Cybersecurity Awareness Month – Insight From Seasoned Experts

BACKGROUND:

October officially marks National Cybersecurity Awareness Month. While it is an annual reminder for organizations to pay attention to their security posture and the wider cyber landscape, this year in particular has been a constant battle against adversaries taking advantage of the unique environment as companies continue to adjust to working in a pandemic.

While potentially holding a bit more significance than in years past, if you're planning on publishing a roundup of sorts, or a related article, please see below for quoted thoughts from 7 seasoned experts, including spokespeople from Okta, Netskope, and Raytheon Intelligence & Space.

Expert Comments

October 25, 2021
Karen Worstell
Senior Cybersecurity Strategist
VMware

From entry level positions to more senior roles, job postings can be a major pain point. They are frequently disconnected from the required critical skills and expectations for the job. Focus on hiring for attitude and talent, and avoid focusing too much on certifications. For example, an entry level cyber position should not require a CISSP, yet we see it all the time. Some of the most productive and creative professionals come from positions outside of infosec. Hiring outside of your comfort zone will make a difference in the power and success of your team.

September 30, 2021
Joe Partlow
Chief Technology Officer
ReliaQuest

The events of this past year have put a magnifying glass on the longstanding issues many organizations are unfortunately faced with year-round. While each October we celebrate National Cybersecurity Awareness month as a reminder to prioritize such initiatives, the cybersecurity industry should instead use this as a moment - and an opportunity - to consider what can, or needs to be done, to make organizations more secure every day. Whether that’s educating employees about the dangers of social engineering and phishing, using MFA whenever possible, avoiding password reuse and administrative privileges or implementing more fool-proof policies and procedures for employees, these changes must have a lasting impact to reduce the risk at home and in the workplace. 

Despite headway this year with organizations working to achieve a stronger risk-based security posture all year round, a recent study from Ponemon Research found that there’s still ample work to be done. For example, 64% of security leaders believe the primary obstacle to implementing IT security risk management is a lack of standardized metrics to measure progress. Additionally, while 57% of organizations are prioritizing secure cloud migrations and another half are looking to implement Zero Trust, the majority are still held back by the lack of visibility. In short, most are still lacking operational efficiencies and actionable metrics that prevent them from detecting threats and making meaningful changes to their security posture. Constantly staying on top of security operations and visibility couldn’t be more critical in today’s landscape. Teams must be empowered with the right support, technology and resources to get the job done right.

September 28, 2021
Jason Rebholz
CISO
Corvus Insurance

In light of Cybersecurity Awareness Month, it’s critical for organizations to focus on where they can multiply their security efforts. As we look back on 2021, we saw Cyber Insurance pushed into a negative spotlight with some raising concerns that it may have been contributing to the rise in ransomware attacks. It’s crucial that we dispel the falsehoods and instead educate on the positive impact cyber insurance has for organizations individually and industries as a whole.

Insurance carriers are an integral component of setting minimum standards for security solutions and technologies across all industries. There is a shared interest between insurance carriers and their policyholders to mitigate risk and keep businesses up and running free of security incidents. Carriers can become an ally and force multiplier for organizations of every size by delivering access to best practices and more affordable security solutions that don't compromise on quality. Organizations that implement cyber insurance will undoubtedly be better armed to protect themselves against the growing cyber threat environment.

September 28, 2021
Stephen Cavey
Co-founder and Chief Evangelist
Ground Labs

First, I advise organizations of any size to collect only the data they need. When it comes to personal data, particularly medical-related data, there is no such thing as "nice to have" — only what you must collect in order to run your business and deliver your product or service. The consequences of over-collecting personal data are highly visible as the number of reported data breaches continues to rise.

Secondly, this sensitive data must only be accessible on a “need-to-know” basis, and organizations should set that “need-to-know” threshold at the highest possible level. When we think about security within our organizations, we often forget that employees do represent a significant risk to the likelihood of a security breach, which often occurs without their awareness due to an unintended action such as clicking on a malicious email. With a dispersed workforce becoming the norm, ensuring that employees understand the required confidentiality and appropriate handling of customer data is critical to meeting increasingly challenging privacy regulations and ultimately honoring the trust that a customer has placed in your organization with their data.

Finally, with over 70% of organizations not fully understanding where all their data is located, I strongly urge organizations to make data awareness a priority. The technology to achieve this is readily available using sensitive data discovery to map out where all PII data lives within your organization. Through this process, you will quickly learn where data is created, who has access to it, and gain accurate insights into what risks exist around data that require immediate attention.

September 28, 2021
John DeSimone
Vice President of Cyber, Training & Services
Raytheon Intelligence & Space

Being cyber aware requires constant diligence all year long, but it’s also necessary for organizations to take a step back to consider how their security strategies can be improved in order to continuously meet these challenges head on. Cybersecurity is a multi-layered problem which is why every organization should test to reveal vulnerabilities.

I’d recommend vulnerability scanning monthly—weekly if resources allow it—and quarterly at a minimum. Penetration testing should be done at least annually, but bi-annually is better; critical apps or websites you’d want to test more often especially after major changes or releases to ensure that a new vulnerability wasn’t introduced. I’d also recommend a Red Team exercise, which mimics what adversaries may attempt to do to break into your organization, to test your security team as well as the detections and controls that you have in place. This should happen at least once a year or when major changes are implemented. These real-world tests will help any organization determine how well they can detect malicious activity that other testing won’t find.

Finally, I suggest implementing a Zero Trust framework, where you continually assess your organization’s security posture (yes, even internally). Zero Trust Security relies on multiple technologies that have to continuously scan and monitor your users, devices, networks, workload, and data to detect suspicious and malicious behaviors.

September 28, 2021
David Friend
Co-founder and CEO
Wasabi Technologies

As the former CEO of backup company Carbonite, and now co-founder and CEO of hot cloud storage company Wasabi Technologies, I’ve seen many companies spend so much time and money on intrusion prevention and detection against ransomware. But it’s a losing battle because cyber criminals will always find a way to get in, and vulnerabilities are not always technical – they depend on people never making a mistake. 

One underutilized way to protect your data against cyber threats and ransomware is through object-level immutability in your cloud storage, which means certain files and stored objects cannot be modified or deleted by anyone, even a systems administrator. If you store your backups in immutable buckets, ransomware hackers can’t delete or encrypt your backups. Ransomware hackers know that if you can restore your systems from backups, they are unlikely to be able to extort ransom from you. So they try to destroy backups at the same time they are encrypting your primary data. But if you have done your backups properly, when you get attacked by ransomware, you should be able to start fresh and restore your entire system from backups. 

No amount of high-tech prevention will stop ransomware attacks because most of the time the vulnerability is with the humans, not the machines. So my advice is to do the best you can on the prevention side, but more importantly do complete backups, store them in immutable object stores, and test that you can successfully do a full restore before you get hit.

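The object-level immutability described in the quote above, worked through as an added example that is not part of the original quote and is not Wasabi's or any vendor's code: a constructed Python simulation of a bucket with per-object retention, where overwrite and delete are refused for every caller, including an administrator, until the retention deadline lapses. The class and function names (ImmutableBucket, back_up, restore, restore_drill), the tick-based clock, the is_admin flag and the sample files are all assumptions made for the illustration.

```python
"""Added example: object-level immutability for backups, simulated.

Constructed toy, not a real storage API. A bucket holds objects with a
retention deadline; while retention is active, overwrite and delete are
refused for every caller, including an administrator (a compliance-style
lock). A restore drill then checks that the retained backup still matches
what was originally written, before any real incident.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


class ImmutableObjectError(Exception):
    """Raised when a retained object would be overwritten or deleted."""


@dataclass
class StoredObject:
    data: bytes
    retain_until: int           # constructed clock tick at which the lock lapses
    sha256: str = field(init=False)

    def __post_init__(self) -> None:
        self.sha256 = hashlib.sha256(self.data).hexdigest()


class ImmutableBucket:
    """Write-once-read-many storage with per-object retention (constructed)."""

    def __init__(self, retention_ticks: int) -> None:
        self.retention_ticks = retention_ticks
        self.objects: dict[str, StoredObject] = {}
        self.clock = 0              # constructed clock so retention is testable

    def tick(self, n: int = 1) -> None:
        self.clock += n

    def is_locked(self, key: str) -> bool:
        obj = self.objects.get(key)
        return obj is not None and obj.retain_until > self.clock

    def put(self, key: str, data: bytes, *, is_admin: bool = False) -> str:
        # is_admin is deliberately ignored: a retained object cannot be
        # overwritten by anyone, which is the whole point of the control.
        if self.is_locked(key):
            raise ImmutableObjectError(f"{key} retained until tick {self.objects[key].retain_until}")
        obj = StoredObject(data, self.clock + self.retention_ticks)
        self.objects[key] = obj
        return obj.sha256

    def delete(self, key: str, *, is_admin: bool = False) -> None:
        if self.is_locked(key):
            raise ImmutableObjectError(f"{key} retained until tick {self.objects[key].retain_until}")
        self.objects.pop(key, None)

    def get(self, key: str) -> bytes:
        return self.objects[key].data


def back_up(bucket: ImmutableBucket, primary: dict[str, bytes], prefix: str) -> dict[str, str]:
    """Copy every primary file into the bucket; return a manifest of key -> sha256."""
    return {f"{prefix}/{name}": bucket.put(f"{prefix}/{name}", data) for name, data in primary.items()}


def restore(bucket: ImmutableBucket, manifest: dict[str, str]) -> dict[str, bytes]:
    """Rebuild primary data from the bucket, verifying each object's hash first."""
    restored = {}
    for key, expected in manifest.items():
        data = bucket.get(key)
        if hashlib.sha256(data).hexdigest() != expected:
            raise ValueError(f"backup {key} does not match manifest")
        restored[key.split("/", 1)[1]] = data
    return restored


def restore_drill() -> dict[str, object]:
    """Walk through loss of primary data plus an attempt to remove the backups."""
    primary = {"ledger.csv": b"2021-09,acme,1200\n", "config.yml": b"mode: prod\n"}  # constructed
    bucket = ImmutableBucket(retention_ticks=30)
    manifest = back_up(bucket, primary, "backup-001")

    # Primary copies are lost, and the backups are then targeted using
    # admin-level credentials; both overwrite and delete are refused.
    primary = {name: b"\x00" * len(data) for name, data in primary.items()}
    refused = 0
    for key in manifest:
        for action in (lambda: bucket.delete(key, is_admin=True),
                       lambda: bucket.put(key, b"junk", is_admin=True)):
            try:
                action()
            except ImmutableObjectError:
                refused += 1

    recovered = restore(bucket, manifest)

    # Once retention lapses, routine lifecycle deletion works again.
    bucket.tick(30)
    bucket.delete(next(iter(manifest)))
    return {"refused_operations": refused, "recovered": recovered,
            "objects_after_expiry": len(bucket.objects)}


if __name__ == "__main__":
    print(restore_drill())
```

The design choice worth noting is that the retention check sits inside the storage layer and ignores the caller's privilege entirely; the restore function verifies hashes against a manifest written at backup time, which is the "test that you can successfully do a full restore" step from the quote, and the expiry at the end shows why retention must be set longer than the time it takes to notice an incident.
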
September 28, 2021
David Bradbury
Chief Security Officer
Okta

Cybersecurity Awareness Month is especially crucial this year as we’ve seen cyberattacks become more sophisticated and more destructive across all industry sectors. If the past year has taught us anything, it’s that it has never been cheaper or easier to launch a cybersecurity attack. As leaders, we must remain continuously vigilant to thwart these emerging threats and keep cybersecurity as a top priority for every company. To meet the demands of today’s modern users and avoid becoming the next victim of a cyberattack, organizations must move toward a Zero Trust security model and adopt strong authentication across all services, everywhere — from on-premises, to cloud, to mobile, and for employees as well as customers, partners, contractors, and suppliers. In order to maintain this level of vigilance, cybersecurity leaders should keep their team’s well-being top of mind by hiring globally, regularly checking the ‘pulse’ of their team’s work and stress levels, and being open about the organization’s broader strategy - these are all key to addressing potential sources of burnout across multiple touchpoints. With our industry also facing massive skills gap challenges, it’s important for cybersecurity leaders to empower their employees to properly train and mentor young IT professionals who will go on to become the security teams of the future. This month should be much more than just a time of awareness for organizations — it should be a call to action to start (or bolster) their Zero Trust journey, address and correct sources of burnout, and to keep an eye on the future development of the profession to meet the evolving challenges in our increasingly identity-centric world.

September 28, 2021
James Christiansen
VP of Security Transformation
Netskope

This is Netskope’s second Cybersecurity Awareness Month during the COVID-19 pandemic, which has given us the opportunity to reflect and recognize how we can move the industry forward. As part of this awareness, it is our responsibility to redefine ‘Zero Trust’ so that it is more adaptable for companies to implement into their security. This type of trust is at the core of secure access service edge (SASE), which will connect security products across infrastructures and help companies make complex decisions around trust. 

According to a recent report, 70% of users continue to work remotely as of the end of June 2021. During an era when organizations are learning to navigate a hybrid workforce, it is critical that companies have secured their data, which is now being accessed on an abundance of servers. The Great Resignation has shown us that there is a large opportunity to change the security architecture for companies that are at high risk of employees leaving and taking data with them. In fact, departing employees upload 3 times more data to personal apps in the last 30 days of employment. Additionally, many companies are adopting a remote-first approach while onboarding workers all over the country, which calls for a change of traditional security systems and is a large opportunity for cybersecurity companies to offer innovative solutions. 

Realistically, we can never have an environment with no trust because this would mean we have zero interactions. The key to achieving continuous adaptive trust is by having a view of our risks at all times. This includes identifying users, classifying the data being accessed, and looking at the applications used on the network. This will help us better understand who is causing the risk, where it is coming from, why they are doing it, and how this will affect company data. By considering these threats, companies can begin their journey to SASE architecture and be better prepared for the risks they face on a daily basis.

October 25, 2021
Rick McElroy
Principal Cybersecurity Strategist
Distributed

One of the most pressing issues facing the cybersecurity industry is burnout, driven in large part by the talent shortage. Reports estimate there are 3.5 million cybersecurity jobs currently available around the world. This leaves organisations extremely vulnerable to destructive cyberattacks. Leaders should not only foster an environment where employees feel empowered to share their concerns and work to remove the stigma around burnout, but they must also dedicate the proper resources to closing the skills gap.

October 25, 2021
Tom Kellermann
Head of Cybersecurity Strategy
VMware Carbon Black

By empowering CISOs, we can help relieve some of the burnout felt by their security teams. Elevating the CISO’s role within an organisation will help to better ensure cybersecurity measures are appropriately prioritised and that the team leading those measures has the necessary resources and support to combat burnout and build resilience.

October 19, 2021
Bindu Sundaresan
Director
AT&T Cybersecurity

Regardless of the month, cybersecurity has become a big priority for organizations today, with increased engagement at the board level. The top-of-mind question ends up being if people get compromised, how do you make sure lateral movement doesn't occur? The answer is simple. A shift in your approach to security is needed. Focus on a Zero Trust strategy and implementation where you connect users to applications, not the network. 

Many organizations agree that implementing a Zero Trust Architecture can help stop data breaches. Yet Zero Trust Architecture means different things to different people, as organizations already have certain aspects of Zero Trust in place. A Zero Trust Architecture can be designed and executed in several different ways. The journey will depend on an organization’s use cases, business flows, risk profile, and the business function of the network. With that said, both users and devices must be continuously authenticated and granted access to resources through disciplined verification no matter the journey. For success, it’s recommended that organizations aim to implement a holistic Zero Trust approach that focuses on safeguarding critical digital resources and assets. No one solution will get organizations there but focusing on identity management and Zero Trust segmentation is a first step in the right direction. 

By utilizing Zero Trust and its core foundations of micro-segmentation and enforced authentication, organizations can fully visualize networks and resources to ensure relevant least privilege and secure access to corporate resources. This also means control over all aspects of network security across cloud and on-premises applications and services. Zero Trust provides the visibility, control, and threat inspection capabilities necessary to protect networks from ransomware, targeted attacks, and the unauthorized exfiltration of sensitive data. Every organization looking to establish secure ‘trust boundaries’ according to the Zero Trust security model can improve their overall security posture.

October 04, 2021
Jason Stirland
CTO
DeltaNet International

Cybersecurity Awareness Month is another opportunity for businesses to educate their employees on staying safe and secure online, reducing the likelihood of being attacked. According to research by LastPass, despite 92% of online users recognising that using the same password is a risk, 65% still reuse theirs across accounts, increasing the risk of a data breach. That’s why it’s so important for businesses to train their employees on the importance of using passwords securely as a preliminary line of defence. 

With cyber-attacks on the rise, it is remarkable how many passwords are compromised simply because they are not strong enough. Strong passwords are hard to guess, include a combination of upper-case letters, lower-case letters, symbols, and numbers, and are different for each account/platform. Unfortunately – often due to the sheer number of passwords required for users online - many people reuse the same password across multiple accounts, making them vulnerable and posing an information security risk, especially if shared with business accounts. To help counter this risk, IT teams should enable mandatory multi-factor authentication on company accounts as an added layer of security.

September 28, 2021
James Hadley
CEO
Immersive Labs

Although cybersecurity awareness should stretch further than one month, October serves as an important reminder that organizations should be preparing their teams for cyber threats year-round, no matter how big or small.  

This year has made it abundantly clear that management of cyber risk cannot be left to just a few experts in the security team. Cyber risk now impacts financial, reputational, regulatory, legal, and technical teams. That means the responsibility for mitigation and response now falls on a much broader range of people across the entire workforce. All must be ready to respond and should have the necessary knowledge, skills and judgement to mitigate this ever growing, fast-paced risk.
