on IT departments.

Integration of Automation and Continuous Improvement: Solutions such as SAS (Software as a Service) and automation tools facilitate continuous scanning and improvement in security measures. These technologies not only enhance efficiency but also enable organizations to meet the rigorous demands of third-party risk management programs.

Elevated Scrutiny from Customers and Vendors: Both customers and vendors are subject to heightened scrutiny in their business relationships. Vendors must demonstrate their adherence to security standards and provide evidence of robust risk management practices to earn the trust of their clients.

Structured vs. Unstructured Data Management: Classifying and managing data, whether structured or unstructured, poses significant challenges. While tools like G Suite and Microsoft offer labeling features for structured data, a comprehensive approach is required to tackle unstructured data effectively.

Prioritizing Critical Data Assets: Organizations should prioritize the classification and protection of their most critical data assets, often referred to as digital crown jewels. By understanding the value and sensitivity of data, businesses can implement appropriate encryption and access controls to mitigate risks effectively.

 

In an era where data breaches and regulatory compliance are top concerns, organizations must adapt their risk management strategies to navigate the complexities of the digital landscape. By embracing automation, continuous improvement, and structured data management practices, businesses can enhance their resilience against emerging threats while building trust with customers and partners. Effective risk management is no longer a choice but a necessity for survival and growth in today's dynamic business environment.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue


Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy


Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

Read more…

Exposure%20Management%20for%20Financial%20Institutions%20Navigating%20Regulatory%20Demands%20.png?profile=RESIZE_710x

 

In both the US and Canada, financial institutions face heightened regulatory demands, with regulators emphasizing the need for standardized cybersecurity practices and enhanced digital resilience. This blog explores the evolving regulatory landscape and the key expectations outlined by regulators to ensure cybersecurity maturity across the financial sector.

 

 

Here is the verbatim discussion:

now Gentlemen let's dive in in both the US and Canada The Regulators are really stepping up and demanding a higher level of sophistication and cyber security maturity from financial institutions so my first question is to you um if you could Dave if you could uh kick it off for us here how are the regulatory demands changing and at a high level what are The Regulators asking for well that's a great question nen uh what we're seeing is more standardization so across the board US and Canada they've stepped up their game similar to many companies where they had to enhance their digital footprint so does The Regulators have to make sure that those digital Footprints are standardized so there's less tolerance for Poe hygiene uh there are better questions better uh maturity matrixes that are going out to evaluate the environments and to make sure that they here to proper standards so that's that's something that's that's uh really helped uh helped provide direction for financial institutions across like very very frequently that's something which is super important another very interesting story this is from my kind of um school days during the school days I remember like um every time Patch Tuesday was out there some new patches came up there was a group of hackers uh who used to immediately go and uh reverse engineer that find out which are the vulnerabilities which has been patched then go and try to write an exploit for that and the goal was going and how quickly can somebody own the university Network so those days it was more like people were doing things at the University Centric manner but fast forward if you look at today I mean the same thing is happening but that is being done by the Bad actors and they're doing it on the entire internet the moment something new comes up they are trying to kind of exploit the entire internet so here is the second kind of realization the first was like we don't know our attack surface we don't

 

Highlights:

Standardization and Compliance: Regulators in the US and Canada are prioritizing standardization in cybersecurity practices, leaving little room for poor hygiene. Financial institutions are expected to comply with established standards and frameworks, demonstrating a commitment to robust cybersecurity measures.

Enhanced Maturity Assessment: Regulatory bodies are employing more sophisticated maturity matrices to evaluate the cybersecurity posture of financial institutions. These assessments go beyond surface-level evaluations, delving into the intricacies of cybersecurity programs to ensure adherence to industry best practices.

Patch Management and Vulnerability Response: The evolution of cyber threats necessitates proactive patch management and vulnerability response strategies. Regulators emphasize the importance of timely patching and proactive vulnerability assessments to mitigate the risk of exploitation by malicious actors.

Continuous Monitoring and Incident Response: Financial institutions are expected to implement continuous monitoring mechanisms to identify and respond to cyber threats in real-time. Regulators stress the importance of robust incident response plans, ensuring swift and effective responses to security incidents to minimize their impact.

