CIO convergence, 10 critical security metrics, and the fallout from Ivanti

Welcome to CISO Corner, the weekly collection of Dark Reading articles designed specifically for readers and security leaders involved in security operations. Each week we will offer articles collected from our news operations, The Edge, DR Technology, DR Global and our Commentary section. We are committed to bringing you a diverse set of perspectives to support the work of operationalizing cybersecurity strategies, for leaders of organizations of all shapes and sizes.

In this issue:

  • 10 Categories of Security Metrics CISOs Should Present to the Board

  • Convergence between CISO and CIO: ready or not, here we are

  • The FCC requires telecommunications and VoIP providers to report any PII breaches

  • DR Global: Middle East and Africa CISOs plan to increase 2024 budgets by 10%

  • GenAI tools will permeate all areas of the company

  • Should CISOs give up on Ivanti for now?

10 Categories of Security Metrics CISOs Should Present to the Board

By Ericka Chickowski, Contributing Writer, Dark Reading

Boards of directors don’t care about the fine technical details of a security program. They want to see how key performance indicators are monitored and used.

With the US Securities and Exchange Commission's new cybersecurity rules now in place, security teams must apply greater rigor in how they track key performance indicators (KPIs) and key risk indicators (KRIs) and how they use those metrics to advise and report to the board of directors.

“When shared with the board’s risk or audit committees, these KPIs highlight the organization’s cybersecurity capabilities and the efficiency of IT controls, while helping the board evaluate the adequacy of investments in technology and talent,” write Homaira Akbari, CEO of AKnowledge Partners, and Shamla Naidoo, head of cloud strategy for Netskope, in their book The Cyber Savvy Boardroom.

Drawing on the recommendations in the book, Dark Reading analyzes the key operational security metrics that CISOs and IT leaders must be comfortable knowing to provide the board with a comprehensive report on risk levels and security performance, and discusses how to create a data-supported model to determine the effectiveness of an organization’s program and identify security gaps.

Read more: 10 Categories of Security Metrics CISOs Should Present to the Board

Related: How CISOs can create better narratives for the board

Convergence between CISO and CIO: ready or not, here we are

Commentary by Arthur Lozinski, CEO and co-founder of Oomnitza

Recent changes highlight the importance of collaboration and alignment between these two IT leaders for successful digital transformation.

CISOs’ management of digital risk control is so essential to the success of digital transformation that their roles increasingly overlap with those of CIOs, highlighting the ongoing trajectory of cybersecurity from the server room to the boardroom.

The two roles have coexisted for 20 years, but CIOs are now primarily tasked with sourcing and leveraging technology to support business innovation – and the role is significantly less operational than it was in the past.

Meanwhile, the CISO is now a key operational stakeholder, dealing with compliance mandates, preventing operational disruptions due to data breaches, and assigning risk scores to emerging cybersecurity threats.

The result? CIOs and CISOs are increasingly walking hand in hand, and no matter how the two roles evolve, the shift highlights the importance of collaboration and alignment between these two IT leaders for successful digital transformation—and beyond.

Learn more about CIO/CISO convergence: Convergence between CISO and CIO: ready or not, here we are

Related: How changes in state CIO priorities for 2024 apply to API security

The FCC requires telecommunications and VoIP providers to report any PII breaches

By Tara Seals, Editor-in-Chief, News, Dark Reading

The Commission’s breach rules for voice and wireless service providers, unchanged since 2017, have finally been updated for the modern era.

Move over, SEC: There’s a new compliance mandate in town.

Starting next month, telecom and VoIP providers will have to report data breaches to the FCC, the FBI and the Secret Service within seven days of discovery.

And they will have to issue data breach notifications to customers whenever there is personally identifiable information (PII) involved in a cyber incident.

The FCC released its final rules this week, requiring carriers and service providers to be more transparent when PII is exposed. The Commission’s definition of PII is broad and includes not only names, contact information, dates of birth and social security numbers, but also biometric data and a range of other data.

Previously, the FCC required notifications to customers only when Customer Proprietary Network Information (CPNI) data was affected—that is, phone bill information such as subscription plan data, usage charges, numbers called or texted, and so on.

The last update to the FCC’s breach reporting requirements was 16 years ago.

