In this episode, I will dive into Continuous Threat Exposure Management (CTEM) and how it revolutionizes vulnerability prioritization. I discuss the essential steps—scoping, discovery, prioritization, validation, and mobilization—required for effective risk management. Learn how to align your security efforts with mission-based goals and leverage CTEM to protect your organization's critical assets. Gain insights into overcoming implementation challenges and the necessity of integrating various security tools while maintaining strategic oversight.

00:00 Introduction and Viewer Question

00:37 Understanding Risk Reduction Beyond Tools

02:54 The Importance of Prioritization

03:05 Five Steps to Effective Risk Management

06:06 Challenges and Considerations in CTEM Implementation

07:39 The Human Element in Risk Management

09:12 Conclusion and Final Thoughts

Do you want to succeed in your next Cybersecurity Risk Assessment?Here is a quick start guide: https://www.execcybered.com/ECE/3-step-framework-sp/3-step-framework/

Understanding Impact Assessment in Cybersecurity: A Deep Dive

In this video, I tackle the questions: Does impact assessment exist in cybersecurity, and how is it conducted? I break down the fundamental formula of cybersecurity risk, which includes threat, vulnerability, and impact. The different types of impact—financial, reputational, and operational—and how to classify them. Discover the importance of context in impact analysis across device-level, application-level, and organizational-level ecosystems.

00:00 Introduction and Viewer Questions
00:08 Understanding Impact Assessment in Cybersecurity
00:33 Breaking Down the Impact Formula
01:10 Contextualizing Impact in Cybersecurity
01:54 Layers of Impact Analysis
03:32 Operational, Financial, and Reputational Impact
05:12 Standalone vs. Integrated Impact Assessment
05:37 Conclusion and Final Thoughts

Cyber Risk Assessment - 3-Step Framework: https://www.execcybered.com/ECE/3-step-framework-sp/3-step-framework/

It's a common, yet unsettling, scenario in cybersecurity risk assessment: discovering a crucial component was overlooked after an assessment is complete. The question often arises: "How do you handle missing risks in a risk assessment? What can you do in the situation, and how can you prevent this from happening again?"

Let's unpack this compound query, focusing on mission-based cyber risk management and practical prevention strategies.

Dr. B. 

As cybersecurity professionals, we often dive deep into the intricacies of networks, code, and vulnerabilities. We assume that identifying assets, scanning for weaknesses, and generating reports are the core of cybersecurity risk assessment. But if you've ever spent a day in a corporate environment, you know the biggest challenge isn't the technology; it's the people.

Today, let's explore two critical points: how we got here and, more importantly, how we get out of it.

Dr. B. 

Cyber Asset Assessment: Understanding the Importance of Sampling

In this episode, I dive into the crucial step of sampling in cyber asset assessment. Learn why sampling is essential, especially when dealing with large environments and limited resources. Discover the various types of sampling methods, including probability and non-probability sampling, and understand how to statistically correlate your sample size to the total population of your cyber assets. Perfect for anyone looking to efficiently and effectively assess their organization's cyber assets.

00:00 Introduction to Cyber Asset Assessment
00:26 Understanding Sampling in Large Environments
01:23 Statistical Ties and Inference in Sampling
02:30 Why Sampling is Essential
03:12 Types of Sampling Methods
04:25 Implementing Non-Probability Sampling
05:32 Final Thoughts on Sampling

In this episode, I dive into the essential first steps for a successful cybersecurity risk assessment. Unlike traditional methods, we emphasize the importance of aligning cyber protection with corporate objectives and mission-critical assets. Learn why it's crucial to go beyond regulatory requirements and how to accurately identify and cross-check your assets, from application servers to firewalls. Stay tuned for upcoming videos where we break down the comprehensive process for a cyber assessment in organizations of any size.

00:00 Introduction: Protecting Property vs. Cybersecurity

00:27 Misconceptions in Cybersecurity

01:21 Regulatory vs. Non-Regulatory Importance

02:13 Identifying Critical Assets

02:31 Steps for Cybersecurity Risk Assessment

02:54 Validating and Cross-Checking Assets

03:34 Conclusion and Upcoming Videos

How to Aggregate Vulnerability Risks Efficiently for Your IT Environment

In this episode, we'll explore the comprehensive approach to scanning and evaluating the entire ecosystem of your application, including databases, firewalls, and routers. Discover a simple yet effective formula to aggregate the risks from hundreds of vulnerabilities and learn how to categorize these risks to support your corporate objectives and mission. This technique is especially useful for small to midsize companies without automated tools. Gain insights into the subjectivity and adjustments needed to fine-tune the risk levels applicable to your organization's risk appetite. Stay tuned for essential tips on incorporating vulnerability, aging, and external exposure into your risk assessment framework.

00:00 Introduction to Environment Scanning

00:55 Challenges in Vulnerability Management

01:54 Formula for Aggregating Risk

03:28 Adjusting Risk Based on Vulnerability

06:38 Final Thoughts and Next Steps

President Trump Amends Cybersecurity Executive Orders: Key Impacts and Analysis

In this episode, we delve into President Trump's recent amendments to Executive Orders 13694 and 14144, primarily focusing on enhancing national cybersecurity. We outline six key areas of impact, including specific threat identification, secure software development, post-quantum cryptography preparations, AI in cyber defense, modernizing federal systems, and defining scope in sanctions and applications. These proactive measures aim to strengthen the U.S. cybersecurity posture against foreign threats. Join the discussion and share your thoughts on these crucial changes.

00:00 Introduction to Cybersecurity Amendments

00:55 Key Fact 1: Updated Policy and Threat Landscape

02:21 Key Fact 2: Enhancing Secure Software Development

04:30 Key Fact 3: Preparing for Post-Quantum Cryptography

06:44 Key Fact 4: Promoting Security with AI

08:59 Key Fact 5: Modernizing Federal Systems

11:10 Key Fact 6: Scope of Applications and Sanctions

13:08 Conclusion and Final Thoughts

Optimizing SIEM Storage Costs: Effective Logging Strategies

Is storage really as cheap as people think? This episode delves into the true cost of storage in the context of Security Information and Event Management (SIEM) systems. We explore traditional logging practices and their impact on storage, especially with the rise of cloud computing and hybrid environments. The key focus is on identifying critical applications and underlying architectures to optimize logging processes, thus controlling operational costs without compromising security. Learn about the importance of strategic log triage and maintaining an efficient security posture in a complex IT landscape.

00:00 Introduction: Is Storage Really Cheap?
00:20 Understanding SIEM and Log Management
01:08 Strategies for Managing Operational Costs
01:46 Critical vs. Less Critical Systems
02:30 The Importance of a Triage Process
03:06 Conclusion: Balancing Cost and Security

The Importance of Managerial Controls in Cybersecurity: Insights from 1978

In this episode of Doctor's Advice, Dr. B discusses the critical idea presented by Steward Madnick in 1978, emphasizing that computer security can't rely solely on technical measures. Dr. B explains how operational computer security requires managerial controls, such as policies, standards, and procedures. The conversation highlights the importance of prioritizing the protection of systems that align with corporate objectives and customer service rather than randomly patching vulnerabilities. Dr. B urges examining internal processes and adapting strategies to focus on mission-based cybersecurity, especially in today's environment where deploying numerous systems and services through cloud computing has become remarkably easy.

00:00 Introduction to Computer Security

00:32 Madnick's 1978 Insight on Managerial Controls

01:27 The Importance of Prioritizing Vulnerabilities

03:28 Mission-Based Cybersecurity

03:37 Challenges in Modern Cybersecurity

04:29 The Need for Strategic Cybersecurity

04:53 Criticality of Production Systems

05:33 Reflecting on 1978 Principles in 2025

06:23 Final Thoughts and Call to Action

07:25 Conclusion and Subscription Reminder

Dr. B. 

The world is awash in information, but clarity is a rare commodity. We're bombarded with headlines, statistics, and pronouncements, all vying for our attention and belief. But in this age of information overload, a healthy dose of skepticism is not just valuable; it's essential. This is especially true in the realm of cybersecurity, where threats are constantly evolving, and the stakes are higher than ever.

Take a listen.

Dr. B.

Ready to explore the fascinating intersection of AI and cybersecurity? My latest podcast episode is live, and it's packed with insights you won't want to miss!

**In this episode, we delve into:**

- **The AI Advantage:** Discover how AI is revolutionizing threat detection, prediction, and response, acting as a tireless guardian in the digital realm.
- **The Human Element:** Understand why AI is not a magic bullet and how human intelligence remains crucial for setting the mission, guiding the strategy, and ensuring ethical AI implementation.
- **Mission-Based Cybersecurity:** Learn how to align your cybersecurity strategy with your organization's core purpose, prioritizing the protection of what truly matters.
- **The Future of Skills:** Explore cybersecurity professionals' evolving role in the AI age and the essential human skills that will be in high demand.

**Listen now and discover:**

- How to leverage AI to amplify your cybersecurity capabilities.
- Why mission-based cybersecurity is essential for protecting what matters most.
- What skills do you need to develop to thrive in the AI-powered future of cybersecurity?