Shift in Threat Landscape: The emergence of sophisticated cyber threats, coupled with the increasing prevalence of exploit automation, underscores the need for heightened vigilance. Regulators urge financial institutions to stay abreast of evolving threat landscapes and adopt proactive measures to protect their digital assets.

 

As regulatory demands for cybersecurity maturity intensify in the US and Canada, financial institutions must prioritize standardized practices, compliance with established frameworks, and robust cybersecurity measures. By enhancing patch management, vulnerability response, continuous monitoring, and incident response capabilities, organizations can navigate the evolving threat landscape effectively. Moreover, a proactive approach to cybersecurity, informed by a deep understanding of emerging threats, is essential to safeguarding the integrity of financial systems and maintaining regulatory compliance. Through collaboration with regulatory bodies and industry peers, financial institutions can strengthen their cybersecurity posture and uphold the trust of stakeholders in an increasingly digital world.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue


Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

 

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

Read more…

Exposure%20Management%20for%20Financial%20Institutions%20Navigating%20the%20Cyber%20Talent%20Shortage.png?profile=RESIZE_710x

 

The cybersecurity landscape is marred by challenges, compounded by a severe shortage of skilled professionals. As organizations strive to adhere to higher standards, combat increasing complexity, and defend against relentless cyber threats, the scarcity of cyber talent emerges as a critical impediment. In this blog, we explore the implications of the cyber talent shortage for financial institutions and strategies to mitigate its impact, including the pivotal role of cyber insurance in bolstering organizational resilience.

 

 

Here is the verbatim discussion:

You look at security it's even even worse in terms of the shortage of of staff so it's it's a real challenge to look you know you we've talked about in this discussion how much companies now need to adhere to higher standards uh there are there's more complexity in the environment and then you layer on top of it the the the war on talent and the Cyber Talent Trend where there there are shortage there's been a shortage because cyber Al over the years has been you know has that funnel has not been as strong there hasn't been as many people if you go back 10 20 years ago most of the folks were infrastructur uh half infrastructure half security a lot of people it's a challenge to find Talent so the these the people coming out of the universities there are less of them and the demand is higher than anything hello everyone I welcome you all on behalf of C platform to this today's webinar ceso platform is world's first online community it's Solly dedicated information senior security Executives like C CIO csos cdos directors with 40,000 plus that's why the price is going up as well from cyber insurance and so definitely something to to have to protect yourself uh you need to have the right uh you know putting cyber insurance in place gets you the right teams right right measures in place when you do have those if that does happen and it's it's in many cases you look at the insurers and based on the trends and the information they're providing it's not a matter of if it's a matter of when and how severe so this is one of those mitigating controls.

 

Highlights:

Escalating Demand vs. Limited Supply: The demand for cybersecurity professionals has skyrocketed in recent years, fueled by regulatory requirements, escalating cyber threats, and growing organizational complexity. However, the supply of skilled professionals has failed to keep pace, resulting in a severe talent shortage across the industry.

Impact on Cybersecurity Posture: The shortage of cyber talent poses significant challenges for financial institutions, hindering their ability to maintain robust cybersecurity postures. With fewer skilled professionals available, organizations struggle to implement effective security measures, conduct timely threat assessments, and respond swiftly to cyber incidents.

Addressing the Talent Gap: Financial institutions adopt various strategies to address the cyber talent gap, including talent development initiatives, strategic partnerships with educational institutions, and recruitment efforts targeting diverse talent pools. Moreover, organizations invest in upskilling existing staff and fostering a culture of continuous learning to enhance their cybersecurity capabilities.

Role of Cyber Insurance: Cyber insurance emerges as a critical risk mitigation strategy for financial institutions grappling with the cyber talent shortage. By providing financial protection against cyber incidents, including data breaches and ransomware attacks, cyber insurance helps organizations offset the impact of security breaches and navigate the aftermath effectively.

Proactive Risk Management: Recognizing the inevitability of cyber incidents, financial institutions prioritize proactive risk management strategies, including comprehensive incident response plans, robust security protocols, and regular cybersecurity assessments. Cyber insurance serves as a crucial component of this risk management framework, complementing proactive security measures with financial protection.

