EBK-Cybersecurity: Understanding Stock Market Terminology

Basic Stock Market Terminology for CyberSecurity Professionals and Why Should They Care!

June 26, 2022 – Rafeeq Rehman

The role of InfoSec professionals has morphed into a critical business function. One should expect to get involved in “business” discussions often, and at increasingly higher levels of the business structure, up to the board of directors. Understanding and speaking business language is more important than ever for the success of any InfoSec professional.

As mentioned in my last post, I have started building a body of knowledge for the Essential Business Knowledge (EBK) needed by cybersecurity professionals. The first domain of this body of knowledge is “Essential Business Terminology for InfoSec Professionals”. This post covers some of these terms related to stock markets, where to get this information, and why InfoSec professionals should care. The following diagram shows terms in only one category (Stock Market).

Domain 1 – Essential Business Knowledge (EBK) – Stock Market Terminology

Stock Markets

A very large number of information security professionals work in publicly traded companies. Company stakeholders (shareholders/investors, company executives, employees who own company stock) have a keen interest in the performance of the company in the stock market. They use “stock market language” in business meetings and risk discussions.

Information security professionals should develop a foundational understanding of the stock market to follow these discussions and to become a productive part of the conversation.

Where to get stock market information?

Stock market data is available online from many sources. In the United States, you can get the latest data from one of the following (and many other) resources.

  • Yahoo Finance (finance.yahoo.com)
  • Google Finance (finance.google.com)

Public and Private Companies

For-profit commercial businesses typically fall into two categories: public and private. Public companies are those traded in a stock market, where any investor can buy or sell their shares/stocks. Private companies, on the other hand, are owned by a limited number of shareholders and are not traded in the stock market.

Why should infosec professionals care?

  • Public companies are required to comply with many laws and regulations that do not apply to private companies. Infosec professionals working in public companies are often involved in compliance, monitoring, and investigation activities.

Stock Ticker

A ticker is a symbol assigned to each company traded in the stock market. For example, the ticker for Apple Inc is AAPL, for Cisco it is CSCO, for Palo Alto Networks PAN, and so on. There are usually multiple stock markets in each country, each with its own ticker symbols for the stocks traded on it.

Why should infosec professionals care?

  • Stock tickers are commonly used in business conversations. You should know the stock ticker of your own company as well as tickers of major competitors.
  • Many APIs integrated into corporate applications use stock tickers. Infosec professionals may be engaged in security assessment of these applications and APIs.
  • Applications used to track public sentiment and breaking news on social media also use ticker symbols. Some security operations centers may be using this information for real-time awareness.

Market Capitalization

Market capitalization, also known as market cap, is the total value of a company, calculated by multiplying the stock price by the number of outstanding shares.

Market capitalization = share/stock price x total number of shares outstanding

  • Market cap is a measure of a company’s worth as viewed by investors in the stock market.
  • Market capitalization is frequently used to show the growth or decline of a company in financial terms.
  • Market cap is used to put businesses into categories. For example, companies with a market capitalization larger than 10 billion are called large-cap companies.

Why should infosec professionals care?

  • Sometimes infosec professionals need market capitalization in risk calculations.
  • The impact on market cap after a significant data breach is an important metric.

Initial Public Offering or IPO

An initial public offering, also known as an IPO, is the process by which a company starts trading in a stock market. An IPO is a very important event in the life of a startup company. After an IPO, the general public can invest in the company’s stock.

Investment banks help private companies establish their valuation and take them to the stock market. An IPO establishes the initial market capitalization of a company. A ticker symbol is also assigned at the time of the IPO.

Why should infosec professionals care?

  • An IPO is an important milestone for a company.
  • Companies may face elevated threat activity at the time of an IPO, intended to gather and sell financial data.

Insider Trading

Some people inside any company have access to financial information that is not available to the public for trading (buying or selling stocks). Insider trading is when these individuals use or share this information to trade company stock. Not all insider trading is illegal. There are certain rules for individuals with insider knowledge who trade company stock, and their trades are legal as long as they abide by these rules.

Sharing insider information with outside entities is also a crime, and there are strong penalties, including jail time, for people caught in such activity.

Why should infosec professionals care?

  • Some infosec professionals, as part of their investigation work, may get access to financial information not available to the public. In that case they should check with the internal legal/ethics team to understand whether insider trading rules apply to them.
  • You may be asked to do an investigation (DLP systems, log reviews, etc.) to determine whether an individual is involved in insider trading.
  • You may be responsible for risk assessment of financial systems and for implementing security controls to limit access.

Securities and Exchange Commission – SEC

The Securities and Exchange Commission, also known as the SEC (sec.gov), is a US government agency responsible for regulating stock markets, ensuring fairness, stopping illegal insider trading, and investigating cases where it suspects market manipulation.

Why should infosec professionals care?

  • For public companies, complying with SEC regulations is crucial. Infosec professionals are usually involved in designing, implementing, and monitoring controls for SEC compliance.
  • SEC controls may involve data retention, access to certain data, and monitoring the communications of individuals in certain roles (e.g. traders).

What About Other Terms?

Not all terms are covered in this post, but it gives the reader an idea of what to expect when we expand the other subcategories, including:

  • General Management Terms
  • Budgeting and Financing
  • Sales and Marketing
  • User Experience
  • Legal and Compliance

Stay tuned!


Essential Business Knowledge for InfoSec Professionals

June 18, 2022 – By Rafeeq Rehman

The role of InfoSec professionals has morphed into a critical business function. One should expect to get involved in “business” discussions often, and at increasingly higher levels of the business structure, up to the board of directors. Understanding and speaking business language is more important than ever for the success of any InfoSec professional. Knowing basic business lingo is also crucial for effective communication inside an organization.

Lack of basic business knowledge and common business terminology hinders success and progress.

I have started creating a body of knowledge for the basic business skills required for the success of security professionals and for elevating their status in the business hierarchy. Following are eight major domains of essential business knowledge for information security professionals.

  • DOMAIN 1 – Essential Business Terminology for InfoSec Professionals
  • DOMAIN 2 – Business Communication for InfoSec Professionals
  • DOMAIN 3 – Funding Requests and Managing InfoSec Budget
  • DOMAIN 4 – Working with Vendors and Partners
  • DOMAIN 5 – Building Alliances, Collaboration to Advance InfoSec Goals
  • DOMAIN 6 – Excellence in InfoSec Customer Service, Knowing and Serving Customers
  • DOMAIN 7 – Creating Business Value with InfoSec
  • DOMAIN 8 – General Soft Skills to Succeed as InfoSec Professional

While the diagram shown here is a draft version, a much more detailed body of knowledge and a program to acquire this knowledge/skills will follow.

What are Major Skill Gaps?

ISACA published a report, “State of Cybersecurity 2022”, presenting its findings on the global workforce. The most striking of all the findings is Figure 14 of the report, showing the major skill gaps among security professionals.

At the top of these skill gaps is “soft skills”, which includes communication, flexibility, leadership and others. This is similar to what we have been discussing about creating a body of knowledge for Core Cybersecurity Skills and Practices. Please see a screenshot of Figure 14 from the ISACA report (the report is available for download at https://www.isaca.org/go/state-of-cybersecurity-2022).

Figure 14: ISACA Report on State of CyberSecurity 2022


CISO MindMap 2022 – Recommendations

I have included six specific recommendations with the recent publication of the CISO MindMap. This article further elaborates on these recommendations, why they matter, and what actions information security leaders can take. The objective is to provide context for these recommendations and a starting point for action. The actual strategy will vary for each organization depending upon how its IT environment and networks are designed and implemented.

Recommendation 1

Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.

Why it matters:

  1. Ransomware is widespread and will continue to be in the near future, as it provides a quick monetization path to attackers. In many industry sectors it also touches human life and safety (energy, healthcare, manufacturing, shipping, etc.), making it even more impactful.
  2. Ransomware attacks have high visibility among corporate boards and executive leadership.

What to do:

  1. Perform business impact analysis with an objective of identifying critical assets, processes, applications and data.
  2. Evaluate security controls to protect these assets. Buy insurance.
  3. Test online and offline backups to ensure backups can be reliably restored within recovery windows.
  4. Evaluate your capabilities for dealing with ransomware attacks through mock drills and tabletop exercises.

Recommendation 2

Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams.

Why it matters:

  1. A Ponemon study shows that InfoSec teams have an average of 47 tools. Also, 53% of leaders are not sure whether these tools are working.
  2. More tools mean more staff, more cost, and a higher probability of becoming shelfware.
  3. Fewer tools that are properly configured and fully utilized actually work better in managing and optimizing risk.

What to do:

  1. Take an inventory of all security tools and their features.
  2. Identify feature overlap and eliminate redundancy.
  3. Eliminate shelfware (tools that are purchased but never used).
  4. Explore the use of Cloud-based subscription services. These are relatively easy to maintain over time.
  5. Simplify!

Recommendation 3

To serve your business better, train staff on business acumen, value creation, influencing and human experience.

Why it matters:

  1. Studies from organizations like ISACA show that “soft skills” is the largest gap among infosec professionals.
  2. The work of infosec professionals impacts other fields in technology and business. The ability to effectively communicate and influence others is crucial to the success of your work.
  3. Security must become a business differentiator!

What to do:

  1. Create a body of “essential business skills” that serves as a curriculum for InfoSec professionals (refer to some of my work at my blog site rafeeqrehman.com).
  2. Train the team on key business concepts: value creation, negotiation, conflict management, influencing, effective communication, human experience, listening, collaboration, KPI (Key Performance Indicators), NPS (Net Promoter Score) and others.
  3. Add a column to security controls databases/spreadsheets to monitor the impact of a control on human experience (both positive and negative).

Recommendation 4

Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.

Why it matters:

  1. Use of open source software is not bad in itself. Everyone uses open source software. The biggest examples are Linux and the Apache web server.
  2. Many commercial software vendors use open source components but don’t properly disclose it.
  3. Recent vulnerabilities (e.g. log4j) have far-reaching impact.

What to do:

  1. It is crucial to have an up-to-date inventory of all open source software, whether used as a standalone product or embedded as a library inside a product. We can’t manage what we don’t know exists.
  2. Require your software vendors to provide you with a list of all open source libraries, and their versions, embedded in their products.
  3. Make this list part of the vulnerability management program. Monitor the release of new vulnerabilities and patches for your inventory of open source software components.
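As an added example (not from the post or the CISO MindMap), here is how the inventory from step 1 and the vendor-supplied component lists from step 2 can be matched against advisories for step 3: each advisory carries an affected version range, and the check flags any inventoried component whose version falls inside it. Component names, versions, advisory IDs and affected ranges are constructed placeholders, not real advisory data.

```python
"""Match an open source component inventory against advisories by version range.

All inventory entries, advisory IDs and affected ranges below are constructed
placeholders for illustration, not real vendor or advisory data.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory in a CycloneDX-like shape: one entry per component,
# whether it is a standalone package or a library embedded in a vendor product.
INVENTORY: Dict = {
    "components": [
        {"name": "log4j-core", "version": "2.14.1", "source": "vendor-supplied component list"},
        {"name": "openssl", "version": "1.1.1q", "source": "standalone package"},
        {"name": "jackson-databind", "version": "2.13.4.2", "source": "internal build"},
    ]
}

# Constructed advisories with placeholder IDs. The affected range is [introduced, fixed).
ADVISORIES: List[Dict] = [
    {"id": "ADV-EXAMPLE-001", "component": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-002", "component": "openssl", "introduced": "1.1.1", "fixed": "1.1.1r"},
    {"id": "ADV-EXAMPLE-003", "component": "jackson-databind", "introduced": "2.13.0", "fixed": "2.13.4.2"},
]


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '2.14.1' or '1.1.1q' into a tuple that compares numerically.

    Each dot- or dash-separated piece becomes (number, letter_suffix) so that
    OpenSSL-style letter releases (1.1.1q < 1.1.1r) sort correctly. A piece with
    no leading number (e.g. 'beta9') gets -1 so it sorts below a numbered piece
    in the same position.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        match = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if match:
            parts.append((int(match.group(1)), match.group(2)))
        else:
            parts.append((-1, piece))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under parse_version ordering."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_affected(inventory: Dict, advisories: List[Dict]) -> List[Dict]:
    """Return one finding per (component, advisory) pair whose version is in range."""
    findings = []
    for comp in inventory["components"]:
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "source": comp["source"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    # With the constructed data, log4j-core and openssl are flagged; jackson-databind
    # is already at the fixed version and is not.
    for f in find_affected(INVENTORY, ADVISORIES):
        print(f"{f['component']} {f['version']} ({f['source']}): "
              f"{f['advisory']}, fixed in {f['fixed_in']}")
```

The same loop runs unchanged over a real SBOM export and a real advisory feed once both are mapped into the two shapes above; the "source" field keeps track of which vendor list a finding came from, which is what you need when chasing a vendor for a patch.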

Recommendation 5

Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.

Why it matters:

  1. Business enablement requires InfoSec professionals to be at the forefront of innovation and to provide guidance on how to utilize emerging technologies (or risk being a roadblock to innovation).
  2. Security professionals must learn new technologies, identify the use of these technologies inside their organizations, and proactively build policies and standards for their use.

What to do:

  1. As an InfoSec leader, identify emerging technologies relevant to your business and encourage your teams to build expertise.
  2. Allocate budget for training or incentives for self-learning.
  3. Some technology areas are a must for every security team. These include a basic understanding of machine learning (ML) models, how ML models are trained, modern Cloud application architecture, service mesh, containers, and DevOps.

Recommendation 6

Maintain a centralized risk register. Even better: integrate into your enterprise risk management program. Track risk for technology, insiders, processes, third parties, compliance and skill gaps.

Why it matters:

  1. Risk management is a key component of any reasonable security management program, yet many organizations don’t have a good idea of their overall risk.
  2. Corporate boards and business leadership need InfoSec leaders to get better at communicating cyber risk.
  3. Cyber insurance companies’ demands for better risk management practices are only going to increase.

What to do:

  1. While proper quantification of risk is a great aspirational goal, many organizations can start with simple methods to track risk.
  2. Account for all major areas (technology, insider threat, process gaps, third parties, skill gaps in security teams, compliance, use of open source software) and adopt a consistent methodology for risk identification, assessment, prioritization and treatment.

References

  1. Download CISO MindMap 2022
  2. 2022 ISACA Report on State of Cybersecurity
  3. Managing Cybersecurity Program Cost
  4. Ponemon Report: The Cybersecurity Illusions, The Emperor Has No Clothes.
  5. CISA National Risk Management Center (NRMC)
  6. Verizon Data Breach Investigations Report (DBIR)
  7. CISA Stop Ransomware website
  8. Blog post: Why we need to redefine CIA triad
  9. Blog post: What is service mesh and why should anybody care
  10. AWS Publication: Ransomware Risk Management on AWS using NIST Cyber Security Framework (CSF)

Disclaimer

Recommendations provided here are not professional advice. Cybersecurity is a complicated matter and actions may differ significantly based upon how the overall ICT networks and applications are designed and implemented. A thorough assessment of network and applications is necessary for specific recommendations.


CISO MindMap 2022: What do InfoSec Professionals really do?

NOTE: An updated version of CISO MindMap has been published here.

Let me start with the quote from last year: most people outside the cybersecurity profession don’t fully realize and appreciate the complexity of a security professional’s job. Since 2012, the CISO MindMap has been an effective educational tool and has enabled professionals to design and refine their security programs. Here is the latest and updated CISO MindMap for 2022, with a number of updates and new recommendations for 2022-23.

CISO MindMap 2022

Please download PDF version for better printing quality.

What has changed?

With time, the responsibilities of security professionals only increase. Why? Technology is changing fast, bringing new ways of doing business, continuous adoption of Cloud, and many emerging technologies. Infosec professionals are not only “expected” to deeply understand these technologies, but also to provide policies/guidance on how to secure them. For this reason, every year you find a few new things on the CISO MindMap. Like every year, a few things are added, changed or removed from the MindMap depending upon their relevance. Changed items are marked in red for your convenience.

Other changes include, but are not limited to:

  • Remove duplicates
  • Merge branches with overlapping functions
  • Add NIST CSF references at high level, where possible.
  • In some cases more defined/accepted terminology has emerged. For example, Cloud Security Posture Management (CSPM) is a widely accepted term now. As a result, I have replaced some Cloud Security items with CSPM.
  • Expiration Date – A common issue is that many professionals still have older CISO MindMap copies. I added an “expiration date” to let people know when they should stop using a particular version. The expiration date for the 2022 version is the end of June 2023. The next version will be published before the current version expires.

Recommendations for 2022-2023

I know you already get plenty of recommendations from your vendors, industry analysts and pundits, and other “experts”. You also know that many of these recommendations may carry vested interests and/or biases. I make my own recommendations as a practitioner every year and try to be objective, avoid the hype, consider the need for adoption in the next 12-18 months, and focus solely on what data and research show. However, it is still my interpretation of data and facts, and I may have my own unintended biases even with all objectivity and an evidence-based approach. For me, the most difficult part of making these recommendations is to pick as few as I can. The following list is longer than I would like it to be, but hopefully it will give you a few things to think about. Followers of the MindMap will quickly notice that some of these are the same as last year.

  1. Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.
  2. Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams.
  3. Train staff on business acumen, value creation, influencing and human experience to serve business better. I can’t emphasize this enough.
  4. Take an inventory of open source software (both direct and indirect use) and make it part of your vulnerability management program.
  5. Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.
  6. Maintain a risk register.

I am eager to listen to your viewpoint on these recommendations, why or why not!

How to use CISO MindMap?

I receive messages from many professionals about the different ways they are using the CISO MindMap. Over the years it has become a great tool for many of you, and I appreciate your feedback and kudos. Following are some of the ways this MindMap is quite helpful:

  • Have you been asked what you really do as a security professional? The CISO MindMap is one way of answering the question and explaining it to people. I have heard from many professionals that this MindMap is extremely helpful in explaining the complexity of a CISO’s job, especially to a business audience.
  • A means for guiding conversation with other technology professionals.
  • SANS Institute uses it as part of the Security Leadership Poster.
  • Designing and refining security programs.
  • Some security vendors use the MindMap for awareness.
  • CISO group discussions and/or community meetings.

Obviously there is a lot on this MindMap. The stress on people who carry these responsibilities is real. If nothing else, this MindMap should help leaders recognize that stress and do something about it. I also covered this topic (stress) in my latest book, Cybersecurity Arm Wrestling: Winning the perpetual fight against crime by building a modern Security Operations Center (SOC).

Translation to other languages

Some of you have offered to translate the MindMap into other languages. I really appreciate it and look forward to working with you to have a few translations completed this year.

Acknowledgments

Many people have contributed to the thought process behind this MindMap over the years. This time we had a LinkedIn Group to gather suggestions and comments from the community. While many provided feedback, the following is an alphabetically organized list of people and organizations who provided “specific suggestions” for improvements. If I missed anyone, please send me a message so I can make corrections.

Your suggestions contributed towards overall enrichment of the MindMap. Additionally, I am thankful to all community members who use and share their experiences. Your input is highly appreciated!

Copyright © Note

This MindMap is copyrighted material. However, it is absolutely free to all (like water and air) with no strings attached, as long as it is not altered and not used to make money. When using this MindMap, please cite the source properly so that recipients can receive future updates.


Essential skills to start any career path in information security

Essential skills for all infosec career paths

Many career paths in information security are well established, and new ones are emerging. Although each career path requires specific skills, some skills are fundamental and essential to all of them. These essential skills are listed below, and anybody wishing to be successful in information security should build a strong foundation in all of them.

  1. Foundational information security principles
    • Confidentiality, Integrity and Availability (CIA), fundamental security architecture, least privilege, need to know, access controls
  2. Operating Systems and Cloud – Linux/Unix, Windows, Cloud, mobile operating systems, and fundamental hardening methods for these operating systems
  3. Networking and application protocols
    • Very good knowledge of common Internet and application protocols: TCP/IP, DNS, HTTP, SMTP, SSH, routing protocols, etc.
    • Knowledge and hands-on practice with routers and switches, packet capture tools, nmap, curl, and other tools, to be able to know what is happening on the network
  4. Scripting and Programming
    • Shell scripting, Python, understanding how web applications are built, HTML, JavaScript, SQL/databases
  5. Encryption technologies – PKI concepts, TLS, data security
  6. Written and verbal communication


Why we need to redefine CIA triad of information security

Whether it is opening a firewall port, relaxing a permission on an S3 bucket, or mailing a confidential document to a private email address, people often try to circumvent information security controls with the “good intention of getting things done”. Unfortunately, this repeatedly results in data breaches, many of which could be avoided. One of the reasons is how the CIA (Confidentiality, Integrity, Availability) triad is used by information security professionals to design security controls. An overemphasis on the CIA triad makes information security professionals forget the harm some of these controls may do to the human experience, and creates an implicit temptation for others to circumvent those controls. It is time to recognize this issue and make modifications to remediate it.

What is the CIA triad of information security?

The triad is built around the fundamental principles and objectives of any information security program. It has done an excellent job of explaining information security to newcomers to the field and of explaining security objectives to others.

The CIA triad of information security

In summary:

  1. Confidentiality is about ensuring that information stays protected and is disclosed only to people who need to know it.
  2. Integrity is built around the idea that no unauthorized change is made to information, systems and networks, to protect confidence in the accuracy of the information and other IT systems.
  3. Availability is about information, systems, networks and other resources staying available in the face of cyber attacks, natural disasters, and other unforeseen events.

There are numerous articles written on this topic and I am not going to go into detail, except to state one crucial aspect: a balance is needed among all three parts of the triad, as overemphasis on one can impact the others. For example, over-protection of confidentiality may adversely impact availability.

Without good human experience, the triad is failing the profession

One way or the other, directly or indirectly, people ultimately have to interact with the security controls designed by information security departments. We are painfully aware that security teams are often considered a roadblock rather than an enabler of the business because of these controls. I am sure many of us have heard quotes like “security is where ideas go to die”. If you dig deeper into this notion and ask why it is so, you will easily come to realize that the missing element in designing security controls is the human experience.

With very good intentions and without any intended disregard for the human experience, security professionals sometimes still get carried away with a strict implementation of the CIA triad in the design of security controls. The reason is that the human aspect is not part of the basic principles and objectives (Confidentiality, Integrity and Availability). Since the CIA triad is always the focus when designing these controls, it is time to change it.

How can we redefine the information security triad?

While there could be a number of different ways to bring the notion of human experience into the CIA triad, one of the simpler ones is putting the human experience at the center, as shown in the diagram below.

Another option is to change the triad to a quartet. The importance of factoring in the human experience is high enough to justify this change.

Just changing the triad one way or the other is not enough unless it is accompanied by making it part of security training and by defining what the human experience means and how it is impacted, positively or negatively, by certain actions. Major security certification organizations like ISC2, ISACA and others also need to make it part of the learning objectives for certification exams.

Continuous improvement of the information security profession based upon what we learn from our experiences is an essential part of progress. Lack of consideration for the human experience is a deficiency in the current state of affairs, and it needs to be addressed, starting with a fundamental change to the information security triad.


SIX MODELS FOR A SUCCESSFUL CAREER

Six fundamental models that always fill my personal and professional life with joy, pleasure and satisfaction

  1. Do the right thing, always – This is my first model of a joyful life, explained to me by a school senior friend. If you do this, you will never regret anything from the past, career choices, business decisions or personal relationships. It takes a lot of courage, but you will have a contented heart all the time.
  2. Create value for people – “Your value” is directly proportional to the value you create for others. Measure your actions by how much they benefit others, whether it is a business meeting, a family dinner, or social media post. Always serve the people around you.
  3. Embrace imperfection – There is no perfect time to launch a product, start a business, pursue a degree, or change career. You will never have perfect information to make important decisions. Embrace imperfection, “good enough” is much better than “perfect”.
  4. Be generous to people – Be generous in your praise of people, in sharing credit, in giving favors. Be a giver. Be generous with people who disagree with you. Giving favors is the best investment for your career and your personal life. The best thing is that you know when you are generous.
  5. Simplify everything – Complexity is the biggest enemy at work, at home, in relationships, and with friends. Be simple, do simple things, have simple ideas, simplify things for people. Be single-threaded to improve productivity. Use images, diagrams, and analogies to explain complex things.
  6. Fail often – Fear of failure keeps people from achieving great things and causes them to miss career opportunities. Fail, because if you have not failed in a long time, you have very likely missed many opportunities. Overcome the fear of failure; you don’t have to prove anything to anyone. Abandon your comfort zone.

On Open Source and Poverty Alleviation

While many people and organizations have been praised for their philanthropic work and poverty alleviation, the open source movement does not get the credit it deserves. I would argue that no other work comes even close to what the open source software movement has contributed and achieved. How? Let me explain just a few points.

Access to modern operating systems for universities

Before Linux was a thing, the vast majority of universities in the developing world could not afford to purchase expensive multi-user operating systems and the machines they ran on. People remember how expensive Sun, IBM, Vax and other systems (hardware and software) used to be. As a result, it was very difficult for students at these universities to gain modern skills, get high-paying jobs in the emerging software industry, and pull their families out of poverty. Linux changed much of that. It was free, it ran on cheap commodity hardware, and it opened a world of new possibilities for millions.

Startups and software development

Open source software packages, compilers like GNU, and other development tools made software development accessible and enabled ordinary people to build software applications and start their own businesses. It made innovation and large-scale job creation possible.

Enabling the Internet

The Internet would not be what it is if there were not the Apache web server, open source databases, and other tools that run the core of the Internet engine. Think about the opportunities and wealth that have been made possible through the Internet, thanks to the open source software that runs most Internet services.

AI/ML and emerging technologies

Open source software libraries for Artificial Intelligence (AI) and Machine Learning (ML) are core to the expansion of this field as well as other technologies that fuel IoT, Cloud, and DevOps.

Today a large number of Internet-connected devices run on some version of Linux, and most Internet servers run Linux. The same is true for mobile devices. The credit goes to a large number of enthusiasts building open source software and to the organizations protecting the movement from legal challenges. Open source software is the engine of innovation, human progress, and wealth generation. Directly or indirectly it continues to pull people out of poverty. More than anything else, it is changing lives for many and leveling the playing field for everyone.

References

Shahid H. Bokhari and Rafeeq U. Rehman, “Linux and the developing world”, IEEE Software, vol. 16, no. 1, January/February 1999, pp. 58-64.

Posted in Open Source

What could derail SASE train

There are many reasons that make Secure Access Service Edge (SASE) an appealing concept. Major among these are the move from corporate data centers to the Cloud, the need to work from anywhere, reducing complexity, and the use of applications delivered as SaaS. The SASE hype is at its peak and all major security and network vendors are embarking on the SASE train. However, there are many factors that can derail this train, and it is yet to be seen whether the market is ready for large-scale SASE adoption.

Factors to Consider

  1. SASE is not a single technology. One of its objectives is to combine many capabilities into a single platform. However, reliance on a single platform has its own side effects. Any major security issue with a SASE vendor could create problems. For example, in the face of a major security incident, while it is plausible to shut down part of the IT infrastructure, turning off a SASE platform may mean shutting down the business.
  2. Many small businesses have limited budgets/IT staff with no separation of security and network functions and could be a good target for SASE adoption. However, any sizable medium or large business has separate security teams. People who have worked in the corporate world for a long time are well aware of the cultural issues and dynamics that play a key role between security and network teams. How these two cultures come together is yet to be seen.
  3. Adherence to key security concepts, including separation of duties, defense in depth with multiple technologies, and the use of technology components that provide a single function, still needs some reconciliation with the notion of convergence and the use of a single platform.

Why does it matter?

To implement a SASE platform, key decision makers need to fully evaluate the factors mentioned above, keeping in view risk, cost, and complexity. The alternative to using a single SASE platform is combining the best capabilities from multiple vendors.

Who should care?

There are multiple parties who have some stake in SASE decision making. These include, but are not limited to:

  • CISO – manage risk
  • CFO – save money
  • CIO – manage complexity and budget

What is next?

A “complete” SASE platform does not exist yet. Businesses need to carefully evaluate vendor offerings, avoid “me-too” solutions, and think long-term when adopting a SASE platform.

Posted in Digital Transformation, InfoSec

CISO MindMap 2021: What do InfoSec professionals really do?

NOTE: A new version of CISO MindMap (2022) is available at this URL.

Most people outside the Cybersecurity profession don’t fully realize and appreciate the complexity of security professionals’ job. I have been publishing and updating this MindMap for almost a decade, not only as an effective educational tool but also to enable professionals to use this MindMap for designing and refining their security programs. Here is the latest and updated CISO MindMap for 2021 with a number of updates and new recommendations for 2021-22.

CISO MindMap 2021

Download CISO MindMap 2021 PDF Version for Printing

What has changed?

The responsibilities of security professionals are only increasing, and CISOs are finding themselves in the middle of more things than they wish to be. Why? Technology is changing fast: new ways of doing business, continuous adoption of the Cloud, and ever-expanding uses of machine learning (and AI in a broader sense). InfoSec professionals are “expected” not only to understand all of this but also to provide policies/guidance on the security of these technologies. For this reason, every year you find a few new things on the CISO MindMap. This year, I have also reorganized/moved a few items to more appropriate sections. So:

  • Items in red color are new that did not exist last year.
  • Items in blue color are not new, they are just rearranged in a different section of the MindMap.

I hope this color coding will help you understand what has changed.

Recommendations for 2021-2022

I know you already get plenty of recommendations from your vendors, industry analysts and pundits, and other “experts”. You also know that many of these recommendations may carry some vested interests and/or biases. I make my own recommendations as a practitioner every year and try to be objective, avoid the hype, and focus solely on what data and research show. However, it is still my interpretation of data and facts, and I may have my own unintended biases even with all objectivity and an evidence-based approach (by now some of you may have figured out that I am not a machine, although the Age of Spiritual Machines has long been predicted and is on the horizon). For me, the most difficult part of making these recommendations is to pick as few as I can. The following list is longer than I would like it to be, but hopefully it gives you a few things to think about.

  1. Re-evaluate your ransomware defenses, do a business impact analysis, especially in areas where ransomware may impact the physical world and human safety.
  2. Reduce/consolidate security tools/technologies and vendors (less is more in many cases).
  3. Monitor Cloud misconfigurations in real time and at machine speed.
  4. Adopt borderless network strategies (SASE, Zero Trust, and/or whatever you want to call it).
  5. Think about cooperative/collaborative SOC strategy.
  6. Train staff on business, ML models, model training, service mesh, containers, DevSecOps.
  7. Plan for government shutdown of a critical software or service provider due to security issues and supply chain attacks (hope this never happens but supply chain attacks in the past 12 months warrant need for preparedness).

Item number 5 above is a long-term consideration and is not really a new or earth shattering idea. However, it is something to consider seriously for sustainability and to remove some of the insanity in security operations. If you don’t agree, I am eager to listen to your viewpoint and why.

How to use CISO MindMap?

I continuously get messages about how many different ways people are using the CISO MindMap. Over the years, it has become a great tool for many of you and I appreciate your feedback and kudos. Following are some of the ways this MindMap is quite helpful:

  • Have you been asked what you really do as a security professional? Well, this is one way for answering the question and explaining it to people. I have heard from many professionals that this MindMap is extremely helpful in explaining the complexity of a CISO job to a business audience.
  • A framework for guiding discussion.
  • SANS Institute uses it as part of the Security Leadership Poster.
  • Designing and refining security programs.
  • Some security vendors use the MindMap for awareness.
  • CISO group discussions and/or community meetings.
  • It could be a great time waster if you have nothing else to do on a Friday evening, or, to say “why would anybody do that”?

Obviously there is a lot on this MindMap. The stress on people who have these responsibilities is real. If nothing else, this MindMap should help leaders recognize that stress and do something about it. I covered this topic (stress) in my latest book Cybersecurity Arm Wrestling: Winning the perpetual fight against crime by building a modern Security Operations Center (SOC) as well.

So let me know what you think about these updates!

Copyright © Note

This is copyrighted material but is absolutely free to all (like water and air) with no strings attached (as long as it is not altered and not used to make money). My request is that when using this MindMap, please cite the source properly.

Posted in cisomindmap