🛡️ Cybersecurity is EVERYONE'S Responsibility! 🛡️

Think cybersecurity is just for the IT department? Think again!

In this episode, we break down the dangerous misconception that cybersecurity is just about firewalls and antivirus software. It's about protecting your organization's mission, values, and people.

**Here's what you'll learn:**

- **Why cybersecurity is a shared responsibility** - from the marketing team to the receptionist, everyone has a role to play.
- **How to break down silos and foster collaboration** between departments to strengthen your security posture.
- **Practical strategies for building a security-conscious culture** where employees are empowered to identify and report threats.
- **Real-world examples and case studies** that illustrate the importance of a security-first mindset.

Don't wait for a breach to happen! Take ownership of cybersecurity and protect what matters most.

Dr. B. 

Forget the magic numbers. Cyber risk appetite isn't about finding a one-size-fits-all percentage of revenue. It's about protecting your company's dreams. In this episode, we dive deep into the WHY behind cyber risk appetite. We explore how a strong understanding of risk tolerance can safeguard your mission, reputation, and customer trust.

Discover:

• The crucial factors that shape your cyber risk appetite (hint: it's more than just revenue!).
• Why a mission-driven approach to cybersecurity is essential in today's threat landscape.
• How to build a robust risk management plan that aligns with your business goals.
• Don't just mitigate threats - empower your vision. Watch now and learn how to own your cyber risk appetite truly.

An article from Gartner named "AI in Cybersecurity: Define Your Direction" explores the impact of AI, particularly generative AI (GenAI), on the cybersecurity landscape. While acknowledging the transformative potential of AI and the hype surrounding it, the article emphasizes that this technology also introduces new risks and challenges. 

Dr. B. 

Cybersecurity risk management has taken center stage for organizations across all industries in the wake of recent high-profile cyberattacks, such as the SolarWinds breach and the Colonial Pipeline ransomware incident. As a CISO, you know firsthand the challenges and complexities that organizations face in navigating this ever-evolving threat landscape. Today, I'll share insights and leadership advice on how to build a robust and resilient cybersecurity program using four key thematic words: Align, Agency, Awareness, and Adaptability.

Dr. B.

The Cyber Defense Matrix (CDM) model tackles the difficulties of cost-effective and resilient cybersecurity planning by offering a structured framework to select and implement the most critical security controls, considering factors like budget, risk tolerance, and usability constraints.

Dr. B.

In cybersecurity, organizations are constantly grappling with the question of compliance. Is it merely a checkbox exercise, a source of unnecessary overhead, or a fundamental pillar of a robust security posture? The debate surrounding cybersecurity compliance often centers on the perceived tension between agility and adherence to regulatory frameworks. Here, I aim to dive into this complex issue, examining the arguments for and against compliance and ultimately providing insights to help organizations strike a balance between security and operational efficiency.

In cybersecurity, organizations face a relentless barrage of threats that can compromise their sensitive data, disrupt operations, and tarnish their reputation. While quantitative data and automated tools play a crucial role in identifying and mitigating risks, the value of human expertise remains paramount. As D. Hubbard eloquently stated in 2014, "The expert is the instrument,” emphasizing the irreplaceable role of experienced professionals in navigating the complexities of cybersecurity. This podcast explores the significance of expert judgment in risk management, highlighting its ability to provide context, insight, and adaptability that quantitative data alone cannot replicate.

Dr. B.

Organizations face an ever-increasing array of cyber threats. A proactive and strategic approach to cybersecurity risk management is essential to counter these risks. This process not only safeguards an organization's valuable digital assets but also elevates the visibility and influence of the cybersecurity team.

The cybersecurity team can demonstrate its indispensable value by strategically aligning risk management practices with the core business objectives. This alignment ensures that security measures are not seen as mere roadblocks but as enablers of business growth and continuity. It showcases the team's expertise in understanding and mitigating risks that could potentially impact the organization's bottom line and reputation, ultimately contributing to its continued success.

Dr. B.

The rapid advancement of technology brings unprecedented opportunities and significant cybersecurity risks. The World Economic Forum's (WEF) October 2024 white paper, "Navigating Cyber Resilience in the Age of Emerging Technologies: Collaborative Solutions for Complex Challenges," offers a deep dive into these evolving risks and proposes a shift towards a more resilient approach to cybersecurity.

Dr. B.

Organizations grapple with a complex challenge: striking the right balance between human expertise and algorithmic insights. As highlighted by Hubbard (2014), a prevailing trend is the tendency for individuals within organizations, including senior management, to overvalue their own opinions and ideas, even when confronted with data-driven insights generated by sophisticated algorithms. This phenomenon, often referred to as the "expertise paradox," can have significant implications for cybersecurity risk management.

Dr. B.

The adage "what gets measured gets managed" holds significant weight in cybersecurity. Organizations invest heavily in metrics, Key Performance Indicators (KPIs), and risk assessments, aiming to quantify their cybersecurity posture and demonstrate progress. However, a growing concern emerges: the "analysis placebo" effect, as highlighted by Hubbard (2014). This phenomenon suggests that the act of measuring itself can create a false sense of security, leading organizations to believe they are effectively managing risks when, in reality, they may be overlooking critical vulnerabilities.

Dr. B.

Cybersecurity is no longer a luxury but a necessity for small and midsize businesses (SMBs). Cyber threats are becoming increasingly sophisticated, and SMBs are often seen as easy targets due to their perceived lack of resources and security measures. However, with the right approach, SMBs can implement robust cybersecurity risk management programs that are both effective and affordable.

Dr. B.

Establishing a robust cybersecurity risk management program is paramount for any organization. As a CISO, the task of safeguarding critical assets and sensitive data can be daunting. However, leveraging the Cyber Defense Matrix (CDM) as a strategic framework can lay a solid foundation for your cybersecurity program and proactively mitigate risks. This article outlines the first five crucial steps I would take if tasked with setting up a cyber risk management program, emphasizing the integration of the CDM for optimal effectiveness.

Dr. B.

Today, I discuss and present the report's findings and share some of my thoughts on each finding from this survey. 

Thanks.
Dr. B.

Endpoints such as laptops, desktops, mobile devices, and servers remain a prime target for attackers. These devices, serving as gateways to critical business data and systems, are constantly under siege from malware, ransomware, phishing attacks, and other sophisticated threats. As a CISO, safeguarding your organization's endpoints is a matter of cybersecurity and a strategic financial imperative. Here, I will discuss endpoint security, exploring how solutions like antivirus, Endpoint Detection and Response (EDR), and device management align with the Cyber Defense Matrix to protect your organization's assets and financial well-being.

Applications have become the lifeblood of businesses, driving innovation and operational efficiency. However, this reliance on applications also exposes organizations to a myriad of cyber threats. Attackers are increasingly targeting vulnerabilities within applications to gain unauthorized access, exfiltrate sensitive data, and disrupt critical business functions. As a CISO, safeguarding your organization's application portfolio is paramount. Here, we dive into the domain of application security, exploring best practices, the role of the Cyber Defense Matrix, and actionable strategies to fortify your defenses against application-level attacks.

As CISOs, you are entrusted with safeguarding our organizations' digital assets. However, this responsibility extends beyond mere technical implementation; it encompasses a financial imperative. In today's threat landscape, network security vulnerabilities can lead to devastating financial losses, from data breaches and regulatory fines to operational disruptions and reputational damage.

Here, I’ll dive into the critical role of network security within the Cyber Defense Matrix framework. We'll explore how robust network security controls, such as firewalls, intrusion detection systems (IDS), and segmentation, mitigate cyber risks and contribute to a fiscally responsible security strategy.

The critical role of Identity and Access Management (IAM) in today's complex digital landscape. IAM is essential for controlling access to valuable assets, both in the cloud and traditional datacenters. The cloud's dynamic nature requires a robust IAM strategy incorporating centralized identity management, dynamic authorization, and strong authentication, including multi-factor authentication (MFA). For datacenters, best practices include privileged access management (PAM), network segmentation, and regular audits.

This podcast highlights IAM's integral role within the Cyber Defense Matrix, supporting functions like Identify, Protect, Detect, Respond, and Recover. It also underscores the financial benefits of a strong IAM strategy, mitigating the risk of costly data breaches and streamlining operations through automation. The author concludes by positioning IAM not just as a best practice but as a strategic imperative for CISOs, enabling innovation while safeguarding digital assets.

In the boardroom and the server room, today's CISO faces a dual challenge: safeguarding the organization's digital assets while demonstrating the tangible value of cybersecurity investments. The Cyber Defense Matrix emerges as a strategic bridge between these imperatives, offering a structured framework to identify security gaps, prioritize spending, and align defensive strategies with business goals.

This podcast explores how CISOs can leverage the Cyber Defense Matrix to make informed financial decisions, ensuring that every dollar spent on cybersecurity contributes to a resilient and risk-aware enterprise.