 

The cyber talent shortage presents formidable challenges for financial institutions, threatening their ability to maintain effective cybersecurity postures in an increasingly hostile digital landscape. To mitigate the impact of the talent gap, organizations must adopt proactive strategies, including talent development initiatives, upskilling efforts, and strategic partnerships. Moreover, cyber insurance plays a pivotal role in bolstering organizational resilience, providing financial protection against cyber risks and enabling institutions to navigate the challenges posed by the talent shortage effectively. By embracing these strategies and leveraging cyber insurance as a risk mitigation tool, financial institutions can enhance their cybersecurity resilience and safeguard their operations against evolving threats.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue


Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

 

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

Read more…

Exposure%20Management%20for%20Financial%20Institutions%20Navigating%20Cybersecurity%20Paradigm%20Shifts.png?profile=RESIZE_710x

 

The cybersecurity landscape is undergoing profound shifts, marked by the recognition that complete protection is unattainable. Instead, the focus has shifted towards detection, response, and remediation, epitomized by the XDR movement. In this blog, we delve into the strategies adopted by financial institutions to provide continuous assurance of their cyber posture in response to these transformative trends, including the pivotal role of cyber insurance in mitigating risks.

 

 

Here is the verbatim discussion:

thank you bash I I really love your analogy and then the two trends that you've outlined are really bang on and at this point I also wanted to remind our audience please do chime in and comment in the chat window what are some of the trends that you have observed but more importantly what are some of the tactics you're implementing to provide continuous Assurance of your cyber posture and Dave you know speaking of risk mitigation cyber insurance is another strategy many FIS leverage with mitigating risk is cyber Insurance really that important given what BH just talked about and how does it best serve a organization and I generally kind of look for what are those kind of future directional changes so if I think from that perspective there are two major kind of fundamental shifts which are happening in the cyber security industry which is going to be very important for us um to kind of take us towards the moon now one um interesting change is that as as a industry we realize that we will not be able to protect ourselves whatever we do and that is the reason why came up this drive for detection response and Remediation right and nist came up with that and uh um then the entire set of Technologies also moved into that direction so that is if you look at the xdr movement it's part of that fundamental movement which is happening in the industry which is this realization we cannot protect ourselves always there'll be moments when US and Canada and so it's very clear what they have to follow what they need to do and they have steps to do that with with clear direction from from The Regulators both osie and US Regulators that's a really good uh high level overview Dave and Bash based on what Dave just said how have the financial institutions responded to these asks what are some of the ways financial institutions provide for continuous Assurance of their cyber posture you're on mute.

 

Highlights:

Embracing Detection and Response: Financial institutions acknowledge the inevitability of cyber threats and prioritize detection, response, and remediation. The XDR movement reflects a paradigm shift towards proactive threat detection and swift incident response, enabling organizations to thwart attacks effectively.

Regulatory Compliance and Assurance: Regulatory bodies, such as OSFI in Canada and various regulators in the US, mandate stringent cybersecurity requirements for financial institutions. To comply with these regulations and provide continuous assurance, institutions implement robust security measures, conduct regular audits, and demonstrate adherence to industry standards.

Cyber Insurance as a Risk Mitigation Strategy: In light of the evolving threat landscape, cyber insurance emerges as a crucial risk mitigation strategy for financial institutions. Despite debates surrounding its efficacy, cyber insurance provides financial protection against cyber incidents, complementing proactive security measures and enhancing organizational resilience.

Continuous Improvement: Financial institutions prioritize continuous improvement of their cybersecurity posture to adapt to evolving threats and regulatory requirements. This entails regular assessments, vulnerability scanning, and penetration testing, coupled with proactive measures to address emerging vulnerabilities and strengthen defenses.

Collaboration and Knowledge Sharing: Recognizing the collective nature of cyber threats, financial institutions actively participate in industry forums, share threat intelligence, and collaborate with peers to enhance their cybersecurity posture. This collaborative approach fosters a culture of resilience and adaptability across the sector.

 

In response to paradigm shifts in cybersecurity, financial institutions are embracing strategies for continuous assurance of their cyber posture. By prioritizing detection and response, complying with regulatory requirements, and leveraging cyber insurance as a risk mitigation strategy, organizations fortify their defenses against evolving threats. Moreover, a commitment to continuous improvement, coupled with collaboration and knowledge sharing, enables institutions to navigate the dynamic cybersecurity landscape effectively. As threats evolve and regulations evolve, financial institutions must remain vigilant and adaptive, ensuring the resilience of their cybersecurity posture in an ever-changing environment.

