Our top cybersecurity predictions for 2023

It’s the time of year when the industry begins making its top cybersecurity predictions for the year ahead. Gartner, among others, recently released their top 8 cybersecurity predictions for 2023, writing that supply chain and geopolitical issues will continue to dominate cybersecurity.

In this article, our team looks into the proverbial crystal ball to share their top cybersecurity predictions and what initiatives security leaders should prioritize for 2023.

What Cybersecurity Lessons Did We Learn in 2022?

The breaches, hacks, and cyber breakdowns in 2022 taught us many cybersecurity lessons that we can use to improve security in the new year. Lessons learned include:

  • You can’t rely on MFA.
  • Company stakeholders, including VCs and board members, must have insight into their company’s security stance.
  • Don’t sacrifice security for a 1% improvement of your product. Constant re-architecting creates numerous security holes.
  • Continuous security is mandatory for blockchain. Instead of one-time assessments at launch, teams should strive for continuous validation throughout the project lifecycle.

What Are the Top Cybersecurity Predictions for 2023?

The top cybersecurity predictions for 2023 identified by the team of experts at Kudelski Security are:

  1. Basic, human-targeted attacks will be the biggest risk to cyber defenses.
  2. Zero trust will replace VPN.
  3. Insider and third-party risk will rise.
  4. Reliance on passwords will decline.
  5. Skepticism around blockchain security and availability will continue.
  6. Quantum-interested companies will need to start assessing risks.

Prediction #1: Basic, human-targeted attacks, like ransomware, phishing, and email attacks, will be the biggest risk to cyber defenses.

In 2023, we will see the most basic security attacks — email compromise, active directory attacks, ransomware, phishing, and multi-factor authentication attacks — continue to be the most effective and lucrative for cybercriminals.

Whenever humans are introduced into the security equation, they immediately create holes in the corporate cyber defense system. Phishing and emerging MFA bombing schemes are more sophisticated than ever and will render cybersecurity training ineffective.

“Whenever humans are introduced into the security equation, they immediately create holes in the corporate cyber defense system.”

To combat these attacks, corporate security teams should not trust human factors. Instead, they should adopt an offensive security posture. Detection and response initiatives should focus on preventative features instead of reactive quick fixes.

Will your threat detection and response strategies stand up to advanced threats? Watch our webinar to learn how to improve program maturity.

Prediction #2: Zero trust will replace VPN to secure a distributed workforce.

In 2023, zero trust will replace virtual private networks completely as security teams adjust to a more dispersed workforce. With work-from-home here to stay, company network borders won’t look anything like they used to. Employees are accessing most work applications via SaaS, and IT teams are hesitant to inherit the risk of home networks. Mistrusting every device is the key to supporting and securing remote workforces.

Can zero trust be a business enabler? Read our take on this blog from Vincent Whaart.

Prediction #3: Insider and third-party risk will rise as attackers take advantage of vulnerable parties in the economic downturn.

The impending recession will loom even closer in 2023, and cybercriminals will take advantage of the dire economic situation to bribe their way into corporate systems. We predict that software hacking will decline in 2023 in favor of “insider risk.”

Attackers will set aside their hacking skills and instead single out vulnerable employees at third-party vendors, such as shipping authorities, supply chain companies, internet service providers, and software vendors.

Companies must remain vigilant to not only secure their own network perimeters but also build a strong vendor risk management program.

Prediction #4: Reliance on passwords will decline as the flimsiness of MFA is exposed.

While it’s unlikely that passwords will completely disappear in 2023, MFA fatigue could usher in a passwordless future in years to come. The recent Uber breach highlighted the flimsiness of MFA and left security teams searching for a better alternative. In 2023, we’ll see an emphasis on securing accounts with as many other safeguards as possible, including stronger passwords and password managers.

Prediction #5: Skepticism around blockchain security and availability will continue without more caution.

2023 will be another tumultuous year for blockchain technologies unless the industry shifts away from “point in time” security measures. Currently, too much trust is put into code to be perfect.

Blockchain security teams must layer in more robust controls, including detection and response capabilities, to deter threat actors. The billions of dollars of bridge hacks that occurred in 2022 put a huge dent in users’ confidence in blockchain security.

Luckily, blockchain enterprises and projects are aware that customers are just as concerned about their chosen blockchain’s security as its features. This will lead blockchains to apportion the appropriate resources to improve security in 2023.

In addition to cryptocurrency theft, blockchain availability and stability should be a priority in 2023. If outages and slowdowns continue, blockchains face user decline or even complete collapse.

Learn more about Kudelski Security’s portfolio of blockchain security services.

Prediction #6: Companies concerned about quantum computing should begin assessing risks now.

Controls to prepare for quantum computing are unlikely to see mass adoption in 2023, but keep an eye on it for 2024. The current risks of quantum computing don’t quite outweigh the incredible investment required yet. That said, companies that stand to lose the most from future quantum attacks — e.g., financial services, defense contractors, and especially companies that transmit extremely sensitive data — should begin assessing their risks now.

Are you ready for the era of quantum computing? Watch our webinar to know how to be better prepared.

What Impact Will the Recession Have on Security Teams in 2023?

The recession should have relatively little impact on security teams in 2023. We predict security teams are going to remain mostly untouched even as companies across industries are forced to make cuts to their budgets and workforce in response to the upcoming recession.

American privacy laws will likely elevate to reach current European standards, putting a renewed focus on security and compliance in boardrooms and C-suites.

Additionally, cybersecurity labeling for consumer products, especially on hardware, will further the importance of corporate security teams. Economic hardships will necessitate that security teams work smarter and consolidate to meet the evolving economic and tech landscape.

What Should Security Leaders Prioritize in 2023?

In response to these top cybersecurity predictions for 2023, security leaders should prioritize the following initiatives:

  • Adopting an offensive security posture rather than a defensive one.
  • Focusing detection and response initiatives on preventive features instead of reactive fixes.
  • Phasing out VPN in favor of zero trust strategies for the remote workforce.
  • Building out a strong vendor risk management program to protect against third-party risk.
  • Looking for alternatives to MFA while implementing stronger password requirements and account protections.
  • Working smarter and consolidating to meet the evolving economic and tech landscape.
  • Bolstering availability and security of blockchain-related services.
  • Assessing risks related to quantum computing, especially for those in financial services, defense, or other industries that deal with highly sensitive data.

Get in Touch

Kudelski Security can help you prepare for 2023 and beyond with a comprehensive suite of security advisory services. From MDR and zero trust to blockchain and quantum, our experts can assess, design, implement and manage a resilient cybersecurity strategy. Get in touch with our team here.

6 Steps to Effective Data Security

In this blog post, we’ll identify where today’s data security programs often fail and look at six steps to effective data security. These cover everything from product definition, minimally viable discovery, and services to telemetry, metrics, and threat detection and response capabilities. If you’ve ever asked the question ‘How can my company reduce insider threats?’ then read on.

You have probably heard something like this before: to implement any kind of meaningful data security, you must first:

  1. Discover your data
  2. Find out where it lives
  3. Catalog who uses it and who owns it
  4. Map its flows and lifecycle
  5. Determine which regulatory / compliance rules apply to it

These platitudes have existed for so long that they are accepted as truth. Be honest – how long would it take your organization to complete each step? Can you plausibly estimate this? Even if you did complete your data discovery effort, why would anyone in your organization care?

In this blog, we explore the shortfalls of discovery-first data security approaches and describe key principles to help organizations shift to value-centric data security.

The Limitations of Discovery-First Data Security

Imagine a manufacturing company that spent its first 6-12 months finding inventory and storing it. No concrete product plans or capital investment in manufacturing – that would simply work itself out once inventory has been bought, stored, and meticulously catalogued.

Sound like an appealing business plan?

This is the approach taken by discovery-first data security. Begin with a long (and comprehensive!) data discovery cycle. Once data is discovered and cataloged, then perform a risk analysis, and only then begin to implement controls to address data vulnerabilities.

In theory, discovery enables a targeted control approach that protects the most sensitive data and results in less business disruption. In practice, data discovery is complex, expensive, and slow. Common challenges include:

  1. Inaccurate milestone dates: there is no good way to estimate how much data exists to be discovered and how responsive the business will be. Further, this indicates a definite “end date” to data discovery; in reality, as the business creates new data, more discovery is needed.
  2. Long duration: many organizations start building an inventory with a top-down interview process. They reach out to senior leaders from across the company, intending to discover what data their organization handles and who “owns” the data. They soon discover that most leaders ignore them. Leaders who engage are irritated by the ambiguity of the interview or unequipped to answer these questions, leading to unending delegation cycles.
  3. High costs: discovery tools can run hundreds of thousands of dollars, with costs increasing for additional scope (structured vs. unstructured, cloud vs. on-premise). Resources must be dedicated to the discovery team and business units. Finally, organizations need to allot resources to maintain their discovered body of knowledge as new data is created and business units change.

What’s the Alternative? Six Principles of Value-Centric Data Security

Prioritizing the discovery element of data security results in the misuse of time and resources. Instead, organizations should focus on the end goal – practical controls addressing data vulnerabilities and threats. Read on to learn the essential principles to start your journey to value-centric data security.

1. To Produce Value, First Define the Product

Agile and its cousins, lean/just-in-time manufacturing, were born out of the inefficiency of long planning processes and excessive inventory gathering. Both begin by identifying a goal or product, identifying how the product is delivered, and then optimizing the value chain to produce the product quickly and well.

In software development, the product is code that fixes a problem or provides a service. In manufacturing, the product is the widget produced on the factory floor. This realization subordinates specific elements of the value chain (planning, inventory gathering, testing) to the end goal of delivering a usable product.

Data security products are not:

  • A list of sensitive data and where it lives
  • A list of data owners
  • Data classification definitions
  • Data flow diagrams

These are all fine things, but by themselves do next to nothing to protect data. They only become valuable when mobilized through data security controls and user training. Therefore, data security controls and user training, which either directly protect data or help users do the same, are the product.

2. Practice Minimally Viable Discovery

Discovery data, while not bad, should not be the focus of a data security program since it does not create direct value.

Instead, start by addressing obvious security risks with broad controls suitable for all data. Examples include:

  • Alerting on or blocking data moving to personal cloud storage or email accounts
  • Removable media control
  • Automatic remediation of folders accessible to everyone in the organization
  • Quarantining or purging severely aged data (e.g., 2+ years since last viewed)

Organizations should start conservatively with conditions that are unlikely to disrupt legitimate business activity. Even a cautious approach will address glaring vulnerabilities and generate success stories to fuel further growth.

3. Build Services First and the Controls Will Follow

Successful data security controls are supported by layers of governance and infrastructure to ensure they align with business objectives. These layers comprise a service and include:

  • User experience considerations
  • Communications and knowledge articles
  • Exception processes
  • Metrics
  • Telemetry (e.g., ingress or egress APIs)

For example, a control to alert on uploads to personal webmail accounts should:

  • Provide a pop-up educating the user and linking them to secure collaboration guidance
  • Link to exception processes for legitimate use cases
  • Include metrics to signal user behavior improvements to leadership

Each service can create multiple, unique controls and serve as a landing place for data that is discovered.

4. Use Discovery to Enable Telemetry

Well-designed data security services (data access governance, insider risk management, etc.) can consume inputs from data discovery or classification efforts. While discovery on its own is of little value, the service can operationalize discovery-driven insights. These insights could stem from discussions with data owners or from tagging done with labeling technology like Microsoft Information Protection.

For instance, an existing control within a DLP service may alert on uploads to personal webmail. After discovering a trade secret and confirming with its data owner, the existing control could be copied and enhanced with a regex identifying the trade secret, and escalated to trigger a complete block instead of a simple alert.
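The broad control from principle 2 (alert on uploads to personal webmail) and the copy-and-enhance step just described, as an added Python example. This is illustrative code written for this post, not code from the article or from any DLP product; the event field names, the personal-webmail domain list and the “ORION-####” codename pattern standing in for a discovered trade secret are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample upload events, shaped like what a DLP service might pull
# from a web proxy or CASB egress API. Field names are hypothetical.
SAMPLE_EVENTS = [
    {"user": "alice", "dest_domain": "gmail.com", "filename": "q3-roadmap.pptx",
     "content": "Roadmap draft. Project codename: ORION-7742 details inside."},
    {"user": "bob", "dest_domain": "sharepoint.example.com", "filename": "notes.docx",
     "content": "Team meeting notes"},
    {"user": "carol", "dest_domain": "outlook.com", "filename": "photos.zip",
     "content": "holiday pictures"},
]

# Broad, data-agnostic condition suitable for all data (principle 2): the
# destination is a personal webmail provider. Constructed list.
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}


@dataclass
class Rule:
    name: str
    action: str                                  # "alert" or "block"
    content_pattern: Optional[re.Pattern] = None  # None = applies to any content

    def matches(self, event: dict) -> bool:
        if event["dest_domain"] not in PERSONAL_WEBMAIL:
            return False
        if self.content_pattern is None:
            return True
        return bool(self.content_pattern.search(event["content"]))


# Control 1: the minimally viable, alert-only control.
webmail_alert = Rule(name="personal-webmail-upload", action="alert")

# Control 2 (principle 4): the same control copied, enhanced with a regex for
# the discovered trade secret (constructed codename format), escalated to block.
trade_secret_block = Rule(
    name="personal-webmail-upload-trade-secret",
    action="block",
    content_pattern=re.compile(r"\bORION-\d{4}\b"),
)

# Most specific rule first so the block wins over the generic alert.
RULES = [trade_secret_block, webmail_alert]


def evaluate(event: dict, rules=RULES):
    """Return (action, rule_name) for the first matching rule, else ("allow", None)."""
    for rule in rules:
        if rule.matches(event):
            return rule.action, rule.name
    return "allow", None


def run(events=SAMPLE_EVENTS, rules=RULES):
    """Evaluate every event; returns a list of (user, action, rule_name)."""
    return [(e["user"],) + evaluate(e, rules) for e in events]


def count_actions(results):
    """Volume-based metric (principle 5): how many events hit each action."""
    counts = {}
    for _, action, _ in results:
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    results = run()
    for row in results:
        print(row)
    print(count_actions(results))
```

The design point is that the second rule is a copy of the first with one added condition and a stronger action; the service (exception process, user pop-up, metrics) stays the same, which is why discovered data can "land" in an existing service rather than needing a new program.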

5. Use Metrics Intentionally

Security organizations often struggle to demonstrate value from their controls. Metrics can be used not only to improve controls but to demonstrate the value the products are creating. This is especially important for cyber board communications.

Each data security service should entertain the following metrics types:

Improve – internally facing metrics to ensure the service is producing intended results. Examples include:

  • Exception request growth (shows how precisely controls were configured)
  • Time to close (for detective controls)

Impress – upward metrics designed to show the success of your program and obtain more buy-in

  • Volume-based (amount of aged data purged, number of overly permissive ACLs remediated, number of unsanctioned cloud service uploads blocked)
  • Success stories (egregious incidents contained or organizational processes improved due to insights from the service)

Invoke – upward metrics showing service weakness to garner additional funding or support

  • % of environment visible (could be used to support buying additional software)
  • Escalation response time (may highlight unresponsiveness from leadership, requiring re-assignment of responsibilities or additional support from program sponsors)

 

6. Enhance Insider Risk Management capabilities

Data detection and response capabilities (best manifested in Insider Risk Management) are quickly becoming the predominant data security service. There are a few reasons for this phenomenon:

a. Follow the leader: for close to a decade, the security industry has shifted from a prevent-centric to a detect-and-respond paradigm. This is evidenced by the growth of threat hunting and the literal inclusion of “detection and response” in new product and service names (EDR, MDR, etc.). While discovery and prevention have their place, they struggle to keep up with large, complex, and hybrid operating environments.

b. Boundary-spanning improvements: security services that demonstrate the broadest value statements get the most support. More than any other security service, Insider Risk Management (IRM) is holistic and seeks to understand why employees violate policy instead of just addressing incidents. Insights gleaned from asking “why” can improve not only security controls, but user training, employee retention and satisfaction, and the alignment of technology offerings with business needs (shadow IT).

c. Scalability: the core of IRM is people and process, meaning that technology is rarely a barrier to entry. No CASB, DLP, UEBA, or SIEM? No problem. Start by assigning responsibilities and building repeatable investigation and escalation processes. Stretch current technology to provide as much incident visibility as possible. As the IRM service matures and gains political capital, invest in technology to increase visibility and integrate it into existing processes.

Want to learn more about maturing your insider risk management program? Download our latest ModernCISO Guide, A Four-Step Framework for Managing Insider Risk, for a deeper dive into the topic. Or contact a member of Kudelski Security’s team of data security experts today at info@kudelskisecurity.com.

Getting Started with Cyber Risk Quantification and Decisioning

Over the last few years, there has been increasing interest by CISOs and business leaders in cybersecurity risk quantification. Many of the CISOs we are working with are keen to connect security risk to the language of business. In this article, Graeme Payne reviews how cyber risk quantification and decisioning can be used to communicate cyber risk more clearly and accurately to the business, including:

  • Pitfalls of the traditional approach to communicating cyber risk
  • The shift to cyber risk quantification and decisioning
  • Where to start your cyber risk quantification journey
  • Why now is the time to start

Cybersecurity risk is now ranked by Global CEOs as the top threat to growth. The increasing digitization of business, expansion of digitized data, and high reliance on technology have created many opportunities for threat actors to attack companies’ systems and data.

While senior business leaders and Boards of Directors intuitively understand that cybersecurity is a key risk, they are challenged to evaluate it in relation to other risks such as credit, liquidity, and market risk. At the same time, security leaders want to be able to communicate risk in business terms.

Understand the evolving roles, skillset, and practices of the CISO in our research report “Recommendations to Address the Security Leadership Talent Gap”

Pitfalls of the traditional approach to communicating cyber risk

The traditional approach to communicating cyber risk has been to use ordinal scales for determining the likelihood and impact of a risk, for example, 1 (low) to 5 (high). Risks are then plotted on a risk grid so that management can visualize the relative severity of the risks facing the organization.

In their book How to Measure Anything in Cybersecurity Risk, authors Douglas Hubbard and Richard Seiersen point out many of the pitfalls of using these techniques. Pitfalls of the traditional approach to communicating cyber risk include:

  • Heavy reliance on the subjective judgment of the risk assessor to determine likelihood and impact.
  • A greater tendency to inflate risk due to the uncertainty of measurements.
  • A perception that risk measurements are based on a scientific approach, which provides a “placebo effect”.
  • A lack of evidence that traditional risk scoring and risk matrices improve cybersecurity decision making.
  • A belief that some elements cannot be measured, or that there are too few data points to be representative.

Instead, they argue for a more quantitative approach to measuring cybersecurity risk.

The shift to cyber risk quantification

There are multiple approaches and tools available to help CISOs in quantifying cybersecurity risk. Kudelski Security has teamed up with X-Analytics, a leading provider of cybersecurity risk decisioning services. X-Analytics is a patented and validated cyber risk decisioning platform that is changing how executives, boards, and the risk management industry understand and manage cyber risk.

X-Analytics leverages a combination of firmographic data about the organization and historical cybersecurity incident data to deliver financial metrics that enable better cyber risk decisions. Key factors addressed in the model include:

  • Threat
  • Impact
  • Inherent risk
  • Control effectiveness
  • Residual risk
  • Loss categories

The model also allows for “what if” simulations to model potential investment returns in evolving the security program.
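To make the contrast between ordinal scoring and a quantitative model concrete, here is an added Python example written for this post. It is not X-Analytics and does not reproduce its patented model; it is a deliberately simple Monte Carlo model built on the factors listed above (threat frequency, impact range, control effectiveness, inherent versus residual risk) with a “what if” comparison of a proposed control investment. The scenario numbers (event frequency, the $200k–$5M loss range, control effectiveness percentages, control cost, and risk tolerance) are constructed assumptions.

```python
import math
import random
import statistics


# --- Traditional approach: ordinal scoring plotted on a heat-map grid --------
def ordinal_score(likelihood, impact):
    """1 (low) to 5 (high) on each axis; the product is the grid cell."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ordinal inputs must be 1..5")
    return likelihood * impact


# --- Simple quantitative model (added illustration, not X-Analytics) ---------
def lognormal_params(low, high):
    """Turn a 90% confidence interval for a single-event loss into lognormal mu, sigma."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)  # 1.645 = z at the 95th percentile
    return mu, sigma


def _poisson(rng, lam):
    """Knuth's algorithm: number of events in a year given an annual rate."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(threat_freq, loss_low, loss_high,
                           control_effectiveness=0.0, trials=20000, seed=7):
    """Monte Carlo samples of annual loss. Controls are modelled as the fraction
    of threat events they stop, so residual frequency = inherent * (1 - eff)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(loss_low, loss_high)
    rate = threat_freq * (1.0 - control_effectiveness)
    samples = []
    for _ in range(trials):
        n = _poisson(rng, rate)
        samples.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return samples


def summarize(samples, tolerance):
    """Financial metrics a board can read: expected annual loss, a 1-in-20-year
    loss, and the probability of exceeding the stated risk tolerance."""
    ordered = sorted(samples)
    return {
        "expected_annual_loss": statistics.fmean(samples),
        "loss_1_in_20_years": ordered[int(0.95 * len(ordered))],
        "p_exceed_tolerance": sum(s > tolerance for s in samples) / len(samples),
    }


def what_if(threat_freq, loss_low, loss_high, current_eff, proposed_eff,
            annual_control_cost, tolerance):
    """Compare residual risk before and after a proposed control investment."""
    before = summarize(simulate_annual_losses(threat_freq, loss_low, loss_high, current_eff), tolerance)
    after = summarize(simulate_annual_losses(threat_freq, loss_low, loss_high, proposed_eff), tolerance)
    reduction = before["expected_annual_loss"] - after["expected_annual_loss"]
    return {"before": before, "after": after,
            "expected_loss_reduction": reduction,
            "net_annual_benefit": reduction - annual_control_cost}


# Constructed scenario: ransomware, ~0.8 attempted events/year, per-event loss
# 90% CI $200k-$5M, current controls stop 30%, proposed controls stop 60% for
# $250k/year, board tolerance of $2M in any one year.
SCENARIO = dict(threat_freq=0.8, loss_low=200_000, loss_high=5_000_000,
                current_eff=0.30, proposed_eff=0.60,
                annual_control_cost=250_000, tolerance=2_000_000)

if __name__ == "__main__":
    print("ordinal score (4 x 3):", ordinal_score(4, 3))
    result = what_if(**SCENARIO)
    for key, value in result.items():
        print(key, value)
```

The ordinal score says only that the risk sits in cell 12 of a 25-cell grid. The quantitative output says what the expected annual loss is, what a bad year looks like, and whether the proposed spend reduces expected loss by more than it costs, which is the form the article argues boards and finance peers can actually act on.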

When to use a cyber risk decisioning platform

The adoption of cybersecurity risk quantification is a journey. In working with our clients, we have identified several use cases for when to use a cyber risk decisioning platform.

Evaluating cyber insurance and self-insurance

The relatively immature nature of the cybersecurity insurance market has resulted in the insurance industry experiencing high losses. Consequently, insurance premiums, underwriting standards, and contract exclusions have all increased. In some cases, organizations are deciding to self-insure their cyber risk.

Using X-Analytics we have been able to help our clients through this decision process and optimize the insurance spending and capital allocation needed to address the overall cyber risk.

Justifying and prioritizing cybersecurity investments

By measuring the amount and range of potential financial impacts resulting from cybersecurity risk, the senior management, Board, and CISO can now engage in a discussion about cyber risk appetite and risk tolerance expressed in financial terms.

Now investments to reduce financial exposure can be considered alongside other investments that generate revenue or reduce risk. Armed with quantified financial dashboards and metrics, the key stakeholders are all using the language of business to discuss cyber risk and return on investment.

X-Analytics provides “what if” analysis features that allow a range of investment options to be considered and measured.

Evaluating a potential acquisition

When a company is considering an acquisition, it is often difficult for the security leader to evaluate the potential risks inherent in the acquisition. Due diligence is often limited, and there is a lack of detailed information to really understand cyber risk. Using a risk quantification platform can provide a quick analysis of the potential cyber risk that the organization may assume if the acquisition is completed.

Evaluating the impact of specific threats

Cyber risk quantification analysis allows the security leader to focus on the potential financial impact of specific threats. For example, Boards of Directors are very interested in the company’s exposure to ransomware. Using a tool like X-Analytics allows the security leader to provide a specific financial quantification of that risk profile. Management can then evaluate whether the analyzed risk is acceptable or if not, what mitigations need to be implemented to reduce the risk to an acceptable level.

Communicating cyber security program effectiveness

As the senior management and Board become accomplished in understanding and using a risk quantification model for cyber risk, the security leader can now use it to measure and report on the overall security strategy and program. As changes occur in the threat landscape and business environment, these can be seen in changes in the loss estimates. Similarly, as investments are made in security controls and processes, the payback in terms of reduced risk exposure can be measured and reported in financial terms.

Where to start your cyber risk quantification journey

We have four tips to help security leaders get started on their cyber risk quantification journey:

  1. Get comfortable with the risk decisioning model.
  2. Socialize the model with peers.
  3. Integrate the decisioning model into your overall risk framework.
  4. Leverage the model to communicate the organization’s overall risk profile.

Get comfortable with the cyber risk decisioning model

First, the security leader needs to be comfortable with the risk decisioning model and the underlying assumptions. They don’t need to be a financial expert but understanding the basic inputs and drivers of any model is important. Experiment with different assumptions and inputs to understand the model sensitivity and drivers. Leverage experienced consultants to help ramp up quickly.

Socialize the cyber risk decisioning model with peers

Second, socialize the risk quantification model and dashboards with peers. Finance, insurance, and other risk professionals in the organization will want to understand the model. Start with one of the use cases described above and build from there. For example, use the model to help with your next cyber insurance review.

Integrate the decisioning model into your overall risk framework

Third, find ways to integrate the risk decisioning model into your overall risk framework. Consider how it can be used to help in managing your risk register, determine risk impacts, and evaluate risk treatments.

Use the “what if” analysis tools to help evaluate the efficacy of risk treatments. Expand the tool to measure risks at a business unit level. Use it to measure and manage supply chain risks.

Leverage risk quantification and decisioning to communicate overall risk profile

Finally, leverage risk quantification and decisioning to communicate the overall risk profile of your organization to your Board and senior management. Use the tools and models to help in your discussions of risk appetite and risk tolerance. Align your security investments and strategic roadmaps with the risk profile to demonstrate how investments in developing and maintaining capabilities are providing a payoff in risk reduction.

Why now is the time for cyber risk quantification and decisioning

In Cyber-Risk Oversight 2020, the National Association of Corporate Directors provides the following guidance:

“To address these increased expectations, companies need to understand the financial impact associated with cyber-event risk. Boards of directors and management are also expected to demonstrate to investors due care in the governance and oversight of cyber risk…. Leveraging these mathematical and scientific methods for improved analyses can allow for more effective decision making compared to qualitative types of risk scoring and heat map risk reporting.”

Regulators such as the Securities and Exchange Commission and investor groups are also calling for increased disclosure of cyber risk, including understanding the financial implication of cyber risk.

Now is a great time for security leaders to step forward and take the lead in cyber risk quantification. I would encourage security leaders to start experimenting and getting comfortable with cyber risk decisioning.

To get started on your cyber risk quantification and decisioning journey, get in touch with our advisory services team here.

Return-to-work: Best Practices for Implementing Proximity Tracing to Reduce Workplace Risk

Contact tracing is especially top of mind given the global challenges surrounding COVID-19, and, in some cases, it’s a requirement as organizations begin re-opening their doors to employees and customers. Analyzing location-based data from network-connected devices or Bluetooth and mobile application signals can significantly reduce workplace risk and enable a safe return to work.

We recently sat down with Joel Crane, Partner Sales Engineer at Juniper, and Ron Frederick, VP of Solutions Architecture at Kudelski Security, for a webinar covering effective methods for user location data collection and how to apply the analysis of that data to reduce workplace risk through various forms of contact tracing. A recap of that discussion is below.

Three ways network-based location data can be analyzed to reduce workplace risk

Enforce social distancing guidelines with congestion alerting. Congestion alerting is the most straightforward way to use location data. It doesn’t require user-level identification, just signals from Bluetooth, WiFi, or a mobile application. Defining a capacity limit for each area or zone will allow you to identify areas that exceed the allowed number of users, at which point you may choose to alert those nearby users that they are in or entering a congested area.

Identify potential contact events with proximity tracing. Proximity tracing looks at user-level location data to identify possible encounters, e.g., the areas and people a user comes into contact with and the time and duration of the encounter. This type of analysis requires the user to be identified by their device via Bluetooth, WiFi, or a mobile application.

Understand the potential spread with user journey mapping. Together with proximity tracing, user journey mapping creates a map that allows you to trace a user’s journey throughout a site, floor or zone as defined by your network access points. User journey mapping also requires user-level identification, which can be provided by a Bluetooth device, WiFi connection or mobile application.
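The three analyses above, run over a small constructed set of location sightings, as an added Python example. This is illustrative code written for this recap, not code from the webinar, Juniper Mist, or Kudelski Security; the zone names, capacities, timestamps, the 15-minute presence window and the 10-minute contact threshold are all assumptions, and the device-to-zone sightings stand in for whatever WiFi, BLE or app telemetry a deployment actually collects.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sightings: (device_id, zone, ISO timestamp). Zones map to access
# points; device ids would be MAC/hostname, badge beacon id, or app user id.
OBS = [
    ("dev-A", "lobby", "2023-01-10T09:00"), ("dev-A", "cafe", "2023-01-10T09:20"),
    ("dev-A", "floor2-east", "2023-01-10T09:40"),
    ("dev-B", "cafe", "2023-01-10T09:05"), ("dev-B", "cafe", "2023-01-10T09:25"),
    ("dev-B", "lobby", "2023-01-10T10:00"),
    ("dev-C", "cafe", "2023-01-10T09:10"), ("dev-C", "floor2-east", "2023-01-10T09:50"),
    ("dev-D", "cafe", "2023-01-10T09:12"),
]
CAPACITY = {"lobby": 10, "cafe": 3, "floor2-east": 20}   # assumed per-zone limits
WINDOW = timedelta(minutes=15)       # a sighting counts as presence for this long
MIN_CONTACT = timedelta(minutes=10)  # overlap needed to count as a contact event


def build_stays(obs, window=WINDOW):
    """Turn point sightings into per-device stays: (zone, start, end).
    Consecutive sightings in the same zone are merged; a stay ends at the next
    sighting in a different zone or `window` after the last sighting."""
    by_dev = defaultdict(list)
    for dev, zone, ts in sorted(obs, key=lambda o: (o[0], o[2])):
        by_dev[dev].append((zone, datetime.fromisoformat(ts)))
    stays = {}
    for dev, points in by_dev.items():
        runs = []  # [zone, first_seen, last_seen]
        for zone, t in points:
            if runs and runs[-1][0] == zone:
                runs[-1][2] = t
            else:
                runs.append([zone, t, t])
        out = []
        for i, (zone, first, last) in enumerate(runs):
            end = last + window
            if i + 1 < len(runs):
                end = min(end, runs[i + 1][1])
            out.append((zone, first, end))
        stays[dev] = out
    return stays


def congestion(stays, capacity=CAPACITY):
    """Congestion alerting: peak simultaneous occupancy per zone vs. its limit.
    Needs no user identity, only counts."""
    events = defaultdict(list)
    for lst in stays.values():
        for zone, start, end in lst:
            events[zone].append((start, 1))
            events[zone].append((end, -1))
    report = {}
    for zone, evs in events.items():
        current = peak = 0
        for _, delta in sorted(evs):   # an end at time t sorts before a start at t
            current += delta
            peak = max(peak, current)
        report[zone] = {"peak": peak, "exceeded": peak > capacity.get(zone, float("inf"))}
    return report


def contacts(stays, min_contact=MIN_CONTACT):
    """Proximity tracing: pairs of identified devices in the same zone whose
    stays overlap for at least min_contact. Returns (a, b, zone, minutes)."""
    found = []
    for a, b in combinations(sorted(stays), 2):
        for za, sa, ea in stays[a]:
            for zb, sb, eb in stays[b]:
                if za != zb:
                    continue
                overlap = min(ea, eb) - max(sa, sb)
                if overlap >= min_contact:
                    found.append((a, b, za, int(overlap.total_seconds() // 60)))
    return found


def journey(stays, dev):
    """User journey mapping: the ordered zones one device moved through."""
    return [zone for zone, _, _ in stays.get(dev, [])]


if __name__ == "__main__":
    stays = build_stays(OBS)
    print("congestion:", congestion(stays))
    print("contacts:", contacts(stays))
    print("journey dev-A:", journey(stays, "dev-A"))
```

Note the privacy gradient built into the three functions: congestion works on counts alone, while contacts and journey require stable per-device identifiers, which is exactly the distinction the recap draws between the analyses that need user-level identification and the one that does not.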

Methods of collecting user location data for analysis

The type of analysis you’re able to perform depends on the accuracy and completeness of the location data you’re able to collect. There are three primary methods of collecting location data—each with its own advantages and disadvantages.

WiFi Networks

WiFi is the best place to start for location data gathering. It’s the easiest method to deploy, only requiring an access point to be installed. In fact, Juniper includes this type of tracking with all their Mist deployments. WiFi is always-on, meaning your location data is nearly real-time. Its one limitation, however, is accuracy. WiFi location data is accurate at about 5-10 minutes, which is okay but not great.

There are two variations of WiFi data collection: connected users and unconnected users. Connected users have a phone or device connected to the WiFi network. This allows you to track users at the individual level by hostname or MAC address. Collected data from unconnected users won’t give you the ability to uniquely identify a user, but it will show you how many devices are scanning for WiFi in a certain zone.

Bluetooth Beacons

Bluetooth is a great option for collecting location data because it’s always-on. It’s easy to connect a user to a Bluetooth device, especially if you implement a Bluetooth beacon on employee badges (e.g. kontakt.io). If you’re looking at all Bluetooth devices, however, you will need to account for users having multiple devices on their person—a phone, headphones, badge, etc. Bluetooth location data is moderately accurate at about 3-5 meters.

Bluetooth also provides the most variety in terms of the methods of data collection available. Passive BLE listening, for example, can tell you where Bluetooth devices are, but not who they belong to. BLE tags, like kontakt.io beacons, are constantly signaling and would be tied to a specific user, giving you more precise, real-time location data. Finally, BLE application-based tracking ties to a user’s device….

Mobile Applications

Using an application installed on a mobile phone is the most accurate way to collect user-level location data, at about 1-3 meters accuracy. This makes it very precise, but with a caveat: you are only able to collect data from users who have the app installed on their device. For corporate devices, this won’t be a problem. You can use your mobile device management platform to push the app to all employees. For BYOD or customer devices, however, you may need to offer an incentive to entice users to install the mobile app. Mobile applications also allow for bi-directional communication, which enables push notifications and blue-dot navigation if needed.

Juniper’s Mist platform now supports digital contact tracing to enable a safe, secure return-to-work. Mist customers can perform capacity analysis, proximity tracing and user journey mapping with a subscription to Juniper’s Assistant and Premium Analytics services.

For assistance in evaluating a digital proximity tracing solution, request a consultation with Kudelski Security’s Advisory Services here.

Frost & Sullivan on Secure Blueprint

One of the toughest challenges facing Chief Information Security Officers is communicating effectively with the board of directors. That raises the question: how can CISOs articulate their comprehensive and sophisticated security strategy to the board?

Kudelski Security’s Secure Blueprint SaaS is a business management platform, designed by CISOs and created for CISOs. The software enables security leaders to plan, execute and evolve business-aligned security programs, allowing continuous improvement. It enables security leaders to centralize key management functions, gives them visibility on maturity and risks, and facilitates stakeholder engagement.

See what Frost & Sullivan, the global business consultants, have to say about Kudelski Security’s software:

If you haven’t got three minutes to watch the video, key takeaways include:

  • Secure Blueprint measures cyber program maturity and risk by benchmarking an organization’s capabilities across cybersecurity control models like the NIST cybersecurity framework or Kudelski Security’s own cybersecurity portfolio management model
  • Security strategy needs to be communicated to the organization, the C-suite, and the board of directors in business language, not tech speak
  • The program facilitates and automates stakeholder engagements, taking lengthy quarterly meetings down to just a few minutes
  • Secure Blueprint allows the CISO and board of directors to effectively communicate the security strategy using out of the box executive dashboards

If you’re interested in learning more about Secure Blueprint, click here.

Growing Number of Women in Cybersecurity

The lack of women in the IT world is easy to recognize. With an ever-growing demand for a more diverse workplace, a general shortage of cybersecurity workers, and constant cyber threats, the demand is surely there.

Olivia Rose, Kudelski Security director of global risk solutions, knows that all too well. The latest statistics suggest that women make up only around 10 percent of the cybersecurity field in the US, and even fewer worldwide. Though she fell into cybersecurity by chance, she hasn’t turned away in almost two decades. Speaking on the Security Boulevard podcast CyberSpeak, Olivia delves into a multitude of topics surrounding her experience and the growing number of women in cybersecurity.

According to Olivia, there are two sides to security:

  1. The highly technical side. If you actually are interested in coding, encryption, technology, penetration testing, etc., go for it.
  2. The strategy and governance side. This is becoming recognized as even more critical than the technology side at times. You help develop the programs and strategy, and find the gaps in existing security programs to help companies effectively defend themselves. This requires a high degree of listening, communication, and creative thinking skills – ALL SKILLS women tend to be good at. It also involves partnering with executives and senior management of companies, which requires these same skills, which women tend to be strong at.

You can listen to the podcast by clicking the play button below.

Olivia has some additional advice for women who may be considering diving into cybersecurity:

  • If you want to get into a field which holds unlimited potential, especially for women, security is it. We need more women (and we need more people in general).
  • The industry needs the skills women tend to be strong at; they shouldn’t be scared to enter the field. Some of the most successful security consultants, salespeople, and execs I’ve ever worked with have been women because they’ve leveraged their gender skills.
  • Women need to change their perspective of what security is and what is needed to work in the field.
  • Yes, it’s a highly male-dominated field and you will face situations where you are made to feel less important and/or uncomfortable. But this is also why we need more women in this field, to even out the playing field and support each other.
  • Views on women in the field are changing and becoming more accepting, so it is less harassing than it was ten years ago, but be ready for certain situations which you will encounter.

This podcast was originally featured on Infosec Institute.

Visit the Kudelski Security careers page if you’re interested in our current job openings.