Today, we’re tackling a crucial topic for any Chief Information Security Officer—how to validate your Cyber Defense Matrix using Key Performance Indicators or KPIs. This episode is for you if you're looking for actionable ways to measure and enhance your security posture.

The Cyber Defense Matrix is an invaluable framework for organizing and understanding your cybersecurity strategy. But its true power comes into focus when its effectiveness is quantifiable. Today, we'll explore some fundamental KPIs and see how they align with the layers of the matrix, giving you the tools to validate your security measures in a practical and powerful way.

Advisory Services: https://www.execcybered.com/advisory-services
White Paper: https://www.execcybered.com/cybersecurity-metrics

>>Schedule Call<<

Dr. Bill Souza

Cybersecurity risk assessment is a very effective tool; however, it can not be done using a survey instrument. Here are my thoughts on the matter. 

🎓 FREE MASTERCLASS: Learn all about cybersecurity project success, from pitch to approval! Join me: https://www.execcybered.com/cybersecurity-project-success-from-pitch-to-approval. 🚀

Connect with us on:

• 👥LinkedIn: https://www.linkedin.com/company/exceccybered/ 
• 📺YouTube: https://bit.ly/3BGOtPA 

🔒 Secure your knowledge and stay informed! 🌟

Thank you.
Dr. Bill Souza

Read more: https://buff.ly/3UST8aE

FREE MASTERCLASS

https://www.execcybered.com/cybersecurity-project-success-from-pitch-to-approval

Read more: https://www.execcybered.com/blog/cybersecurity-risk-assessment-device-identify

FREE MASTERCLASS

https://www.execcybered.com/cybersecurity-project-success-from-pitch-to-approval

Alarmed by "Have you heard cybersecurity is a business issue?" But WORRIED your education left you UNPREPARED to face it? Colleges and certificate programs rarely teach business, communication, or sales skills crucial for cybersecurity careers.

Don't fret! My YouTube video talks about the essential soft skills missing from your education. Learn how to navigate business dynamics, communicate effectively, and even close deals in the cybersecurity field with my free training below. Stop feeling powerless and unlock your true career potential!

Click the link in the description to watch now and master the skills to thrive in the competitive cybersecurity landscape.

#cybersecurity #careers #education #skills #business #communication #sales #softkills #youtube #video #learning #development #opportunity #success

FREE MASTERCLASS

https://www.execcybered.com/cybersecurity-project-success-from-pitch-to-approval

Zone Defense - Another strategy to add to your cybersecurity program.

How to defend your organization from cybersecurity breaches and today's cyber attacks. One quick sec cybersecurity rule to add to your strategy arsenal is discussed here.

In this week's podcast, I discuss the required steps to establish a risk or vulnerability program in your organization. Check it out!

Areas to Address:

1. Adoption challenges
2. Risks
3. Governance
4. Roles and responsibilities

Scope to Consider:

• Can the users use Generative Artificial Intelligence (GAI)? (External GAI vs. Internal GAI)
• Which department is responsible for documenting the need for GAI and aligning it with corporate objectives?
• Third-party & GAI, including software features
• Privacy
• Contractual obligations
• Responsible AI
• Regulatory
• Output quality
• Inherited bias

Governance:

• Who is responsible?
• Who should be part of the governance team?
• What are the roles and responsibilities?

In an interconnected world, the impact of various global trends is not limited to individual domains. The convergence of COVID-19, the green transition, the rise of AI, microeconomic uncertainties, and cybersecurity have created a complex landscape with challenges and opportunities. Let's explore the intricate relationship between these forces, shedding light on cybersecurity's significant role in this new era. Read more here: https://www.execcybered.com/blog/unveiling-the-intersection-the-impact-of-covid-19-the-green-transition-the-rise-of-ai-microeconomic-uncertainties-and-cybersecurity

With increasingly sophisticated cyber threats, organizations must prioritize protecting their sensitive data and networks. As a result, the demand for skilled cybersecurity professionals has skyrocketed, creating a unique opportunity for individuals to upskill or reskill in this high-demand field. Today, I will explore the significance of upskilling and reskilling in cybersecurity and provide valuable insights into navigating this dynamic industry effectively. Want to read more? Go to our block at https://www.execcybered.com/blog/upskilling-and-reskilling-in-cybersecurity-unlocking-the-path-to-professional-excellence

Have you heard? ChatGPT 4.0 is here, so what is your corporate strategy? Let me give you a few pointers to think about.

5 Cybersecurity Controls - Reduce 85% of Cyber Risk

A Hard Look Honest communication between board members and information officers is critical to good cybersecurity. Cyber experts must relay their insights through non-technical storytelling and make a pertinent business case. Business leaders should aim for a cyber-aware culture permeating an entire organization.

Read more: https://www.weforum.org/agenda/2022/12/cybersecurity-board-collaboration/

==========
How can a vCISO help your organization?

The CISO role is all about the strategy, leadership, management, and communication of how potential threats will be assessed and solved.

The CISO will absorb the big picture and dismantle it and restructure it to ensure it meets the initiatives of the department and the organization.

Let E|CE help your Small Business

Contact us: https://www.execcybered.com/contact

Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

#cybersecurity #cyberrisk #cyberriskmanagement #risk #riskmanagement #smallbusiness #smaillbusinesses #ceo #cio #ciso #vciso #ece #governance #cybergovernance #cybersecurity #chiefinformationsecurityofficer #ceos #chiefexecutiveofficer #cybersecurityawarenessmonth #cybersecuritystrategy #cybersecurityculture #cybersecurityawarenesstraining #cybersecuritythreats #cyberattacks #cybersecurityleadership #insiderthreats #insiderrisk #informationsecurity #businessstrategy #securitymanagement #leadership

Is your organization using threat intelligence to run threat modeling?

If not, that’s a miss-opportunity. Your organization should establish desktop exercises or an informal cross-functional team to run threat modeling scenarios. This team would do the following four steps: Identify and characterize the systems supporting the organization's mission and objectives as a starting point. Identify the cybersecurity stack capabilities protecting these systems. Identify and select the attack vectors to be included in the model. The most plausible is not every scenario. Analyze the threat model. Any gaps identified should be reported to management as potential vulnerabilities must be addressed. Bonus Point: Map the identified vulnerabilities to the cybersecurity risks to the mission and corporate objectives being reported to the executive leadership or board of directors.

==========
How can a vCISO help your organization?

The CISO role is all about the strategy, leadership, management, and communication of how potential threats will be assessed and solved.

The CISO will absorb the big picture and dismantle it and restructure it to ensure it meets the initiatives of the department and the organization.

Let E|CE help your Small Business

Contact us: https://www.execcybered.com/contact

Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

#cybersecurity #cyberrisk #cyberriskmanagement #risk #riskmanagement #smallbusiness #smaillbusinesses #ceo #cio #ciso #vciso #ece #governance #cybergovernance #cybersecurity #chiefinformationsecurityofficer #ceos #chiefexecutiveofficer #cybersecurityawarenessmonth #cybersecuritystrategy #cybersecurityculture #cybersecurityawarenesstraining #cybersecuritythreats #cyberattacks #cybersecurityleadership #insiderthreats #insiderrisk #informationsecurity #businessstrategy #securitymanagement #leadership

The Neglected Pages of NIST

When you download a NIST document, whether NIST 800-53, NIST 800-39, NIST 800-37, or the NIST Cybersecurity Framework, what page do you start reading first?

==========
How can a vCISO help your organization?

The CISO role is all about the strategy, leadership, management, and communication of how potential threats will be assessed and solved.

The CISO will absorb the big picture and dismantle it and restructure it to ensure it meets the initiatives of the department and the organization.

Let E|CE help your Small Business

Contact us: https://www.execcybered.com/contact

Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

#cybersecurity #cyberrisk #cyberriskmanagement #risk #riskmanagement #smallbusiness #smaillbusinesses #ceo #cio #ciso #vciso #ece #governance #cybergovernance #cybersecurity #chiefinformationsecurityofficer #ceos #chiefexecutiveofficer #cybersecurityawarenessmonth #cybersecuritystrategy #cybersecurityculture #cybersecurityawarenesstraining #cybersecuritythreats #cyberattacks #cybersecurityleadership #insiderthreats #insiderrisk #informationsecurity #businessstrategy #securitymanagement #leadership

How a vCISO can help your organization? The CISO role is all about the strategy, leadership, management, and communication of how potential threats will be assessed and solved. The CISO will absorb the big picture and dismantle it and restructure it to ensure it meets the initiatives of the department and the organization.

==========
How can a vCISO help your organization?

The CISO role is all about the strategy, leadership, management, and communication of how potential threats will be assessed and solved.

The CISO will absorb the big picture and dismantle it and restructure it to ensure it meets the initiatives of the department and the organization.

