Cybersecurity: What You Need To Know

2018-01-25T20:54:20+00:00

What’s the difference between a Vulnerability Scan and Penetration Test?

There are topics in cybersecurity that can be left to individual interpretation and debate, such as choosing the best possible password policies. The goal of this article is not to argue such an opinionated topic, but rather educate on a couple of cybersecurity practices that are extremely binary, but very commonly misinterpreted.

Regardless of your industry, you’ve likely heard both of these terms come up in discussions around compliance. Most regulatory bodies are increasing their enforcement of cybersecurity, and generally require companies to run both a vulnerability scan and a penetration test annually. Even without a compliance need or regulators on your back, both practices are paramount for understanding your risk.

Suffice it to say that there are third-party vendors out there selling vulnerability scans under the guise of penetration tests, so it’s important to know which is which, and what questions you should be asking.

  • Vuln scans check your systems against already documented vulnerabilities

  • Pen tests are an attempt to break into your systems from a real-world scenario, given certain details about your infrastructure

  • You need to understand both services, because some companies will try to sell you one of them without giving you all the correct information

Read more at CSO Online

The Difference Between IT and Security

All too often we hear business leaders state matter-of-factly that their IT team has their cybersecurity under control. This is one of the biggest mistakes a company can make. It usually only takes a handful of questions for us to know if that’s true or not; in most cases it’s not true. There are few cases where the IT department is able to handle both IT and security functions. Let us explain why.

  • Your IT team’s primary function is to maintain and continually optimize your technology infrastructure.

  • A security team spends all their time trying to find vulnerabilities in your technology, operations, policies and procedures.

  • You need both teams to have a truly secure and efficient business.

What is a CISO, and do I need one?

A Chief Information Security Officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology (IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance (e.g. supervises the implementation to achieve IEC/ISO 27001:2013 certification for an entity, or a part of it).

Typically, the CISO’s influence reaches the entire organization.

  • A CISO is the central focal point of all things cyber security and cyber compliance.

  • A CISO spends time working through processes to continuously identify and remediate vulnerabilities in your technology, operations, policies and procedures.

  • In corporations, the trend is for CISOs to have a strong balance of business acumen and technology knowledge. CISOs are often in high demand, and their compensation is comparable to that of other C-level positions.

Read more at CSO Online

Cyber Security Risk Models

To have an effective risk model, we need to understand exactly what is at risk. Seems simple enough, but this goes beyond merely identifying sensitive information within the infrastructure. We need to understand the core business, how the business operates, who we do business with, so on and so forth all the way down to which kind of battery back-ups are being used (if any). Without that thorough understanding of all aspects of the business you cannot properly understand and, therefore, manage your cyber risks.

  • Every business needs its own cyber risk model.

  • You cannot understand your cyber risk until you thoroughly understand what is currently in place.

  • Your IT department inventory audit is not a substitute for a proper cyber risk model baseline.

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”

Bruce Schneier, Cryptographer & Computer Security Expert