All tagged cybersecurity

Prepare to laugh until your stomach hurts with our most hilarious episode yet, featuring the one and only theater kid turned cybersecurity guru, Kayne McGladrey, Field CISO at Hyperproof. Join us for a rollercoaster of emotions as we dive into the absurdity of security info in 10K filings, engage in heated debates over the polarizing cinnamon sticky bun ale, and champion the cause for more singing and dancing in cybersecurity. Think of it as the "Cybersecurity's Got Talent" episode you never knew you needed! Kayne's journey is packed with invaluable insights and captivating stories that are as unique as they are engaging.

Despite this guidance mandating only four disclosures (identifying and managing risks, disclosing material breaches, board oversight, and management’s role), over 40% of the 2,100+ 10-K filings I’ve reviewed between January 1 and March 11, 2024 disclosed eleven distinct topics.

Companies are disclosing more information than required in their 10-K filings for various reasons. One is that they lack a broad consensus how much detail to disclose in Section 1C. The recent civil litigation of SEC vs. Tim Brown and SolarWinds (case 1:23-cv-09518 in the Southern District of New York) significantly influences the disclosure requirements.

Tom provides an update on the status of the Hyperproof FedRAMP project. Along the way, Kayne uncovers some of the challenges associated with the project and suggests solutions for others going through the same process. And straight out of left field, Kayne actually likes a beer more than Tom. Come find out what caused this seismic disturbance in the force.

In recent years, we've seen a significant shift in the threats targeting businesses. "Everybody focused on the human harms, people couldn't check into their hotel rooms; people couldn't use an ATM... the nature of the technical exploits is not what we focus on in terms of harm... that's not what we focus on in terms of harm," states Kayne McGladrey, a field CISO at Hyperproof and senior IEEE member. This reiterates the transition from mere inconvenience to significant operational disruptions and economic consequences that cyber threats now pose.

During this Hyperproof live stream series, leaders in information security shed light on crucial topics that shape the modern cybersecurity landscape. This month’s episode features Jeff Warren, Owner & Principal Consultant at South Lake Cyber Risk, LLC, and our host, Kayne McGladrey, Field CISO at Hyperproof. Guided by Kayne and audience questions, Jeff will share insights into his current work and past experiences in the field. Register now for your chance to learn from one of today’s top infosec pros.

Kayne McGladrey, Field CISO at Hyperproof and IEEE Senior Member, noted that the use of generative AI models in business hinges on their ability to provide accurate information. He cited as examples studies of AI models’ abilities to extract information from documents used for financial sector regulation that are frequently relied on to make investment decisions.

“Right now, the best AI models get 80 percent of the questions right,” McGladrey said. “They hallucinate the other 20 percent of the time. That’s not a good sign if you think you are making investment decisions based on artificial intelligence telling you this is a great strategy four out of five times.”

“These threats are not merely theoretical, although, at the moment, they are still relatively limited in their application,” McGladrey said. “It is reasonable to expect that threat actors will continue to find innovative new uses of generative AI, extending beyond business email compromise, deepfakes, and the generation of attack code.”

"In 2024, the most significant cybersecurity surprise will be the widespread recognition that Chief Information Security Officers (CISOs) are primarily risk advisors, not risk owners. This distinction contrasts with some companies' previous perceptions and the operational reality. With cybersecurity concerns such as data center vulnerability, cloud vulnerability, and ransomware attacks still being a top concern for business leaders in 2024, this distinction is important to keep in mind to ensure the success of corporate security. Business systems are managed by business owners, whose performance is measured based on the system's effectiveness. Historically, some companies have incorrectly assumed that the CISO is responsible for authorizing or mitigating some of the risks associated with these business systems. This is a misconception. The business owner, likely the individual who has approved the business continuity plan or is most affected by operational disruptions, also bears the responsibility of deciding how to address each risk. While CISOs can identify and propose mitigation strategies for business risks related to cybersecurity, they do not and should not accept or authorize the mitigation of risks for systems outside their ownership."