Let E|CE help your Small Business

Contact us: https://www.execcybered.com/contact

Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

#cybersecurity #cyberrisk #cyberriskmanagement #risk #riskmanagement #smallbusiness #smaillbusinesses #ceo #cio #ciso #vciso #ece #governance #cybergovernance #cybersecurity #chiefinformationsecurityofficer #ceos #chiefexecutiveofficer #cybersecurityawarenessmonth #cybersecuritystrategy #cybersecurityculture #cybersecurityawarenesstraining #cybersecuritythreats #cyberattacks #cybersecurityleadership #insiderthreats #insiderrisk #informationsecurity #businessstrategy #securitymanagement #leadership

Theft of Information is present in every organization and varies widely concerning value. The value of information is directly related to its criticality to the business. However, information can be further characterized along a continuum of data, information, and knowledge that reflects variances.

“Data becomes information when endowed with relevance and purpose;” there are numerous motivating factors for threat actors and criminals to steal data, such as aiding in the theft of funds, disrupting operations, and increasing capabilities for further data theft. While the value of financial or physical assets is typically straightforward and quantifiable, the value of various forms of information is harder to measure. Information theft is unique compared to other types of theft; information theft generally does not result in depriving the asset owner of the asset because the theft is usually executed as a data copy or as an action intended to deprive legitimate users of accessing the system or data.

Organizations must understand where their crown jewels are in the organization so they can be protected accordingly. 

==========
How can a vCISO help your organization?

The CISO role is all about the strategy, leadership, management, and communication of how potential threats will be assessed and solved.

The CISO will absorb the big picture and dismantle it and restructure it to ensure it meets the initiatives of the department and the organization.

Let E|CE help your Small Business

Contact us: https://www.execcybered.com/contact

Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

#cybersecurity #cyberrisk #cyberriskmanagement #risk #riskmanagement #smallbusiness #smaillbusinesses #ceo #cio #ciso #vciso #ece #governance #cybergovernance #cybersecurity #chiefinformationsecurityofficer #ceos #chiefexecutiveofficer #cybersecurityawarenessmonth #cybersecuritystrategy #cybersecurityculture #cybersecurityawarenesstraining #cybersecuritythreats #cyberattacks #cybersecurityleadership #insiderthreats #insiderrisk #informationsecurity #businessstrategy #securitymanagement #leadership

Do you have an operational or strategic view when protecting your organization's systems?

==========
How can a vCISO help your organization?

The CISO role is all about the strategy, leadership, management, and communication of how potential threats will be assessed and solved.

The CISO will absorb the big picture and dismantle it and restructure it to ensure it meets the initiatives of the department and the organization.

Let E|CE help your Small Business

Contact us: https://www.execcybered.com/contact

Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

#cybersecurity #cyberrisk #cyberriskmanagement #risk #riskmanagement #smallbusiness #smaillbusinesses #ceo #cio #ciso #vciso #ece #governance #cybergovernance #cybersecurity #chiefinformationsecurityofficer #ceos #chiefexecutiveofficer #cybersecurityawarenessmonth #cybersecuritystrategy #cybersecurityculture #cybersecurityawarenesstraining #cybersecuritythreats #cyberattacks #cybersecurityleadership #insiderthreats #insiderrisk #informationsecurity #businessstrategy #securitymanagement #leadership

Acronyms, Jargons & Idioms Impacting Communication Between Board, C-Suite, and Specialists. Communication is a two-way street, and company executives must be prepared to ask their own questions exploring the data being presented to them. The questions can be simple and direct, such as Can you elaborate on how this presented data impacts our company's objective(s)? What percentage of these vulnerabilities impact the systems supporting our company's mission and objectives? These simple questions will ignite an insightful discussion and provide the information you may want to make educated decisions.

==========

The CISO role is all about the strategy, leadership, management, and communication of how potential threats will be assessed and solved. The CISO will absorb the big picture and dismantle it and restructure it to ensure it meets the initiatives of the department and the organization.

Let E|CE help your Small Business

• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/
• Youtube: https://bit.ly/3BGOtPA

#cybersecurity #cyberrisk #cyberriskmanagement #risk #riskmanagement #smallbusiness #smaillbusinesses #ceo #cio #ciso #ece #governance #cybergovernance #cybersecurity #chiefinformationsecurityofficer #ceos #chiefexecutiveofficer #cybersecurityawarenessmonth #cybersecuritystrategy #cybersecurityculture #cybersecurityawarenesstraining #cybersecuritythreats #cyberattacks #cybersecurityleadership #insiderthreats #insiderrisk #informationsecurity #businessstrategy #securitymanagement #leadership

Thanks.

Dr. Bill Souza

CEO | Founder

www.execcybered.com

Mission-Centric Cyber Risk Metrics Understanding what to measure in a mission-critical risk program is important, so today, I'll discuss a framework you can use.

1. Identify the system's environment (production, development, test, etc.) 2. System's criticality 3. Business Area ownership 4. Solution(s) being hosted on the identified systems 5. Top controls being violated 6. Vulnerabilities identified 7. Minimum Security Baselines non-conformance 8. Internal audit findings 9. Penetration test findings 10. Threat hunts.

These data points will assist your organization in understanding how much risk exposure your mission-supporting solutions may be exposed to. 

==========

The CISO role is all about the strategy, leadership, management, and communication of how potential threats will be assessed and solved. The CISO will absorb the big picture and dismantle it and restructure it to ensure it meets the initiatives of the department and the organization.

Let E|CE help your Small Business

• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/
• Youtube: https://bit.ly/3BGOtPA

#cybersecurity #cyberrisk #cyberriskmanagement #risk #riskmanagement #smallbusiness #smaillbusinesses #ceo #cio #ciso #ece #governance #cybergovernance #cybersecurity #chiefinformationsecurityofficer #ceos #chiefexecutiveofficer #cybersecurityawarenessmonth #cybersecuritystrategy #cybersecurityculture #cybersecurityawarenesstraining #cybersecuritythreats #cyberattacks #cybersecurityleadership #insiderthreats #insiderrisk #informationsecurity #businessstrategy #securitymanagement #leadership

Thanks.

Dr. Bill Souza

CEO | Founder

www.execcybered.com

Retail banking takes care of regular daily banking, for which most people know banks. This includes providing checking and saving services and issuing credit cards. Retail banking divisions may also be in charge of providing loans, mortgages, and other financings. Some other products and services may be offered under retail banking divisions: Lines of credit, Investment management and accounts, Insurance Retirement, and education accounts. Ask a simple, broad, and open-ended question; what do you perceive as your cybersecurity risk? This question probes for a direct answer to an intentional board and open-ended question. You don’t need to know or even judge the merit of any answer, but you do need to judge the organization’s ability to provide a sufficient answer. 

==========

The CISO role is all about the strategy, leadership, management, and communication of how potential threats will be assessed and solved. The CISO will absorb the big picture and dismantle it and restructure it to ensure it meets the initiatives of the department and the organization.

Let E|CE help your Small Business

• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/
• Youtube: https://bit.ly/3BGOtPA

#cybersecurity #cyberrisk #cyberriskmanagement #risk #riskmanagement #smallbusiness #smaillbusinesses #ceo #cio #ciso #ece #governance #cybergovernance #cybersecurity #chiefinformationsecurityofficer #ceos #chiefexecutiveofficer #cybersecurityawarenessmonth #cybersecuritystrategy #cybersecurityculture #cybersecurityawarenesstraining #cybersecuritythreats #cyberattacks #cybersecurityleadership #insiderthreats #insiderrisk #informationsecurity #businessstrategy #securitymanagement #leadership

Thanks.

Dr. Bill Souza

CEO | Founder

www.execcybered.com

Technologies and the methods used to hack into them continuously evolve. If you’re looking for an effective and efficient way to check the cybersecurity health of your organization, I suggest the following three checkups:

1. Vulnerability and Penetration: Test Once you know the mission-critical systems in your organization, I suggest performing these two cybersecurity tests on a continuous basis.
2. Vulnerability Scans & Software Updates Scanning: your mission-critical systems for vulnerabilities and then prioritizing and patching them is a critical practice to maintain cybersecurity hygiene.
3. Risk Assessments: A holistic approach will require that your team consider the results of your penetration test, vulnerability scans, and other vulnerability and threat information and develop an educated conclusion of the organization’s risks.

==========

The CISO role is all about the strategy, leadership, management, and communication of how potential threats will be assessed and solved. The CISO will absorb the big picture and dismantle it and restructure it to ensure it meets the initiatives of the department and the organization.

Let E|CE help your Small Business

• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/
• Youtube: https://bit.ly/3BGOtPA

#cybersecurity #cyberrisk #cyberriskmanagement #risk #riskmanagement #smallbusiness #smaillbusinesses #ceo #cio #ciso #ece #governance #cybergovernance #cybersecurity #chiefinformationsecurityofficer #ceos #chiefexecutiveofficer #cybersecurityawarenessmonth #cybersecuritystrategy #cybersecurityculture #cybersecurityawarenesstraining #cybersecuritythreats #cyberattacks #cybersecurityleadership #insiderthreats #insiderrisk #informationsecurity #businessstrategy #securitymanagement #leadership

Thanks.

Dr. Bill Souza

CEO | Founder

www.execcybered.com

Do you believe these are business challenges?

