Aligning Business Goals with InfoSec Strategy

How do you align yourself with the business you are supporting? What value are you creating? These are the questions that every CISO should be thinking about on a regular basis. In a typical organization, the CEO has a list of business goals and objectives that trickle down through the chain of leadership. Objectives for IT leaders are usually derived from the CEO’s business objectives in support of the organization. Understanding the organizational objectives, as well as the personalities of the business leaders, helps in creating and aligning the information security strategy.

Social Engineering Awareness Program Part 4: Clicking the Phish

It is inevitable that at some point someone will fall victim to a social engineering attack. This could be via clicking the phish, letting an unauthorized person in, or succumbing to a phone scam. Integrating with your Incident Response plan (if you have one; otherwise read my next series) is vital.

Building a Successful Security Operations Center Part 3: SOC Budget Calculator

Some time ago I published an article, “What it Really Takes to Stand up a SOC”. It included a MindMap showing everything you need to consider while deciding whether to establish an internal Security Operations Center. Take a look at the PDF download link for this MindMap. Since then, many people have asked questions about estimating the budget for standing up an internal SOC.

Social Engineering Awareness Training Part 3: Reinforcement and Incentivization

Reinforcement and Incentivization

At this point in the awareness life cycle, the culture has been set and the training has been designed and conducted. We are now trying to reinforce the training and provide incentives for those who thwart attacks, who report “interesting” attempts, or who report attempts in volume.

Social Engineering Awareness Training Part 2: Designing Effective Training Program

Designing Effective Training Program

Image Reference – Pixabay

Continuing from the previous post, we have established the culture of security. The population is ready to be trained, thus raising awareness. This prerequisite is key for setting up the training. Effective training will raise awareness for employees at all levels and add a layer of protection to the organization while also removing a level of insider threat.

Social Engineering Awareness Program: PART 1

Building the Culture to Support a Social Engineering Awareness Program

Today, companies are investing more than ever before in protecting their IT infrastructure. In response, hackers and, in turn, penetration testers are using a different vector to gain access to enterprises: the human element. Humans can be exploited using a variety of methods collectively known as social engineering. This broad category includes phishing, spear phishing, whaling, vishing, smishing, pretexting, dumpster diving, and tailgating.

Building a Successful Security Operations Center (SOC) Part Two – Estimating SOC Budget

Image credit Pixabay

Budget estimates are a major part of the SOC business case. A typical budget will consist of capital cost, payroll expenses, and annual recurring costs. The budget estimates also help in deciding whether to build an internal SOC or to use SOC as a Service. Following is a summary of the three major cost components.

Want to be a CISO? Career Advice from David Garcia

Image Credit – Pexels

As in any other field, many people in information security are asking for career advice. Recently we had a conversation with David Garcia, who specializes in executive recruiting in the field of information security. He typically works with CISOs and VPs of Sales to fulfill their staffing needs. David’s firm, Garcia and Associates, made placements in thirteen states and two countries over the past year. David shared his insights into what it means to be a security leader, which skill sets are in demand, and how to make progress in your career. Following is the question-and-answer session with David.

Disruptive Technologies Every CISO Should Know

Image Credit – Pexels

Information Security is a rapidly changing field, as advancements driven by disruptive technologies such as SDN, IoT, NFV and others have a direct impact on security management programs. Information Security professionals, in general, are perceived to be slow in adapting to new technologies and are often considered a roadblock. This perception must change, and this post is an effort in that direction.