"In 2024, the most significant cybersecurity surprise will be the widespread recognition that Chief Information Security Officers (CISOs) are primarily risk advisors, not risk owners. This distinction contrasts with some companies' previous perceptions and the operational reality. With cybersecurity concerns such as data center vulnerability, cloud vulnerability, and ransomware attacks still being a top concern for business leaders in 2024, this distinction is important to keep in mind to ensure the success of corporate security. Business systems are managed by business owners, whose performance is measured based on the system's effectiveness. Historically, some companies have incorrectly assumed that the CISO is responsible for authorizing or mitigating some of the risks associated with these business systems. This is a misconception. The business owner, likely the individual who has approved the business continuity plan or is most affected by operational disruptions, also bears the responsibility of deciding how to address each risk. While CISOs can identify and propose mitigation strategies for business risks related to cybersecurity, they do not and should not accept or authorize the mitigation of risks for systems outside their ownership."

“It should be a strategic choice for a company to transfer certain business risks associated with cybersecurity threats, which exceed an acceptable level of risk, to an insurer,” says Kayne McGladrey, a senior member of the IEEE. “The expectation is that the insurer will help lessen the financial impact of significant cyber incidents or data breaches.”

However, this approach assumes companies maintain risk registers with clear definitions and measurement criteria for various risk categories, he notes. “It also presumes they use compliance operations to continuously assess the effectiveness of their current controls in reducing or mitigating these risks.”

Next, commit to solving the complexity issue. In practice, this involves consolidation and integration of tools while striking “a balance between robust protection and user convenience,” said Kayne McGladrey (@kaynemcgladrey), Field CISO at Hyperproof and Senior IEEE Member. For example, “automation and integration of security controls are crucial in achieving scalability and simplifying validation of efficient control operations.”

In response to the ever-changing risk environment, company leadership is asking more and more questions about how to best manage risk. But being able to answer those questions means having a system and process in place to accurately document, manage, mitigate, and report on those risks.

Luckily, some frameworks and processes already exist to help guide you through that process. Kayne McGladrey, Field CISO, will walk you through the current state of risk and how to effectively and accurately communicate risk to your leadership team.

In this presentation, you’ll learn:

● What the 2023 risk landscape looks like

● How risk managers are planning on updating their risk workflows to adapt

● How to communicate risk to leadership

December 6th at 10:45 AM in Atlanta, GA

My prediction for 2024: In response to increasing regulatory burdens and the risk of civil litigation, successful companies in 2024 will lean into enhancements in their compliance operations. They will actively collect and test evidence of security control effectiveness, linking these controls directly to their risks, across all critical assets or systems. This approach ensures companies are confident in accurately describing how well they manage their risk portfolio, including in SEC filings. The automation of compliance operations enables security and audit professionals to spend more time doing the parts of their jobs that they love. Furthermore, as supply chain risks intensify scrutiny of B2B transactions, companies will efficiently repurpose many of their controls and control evidence. This strategy not only allows companies to secure additional attestations or certifications such as ISO or SOC 2 without increasing their workforce, but it also provides a significant competitive business advantage.

Presented by

Kayne McGladrey, Field CISO - Hyperproof | Charity Otwell, Director, Critical Security Controls - CIS

Dec 05 2023, 11:00am PST

CIS Critical Security controls are a prescriptive, prioritized, and simplified set of best practices that can strengthen your cybersecurity posture. The CIS Controls include foundational security measures that you can use to achieve essential hygiene and protect yourself against a cyber attack. Are you curious whether CIS Critical Security Controls is the right choice for your organization? Or are you currently using CIS Critical Security Controls and wondering how to maximize your experience? Join Charity Otwell, Director at Critical Security Controls - CIS, and Kayne McGladrey, Field CISO at Hyperproof, to discuss areas of focus for CIS controls and how they can best apply to organizational security.

Participants will:

- Learn the basic foundation of CIS Controls

- Understand how to assess applicability for their organization

- Learn how to adopt best practices around CIS Controls

- Learn the upcoming changes that will be made to the CIS Controls