• Upskilling
• Low morale or quiet quitting
• Hiring and talent retention
• Keeping up with technology and tools

If so, why aren’t you considering cybersecurity as a core business challenge?

It takes 280 on average days to identify and contain a data breach, and the average cost is $3.86 million. Stolen or compromised employee credentials initiate the lion’s share of those breaches.

Small business advisory boards and panels must start pushing management to treat cybersecurity as a business risk.

========

#cybersecurity #cyberrisk #cyberriskmanagement #risk #riskmanagement #smallbusiness #smaillbusinesses #ceo #cio #ciso #ece #governance #cybergovernance

========

Let E|CE help your Small Business

*** Book a Call ***

https://booking.execcybered.com/#/customer/drbillsouzaexeccybered

• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/
• Youtube: https://bit.ly/3BGOtPA

Thanks.

Dr. Bill Souza

CEO | Founder

www.execcybered.com

Antivirus has become a necessary tool for preventing cyber incidents; while the market is crowded, you need to look for antivirus software that fits your organization’s needs. NIST has guidance that you can leverage; NIST 800-83 recommends key capabilities that an antivirus software must have:

• Scanning startup files and boot records
• Real-time scanning of emails and email attachments for malware
• Behavior monitoring of emails, browsers, and instant messaging software
• Scanning for known malware
• Disinfecting files
• Quarantining files
• Identifying common types of malware and attacker tools

NIST also recommends that organizations deploy antivirus software from a host and network-based perspective.

NIST 800-83: https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final

========

Let E|CE help your Small Business

*** Book a Call ***

https://booking.execcybered.com/#/customer/drbillsouzaexeccybered

• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/
• Youtube: https://bit.ly/3BGOtPA

Thanks.

Dr. Bill Souza

CEO | Founder

www.execcybered.com

Greater than Cybersecurity

When we realize that our cybersecurity challenges are complex and intertwined with conscious living people who view their actions in light of stories with emotions and ideas attached, one sees the need for many different perspectives. Therefore, the solution for your cybersecurity challenges will require knowledge beyond its discipline; it will involve communication, marketing, business, psychology, and sociology, among others. 

However, as an industry, we tend to become insular; as subject matter experts, we can’t know everything, so the first impulse is to specialize, narrowing our point of view to a defined subject. 

When cybersecurity reports are published depicting the most significant cybersecurity events of the year, they rarely focus on the critical narratives that accompanied those events or what actions, or lack thereof, led to those events.

It is not enough to assess what controls or tools are deployed in an organization. You need to understand the governance and management oversight of these controls and tools to ensure that they are effectively being used as prescribed; otherwise, you only see half of the story. 

Be critical, think critically, and have the right strategy in place. 

========

Let E|CE help your Small Business

*** Book a Call ***
https://booking.execcybered.com/#/customer/drbillsouzaexeccybered

Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

Protective Technology
The last item I want to mention under the Protect function that supports the  attack surface reduction and limits the cyber events' impact on your systems is “protective technologies.” 

Remember, protecting your organization involves six critical cybersecurity categories:

• Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Maintenance 
• Protective Technologies

The restriction of removable media according to policy is a good first step. Restricting the use of USB drives and external hard drives are the first ones that come to mind; however, if we holistically see this category, we can include company or vendor-specific support equipment, such as tablets and laptops that are used in your data center to support diagnose or troubleshoot your equipment. 

Second, and perhaps most prevalent in small businesses or micro-businesses, is to ensure your systems are single function; therefore, avoiding, for example, hosting an email server and web servers on the same device. An attack on one device would cause an interruption of service for both services.

Lastly, you can implement mechanisms to achieve business resilience; technology will fail, so having technology and the right architecture in place will minimize the impact to your business, such as:
Implementing load balancing, which will distribute workload across various systems
Hot-swap, which allows you to make maintenance repairs while your system continues to function

These are a few strategies that will turn your business more resilient. 

========

*** Book a Call ***
https://booking.execcybered.com/#/customer/drbillsouzaexeccybered

*** FREE GUIDE ***
https://www.execcybered.com/asset-management

Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

Ideally and preferably, your cybersecurity program should follow established policies, standards, and procedures. These documents will govern all organization members, including staff, vendors, volunteers, and anyone working on the organization’s behalf.

The first step towards information protection is to develop and maintain a baseline configuration for IT and OT systems if this applies to your organization that incorporates appropriate cybersecurity principles, such as least privilege. 

The baseline configurations are documented, formally reviewed, and agreed-upon sets of specifications for IT systems or configuration items within those systems. It serves as the basis for all future changes to the systems, and it is considered the stable version of any system. 

However, changes will occur over time, so a method is imperative to manage system changes. This task is part of a much larger discipline known as configuration management. Configuration management addresses the methods for controlling asset changes throughout the assets’ lifecycle. 

There are three roles your organization should consider in the change management process:
Configuration manager
Baseline manager
Verification manager

Once your organization establishes good baseline practices, the challenge is to keep track of all the changes required for the business; therefore, I suggest using a standard exception process to document the exceptions to the baseline while calculating the risk and requiring sign-offs. 

========

*** FREE GUIDE ***
https://www.execcybered.com/asset-management

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

Data Security
The third of the six critical cybersecurity categories I presented previously is “data security.” An organization's most valuable asset is data; hackers seek data sources to steal from businesses, governments, and non-profit organizations, including small and midsized companies. Data must be protected in transit and at rest. 

The NIST CSF addresses data security in its Protect function under its data security category (PR.DS). The first and second subcategories handle data in transit and data at rest, respectively. Organizations must implement security controls to address the integrity and confidentiality of the data. However, when putting this advice into practice, the challenge becomes how to protect against all the vulnerabilities; at the time of this recording, the Common Vulnerability Exposure (CVE) contains 183,630 CVE records.

One approach proposed by Scott Musman is to protect against the attack effects, which he classifies as the following categories:
Degradation
Interruption
Modification
Fabrication
Interception
Unauthorized use
The proposed concept is that regardless of the vulnerability of the 183,630, the impact will be one of the categories listed.

The other area that NIST CSF addresses under data security is environment segmentation, keeping the development and testing environments separate from the production environment. Not only by installing a DEV or TST system in production but also by avoiding the communication between these environments.

Last but not least, NIST CSF addresses hardware integrity. Not every company will need to implement this control, so I suggest adopting an ISO 27001 practice: create a spreadsheet with all the NIST CSF controls from the informative reference column and mark them as implemented or justify why it was not implemented. This practice will give you a good inventory of what you have implemented and a business justification for why not. 


========

*** FREE GUIDE ***
https://www.execcybered.com/asset-management

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

Securing and protecting your organization also takes a village to make happen, so cybersecurity awareness and training become very important; there’s so much technology can do to protect against phishing and its infinite variations, including the most efficient one, the Business Email Compromise (BEC); the FBI calls it “one of the most financially damaging online crimes.”

The NIST Framework addresses awareness and training in its Protect function under the category PR.AT, and it is also one of the top goals of the National Initiative for Cybersecurity Education (NICE). However, cybersecurity awareness has been a challenge for every organization because training individuals with several different skill levels and interest is complex.

The diffusion of innovation principle tells us that the adoption rate of an innovation or idea is compatible with the values, beliefs, and past experiences of individuals in the social system. So, are you connecting to your audience? 

Here is what the diffusion of innovation principle tells us as well; 

On the bell curve, all population sits in the standard deviation; you will always have high, low, and average performers. The first 2.5% will be innovators, the big idea people; the next 12 to 13% will be the early adopters; these individuals will be excited with a new idea, process, or product that aligns with their own values and beliefs; the next approximately 68% are the early majority, late majority, which is your average individuals, with the last about 16% being the lagging performers, these individuals will adopt the idea or process because they don’t have a choice.  

You need to gain the majority’s attention to achieve cybersecurity training penetration. To do that, you need to aim for your innovators and early adopters because most will not try something new if someone else hasn’t tried it. 

You need to understand your audience.

========

*** FREE GUIDE ***
https://www.execcybered.com/asset-management

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

The problem educational narrative about “college” has created a false dichotomy between the two well-discussed college purposes. Some say college is about preparing a person for work – to help them get better employment or career. The other camp says college is about preparing an individual for success in life. Many of us see the purpose of college as both a job-driven and a career-driven purpose. However, our conversation is incredibly stuck in the either/or debate on these two beliefs.

“Don’t let schooling interfere with your education”- Mark Twain.

The other discussion is the never-ending comparison between college degrees and certifications; similar to the purpose of college; this discussion seems endless. Several other variables are not considered or at least not openly discussed when this topic is brought up. 

The bottom line, it depends on the stage of your life at the moment, what career you are pursuing, and various other factors that affect this decision. The only wrong decision is not seeking education. 

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/
• Youtube: https://bit.ly/3BGOtPA

Thanks.