 
Speakers:
 
 

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue


Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

 

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

 
 

 

Read more…

Exposure%20Management%20for%20Financial%20Institutions%20Adapting%20to%20Continuous%20Threats.png?profile=RESIZE_710x

 

The cybersecurity landscape has undergone fundamental shifts, with attackers targeting organizations of all sizes and deploying continuous, sophisticated tactics. In response, the industry is witnessing a movement towards continuous defense strategies, exemplified by the rise of XDR (Extended Detection and Response) and the paradigm shift embodied by concepts like zero trust. This blog explores these transformative trends, emphasizing the imperative for organizations, particularly financial institutions, to embrace continuous security measures to mitigate evolving threats effectively.

 

 

Here is the verbatim discussion:

there's some fundamental shifts one is it doesn't matter whether you're big or small ransomware guy can attack you and the second change is that these attacks are continuous unlike five years back today the attackers have gone continuous and the moment a new CV is out they're building scripts and scanning the entire internet today there is showan through which you can go and find out which are those vulnerable assets and then there are this bu Bounty programs which feeds this information to the Bounty Hunter so this information of your exposed assets are being continuously sent to them so attacks are continuous that's the second thing now because attacks are continuous our defense also has to be continuous so there is also a movement which is happening in the industry which is the continuous movement one is the xdr movement and the other is the continuous moving to continuous movement and that is happening in many different shapes and forms like if you look at the zero trust and zero trust I consider is a very bad name because most people misunderstand what zero trust is they consider it's like zero trust you don't trust I mean that's not the idea the idea about zero trust is continuous evaluation of trust so that means that you give the password and I'm trusting you right now but if you behave differently I'm going to remove my trust like your trust is going to change so trust is now evaluated continuously so zero trust a better name could have been continuous trust rather than zero trust so look at zero trust even though zero trust looks like something uh but on underlying theme is I and bs7799 Etc if you all remember just before the audit people used to go and get all these printouts and create all these artifacts and show like yes we have something I'm talking about very early days right but now The Regulators are much more mature and they just don't stop there they would like to see the program do you have it's not like you went to gym once do you have a program that you're going to gym every day that's what they want to see because they they're really kind of looking at the Health uh of the cyber security organization and from that perspective there are a lot of things which are essential so one thing which I would suggest is like of course build the program but then see how that program can be made very repeatable and also how can you continuously improve upon that that is another organization so absolutely a must and I would see in in some regions that this would become mandatory depending on um depending on your business it's already become mandatory in some some areas um so yes definitely a tool that needs to be put in place yeah that makes sense and how can financial institutions best demonstrate their actually adhering to security standards and and compliance Frameworks how are these standards maintained and updated and I know bash you said you're not a standards guy per se but would you like to kick off the answer and then we'll have uh Dave expand on that.

 

Highlights:

Continuous Threats: The evolution of cyber threats transcends organizational size, with ransomware attacks and continuous scanning becoming ubiquitous. Threat actors leverage automated tools and exploit vulnerabilities promptly, necessitating a paradigm shift in defense strategies.

Continuous Defense: In response to the relentless nature of cyber threats, organizations are adopting continuous defense mechanisms. Concepts like zero trust advocate for the continuous evaluation of trust, reflecting a departure from traditional perimeter-based security models towards dynamic, context-aware approaches.

Compliance and Standards: Regulatory bodies demand more than mere compliance; they seek assurance of robust security programs capable of withstanding continuous threats. Financial institutions must not only adhere to established standards and frameworks but also demonstrate the repeatability and continuous improvement of their security practices.

Maintaining and Updating Standards: While compliance with standards and frameworks is essential, organizations must go beyond checkbox exercises. They must establish processes for maintaining and updating standards, ensuring alignment with evolving threats, regulatory requirements, and industry best practices.

Demonstrating Adherence: Financial institutions face the challenge of demonstrating adherence to security standards and compliance frameworks effectively. Beyond documentation, they must showcase the operationalization of security measures, highlighting a culture of continuous improvement and resilience.