Read more: The FCC requires telecommunications and VoIP providers to report any PII breaches

Related: Prudential Files Voluntary Breach Notice With SEC

Middle East and Africa CISOs plan to increase 2024 budgets by 10%

From DR Global

By Robert Lemos, Contributing Writer, Dark Reading

New data shows stronger-than-expected cybersecurity growth in the Middle East, Turkey and Africa region, thanks to artificial intelligence and other factors.

The cybersecurity market is expected to grow rapidly in the Middle East, Turkey and Africa (META) region, with spending expected to reach $6.5 billion in 2024.

According to IDC, more than three-quarters of CISOs in the region are planning to increase budgets by at least 10% this year, driven largely by geopolitical threats, the growth of generative AI and increased data protection regulation across the region.

“The increase in successful cyber crimes has driven demand for consulting services in non-core countries where awareness is not as high compared to core countries,” says Yotasha Thaver, research analyst for IT security data at IDC South Africa and META. “There is also a push from governments, particularly in the Middle East, to improve cybersecurity.”

Spending will naturally vary from country to country. For example, Saudi Arabia and the United Arab Emirates (UAE), which are actively investing in national strategies to protect their networks and technologies, are on a higher-growth spending trajectory than their peers, IDC found.

Read more: Middle East and Africa CISOs plan to increase 2024 budgets by 10%

Related: UAE banks conduct cyber warfare gaming exercises

GenAI tools will permeate all areas of the company

From Further Reading: DR Research Reports

Many departments and groups see the benefits of using generative AI tools, which will complicate security teams’ work to protect the company from data leaks and compliance and privacy breaches.

There is significant interest among organizations in using generative artificial intelligence (GenAI) tools for a wide range of use cases, according to Dark Reading’s first-ever survey on GenAI. Many different groups within companies can use this technology, but these tools appear to be most commonly used by data analytics, cybersecurity, research, and marketing teams.

Nearly a third of respondents say their organizations have pilot programs or are otherwise exploring the use of GenAI tools, while 29% say they are still evaluating whether to use these tools. Only 22% say their organizations are actively using GenAI tools, and 17% say they are in the process of implementing them.

Security teams are examining how these tools can be incorporated into their daily operations, particularly to write code, search for reference information related to specific threat indicators and issues, and automate investigative activities.

Meanwhile, marketing and sales groups most often use GenAI to create first drafts of text documents, develop personalized marketing messages and summarize text documents. Product and service groups have begun to rely on GenAI to identify trends in customer needs and create new designs, while service groups focus on predicting trends and integrating the technology into customer-facing applications, such as chatbots.

Learn more about how Dark Reading readers plan to use generative AI in the enterprise in this free downloadable report.

Read more: GenAI tools will permeate all areas of the company

Related: Saudi Arabia launches “Generative AI for All” program

Should CISOs give up on Ivanti for now?

By Becky Bracken, editor, Dark Reading

Cascading critical CVEs, cyberattacks, and delayed patches are plaguing Ivanti VPNs, leaving cybersecurity teams scrambling for fixes. Researchers are not impressed.

Ivanti has disclosed five VPN flaws so far in 2024, most of them exploited as zero-days – with two of them announced publicly weeks before patches became available. Some critics, such as cybersecurity researcher Jake Williams, see Ivanti’s excess of vulnerabilities and the company’s slow incident response as an existential threat to the company.

Williams attributes Ivanti’s current problems to years-long negligence in secure coding and security testing. To recover, Ivanti would have to overcome that technical debt, according to Williams, and at the same time somewhat rebuild trust with its customers. It’s a task Williams adds he doubts Ivanti will be able to complete.

“I don’t see how Ivanti survives as an enterprise firewall brand,” Williams tells Dark Reading, a sentiment he has widely repeated on social media.

Ultimately, Ivanti’s troubles fall to the cyber teams at customer organizations, who will have to make a choice. Cyber teams can follow CISA’s advice and disconnect Ivanti VPN equipment, updating it before reconnecting. Or, while they are already offline installing patches, they can replace Ivanti appliances altogether with fully updated devices.

However, some argue that sticking with Ivanti may be a juice that is not worth the squeeze. “These devices need their software to be designed with the same seriousness that this threat requires,” says John Bambenek, president of Bambenek Consulting. “If I were a CISO, I would consider Ivanti for a few years until it proves itself again.”

Read more: Ivanti gets poor marks for cyber incident response

Related: Volt Typhoon hits several power companies and expands IT activity