Dr. Bill Souza
CEO | Founder
www.execcybered.com

Addressing the Highest Risks

As we conclude the risk assessment and governance process, the last part will deal with the organization's highest risks, not the highest vulnerability, but rather the highest risks. This work could take the form of desktop exercises or brainstorming sessions. NIST cover this effort in the subcategory ID.RA-6 “Risk responses are identified and prioritized.” 

The process NIST lays out are:

• Implement a process to ensure the security program's plan of action and milestones (POA&M) are developed and maintained and that remediation plans are appropriate for the type of risk. 
• Review the POA&M for consistency with the organization’s risk management strategy.

Make sure each action in this process has an owner assigned, and each action is viewed from an organizational perspective. When running scenario-based testing, make sure that representatives from each affected business area are involved in the exercise to ensure a common understanding.

========

*** FREE GUIDE ***
https://www.execcybered.com/asset-management

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

Cybersecurity Risk Assessment

Risk assessment is not necessarily scanning your network aimlessly; what should you expect from your team? First and foremost, adopt a risk assessment framework; it will be a helpful guide for determining what is assessed, who needs to be involved, and the criteria for developing risk criteria. 

Some of the frameworks you should consider are:
OCTAVE from Carnegie Mellon University
NIST 800-30 Guide for Conducting Risk Assessments
ISO 27005:2011 or the latest version

Identifying vulnerabilities in your organization is a fundamental first step of this process. It aligns with the NIST CSF subcategory ID.RA-1 Asset vulnerabilities are identified and documented. Also, ensure that you have qualified staff managing, operating, and overseeing the vulnerability management program trained in all the automated tools and methodologies to identify vulnerabilities. 

The next step will be for your team to identify the threats to your organization, both internal and external. This activity aligns with NIST CSF ID.RA-3 “Threats, both internal and external, are identified and documented.” Your team won’t be able to protect the organization against every threat, so identifying the most critical threats against your organization is crucial for your cybersecurity strategy.

Remember, you may find vulnerabilities without an active or published exploit; therefore, it is up to you and your team to prioritize accordingly, which takes to NIST CSF ID.RA-5 “Threats, vulnerabilities, likelyhoods, and impacts are used to determine risk.” Now that you know the vulnerabilities and threats you face and the likelihood, focus on the vulnerabilities with the highest risk to your critical cyber assets. 
 
========

*** FREE GUIDE ***
https://www.execcybered.com/asset-management

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

Cybersecurity Governance

Once you have your hardware and software inventories, the next step might not be obvious. Still, before performing a risk assessment, you’ll need to establish a governance structure to report risk and regulatory, legal, and operational requirements.

This particular governance requirement is covered in the NIST CSF subcategory ID.GV-4 “governance and risk management processes address cybersecurity risk.”

As cybersecurity risk continues to escalate to the board of directors and C-suite level executives for managing cyber threats by shareholders and other stakeholders, a reporting structure needs to be in place. Regardless of your company’s size, developing and implementing a system for informing top decision-makers of cybersecurity risks will likely play an ever-more important role in your role as a cybersecurity executive.

Depending on the size of your organization, this can be accomplished in several different ways; here are two approaches: 
Internal governance committees comprise cybersecurity, IT, and business area executives.
An internal or external information risk steering committee that reports the risk program’s strategic direction. 

Even if your organization is small and you outsource your cybersecurity to a vendor, you still require cybersecurity governance that keeps top management informed about the risk profile.

========

*** FREE GUIDE ***
https://www.execcybered.com/asset-management

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

The NIST CSF subcategory ID.AM-2 deals with the inventory of software platforms and applications used in your organization. Most organizations will that creating an inventory of software to be a bit more challenging than creating one for hardware.

When developing the inventory, make sure to take a holistic view of your organization’s operations and functions to build a comprehensive list of the software used in each line of operations.

Similar to the approach used for hardware, automation will play a critical role in the software inventory. Running vulnerability management or scanning software should provide visibility into each scanned system's software.

A recommended inventory management approach would be to keep the hardware inventory and software inventory in a single location or file to facilitate the identification of critical issues if they arise.

========

*** FREE GUIDE ***
https://www.execcybered.com/asset-management

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Youtube: https://bit.ly/3BGOtPA

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

Cybersecurity Risk Management - Physical Devices

The risk management process entails four fundamental concepts, which can be further broken down; however, the fundamental concepts are:

Frame risk
Assess risk
Respond to risk once determined
Monitor risk on an ongoing basis

However, before getting here, other fundamental steps must be in place, and one that I have discussed here in the past has been asset management. Today I want to give you a bit more detail on this process.

First, inventory every physical device and system you have and keep an inventory of them; this is one of the most important yet least practiced cybersecurity tasks conducted worldwide. Small and mid-sized businesses can start with a simple Excel or Google spreadsheet, while larger organizations can leverage a configuration management database (CMDB).

The approach can be as simple as brainstorming with your team a list of system types, such as:

End-user devices: laptops and phones
Servers: virtuals and physical servers
Cloud platforms: SaaS, PaaS, and IaaS

You should tie the software inventory into the hardware asset inventory where possible. Make sure to include critical information, such as:

Network address
Hardware address
Machine name
Data asset owner
Department

Along with the traditional IT devices, consider as part of your team brainstorming devices such as VoIP phones, printers, HVAC systems, and any IoT devices connected to the network that could become an attack vector.

Detection of new authorized and unauthorized devices is critical for the program; therefore, some automation is necessary, which will vary depending on the size of your organization. It can be as simple as monitoring the DHCP server for IP assigning or systems that can scan the network and monitor it on a 24/7 basis or at periodic intervals determined by your organization.

========

* FREE GUIDE *
https://www.execcybered.com/asset-man...

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001f...
Linkedin: https://www.linkedin.com/company/exce...
Twitter:

Questions Boards Should Ask
The challenge for directors or investors is determining the organizational overall cybersecurity maturity relative to the risk. The board of directors, in particular, has an oversight problem to solve, not a management problem.

To quickly explore organizational thinking and cybersecurity management, here are five questions to get the discussion started in the effort to provide oversight and due diligence.

*** FREE GUIDE ***

https://www.execcybered.com/asset-management

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/
• Youtube: https://bit.ly/3BGOtPA

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

Cybersecurity Confidence vs. Performance

Several studies conducted in other fields showed how spending effort on analysis improved confidence even when the actual performance was not improved.
A study by the University of Chicago in 2008 tracked the probability of outcomes of sporting events as assigned by participants. These participants were given varying amounts of information about the teams, except the team’s name or players. As fans were given more information, their confidence in picking the winner increased, despite the chance of picking the winner remaining nearly flat no matter how much information was provided.

Imagine how many metrics and measures we have in cybersecurity; is your confidence level increasing or your performance on the outcome?

Don’t be so quick to accept metrics and measures labeled “best practices;” best practice does not mean it was measured and scientifically proven to be the best performer among a set of practices.

Focus on reducing risk; are your metrics and measures driving a reduction in risk to the company's mission?

========

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/
Youtube: https://bit.ly/3BGOtPA

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

Asset management is most commonly associated with cybersecurity hygiene, which is associated with patching, anti-virus, access control, and other asset-specific protections. However, there are three NIST CSF sub-categories that I want to bring to your attention and how they align with a mission-based cybersecurity risk program.

ID.AM-1: Physical devices and systems within the organization are inventoried.
ID.AM-2: Software platforms and applications within the organization are inventoried.
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.

These three sub-categories are the foundation of your organization's cybersecurity program, specifically, your cybersecurity risk program. 
Some factors to keep in mind when developing a priority methodology:

• The role the asset plays in generating revenue
• The asset's importance to ongoing operations
• The asset's cost to replace or protect
• The reputation or legal damage the asset would cause if compromised.

Bottom line, the methodology decision will be up to every organization; however, be consistent in your assessment and prioritization. 

========

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

There are two types of third-party risk: product vendors and service providers. Product vendors outsource software, platform, and infrastructure, known as SaaS, PaaS, and IaaS. According to some estimates, only 40% of applications are hosted on-premises.

The service providers are consulting third-party vendors, such as management consultants, IT consultants, Cybersecurity consultants, and managed service consultants. However, regardless of the type of third-party vendor, these are the five focus areas your third-party risk management program should focus on:

1. Data access: who has access to your data? What kind of data is it? How is it stored? This is a confidentiality issue. Reviewing and discussing your providers' policy,  procedures, and contractual language is essential. This is an area you should involve your legal team. 
2. Security program transparency: where is the data center? What are physical controls in place? Make sure these questions are asked and, if possible, validated to a degree, such as by a third-party assessor. 
3. Location of data regulation: most providers do not disclose where their data centers are, and that becomes a challenge if your data has a regulation regarding the location of the data. Two examples are that Israeli banking data can’t be stored outside of Israel; similarly, the Federal Information Security Management Act (FISMA) requires that customer data be kept within the United States. 
4. Privacy policies: Ensure the provider’s privacy policy aligns with your organization’s privacy policies. 
5. Disaster recovery: how do the providers handle disaster recovery from an outage to a compromise? 