 

As cyber threats evolve in sophistication and frequency, financial institutions must adapt their cybersecurity practices accordingly. Embracing continuous defense strategies, such as those embodied by concepts like XDR and zero trust, is essential to thwarting relentless attacks. Compliance with security standards and frameworks is necessary but insufficient; organizations must prioritize the repeatability and continuous improvement of their security programs. By demonstrating operational adherence to security standards and fostering a culture of continuous improvement, financial institutions can bolster their resilience against the evolving threat landscape and enhance trust with stakeholders.

 

Speakers:

 

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue


Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

 

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

 

Read more…

Exposure%20Management%20for%20Financial%20Institutions%20Building%20Cyber%20Resilience%20.png?profile=RESIZE_710x

 

Cybersecurity isn't a one-time activity but a continuous effort that demands integration into every aspect of system design, build, and deployment. In a landscape rife with complexities and evolving threats, manual approaches are unsustainable. Instead, a programmatic approach, embedding security into the fabric of operations, is imperative. This blog explores the necessity of incorporating security from the outset and highlights insights from industry leaders, Bicash and Dave Loi, on the proactive integration of security into organizational processes.

 

  

Here is the verbatim discussion:

ree it's a matter of how you design build and deploy your systems and it can't be a one-time activity it's too much effort it's it's too much to manage maintain sustain that in a um in a way that's very manual so it has to be programmatic and that's where from the build process the design process build process sustaining process today we have Dev SEC Ops we have other Buzz terms that are out there but ultimately uh security has to be built into your design security has to be uh running all the time and not put on afterwards we often hear this it's it's put in after the fact it has to be part of the process baked into the process to be to be part of your sustaining uh systems and that complexity to manage be it hundreds of processes Services other things that even a small business today has where before they did not you need to under his name a Fortune Magazine 40 under 40 bicash is well known on the global speaking circuit on cyber security matters appearing at RSA Conference USA Singapore interrup USA tedex just to name a few Dave laui is a senior technology executive and co-founder of quantum smart he is a seasoned Tech leader with over 20 years of experience in highly regulated environments such as insurance banking Pharmaceuticals retail and payments he's also a member of the Gardner research board and an advisor to sure so I love technology and problem problem I me solving the core problem but of course like standards is something which we need to continuously work with and also work on and also been part of developing some of those Frameworks Etc so um if you look at The Regulators now there had been a time when The Regulators used to come and ask you like show this they to look at the policy and they us to look at some artifacts and leave now Regulators are increasingly looking for like is this a program or is it like you are just cooking up the data to show us like very early days of PC c i and bs7799 Etc if you all remember just before the audit people used to go and get all these printouts and create all these artifacts and show like yes we have something I'm talking about very early days right but now The Regulators are much more mature and they just don't stop there they would like to see the program do you have it's not like you went to gym once do you

 

Highlights:

Programmatic Security: Effective cybersecurity cannot be retrofitted; it must be ingrained from the inception of systems. From the design phase to sustaining processes, security protocols need to be seamlessly integrated, transcending buzz terms like DevSecOps, to ensure continuous protection.

Complexity Management: The modern business landscape is characterized by a myriad of processes and services, even for small enterprises. Managing this complexity requires a strategic approach, where security frameworks are diligently applied to streamline operations and mitigate risks.

Industry Expertise: Leaders like Bicash, renowned for their global contributions to cybersecurity discourse, emphasize the importance of proactive security measures. By advocating for the incorporation of security into the design and build phases, they underscore its intrinsic role in sustaining business resilience.

Regulatory Compliance: Regulatory bodies are increasingly scrutinizing cybersecurity programs, moving beyond surface-level assessments to evaluate the efficacy of security measures. This necessitates a shift towards comprehensive security programs, rather than ad-hoc compliance efforts.

Continuous Improvement: In an ever-evolving threat landscape, adherence to standards and frameworks is paramount. Industry leaders, like Dave Loi, advocate for ongoing refinement of security protocols, ensuring alignment with emerging threats and regulatory requirements.

