INDEX

06 BUZZ
Cyber Insurance and the Liability Paradox

12 UNDER THE SPOTLIGHT
An Interview with Tim Fitzgerald

17 VIEW POINT
To CISOs with Love: Endpoints are Dead

22 COVER STORY
Fintech: Rooted in the Past, Borrowed from the Future

27 IN THE HOTSEAT
High-Profile Appointments in the Cybersecurity World

30 TABLETALK
Few Minutes with Foo Siang-Tse

35 EVENT FOCUS
A Curtain Raiser to Global CISO Forum

38 INDUSTRY SPEAKS
In Discussion with Tobias Gondrom

43 IN THE NEWS
Top Stories from the Cybersecurity World

49 TECHTALK
Automation and Orchestration: The Big Picture

56 KICKSTARTERS
Startups Making Waves in the Cybersecurity World

62 KNOWLEDGE HUB
Understanding Trends and the Cybersecurity Skills Gap

74 COLLABORATIONS
Famous Collaborations in the Cybersecurity World

CISO MAG | September - October 2017

EDITOR'S NOTE

It may not be wrong to say that fintech has changed the way financial services are offered to consumers. It is a perfect option for the consumers, businesses, and financial institutions who, in today's connected, on-demand world, want to transact in a convenient, timely, secured, and efficient manner. The future may see financial transactions being made majorly through Bitcoin, Ethereum, and other future cryptocurrencies.

Traditional banks have realized that fintech is the future; they are either running for cover or trying to stay relevant by embracing new technology solutions. Countries are also aware of the evolving fintech landscape and understand how crucial it is for economic growth. However, for fintech, a number of challenges lie ahead. In the cover story, we throw light on some of these key challenges, which include the lack of unilateral policies and standardizations and several cyber attack vectors.

In the Buzz section, we discuss cyber insurance, a key mitigation tool for businesses in an age where deepening dependence on technology is exposing them to greater cyber threats. Move on to the Viewpoint section, where our executive contributor Chris Roberts pens a candid open letter to CISOs, stripping away the hype surrounding endpoint protection.

For this issue, we interviewed three cybersecurity stalwarts: Tim Fitzgerald, CSO, Symantec; Foo Siang-Tse, Senior Managing Director, Quann; and Tobias Gondrom, CTO, Huawei. They talk about their journeys, the evolving cybersecurity landscape, and challenges ahead, among many other things.

The magazine comprises a host of other informative features that look at cybersecurity from an all-encompassing perspective: regulations, workforce development, partnerships, and much more.

Tell us what you think of this issue. If you have any suggestions, comments, or queries, please reach us at editorial@cisomag.com.

Jay Bavisi
Editor-in-Chief
jay@eccouncil.org

Volume 1 | Issue 2
September - October 2017

Editorial
International Editor: Amber Pedroncelli (amber.pedroncelli@eccouncil.org)
Senior Editor: Rahul Arora (rahul.arora@eccouncil.org)
Feature Writer: Augustin Kurian (augustin.k@eccouncil.org)
Content Writer: Sandip Acharyya (sandip.acharyya@eccouncil.org)

Media and Design
Media Director: Saba Mohammad (saba.mohammad@eccouncil.org)
Design Head and Visualizer: MSH Rabbani (rabbani@eccouncil.org)
Designer: Surendra Bitti (surendra@eccouncil.org)

Management
Executive Director: Apoorba Kumar* (apoorba@eccouncil.org)
Senior Director, Compliance & Governance: Cherylann Vanderhide (cherylann@eccouncil.org)

Marketing & Sales
General Manager: Meghana Vyas (meghana.vyas@eccouncil.org)
Marketing Manager: Jinu Francis (jinu.francis@eccouncil.org)
Sales Manager - India: Basant Das (basant.das@eccouncil.org)
Sales Manager - North America: Jessica Johnson (jessica.johnson@eccouncil.org)

Technology
Director of Technology: Raj Kumar Vishwakarma (rajkumar@eccouncil.org)

* Responsible for selection of news under PRB Act. Printed & Published by Apoorba Kumar, E-Commerce Consultants Pvt. Ltd. and printed at G97 Network Pvt. Ltd., Editor: Rahul Arora.
The publishers regret that they cannot accept liability for errors & omissions contained in this publication, howsoever caused. The opinions & views contained in this publication are not necessarily those of the publisher. Readers are advised to seek specialist advice before acting on the information contained in the publication, which is provided for general use & may not be appropriate for the reader's particular circumstances. The ownership of trade marks is acknowledged. No part of this publication or any part of the contents thereof may be reproduced, stored in a retrieval system, or transmitted in any form without the permission of the publishers in writing.
BUZZ

CYBER INSURANCE AND THE LIABILITY PARADOX
Augustin Kurian


Addressing the gathering of CISOs at the 3rd Annual CISO Summit held in Mumbai, India, in July 2017, Sunil Varkey, CISO of Wipro Technologies, pointed out, "The role of CISOs is way more complex because they handle a domain called cybersecurity. CISOs pester the management to increase the cybersecurity spending. When asked by the management if higher spending would mean the organization would not be compromised, the CISOs often respond by saying, 'I don't know.'"

However, complexity often drives new solutions, and one of them is cyber insurance. Cyber insurance is not a new topic; it has been around for over a decade and a half. It was designed to alleviate losses incurred from cyber attacks and is now a key tool for managing cyber risk. According to the United States Department of Homeland Security, "A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured's level of self-protection."

Timetric, in its recent report 'Insight Report: Developments in Cyber Insurance,' concluded that the growing number of attacks has turned cyber insurance into a key mitigation tool. Although cyber insurance does not replace the need for cybersecurity technology, it can complement cybersecurity standards by mitigating the financial impact of cyber risk. According to Allianz SE, organizations are paying roughly $3.25 billion each year in premiums for cyber insurance. But that number is small considering the cyber insurance market is expected to reach $20 billion by 2025.

WHO NEEDS CYBER INSURANCE?

Everyone! Cybercriminals are not Robin Hood; they do not differentiate between a large company and a small company, and they will do what they do best: steal. While big corporations fortify themselves with several layers of protection, small businesses often underestimate the potential impact of cyber attacks. Many small business owners believe that hackers only attack high-profile organizations, when the reality is just the opposite. In fact, nearly 90 percent of breaches occur in small businesses. A bigger concern is that nearly 60 percent of small businesses that face cyber attacks shut down within six months of the attack.

"Because news coverage of attacks primarily focuses on big corporations, small businesses are unaware of the threat they face. For small businesses, nothing is more important than protecting their livelihood. Cyber liability insurance is another tool they can use to prevent financial disaster in the event of a malicious attack," stated Natalie Cooper, editor of BankingSense.com, in a report from Cyber Insurance Guide.

THE MISMATCH

While cyber threats have drastically evolved from the time cyber insurance was first offered, the cyber insurance market hasn't. One of the reasons is that the cyber insurance market is largely based on old-fashioned ideas about information security and what kind of coverage a breached company will actually need.

A study by Marsh and the UK Government in 2015 concluded that cyber insurance premiums are almost three times higher than those of commercial general liability policies. But even here, there has been a huge gap between the damage incurred and the breadth of policy coverage. For example, in 2014, when P.F. Chang's, a U.S.-based restaurant chain, was hacked and the credit card information of nearly 60,000 customers was leaked, the insurer, Chubb, only covered the cost incurred for investigation of the data breach, legal advice, and the expenses for notifying authorities and customers. P.F. Chang's policy with Chubb stated that it would address the full breadth of risks associated with doing business in today's technology-dependent world, but, P.F. Chang's argued, much of the cost of having been breached was not, in fact, covered. Due to this discrepancy, P.F. Chang's sued Chubb to recover an additional $2 million the company was required to repay to the credit card companies whose cardholders' details were stolen in the hack and subsequently used to make fraudulent transactions. The suit was rejected by the court upon hearing the argument from Chubb that the policy signed by P.F. Chang's did not cover liabilities arising from any external contract or agreement the company held.

Perhaps if more companies find themselves in situations like P.F. Chang's did, cyber insurance policies will be forced to evolve in accordance with the needs of the market. As it stands now, high premiums keep cyber insurance out of reach for most medium and small businesses, but as insurance companies strive to beat their competition with better, more comprehensive policies, prices will fall too.

SOLUTION FOR THE PRESENT PERILS

The P.F. Chang's case is an example of a company not fully understanding its insurance policy, or at least, not fully understanding how that policy could be defended in court and leave the company vulnerable. According to a report by JLT Re and JLT Specialty Limited, "Traditional P&C (property and casualty) products were not designed to protect against today's fast-moving cyber risk landscape. And there are now growing fears that future losses may bring unanticipated accumulations due to potential silent exposures." Silent cyber risks are things like (re)insurers' potential exposure to cyber losses within P&C products where no explicit exclusions are included. And even where exclusions are included, gaps can emerge in the event of unforeseen causes of loss. As exposures evolve, the lack of understanding around silent cyber risks could pose a material threat to (re)insurers' future solvency.

While there is an increased number of takers for cyber insurance, underwriters are concerned over unquantified cyber coverage (like the incident of P.F. Chang's). The report points out the need for "greater certainty, expertise, capacity and stability from the (re)insurance market in a complex and growing risk area." It also notes that the standalone insurance market holds the promise of "unlocking the potential for meaningful coverage for both insurers and buyers." This means that traditional insurance companies' longstanding history in the insurance business could actually be holding them back from offering the solutions that an industry as dynamic as information security really needs. The structures they have in place may not apply to cybersecurity because threats are often unforeseeable, the impacts of known threats aren't easy to predict, and there is so much ongoing change that long-term policies can be out of date long before they expire.

TAKEAWAYS FOR CISOs

- Work with your organization's risk management stakeholders to understand prospective or existing insurance policies. Understand what is explicitly covered, what is not, and how the policy could be defended in court.
- Ensure that you are a part of the buying and renewal process.
- Be a part of the underwriting process.
- Communicate with insurers about prior breaches.


UNDER THE SPOTLIGHT

As the Chief Security Officer (CSO) of Symantec, Tim Fitzgerald has been driving innovation on several security initiatives. He oversees the Global Security Office (GSO) and is also a member of the Symantec Security Council. Tim has a compelling view of industry trends and a unique perspective on how to best protect, monitor, analyze, and respond to security threats and issues. In a brief interaction with CISO MAG, Tim talks about his journey as a network security expert, current trends in cybersecurity, IoT hacking and cloud security, and the need to have a holistic approach to security.

TIM FITZGERALD
CSO, Symantec
Augustin Kurian


Tell us about your journey from being a market analyst to a cybersecurity chief. What is Symantec's Security Council? Tell us a bit about your role at the Council.

My early career was spent more on IT control, implementation, and evaluation. However, over time, I became more concerned with having a job role that influences a company directly, rather than simply assessing and controlling what other people were creating. While working with one of the clients, I learned more about network security. Gradually, I started investing more in my education and research on network security, and that led to a job opportunity at Symantec as a manager. I was responsible for governance and compliance in the security department; it was a huge prospect for learning as, in the early years of cybersecurity, we had a higher degree of turnover. Because of that, I had an opportunity to fill the gap, take on bigger roles, and try my hand at almost the entire domain.

Coming to the Security Council, it serves the need for ground support for our security and our overall leadership in order to be successful in completing every mission. The Security Council is a governing body that we use to form our strategy and guide our security programs. The functioning of the Security Council is not my job singularly. It comprises the CEO, the majority of our C-level executives, and all the leaders at the highest level.

Symantec is known for a holistic approach toward security that merges cyber, physical, and employee security. Tell us a bit about it and how it helped the organization during the 2015 Paris attack. Do you think this sort of an approach can help other organizations combat incidents like these?

We are certainly taking advantage of forming personal relationships with the employees. I am responsible for ensuring cybersecurity of the company as well as employee safety, from our executive level down to the lowest-level employee in the company. I must admit, when I first had to take on that responsibility, I was hesitant as I didn't know much about the space of personal and physical security. But, as we got into it, I came to realize that there is tremendous opportunity in improving the relationship with the employees, in such a way that we can demonstrate to our employees how much we care and how much we invest in their personal security.

Often many companies do the right thing in that space but do not take credit for that work. While the tragic Paris attacks happened, my physical security team reached out and contacted every single employee who was either working in the region or travelling to the region. They found out where they were, if they or their families were in any danger. We helped get them to safety, get medical assistance, and even helped them know that somebody is looking out for them. You could imagine if you were in Paris that day, how frightened you would be and you would appreciate any level of resourcefulness, even if it were a reassuring voice on the other end of the phone. So, the next time we called them, or the next time we ask them for something, we already have a friend, an ally, somebody who knows that you care about them personally.

In fact, we also noticed that the employees whose lives we touched through these gestures also had a much lower rate of cybersecurity problems; the reason perhaps is because they take security more seriously and feel more responsible toward us. So, in a way, benefiting our employees was the most rewarding thing that could have happened. Many of my peers have said for a long time how employees are the biggest problem in an organization when it comes to insider threats, and in some aspects, it is true. But, we prefer to learn and treat them as an opportunity to turn our employees into advocates of security and another pair of eyes for us. It has been extremely powerful for us to leverage that human connection.

Tell us a bit about the evolution of cybersecurity over the years. How integral is it for organizations to have a cybersecurity expert among the top brass?

In many ways, I have grown up in information security through my own learning. I have learned from my own mistakes, and from those of my peers. When I first started in cybersecurity, the CISOs were predominantly responsible for the implementation of technical controls. They were responsible for endpoint protection of some kind, or to make sure that the networks were secure, majorly focusing on technical controls. Gradually, the role evolved and CISOs moved into controlling the processes and technologies. However, over the last three to four years, they have evolved dramatically.

CISOs have become threat managers with a job to see how they implement controls that are known; this involves anticipating and analyzing a plausible problem from the start to the end. Additionally, CISOs are now involved with overall risk management. The role has shifted from the CISOs being the most technical security person in the room to being excellent risk managers. As a CISO, you are not just a manager, you are a negotiator, you become an influencer, a salesman, and a part of a much larger business discussion because you know you can speak the financial language, reputational terms, and brand terms. CISOs have now moved a little bit closer to a larger executive sweep. Driving conversations beyond just controlling the implementation, we also look at all the possible ways in which we might lose that information or data that we consider to be valuable to us. At Symantec, we have our threat evaluation methodology and ethics. As an interesting exercise, we look at not only what Symantec has used, but what others might be interested in gaining from us.

Tell us a bit about the evolution of Symantec from an antivirus company to a security solutions provider. Symantec has always been attributed as a legacy platform. What is your comment on that?

Symantec has always focused on endpoint protection; it was never just an antivirus company. Symantec has often been branded as a legacy antivirus provider, but Symantec has come far in the last 10 years in terms of providing endpoint protection against threats. Our capability in endpoint protection is so much greater and impressive that it has influenced the market in many ways. While most companies were confused with the security space, Symantec went on to become a leader with market-leading products in every segment it played in.

Not many players in the security space can truly put their technology solutions together into a meaningful capability, but Symantec, especially in the last few years, has found ways to do that. We not only continue to have market-leading products, but as a company, we always think about how our customers are going to use them. All these are backed with the inputs and suggestions from employees on future steps and connectivity between the solutions, that you don't find anywhere else in the market.

What are the major challenges for global enterprises against cyber attacks? What is the need of the hour? Also, what are the newer trends in cyber attacks?

Every organization is different, and the idea that we all face the exact same threat universe is not helpful. If you go back five years, criminals or nations wanted to take something from you, but it was not very clear what they were after. You had to review multiple companies to understand what they were looking for and what they got. That has changed. The majority of the cyber world has figured out how to monetize the information they steal, whether it's credit card information, health information, or whatever it may be. Businesses need to evaluate their information and understand their threats, look at how their information might be monetized by the criminals, and then evaluate their threat support level. Secondly, recognizing nation/state actors and what countries might do in the information and protocol space is important. We were once concerned that nationwide actors worked either for property or profit. But now, as with the U.S. elections, we are seeing government-sponsored actors going after more than just profit. From my perspective, that is frightening. You look at some of the tactics that were used in many of these big attacks; they were not super sophisticated. We are also seeing the re-emergence of big hacking suites perhaps being associated with the NSA or other government organizations.

With IoT hacking and cloud security now hitting major headlines, can you shed some light on these subjects?

IoT in many ways is one of the next big frontiers in terms of cybersecurity. Firstly, the prevalence of IoT devices is continuously growing at an exponential pace, and that has made it something to be concerned about. While talking about IoT as an attack vector, if you can take control of a whole bunch of IoT devices, it can do a lot of harm. Similarly, DDoS attacks, which are sort of an early foray, can create an army of IoT devices. What's more concerning is that there are many apps that claim to secure your devices, but most are far more worried about their market penetration and increasing the consumer base, with security as an afterthought. Companies must be concerned with managing the security of their devices in a way that they are less likely to be compromised. This provides a huge opportunity for every provider.

The shift toward cloud security in the last two or three years has been remarkable. But, many of the controls, the systems, the processes to make sure that the infrastructure is secured, don't necessarily apply in the cloud environment. The security professionals must understand and should think of ways to secure the cloud environment. Symantec has made all the right moves in terms of being ready for the transition to cloud and is helping its customers get there.


Page 17-20_Layout 1 8/21/2017 12:03 AM Page 17

VIEWPOINT

TO CISOs WITH LOVE:


ENDPOINTS ARE DEAD
Chris Roberts, Chief Security Architect, Acalvio Technologies

17

O
pen letter, lets see. I like companies still rely upon it as the be- to that thinking AND hopefully
the CISO opening, its all/end-all for security and they somewhat of a mindset change for
truthful and its part of typically cant implement it all people. We might as well start with
the spark for this. Ive correctly, or monitor it. More and the worst-case scenario and go from
been vocal about more organizations are selling the there, but I encourage you to read to
endpoint being the mythical silver utopia of secure endpoint and all the end as there IS hope! So, without
bullet for a while. Too many will be forgiven. This is a challenge further ado, here are my initial

CISO MAG | September - October 2017


Page 17-20_Layout 1 8/20/2017 2:10 PM Page 18

VIEWPOINT

feelings about endpoint protection in So, lets take a step back and look at quick look at what you and your
blunt bullet points: what is working, what's not, and endpoint have to have to be
what we can do for the future. After protected in today's world:
Nothing to gain?
all, there is little we can do to secure
Antivirus
A waste of time and resources? the actual user who still, after 25
years of InfoSec, wants to click on Antimalware or whatever that's
Snake oil in a slickmarketing
anything that comes into vision or is called these days
campaign?
happy to jot down their passwords
Heuristic detection capabilities
All flash and no go? on post-it notes and leave them all
over the office like confetti. HIDS (Host Intrusion Detection)
Its arguable that the endpoint has
already been compromised. Devices As an attacker, my goal is quite Network behavior analytics
are still one of the core points of simple: get you or your computer to UBA (User Behavior Analytics)
access into most organizations, do something against your/its will,
therefore, don't bother with endpoint against (hopefully) company policy OS patches
security, give up, go home and have a and against your best interest. To do Application patches
good cup of tea. That's what I really this, I need to facilitate a behavior
want to say BUT there must be some change or get lucky and hit the Web browser patches
hope, some ray of light, otherwise systems that are not patched or We browser all protected too,
why would we still have a vibrant protected (too often this is the case, meaning no flash, popups, redirects,
and active commercial sector doing but for this exercise we'll take the Java, etc. Basically plain, vanilla text
all they can to stave of what seems to utopian view that you have ALL your and nothing else!
be the inevitable onslaught of attacks protection active).
launched at the very systems we Web browser outbound analysis,
Now, before we go on, lets take a DNS validation, and ensuring you
strive to protect?
18

CISO MAG | September - October 2017


Page 17-20_Layout 1 8/18/2017 10:02 PM Page 19

VIEWPOINT

ARE going to the right cloud


Application containerization
Encryption
Email filtering
Email anti-malware, anti-anything-
useful removal of all attachments
enabled
NOT admin on your local machine
You, yes, you the squishy bag of
flesh you'd better have done your
regular (monthly?) security training
and know NOT to click sh*t, open
attachments, give out your
passwords,or anything else.
So, a nice tidy list, easy to implement
AND keep up-to-date daily (hourly
would be preferable, but we don't
want to completely saturate the
network with updates).
And we didn't even get to the good
stuff the technology that is starting 19
to make a difference, like the only their work systems wrapped up endpoint protection can be a useful
intelligent systems that are now in an InfoSec condom but also all tool in the defense-in-depth model as
being deployed within enterprises to their portable devices, their phones, long as its implemented with other
facilitate the deceptive technologies, watches, wearables, home systems, controls and procedures. Lets take a
the preventative and proactive kids systems, doorbells, Nests, and look at some of those:
systems that monitor and watch anything else that might somehow
traffic, logs, systems for behavioral 1. Users will still click sh*t even with
break into them to get to you. After
anomalies and/or the logging protection in place. Protection does
all, you are the CISO and you have
systems surrounding them. its best to mitigate, therefore, lets
your hands firmly around all of this
train the users more effectively and
So, now we have all of this in place: right?
combine some user grey matter with
we have the reactive, the proactive, Ok, now reality has set in, youve whatever brand of machine learning
and the preventative systems fired grabbed yourself a good glass of employed by the endpoint.
up, ready to protect us and something Scottish and peaty, and
hopefully an army of staff behind the 2. Users will be users some wont
realized that this task is something
scenes watching, monitoring, listen and will do their best to avoid
more than slamming another
managing, and generally causing a the protections we put in place.
product into the stack. Its more than
nuisance to the business by Therefore, both evaluate what is
relying upon the latest vendor
demanding security be considered at necessary and required against a
presentation and if you have your
every corner. They'll be standing by good risk model to ensure both the
wits about you, its going to have a
eagerly watching all the logs ALL the business and users can actually be
positive impact on that maturity
time for that one time the bad guy productive and you can protect all
model the last penetration test
tries to get lucky. the necessary assets. On top of this,
helped put together so you can
add in a set of tasks to ensure
Hopefully this sounds familiar to you finally track changes, risks, and
exceptions are handled correctly and
all. Hopefully this situation is how report up to the board how you are
documented accordingly, and when
you are operating, how you are being successful. You have looked at
the user doesnt listen for the third
protecting your users you have not the statistics and realized that

CISO MAG | September - October 2017


Page 17-20_Layout 1 8/20/2017 2:12 PM Page 20

VIEWPOINT

time, you have disciplinary processes in place to deal with them accordingly.

3. Not all endpoint users are to be treated equally. Therefore, remove everyone's ability to administer their own systems and provide the required support structure and policies to deal with the special snowflakes that need and can justify the elevated privileges.

4. Endpoint can't work effectively in a vacuum. Therefore, support it with a well-architected log management system that is also bolstered by more proactive, predictive, and preventative measures. Look beyond the traditional IDS/IPS stack towards the deceptive and other technologies that exist to complement the endpoints and other security systems. Choose wisely and don't be fooled by the thousands of vendors that can solve all your problems.

5. Be aware that the attackers focused on your environment already have the upper hand; they have the time and resources to research not only you and your enterprise but also your people and technologies. The less you put out there about what is protecting you, the less you let your vendors and partners talk about how they've protected you in a public forum, the better chance you have of slowing them down. You won't stop them, but you will buy yourself valuable time. Combine this with an internal training focused on data, intelligence gathering, and other social engineering tactics that the users can use both in the work environment and at home, and you'll have added another layer to what is traditionally the weakest link: us, the humans, the employees, the people at the keyboards.

Revisiting those opening statements, let's add a little more context:

Nothing to gain?
Relying on basic antivirus and some basic Web browsing heuristics is not going to protect you. If you are going to look at endpoint, then you need to focus on it, work through what you need for your enterprise, and approach it as carefully as you would a major overhaul of an ERP or other enterprise level system. It's complex and requires both technical and human resources to be completely effective. Treat it with the necessary respect and you will have built yourself another effective layer of defense; treat it as a quick software purchase and you will find yourself living a lie, believing you are protected when you are not.

A waste of time and resources?
No, but as with any product that is going to be integrated into an environment, careful planning and implementation will be key. Simply buying the software or solution and not also getting the professional services and training for your teams, or ensuring adequate coverage for the solution, is going to end in failure and another product gathering dust on the shelf of useless ideas and wasted money.

Snake oil in a well wrapped marketing campaign?
Yes, there are a number of vendors who wrap their solution in artificial intelligence, threat analytics, and other verbiage designed to entice and blind you to the simple fact that they've spent more on the marketing than the actual product. Some of these vendors are well known names, so do your due diligence, trust the team you employ to dissect the entire thing, and involve the end users in the selection process. Worst case, call me; I'll help!

All flash and no go?
When they've spent more developing the GUI than the engine behind the tools, when the CLI has more horsepower than the flashy graphics, and the executive report has more colors to choose from than the latest car brochure, back away slowly and look for a vendor that allows you to talk with the geeks, where they are proud of what they have built, and they are willing to go geek-to-geek with your team at any point. Choose someone who actually is willing to work with you and not simply integrate you into this quarter's sales numbers.

Hopefully, this has been helpful, insightful, and a little provocative. As a researcher and security architect, I'm in a unique position to be able to both assess what's out there, break it, and implement it. In my experience, there ARE good tools out there; the challenge sometimes is looking through the FUD to see the diamonds (sometimes still in the rough).

Good luck and thanks for reading to the end.

The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

COVER STORY

FINTECH: ROOTED IN THE PAST, BORROWED FROM THE FUTURE
Augustin Kurian

New innovations in financial technology tend to be discussed as if the financial industry is only now being impacted by technological innovation. The fact is that banks and technology have always complemented each other. Technology making financial innovation possible can perhaps best be seen by looking at the 1950s, when Diners Club introduced the first credit cards. By the 1960s, Chemical Bank of the United States had installed ATMs aimed at replacing branches and tellers, which dispensed cash when users inserted a specially coded card. The 1970s brought electronic stock trading, and by the 1980s banks started using sophisticated computers to monitor financial data. The nineties and noughts brought the internet and e-commerce to the fore, and Wall Street replaced telephone stock brokering with online stock brokerage websites.

Cut to the present, and fintech, a new abbreviation simply meaning financial technology, has found its way into the Oxford Dictionary as a term that originated in the early 21st century. Fintech aims to leverage modern technology to craft innovative financial services that bring consumers and businesses closer. The fintech industry is one of the fastest growing segments to emerge out of cyberspace: global investment in the fintech sector skyrocketed from $928 million in 2008 to $12.7 billion by 2016. Fintech innovations like mobile wallets, payment apps, robo-advisors, etc. are all largely enhancements to existing banking services, but with the direction the industry is going, the future could see fintech replacing banking

services or even competing with banks outright. This is the disruptive nature of startup technologies at work.

Haskell Garfinkel and Dean Nicolacakis, PwC's US Fintech Practice co-leads, have this to say about the emerging industry: "We think about all the players in a larger fintech ecosystem, which we refer to as the As, Bs, Cs, and Ds. As are large, well-established financial institutions; Bs are big tech companies; Cs are companies that provide infrastructure or technology that facilitates financial service transactions; Ds are disruptors, fast-moving companies, often startups, focused on a particular innovative technology or process."

The evangelists of fintech have been predicting the demise of banks in the face of fintech's explosive penetration. However, a bankless reality may be further away than some think, according to Garfinkel: "Fintech isn't static. When we talk about the As, Bs, Cs, and Ds, we think of them as sectors in motion, all moving toward each other over time. For example, financial institutions are becoming more technology focused. At the same time, big tech companies are offering peer-to-peer payment solutions over social networks and email. Meanwhile, disruptors are providing financial services that, until recently, you could get only from banks or financial advisors," adds Haskell Garfinkel.

However, given the complexity of financial technology, one of the inevitable challenges is with regard to cybersecurity. It is highly likely that there will be vulnerabilities, and those will be exploited.

KEY CHALLENGES

The first step towards securing any industry must begin with a fundamental acknowledgment of the importance of security. Instead of thinking of how to aggressively get to the market quickly (a scenario prevalent among startups), companies must first focus on securing their product. However, securing an architecture cannot be a one-step process. There should be continuous testing and dedicated quality assurance teams to create less breakable and more secure code.

Blockchain is often seen as an added advantage and a natural fit for fintech. However, there has not been a mass exodus of the general population migrating from physical to digital currency. But, if such an exodus does occur, blockchain and cryptocurrency could lead to the demise of banks and other middlemen that fail to adapt to the new reality. Of course, even blockchain is not hack proof. For example, digital currencies like bitcoin are vulnerable to hackers stealing end-users' wallets and bitcoin exchange private keys, DDoS attacks against mining, or even exploiting code flaws. Added to this, bitcoin is famous among the hacker community and is the currency of ransomware. It is often impossible to trace or recover data and financial losses from attacks that have been triggered from blockchain-based systems.

Another key challenge is protecting the identity of end users, which often is the most complex part of the equation. Once a hacker reaches a user's bitcoin wallet, the outcome can be as catastrophic as bankruptcy.

COMPLIANCE AND REGULATIONS

The security risks of fintech are now being recognized by organizations, with special attention toward application vulnerabilities. Several standardization and regulatory measures have also been mandated, while several others are in the pipeline. The existing measures include Basel II, the Federal Financial Institutions Examination Council (FFIEC) Uniform Rating System for Information Technology (URSIT), the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act (FCRA), and the Federal Trade Commission Act (FTC Act), among several others.

Basel II focuses on "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." Basel II helps organizations evaluate and mitigate operational risk losses. FFIEC established URSIT as a rating system. "The primary purpose of this rating system is to evaluate the examined institution's overall risk exposure and risk management performance and determine the degree of supervisory attention necessary to ensure that weaknesses are addressed and risks are properly managed," states FFIEC on its website.

FS-ISAC in its 2015 report pointed out the implementation of an open source management policy to boost fintech cybersecurity. It also recommended creation of an open source Bill of Materials (BOM) to identify open source components. The existing regulations also include open source vulnerability scanning and review, incorporating risk assessments into supply chains, audits on internal controls, cyber risk governance, cyber risk management, internal and external dependency management, and examination of IT assets, among several other measures standard to other technology in the industry.

Upcoming regulations like the European Union (EU) General Data Protection Regulation (GDPR) mandate that all companies must protect personal data (including financial information) of citizens. The governing bodies will verify the protection measures adopted.

At present, fintech is one of the most regulated industries in the world. But the key challenge is the presence of too many governing bodies but no universal standards; a singular regulatory policy or framework for the industry is lacking.

Fortunately, fintech is on the right track, with enough attention on ensuring secured architecture. Cybersecurity is being incorporated into new layers in mergers and acquisition processes even in the fintech industry. Standardizations are also playing a crucial role. The National Economic Council in a statement of principles has provided a framework for stakeholders in the fintech ecosystem to assess their role in contributing to the policy objectives. These principles represent practical and actionable propositions to help the fintech ecosystem contribute to a well-functioning and inclusive financial system and to the economy as a whole.

Fintech is revolutionizing the financial services industry and is contributing to its growth. All it needs is optimum utilization with enough attention to security.

Key takeaways for CISOs
- Identify blockchain attack vectors
- Safeguard user identity
- Limit access to consumer data
- Have role-specific security training
- Embed security testing and conduct a penetration test after every major change
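FS-ISAC's two recommendations above, an open source Bill of Materials and open source vulnerability scanning and review, can be scripted together. The following is an added example, not code from the article or from FS-ISAC: it builds a minimal BOM from a pinned requirements file and reviews each component against an advisory feed, reporting unpinned dependencies separately because they cannot be reviewed at all. The manifest, the package names and the advisory entries are constructed for illustration (none are real packages or real vulnerabilities), and the version matching handles only dotted numeric versions.

```python
"""Build an open source Bill of Materials (BOM) from a pinned requirements
file and review it against an advisory feed.

Added example, not from the article or FS-ISAC. The manifest, package
names and advisories are constructed for illustration and are not real
packages or real vulnerabilities."""
import json
import re
from dataclasses import dataclass

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$")
CLAUSE_RE = re.compile(r"^(<=|>=|==|<|>)\s*(\S+)$")


@dataclass(frozen=True)
class Component:
    name: str
    version: str


def parse_manifest(text):
    """Return (pinned components, names of unpinned requirements).
    An unpinned dependency cannot be reviewed: its version is whatever the
    build machine resolved that day, so it is reported separately."""
    components, unpinned = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            components.append(Component(m.group(1).lower(), m.group(2)))
        else:
            unpinned.append(re.split(r"[<>=!~\s\[]", line, maxsplit=1)[0].lower())
    return components, unpinned


def version_key(version):
    """Dotted numeric versions only: '2.3.1' -> (2, 3, 1). Pre-release tags
    are ignored, which is a deliberate simplification."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def satisfies(version, clause):
    """True when `version` meets one clause such as '<2.4.0' or '>=0.9.0'."""
    m = CLAUSE_RE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported version clause: {clause!r}")
    op, bound = m.group(1), version_key(m.group(2))
    v = version_key(version)
    return {"<": v < bound, "<=": v <= bound, ">": v > bound,
            ">=": v >= bound, "==": v == bound}[op]


def is_affected(version, spec):
    """spec is a comma-separated list of clauses that must all hold,
    e.g. '>=0.9.0,<0.9.4'."""
    return all(satisfies(version, c) for c in spec.split(","))


def bom_document(components):
    """Minimal BOM: enough to answer 'which open source components do we
    ship, at which versions' for an auditor or an incident responder."""
    return {"components": [{"type": "library", "name": c.name, "version": c.version}
                           for c in components]}


def review(components, advisories):
    """Return (name, version, advisory id) for each component an advisory covers."""
    hits = []
    for comp in components:
        for adv in advisories:
            if adv["package"].lower() == comp.name and is_affected(comp.version, adv["affected"]):
                hits.append((comp.name, comp.version, adv["id"]))
    return hits


# Constructed sample manifest for a hypothetical payments API.
MANIFEST = """\
ledgerkit==2.3.1        # double-entry ledger library
fastpay-sdk==0.9.4      # card network client
jsonrpc-lite==1.1.0
hsm-client>=3.0         # unpinned: cannot be reviewed
"""

# Constructed advisory feed (fictional packages, fictional IDs).
ADVISORIES = [
    {"id": "ADV-C-001", "package": "ledgerkit", "affected": "<2.4.0"},
    {"id": "ADV-C-002", "package": "fastpay-sdk", "affected": ">=0.9.0,<0.9.4"},
    {"id": "ADV-C-003", "package": "jsonrpc-lite", "affected": "==1.1.0"},
]

if __name__ == "__main__":
    components, unpinned = parse_manifest(MANIFEST)
    print(json.dumps(bom_document(components), indent=2))
    for name in unpinned:
        print(f"UNPINNED  {name}: pin it before it can be reviewed")
    for name, version, adv_id in review(components, ADVISORIES):
        print(f"AFFECTED  {name}=={version} -> {adv_id}")
```

The useful property for a fintech team is that the BOM is generated from the same artifact the build consumes, so it cannot drift from what ships; the review step then becomes a gate in the pipeline rather than an annual exercise, and an unpinned requirement fails the gate because there is nothing to review.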

IN THE HOTSEAT

In a business landscape characterized by dynamic trends and events, change is the only constant. Many organizations often bring about a change in their leadership to achieve the desired results from a new direction, to create and disseminate a vision, or just to breathe new life into the corporate structure. The field of information security is no different. In this segment, we look at some new appointments in the information security domain.
CISO MAG staff

KEN GONZALEZ JOINS TRIDENT CAPITAL CYBERSECURITY AS MANAGING DIRECTOR

In July 2017, Ken Gonzalez joined Trident Capital Cybersecurity (TCC) as a Managing Director. Gonzalez, who previously worked as a Senior Vice President of Corporate Development and Global Alliances at FireEye, joins TCC with the primary focus of securing the Internet of Things (IoT), next generation identity platforms, behavioral data analytics, privacy, and secure payments and fraud prevention. Gonzalez joins fellow managing directors Alberto Yépez, Don Dixon, and Sean Cunningham.

Prior to FireEye, Gonzalez was with Avast Software as the Chief Strategy Officer, where he was responsible for corporate strategy, business development, inbound licensing, and M&A. Gonzalez has also had a tenure at McAfee as Senior Vice President of Corporate Development. At McAfee, he oversaw licensing, acquisitions, and partnerships.

He graduated from Harvard Business School and the United States Military Academy at West Point, and served in the U.S. Army as an infantry officer with the 82nd Airborne Division and the 75th Ranger Regiment.

Commenting on his appointment, he said, "I chose Trident Capital Cybersecurity because of its stellar cyber investment record, its understanding of technology and because it is renowned for its connections in the cyber ecosystem. The firm also pays close attention to helping entrepreneurs build their companies and is active on their boards. That's important to me."

GHANA COMMUNICATIONS MINISTRY APPOINTS ANTWI-BOASIAKO AS CYBER SECURITY ADVISOR

The Communications Ministry of Ghana recently appointed Albert Antwi-Boasiako as the National Cyber Security Advisor. He is responsible for implementing the National Cyber Security Policy and Strategy (NCSPS), and building a secure information security management architecture that will bridge the gap between cybersecurity services and government functions. He will also assist the government with implementing policies aimed at addressing the country's cybersecurity challenges. "The technology environment of today requires the urgent implementation of important cybersecurity activities and programs to address Ghana's cyber security challenges and Mr. Antwi-Boasiako is expected to assist the ministry to implement the policy in this regard," read a statement from the Communications Ministry.

Antwi-Boasiako is the principal consultant of cybersecurity firm E-Crime Bureau as well as a cybersecurity expert with the Interpol Global Cybercrime Expert Group (IGCEG). He has worked on several cybersecurity incidents in Accra, Ghana. A PhD Research Fellow with the University of Pretoria, South Africa, Antwi-Boasiako is also an expert with the Council of Europe's Global Action on Cybercrime Extended (GLACY+) Project.

VERVE INDUSTRIAL PROTECTION APPOINTS BILL EASTON AS CTO

Prominent cybersecurity software architect Bill Easton recently joined Verve Industrial Protection, a provider of industrial controls engineering and managed asset protection services, as the Chief Technical Officer. Easton is known for innovatively integrating different types of endpoint protection to create a simple security process for the end users.

Easton, who was previously with RES Software, is involved in expanding Verve Security Center (VSC), a threat management software used to evaluate the cybersecurity stance of the end user by consolidating antivirus, application whitelisting, change and configuration management, security information and event management (SIEM), patch management, vulnerability assessments, intrusion detection, backup management, compliance, workflow, and document management into a single console.

On his appointment, Easton said, "I am thrilled to join the Verve team. The complexity of cybersecurity, especially in the ICS environment, requires that providers find a way to simplify solutions. The Verve platform is one-of-a-kind. The ability to bring together the full view of threats into an orchestrated platform is key to ensuring protection. I am excited to help continue to expand Verve's leadership."

WILLIAM DIXON JOINS KROLL AS ASSOCIATE MANAGING DIRECTOR

William (Bill) Dixon has joined Kroll as an Associate Managing Director where he will oversee the company's Cyber Security and Investigations practices. Dixon is a veteran in information security and his career spans over 16 years, during which he's worked with established organizations as well as startups.

Prior to Kroll, Dixon was the Vice President of Cyber Resilience with Stroz Friedberg. Besides handling the responsibilities of client executive leadership management for existing and new clients, he also managed four sub-service categories of the practice: risk assessment, penetration testing, security strategy, and incident response. Before joining Stroz, Dixon served with Accenture as Security Consultant Senior Manager and IBM as Security Services Sales Leader.

Dixon has entrepreneurship experience as well. He was associated with HALOCK Security Lab, where he oversaw solution design, business development, and marketing as Senior Client Security Advisor. He also co-founded Continuum Worldwide Corporation, where he worked as Consulting Director of Enterprise Security Solutions.

BOB THIBODEAUX HIRED AS CHIEF INFORMATION SECURITY OFFICER OF DEFENSESTORM

Cybersecurity firm DefenseStorm appointed Bob Thibodeaux as the Chief Information Security Officer (CISO) in a bid to expand the company's team of security experts, known as Guardian. Thibodeaux will oversee incident response processes, risk management, and penetration testing for community banks and credit unions across the U.S. He will also manage any security concerns of DefenseStorm and its customers, and facilitate action plans to counter them.

Thibodeaux has over 20 years of experience in the field and has previously worked with organizations like F5 Networks and The Seattle Times. While at F5 Networks, he worked as a senior security engineer, and handled tasks related to the development and management of the security network. At The Seattle Times, he worked as the senior network engineer for InterNAP Network Services. Thibodeaux has completed his C-level IT executive business training at the MIT Sloan School of Management.

TABLE TALK

FEW MINUTES WITH FOO SIANG-TSE, SENIOR MANAGING DIRECTOR, QUANN
Augustin Kurian

Foo Siang-Tse is an influencer in the cybersecurity industry in the Asia-Pacific region. He has been credited with establishing Quann as Asia's leading cybersecurity services provider. Driving the growth and development of all aspects of Quann's business, Siang-Tse has been instrumental in introducing new products and services, establishing partnerships, and opening new markets for Quann. In a brief interaction with CISO MAG, Siang-Tse discusses cybersecurity for organizations, the need for regulations, and major threat vectors.

What, according to you, are the key threat vectors? When coming towards handling threats, do you think organizations have their priorities misplaced?

The traditional approach to cybersecurity addressed external attacks. Nowadays, internal and external vectors have become more or less equivalent. We need to focus on cyber engineering as well as safeguarding our forts. We also need to recognize the weakest link in cybersecurity, which most often is people in an organization. This is where the greatest vulnerabilities lie. On whether the organizations have their priorities misplaced, I really don't think that is much of an issue. The reality is cybersecurity is not just technology; it is a much more complex subject. Our decision-making should reflect our understanding of cybersecurity, which, unfortunately, is still lacking in many countries and organizations. Organizations must frame their cybersecurity policies while addressing business risks. They should also optimize their (cybersecurity policies) feasibility from a governance and compliance perspective.

Should businesses have a holistic approach toward security by merging cyber and physical? How does Quann differentiate cybersecurity from physical security? What are the benefits of merging the two?

I think, fundamentally, the principles of security are more or less the same whether we talk about cybersecurity or physical security. We are addressing a perpetrator trying to penetrate an organization through whatever means. The key difference between cybersecurity and physical security is the means in which the attacks are perpetrated. So no matter how complex it may sound, there should always be attention to risk. Cybersecurity must have the same amount of attention as physical security, given that organizations are much more interconnected than ever before. There is also a need to prioritize cybersecurity, which is still lacking.

It is important that security is viewed holistically. We are witnessing a convergence of threats from various vectors. There must be better visibility across all domains, whether it's physical security, cybersecurity, or operational technology. This can enable enterprises to fend off attacks appropriately. If there is a more converged approach, you will be able to look at threats from a holistic perspective because threats, or rather perpetrators, do not differentiate between cybersecurity and physical security. They are basically looking for the most vulnerable part of the organization. You are only as strong as your weakest link. Organizations really need to raise the bar to ensure that they are safe from all kinds of threats.

In one of your interviews, you mentioned that the most vulnerable person in a company is the CEO. How should organizations handle insider threats?

It is not just the CEOs, but all employees. But here, the employees

who are not involved directly in the IT part of an organization need special attention. Typically, non-IT professionals may underestimate the potential damage cyber threats can cause. Unfortunately, there really isn't a solution to this; there really isn't a magical technology or product that can solve this problem. All you can do is build awareness within the organization, have training programs so that the employees are familiar with threat vectors and hacking tactics, so that they are on guard all the time. If there is proper awareness, then the employees will not respond to emails from unidentified sources and can also spot strange inconsistencies in the network. The second most important thing is to have a proper governance policy within organizations. All employees must possess basic knowledge of cybersecurity. The roles of every employee must be segregated and differentiated from others, and access to critical data must be given only to a few.

Quann has the largest bank of malicious software that has been collected in over 15 years. Can you briefly tell us how malicious software has evolved over that period?

To correct your statement, we do not have the largest bank in the world, but we do have a large bank. In the beginning, there was something called the Brain virus in the boot sector, which was among the first malware. If you recall, in those days hardware played a crucial role. By the time the internet became more prevalent, malware evolved. They needed to be downloaded and installed as programs and were mostly in .exe formats. Malware gradually gained the ability to infect content through macros. Basically, even a flash document or PDF was sufficient to allow malware to propagate. What we have also witnessed in recent years is how worms are evolving. In the past, malware was containable, but now malware can propagate on its own laterally, almost like a living organism. So when each affected computer becomes a launch pad to infect other computers, it is worrying. It is no longer static but highly dynamic. Malware is now stealing credit card information and critical personal information. We are also seeing the use of artificial intelligence (AI) in various sectors. We are not far from the time when AI-infused malware evades the measures the enterprises put to guard themselves.

How secure is Quann with a bank of malicious software? Don't you think a leak or security breach would be catastrophic?

How we treat banks is nowhere different from how enterprises treat their critical data. Our access is not singular; we really have multiple approaches to ensure that the bank is kept separate and under wraps. We have several isolation measures installed to ensure that the bank is not even remotely connected to anything that could be compromised. And on top of that, we have all sorts of security measures which ensure only the right person can access the

bank. Unfortunately, I cannot tell you more about these, but we can assure you that the bank is safe and secure.

The industry currently faces a massive skill gap when it comes to experts in cybersecurity. How should this skill gap be filled?

The demand for cybersecurity experts is at an all-time high. There is a huge mismatch between the demand for cybersecurity experts and the supply. The demand has been growing exponentially because the threats are growing exponentially, and that is the reason there is a shortage of workforce. Singapore has done something wonderful to increase the current workforce by promoting cybersecurity knowledge at various levels of education, and has been encouraging students to take up this industry. To me, that is one aspect; the second is recognizing that for enterprises, it is really challenging to recruit a new person from the market. One approach that can serve as a solution is to engage an external security service provider to help enterprises. This will help the companies manage their security without having to recruit employees to manage sophisticated software. This is one way to combat the urgent need.

Can you also comment on the relevance of certifications for network security experts and the importance of cybersecurity literacy among the current breed?

Certifications are important in that they provide external validation of the capabilities of individuals. And, it certainly is very important to know whether a person understands security and technology, as well as has the necessary skillset to take on the challenges in the industry. While saying that, I would add that there is much more to cybersecurity than certifications. I feel individuals gain the best experience in cybersecurity while working on difficult and complex problems. These help them hone their necessary skills to deal with cybersecurity risks. These are not the skills that one will learn from the books, but it is an art as it is extremely dynamic.

What are the future plans of Quann with regard to expanding its security operations center (SOC) footprint?

Like all businesses, we are looking to expand, we are looking to grow. And in this particular industry of cyber, managing cybersecurity, the most important aspect is coverage. The strength of a company is in its ability to cover a wide range of customer bases, verticals, and machines. Having broader coverage means better visibility and anticipating threats before they come. For us, the key area is the SOCs. We are looking for better market penetration and it is pretty exciting.

Quann has SOCs both in Singapore and India. While Singapore topped the Global Cybersecurity Index in 2017, India was ranked 23rd. What cybersecurity strategies can countries like India learn from Singapore? Also, do you think growing economies need stringent regulations to encourage better existing cybersecurity policies?

I think every country has different sorts of threats and different ways to approach threat vectors. I don't think we need to analyze countries on that. The typical ingredients for ensuring that countries or enterprises are secured are the support of the government, a robust regulatory framework, skilled professionals, and a free ecosystem of cybersecurity providers.

For enterprises, the focus must be on security, convenience, and cost. They must understand that cybersecurity is important for both individuals and enterprises. And, regulations must be such that everyone is able to adopt them, be it organizations, enterprises, or individuals.

EVENT FOCUS

GLOBAL CISO FORUM
THE ART OF CYBERWAR: THE CISO AS GENERAL

EC-Council Foundation's Global CISO Forum (GCF) is an invite-only, closed-door event gathering the highest-level executives from across industries and countries to discuss the most pressing issues in information security. Now in its seventh year, the 2017 Global CISO Forum promises to be the best yet with an exciting mix of industries, formats, and interactive presentations.
Amber Pedroncelli

The theme for GCF 2017 is "The Art of Cyberwar: The CISO as General." The conference will be an opportunity for the speakers and audience to explore the ways their leadership impacts their teams, organizations, and careers. Keynote presentations, panel discussions, and roundtable sessions will cover topics from IS frameworks, policy management, and aligning a security program to the goals of the organization, among many others.

The 2017 GCF, EC-Council's largest executive event of the year, promises to be the most relevant event for executives of the year. The event was constructed by the GCF speaker committee with an eye toward ensuring every executive who attends the event will come away better able to perform the duties of an information security leader.

The speaker committee chose from a formidable stack of speaker submissions to craft this year's agenda. Starting with the realization that most CISOs are interested in the show and keynotes of the first half of the first day of Hacker Halted, the EC-Council event the GCF runs alongside, the two conferences will be joined to hear the opening keynote, debate, and second keynote. The first keynote will be, as tradition dictates, delivered by EC-Council CEO Jay Bavisi, historically one of the highest rated presenters of the conference year after year.

The debate following Bavisi's address will address the topic "Hackers, The Media, Truth, Trust, and Alternative Facts" and will be moderated by [...] CyberAttorney (former DoJ) to address some of the most pressing issues facing not just the industry, but the world at large.

Following the 90-minute debate, Chris Roberts, Chief Security Architect at Acalvio, will present his keynote entitled, provocatively, "Leave your zero days at the door, leave your latest hacks behind, AND bring your playbook for the blue team."

And with that, the CISOs will head to the GCF room for their closed-door, executive session. The first GCF keynote will be presented by Brian Phillips, CISO of Macy's. Phillips, a seasoned executive and speaker, will highlight lessons he's learned over his impressive career.

Following this day of high-level technical and executive content, the CISOs will be treated to a networking and cocktail reception at Atlanta's Top Golf facility. The GCF speaker committee recognizes that one of the most important parts of any executive conference is the time allowed for networking and peer conversations. Therefore, a full afternoon will be set aside for this purpose. There are many CISOs who attend the Forum every year and look forward to the opportunity to catch up with friends they've made at past events.

The second day of the GCF is back to business with a keynote by Michael Santarcangelo, Founder of Security Catalyst, entitled "The three questions security leaders must answer to earn respect." This topic was selected because of its relevance to the CISO role and the challenge CISOs face in breaking free from the idea that they are primarily technical [...] will also be available for 15-minute coaching sessions for any GCF attendee interested in his mentorship.

Next on the agenda is a keynote entitled "From Banking to Energy to Healthcare to Criminal Justice Systems to Academia: A CISO's Journey" by William Miaoulis, CISO at Auburn University.

A second panel discussion will follow, focusing on "Building an Information Security Program on a Budget," moderated by Sean Kelley, CISO of EPA, and featuring Favour Femi-Oyewole, CISO of The Nigerian Stock Exchange; Eric Svetcov, CSO of MedeAnalytics; and Shane Durham, Security Threat Intelligence and Analytics Director at WorldPay. The topic of building a robust security program on a less than ideal budget drives many of the hard decisions security leaders are forced to make.

Following lunch, Kathy Fithen, Chief Privacy Officer at The Coca-Cola Company, will give a talk on "The Partnership Between Privacy, Information Security, and the Business," touching on the CISO's responsibility to bring different stakeholders of the business together to ensure the strength of the overall security posture.

Closing out the event will be industry authority Richard Seiersen, Chief Information Security Officer & VP of Trust at Twilio Inc. Seiersen will present "How to Measure Anything in Cybersecurity Risk," a topic he knows very well. As the CISO role has increasingly included risk management as one of the most important facets, the closing keynote should leave the attendees motivated and ready to return to their offices to
industry veteran Winn Schwartau, managers. Following the keynote, lead their programs to a more secure
Founder of The Security Awareness Santarcangelo will lead a panel of future.
Company. Schwartau hand-picked security leaders in a discussion of
his debate panel, inviting Dr. PH (c) EC-Councils CISO events have been
their real-world problems and how running annually since 2011 and
Gregory Carpenter, Owner at GCE, effective leadership has helped
LLC; Michael J. Masucci, Hollywood have attracted increasingly large and
through their careers. Santarcangelo loyal crowds of executives.
Producer; and Mark Rasch,

CISO MAG | September - October 2017



INDUSTRY SPEAKS

IN DISCUSSION WITH TOBIAS GONDROM
Amber Pedroncelli


Tobias Gondrom is among the first generation of information security experts. He has been in the industry for over two decades and has witnessed its evolution very closely. Tobias is currently the CTO for security at Huawei and a global board member of OWASP. He is also a finalist for Certified CISO (CCISO) of the year. Gondrom was interviewed by Amber Pedroncelli, where they discussed the roles and qualities of CISOs, the need for certification among CISOs, and a bit of technology.

Let's start at the beginning! How did you get into security?

I got into security somewhat as a coincidence you could say, or maybe out of interest. I started as a developer, software development, software architect and back then security was not such a hot topic. Basically, not many people were excited about it. Not many people wanted to work in this area, and management didn't really pay too much attention on this topic back then. So, responsible for system architecture for quite a large system and a number of people who developed this, one of the things that came up is "Hey, what about security? Who's actually looking after that?" And back then people would say "oh, okay, maybe this is something for the global architect team to work on." So, that was my first encounter, and I would say I liked it, and I felt very excited about it. So, then I stuck with it and over the years you learn more and more. You see this as a growing community. People are very, very passionate about it and so did I feel very passionate about it and over the years you learn more people. You learn more. You see more best practices. You feel like you can engage in this global community very well. So, it's an exciting job.

How did you get involved with OWASP?

I got involved with OWASP about 10 years ago. At that time, the CCISO program didn't exist yet from EC-Council. So, one of the questions I had, how do you design the program? Who can you ask and there were not many people around that. So, I went to the OWASP community and there were at least a number of security like-minded people. So, it was great to engage with them, to discuss with them, hey what works for you? What are common security problems? Can we maybe share some training materials? That would be good, some documentation material across organizations, because at OWASP everything is open source and free. That was a brilliant way to do so. So, in fact, at that time I used quite a bit of that to ramp up my own programs.

How did your career develop from software development to the head of security for huge corporations?

I know there are very different angles how to become a CISO. Personally, I believe it's good that you really know how software is being built, to make sure that you understand the basics when you design security around it because there is plenty of opportunities to make mistakes for the developers and so this was actually quite helpful for me to be able to write code. At some point, I was even teaching Java back then. So, it was very helpful to know how these things are really done with hands on, and then later, it always is good for me that I could open a book and read the source code if necessary and deep dive if it's important.

Do you find that a lot of CISOs don't know how to code?

I find that CISOs bring in different strengths. So, a number of CISOs bring in strength from an organizational perspective, from a governance perspective, risk management perspective, and some become more from the technology angle. And every flavor has its own advantages and disadvantages. So, yes, a number of CISOs may not know how to code. But, that's fine. They have other strengths. And actually from my side, one of the reasons why I recognize this is that in addition to the coding part, actually in 2008, I also did a senior MBA, the Sloan Master's in leadership and strategy from London Business School, which basically helped me to


get the second angle, the people angle, and the management angle, in addition to the technology angle. So, I believe that you need both of these strengths if you want to be a good CISO.

That is an interesting spot on your resume and it was before the trend of CISOs going to get their Master's, or their MBA. You did that a while ago. So, I was going to ask how that helped your career.

Oh, yes, it was exceptionally valuable and quite exciting as well. It was a good opportunity to take one year, really a full break and basically deep dive into the whole management, leadership, and strategy education and I'm not sure whether you're familiar with London Business School. They are ranked among the top 10 in the world for business schools. So, it was a good thing to learn these things and later when I actually moved back into the chief information security business, like doing advisory and so on, I incorporated quite a number of the learnings I had back then about organizational design management and leadership part of the CISO programs into my daily work. So, it was quite useful.

So, you've really gone out of your way to educate yourself on all the different facets of being a CISO. Have you had the opportunity to share some of your wisdom with other CISOs?

Yes. It's actually not only part of my job, it's part of my passion. So, I very much enjoy sharing and discussing with people and exploring what would be best practices. How can you advance global knowledge in this sphere? Because basically, we have been building this body of knowledge over the last 20 years and we are still building it. So, indeed I have been enjoying this tremendously and for example, like from 2009 to just before I started at Huawei a few years ago, I've been advising other CISOs and actually teaching CISOs. Probably so far, I have probably taught more than 100 of chief information security officers and senior security managers from other organizations and that was always an amazing experience, very challenging discussions, good questions, and of course, you felt very tired at the end of the day, but you also learned a lot and you could feel and see the benefit of how people learn and, yeah, when the people later said, "Hey, this was really great, and we took away a lot," then that was the greatest reward for that day.

It seems that CISOs learn best by talking, debating, discussing every point and they seem to get a lot out of that. Have you noticed any trends that came out of discussions with CISOs where you saw one particular thing that they tend to struggle with that you were able to help them with?

Well, there were actually many points and I would say, no class was the same. CISOs are very senior people in general. They already have good basics, understanding and to learn things really means that you need to discuss and go as in-depth as you can until you finally see, oh, okay, this is the problem, or maybe here's some knowledge limitations. And so, for these discussions are essential and we would touch on stuff like security development, life cycles, processes, governance. And depending on the group that would be in the class, the topics would be different because normally I would always ask at the beginning, okay, what do you care about?

And then we would deep dive into these specific elements, testing, training materials, how do you convince your boss that you should actually invest more in security or how do you balance how much you invest and different CISOs have very different needs and different problems depending on the organization, and the maturity of these organizations, or how do you execute your strategy and your roadmap for your next CISO program, or security program for the next one, two, three, four, five years depending on that?


So, I would say there were a couple of things. Maybe some of the things that were not covered so much by others is the trends that we are moving towards an application world and a number of CISOs, at least in the past, like when I started, were more about network security focus, which would be classic perimeter firewall type of things. This is like 10 years plus ago, okay? And I did notice there is a strong trend towards application layer security needs. And that was quite an interesting shift I think for a number of CISOs to see that, hey, we are not only responsible, but there is no malware. In fact, we're also responsible for that all the application and systems that we are running are totally secure. And there's a number of opportunities in that.

Do you find that sometimes security lags a bit behind technology?

I believe now security's actually driving technology. Yes, 10 years ago, 15 years ago, security was lagging behind, clearly. But, we have caught up. We did catch up with that and now if you look at where a lot of the innovation is, there is so much innovation in the security field, we start to use machine learning, artificial intelligence technologies, big data analysis, huge detection capabilities, refined analysis tools. If you look around this, I think security today is really close to state of the art what's possible in technology, and really pushing the boundary quite a bit.

But yes, there is sometimes a challenge that people may want to roll out the feature first and think about security second. In fact, that's how the internet was also built. I also have been working with the IETF, Internet Engineering Task Force, for 15 years as a working group chair in various working groups for security. And when we started defining some of the internet protocols, we didn't really think about security like 25 years ago, 20 years ago, and so on. But, more and more this, so the internet technology itself, security has become a standard part in the considerations for every design we make. When it comes to the applications, I can see that a number of companies just a few years ago would still say, "Oh, okay. Let's bolt security on afterwards. Let's do security second."

But, I think nowadays, like the last few years, after all these big security events in the news, more and more companies are quite aware that security can pose a huge risk for their bottom line at the end of the day. So, I would say many companies now have security by design which means they actually think about the security considerations right from the start, which is something that I also very strongly advocate and yeah, they also struggle with investments. It's always a balance. You can build some more features, or you can make the features secure. And this is always a risk based decision you need to make. But, most companies I think, now got it that if they fail to make this decision the right way, then sooner or later it will come back and haunt them.

You've been a CISO for quite a while. How have you seen the role change?

I would say it has moved from a technical person more to a recognized management and business person. Ten years ago, the role was for a technical person who wouldn't talk with the board. But, the last few years, I think it has become quite apparent that a CISO actually has to give reports to the board and so that requires slightly different skill sets. It requires better communication ability, leadership abilities, the ability to influence stakeholders, etc. So, there have come a number of more management related tasks with it now that is shifting the scope, and for example, if you would be comfortable just with working with machines, I think the CISO role today would no longer be comfortable for you, because actually now you need to work a lot with people.

What's your experience been like reporting to boards and working with boards?

Interesting. I think this also, as I said, this changed over time. Years back, it was more an uphill battle. But, the last few years, actually, boards have been quite open to these risks and they were very curious about things. Of course, it took some interesting challenges how to explain the scope of security risks to them because you needed to explain it in a way that a less technical person, including a CFO, or a chief customer officer, or sales officer would understand, oh, this is a massive risk to our business. So, you need to translate these things. So, this was an interesting challenge. But once you do that, actually I found many board members are very receptive to security because once you translate it into their language, once you speak their language, they fully comprehend, oh, this is a massive risk and we have to deal with it. And boards are quite professional when it comes to general risk management and looking at strategic topics. So, they can do that. You just need to speak in their language and then it's actually a great opportunity.

Your business education helped you grasp that fairly quickly, right?

Yeah, it definitely helped a lot and translating this, understanding ROI and all the other measures and metrics that you have, I think it's still difficult to make a good case for


business investment for security because eventually you actually have to say you pay this amount for reducing a risk and if nothing happens, your boss may actually say, well, you know what? Nothing happens. Maybe we don't have to pay so much. Maybe nothing happens next year too. And then you have to come and really show, hey, wait a moment. We are actually managing risks here and we are trying to reduce and control the risks for our organization that we don't go completely out of business next year. And that's something that's not coming so natural for people. So, yes, business frameworks, decision making frameworks have been very helpful and to understand personal biases towards risk was a good tool in explaining how to make these decisions.

Personal biases. Tell me more about that.

If you look at security risks, in general if you look at risks, there's actually a great talk by Bruce Schneier about this. People tend to overestimate certain risks. For example, if they are spectacular but rare, you may feel oh this is so dangerous. So, let's say for example an airplane, if it may go down, yeah, this is a very spectacular, so everybody's very scared of it. But, effectively, your risk of let's say dying crossing the street is potentially higher than dying when you are sitting in an airplane. So, you have a bias towards misjudging which risk you actually should mitigate more, where you should invest, and there's a number of learnings that you can take from that. So, if you recognize your own biases, that means you can compensate for them and adjust your investment decisions, and really investing in the stuff that really makes a difference, while maybe only moderately investing in the things that are spectacular in the news, but potentially not your main risk.

I've heard from a few CISOs that having big, spectacular breaches in the news has been helpful for them to drive their security budgets. But, I wonder if that leads to a misallocation of budgets?

If you don't compensate for your biases, it will likely lead to that you ignore your most common risks and you may overinvest, well you may spend ... The problem is your budget is limited and security budgets are still not as big as they should be, and for example, at OWASP, I did study, a CISO survey a few years back where we asked CISOs how is your budget? Are you increasing next year, and so on. This was really quite interesting and we could see the budget is not big enough to do everything that you need or that you think you need. So, if you overinvest in the spectacular things, that means you don't have enough money for doing your homework, which is maybe not so sexy, and then effectively, you're actually exposed on the low hanging fruit that you just didn't cover.

Do you sometimes have trouble hiring for your many teams? I assume you have quite a lot of people under you.

Yes, of course. Of course. This is always a challenge hiring people and I think it's not only me. Probably everyone I talk with in this sphere is like, "Oh, you want to hire security architect or a security analyst? Oh boy, okay." It's really quite a challenge. But, I think this is a great opportunity for people who want to enter this market that there's still a lot of room to grow.


IN THE NEWS

Due to several data breaches in 2017, cybersecurity is a buzzing topic. It is imperative that information security executives are informed about the incidents around them as headline-making breaches can lead to boardroom discussions. Read on for the 10 most important cybersecurity stories of the last two months.

CISO MAG staff

U.S.-RUSSIA CYBERSECURITY UNIT: THE CONFUSION

After a series of events, the idea of a U.S.-Russia cybersecurity unit is in doubt. The decision to build a joint cybersecurity unit was made on the sidelines of the G-20 Summit in Hamburg, Germany, where U.S. President Donald Trump and Russian President Vladimir Putin engaged in a lengthy conversation. The issue of cybersecurity was one of the key points discussed during their two-hour long meeting.

After the meeting ended, Trump tweeted, "Putin & I discussed forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded and safe." The comment drew widespread criticism from government officials in the U.S. who vehemently opposed the formation of any alliance with the Russian government. Following the uproar, Trump again tweeted, "The fact that President Putin and I discussed a Cyber Security unit doesn't mean I think it can happen. It can't-but a ceasefire can, & did!" within a few hours.

However, on July 20, 2017, a Russian government-run media organization quoted Russia's special envoy on cybersecurity Andrey Krutskikh as saying the talks between the country and the U.S. on the joint cybersecurity unit are still on. He was quoted as saying, "there is no need to dramatize the working process, it is undoubtedly difficult, taking into account the current American realities, but this is a problem rather of the U.S. administration, not ours." Two days later, U.S. National Security Agency Director Mike Rogers dismissed the idea of the unit, saying now is probably not the best time to be doing this.

HBO AND THE SERIES OF UNFORTUNATE EVENTS

American television network HBO was in the news recently for wrong reasons, as hackers broke into its infrastructure and stole 3.4 terabytes of data, including forthcoming episodes and scripts of popular TV shows Game of Thrones, Ballers, and Room 104, along with personal data of employees.

The hackers sent an anonymous email to reporters saying, "greatest leak of cyber space era is happening. What's its name? Oh I forget to tell. It's HBO and Game of Thrones!!!!!! You are lucky to be the first pioneers to witness and download the leak. Enjoy it & spread the words. Whoever spreads well, we will have an interview with him. HBO is falling."

The fourth episode of the highly-watched seventh season of Game of Thrones was released online two days after the hack, and a week later, the attackers leaked personal phone numbers, email addresses, and home addresses of cast members of the TV series. Asking for an undisclosed amount as a ransom to prevent further data leaks, the hackers released a video that said, "HBO spends 12 million for Market Research and 5 million for Game of Thrones advertisements. So consider us another budget for your advertisements!"

The latest security breach, which is supposedly several times bigger than the Sony hack in 2014, is reportedly under investigation by the FBI. The TV channel faced a similar situation back in 2016, when four episodes of Game of Thrones were leaked online. Amid the series of events, the fourth episode of Game of Thrones was leaked on August 4, 2017. HBO's distribution partner Star India was held accountable for the leak. In connection to the incident, four men from Mumbai were apprehended by Indian cyber sleuths on August 15. The next day, HBO Spain mistakenly aired the sixth episode of the TV series before its official air date. The episode eventually landed on peer-to-peer sites and was downloaded globally.

The juggernaut of leaks didn't stop there. On August 17, the social media handles of the cable giant as well as the Twitter account of Game of Thrones were compromised by OurMine Security Group, a self-proclaimed white hat hacker group which hacks companies and approaches them with a sales pitch. The group posted on the page stating, "Hi, OurMine are here, we are just testing your security. HBO team please contact us to upgrade the security - ourmine .org -> Contact."


BOTCHED DATA BACKUP IN SWEDEN

In a massive botched data transfer, Sweden's Transport Agency sent information about every vehicle in the country to marketers. The agency believed it was moving the data to cloud storage via an outsourcing agreement with IBM, but apparently, the information was forwarded to third parties.

According to Pirate Party Founder Rick Falkvinge, who is also a key player at the Virtual Private Network (VPN) company Private Internet Access, a whole host of sensitive information was compromised. Several databases that may have had top-secret designation may have been included in the information security violation, including data on members of the military holding high-security positions, criminal suspects, and citizens in witness protection programs. The breach included names, photos, and addresses.

Falkvinge criticized the lack of punishment in the case. The department director found guilty in criminal court for being responsible for the incident was sentenced only to the loss of half of her monthly salary.

It also became clear that the response to the leak was lackadaisical, with the marketers who incorrectly received the information simply receiving a follow-up email requesting that they delete it, with no further follow-up. It has also been reported that IBM employees without security clearance outside of Sweden also had access to the information.

ILLICIT DARK WEBSITES SHUT DOWN

The Attorney General of the United States, Jeff Sessions, announced the shutdown of two dark web marketplaces, AlphaBay and Hansa. These sites were clearing houses for the illegal trade of products such as guns and drugs, including fentanyl and heroin. Both were Tor-based anonymous sites.

The investigation that led to the shutdowns included law enforcement agencies worldwide, led by the Federal Bureau of Investigation (FBI), the Drug Enforcement Agency (DEA), and the Dutch National Police.

AlphaBay servers were seized by law enforcement agencies in Thailand, Lithuania, Canada, Britain, and France. Alexandre Cazes, a Canadian citizen and founder of AlphaBay, was arrested in Thailand. He apparently committed suicide within a week of being taken into custody.

Europol estimates that AlphaBay had over 200,000 users and 40,000 vendors. Digital currencies, including Bitcoin, were used to process transactions. The largest online black market before being shut down, AlphaBay processed transactions worth hundreds of thousands of dollars and had taken over much of the market after Silk Road was shut down in 2013. According to FBI acting Director Andrew McCabe, AlphaBay was 10 times larger than Silk Road at its height.

Servers for Hansa were seized in Lithuania, the Netherlands, and Germany under the coordination of the Dutch National Police. Prior to shutting down the site, authorities took covert control of it in order to track migration from the shutdown AlphaBay site to Hansa.


MARCUS HUTCHINS, WANNACRY HERO, FACES 40 YEARS IN JAIL

Marcus Hutchins, the man who discovered the WannaCry kill switch, is facing a jail term of at least 40 years. The FBI arrested him on August 4, 2017, on the charges of developing and selling banking malware as he was about to board a flight back to the United Kingdom from Las Vegas after attending the hacking conference DEFCON.

Hutchins stands accused of building and selling a banking trojan named Kronos. He and another unknown associate had allegedly sold the malware on the dark web between 2014 and 2015. During questioning by the FBI, Hutchins admitted to writing some code for a malware, but only for research purposes.

Hutchins has been in a jail in Nevada ever since. He appeared in court on August 14, 2017 in Milwaukee, WI, and pleaded not guilty to the charges. Currently, he is out on a $30,000 bail on several strict conditions such as no Internet access and an ankle monitor. He had to surrender his passport as well.

LAWS OF ROBOTICS PUBLISHED BY UK FOR SELF-DRIVING CARS

The United Kingdom Transport Minister Lord Callanan announced a set of privacy and security principles targeted toward automakers, distributors, and suppliers to safeguard the forthcoming automated vehicles from any potential cyber threats. The set of principles was jointly drafted by the UK's Department for Transport with the assistance of the Centre for the Protection of National Infrastructure. The eight principles come with several sub-principles that encourage all the participants in the supply chain to work together. The principles include:

Organizational security is owned, governed, and promoted at the board level;

Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain;

Organizations need product aftercare and incident response to ensure systems are secure over their lifetime;

All organizations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system;

Systems are designed using a defense-in-depth approach;

The security of all software is managed throughout its lifetime;

The storage and transmission of data is secure and can be controlled;

The system is designed to be resilient to attacks and respond appropriately when its defenses or sensors fail.


SINGAPORE BEST IN CYBERSECURITY STRATEGY: UN SURVEY

A recent survey by the United Nations International Telecommunication Union (ITU) revealed that Singapore has the best cybersecurity approach in the world. Singapore is ahead of U.S., Malaysia, Oman, Estonia, Mauritius, Australia, Georgia, France, and Canada. Equatorial Guinea was the lowest ranker with a score of zero.

The report lauded Singapore for a number of its cybersecurity initiatives, including the launch of their cybersecurity master plan in 2005 and the establishment of The Cyber Security Agency of Singapore in 2015 to oversee cybersecurity, and the country issued a comprehensive strategy in 2016.

The survey featured 195 countries which were evaluated on the basis of their legal, technical, and organizational skills, educational and research capabilities, and cooperation in information-sharing networks.

It was observed that many wealthier nations did poorly in adhering to robust cybersecurity strategies, whereas some poor countries fared much better. The famously technically-advanced Estonia is ranked 98th in the world in GDP but 5th in the world on the ITU report, much higher than Germany, which ranks 4th in the world in GDP but 24th on this report. Small, rich countries such as Andorra, Liechtenstein, Monaco, and San Marino got low ranks as well.

WANNACRY ATTACKERS WITHDRAW RANSOM FROM ONLINE WALLETS

According to a BBC report, the online accounts involved in collecting ransoms from the WannaCry victims were emptied by late July or the first week of August. The attackers withdrew more than $140,000 worth of bitcoins and have been laying low ever since.

Bitcoins can be turned into real money but experts feel that a large amount of the ransomed bitcoins have most likely been put through a mixer, allowing the digital money to be mixed with other larger payments that could be used inconspicuously and are harder to track.

The WannaCry malware that crippled businesses around the world was launched in May 2017. To unlock victims' computers, attackers demanded ransoms between $300 and $600 in the form of bitcoins. Despite instructions from cybersecurity experts and law enforcement agencies against payments, several victims gave in to the attackers' demands.


CHINA ENFORCES FIRST ACTION UNDER NATIONAL CYBER LAW

Chinese authorities came down hard on a local Internet data center company for reportedly not adhering to the newly implemented National Cyber Law. The company reportedly failed to preserve its weblogs and was issued a warning from Chongqing's Public Security Bureau (PSB). The Bureau ordered the company to rectify the issue within 15 days.

This was the first instance of enforcement action against a company that did not adhere to the National Cyber Law, which was implemented on June 1. The law requires companies to store data such as information about Chinese citizens or data concerning national interests on domestic servers. It also requires every firm that exports bulk data to undergo an annual security assessment.

Four government departments have also jointly initiated the Action Plan for Personal Information Protection Improvement, under which an expert panel would examine the privacy policies of 10 notable domestic network product and service providers.


NORTH KOREA TARGETED BY HACKERS AFTER ICBM TEST

North Korea is facing a barrage of cyberattacks from an unknown hacker group. According to experts, the group is using Konni malware, a remote access trojan (RAT), to attack North Korean organizations. At least three campaigns have been detected so far in 2017, the most recent being in July after the intercontinental ballistic missile test.

Experts haven't pinpointed a reason for the attacks but suggested they may be geared towards espionage against targets who would be interested in North Korean affairs. According to researchers, the malware can hide in the background while victims are tricked into releasing the payload. Hackers can then easily steal data using the keylogger and screen grabbing features in the malware.

Researchers at Kaspersky Labs suggested that the malware could have been created by people of Korean origin. Some researchers also suggested the attack could have originated from within South Korea.

Though presumably the victim in this case, North Korea has allegedly carried out a number of cyber attacks. Recently, South Korea's government-backed Financial Security Institute suggested in a report that around 1,700 hackers are looking to break into a number of international banking systems to steal cash. If the report is to be believed, North Korea was behind the attacks on Bangladesh's central bank as well as some Polish banks.


TECH
TALK

AUTOMATION AND ORCHESTRATION: THE BIG PICTURE
Tari Schreider, Chief Cybersecurity Strategist and Author, Prescriptive Risk Solutions, LLC

CYBERSECURITY COUNTERMEASURES SPRAWL

Today, CISOs have a dizzying array of cybersecurity technologies offering the promise of a more secure tomorrow. Each technology performs its appointed mission of protecting assets and information with aplomb. Layer by layer, one security technology is stacked upon another, hoping to achieve defense in depth. However, the bad actors somehow still find a way around our defenses. No wonder CISOs have trouble asking for funding for the next galactic malware cure. CFOs may not say it, but they are thinking it: if you cannot make what we have work together to reduce our risk, we're just throwing good money after bad.

If there were only a way to leverage our growing complexity of disparate cybersecurity technologies and force multiply our limited SecOps
personnel with machine agility and speed. Well, there is, my fine CISO friend, there is. The age of automation and orchestration is dawning. Solutions now exist that allow you to automate your cybersecurity playbooks. With an extensible automation and orchestration platform, you can programmatically curate, from your inventory of countermeasures, your response to various threat scenarios.

MARKET ADOPTION

You may have already seen their booths at RSA or received marketing grams from various security automation and orchestration vendors and wondered: does this thing have legs? To answer in a word, yes. MarketsandMarkets Research published a report in 2016 forecasting that the security orchestration market will grow from $826.1 million in 2016 to $1,682.4 million by 2021, at a Compound Annual Growth Rate (CAGR) of 15.3%.

Some companies jumped on the security automation and orchestration train early by announcing integration partnerships. An example of seemingly early adoption would be the Tufin Orchestration Suite integrating with Cisco firewalls. These partnerships were generally a placeholder to allow vendors to figure this market out and create products that actually live up to the promise of security automation and orchestration.

The field of players is becoming crowded, and I expect an aggressive 2017 M&A season to follow on previous years' activity. In 2016, we witnessed IBM acquiring Resilient Systems and FireEye acquiring Invotas, as well as Cisco Systems acquiring Tail-f in 2014.

At my last count, there were over thirty providers of products claiming placement within the security automation and orchestration market. If you attended RSA in February, you should have noticed these products were all the rage. Some claim they are a full automation and orchestration suite, while others are carving out narrow niches in areas like policy orchestration or automated incident response. Below are the ones creating the most chatter:

KEY PLAYERS
Bradford Networks - Network Sentry
Cisco Systems Process Orchestrator
Cyberbit SOC 3D
CyberSponse Inc.
Demisto
DFLabs - IncMan
Exabeam Security Intelligence Platform
FireEye, Inc. Security Orchestrator
Gemini Atlas Platform
Hexadite AIRS
IBM Corporation - Resilient Incident Response Platform
Intel Open Security Controller
Komand Security Orchestration & Automation Platform
Phantom Cyber Corporation
Resolve Systems
Swimlane LLC
ThreatNexus Orchestration Engine
Tufin Orchestration Suite

USE CASE / RATIONALE
Alert Resolution: Reduce effort to aggregate, correlate, and resolve alerts from multiple sources.
Detect & Patch: Automate risk scoring of patch advisories, scan for missing patches and remediate in one continuous motion.
Incident Response: Execute incident response playbooks in real time.
Integrate Cybersecurity Countermeasures: Automate security technologies to work as a cohesive, integrated workflow.
Metrics & Report Consolidation: Reduce time required to chase down metrics, consolidate results and produce reports.
Threat Intel Fusion: Reduce time and effort to source, analyze and report on threat intelligence from multiple sources.
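Three rows of the use-case table (alert resolution, threat intel fusion and incident response) in working code. This is an added example written for this page, not code from the author or from any vendor listed above. The alert formats, the two intel feeds, the connector names and the hosts are all constructed for the illustration, and the addresses are from the RFC 5737 TEST-NET ranges. The playbook also pauses for a human before a disruptive step, which is what the article's later point that you will still need people looks like in practice.

```python
"""Minimal playbook runner for three of the use cases above: alert resolution,
threat-intel fusion and incident response. Added illustration, not a product.
Alerts, feeds and connectors are constructed; addresses are RFC 5737 TEST-NET."""
from dataclasses import dataclass, field

# Constructed raw alerts from two tools. The EDR alert fires twice (a duplicate).
EDR_ALERTS = [
    {"tool": "edr", "host": "ws-017", "user": "jdoe", "dst_ip": "203.0.113.45",
     "signal": "suspicious_powershell"},
    {"tool": "edr", "host": "ws-017", "user": "jdoe", "dst_ip": "203.0.113.45",
     "signal": "suspicious_powershell"},
]
PROXY_ALERTS = [
    {"tool": "proxy", "host": "ws-017", "user": "jdoe", "dst_ip": "203.0.113.45",
     "signal": "uncategorized_domain"},
    {"tool": "proxy", "host": "ws-042", "user": "asmith", "dst_ip": "198.51.100.9",
     "signal": "uncategorized_domain"},
]
# Constructed threat-intel feeds: indicator -> verdict.
FEED_A = {"203.0.113.45": "c2-server"}
FEED_B = {"203.0.113.45": "malware-distribution", "198.51.100.9": "scanner"}


@dataclass
class Incident:
    host: str
    user: str
    dst_ip: str
    sources: set = field(default_factory=set)
    signals: set = field(default_factory=set)
    intel: set = field(default_factory=set)
    actions: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # The runner only knows the rules we modelled; it infers nothing else.
        if "c2-server" in self.intel and len(self.sources) > 1:
            return "critical"
        return "high" if self.intel else "low"


def correlate(*alert_streams):
    """Alert resolution: one incident per (host, user, dst_ip), duplicates folded."""
    incidents = {}
    for stream in alert_streams:
        for a in stream:
            key = (a["host"], a["user"], a["dst_ip"])
            inc = incidents.setdefault(key, Incident(*key))
            inc.sources.add(a["tool"])
            inc.signals.add(a["signal"])
    return list(incidents.values())


def enrich(incidents, *feeds):
    """Threat-intel fusion: attach every feed's verdict for the destination."""
    for inc in incidents:
        for feed in feeds:
            if inc.dst_ip in feed:
                inc.intel.add(feed[inc.dst_ip])
    return incidents


# Connector stand-ins (placeholders for vendor integrations): each records the call.
def open_ticket(inc):
    inc.actions.append(f"ticket.open {inc.host}/{inc.severity}")


def block_ip(inc):
    inc.actions.append(f"firewall.block {inc.dst_ip}")


def isolate_host(inc):
    inc.actions.append(f"edr.isolate {inc.host}")


# Playbook: ordered (step, needs_human_approval) per severity. Disruptive steps
# wait for an analyst; the rest run at machine speed.
PLAYBOOK = {
    "critical": [(open_ticket, False), (block_ip, False), (isolate_host, True)],
    "high": [(open_ticket, False), (block_ip, True)],
    "low": [(open_ticket, False)],
}


def run_playbook(incidents, approve):
    """Incident response. `approve(incident, step_name)` stands in for the on-call
    analyst; a step needing approval is queued for review when it returns False."""
    for inc in incidents:
        for step, needs_approval in PLAYBOOK[inc.severity]:
            if needs_approval and not approve(inc, step.__name__):
                inc.actions.append(f"queued_for_review {step.__name__}")
                continue
            step(inc)
    return incidents


def triage(approve=lambda inc, step: False):
    """Full pipeline over the constructed data; returns incidents keyed by host."""
    incidents = enrich(correlate(EDR_ALERTS, PROXY_ALERTS), FEED_A, FEED_B)
    return {inc.host: inc for inc in run_playbook(incidents, approve)}


if __name__ == "__main__":
    for host, inc in triage().items():
        print(host, inc.severity, sorted(inc.sources), sorted(inc.intel), inc.actions)
```

Run stand-alone it prints one line per correlated incident. The severity rules are deliberately explicit and small: the runner does exactly what the modelled process says and nothing more, which is the garbage-in, garbage-out caveat made concrete, and the approval callback is where a real platform would page the analyst rather than act on its own.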


When looking at these products, you will need to recognize that half of them will, within the next two years, either no longer be in business or no longer operate as an independent company. You should also note that this is an arms race, with feature advantage changing sides often.

I have not mentioned the girth of log management and security information and event management (SIEM) products that have just created white papers to convince us they are a security automation and orchestration solution.

THE PROMISE OF AUTOMATION & ORCHESTRATION

The promise of automation and orchestration solutions lies in use cases. Depending on your solution, you can improve just about any SecOps function or process. The use cases best served by these solutions are the ones in the table above. From what I can see of these products, your imagination is your only limitation on how deeply you can automate SecOps.

ALL THAT GLITTERS IS NOT GOLD

If you are waiting for the other shoe to drop, well, listen: thud, there it is. Security automation and orchestration solutions are the next best thing to sliced bread, but they are not magic. You have to model your processes in advance before you can automate and orchestrate them. These solutions have no idea what you want to accomplish unless you tell them. Remember that old adage, garbage in, garbage out? Modeling a process is a 360-degree
exercise. You will need to consider people, policies, procedures, processes, products and proof (metrics). It is only through the union of these domains that automation and orchestration occur.

I know what you are thinking: I can get rid of all my SecOps staff through automation and orchestration. I will have a lights-out SecOps. Wait, what? Nice try, but it does not work like that; you will still need people. Your goal is to root out the rote tasks of SecOps, freeing your people up to focus on the strategic aspects of your cybersecurity program. Yes, you may be able to stave off hiring more staff, addressing the growing skills gap, but don't go into acquiring a security automation and orchestration solution thinking you're going to cut staff.

SECRET SAUCE: PLAYBOOKS & PARTNERS

Sometimes the difference between being compromised or not is a matter of seconds. Security automation software provides the ability to respond to attacks at machine speed. Designed to execute preset detection protocols, these solutions reduce the dependence on manual intervention. Some of the solutions already come with playbook templates. Solutions that offer the broadest partner ecosystem and customizable library of playbooks should be at the top of your evaluation list. However, for them to acquire either, they will have had to log time in the seat. You will want a company whose product has a reasonable-size customer base (25+) and can provide evidence of automating and orchestrating dozens of security products within the same client.

ELIMINATING YOUR MSSP

Security automation and orchestration has been the secret of Managed Security Service Providers (MSSPs) for years. However, their solutions were mostly hybrids of service management tools or custom code written specifically for their SOCs. Having managed SOCs around the world, I know a thing or two about what goes on behind the scenes. I can also say that some of you are perfect candidates for replacing your expensive MSSP contract through the introduction of an automation and orchestration solution.

Most organizations gravitate to an MSSP because they do not have the people to watch their network around the clock. In addition, when a critical event does happen, most companies still want a call in the middle of the night. What if you could eliminate all the white noise of SecOps, automate your incident response and receive a call only in times of emergency? It can happen when you implement security automation and orchestration solutions.

DEVOPS

DevOps has produced one of the most profound changes in IT in the past five years. In many ways, it is a disruptive technology, forever changing the landscape of application development and operations. Security automation and orchestration solutions are perfect for facilitating DevOps by supporting a playbook that integrates security testing, validation and monitoring throughout the lifecycle from application development to deployment. Playbooks support the integration of security testing into the domain of application programmers rather than security personnel. Application development becomes its own gatekeeper and can no longer blame deployment delays on the security department. Also, imagine the economies of scale of automating patching and hardening into release builds. In my mind, DevOps alone justifies moving toward a security automation solution.

A WORD OF CAUTION

I am a huge believer in taking stock of the past to ensure I do not repeat an incident as a future failure. I searched my disaster archives and found an extreme example of an automation blunder that serves as a cautionary tale. In June 2012, Royal Bank of Scotland's (RBS) NatWest and Ulster Bank subsidiaries descended into chaos following a glitch in their software workflow automation product.


The outage was so profound it got its own Wikipedia page. During the one-month outage, 1,200 branches had to remain open past normal hours, call center staff was doubled and millions of customers suffered. The CEO had to forgo his bonus because of the fiasco's impact on roughly 20 million customers, and RBS canceled its presence at Wimbledon that year. Game, set, match.

CONCLUSION

Orchestration and automation solutions are not new, but advances in technology have finally made their time come. As we try to maneuver around a critical shortage of IT personnel, manage an average of 60 security products, adapt to DevOps and strive to be more effective and efficient, few choices to accomplish all of this are left. As the CISO of your organization, you should be leading the charge toward SecOps automation.
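The DevOps section above describes a playbook that folds security testing, patching and hardening into release builds so that the developers, not the security team, are the gatekeeper. Below is an added example of such a release gate, written for this page rather than taken from the author or any product. The scanner report schema, the policy keys and both Dockerfiles are constructed; the weak image is shown beside a hardened one so the same gate can be seen failing and passing.

```python
"""Release-build security gate: the pipeline calls gate() with a dependency
scanner's findings and the image's Dockerfile and gets a pass/fail verdict with
reasons. Added illustration; the report schema, policy and Dockerfiles are
constructed for this example and are not any real tool's format."""
import re

# Constructed scanner report: one finding per vulnerable package in the build.
# Versions are kept numeric (a.b.c) so they compare as integer tuples.
SCAN_REPORT = [
    {"package": "libexample", "installed": "1.2.3", "fixed": "1.2.5", "severity": "critical"},
    {"package": "otherlib", "installed": "4.0.0", "fixed": None, "severity": "high"},
    {"package": "tinyutil", "installed": "0.9.1", "fixed": "0.9.2", "severity": "low"},
]

# Constructed Dockerfiles: the weak build beside its hardened counterpart.
DOCKERFILE = """\
FROM registry.example.internal/base/python:latest
RUN apt-get update && apt-get install -y curl
COPY . /app
CMD ["python", "/app/main.py"]
"""
HARDENED_DOCKERFILE = """\
FROM registry.example.internal/base/python:3.11.4
RUN apt-get update && apt-get install -y --no-install-recommends curl
COPY . /app
USER app
CMD ["python", "/app/main.py"]
"""

POLICY = {
    "block_severities": {"critical", "high"},  # fixable findings at these levels fail the build
    "require_pinned_base": True,                # no :latest or untagged base images
    "require_non_root": True,                   # image must end up running as a non-root USER
}


def _version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def patchable(finding):
    """True when the scanner names a fixed version newer than the installed one.
    Unfixed findings are reported but cannot be closed by patching."""
    fixed = finding["fixed"]
    return fixed is not None and _version_tuple(fixed) > _version_tuple(finding["installed"])


def check_dependencies(report, policy):
    """Blocking findings are patchable ones at a blocked severity; everything
    else becomes an advisory for the developers' build log."""
    failures, advisories = [], []
    for f in report:
        msg = f"{f['package']} {f['installed']} ({f['severity']})"
        if f["severity"] in policy["block_severities"]:
            if patchable(f):
                failures.append(f"patch {msg} -> {f['fixed']}")
            else:
                advisories.append(f"no fix available for {msg}; needs risk acceptance")
        elif patchable(f):
            advisories.append(f"optional patch {msg} -> {f['fixed']}")
    return failures, advisories


def check_hardening(dockerfile, policy):
    """Two hardening checks on the image definition: pinned base, non-root user."""
    failures = []
    base = re.search(r"^FROM\s+(\S+)", dockerfile, re.M)
    image = base.group(1) if base else ""
    if policy["require_pinned_base"]:
        last = image.rsplit("/", 1)[-1]           # strip registry/path before looking for a tag
        tag = last.split(":", 1)[1] if ":" in last else ""
        if tag in ("", "latest"):
            failures.append(f"base image not pinned: {image or '<missing FROM>'}")
    if policy["require_non_root"]:
        users = re.findall(r"^USER\s+(\S+)", dockerfile, re.M)
        if not users or users[-1] in ("root", "0"):  # the last USER wins at runtime
            failures.append("image runs as root: add a USER directive")
    return failures


def gate(report=SCAN_REPORT, dockerfile=DOCKERFILE, policy=POLICY):
    """Returns (passed, failures, advisories). Failures block the release."""
    dep_failures, advisories = check_dependencies(report, policy)
    failures = dep_failures + check_hardening(dockerfile, policy)
    return (not failures, failures, advisories)


if __name__ == "__main__":
    for name, df in (("weak", DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        ok, failures, advisories = gate(dockerfile=df)
        print(name, "PASS" if ok else "FAIL", failures, advisories)
```

With the weak Dockerfile and the full report the gate fails on the patchable critical finding, the unpinned base image and the missing USER; with the hardened Dockerfile and only the unfixable finding left it passes and emits one advisory, which is the risk-acceptance conversation the developers now own.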


KICK
STARTERS

With cybersecurity gaining more importance than ever, cybersecurity startups have become a main attraction for venture capitalists. The cybersecurity market has seen tremendous growth despite the slowdown in the global economy, with many companies inking record-breaking funding deals with venture capital firms. The influx of money has driven innovation and solutions to important security challenges. In this section, we look at some emerging companies making waves in the information security domain.
CISO MAG staff

ARGUS

Argus Cyber Security is a privately held automotive cybersecurity company, working with the major private and commercial OEMs, Tier 1 suppliers, aftermarket connectivity providers, and fleet managers to address the growing security challenges posed by increasing vehicle connectivity.

Argus was featured among the best cybersecurity startups in 2016 by Automobility LA at the LA Auto Show, in the annual Top Ten Automotive Startups Competition.

Founded in 2013, Argus understands that the more connected vehicles become, the more vulnerable they are to cyber attacks. With hundreds of millions of connected cars expected on the roads by 2020, Argus enables motorists to stay connected and protected.

Argus solutions are developed by a competent research team and automotive veterans and are based on the technology of over 29 pending and granted patents. These multi-layered, end-to-end solutions embed security into the vehicle from concept stage through production, protecting the vehicle and keeping passengers safe, preventing costly cyber recalls by automakers, and safeguarding customer data and property. Argus is headquartered in Tel Aviv, with offices in Detroit, Silicon Valley, Stuttgart, and Tokyo.


B-SECUR

B-Secur is a Belfast-based cybersecurity firm that has developed a biometric technology that authenticates identity through a unique heart pattern. The company positions the technology as a step beyond existing biometrics like fingerprint or iris scanners, which have been shown to be spoofable. B-Secur's solution is based on ECG technology, which the company says minimizes hacking or spoofing risks.

B-Secur has several approved patents that include B-Secur Tracker, B-Secur Smartcard, and B-Secur Mobile. The company claims that all these solutions make the experience of authentication more secure, convenient, and cost effective for the end user.

The company was included in the Top 30 fintech startups of 2015 by Silicon Republic. It was also one of the finalists at Accenture's 2015 Fintech Innovation Lab Dublin and Google's Adopt-A-Startup program.

BIOWATCH

Founded in 2015, BioWatch is a Swiss startup that claims to have created the world's first miniaturized wrist vein scanner that can be integrated into a module and added to any watch or wearable, turning the user's wrist vein into an avenue for authentication.

The BioWatch solution can be used as a replacement for badges, keys, cards, passwords, and PIN numbers. It can be used to unlock a car, access an office, log in to systems, purchase goods and services, and sign contracts and digital documents. The device leverages always-on authentication for the user for the entire period of wearing it.

BioWatch has offices in Martigny, Lausanne and Neuchâtel. Matthias Vanoni, a former EPFL/IDIAP PhD student, and Joe Rice, a former engineer at Kodak, are the co-founders. The company recently got recognized at the Swiss Fintech Convention in 2017, held in Geneva. It has also participated in multiple accelerator programs and was recognized at various events, including Kickstart Zurich in 2016, where it secured third position in the Future and Emerging Technologies category.


CAPSULE8

Capsule8 has developed a threat prevention and response platform to protect legacy and next-generation Linux infrastructure. The company claims that its solution spans the entire Linux infrastructure in data centers and in the cloud, across virtual machines, bare metal, and containers.

Capsule8 Protect aims to provide simplified and automated security solutions for organizations that are adopting containerized and micro-service architectures. The platform provides visibility, ensures real-time threat prevention, and performs intelligent investigation that allows the user to review old data stored in the distributed flight recorder to search for signs of an attack.

Founded in 2016 by experienced hackers and seasoned security entrepreneurs, the company is headquartered in Brooklyn, New York. Earlier this year, the company raised seed funding of $2.5 million from Bessemer Venture Partners as well as individual investors Shardul Shah of Index Ventures and Jay Leek of ClearSky.

CORELIGHT

Corelight is an American cybersecurity solution provider headquartered in San Francisco, California. It is the creator of the Corelight Sensor, built on the open-source Bro network analysis framework, which provides network visibility by transforming high-volume network traffic into high-fidelity data for incident response, intrusion detection, forensics, and more.

Corelight claims that the Corelight Sensor features a comprehensive API, enterprise integrations for Splunk, Amazon S3 and Kafka, and performance optimizations yielding 3-4x higher data processing throughput compared to standard servers. The sensor helps in the investigation and prevention of ransomware, denial of service, unauthorized access, misconfiguration, abuse, exfiltration of data, malware infection, insider threat, port scanning, and advanced persistent threats (APT). It can also be helpful to track phishing or other mail-based attacks or incidents.

According to customers, the solution is used as a flight data recorder for their network, because users can easily go back in time to quickly understand sophisticated cyber attacks more effectively than ever before.


ADDO AI

Headquartered in Singapore, Addo AI is involved in the field of artificial intelligence, machine learning, and data science. The company claims that it provides data-driven services and products to help businesses analyze massive amounts of data and gain insights.

It offers services related to statistical analysis, machine learning, user predictions, code engineering, cloud-based architecture, deep learning, and much more. The company uses several techniques such as intelligent speech and natural language processing, intelligent system modelling, simulation and controls, data mining and self-rule generation, neural networks and fuzzy systems, and computer vision.

Addo collaborates with experts in the artificial intelligence domain who oversee algorithm development and testing of the company's products in order to ensure efficacy, accuracy, and validation. The AI solutions offered by the company are used in sectors such as transportation, finance, healthcare, retail, real estate, and logistics.
uses several techniques such

FUNCAPTCHA

FunCaptcha claims to be the world's only managed CAPTCHA service. It uses a patent-pending 3D model approach to create gamified puzzles that leverage gaps in machine vision. Working with researchers and using tools such as MathWorks' MATLAB, the company ensures that all its security images fall outside what off-the-shelf machine vision software can recognize, forcing would-be attackers to write PhD-level software to attack FunCaptcha.

This approach turns one 3D model into millions of unique images by automatically introducing variations such as random noise, changing the camera angle, and shifting the image position. Every security image is unique to the user, which the company says makes it heavily resistant to all forms of automated abuse, machine learning, client decryption, brute forcing, and sweatshop techniques. This approach also makes it easy to undo machine vision and training attacks.

Additionally, dedicated data scientists monitor FunCaptcha traffic patterns 24/7 and respond to threats within a guaranteed SLA, rendering automated abuse inoperative and disarming attackers before they can recoup their costs. FunCaptcha was founded by Kevin Gosschalk in 2013 and is headquartered in Brisbane, Australia.


SENTRYO

Sentryo is the creator of Sentryo ICS CyberVision, a network monitoring and threat intelligence platform that protects Industrial Control Systems (ICS) and SCADA networks. The solution, which is made up of various sensors, central data visualization, and analytics software, provides analysis of industrial network communications, meaningful information about network assets, advanced anomaly detection, and real-time alerts.

Sentryo was founded in 2014 by two Arkoon Network Security alumni, Thierry Rouquet (CEO) and Laurent Hausermann (COO). The company collaborated with ET Digital, a digital innovation and entrepreneurial education organization, in 2014. In 2016, Sentryo raised two million euros ($2.36 million) from ACE Management and Rhône-Alpes Création in France.


KNOWLEDGE
HUB


UNDERSTANDING TRENDS
AND THE CYBERSECURITY
SKILLS GAP
By Amber Pedroncelli


EC-Council recently surveyed its pool of Certified CISOs to discover what is important to information security executives in four categories: hiring their teams, current and past employment, looking for a job, and career success.

First, the survey collected basic geographic and industry demographic data, which
is important to keep in mind when interpreting the results from other categories.
Represented in the survey were the following regions:

South America 5.6%

Europe 16.7%

Asia 16.7%

Middle East 16.8%

USA 38.9%

Africa 5.6%

As for industries represented in the survey, there was quite a diverse range:

Banking, finance, insurance 33.3%

Consultancy or business services 11.1%

Government, public service, military 22.2%

IT 11.1%

Manufacturing or construction 11.1%

Transportation, utility, telecommunication 11.1%


The last area of demographics collected was the CCISOs' current level within their companies:
What level is your current position?

C-Level, VP, SVP, etc. 23.5%

Consultant 29.4%

Director 35.3%

Manager 11.8%

The first section of questions dealt with how CCISOs hire new employees for their teams. This section was important because it highlights the challenges that managers, directors, and C-level executives have when it comes to filling their teams. EC-Council was interested in determining where these leaders are feeling the information security skills gap the most. The results point to some interesting conclusions.

First, the leaders were asked how many job openings on their teams they are currently looking to fill. Over 57% of them reported they had between 1 and 5 job openings currently available. Another 31% have over 5 job openings, with one survey respondent reporting 300 known jobs needing SOC analysts!

How many information security positions are you currently looking to fill with new hires?

Zero 5.3%

1 to 3 47.4%

3 to 5 10.5%

I don't make hiring decisions 5.3%

Over 5 31.6%

The next question asked how many jobs had already been filled in the current year, finding that most leaders had only
filled between 1 and 3 jobs.

How many information security positions have you filled in the last year?

Zero 6.3%

1 to 3 50.0%

3 to 5 6.3%

Over 5 37.5%


When asked which jobs are the hardest to fill with qualified candidates, the CCISOs reported a range of problem areas, with Security Analyst named most often: 31.3% of respondents pegged it as the most difficult position to fill.

What position is the most difficult to hire due to a lack of skilled candidates?

CISO, Director of Information Security, CSO 18.8%

Computer Forensics Investigator or Forensic Analyst 12.5%

Consultant 6.3%

Information Security Manager 6.3%

Penetration Tester 18.8%

Security Analyst 31.3%

Security Architect 6.3%

The next subsection of the survey dealt with what is most important to infosec leaders when deciding whom to hire. The results point to many different facets of a resume all being crucial to landing an information security job. The most important, however, is finding a good personality fit for the culture or the team, with 81.3% of CCISOs rating that quality as either extremely or very important. Limiting hires to people with specific personality traits can be troubling, as studies have shown managers tend to hire people with their own personality traits, leading to teams without diversity in point of view or other areas. Conversely, it's easy to understand why looking for a good fit for a team can lead to better cohesion. As long as hiring practices are fair and open-minded, hiring based on cultural fit can be a good option.

The next highest rated characteristic for a job-hopeful to have is experience that exactly matches the job, with 62.5% reporting this as either extremely or very important. Requiring experience that exactly matches the job has been flagged as problematic by industry experts over the years for the simple reason that it is difficult to gain experience in a particular role when all the jobs available for that role require previous experience exactly matching what the employee will be doing. This means that companies are trying to lure employees to make lateral moves with better salaries and benefits. No security leader has an endless budget, so it might make better fiscal sense to find new hires who show potential or whose previous roles and certifications make them good candidates to grow into new roles, for potentially smaller salaries.

However, it is easy to understand why leaders might want turnkey solutions to their problems. It takes time to train new employees, even those who have the exact experience needed for a new role. When an employee has to learn new skills as well as a new company, independence in their work will take significantly longer. This may point to an opportunity in the industry for education providers to offer customized solutions to help teams overcome this obstacle and hire for potential rather than for specific experience.

Other top finishers for candidate qualifications were relevant certifications and years of experience, each with 56.3% of respondents finding those qualities extremely or very important.

How important is experience that exactly matches the job in hiring decisions?

Extremely important 43.8%


Important 37.5%

Very important 18.8%

How important is personality fit with culture/team when making hiring decisions?

Extremely important 50.0%

Important 12.5%

Very important 31.3%

Somewhat important 6.3%

How important are Relevant industry certifications when making hiring decisions?

Extremely important 12.5%

Important 31.3%

Very important 43.8%


Somewhat important 12.5%

How important is years of experience when making hiring decisions?

Extremely important 12.5%

Important 18.8%

Very Important 43.8%

Somewhat Important 25.0%

The second main section of the survey dealt with the current and past employment and salaries of the leaders themselves.

When asked how long they had been in their current role, most respondents reported only 1-5 years of tenure at their current organization. This fits the common wisdom in the industry that CISOs tend to change jobs every 18 months. It was interesting, however, to see that over 23% of CCISOs have actually been in their jobs for over 10 years, showing the maturity of the information security market.

How long have you been in your current role?

Less than one year 11.8%

1 - 5 years 41.2%


Over 5 years 23.5%

Over 10 years 23.5%

The next question dealt with salaries. All salaries have been converted to US dollars for the sake of comparison. Very few CCISOs earn less than $75,000 per year, and the largest share make between $150,001 and $200,000. EC-Council expects salaries to grow for security leaders every year that it continues this survey.

In what range is your current salary in USD?

Less than $75,000 6.3%

$75,001 - $100,000 6.3%

$100,001 - $150,000 31.3%

$150,001 - $200,000 37.5%

Over $200,000 18.8%


The third section of the survey dealt with how CCISOs go about finding new jobs. Asking about a number of aspects of a new job, the survey found that CCISOs value the culture of an organization and the compensation package on offer, with 82.4% of respondents rating these things as extremely or very important. In second place was having an alignment in the vision for the security program with the organization, with 76.5% of CCISOs finding this extremely or very important. Coming in just behind alignment of security vision was the work/life balance offered by the organization, with 75% of the survey participants rating it as extremely or very important. The rest of the results can be found below:

When looking for a new job, how important is an adequate budget for the security program?
Important: 29.4%
Very important: 41.2%
Extremely important: 29.4%

When looking for a new job, how important is alignment in vision for security?
Important: 23.5%
Very important: 29.4%
Extremely important: 47.1%

When looking for a new job, how important is the culture of the organization?
Important: 17.6%
Very important: 35.3%
Extremely important: 47.1%

When looking for a new job, how important is the number of direct reports you will have?
Not at all important: 5.9%
Somewhat important: 23.5%
Important: 52.9%
Very important: 5.9%
Extremely important: 11.8%


When looking for a new job, how important is the prestige of the company/organization?
Not at all important: 6.3%
Somewhat important: 18.8%
Important: 25.0%
Very important: 18.8%
Extremely important: 31.3%

When looking for a new job, how important is compensation, including salary, signing bonus, stock options, etc.?
Important: 17.6%
Very important: 17.6%
Extremely important: 64.7%

When looking for a new job, how important is the title?
Somewhat important: 20.0%
Important: 20.0%
Very important: 46.7%
Extremely important: 13.3%

When looking for a new job, how important is to whom you will report (CIO, CEO, CFO, etc.)?
Somewhat important: 5.9%
Important: 23.5%
Very important: 35.3%
Extremely important: 35.3%


When looking for a new job, how important is work/life balance?
Somewhat important: 6.3%
Important: 18.8%
Very important: 43.8%
Extremely important: 31.3%

When looking for a new job, how important is the opportunity for advancement?
Not at all important: 10.5%
Somewhat important: 5.3%
Important: 26.3%
Very important: 31.6%
Extremely important: 26.3%

The final section of the survey asked CCISOs about the factors that contributed the most to their success. The overwhelming winner in this category was networking: 83.3% of respondents said that networking was very or extremely important to the success of their careers. With results like these, it is easy to understand why there are so many information security conferences around the world. Cultivating relationships, sharing information, and increasing their spheres of influence are all things that can be done at conferences. The second key to CCISOs' success is education, with 58.8% of respondents saying their college or university educations have been extremely or very important to their success. The rest of the categories can be found below:

How important has earning industry certifications been to the success of your career?
Not at all important: 27.8%
Somewhat important: 5.6%
Important: 27.8%
Very important: 27.8%
Extremely important: 11.1%


How important has college/university education been to the success of your career?
Not at all important: 17.6%
Somewhat important: 5.9%
Important: 17.6%
Very important: 35.3%
Extremely important: 23.5%

How important has effective networking been to the success of your career?
Not at all important: 5.6%
Important: 11.1%
Very important: 50.0%
Extremely important: 33.3%

How important have executive recruiting services been to the success of your career?
Not at all important: 23.5%
Somewhat important: 35.3%
Important: 23.5%
Very important: 11.8%
Extremely important: 5.9%

How important have executive recruiting services been to the success of your career?
Not at all important: 23.5%
Somewhat important: 17.6%
Important: 64.7%
Very important: 11.8%
Extremely important: 5.9%

How important has mentorship been to the success of your career?
Not at all important: 5.6%
Somewhat important: 22.2%
Important: 22.2%
Very important: 33.3%
Extremely important: 16.7%

CONCLUSION

The skill gap in the cybersecurity industry spans all levels, from CISOs to security analysts. It appears that the shortage of skilled professionals is not a problem that will be solved in the foreseeable future. Most CISOs have several job openings yet to be filled, and CISOs and the others involved in the recruiting process are looking for prospects with relevant certifications and experience. A major hurdle in the recruitment process is finding the right fit in culture, personality, and experience for the job.

Another key finding was that most infosec professionals were holding onto their seats for years, with several CCISOs serving in the same position for almost a decade. The reasons cited for this were work culture, pay scale, the organization's approach towards security, and work-life balance. For most infosec experts, networking is one of the key components of their success. Several respondents also felt mentorship and earning industry certifications were crucial for success.

COLLABORATIONS

INFOSEC PARTNERSHIPS

In an age where cyber threats are vast and frequent, and the business landscape is evolving, it is imperative for CISOs to take a strategic leadership role and adopt a collaborative and inclusive approach. An acquisition or a collaboration can serve several purposes for organizations, from propelling them into new markets to strengthening their critical IT infrastructure to sharing information for turning knowledge into action. These partnerships can be difficult, challenging, or chaotic events, but can shape the future growth of a business. In this segment, we take a look at some notable collaborations and acquisitions in the cybersecurity domain.

CISO MAG staff
SNAP ACQUIRES STRONG.CODES

Snap, the company behind Snapchat, has acquired Strong.Codes, a Swiss startup that specializes in creating software protection codes to make the process of replicating an app or program difficult. Snap's hiring of Laurent Balmelli, the co-founder and software engineer of Strong.Codes, triggered the acquisition. Most of the staff members at Strong.Codes followed Balmelli and joined Snap, leaving only a few employees in the company, which led to its closure. The remaining employees in Strong.Codes' former headquarters in Switzerland now work for Snap.

Snap had spent months in Europe looking for cryptography and cybersecurity experts, and the move to acquire Strong.Codes is seen as part of the company's strategy to expand into Europe. Snap's growth potential is currently limited by the dominant position of Facebook in the social media sector and the ability of Facebook to incorporate some of Snapchat's most popular features into its own stable of features. It is believed the acquisition of the Strong.Codes portfolio is an attempt to limit Facebook's ability to adapt popular Snapchat features, though it is not clear that Facebook is basing new features on Snapchat code.

BLACKSTONE GROUP TO BUY 40% STAKE IN ISRAELI FIRM NSO GROUP

According to reports, Blackstone Group is in the advanced stages of negotiations with Israeli cybersecurity firm NSO Group to acquire 40% of the company at an estimated value of $400 million. As a second buyer, Clearsky is expected to collaborate with Blackstone for 10% of the stocks, as reported by Israeli business newspaper Calcalist. None of the firms made any comment regarding the deal.

The Blackstone Group is a multinational company based in New York that specializes in private equity, credit, and hedge fund investment strategies.

The NSO Group, a maker of spyware for mobile devices, was founded in 2009 by Omri Lavie and Shalev Hulio, and is headquartered in Herzliya, Tel Aviv. The firm is known for the development of the Pegasus software, which targets mobile phones to gather information, and provides authorized governments with technology that helps them combat terror and crime.

Prior to the deal with Blackstone Group, private equity firm Francisco Partners owned a majority of the NSO Group stake. The new deal will see the holdings of Francisco Partners reduced to 40%, with Blackstone and Clearsky jointly also holding 40%. The owners will account for 6% each, while the 500 employees of the company will hold another 8%.

Recently, NSO Group caught the attention of the international community due to the alleged use of the Pegasus software by the Mexican government on the devices of opposition lawmakers and private citizens, including human rights lawyers and journalists. The Mexican government denied any such involvement, terming the allegations false rumors and calling for an investigation.

OPENTEXT TO ACQUIRE GUIDANCE SOFTWARE

In a recent announcement, Ontario-based content management company OpenText said it is all set to acquire Guidance Software as a fully owned subsidiary for an overall price of $240 million in a deal that is expected to close by the third quarter of this year. The shareholders of Guidance will be paid $7.10 a share, which translates to a total value of $18 million, making the final price just around $222 million. Guidance Software is a forensic security and eDiscovery vendor that has a customer base of 78 of the Fortune 100 companies. The acquisition will give OpenText complete access to the forensic and eDiscovery tools along with the rich customer base of Guidance Software, though some overlapping functionality is included in the package. OpenText had already closed another high-profile deal with overlapping functionality last year when it acquired enterprise content management firm Documentum from EMC for $1.62 billion.

Several other analysts from content management industry research firms expect to see more such acquisitions from OpenText in the coming months.

HPE PARTNERS WITH CYBERINC

Cyberinc has signed an original equipment manufacturer (OEM) partnership with Hewlett-Packard Enterprise in a move to promote and market its advanced web malware isolation system, Isla. The partnership will allow Cyberinc to leverage HPE's go-to-market infrastructure and supply chain to roll out Isla on a major scale.

Isla was developed to counter cybersecurity threats in a unique way. Unlike the commonly followed detect-and-respond approach, it uses isolation technology to keep all the content of a website outside the network perimeter, thus improving protection from malware-based threats.

Phillip Cutrone, vice president and general manager, Worldwide OEM, Data Center Infrastructure Group of HPE, acknowledged the importance of Isla technology in countering malware-based attacks. He said, "Partnerships like this enable both HPE and Cyberinc to utilize our strengths to deliver unique solutions that bring value to customers. Consistent global execution is one of the cornerstones of the HPE OEM Program. We provide the technology portfolio, supply chain and services that enable partners like Cyberinc to quickly scale their business so they can focus on and build upon their unique value."

SIMPLILEARN AND EC-COUNCIL PARTNER TO TRAIN TOMORROW'S CYBERSECURITY EXPERTS

Digital economy training company Simplilearn and cybersecurity leader EC-Council announced their partnership to bridge the growing skill gap in cybersecurity. Simplilearn will now offer the same EC-Council Certified Ethical Hacking course used by many of the U.S. Government's military and security agencies.

A report by Frost & Sullivan predicts that there will be a global shortage of 1.5 million cybersecurity professionals by 2020. In the U.S. alone, over 40,000 information security analyst jobs go unfilled every year, and employers are challenged to fill 200,000 other cybersecurity-related roles, according to the cybersecurity data tool CyberSeek. To bridge this shortage in skills, employers must not only increase their hiring of certified and skilled professionals for these lucrative and high-demand security jobs, but also train existing employees from within to meet these strategic goals.

The course is available through online self-learning as well as live virtual classrooms where individuals can learn from global instructors. This partnership further provides flexible training access to attend multiple live classes for all learners who enroll by August 31. EC-Council's in-depth training in cybersecurity is augmented by Simplilearn's learning model, which allows learners to access community forums, projects, teaching assistance, study plans, and reminders. Upon completing the courses, learners will be better prepared for IT security job roles across the industry.

FIREEYE INC. AND WATERFALL SECURITY SOLUTIONS PARTNER TO BOOST INDUSTRIAL CONTROL SYSTEMS

Israeli industrial cybersecurity firm Waterfall Security Solutions has announced a global partnership with California-based cybersecurity firm FireEye Inc. that will enable Waterfall to protect their Industrial Control Systems (ICS) using FireEye's cloud-based Helix service. The move will allow Waterfall to integrate its Unidirectional CloudConnect with FireEye's Threat Analytics Platform (TAP), drastically reducing any potential threat of remote cyberattacks to the ICS environment. Waterfall caters to customers from different industrial sectors, including power plants, nuclear plants, manufacturing plants, utilities, and the oil and gas sector across the Middle East, North America, Asia, and Europe. Waterfall is already accredited with global standards like NERC CIP, ANSSI, NEI, NRC, and IEC.

The integration of FireEye's TAP with Waterfall's Unidirectional facility will allow security teams and plant managers to monitor industrial networks on a real-time basis without interrupting the daily processes of the organization. Through the partnership, Waterfall also looks forward to bringing in new customers who had stayed away from using any cloud or IoT services due to their concern over external cyber risks.