These 5 focus areas should be embedded into your cybersecurity assessment and be addressed in your analysis and conclusion of any assessed vendor. 

========

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

Cyber attacks targetting small businesses that often do not have the resources to defend against devastating attacks like ransomware have grown. As a small business CEO or CIO, you have likely come across outdated security advice that does not help prevent the most common attacks. The security landscape has changed, and your cybersecurity knowledge needs to evolve with it. Here are 5 tips to get you started:

Establish a culture of [cyber] security
Talk about cybersecurity to leadership and staff, communicate cybersecurity program initiatives in your regular communications, and set measurable quarterly cybersecurity goals are just a few examples.

Hire a vCISO or part-time CISO
Due to the ever-changing nature of the cybersecurity threat environment, consider having a part-time CISO (vCISO) on a retainer to assist your organization with all cybersecurity initiatives. A vCISO can lead your staff in developing DRP, IRP, Acceptable Use Policy, Cybersecurity Policy, Remote Access requirements, etc.

Develop and implement an incident response plan (IRP)
An incident response plan (IRP) has different objectives depending on the author; if the authoring source is IT, the IRP will focus on service restoration; however, investigating a cyber incident and potentially a forensic investigation will be a cybersecurity function, where a vCISO could assist your organization.

Perform regular tabletop exercises
Regular simulation exercises, such as tabletop exercises, will condition your team to respond appropriately to incidents.

Support IT Leaders
There are places where the support of a vCISO, CIO, and CEO is critical, especially when a good cybersecurity program will require the help of every staff member in your organization. For example, don’t rely on the IT team to persuade busy employees to use Multi-Factor Authentication (MFA); instead, have your vCISO or CEO make the announcement.

========

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

Third-Party Risk Management

The third-party outsourcing trend will continue to grow in the coming years, which places third-party risk as a significant concern for organizations, large or small. Depending on which statistics you read, 39-63% of breaches are caused by third parties. One of the most notorious breaches is the case of Target, where the HVAC vendor’s credential was stolen, resulting in the retailer's breach of 40 million credit and debit card numbers and 70 million records of personal information stolen. 

How you manage this risk vector is the inspiration of several books and articles; however, it will all start in the contract and what you were able to negotiate upfront; then a mixed methodology assessment, where you use qualitative and quantitative elements to assess the vendor based on industry-accepted standards, such as NIST CSF or ISO 27001. 

I would use caution in leveraging Service Organization Control (SOC) 2 reports; these reports vary by organization and may not cover all cybersecurity controls you may be looking for. 

Once the assessment is complete, work with the vendor to mitigate any findings; if not possible, enter the findings in your cybersecurity standard exception program or a vendor exception program. 

It will be the responsibility of the business to accept or reject the amount of risk proposed by this third-party vendor relationship. 

========

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

Chasing Perfection

Pursuing perfection takes a lot of resources, financially and people. In Cybersecurity risk management, there are two key questions: 

• When will enough be enough? 
• What is the correct amount of time and effort should your organization spend to achieve a reasonable level of cybersecurity against an attacker?

The answer to these questions will be your risk tolerance. Chasing perfection has challenges and may not get you where you want to be. Chasing perfection may also risk missing the big picture, leaving security gaps in other areas of your organization, and burning out your staff.

A holistic and mission-driven approach to cybersecurity, with reasonable and measurable goals, will help secure your organization. To get you started, keep in mind three questions:

1. What are your organization’s cybersecurity risks?
2. How are you managing the organization’s cybersecurity risks?
3. How are you measuring your cybersecurity risk reduction?

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/

Thanks.

Dr. Bill Souza
CEO | Founder
www.execcybered.com

Amid a global financial crisis and potentially facing cybersecurity budget challenges, you are now facing a tough decision; how to do more with less. What if I told you that you can; change the focus of your cybersecurity risk management program from a threat/vulnerability-centric focus to a mission-centric focus. Using the same people, processes, and technologies you have but targeting critical systems in your organization.

This change in strategy will allow your cybersecurity organization to provide valuable services by redirecting the same resources to a mission-centric approach, hence, innovating your cybersecurity strategy while being a good steward of your financial resources.

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/

Thanks.

Dr. Bill Souza
CEO | Founder
www.execcybered.com

Rules for Effective Cybersecurity Metrics

First, you must establish agreement among your leadership on the actual risk(s) to measure, then select which data will provide the most accurate representation of the risk.

The following are 5 fundamental rules for measuring cybersecurity risk:

1. Select informative measures with actionable value to leadership
2. Research other subject matter experts have done and worked
3. Keep the math simple and clear
4. Develop a standard reporting format and reporting governance
5. Keep consistent and allow your measures and metrics to mature over time

Bonus rule: Gain buy-in from your stakeholders.

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/

Thanks.

Dr. Bill Souza
CEO | Founder
www.execcybered.com

Mission Centric Risk Assessment

In a mission-based risk assessment, the question is, how do you perform one? 

A four-layer approach will be a good start: 

1. Mission layer
2. Operational layer
3. Application layer
4. Infrastructure layer

========

Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/

Thanks.

Dr. Bill Souza
CEO | Founder
www.execcybered.com

When measuring risk in your organization, you’ll typically discover two challenges: First, top key risk measures that do not have supporting data (aspirational). Second, you’ll be developing middle to low measures with supporting data that do not entirely address the risk. 

The lack of data to calculate a particular measure is no reason not to measure the risk; these are your aspirational measures; setting an organizational ambition or goal for your cybersecurity program to report over time is a good strategy; allow your cybersecurity program mature.

To calculate the percentage of assets identified as critical will require two data points, first, the total number of assets, and second, the total number of critical assets; if you don’t have these numbers, you can start by collecting secondary data and establishing secondary measures that will drive towards the aspirational goal of calculating the percentage of assets identified as critical.

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/

Thanks.

Dr. Bill Souza
CEO | Founder
www.execcybered.com

Cybersecurity Report Framework to the Board of Directors

There is a three-point framework to keep in mind when preparing a report to the Board, especially if you are a small to medium-size business with annual revenue between $100M to $700M with [potentially] no CISO in your organization.

1. What are key risks the Board should be aware of at a high level? What should they be offered a deeper understanding of?
2. How do these risks align with the organization's strategic initiatives?
3. What is your opinion? What do you recommend? - A solution.

One key factor to remember is to be prepared to answer how your organization compares to others in the industry. I suggest discussing with other organizations in the same industry and of similar size.

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/

Thanks.

Dr. Bill Souza
CEO | Founder
www.execcybered.com

How do you understand a digital asset's business value?

First, let’s define what a digital asset is; a digital asset is a system, process, data, and technology that is used. A cyber event could affect one or more of these digital assets, resulting in a loss for the business.

These digital assets have a hierarchical relationship:

• Organization
  • Function
• Business Unit
  • Own & Use
• Business Process
  • Own & Use
• System
  • Supports
• Technology 
  • Process & Store
• Data Type

Understanding this hierarchy in your organization will lead you to the critical systems in your organization. 

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/

Thanks.

Dr. Bill Souza
CEO | Founder
www.execcybered.com

NIST has developed a cybersecurity risk management framework that addresses the issue as a comprehensive process that requires organizations to:

1. Frame risk
2. Assess the vulnerabilities
3. Respond to risk once determined
4. Monitor risk on an ongoing basis

These four pillars must be addressed by all small and midsize businesses. A small and midsize business (SMB) is a business that, due to its size, has different IT requirements — and often faces different IT challenges — than do large enterprises, and whose IT resources (usually budget and staff) are often highly constrained.

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/ 

Dr. Bill Souza
CEO | Founder
www.execcybered.com

There are many stakeholders in cybersecurity, and it makes sense to outline roles and responsibilities in terms of how each role impacts cyber resiliency.

1. The board of directors
   1. February 21, 2018, SEC guidance requires board oversight in terms of cyber (https://www.sec.gov/rules/interp/2018/33-10459.pdf).
2. Chief Information Security Officer (CISO)
   1. There are two types of CISOs; a governance CISO and an Operational CISO.
3. Data Privacy Officer (DPO)
   1. General Data Protection Regulation (GDPR) requires that organizations process privacy data to have a DPO.
4. Compliance Manager or Officer
   1. This is an individual with the responsibility to ensure the company complies with its outside regulatory obligations and internal policies.
5. Auditors
   1. Auditors are responsible for developing, planning, and executing IT audit programs based on risk assessments.
6. Legal team
   1. The legal team will be involved in cyber when a breach occurs and most likely will review all external communications before they are released to the media or regulatory authorities.

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/

Thanks.

Dr. Bill Souza
CEO | Founder
www.execcybered.com

The initial public draft of NIST IR 8286D provides comprehensive asset confidentiality and integrity impact analyses to accurately identify and manage asset risk propagation from system to organization and from organization to enterprise, which in turn better informs Enterprise Risk Management deliberations. This document adds expanded BIA protocols to inform risk prioritization and response by quantifying the organizational impact and enterprise consequences of compromised IT Assets.