 

Integrating security into every phase of system development and deployment is no longer a luxury but a necessity in today's digital landscape. By adopting a programmatic approach, organizations can effectively manage complexities and sustain robust cybersecurity postures. Industry insights from thought leaders like Bicash and Dave Loi underscore the importance of proactive security measures and continuous improvement to navigate evolving threats and regulatory demands. Embracing this ethos of security-by-design is paramount in building cyber resilience and safeguarding against emerging risks.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue


Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

 

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

Read more…

Exposure%20Management%20for%20Financial%20Institutions%20Navigating%20Cyber%20Risk%20.png?profile=RESIZE_710x

 

In an era marked by evolving cyber threats and stringent regulatory requirements, financial institutions face a daunting challenge in maintaining robust cybersecurity postures. Amidst talent shortages and escalating complexities, effective risk management becomes paramount. This blog delves into the strategies employed by these institutions to mitigate exposure, emphasizing the significance of cyber insurance in bolstering their resilience.

 

 

 

Here is the verbatim discussion:

you have observed but more importantly what are some of the tactics you're implementing to provide continuous Assurance of your cyber posture and Dave you know speaking of risk mitigation cyber insurance is another strategy many FIS leverage with mitigating risk is cyber Insurance really that important given what bicash just talked about and how does it best serve a organization well I'll play on bat's uh analogy sometimes you need many fingers to Point At The Moon And so in this case this would be one of to this today's webinar C platform is world's first online community it's Solly dedicated by information senior security Executives like ceso CIO csos cdos directors more with 40,000 class professionals glob and 5,000 Plus members today's session is on for financial ins he can we just check maybe we'll restart that quick because I think need to go on mute to some of the attendees or some of the other areas I didn't quite get you did oh no it's okay just there was some background noise maybe if you can repeat ah okay sure thank you I'll just restart again thank thank you so much uh hello everyone I welcome you on behalf of ceso platform ceso platform is the world's first online community solely dedicated for information senior security Executives cesos cios csos cdos directors and more with 40,000 plus professionals globally and 5,000 Plus members do join us if you're one of them today's session is on exposure management for financial institutions to overcome resource limitations and Regulatory reporting our speakers today are Dave Loi and this session will be moderated by nashen Le partner at CIO program strategy nine has been in the technology industry and to the audience what are your observations on this Talent topic and do the resource challenges resonate with you and how are you addressing it and do share and use the chat window to um to sh to voice your your opinion as well and let's move on to the next question which is very exciting so given all the challenges that we've discussed what are some of the more effective strategies for managing exposure in the face of talent shortage and increasingly complex regulatory demands uh bash your your view on this sure sure um so there are a couple of things which I would like to maintain uh or I'd like to talk about today but there are many other things which needs to be done but these are like two things which are more.

 

Highlights:

Continuous Assurance: Financial institutions employ tactics such as regular risk assessments, vulnerability scanning, and penetration testing to ensure ongoing vigilance over their cyber posture. By leveraging automated tools and robust frameworks, they strive for comprehensive threat visibility.

Cyber Insurance: Despite debates surrounding its efficacy, cyber insurance emerges as a critical risk mitigation strategy. By providing financial protection against data breaches, ransomware attacks, and other cyber incidents, it serves as a vital component of an organization's risk management arsenal.

Talent Shortage and Regulatory Compliance: Resource limitations and complex regulatory mandates pose formidable challenges for financial institutions. To navigate these hurdles, they adopt innovative approaches, including talent development initiatives, strategic partnerships, and outsourcing arrangements, to augment their cybersecurity capabilities.

Exposure Management Strategies: In the face of talent shortages and regulatory demands, financial institutions prioritize proactive exposure management. This entails robust incident response plans, comprehensive data protection measures, and strategic investments in emerging technologies such as AI and machine learning.

Collaboration and Knowledge Sharing: Recognizing the collective nature of cyber threats, financial institutions actively participate in industry forums, such as the CISO platform, to exchange insights, best practices, and threat intelligence. This collaborative approach fosters a culture of resilience and adaptability across the sector.

 

In the dynamic landscape of cybersecurity, financial institutions must adopt a multi-faceted approach to manage exposure effectively. By embracing continuous assurance measures, leveraging cyber insurance, and addressing talent shortages through innovative strategies, they can fortify their defenses against evolving threats. Moreover, fostering collaboration and knowledge sharing within the industry reinforces their ability to adapt to emerging challenges and safeguard the integrity of global financial systems.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue


Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

 

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

Read more…