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

Choosing a Cybersecurity Framework

Three common pitfalls of cybersecurity or risk frameworks:

1. Finding the “perfect” framework. No single framework fits an organization’s risk profile perfectly. Frameworks like ISO 27001, ISO 3100, NIST CSF, NIST RMF, COBIT, and many others. 
2. Using custom frameworks that do not map to regulators or industry standards.
3. Failing to assign a single project leader with appropriate deadlines and resources. 

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/

Thanks.
Dr. Bill Souza
CEO | Founder

There are several measurements or metrics an organization can put in place to monitor; some of them can be turned into Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs).

========
Training: https://www.execcybered.com/iso27001foundationcourse
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/

These 3 steps you can take to perform a risk assessment:

1. Identify and document the scope and assets to be assessed. I suggest starting with your critical assets.
2. Identify and collect your assessment data.
   1. Vulnerability scan (including applications)
   2. Minimum security baseline scan
   3. Access management at the OS and application levels
   4. Standard exceptions against your scoped systems
   5. Security information and event management (SIEM) logging and alerting
3. Analyze and report
   The most important part is the analysis, since quantitative data alone may not provide the correct information.

========

Training: https://www.execcybered.com/iso27001foundationcourse

Linkedin: https://www.linkedin.com/company/exceccybered/

Twitter: https://twitter.com/DrBillSouza

Instagram: https://www.instagram.com/drbillsouza/

Author: Dr. Bill Souza | Jun 28, 2022 

What to Focus on FIRST
Mission-based cybersecurity

• Systems supporting the mission, vision, and services
• Regulatory systems - PCI, HIPAA, SOX, GDPR

Prioritizing remediation is based on quantifying the three primary financial impacts:

1. Business interruption cost
2. Data exfiltration cost
3. Regulatory cost

===
Blog: https://www.execcybered.com/blog
Training: https://www.execcybered.com/store
Linkedin: https://www.linkedin.com/company/exceccybered/
Twitter: https://twitter.com/DrBillSouza
Instagram: https://www.instagram.com/drbillsouza/

Thanks.
Dr. Bill Souza
CEO | Founder
www.execcybered.com

There are some simple rules that you can start today to ensure improvements to your cyber risk program.

1. Define the problem
2. Define risk
3. Define critical
4. Identify and inventory critical assets or systems
5. Identify risks

These rules apply to small, medium, and large businesses with corresponding difficulty levels.

Thanks.
Dr. Bill Souza
CEO | Founder
E|CE - Executive Cyber Education
https://www.execcybered.com 

Today I’ll discuss risk probability and impact and give you some examples to build your own impact and probability table.

• Probability
• Impact

Thanks.
Dr. Bill Souza
CEO/Founder
E|CE - Executive Cyber Education
https://www.execcybered.com 

Today I’ll touch on the topic of Cyber Risk & Cyber Investment challenges.

• Improving
• Exploits
• Attack paths
• Attacker behavior
• Investment

Thanks.
Dr. Bill Souza
CEO/Founder
E|CE - Executive Cyber Education
https://www.execcybered.com 

The show today is based on an article titled, “Global utilities lacking basic cybersecurity practices.” Although the article was focused on utilities, the guidance is applicable to every industry, so I will touch on a few recommendations that could be useful to you as well, regardless of industry.

Links mentioned on the show:
Article: Global utilities lacking basic cybersecurity practices says expert (powerengineeringint.com)
Webinar: https://www.execcybered.com/nist-csf-replay

Thanks.
Dr. Bill Souza
CEO/Founder
E|CE - Executive Cyber Education
https://www.execcybered.com 

We are so focused on the threats and the vulnerabilities that allowed a hack to occur, that we forget the basics. The protection necessary to prevent or slow down these attacks already exists, and they exist for a long time.

Thanks.
Dr. Bill Souza
CEO/Founder
E|CE - Executive Cyber Education
https://www.execcybered.com 

In today's episode, I will discuss exceptions tracking and expirations. This is the last episode in a three-part series on cybersecurity standard exceptions.

Thanks.
Dr. Bill Souza
CEO/Founder
E|CE - Executive Cyber Education
https://www.execcybered.com 

As I mentioned in my previous episode, there’s much more to discuss on cybersecurity exceptions, such as the risk they pose to the organization and the hidden dangers of cumulative risk.

Blog: https://www.execcybered.com/blog/cybersecurity-exceptions-part-2

Thanks.
Dr. Bill Souza
Founder & CEO
E|CE - Executive Cyber Education
www.execcybered.com

If your cybersecurity standards were written to protect the organization, why do you have security exceptions? Your standard development team writes an excellent standard; it follows all the best practices of the NIST Cybersecurity Framework, the ISO 27001, or any other industry-recognized standards and frameworks, but most of all, it is common sense, right? Anyone working on or with a cybersecurity team in a large organization knows this does not happen! Exceptions happen.

Dr. Bill Souza
Founder & CEO
E|CE
www.execcybered.com

Asset classification is the foundation of everything else to come in cybersecurity; it will help your organization, for example, small or large, to better understand, manage, identify, and classify your assets.

Episode: Cybersecurity - Asset Classification (execcybered.com)

Dr. Bill Souza
Founder & CEO
Executive Cyber Education

In this episode, I will discuss three challenging areas where cybersecurity education is falling short in preparing students and professionals to succeed in the field.

In this episode, I discuss how to leverage your risk framework to make sound cybersecurity investment decisions. I addressed two critical questions that you will need to know the answers; first, how can you tell your program is doing the right thing? and second, How can you tell you are protecting the organization in a financially healthy way?

Dr. B.
Executive Cyber Education
www.execcybered.com

eBook: https://www.execcybered.com/risk-identification-ebook

To get results you need to ask the right question, collect the data, analyze, and develop a robust and factual interpretation. This episode will guide you through the thought process and give you some ideas on how to develop a strong argument on where you should focus your cybersecurity investments and tools.

Infographic: https://executive-cyber-education.mykajabi.com/identification-analysis

Dr. B.

Today’s episode I will discuss a strategy to identify critical systems in your organization. The steps I will discuss today will make sure your program is objective and repeatable.

The eBook mentioned in this podcast can be downloaded here:
https://executive-cyber-education.mykajabi.com/risk-identification-ebook

Thanks.
Dr. B.
https://execcybered.com/podcast-1

Today’s episode we will discuss how to identify KRIs (key risk indicators). I’ll discuss a simple and effective way to do it; there seems to be a lot of confusion on what to measure and for a long time, subject matter experts believe we can’t measure Cybersecurity.

Today’s episode, we will discuss “tail risk” and the impact it may have on organizations when it’s realized. Given our current environment, it seems entirely appropriate for us to have this meaningful discussion.

Today’s episode we will discuss the popular risk formula, “Risk =  Threat x Vulnerability x Consequence/Impact and its limitations to actually provide accurate information for a cybersecurity investment or tactical decision. I will be leveraging the “Risk Analysis and Management for Critical Asset Protection (RAMCAP) framework that was also used by the Department of Homeland Security.

I will discuss “Threat Reports,” specifically eight 2019 reports; the 2019 data breach investigations report by Verizon; 2019 data breach investigations report (executive summary) by Verizon; 2019 annual report, state of cyber security by security in depth; cyber security report by darkmatter; Q2 2019 Cybersecurity threatscape by Positive Technologies; 2019 Cyber Security Risk Report by Aon; the 2019 global threat report by CrowdStrike; and cyber trendscape 2020 by fireeye. My discussion will focus on what these reports don’t say and how to use them in your Cybersecurity organization.

Dr. B.
www.execcybered.com

Today’s episode we will discuss a strategy to select controls to assess, this strategy can be used to select any controls for your assessment, as a framework for security control selection, this approach is standard or regulatory standard agnostic. The steps we will discuss today will make sure your control selection is objective and repeatable.

Today’s episode we will discuss a strategy to select an environment to assess, this strategy can be used from your first assessment to developing an assessment calendar. The steps we will discuss today will make sure your assessment selection is objective and repeatable.

Dr. B.
www.execcybered.com

In this episode, we discuss an overview of our cybersecurity risk and governance program. Here I'll discuss what we are trying to achieve in the next several podcasts. Starting from choosing an environment and business organizations to establishing a residual risk for your cybersecurity organization that you can trust. 
Our overview will touch on environment selection, security controls, control assessments, risk identification, and much more.

There are six-step in a cybersecurity program assessment framework. I will discuss each step of the framework and how it will help you to achieve a comprehensive assessment. A cybersecurity program assessment is a process, that you will design to provide your company or department with a comprehensive review of the tools, processes they implemented, policies, standards, procedures, and practices in place at your organization.

Dr. B.
www.execcybered.com

I'm Dr. B and I have a particular view on cybersecurity's governance, risk, and compliance role in the organization; in this podcast show, I will share with you this view. Cyber risk plays a big role in the overall cybersecurity strategy of any organization and I'll take you through this journey, so you can also understand how to leverage this knowledge to make your business more resilient or expand your current knowledge on this subject.

www.execcybered.com
Dr. B.