CISO MAG February 2018 PDF

This document is the February 2018 issue of CISO MAG. The cover story discusses the major cybersecurity events of 2017, including high-profile breaches at Equifax and Yahoo. While these breaches caused significant damage, they also prompted organizations and governments to strengthen cyber defenses and risk management. The issue also includes articles on cybercrime threats to the healthcare industry, interview with an Indian government advisor, and viewpoints on insider threats.


Volume 2 | Issue 1 | February 2018

CYBERSECURITY: THE PHOENIX SAGA

CISO MAG | February 2018

INDEX

06  BUZZ: Cybercrime: A Serious Health Hazard
14  TABLE TALK: Kelly Isikoff, Group Information Security Manager, RenaissanceRe
20  INDUSTRY SPEAKS: It's Time to Get Back to the Basics
24  COVER STORY: Cybersecurity: The Phoenix Saga
30  KNOWLEDGE HUB: Two Questions for Every Security Leader
36  UNDER THE SPOTLIGHT: J A Chowdary, Special Chief Secretary & IT Advisor to Chief Minister of Andhra Pradesh
44  VIEWPOINT: The Missing Link to Finding Insider Threats: HR
48  INSIGHT: Get Your Retaliation in First
56  COLLABORATIONS: Infosec Partnerships
62  IN THE NEWS: Top Stories from the Cybersecurity World
68  EVENT FOCUS: EC-Council's Event Calendar
74  IN THE HOTSEAT: High-Profile Appointments in the Cybersecurity World
78  KICKSTARTERS: Startups Making Waves in the Cybersecurity World

EDITORIAL

The year 2017 witnessed some of the most brutal cybersecurity meltdowns. The breaches were not always directed toward corporates; some were state-sponsored and did colossal damage to an inordinate number of Internet users. While Equifax and Yahoo stole the headlines with massive breaches, a number of cybersecurity facepalms, like Uber and Deloitte, didn't go unnoticed.

The year 2017 may have created mayhem for information security professionals, but it left them better prepared as well. Some organizations adopted a coordinated approach to cyber risk management and several nations spruced up their cyber divisions in the aftermath of the attacks. Our cover story "Cybersecurity: The Phoenix Saga" takes a look back at the brighter moments of 2017 and suggests that all is not lost.

Move to our Buzz section, where we discuss how cybercrime has jolted the pharma industry and become its biggest health hazard. The feature also suggests selective measures pharma companies can employ to safeguard themselves against intellectual property theft.

In our Under the Spotlight section, we have JA Chowdary, Special Chief Secretary & IT Advisor to the Chief Minister of the Indian state of Andhra Pradesh. He discusses his vision for Fintech Valley in Vizag, Andhra Pradesh, and his efforts for continued development of the Fintech ecosystem in India.

We also interviewed Kelly Isikoff of RenaissanceRe, where she discusses cybersecurity practices in the insurance sector, women representation in the cyber world, and much more.

Tell us what you think of this issue. If you have any suggestions, comments, or queries, please reach us at editorial@cisomag.com.

Jay Bavisi
Editor-in-Chief

MASTHEAD

Editorial
International Editor: Amber Pedroncelli (amber.pedroncelli@eccouncil.org)
Senior Editor: Rahul Arora (rahul.arora@eccouncil.org)
Feature Writer: Nishtha Pathak (nishtha.p@eccouncil.org)
Feature Writer: Augustin Kurian (augustin.k@eccouncil.org)

Media and Design
Media Director: Saba Mohammad (saba.mohammad@eccouncil.org)
Design Head and Visualizer: MSH Rabbani (rabbani@eccouncil.org)
Designer: Jeevana Rao Jinaga (jeevana.j@eccouncil.org)

Management
Executive Director: Apoorba Kumar* (apoorba@eccouncil.org)
Senior Director, Compliance & Governance: Cherylann Vanderhide (cherylann@eccouncil.org)

Marketing & Sales
General Manager: Meghana Vyas (meghana.vyas@eccouncil.org)
Marketing Manager: Pooja Saga (pooja.saga@eccouncil.org)
Sales Manager - India: Basant Das (basant.das@eccouncil.org)
Sales Manager - North America: Jessica Johnson (jessica.johnson@eccouncil.org)

Technology
Director of Technology: Raj Kumar Vishwakarma (rajkumar@eccouncil.org)

* Responsible for selection of news under PRB Act. Printed & Published by Apoorba Kumar, E-Commerce Consultants Pvt. Ltd., Editor: Rahul Arora.
The publishers regret that they cannot accept liability for errors & omissions contained in this publication, howsoever caused. The opinion & views contained in this publication are not necessarily those of the publisher. Readers are advised to seek specialist advice before acting on the information contained in the publication which is provided for general use & may not be appropriate for the readers' particular circumstances. The ownership of trade marks is acknowledged. No part of this publication or any part of the contents thereof may be reproduced, stored in a retrieval system, or transmitted in any form without the permission of the publishers in writing.
BUZZ

CYBERCRIME: A SERIOUS HEALTH HAZARD
Augustin Kurian

The pharma industry has always been in a tight spot. Keeping up with medical advancements and staying revolutionary in the space are just a couple of the many challenges it faces. There is only one constant: the challenges and threats the industry has faced for decades. With technological innovation, cybercrime has joined this legion of threats to the healthcare technology industry. In fact, a 2015 survey by Crown Records Management revealed that two-thirds of pharma firms had faced data breaches, with one-fourth of these firms reporting they were victims of cyber attacks. In late October 2016, Northern Lincolnshire and Goole NHS Foundation Trust in the United Kingdom was targeted by a malware attack. Several operations scheduled for that day had to be cancelled, and some trauma patients were redirected to a different location. The United States fared no better, reporting an 18.5 percent increase in attacks on the pharma sector in 2016 compared to the previous year.

This culminated in May 2017 when the WannaCry attack crippled the UK's National Health Service along with several other companies and establishments. Hospitals and GP surgeries in England and Scotland were among the worst hit. Hospital staff were forced to resort to pen and paper, and to their own cell phones, because the attack affected key systems, including telephones. Operations, surgeries, and several appointments had to be cancelled after the malware scrambled data networks. The only wing functioning at affected hospitals was emergency medical care. The crypto-worm targeted Windows computers using the EternalBlue exploit, which abuses a flaw in Windows' Server Message Block version 1 (SMBv1) protocol that Microsoft had patched two months earlier as MS17-010, and installed the DoublePulsar kernel backdoor implant. Through that implant, the worm transferred and ran the WannaCry ransomware package, which in turn encrypted data and demanded a ransom from victims in Bitcoin. The attack is among the most infamous ransomware attacks ever, affecting more than 150 countries and 230,000 computers.

WHY THE PHARMA INDUSTRY?

The WannaCry attack was a reality check for several pharmaceutical organizations. Following the incident, the industry saw the attack as a harbinger of several other major attacks it was poised to face. This was followed by the ECRI Institute announcing its "Top 10 Health Technology Hazards for 2018" list, which ranked cybersecurity as the number one threat to healthcare technology.

"This year's No. 1 hazard calls attention to the patient safety component of ransomware and other cybersecurity threats. In the healthcare environment, these ransomware and other types of malware attacks are more than just an IT nightmare. They are potential patient safety crises that can disrupt healthcare delivery operations, placing patients at risk. Multiple ransomware and other malware variants have infected healthcare organizations, as well as other private and public organizations, throughout the world," ECRI stated.

"Patient safety is on everyone's mind, but technology safety sometimes gets left behind," added David T. Jamison, Executive Director of the Health Devices Group, ECRI Institute.

Simply put, healthcare records are valuable on the Dark Web, which is where black market drug sales occur most often. Pharmaceutical firms create and manage a large amount of intellectual property and data, which can include patient profiles and drugs that are currently in the development cycle (or are already developed). The research and development of these drugs is already cost-intensive for these companies, which makes holding that data for ransom so easy to do. Sometimes, even hacktivists come into the picture, as many of the drugs are quite expensive: hackers attempt to access proprietary information and disclose data that the firms usually keep confidential.

Pharma firms are also targeted for geopolitical reasons. Most of these companies are based outside of the U.S., making them a favorite of state-sponsored actors and extremist groups. According to a study by Deloitte titled "Cyber & Insider Risk at a Glance: The Pharmaceutical Industry":

"Evidence abounds that pharmaceutical companies are the target of sophisticated Internet criminals. The UK Government identified pharmaceutical companies as the primary target of cyber criminals bent on stealing IP. It estimated cyber-theft of IP cost the UK £9.2b, of which it attributed £1.8b to theft of pharmaceutical, biotechnology, and healthcare IP. Surveys of U.S. cyber attacks consistently find that pharmaceutical IP is a major target of sophisticated cyber gangs. Experts suggest China is using cyber-espionage to support its 5-year economic development plan. That plan includes expanding China's chemical and pharmaceutical sector. Attacks against major U.S. pharmaceutical companies attributed to sophisticated Chinese hacking groups include Boston Scientific (a medical device-maker), Abbott Laboratories, and Wyeth, the drug maker acquired by Pfizer Inc. The same group successfully hacked the Food & Drug Administration's computer center in Maryland, exposing sensitive data (including formulas and trial data) for virtually all drugs sold in the U.S."
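The WannaCry chain described above turns on one fact a defender can check directly: EternalBlue only works against hosts that still speak SMBv1. The block below is an added example by the editor, not code from the magazine or from any organization it names. It parses the opening Negotiate Protocol request of an SMB session (NetBIOS session header plus SMB header) and reports whether the client offered the legacy SMBv1 dialects that the vulnerable server code handles, or negotiated SMB2/3. The sample messages are constructed inline for the example, and the helper names (strip_netbios, parse_smb1_negotiate_dialects, classify_negotiate, build_smb1_negotiate) are this example's own.

```python
"""Flag SMBv1 dialect negotiation in captured SMB traffic.

WannaCry's EternalBlue exploit only works against SMBv1 (MS17-010), so a
client that still offers the old dialects in its Negotiate Protocol request
is attack surface worth knowing about. The sample messages at the bottom
are constructed by hand for this example; they are not captured traffic.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72

# Dialect strings a legacy client offers. EternalBlue targets the SMBv1
# server code reached through "NT LM 0.12" (a.k.a. NT1). Note that modern
# Windows clients also send an SMB1-framed negotiate that offers only
# "SMB 2.002" / "SMB 2.???", so the SMB1 framing alone is not the signal;
# the legacy dialect list is.
LEGACY_DIALECTS = {b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"LM1.2X002",
                   b"NT LANMAN 1.0", b"NT LM 0.12"}


def strip_netbios(data):
    """Remove the 4-byte NetBIOS Session Service header (type + 24-bit length)."""
    if len(data) < 4 or data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(data[1:4], "big")
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated NetBIOS message")
    return body


def parse_smb1_negotiate_dialects(smb):
    """Return dialect strings from an SMB_COM_NEGOTIATE request (SMBv1).

    The SMBv1 header is 32 bytes; the negotiate body is WordCount (1 byte),
    ByteCount (2 bytes LE), then repeated [0x02 BufferFormat][NUL-terminated dialect].
    """
    if len(smb) < 35 or smb[:4] != SMB1_MAGIC:
        raise ValueError("not an SMBv1 message")
    command = smb[4]
    if command != SMB_COM_NEGOTIATE:
        raise ValueError("not a negotiate request: command 0x%02x" % command)
    word_count = smb[32]
    offset = 33 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", smb, offset)
    offset += 2
    end = offset + byte_count
    if end > len(smb):
        raise ValueError("ByteCount runs past end of message")
    dialects = []
    while offset < end:
        if smb[offset] != 0x02:
            raise ValueError("bad BufferFormat at offset %d" % offset)
        nul = smb.index(b"\x00", offset + 1, end)  # ValueError if unterminated
        dialects.append(smb[offset + 1:nul])
        offset = nul + 1
    return dialects


def classify_negotiate(raw):
    """Return (framing, legacy_dialects_offered) for one captured negotiate message."""
    smb = strip_netbios(raw)
    if smb[:4] == SMB2_MAGIC:
        # SMB2/3 clients negotiate with 16-bit dialect codes (0x0202, 0x0210,
        # 0x0300, 0x0302, 0x0311); none of those reaches the vulnerable code.
        return "SMB2", []
    dialects = parse_smb1_negotiate_dialects(smb)
    return "SMB1", sorted(d for d in dialects if d in LEGACY_DIALECTS)


def build_smb1_negotiate(dialects):
    """Construct an SMBv1 negotiate request (used here only to make sample input)."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27  # 32 bytes total
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body  # WordCount=0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed sample "captures": one legacy client, one SMB2-direct client.
LEGACY_CLIENT = build_smb1_negotiate([b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"])
SMB2_CLIENT = b"\x00" + (64).to_bytes(3, "big") + SMB2_MAGIC + b"\x00" * 60

if __name__ == "__main__":
    for name, pkt in (("legacy", LEGACY_CLIENT), ("modern", SMB2_CLIENT)):
        framing, legacy = classify_negotiate(pkt)
        print(name, framing, [d.decode() for d in legacy])
```

Run it over payloads extracted from a capture of TCP/445 traffic to find clients that still offer legacy dialects before an attacker does; on the hosts themselves the corresponding fix is to apply MS17-010 and disable the SMBv1 feature, which is what the NHS trusts hit in May 2017 had not done.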


REGULATORY GLITCHES IN PHARMA CYBERSECURITY

Anne Petterd, Principal of Baker McKenzie Wong & Leow, in an interview with Health Care Innovation explained: "In terms of data sovereignty, where a jurisdiction places restrictions on taking data beyond its borders, healthcare data is an issue which comes up frequently when parties are trying to negotiate free trade agreements. There's a notion that if the data is within the country, it may be more accessible to those who need it, be it the patients or the healthcare providers. There's also the notion among regulators that if the data is within the country, it may be more secure. However, if you speak to the cloud providers, particularly those who spend a lot of time investing in security for their products, this may be one of the main issues that they want to discuss with regulators as to whether that is really true. Companies may want to deliver services from one central location for efficiencies across borders, and with that comes savings in terms of time and storage of data, especially when it comes to big data analytics. This is an issue that healthcare companies may feel is constraining them with what they want to do in the region."

She continued: "It's a constant balancing that regulators need to do. Even if a law has been passed that strikes the perfect balance, something might change the next day which means the system is no longer in balance."

She also highlighted that following the WannaCry incident, "The UK government conducted several audits and reviews. One of the recommendations on striking the right balance suggests giving patients more control and choice over who their electronic records can be shared with."

WHAT CAN BE DONE?

The pharma industry has possibly the world's largest research and development sector. It is the duty of CISOs and CIOs to make sure that customer data, intellectual property, and every other valuable asset are protected; more importantly, companies must have a cybersecurity department at their disposal. Cybersecurity must originate from the foundation of the company and be performed in tandem with the lifecycle of the firm. It must never be an afterthought.

The attackers are evolving, and keeping pace with them is of paramount importance. According to New Hampshire-based Elliot Health System's Chief Information Security Officer Andrew Seward, "You can set the conditions for success." Seward offered this advice in an interview with Healthcare IT News. "You can't know everything, but you can never go wrong with hiring the right people and building a condition of trust."

He continued, "It takes forward-thinking individuals who can see the risk and determine security is a business risk. When you're doing futureproofing, you have to determine how much is enough to manage security, and then how much security is enough."




TABLE TALK

FEW MINUTES WITH KELLY ISIKOFF
Group Information Security Manager, RenaissanceRe
Rahul Arora

An industry veteran with more than two decades of experience, Kelly Isikoff joined
RenaissanceRe in 2016 with global responsibility for directing strategy, operations,
and budget for the protection of information assets.
Before joining RenaissanceRe, Isikoff was an Executive Director for JP Morgan Asset
Management, where she was responsible for setting security strategy and policies
as well as managing operational security departments. Prior to her time with JP
Morgan, she was a Senior Vice President for Citigroup and managed infrastructure,
data management and security across departments. Previously, she has also worked
at Warner Music Group, where she led security and new media initiatives to identify
innovative revenue channels within technology.
In an exclusive interview with CISO MAG, she discusses cybersecurity practices in
the insurance sector, women representation in the cyber world, and much more.

Please tell us about your role and responsibilities in RenaissanceRe.

I am the head of information security for the global organization. I also manage all of the strategies and programs that will help us maintain our compounds across most of the regions. I also manage the additional groups that feed into security and have a role to support overall defenses. So that being said, a smaller organization, unlike the larger organizations I worked with in the past, is using different types of managed security service providers for different capabilities to achieve the same level of security. So my role is to transform the organization and manage a lot of the overall security program and help it to maintain compliance and achieve compliance with pretty big regulations that are coming up and hitting a lot of other financial firms and worldwide global firms. It looks like a lot of the states within the U.S. have started to fall in line with the same cyber regulations that we have in New York. It seems like every country around the world is starting to uplift their cyber regulations, so making sure that we get things right and follow a standard process and framework is the key to making sure that we don't have to continue to go through our compliance checklist with each one of these different countries, states, and jurisdictions.

Cyber attacks in the insurance sector are growing exponentially, as companies are migrating toward digital channels in an effort to create tighter customer relationships. What is RenaissanceRe doing to keep the hackers away?

I mean there's not one practice that we follow. We have a lot of partners that we work with and a lot of vendors that we manage, and that (third party security management) is a big issue for a lot of companies, not just a company of our size. There are a lot of new companies that are entering the space and provide you assessment services. Unfortunately, some of them are less robust than others. So, third party security is a big issue and we are receiving more and more requests from clients for much more exhaustive security reviews of our controls, and a lot of my time is dedicated to calls with our investor group and different types of business clients to go over our security program with them and then go over their security program with us. So, there's a lot of vetting of partner security that's happening across the industry.

As you said, you are actually working with a lot of third parties and partners. What do you do to keep the data transfer absolutely secure?

Well, we follow different frameworks. Our strategy focuses on a cybersecurity framework which is really flexible across the industries and really simple to follow, and we also follow the top 20 critical security controls, which were developed from a lot of industry practice within the community. So, that's our strategy and that's how we set our programs for the year.

How important is cybersecurity education or training for employees in keeping cyber threats at bay?

Security awareness training is very important to us. We have continuous programs as well as digital annual trainings and certifications. Also, there are company meetings on key security risks to the organization. Security is everyone's responsibility, not just one department's. As far as protecting ourselves against a cyber threat, we have a lot of controls on data access on a need-to-know basis. We really have a strong program around building out our access control of critical data in critical systems.

What is your take on cyber insurance?

We're really seeing an evolution of cyber as a specific product to cyber as a peril which can influence multiple insurance products. Most insurance products today focus on credit monitoring and notification cost, and these costs are often required by a regulation. So we see a potential growth for risk managers as they assess a cyber risk for their business and start to work more with their insurers and reinsurers on a way to assess, monitor and mitigate risks. This could include a broader cover for system failure and interruptions, for example.

Do you think cyber insurance is keeping pace with cyber-exposure?

Definitely, I know that a lot of large finance institutions are increasing their coverage through larger cyber offerings, and a lot of other multiple insurance products are starting to develop cyber policies within it. So, we're seeing more aesthetic cyber policies into multiple insurance clients.

The representation of women in cybersecurity has remained stagnant at 11 percent for the past four years, according to a report. This is despite growing awareness of cybersecurity and expanding career options. Most of the time, the reasons cited are the lack of women role models and the impression the industry carries. What can be done to break the gender stereotype so that women, even in their teens, are inclined to join the cybersecurity space?

Well, you're right! There's definitely a skill gap and I do feel like a minority in my profession. I think some of the things we can do is promote cybersecurity across universities to encourage young women, because it is a really dynamic and interesting field that's constantly changing. It's not something for programmers or people who like technology. It is much more diverse than that. You need to have an investigative type of mindset, you need to look at a lot of different ways that your systems, your information, your business can be compromised, and have the ability to work with business to understand your risk, so you can protect against them. It's really important for me to mentor young women who are interested and moving into security.

According to you, is there anything that the CISOs are doing wrong at a time when the threats are evolving with each passing day?

What we really need to learn from recent attacks is that CISOs need to understand the full scope of security. It's not just the infrastructure perimeter anymore. It's also about application, user behaviour, and other things. They need to know the overall threats that are targeting your organization. You need to follow the cybersecurity framework, employing it for your environment and understanding your risk level. Say, if you're managing a company that has a lot of Web exposure, you really have to up your application security program. Overall, understanding the risk level of your organization and speaking closely with the business leaders to comprehend the key risks and how you mitigate those risks and build a depth of control around those risks. That's what I would recommend to the CISOs or new CISOs entering into that space, because that's where I've seen a lot of CISOs who failed.

What advice would you give to a budding information security professional?

There are so many different areas within security to grow into. So, getting a broader in-depth knowledge of various kinds of security domains and understanding the different domains and skills you'd be doing in each area. Basically, understanding what might interest you! That's what I would recommend to anyone who's getting into security, because there are so many different specialties within security. It wasn't like that when I got into security. I worked between infrastructure and application groups, managing the security process domain. There weren't many specializations then, whereas now there are so many specializations and with that there are many opportunities to learn and develop unique skills that make you even more valuable in the marketplace.


INDUSTRY SPEAKS

IT'S TIME TO GET BACK TO THE BASICS
Chris Roberts
Chief Security Architect, Acalvio Technologies

So, the CISO MAG staff and I were talking about an end-of-year article that might get people reflecting on 2017 AND concentrating on 2018. The prediction thing is too fuzzy and I have an aversion to crystal balls, the financial thing is pretty much sorted (everyone got their 2018 budgets locked and loaded? More blinky lights for everyone, right?), and if I hear again that AI or ML is going to solve everything, I will be whipping up another batch of Molotov cocktails to distribute. So, we decided to go back to basics.

The human, the poor sap we sit between the chair and the keyboard, is the one we expect to defend against people like me on a daily basis. We ask them to do this all the while juggling their regular jobs on systems that are either ancient or changing every 5 minutes with that annoying call of "where's my damn icon NOW?" ringing out across the office. We ask them to defend our companies after we take them for one hour each year and sit in a room with a geek who simply tells them to "Please don't click sh*t, please don't send sh*t, and please stop using P@ssw0rd1 as your Facebook, bank, AND company log in." That's one whole hour, once a year, and you then expect them to remember that for the remaining 2,086 work hours in the year (I'm now waiting for someone to tell me it's 2,080 and I'll point out leap years and calendar fluctuations. Trust me, HR folks need advanced degrees in quantum math to work out holidays and work periods!)

Here's another thing you're probably not paying enough attention to: those servers. Yes, you know the ones, the ones sitting in the remote office, or the warehouse (yeah, you thought I forgot about those, didn't you). They're sitting on the same network segment as the rest of the organization, aren't they? The users, servers, printers, doors, AD, and probably even the IoT office-dog's bowl are all sitting on the same network. Just because it's easy, just because you don't know how DHCP or VLANs work, doesn't excuse you from putting some simple separation, segmentation, or other controls in place. Oh, also back to those Windows XP servers in the warehouse: just because the vendor or supplier is too lazy to upgrade them doesn't excuse you from taking adequate protection to reduce the risks accordingly.

And another thing. Recently, we were on an IR engagement and the
attackers hit at 22:30 on a Friday night. They were done and out with "job done" left all over the screens 3 hours later (NOT the normal 12 hours AVERAGE it takes to get in and get out without being detected). It took them 3 hours and nobody was watching the logs until 0800 MONDAY morning. Get some logging in place, get someone to watch them 24x7, and pony up the minimal money it costs to have some peace of mind!

Don't forget about the computers themselves. You've given each employee a new, shiny computer and you've entrusted them (you fool) with all your data. You're left praying that the sales guys don't trade their laptop for a round of drinks at the next client appreciation golf outing. Why? Because you didn't bloody encrypt them! Seriously, it's free, it's simple, easy, secure, and can be locally or centrally managed. Just do it! That way, the next time you lose the security plans for a major airport or government, you won't be on the 9 o'clock news!

You have lost the battle for the perimeter; accept that and you might be able to focus accordingly. Look at the simple fact that in essence "computer number 1" has been compromised and work accordingly. The concept of predictive, proactive, deceptive technologies should not be alien to you. Neither should you buy next year's purple blinky light F/W and expect it to do anything more than this year's did, EVEN if it has UBA or "Next Gen" or "AI/ML" on it. You have the basic tools; now it's time to elevate them with something OTHER than the same sh*t that hasn't secured you for the last "x" years.

Your presence on the Internets, all of the Internets, the open, dark, and deep – what do you know about yourself that might be out there, what do others know that is out there, and more importantly, what are your users, vendors, suppliers, partners, and trusted resources putting out there about you? Learn what's outside of your four walls and it might help you to focus better on how to protect what's inside them.

Oy vey, physical security still gets overlooked. The systems that are in place can still be bypassed (in many cases) with a fake business card (Sprint/AT&T, Cable Company), an official looking folder, and a box that looks like an Internets upgrade. Failing that, we're going to go in via your shipping entrance, your vendor (HVAC, water, etc.), or some other way that gets us into your facility. When we get in, we'll find your surveillance is probably on the LAN and if it's working, nobody's watching it. It's still too easy, too simple to walk far enough into many facilities (not always the main office! Got to love satellite offices or warehouses on the LAN) and simply park yourself in their offices and let loose the dogs of war (or a scanner – both are equally effective). Fix the physical and you'll be amazed at the uptake in people caring about how they look after "their" company.

Ok, now on to communications. Let's NOT be another Uber. Sh*t happens – acknowledge it, learn from it, and move on. Humans can be forgiving if you ask for forgiveness, are contrite, accept the blame, and actually do better in the future. How do you avoid becoming another Uber? Communicate across the ranges – the basics of communication are fundamental to our understanding of our environments. Talk with people regularly, explain why decisions around security and integrity are being made, educate them as to the logic for protecting the organization, and help them implement the same protections at home and with their own family. Communication is free and it's a troublingly underutilized tool!

A good friend of mine (F1nux) has a somewhat amazing yet grounded-in-reality statistic. He talks about the number of accounts that are already breached in global organizations at any one point in time and it's ridiculous how many there are. It's more than you'd think, and it's right here, right now. If we can't keep control of our credentials, what hope do we have of keeping control of our data?

Embrace the distributed workforce and their desire to connect into the mother ship, and then make sure you throw the public facing RDP server off the bloody roof. All your SQL, MySQL, Oracle, NoSQL and other types of databases that are sitting on the Internets belong to us. This has nothing to do with patching (you are already underwater on that and running round trying to patch things every day of the week isn't going to work). This is back to the fundamentals: certain things should NOT be on the Internets! There's no excuse, there's no way of lying your way out of this one, VPNs are free, easy to implement, and simple to integrate: get the low hanging fruit OFF the firing line!

Lastly, the employees, those folks you continue to overlook: we started with them, so it's fitting that we close with them. Let's look at a couple of things that you do wrong:

1. You trust them! Why on this great green planet do you do that? You are not nice to them yet you expect them to be loyal and look after your assets, and then you are surprised when they turn against you and you have to call us in on the forensics to see what the heck happened and why they dropped all your dirty secrets out to WikiLeaks.
2. You don't train them and then wonder why they email all your PII/PHI/EHR all over the place?
3. You don't give them any incentives to help secure not only YOU (the company) but also their own families and friends, and you still trust them with everything and are surprised when they turn on you.

Good grief, look in a mirror and realize YOU, the capitalist corporation, are the problem. WE ARE NOT A NUMBER, OR A STATISTIC, we are HUMANS. Treat us as such, please.

So, in closing, when 2018 comes for us (or 5775 for those of you currently in a different set of thought processes) and the vendors line you up in their sights for golfing, fishing, dinner, and other events to woo you into buying the next NGFW, UBA, purple-blinky light POS, please, for all those of us out there fighting the good fight, take a step back, evaluate how that technology will fix the very basics that are crippling your organization (probably without you knowing it), put down the fork or golf club, say NO THANK YOU and spend the time, effort, and money on fixing some of the things I've covered above. I promise you, if you miss your vendor steak, come to Colorado and I'll buy you one. I live on a golf course so you can go catch that one missed game, and your enterprise will thank you a lot more for simply doing the basic things you need to do to protect them and their assets.
The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

COVER STORY

CYBERSECURITY: THE PHOENIX SAGA
Augustin Kurian

2017 may have been one of the worst years for the cybersecurity industry. Time after time, day after day, news of cyber incidents consistently made headlines in major publications across the world. Every kind of cyber incident––from breaches, to ransom campaigns, to DDoS attacks, to hacktivism––seems to have taken place during the year. A Norton survey revealed that nearly 978 million people in 20 countries were affected by cybercrime in 2017; 44 percent of consumers were impacted by cybercrime in the last 12 months. All the incidents highlighted major vulnerabilities within systems and unpreparedness among organizations, leading to the damaged reputations of several companies. A study by Bitdefender found that ransomware payments hit $2 billion in 2017, which is twice
as much as the year before. It was also the year when tools used by government hackers went public––and when hackers figured out that the best way to target companies was to resort to malware stashed by the government.

So, here is a quick rundown: Shadow Brokers breached the National Security Agency (NSA), leading to the release of a global ransomware campaign, WannaCry, which affected more than 150 countries and 230,000 computers globally. Equifax reported one of the biggest breaches in history, during which hackers infiltrated the website and stole the personal data of nearly 145 million people, including social security numbers. Around June, a virus called NotPetya hit Ukrainian businesses using compromised tax software. On October 24, 2017, Ukraine, Russia, Japan, and Bulgaria were hit by a wave of cyber attacks by a malware dubbed as “BadRabbit” and prompted the Ukrainian (state-run) Computer Emergency Response Team (CERT) to ask transport networks to be on alert. There were several other high-profile incidents, but these were the most notable ones.

There’s more to come. However, there is some evidence that we are better prepared than ever before.

“In 2017, cyber attackers created havoc through a range of levers, from phishing attacks that influenced political campaigns to ransomware crypto worms that infiltrated operating systems on a global scale. With the growth of the Internet of Things (IoT), we have also witnessed a proliferation of distributed denial-of-service (DDoS) attacks on IoT devices, crippling the device’s functionality,” said Jason J. Hogg, CEO, Aon Cyber Solutions, in a statement. “In 2018, we anticipate heightened cyber exposure due to a convergence of three trends: first, companies’ increasing reliance on technology; second, regulators’ intensified focus on protecting consumer data; and third, the rising value of non-physical assets. Heightened exposure will require an integrated cybersecurity approach to both business culture and risk management frameworks. Leaders must adopt a coordinated, C-suite driven approach to cyber risk management, enabling them to better assess and mitigate risk across all enterprise functions.”

Several nations and organizations began sprucing up their cyber divisions in the aftermath of the attacks. For example, the United Kingdom government pledged £21 million to boost the cybersecurity of the National Health Service. The announcement was made in the wake of the WannaCry cyber-attack that crippled the sector.

“Careful consideration of how to secure your legacy business systems, what, if any, network security appliances are needed, and which lower-cost solutions can be implemented will give management a better idea of what their needs are in terms of a cybersecurity budget,” according to Crowe Horwath, one of the largest public accounting, consulting, and technology firms. “Once these needs are mapped into the organization’s long-term plan, the available capital can be allocated for new development. When the budget for new projects is combined with the budget for ongoing maintenance and monitoring requirements, an organization will be able to determine its annual budget for both people and money.”

China took major steps forward with the implementation of the China Cyber Law, which imposed strict requirements on data storage and scrutiny. The U.S. Senate imposed the IoT Cybersecurity Improvement Act, which states that smart devices need to meet basic standards if they are to be used by federal agencies. The Ukraine President Petro Poroshenko signed a law that “creates the foundations of a national system of cybersecurity as a combination of political, social, economic, and information relations, along with organizational, administrative, and technical and technological measures of the public and private sectors and civil society.”

A proposed cybersecurity bill in the Malaysian parliament seeks to regulate not only current cybercrimes, but also lays the groundwork to deal with coming threats. Even the government of Ghana is mulling over establishing a national cybersecurity center to safeguard the nation against cybercrime. The government of India will introduce multiple checkpoints to ensure that equipment imported for the domestic power distribution sector is not vulnerable to cyber attacks.

Aon Cyber Solutions, a provider of risk advice and insurance solutions, announced its predictions for 2018 and pointed out that “increasing scale and impact of cyber attacks, coupled with companies having to accept more liability and accountability over cyber attacks,
will lead to significant changes in the corporate landscape.”

According to Aon, adoption of standalone cyber insurance policies “will spread beyond traditional buyers of cyber insurance, such as retail, financial, and healthcare sectors, to others vulnerable to cyber-related business disruption, including manufacturing, transportation, utility, and oil and gas.”

According to a Forbes report, “Half of all security budgets for IoT will go to fault remediation, recalls and safety failures rather than protection through 2022.”

For this very reason, the coming years would make cybersecurity a hot job opportunity, with tech companies indulging in a fastidious talent-hunting spree. The hiring in this space is only going to escalate. There would be a key focus on IoT security due to its explosive penetration. Newer curriculums are being introduced, and cybersecurity education is being considered at an early age. Towson University and the Maryland National Guard recently signed an agreement to collaborate on several activities, which included cybersecurity training for students and guardsmen. The need for K-12 students to learn the basics of network security, cryptography, and cyber ethics was one of the key topics addressed in the National Initiative for Cybersecurity Education (NICE) conference in November. According to the speakers at the event, one of the best ways for young students to engage with cybersecurity is to solve real-world problems.

“In the coming years, we will see an expansion of cybersecurity content across the curriculum as all students represent entry points into the broadly defined cybersecurity workforce,” said Diana Burley, a professor at George Washington University (2014 Cybersecurity Educator of the Year recipient) in an interview with Monster.com. “Continuous professional development is critical in the field of cybersecurity because the nature of the threat continuously evolves. Many options exist for current professionals to augment their skill set; including certificates from technical training companies, additional degrees through university study, or standalone, hands-on courses to develop specific skills. The right decision depends on specific knowledge or skill required. There are no one-size-fits-all.”

Also, with the GDPR due for rollout this year, several nations will be imposing stricter laws and heavier fines for organizations not taking security seriously.

“In our experience, many organizations that are located outside Europe, but have a global employee and customer base, remain behind the curve in assessing the risks and opportunities of GDPR [...] With massive fines and requirements for notification that will push more breaches into the public eye, GDPR promises to make data privacy a potential public relations challenge. With proposed penalties for falling short of compliance––including fines of up to four percent of total worldwide annual turnover––these potentially staggering numbers have a purpose: to put privacy and data security on the boardroom agenda by bringing it in line with the highest sanctions for regulatory noncompliance––such as anti-bribery and anti-trust laws,” said Raymond Teo, Senior Vice President, Business Development, APAC, NTT Security, in his column with CISO MAG.

According to the Norton Trends Report, despite this year’s cyber attacks, consumers continue to trust the institutions that manage their data and personal information; however, only 41 percent of consumers globally lost trust in their government to manage their data and personal information.

As the cyber world and the physical world are colliding, CISOs and CIOs are more important than ever because they serve as a bridge between the two. As for cybersecurity, it’s possible the worst is behind us. However, in an industry as volatile as ours, it’s very hard to predict. Much progress has been made, but there is still much to do. The work is not over. And for the ones that have suffered in the past, it is time they rise above the ashes and retell the Phoenix saga.

KNOWLEDGE HUB

TWO QUESTIONS FOR EVERY SECURITY LEADER
Richard Seiersen
SVP & Chief Information Security Officer, LendingClub

The actual science of logic is conversant at present only with things either certain, or impossible, or entirely doubtful, none of which (fortunately) we have to reason on. Therefore, the true logic for this world is the Calculus of Probabilities, which takes account of the magnitude of the probability which is, or ought to be, in a reasonable man’s mind.
—James Clerk Maxwell

There are two basic questions I ask myself, my teams, and security folks at large. First, “How do I know I have the right security capabilities?” and second, “What would I see occurring that would let me know my capabilities are improving?” I might add to that last one, “... while the business scales?”

DO I HAVE THE RIGHT SECURITY CAPABILITIES?

My co-author Doug Hubbard and I provide a detailed answer for the first question in our book, How to Measure Anything in Cybersecurity Risk (Wiley 2016)[1]. Measurement experts such as scientists, actuaries, mathematicians, statisticians, some engineers, and data scientists will find our approach familiar. Especially actuaries because the green book (as we affectionately call it) will become required reading for The Society of Actuaries exam prep from 2018 onward.

These experts would most certainly take a quantitative approach to my first question. Their tactics are grounded in the logic of uncertainty aka probability theory. Please don’t be scared off by that “mathy” turn of phrase. You just need to know that probability theory simply counts up all the ways an event can happen and puts more weight on those possibilities that are most plausible. It’s a centuries old shortcut born out of laziness, boredom, and the desire to beat the house.

TRUTH IS NOT THE GOAL, BETTER IS

Adopting a probabilistic approach means not looking for the “perfectly correct” answer to intangible questions like “do I have the right capabilities?” You want the most plausible answer(s) given your current state of uncertainty. This means being resourceful with what little empirical data you have. And if you lack empirical data you may be left with modeling your subject matter experts’ beliefs. You likely paid a lot for their expertise, you might as well model it. Now that is being resourceful!

This is a key point for security folks. Security by its very nature is mired in uncertainty. We have uncertain sentient and artificially intelligent adversaries attacking a myriad of systems all in transient states. Our understanding, or model, of that world is by its very nature, woefully incomplete.

The statistician George Box made this point of view popular by saying, “all models are wrong, but some are useful.” Which my co-author embellishes with, “... and some models are measurably more useful than others.” Your goal is improvement over your current model at a reasonable cost. Don’t let your uncertainty caused by a lack of perfect data stand in your way.

BETTER DECISION MAKING

Models, wrong or very wrong, exist to aid you in decision making as opposed to substituting for it. The model for answering my first question would help you figure out which capabilities best reduce risk (breach) given your risk tolerances[2]. It should also take into consideration any reduction in opportunity loss (lost sales)[3] as well as the cost of controls (cost of people and gear etc.)[4]. That’s how we get the best return on investment (ROI) i.e. the best bang for our buck in reducing probable future loss.

ROI becomes a type of score[5] for organizing our choices in order of importance. It’s a huge improvement over risk registers, heat maps, and other qualitative scoring systems in the security marketplace. We and other experts in our book enjoy saying that those approaches are “worse than doing nothing.”

BUT WAIT, WE’RE DIFFERENT!

Security folks may argue that the combination of systems complexity and chaotic actors make the possibilities of compromise uncountable (not that they have tried) and thus immune to probabilistic means. They say this as if fields that use probabilistic approaches must have easier problems to solve; fields like nuclear engineering, military logistics, epidemiology, seismology, and cytology (name your ology as long as it’s not astrology … it doesn’t work). The point is that measurement experts adopt probabilistic approaches because of uncertainty, not in spite of it.

1. Doug Hubbard was my co-author: https://www.linkedin.com/in/dwhubbard/
2. Risk tolerance could be your cyber insurance coverage or it could be multiple factors. Also consider that the NIST CSF, amongst others, expects risk management to consider tolerance.
3. Opportunity loss is reduced when security meets customer, industry or regional requirements and allows for new and expanded sales.
4. Security gear, people and etc.
5. It’s a mathematically unambiguous score. Unlike a “High” or a 10 on a 1-10 scale.
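The ROI score described under BETTER DECISION MAKING can be written down directly. The following is an added example, not code from this column or from the authors’ book: each loss scenario is an annual event probability plus a 90% confidence interval for its impact (the kind of calibrated estimate the text suggests modeling from subject matter experts), a control scales those probabilities, and ROI is (reduction in expected loss + opportunity gain − cost) / cost. A Monte Carlo loop then answers the risk-tolerance question: how often does the year’s total loss exceed the tolerance, with and without the top control. Every scenario, control, cost, factor and the tolerance value are constructed placeholders, not figures from the article.

```python
"""Rank candidate security controls by expected ROI and check annual loss
against a risk tolerance.

Added example (not code from the column or from Hubbard & Seiersen's book).
All scenarios, controls, costs, probability factors and the tolerance below
are constructed placeholders, not real data.
"""
import math
import random
from dataclasses import dataclass

# A 90% confidence interval spans 2 * 1.645 standard deviations of ln(impact).
_Z90 = 3.29


def lognormal_params(low: float, high: float):
    """Mean and standard deviation of ln(impact) from a 90% CI [low, high]."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / _Z90
    return mu, sigma


@dataclass(frozen=True)
class Scenario:
    """A loss event occurring at most once a year with probability p; its
    impact is lognormal with the given 90% confidence interval (currency)."""
    name: str
    p: float
    low: float
    high: float

    def expected_loss(self) -> float:
        mu, sigma = lognormal_params(self.low, self.high)
        return self.p * math.exp(mu + sigma * sigma / 2.0)  # p * E[impact]


@dataclass(frozen=True)
class Control:
    """A capability: its annual cost, the factor it applies to each named
    scenario's probability (1.0 = no effect) and any opportunity loss it removes."""
    name: str
    annual_cost: float
    p_factor: dict
    opportunity_gain: float = 0.0


def with_control(scenarios, control):
    """The same scenarios with the control's probability factors applied."""
    return [Scenario(s.name, s.p * control.p_factor.get(s.name, 1.0), s.low, s.high)
            for s in scenarios]


def expected_annual_loss(scenarios) -> float:
    return sum(s.expected_loss() for s in scenarios)


def roi(scenarios, control) -> float:
    """(reduction in expected loss + opportunity gain - cost) / cost."""
    reduction = expected_annual_loss(scenarios) - expected_annual_loss(with_control(scenarios, control))
    return (reduction + control.opportunity_gain - control.annual_cost) / control.annual_cost


def rank_controls(scenarios, controls):
    """The ROI score orders the choices by importance, highest ROI first."""
    return sorted(controls, key=lambda c: roi(scenarios, c), reverse=True)


def exceedance_probability(scenarios, tolerance, trials=5000, seed=7) -> float:
    """Monte Carlo estimate of P(total annual loss > tolerance). Both draws are
    made for every scenario on every trial, so the same seed yields directly
    comparable results with and without a control (common random numbers)."""
    rng = random.Random(seed)
    params = [lognormal_params(s.low, s.high) for s in scenarios]
    over = 0
    for _ in range(trials):
        loss = 0.0
        for s, (mu, sigma) in zip(scenarios, params):
            occurred = rng.random() < s.p
            impact = rng.lognormvariate(mu, sigma)
            if occurred:
                loss += impact
        if loss > tolerance:
            over += 1
    return over / trials


# Constructed inputs (placeholders): annual probabilities and 90% CIs in dollars.
SCENARIOS = [
    Scenario("ransomware via exposed RDP", p=0.30, low=200_000, high=5_000_000),
    Scenario("internet-facing database breached", p=0.20, low=50_000, high=2_000_000),
    Scenario("unencrypted laptop lost", p=0.60, low=5_000, high=100_000),
]
CONTROLS = [
    Control("VPN only; no public RDP or DB", 40_000,
            {"ransomware via exposed RDP": 0.5, "internet-facing database breached": 0.2}),
    Control("full-disk encryption on laptops", 15_000, {"unencrypted laptop lost": 0.1}),
    Control("next-gen appliance", 300_000, {"ransomware via exposed RDP": 0.9}),
]
TOLERANCE = 1_000_000  # e.g. a cyber insurance limit (constructed)

if __name__ == "__main__":
    ranked = rank_controls(SCENARIOS, CONTROLS)
    for c in ranked:
        print(f"{c.name:35s} ROI {roi(SCENARIOS, c):6.2f}")
    print("P(loss > tolerance) before:", exceedance_probability(SCENARIOS, TOLERANCE))
    print("P(loss > tolerance) after :", exceedance_probability(with_control(SCENARIOS, ranked[0]), TOLERANCE))
```

With these placeholder inputs the cheap, fundamentals-style control (no public RDP or databases) ranks first with an ROI of roughly 7, laptop encryption is marginally positive, and the expensive appliance scores negative even though it "does something": the ordering is unambiguous in the sense of footnote 5, and the exceedance curve is what to compare against the tolerance in footnote 2.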

MAKING SECURITY RIGOROUS

If you haven’t guessed it by now, I believe it’s time for security to start measuring more like the sciences do, or like anyone with serious treasure at stake would do. And you don’t have to be a scientist or a statistician to do this (I’m not)[6]. Statisticians, similar to cooks, do what they do for others to consume. Take plumbers for example: they don’t need to know squat (pun intended) about the physics of fluid dynamics to fit the right pipes given the water pressure coming into a house. They just know which tools and materials to use for the particular problem at hand. Likewise, you don’t necessarily need to understand the math as much as you need to understand the problem you are trying to solve. From there you are just fitting the appropriate quantitative materials together to make what will ultimately be a wrong (all models are wrong) but hopefully better model than you are currently using.

THINK MORE DO LESS

“A problem well defined is a problem half solved.”
-Charles Kettering

If your problem is framed badly then no model, no math, no concoction of any kind can magically save you from yourself. In my experience, most security folks don’t spend enough time thinking or framing their problems. The current trend is to knock out tasks (be a doer/builder) and deploy taken-for-granted technology in the hope things will improve. Task obsession is a sure-fire way to lose the forest for the trees in security. The bad guys would love nothing more than to have you whittling away the hours on low impact, uncoordinated busy work.

By way of example, I consulted with an organization not too long after the Equifax breach. I used what we knew of the breach as a tabletop exercise[7] to determine the state of the current organization’s end-to-end vulnerability management program. While they had historically knocked out numerous tasks related to the topic and made several key investments, they profoundly underperformed Equifax. Why? They couldn’t rank-order what big outcomes were important in a systematic way. What they did have was “more security tasks … faster.” That was their model. Now, after improving their vulnerability management program and focusing on ranking important outcomes, their results should beat their old model, which had near zero measurable outcomes, and Equifax to boot (at least I hope it will). The improvements were fundamentally about shifting their thinking from being task-oriented/busyness-obsessed to big picture strategizing for the organizations’ assets.

As a security leader, don’t be fooled by busyness and don’t let your teams be fooled by it either. It’s faux noble and will not be effective in light of increasing platform uncertainties and talented adversaries. Perhaps it’s time to think more and do less? Specifically, thinking more about our capabilities and doing less busy work so you can focus on big impact, ROI-based, outcomes.

In my next article, I will address the second question. And who knows, I may throw in some code!
6. Data analysis is an applied art. Analysts are API/tool users. Deeper math, statistics, probability theory and etc. is not required. But, it would certainly help in better understanding what is going on under the hood. Those people designed tools for you to use to answer questions in your particular domain. Go for it!
7. Use big breach announcements, new zero days, etc. as a form of table top. Collect the evidence from an article about the event and turn it on yourselves to see how well you would do. This is a much more productive way to read all the security blather that is out there. Ask “what if it were me?”

The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

LIVE CCISO TRAINING IS GLOBAL!
With classes in Portugal, Dubai, Singapore, Spain, Mexico, the UK, South Africa, and all over the US find a class in your region today! New cities are being added all the time!

ABOUT THE CCISO PROGRAM
EC-Council’s Certified CISO (CCISO) Program has been helping information security professionals take their careers to the next level since 2012. CCISO is designed to teach the executive information security management skills that are in demand by the job market today to help our members advance their careers.

UNDER THE SPOTLIGHT

J A CHOWDARY
SPECIAL CHIEF SECRETARY & IT ADVISOR TO CHIEF MINISTER OF ANDHRA PRADESH
Rahul Arora

Under the able leadership of J A Chowdary, the Indian state of Andhra Pradesh has been able to create a culture of innovation for the Fintech sector as well as establish a vibrant ecosystem for startups to thrive.

In an exclusive interview with Rahul Arora, he talks about his vision for Fintech Valley in Vizag, Andhra Pradesh, and his efforts for continued development of the Fintech ecosystem in India.

What is the reason behind choosing Fintech as an area of focus?

Considering that resources are limited, there needs to be a sharp focus in a particular area, otherwise one will never be able to create real impact through just noise. We studied the areas and identified the major ones which may create a real impact. Ultimately, for any government, through economic activity, the key milestone is job creation. Especially with a population of 1.2 billion, it becomes even more fundamental for governments to focus on jobs. Now, with Indian IT 1.0 slowing down with automation and layoffs, we mapped sectors that are going to be crucial to creating the right jobs for our people. We narrowed down to three technologies: cybersecurity, blockchain––which is just emerging and key to preventing cyber hacks––and analytics, considering the digital footprint the country has been creating. We thought of focusing on one industry where all these technology changes are relevant. Fintech encapsulates all three and, as an industry, is growing globally at a CAGR of 26 percent.

As one of the cutting-edge technologies that break the traditional chain in financial sector, FinTech is the future of global economy and would play a pivotal role in developing the country through its innovative products and service. Fintech has enabled the unbanked to be brought under the formal system, so we have the potential to find robust and secure solutions by incubating potential startups. The FinTech Valley will act as a facilitator for information flow––a playground for innovators to disrupt traditional processes with new, more efficient, economically beneficial technologies that will change the way India does business. Fintech Valley Vizag forum will bring together regulators, banks, non-banking financial companies, educational institutions, and the government to create the best practices for the sector. Manpower, money, market access, mentoring and media––these five M(s) are the Paanch Pandavas (according to Hindu Mythology) that we have identified for the success of fintech startups. The role played by the media in stimulating a meaningful debate, and by educational institutions in providing skilled manpower, will be vital to our strategy.

“The state is leading in e-governance; it is using Blockchain technology to address cybersecurity issues. Andhra Pradesh is positioning itself to take advantage of the niche technologies to create business and investment opportunities. The state has also created the largest repository of used cases for global startups to test their solutions. Today, as a part of the Fintech Valley Vizag initiative, there are nine companies set up and 16 are yet to establish their bases in Vizag. Within the last one year, we have been able to attract INR 600 crore in investment. Progress is only possible through adoption of technology. Our aim is for Vizag to be the technology and education hub not only in Andhra Pradesh but for the entire country.

“The government of AP has set aside INR 100 crore incentives to corporates who set up bases in Vizag. We are also speaking to several private equity firms to help raise more funds to promote Vizag as the Fintech hub. We are adopting Internet of Things (IoT) for real-time monitoring of all aspects of administration in the state. We have developed e-Pragathi, so that even soil testing will be done using technology with the help of drones and Microsoft.

“Our goal is very clear. In the IT sector, we have to create 100,000 jobs and secure $2 billion investment. In electronics, we have set a target of 200,000 jobs and an investment of $5 billion. To achieve these goals, we have made our own policies such as AP IT Policy 2014-2020, Electronic Policy 2014-20, Cyber Security Policy 17-20 and Global Inhouse Policy 2017-20.”
- Nara Chandrababu Naidu, Chief Minister of Andhra Pradesh

We saw a massive conference focused on Blockchain in Vizag a couple of months ago. Which other areas of Fintech is the government looking to explore?

The AP government has taken the lead by incorporating Fintech including Blockchain, Cybersecurity, Artificial Intelligence, Machine Learning and Analytics as its key strategy in FY17. Apart from Blockchain, the government is looking at exploring new technologies such as big data analytics, Internet of Things (IoT), cybersecurity, and artificial intelligence.

We saw several global companies and delegates competing in four Fintech Challenges at the Vishakapatnam event, of which 40 percent participants were from 15 countries. About 30 international delegations from Japan, Singapore, and Switzerland also participated in the event. What kind of efforts is the government putting in to globalize the Fintech Valley?

As many as 26 countries participated in ‘Blockchain Business Conference’ to promote business opportunity and investment. The conference witnessed over 150 startups. Representatives from government bodies and industry working on Blockchain technologies gathered together to create business and investment opportunities for startups. The two-day conference included panel discussions related to scope in the field of financial technologies, as well as competition among the startups having best solutions for problems being faced in financial world.

The state government has decided to develop Visakhapatnam into a FinTech (financial technology) Valley by holding roadshows in the United States, the Middle East, and Europe to attract leading players in the field for partnerships and investments. After successful response to its attempt to involve Singapore in promoting the FinTech industry in the city, it has been decided to undertake overseas trips by Chief Minister N. Chandrababu Naidu and members of the Confederation of Indian Industry (CII) to showcase the huge potential for investment in Visakhapatnam––the largest city in Andhra Pradesh with an IT turnover of Rs. 2,000 crores and a

robust industrial base.

Fintech Valley Vizag invited experts from the Fintech ecosystem, government officials, and CXOs of enterprises for closed-door meetings to discuss and share ideas on blockchain applications in key areas including cybersecurity, regulatory, trade finance, and logistics. The Blockchain Business Conference had closed-door discussions, investor connect where startups pitched to investors, customer connect where startups met large corporates to provide opportunities to investors and startups globally.

We signed an MoU with the Monetary Authority of Singapore (MAS) to explore projects of mutual interest on innovative technologies such as digital payments and Blockchain (database) technology, and collaborate on the development of education programs/curricula on FinTech. The MAS and the State government would also work together on emerging FinTech trends and addressing regulatory issues related to innovations in financial services. Delegations were already sent to Boston and Silicon Valley to impress upon investors and FinTech experts to explore opportunities in the proposed FinTech Valley.

Several startups are making breakthroughs in Fintech and taking the banking industry head-on. What is the AP government doing to assist or promote them?

The potential to create successful startups lies in how we build our

“We are the first state to use blockchain pilots. The Fintech Valley Spring Conference is our step in joining the Fourth Industrial Revolution which is a spectacular combination of technology and Internet of Things (IoT). In recent times, technology has started influencing our lives in a comprehensive manner. The demand for Fintech is growing each day. To meet this demand, we would need the support from Fintech and cybersecurity companies. We also need the academic institutions to adapt curriculum that trains individuals to contribute to fintech sector.

“We are very proud of the fact that currently we have created over 22,000 job opportunities in IT sector and 40,000 in electronic sector in the state. By 2019, we aim to create job opportunities to the scale of 100,000 jobs in IT sector and 200,000 in the electronics sector. Govt. is not only making tremendous efforts [for] development in the city by focusing on infrastructure. Congenial policies, burgeoning pool of talent, and strategic investments are attracting investors to set up operations in Vizag. The Govt. of Andhra Pradesh is making all the efforts to embark on its vision to make Vizag the Fintech hub of India.

“The technology was required to prevent tampering of land records, which had already been digitized and placed online. Similarly, the technology is used in Transport Department to streamline titles of the vehicles. The government has brought advisory major KPMG and card network majors Visa as partners in this initiative. It has also partnered with six educational institutions for imparting special courses on financial technology for necessary skill-building. A New Jersey-based company, Conduent, is setting up a 5,000-seater facility here and another major company has agreed

funds and map out intricacies. The AP government is supporting the startups by providing the following incentives:
• Regulatory support and incentives
• Access to local and global investors
• Leverage learnings from mentors
• Access to professional services providers (e.g. tax, recruitment)
• Access to talent pool
• Access to corporate partners
• Access to free physical infrastructure
• Access to high speed connectivity

the state, online delivery of services, citizen information portal, state intranet portal, remote management and service integration, and disaster recovery. ePragati is the nodal agency to implement blockchain initiatives across departments in association with blockchain technology companies in AP and agency is taking every step in protecting the interests of common man through securing various digital assets.

According to you, what is the role of regulations in Fintech? When is a regulation good and when

to have a regulation in all fronts including Financial technologies. Due to proper measurements by government of India, India is able to provide a stable and trusted economy while many other international economies disrupted like such as subprime crisis. Financial Technologies have opened many doors for the financial inclusion. At the same time, Fintech is very much vulnerable to data security and ever increasing digital attacks. Indian Citizen cannot be exposed with highly speculative currencies like Bitcoin (digital currency).

The identifying
information of an individual
and its verification is often
considered an important
tool for Fintech companies
to mitigate fraud losses and
is it bad?
A democratic country like India
where more than 1.3 billion
population exists, it is necessary
Due to this reason, Reserve Bank
of India, the central bank of
the country, has decided not to
promote speculative currency like
Bitcoin. 43

in inviting Fintech companies to Vizag, to set up center here, generating 5,000 create better assess credit
it is also trying to create socio-economic more jobs.” worthiness. What efforts
did the AP government put
- Nara Lokesh in to form a robust identity
IT Minister, Andhra Pradesh.
regime?
Aadhar is a standalone platform,
which has robust mechanism in
infrastructure. Under our chief based fintech hub), UIDAI (Unique The AP government is providing protecting individual identity. The
minister, we have developed Identification Authority of India), free infrastructure for six months, AP government would like to take
the Fintech Valley Vizag as an and the NPCI (National Payments free fiber (high speed internet) Aadhar as a source of identification
ecosystem of success that helps Corporation of India), among connectivity, and preferential for all its initiatives. In addition to
identify and nurture financial others to boost our research market access to facilitate POCs that, the government is proposing
technology institutions and and development capacity, and of the start-ups. Additionally, fund to have AP CODE, which is a
startups. We intend to bring of funds strategy and alternate
provide the startups with the best secured platform, which will arrest
together the fintech community payment options are being
and catalyze the sector’s growth intelligence. any misuse of data and would like
discussed and expected to be to bring this initiative through an
by hosting global business To encourage financial technology on the books soon. An advisory
competitions and awarding enactment by state legislation.
sector, Andhra Pradesh council consisting of global The government has setup new
innovation.
government announced an INR 100 thought leaders from the FinTech state-of-the art State Data Centre
We have partnered with Wipro, crore fund of funds to invest in the space headed by the chief minister (SDC), central repository of
Microsoft, Lattice80 (a Singapore- startups in this area. is also being planned to handle

VIEWPOINT

FINDING THE MISSING LINK TO INSIDER THREATS: HR
Renee Brown Small
CEO, Cyber Human Capital, and Author, Magnetic Hiring

According to the Ponemon Institute’s 2017 Cost of Data Breach study, 47 percent of the organizations represented stated that the root cause of the security breaches they suffered was a malicious insider or criminal attack. Respondents reported that breaches caused by insider criminal attacks were costlier than system glitches and human error. Some of the largest and most infamous breaches have been classified as insider threats.

There are numerous technologies in the marketplace that do their part to help organizations protect themselves against insider threats, but having the right technology isn’t enough to stop these kinds of threats. A thoughtful insider threat program that addresses technologies, policies, and procedures is needed to combat insider threats. There is a human element in every single breach. Sometimes, it’s a malicious actor with the intent to harm the company and ensure that they benefit; other times, it’s an employee who accidentally clicks on a phishing email, for example, and unexpectedly exposes the organization to malware. In an Insider Threat Task Force white paper, a recent observation was made that of the organizations with a formal insider threat program, there is little evidence that insider threat programs use detection strategies focusing on non-technical behaviors––such as alarming psychosocial events in the workplace. So, the question remains: What can we do to prevent this from continuing to happen at this scale, and how quickly can the incident response team find the breach when it inevitably does occur?

One area of the organization that seems to be overlooked or underutilized for using detection strategies and combating the insider threat is Human Resources. It’s typically not the first area that security leaders think of when focusing on insider threats, but it should be. HR professionals bring a diversity of thought that is inherently focused on human psychology and is typically different from the technologist’s point of view. Similar to how the enterprise risk management groups in larger organizations are viewing and assessing all types of risk across the company, HR sees the patterns of various employee issues that are happening across the organization and may be able to spot trends in certain departments or employees before they do harm to the company.

HR should play an integral role in an insider threat program with multiple touch-points throughout an employee’s career (beginning at the hiring stage), according to the CERT Insider Threat Center. CERT also provides a list of best practices that organizations can adopt to shore up their insider threat programs. The ones that are easier to implement and provide the biggest impact include:


MATURE YOUR INSIDER THREAT PROGRAM

Implement or mature your current insider threat program to include the broader organization––IT, HR, legal, enterprise risk management, and other areas of the company. Due to the sensitivity and confidentiality of this work (potentially probing into an employee’s private life), it is important to utilize HR as a starting point for policies and for ensuring that HR employment laws align with the program.

DEVELOP A WATCHLIST OF EMPLOYEES WITH BEHAVIORAL INDICATORS

HR will be essential in creating a list of employees who are exhibiting behaviors that could be an indicator for insider threats. Some examples are frequent policy violations, disruptive behavior, financial hardship, and job performance problems. Disgruntled employees are a consistent factor when it comes to insider threats.

TRACK TERMINATED EMPLOYEES

Since 70 percent of insider threat intellectual property incidents are completed 60 days prior to an employee leaving the organization, you should have HR provide an automated list of voluntary and involuntary terminated employees to track their activity.

IMPROVE EMPLOYEE ENGAGEMENT

Preliminary studies show that engaged employees who are fulfilled in their jobs are less likely to pose an insider threat. Partner with HR to understand best practices for maturing employee engagement programs.

ADD INSIDER THREAT AWARENESS TRAINING TO OVERALL SECURITY AWARENESS TRAINING

At this point, a majority of organizations have security awareness training for their employees. Partner with HR to add insider threat awareness to the security awareness training. Like other training that is mandatory, ensure all users have completed the training and provide refreshers throughout the year, so employees stay abreast of red flags and can spot malicious or accidental threats when they see them.

Companies have been successful by making updates to:

Pre-hiring practices
Larger organizations have pretty robust background check processes when hiring employees; however, some of the smaller companies must continue to mature their hiring practices by updating policies to include Google searches and social media searches. Since past performance is an indicator of future performance, this additional data check can help with hiring decisions and determining if the candidate could pose future employee issues.

New hire on-boarding
During on-boarding, the new employee is provided with mandatory training. Insider-threat awareness training should be added to the training deck an employee must complete. It can also be administered during the times of the year that there may be higher cases of security breaches or insider threats.

Mandatory vacation policies
Many organizations have roles––typically in finance, payroll, or trading––where the employee is subject to mandatory vacation. These policies should be expanded to some high-risk IT roles where employees have access to admin rights that could be a threat to the company if used maliciously.

In conclusion, there is no question that policies, procedures, and technologies are necessary in trying to prevent and detect insider threats; however, in order to minimize the damage of breaches in the future, there should be a multifaceted approach with an emphasis on a partnership with HR to provide the best barrier of protection against your own employees.

The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.


INSIGHT

GET YOUR RETALIATION IN FIRST
Agnidipta Sarkar
Global Information Risk & Continuity Officer, DXC Technology

In 2016, ISO contacted accredited certification bodies and requested information about the number of valid certificates they had as of December 31st, 2016. The results revealed that 33,290 organizations had been certified for ISO 27001, which is a steady growth rate of 21 percent year over year. That is the good news. The bad news: only 39 countries have more than 100 certificates.

In sharp contrast is another number: the breaches. More data records were leaked or stolen during the first half of 2017 (1.9 billion) than in all of 2016 (1.37 billion). Compared to the losses, the ISO 27001 story looks like a bleak effort at standardization; it is not clear if ISO 27001 is helping or not. Currently, no data is available about how many of these certified organizations had breaches and how successful or unsuccessful the ISO 27001 journey has been in regards to reducing the breaches or their impact. And the perpetrators are having fun: educated global criminals, unethical corporate competition and greed, advanced persistent threats, blatant insider abuse, radicalization of script kiddies, and many other cybersecurity violators are breaching our security.

There is still hope. In June 2016, PECB, a leading certification body, published a whitepaper claiming, “No ISO 27001 Certified Companies among Largest Data Breaches 2014-2015.” Released in 2013, the revamped ISO 27001:2013 heralded a sea change in security attitudes, from security being thought of as asset-based instead of being related to the context of protection. Unfortunately, not many organizations have embraced that logic, primarily because change is disruptive. Many have relegated ISO 27001:2013 to a mere certificate on the wall and are not leveraging it as an enabler to a robust and lean information-security management and governance culture. Cybersecurity speaker John Sileo had this to say: “Corporations continue their delusional belief that data security and cyber privacy are a byproduct of purchasing better technology. It helps, but it’s the human beings using the technology correctly (or not, in the case of most breaches) that actually delivers results.” Information security management and governance will only succeed when the technology is used effectively.

ABOUT ISO 27001:2013

Unlike the 2005 standard, ISO 27001:2013 creates a framework that follows a very simple logical breakdown of how information security (and all its other names, like cybersecurity and IT security) can be managed. The standard requires organizations to determine stakeholder requirements and then remediate gaps if any exist. It then expects that the organization will establish information security objectives and establish plans to implement them. These may require the establishment of operational processes for information security management, and then identification, assessment, and evaluation of information security risks in order to treat them. Evaluate the performance of the information security operations through the already established objectives, and then improve the established ISMS (information-security management system) by addressing non-conformances identified through audits. At all times, the ISMS program should be visible to top management personnel through appropriate management reviews.

Nothing could be simpler in the context of the complicated cybersecurity challenges we face today. Does this mean we do not need high-tech equipment to protect our cyber infrastructure? No, it does not. But an ISO 27001 ISMS program puts the appropriate focus and rigor into determining the requirements for the best possible network security. Does that prevent breaches? Yes, to a large extent. Today, data breaches and information security incidents are part of our daily life. And your ISO 27001 certification can be more than just a “best practice.”

The first step to leverage your ISO 27001 certification is to ensure that the ISMS is fulfilling the requirements of the stakeholders; its performance is measured based on the information security objectives. In order to do that, organizations are increasingly making sure that all information security reviews are guided by ISO 27001. Organizations that are successfully using ISO 27001 to improve their security posture are continuously denying perpetrators the chance to breach their security, which satisfies their stakeholders. For example, Japan, which has the highest number of certified organizations, has consistently reduced its exposure––from 21 in 2015, 16 in 2014, and 1 in 2017 (www.breachlevelindex.com). However, this is not an adequate indicator of the benefits of ISO 27001:2013. We need to understand how the ISO technical committee focuses on developing the ISO 27001 family of standards.

Figure: the ISO 27001:2013 ISMS cycle

Determine Context
- Organizational Intent (policies)
- Stakeholder expectations
- Contractual & Regulatory Expectations
- Legal Requirements
- Information Security Management Issues
- Programs
- Operational Environment
- Dependencies

Address Risks
- Identify Information Security Risks
- Assess impact and likelihood of their occurrence
- Evaluate these risks vis-a-vis the risk criteria set by the organization
- Take appropriate risk decisions to implement controls, to reduce risks within acceptable limits
- Build a Statement of Applicability by comparing the controls with those in Annex A, while documenting the reasons for implementation & exclusion

Operate the ISMS
- Information security objectives to operate an ISMS
- Establish information security procedures to ensure that the information security objectives are met and the risks are maintained within acceptable limits
- Conduct audits & management reviews to assess performance
- Correct non-conformances and continually improve the information security management system

LEVERAGING STANDARDS

In order to create consistency in structure and terminology across ISO management system standards, ISO released Annex SL, which was previously known as ISO Guide 83. Annex SL describes the 10 clauses that define ISO 27001:2013 (and also ISO 9001:2015, ISO 22301:2012, and many more). One of the biggest benefits of Annex SL is providing a universal, high-level structure, identical core text, and common terms and definitions for all management system standards. It was designed to make it easier for organizations that have to comply with more than one management system standard.

If your organization subscribes to more than one management system standard, adopt the Annex SL method to integrate both management systems. In doing so, you reduce resource wastage, reduce expenses, and improve performance by focusing the right amount of leadership to ensure a high level of security.

In 2016, ISO released ISO 27009. ISO 27009 explains how to include requirements additional to those in ISO 27001, how to refine any of the ISO 27001 requirements, and how to include controls or control sets in addition to ISO 27001, Annex A. ISO 27009 is a big step toward enabling organizations to face cyber-threats. It has heralded a new world in regards to implementing controls to reduce both the likelihood and impact of security and privacy threats by introducing the concept of sector-specific application of ISO 27001. And these sectors may be a specific field, application area, or even a market sector.

The most popular of these sector-specific implementations are the two cloud certifications for ISO 27017, for information security in cloud operations, and ISO 27018, for protection of personal data in the cloud. Both AWS & Azure have obtained these certificates and assure their customers that their data is protected. Both standards are called “codes of practice” and contain a list of controls that extend the ISO 27001 program. These extensions include two types: controls that modify existing ISO 27001 Annex A controls (to make them relevant to the sector) and controls that are additional to ISO 27001 in order to enhance the capability of the operational ISMS. Needless to say, the ISMS needs to be optimally resourced to continuously improve the management system.

GDPR: THE NEXT FRONTIER

The regulatory environment will change the equations soon. GDPR looms (April 25, 2018), and many countries (including Great Britain, Singapore, India, Philippines, etc.) are introducing new legislation (or modifying existing practices and regulations) to make the computing world more secure. May 25, 2018 isn’t just about the GDPR; the ePrivacy Directive and the Law Enforcement Directive (LED) also come into effect on that day. It is no secret that most privacy organizations are unprepared to meet the requirements of this regulation. There are clear gaps in how we are organized. While most privacy experts assume that security will protect privacy, many security experts are waiting for privacy teams to tell them what needs to be protected.

The only sure-fire way to address the GDPR is to implement a management system. BS 10012:2017 is the only privacy management system standard in the world. However, it does not address requirements to protect privacy information.

BSI revised BS 10012 in 2017 to align with Annex SL in order to ensure there was good governance around data protection and that it was anchored at the board level––with a very specific focus on aligning with ISO standard structure and the existing GDPR standard. The new standard has a section for updated terms and definitions, as well as separate sections concerning “planning” and “implementing/operating” the management system; it also contains a comparison between the UK DPA and the GDPR. ISO, for its part, has released the base framework through a free standard called ISO 29100; and has already released ISO 29134, which is a necessary implementation for a privacy impact assessment program. Financial services organizations may also use ISO 22307, which is helpful during privacy compliance audits. Additionally, there is ISO 29190, which provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes.

However, a full implementation of GDPR requires not only a privacy information management system, but also an accompanying information security management system. In order to enhance the coverage of ISO 27001 (ISMS), ISO has also released ISO 29151, which, like all other sector-specific standards, is a code of practice and contains privacy-specific information-security controls––both as an extension of Annex A and as modifications of existing controls that can be used to extend the scope and coverage of the ISO 27001 program.

With so much going on around us, ISO, for standardization in security and privacy, provides the discipline to ensure we cover all our bases. As Willie John McBride, captain of the famous 1974 rugby team dubbed “The Invincibles,” told his teammates: “Get your retaliation in first.”

Notes
1. To read more about the ISO survey, go to: http://bit.ly/2p0O3yN.
2. To read more on the data breaches, visit “The Register” website at: http://bit.ly/2ByyHYh.
3. To read more about the PECB whitepaper, go to: http://bit.ly/2yLZxGV.
4. To learn more about the breaches, go to: http://bit.ly/2efGM5I.
5. To learn more about Annex SL, go to: http://bit.ly/2kDlHGt.
6. To learn more about ISO 27009:2016, go to: http://bit.ly/2BoSHKI.
7. To learn more about AWS ISO 27018, go to: http://bit.ly/2yN9qUV.
8. To learn more about AWS ISO 27017, go to: http://bit.ly/2j9rvXP.
9. To learn more about Microsoft ISO 27017, go to: http://bit.ly/2BnJFNW.
10. To learn more about BS 10012:2017, go to: http://bit.ly/2AIletx.


COLLABORATIONS V ol um e 2 | I s s ue 1 V ol um e 2 | I s s ue 1 COLLABORATIONS

I N F O S E C PARTNERSHIPS

56 57

In 2017, cybersecurity took center stage with other crucial topics like climate change,
decolonization, big data, and atomic energy. Significant mergers and acquisitions
took place as the year came to an end, the effects of which will be observable in
the near future. Following the trend of collaboration, many startups and innovators
joined hands with established cybersecurity brands to pursue aggressive courses
of action. Also, the governments and defense departments around the world, along
with other industries, began taking cybersecurity more seriously. Below are a few
stories from 2017 that made front-page with their substantial acquisition amounts
and futuristic outlook.
CISO MAG Staff

CISO MAG | February 2018 CISO MAG | February 2018


COLLABORATIONS V ol um e 2 | I s s ue 1 V ol um e 2 | I s s ue 1 COLLABORATIONS

network (CDN) services, “Deterring information operations


announced the acquisition of is inherently a government
Nominum on October 11th 2017. responsibility, and the technology
Nominum is a leader in the domain firms will decide how to act on their
name services (DNS) industry platforms, but state organizations
for carriers and this merger are the victims,” said Rosenbach.
will expand Akamai’s array of
The Belfer Center is also sending
cybersecurity services. The
amount of the transaction wasn’t their students to various states
disclosed. The merger was in to analyze different voting
the last week of November 2017. technologies and procedures.
In an official Press Release on
Akamai’s website, Robert Blumofe,
Executive Vice President, Platform
& General Manager for the Air Force Awards
McAfee was valued at $4.2 Enterprise and Carrier Division, $50 million Contract
McAfee acquires million when it announced its said, “We believe this acquisition is the first effort of its kind and
for Cybersecurity
separation from Intel in April 2017, is a key investment in our security US Democrats, covers topics like The Vulnerable
Skyhigh Networks Campaign Environment, the
Research
Republicans
marking itself as a standalone in capabilities because Nominum will
to Provide Cloud the cybersecurity domain. The bring complementary technology, threats campaigns face, managing
addition of a CASB to its offerings engineering, technical support, Join Hands with cyber risks, and steps to securing
Services and sales talent to better reach your campaign are covered in this Ball Aerospace and Technologies
Harvard to Prevent
58 will certainly increase its value. Corp., a leading spacecraft,
and serve our carrier partners and playbook. 59
McAfee, the world’s largest components, and instruments
The acquisition of Skyhigh technology security company, their enterprise customers.”
Hacking in Elections Eric Rosenbach, Belfer co-director, manufacturer, has been awarded a
Networks, a prominent name in will now be able to increase its has already announced the new contract by the U.S. Air Force
the Cloud Access Security Broker expertise in the cloud security In order to safeguard the 2018 release of a second guidebook for the security of its weapons from
(CASB) category, by McAfee on realm. “Skyhigh’s leadership in midterm elections from hacking for state election officials, cyber threats. “Ball Aerospace
November 27th is an example of cloud security, combined with and related propaganda, a scheduled for release in spring. & Technologies Corp., Boulder,
a large company purchasing a McAfee’s security portfolio Considering the rising number bipartisan Harvard panel recently
smaller, niche company to add to strength, will set the company apart of cases of cyber attacks on both launched a “Cybersecurity
their security repertoire. Skyhigh in helping organizations operate carriers and enterprises, CDNs like Campaign Playbook.” This
CEO Rajiv Gupta, who will be freely and securely to reach their Akamai need robust cybersecurity initiative is being led by the
heading McAfee’s cloud business full potential.” said Chris Young, solutions that can identify and
Belfer Center for Science and
unit, wrote in his blog on the CEO of McAfee. thwart breach attempts. CEO & Co-
International Affairs, in conjunction
company’s website, “As part of founder of Akamai Technologies,
with top security executives from
McAfee, we will have access to even Dr. Tom Leighton, stated “Nominum
tech and cybersecurity giants
Nominum’s
greater resources to accelerate provides Akamai important
such as Google, Facebook, and
delivery of Skyhigh’s product technology and DNS expertise
Acquisition by
CrowdStrike.
roadmap, further advancing our to help protect carriers and
enterprises increasingly targeted
Akamai
vision of making cloud the most According to a report by Reuters, it
by attackers attempting to exploit is a 27-page guide recommending
secure environment for business.”
Although the financial terms of
Expected to Expand weaknesses and gaps in their
cybersecurity defenses. With our
leaders to prioritize security
while campaigning, emphasizing
the deal remain undisclosed, their Carrier Customer acquisition now complete, we’re practices like two-factor
Base
according to an online database, looking forward to deepening authentication when accessing
Skyhigh Networks raised $106 our relationships with our carrier emails and using complete
million in funding last year from partners as we work together to encryption from service-
its investors, including Sequoia, Akamai, a company involved make the Internet faster and more providers such as Signal and
Greylock, and Salesforce. in offering in content delivery secure.” Wickr. The security handbook

COLLABORATIONS

…Colorado, has been awarded a $47,900,000 modification (P00003) to a previously awarded contract (FA8650-16-D-1878) for research and development to provide investigation and development of methodologies, tools, techniques, and innovative solutions to identify susceptibilities and mitigate vulnerabilities in Air Force weapon systems, and protect those systems against cyber attack,” the Air Force said in a statement. “Work will be performed at Wright-Patterson Air Force Base, Ohio, with an expected completion date of March 29, 2023. Air Force Research Laboratory, Wright-Patterson Air Force Base, Ohio, is the contracting activity.”

The drive is expected to lead the operationalization of numerous important components identified by the Air Force in its extensive cybersecurity strategy. Air Force leaders also created a new unit tasked with handling cyber threats called the Cyber Resilience Office for Weapons Systems, or CROW.

Automotive Giant Continental AG Acquires Israel’s Argus Cyber Security

In a PR released on its website on November 3rd, 2017, Israel-based startup Argus Cyber Security announced it had been acquired by Germany’s Continental AG. A prominent automotive manufacturer, Continental acquired Argus for its expertise in protecting connected cars from hacking. Helmut Matschi, Executive member of the Board at Continental, said, “Only secure mobility is intelligent mobility. With the acquisition of Argus Cyber Security, we are enhancing our abilities to directly develop and offer solutions and services with some of the world’s leading automotive cybersecurity experts to our customers around the globe in order to truly make mobility more intelligent and secure.”

Argus will become a part of Elektrobit, Continental’s stand-alone software company. The automotive cybersecurity provider had previously partnered with EB in October 2017 to introduce technology for delivering over-the-air vehicle software updates. Recently, the automotive industry has faced strong criticism for its negligence in securing connected vehicles. Alexander Kocher, President and Managing Director of Elektrobit, said, “Adding Argus to our portfolio will allow us to further advance the development of our software. We are now offering to the automotive industry – carmakers and suppliers alike – a complete secure solution for the development of highly automated and connected driving. This will enable them to develop safer, smarter and more efficient vehicles.”

iClass: EC-Council’s Official delivery platform!

iClass students get their exam included in the package, and the application process (which requires 2 years of IT Security experience) is waived.

BASE PACKAGE
One year access to the official e-courseware, six months access to EC-Council’s official online lab environment (iLabs) with all tools pre-loaded into the platform, certification voucher, and expert instructor-led training modules with streaming video presentations, practice simulators and learning supplements including official EC-Council courseware, for an all-inclusive training program that provides the benefits of classroom training at your own pace. Upgrade options available in our online shop!

TRAINING OPTIONS
iLEARN: iLearn is EC-Council’s facilitated self-paced option. All of the same modules taught in the live course are recorded and presented in a streaming video format.
iWEEK: Courses delivered live online by a Certified EC-Council Instructor. Courses run 8 am to 4 pm MST, Monday - Friday.
CLIENT SITE: EC-Council can bring a turn-key training solution to your location. Call for a quote.
IN THE NEWS

Due to the ongoing, high-profile data breaches in 2017, cybersecurity is a trending topic in all kinds of media. It is imperative that information security executives are updated about the incidents around them. Read on for the 10 most important cybersecurity stories of the last three months.

CISO MAG staff

UBER PAID $100,000 TO COVER UP BREACH THAT AFFECTED 57 MILLION USERS

On November 21, 2017, it was reported that Uber paid hackers $100,000 to keep a data breach a secret. The personal information of about 57 million accounts was reportedly compromised in a hack that took place in October 2016. The incident was first reported by Bloomberg. The company reportedly fired its Chief Security Officer, Joe Sullivan, and a deputy, Craig Clark, the following week for concealing the hacking incident.

Dara Khosrowshahi, who replaced co-founder Travis Kalanick as CEO in August, wrote in a blog post, “None of this should have happened, and I will not make excuses for it.” He also revealed that he only learned of the breach recently.

Kalanick learned of the breach in November 2016, but he reportedly chose not to share the incident with fellow board members. He still continues to be on Uber’s board, and Khosrowshahi said that he regularly consults the former CEO.

While announcing that the exposé led to the sacking of two employees, Khosrowshahi said, “The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and license numbers of 600,000 U.S. drivers.”

Khosrowshahi was quoted as saying, “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

To investigate the breach, Khosrowshahi said that his company has hired Mandiant, a cybersecurity firm owned by FireEye. Uber has also hired Matt Olsen, former general counsel of the U.S. National Security Agency, to restructure the company’s security teams and processes.

In a statement, Uber said “Uber passengers need not worry as there was no evidence of fraud, while drivers whose license numbers had been stolen would be offered free identity theft protection and credit monitoring.”

The company alleged that two hackers gained unauthorized access to information on Github and stole Uber’s credentials for a separate cloud-services provider where they were able to download driver and rider data.

Meanwhile, an Uber spokeswoman said the hack was not the result of a failure of GitHub’s security, while adding that the New York attorney general has opened an investigation.

In 2014, Uber acknowledged that its employees used a software tool called “God View” to track passengers.

UK proposes ban on Kaspersky Labs products

After the clamor at the United States Senate and the following ban in the nation, Britain’s cybersecurity agency has warned government departments to refrain from using antivirus software from Kaspersky Labs, citing concerns over the company’s ties to the Kremlin and Russian spy operations. In a letter addressed to the head honchos of several civil service departments, Ciaran Martin, head of the National Cyber Security Centre, stated that, “The specific country we are highlighting in this package of guidance is Russia. As the Prime Minister’s Guildhall speech set out, Russia is acting against the UK’s national interest in cyberspace. The NCSC advises that Russia is a highly capable cyber threat actor which uses cyber as a tool of statecraft. This includes espionage, disruption and influence operations. Russia has the intent to target UK central Government and the UK’s critical national infrastructure.”

According to him, the overwhelming majority of UK individuals and organizations “are far more likely to be targeted by cyber criminals” than by the Russian state, but he still advises “that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV (anti-virus) company should not be chosen.”
Russia meddled with UK’s telecom systems, confirms NCSC chief

The United Kingdom’s National Cyber Security Center (NCSC) Chief Ciaran Martin confirmed that Russian hackers targeted the country’s telecommunications systems, media, and energy networks over the past year.

Martin’s remarks came amid heightened scrutiny of Russia’s influence in last year’s Brexit referendum. Addressing the Times Tech Summit in London on November 15, 2017, Martin said, “I can’t get into precise details of intelligence matters, but I can confirm that Russian interference, seen by the National Cyber Security Centre over the past one year, has included attacks on the UK media, telecommunication and energy sectors.”

Part of Martin’s speech summary was released on November 14, 2017. Martin said, “the Prime Minister sent Russia a clear message in her speech to the Lord Mayor’s Banquet on Monday night. Russia is seeking to undermine the international system. That much is clear. The PM made the point on Monday night — international order as we know it is in danger of being eroded.”

On November 13, 2017, Britain’s Prime Minister Theresa May had said that Russia was “weaponizing information” and meddling in elections to undermine the international order.

Sending a stark warning to Russia, May said, “We know what you are doing. And you will not succeed. Because you underestimate the resilience of our democracies, the enduring attraction of free and open societies, and the commitment of Western nations to the alliances that bind us.”

DHS hacks Boeing 757 jet

Robert Hickey, the aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate, revealed on November 08, 2017, that DHS once successfully took control of a Boeing 757 airplane while the passenger jet sat on the runway at Atlantic City airport, New Jersey.

He revealed the details of the hack, which was conducted in 2016, while giving his keynote address at a summit. “We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Hickey. “[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”

While the details of the hack are still under wraps, Hickey revealed his team of DHS cyber sleuths achieved the feat by accessing the radio frequency communications of the plane. The initial response from experts was, “We’ve known that for years,” and, “It’s not a big deal,” Hickey said.

1.7M emails and passwords compromised in 2014 Imgur hack

Image hosting site Imgur, which later metamorphosed into a meme haven for social media users, has apparently been subjected to a massive data breach. The hack occurred in 2014 and involves the stolen data of 1.7 million users. Imgur discovered the incident on November 23, 2017.

The incident came to the fore after Have I Been Pwned founder Troy Hunt notified the company. “He (Troy Hunt) believed he was sent data that included information of Imgur users. Our Chief Operating Officer received the email late night on November 23rd and immediately corresponded with the researcher to learn more about the potential breach. He simultaneously notified Imgur’s Founder/CEO and Vice President of Engineering. Our Vice President of Engineering then arranged to securely receive the data from the researcher and began working to validate that the data belonged to Imgur users,” Imgur stated in a blog post.

The data is believed to be a fraction of Imgur’s user base, which usually sees the traffic of 150 million monthly users. The affected data may only include email addresses and passwords of the users, as the site never gathered personally-identifying information (PII) like real names, addresses, or phone numbers. According to Have I Been Pwned’s database, 60 percent of the hacked email addresses were already on the deep web.

Ukrainian President signs law on cybersecurity

On November 07, 2017, Ukrainian President Petro Poroshenko signed a law which “creates the foundations of a national system of cybersecurity as a combination of political, social, economic and information relations, along with organizational, administrative and technical and technological measures of the public and private sectors and civil society,” the press service of the head of state reported. The president will coordinate activities in the field through the National Security and Defense Council of Ukraine.

According to a report on Ukinform.net, “The law defines the legal and organizational foundations for ensuring the protection of vital interests of citizens, society and the state, the national interests of Ukraine in cyberspace, the powers and responsibilities of state bodies, enterprises, institutions, organizations, individuals and citizens, the basic principles of coordination of their activities, and also basic terms in cybersecurity.”

As per reports, the bill also summarizes that several cyber threat mitigation efforts will focus on protecting critical infrastructure. The law also explores the possibilities of partnering with private agencies and civil societies, and takes into account several proposals from the European Union and NATO.

Paradise Papers rocks the world

The “Paradise Papers” findings released by the US-based International Consortium of Investigative Journalists (ICIJ) have opened a can of worms. ICIJ is the same organization that was behind the Panama Papers’ sensational exposures. The major cyber breach has been reported from Appleby, a multi-national offshore law firm known for its tax planning services. The Panama Papers leak exposed millions of documents from the Mossack Fonseca law firm. The leaked documents, dubbed the Paradise Papers, were released on November 6, 2017 and consisted of 13.4 million records including emails, loan agreements, and bank statements that contain sensitive financial information pertaining to highly prominent figures. Out of 13.4 million records, 6.8 million documents came from a cyber attack on Appleby files. The Appleby files were obtained by the German newspaper Süddeutsche Zeitung, who shared them with the ICIJ along with 95 media firms to maximize the exposure of the leaked information.

The long list of international leaders and celebrities on the list includes Britain’s Queen Elizabeth II, Colombian President Juan Manuel Santos, Canadian Prime Minister Justin Trudeau’s chief fundraiser Stephen Bronfman, individuals linked to the U.S. President Donald Trump, singers Bono and Madonna, and U.S. Commerce Secretary Wilbur Ross, among several others.

Chinese nationals indicted for hacking into Moody’s, Siemens, and Trimble

Three Chinese nationals have been charged by U.S. prosecutors for hacking into Siemens AG, Trimble Inc, and Moody’s Analytics. The trio tried to steal business secrets of the three companies through “coordinated and unauthorized” cyber attacks between 2011 and 2017. The three accused have been identified as Wu Yingzhuo, Dong Hao, and Xia Lei. An indictment that was unsealed on November 27, 2017, said all three of them were associated with Guangzhou Bo Yu Information Technology Company Ltd, a cybersecurity company located in Guangzhou in southern China. Two U.S. government officials told Reuters that Guangzhou Bo Yu is affiliated with China’s People’s Liberation Army Unit 61398.

During a hearing in federal court in Pittsburgh, Pennsylvania, on November 27, 2017, the acting U.S. attorney for Western Pennsylvania, Soo C. Song, said arrest warrants had been issued for the three men. The indictment, which was filed in September 2017 at a federal court in Pittsburgh, Pennsylvania, claims, “the hackers monitored email correspondence of an unidentified Moody’s economist; stole data from transportation, technology and energy units at Siemens; and targeted Trimble as it developed a new and more precise global navigation satellite system.”

John McAfee’s Twitter Account Breached

John McAfee recently declared that his Twitter account was hacked and used to endorse some minor-league cryptocurrencies. Although he claimed to have enabled two-factor authentication, his mobile phone was jeopardized, leading to the cyber attack on his social media account.

The former presidential candidate said that he got the first indication of his phone being hacked when he turned it on to see a dubious error message on the screen. In an interview with the BBC, John mentioned, “I knew at that point that my phone had been compromised. I was on a boat at the time and could not go to my carrier (AT&T) to have the issue corrected. All that the hacker did was compromise my Twitter account. It could have been worse.”

The claim that the Twitter account of the former owner of one of the world’s first anti-virus companies was successfully hacked led to some ribbing by the security community.

While cybersecurity experts are assessing the perils of AI-empowered cyber breaches, it is indeed worrisome that the frequency of break-ins has increased. Although the veracity of John McAfee’s account hacking is debatable, the rapid surge in cyber-attacks has led to reconsidering the present cybersecurity guidelines and methodologies.

Japanese cryptocurrency exchange suffers massive breach

On January 26, 2018, Japanese cryptocurrency exchange Coincheck lost 58 billion yen ($530 million) in what has been dubbed the biggest cryptocurrency heist ever recorded. Coincheck had to immediately halt sale and withdrawals of the currency NEM, and later extended restrictions to other cryptocurrencies except Bitcoin.

During the course, Japan’s finance regulator, the Financial Services Agency, instructed the company to improve its operations and to submit an incident report, where the company would highlight the preventive measures adopted by it to avert any further incidents.

Coincheck assured its users that it would return about 90 percent of the stolen money with internal funds. According to a Reuters report, “The NEM coins were stored in a “hot wallet” instead of the more secure “cold wallet”, outside the internet (…) It also does not use an extra layer of security known as a multi-signature system.”

“It’s been long said that cryptocurrencies are a solid system but cryptocurrency exchanges are not,” Makoto Sakuma, research fellow at NLI Research Institute, told Reuters. “This incident showed that the problem has not been solved at all. If Coincheck screws up its crisis management, that could deal a blow to the current cryptocurrency fever.” Following the incident, the price of NEM fell from $1.01 to $0.78 within a day.


EVENT FOCUS

The significant technology shift to mobile and connected devices has left vulnerabilities to cyber breaches that need to be addressed aggressively. EC-Council’s annual calendar of events all over the world is an attempt to bring together leaders and dignitaries of various industries and advocates of information security. Through our live events, we have been able to create awareness and bring together the best in the industry. Here’s a sneak peek into our upcoming events:

CISO MAG staff

Pharma CIO Leadership Series
20th February, 2018
Mumbai, India
Takeaways: The event features deliberations on innovations, emerging opportunities and instrumental strategies, with an elite panel of keynote speakers sharing their knowledge on the adoption of critical cybersecurity prospects.

MALAYSIAN CYBER SECURITY SUMMIT
20th March, 2018
Kuala Lumpur, Malaysia
Takeaways: A joint effort with CyberSecurity Malaysia, the wing of Malaysia’s Ministry of Science, Technology and Innovation (MOSTI), this is one of EC-Council’s premier events. The event deep dives into the most pressing information security issues and advocates the adoption of systematic cybersecurity methodologies. Malaysia was number three on the UN’s Global CyberSecurity Index (GCI) last year, and the country’s progress in information security makes it an ideal host for a security event of this stature. The event is an invite-only executive session for leaders from across the ASEAN region to work together towards solving some of the world’s most pressing cybersecurity problems.

MENA CISO SUMMIT
18th - 19th April, 2018
Dubai, UAE
Takeaways: The MENA CISO Summit is the regional counterpart to our annual Global CISO Forum in Atlanta, GA USA. This cross-industry event invites leaders, specialists, chiefs, and innovators in information security and other industries to discuss current trends, threats, and solutions. The Sapient panel discussion includes experts from information security and beyond to ensure that the message of information security isn’t siloed in one industry.

4th EDITION CISO SUMMIT
08th June, 2018
Mumbai, India
Takeaways: The 3rd CISO Summit India focused on national cybersecurity architecture, investments in cybersecurity, ensuring safer use of cloud, securing IoT infrastructure, and skill set scarcity in the information security ecosystem. Our 2018 event will tackle issues just as critical to the information security industry with a larger audience than ever.

ASEAN CISO FORUM
16th - 17th August, 2018
Singapore
Takeaways: With the world gearing up to turn into a glocal (globally local) village, the urgency to adopt effective measures against cybersecurity threats in the connected world has become intense. Another regional subsidiary of the Global CISO Forum, the ASEAN CISO Forum invites CISOs, CTOs, and other security leaders from different industries to share their knowledge and to improve information security in the ASEAN region and beyond.

GLOBAL CISO FORUM 2018
13th - 14th September, 2018
Atlanta, Georgia
Takeaways: EC-Council’s Global CISO Forum is an invite-only, closed-door event gathering the highest-level executives from across industries and countries to discuss the most pressing issues in information security. Now in its eighth year, the 2018 Global CISO Forum promises to be the best yet with an exciting mix of industries, formats, and interactive presentations.

HACKER HALTED 2018
13th - 14th September, 2018
Atlanta, Georgia
Takeaways: The brainchild of EC-Council, Hacker Halted 2018’s theme is “The Ethical Hacker’s Guide to the Galaxy: Life, the universe, everything...Hacked.” 2017’s Hacker Halted was the largest in history, drawing incredible speakers and huge audiences. The event is open to all those passionate about the latest information security vulnerabilities, hacks, and defenses.

3rd EDITION FINTECH SECURITY SUMMIT
10th October, 2018
Manama, Bahrain
Takeaways: The 3rd edition of the Fintech Security Summit is motivated by the successful reception of the first two Summits in Singapore and Abu Dhabi. Bahrain is set to launch its Fintech Bay in February 2018 for better banking and finance innovation standards in a secure environment. EC-Council’s Fintech Forums bring Fintech forerunners and information security evangelists together to exchange views and discuss cybersecurity threats looming over the sector, the problems with standard IT practices, and the best measures to prevent this promising industry from being hampered by poor security.


PROPEL YOUR CAREER AS A CYBER SECURITY LEADER with an online cyber security degree from ECCU

85% of all cyber security job vacancies require a Bachelor’s Degree or higher (burning-glass.com).

BACHELOR OF SCIENCE in Cyber Security
MASTER OF SCIENCE in Cyber Security
GRADUATE DEGREE PROGRAM (Graduate Certificates available for: Disaster Recovery; Digital Forensics; IT Analyst; Executive Information Assurance; Information Security Professional)

GET STARTED TODAY
IN THE HOTSEAT

In a business landscape characterized by dynamic trends and events, change is the only constant. Many organizations bring about a change in their leadership to achieve the desired results from a new direction, to create and disseminate a vision, or just to breathe new life into the corporate structure. The field of information security is no different. In this segment, we take a look at some of the new appointments in the information security domain.

CISO MAG staff

FBI’s Former Assistant Director Joins Deloitte

James Turgal, former FBI executive assistant director of the Information and Technology branch, has joined Deloitte Risk and Financial Advisory’s Cyber Risk Services practice as managing director. This is the second former FBI employee to join Deloitte for the same position, after Linda Walsh in April 2017. Turgal, who served in the FBI for 21 years, was a member of the C-suite supervising the FBI’s worldwide IT needs, including digital forensics and investigations, identity management, data privacy, and cyber resiliency.

In his new role with Deloitte, Turgal is responsible for advising clients on cyber incident response, cyber resilience, and cyber war-gaming. About his new job, Turgal said, “Deloitte recognizes that a comprehensive understanding of the cybersecurity landscape is critical to helping organizations stay ahead of emerging threats. Finding the right balance between technology and talent, and knowing when and how to best utilize each, can significantly strengthen cyber incident response programs.” Turgal is a well-known name in the intelligence community and is frequently consulted for his expertise in cyber counterterrorism, criminal, and security issues.

Trapp Technology hires Jim Mapes as CISO

Phoenix-based Managed Service Provider (MSP) Trapp Technology announced the appointment of its new CISO, Jim Mapes, last month. Mapes has 25 years of experience in IT, including 19 years dedicated to information security. Mapes plans to further enhance Trapp Technology’s array of security services, with more attention towards cybersecurity assessments and managed security services for mid-market to enterprise-level businesses.

About his new role, Mapes said, “I’ve been impressed with Trapp Technology’s success in the managed services market, and I firmly believe that the company is well-poised to lead the cybersecurity services mid-market with smart, business-driven solutions. Throughout my career, I have always approached cybersecurity as a business problem, unlike competitors who have traditionally viewed it as a technology concern. Company owners are very concerned about the impact a cyber breach can have on their bottom line, and this keen interest is driving a new conversation around how much security is really enough to eliminate as much risk as possible. Trapp will help these companies determine the answer to that question, and then get them to where they need to be.”

Mapes has held the title of CISO in eight previous jobs and has a strong background in designing information security programs and operations. He also has technical expertise in intrusion testing and forensic investigations.

Renitalynette Anderson is the New President of Quality Technology Inc.

Quality Technology Inc., popularly known as QuTech, has chosen Renitalynette K. Anderson as its new president. Anderson brings 30 years of experience, which include 19 years at the National Institute of Health (NIH) as well as her recent tenure at the Federal Deposit Insurance Corporation (FDIC) as Deputy Director. During her tenure with NIH, Anderson was appointed as the Deputy Director for Information Technology, where she renovated the data center, telecommunication services, and call centers, improving the computing environment through better security and increased capacity.

QuTech is an IT company specializing in cybersecurity, data management, and cloud services, among others. Renee Parker, CEO of QuTech, stated, “We are excited to have such an accomplished professional with proven leadership, executive-level experience, and business acumen to lead our company.”


MetTel appoints Dr. Curtis Levinson as CISO

Communications solutions provider MetTel has appointed Dr. Curtis Levinson as the new Chief Information Security Officer (CISO) for the firm as well as its Federal team. Levinson will oversee all IT security for MetTel and the EIS solutions it provides to Federal agencies.

Levinson has worked as a strategic consultant providing cybersecurity guidance to a range of clients for more than 30 years. Levinson continues to serve as US Cyber Defense Advisor to the North Atlantic Treaty Organization (NATO).

“2018 is projected by leading analysts as a tipping point for digital transformation with up to $13 trillion in IT spending across businesses and government,” said Marshall Aronow, CEO of MetTel. “Running our government more efficiently, effectively and securely through upgrades spurred by the GSA’s Enterprise Infrastructure Solutions program and the Modernizing Government Technology Act will help restore US competitiveness.”

Levinson is a proven technologist with expertise ranging from cybersecurity/defense and continuity/recovery of operations to information governance. He has served, with distinction, two sitting Presidents of the United States, two Chairmen of the Joint Chiefs of Staff and the Chief Justice of the United States. In June 2017, Levinson joined the advisory board of CISO MAG.

MOBILE SECURITY TOOLKIT – ETHICAL HACKING WORKSHOP

What is the Mobile Security Tool Kit Workshop?
ISSA Metro in Atlanta came to EC-Council and asked if we could teach a course on the STORM. The answer of course was a resounding “YES!” and the Mobile Security Tool Kit – Ethical Hacking Workshop was born.

The course content was derived by pulling carefully selected modules from EC-Council’s Certified Network Defender (CND) and Certified Ethical Hacker (CEH) certification courses.

COURSE INCLUDES: e-Book; Certificate of Attendance (.pdf); STORM Device; Keyboard; Carry Case; STORM T-Shirt; STORM Sticker.

Major General Djoko Setiadi sworn in as the chief of the new BSSN

Major General Djoko Setiadi was sworn in as the chief of the National Cyber Encryption Agency of Indonesia, also known as BSSN, at the State Palace in Jakarta on 3rd January 2018. The regulation for the establishment of BSSN was signed in June of last year by President Jokowi. The agency will be under the direct control of the President of Indonesia.

Djoko Setiadi earlier served as the chief of the National Cyber Security Agency, Lemsaneg, which has been dissolved. The newly appointed chief of BSSN is aggressively hiring for the agency as the date for local elections to be held across the country is fast approaching.

The country of Indonesia has been notable for social media hoaxes and online religious zealotry, leading to the adoption of such vigorous arrangements by the president. “Our responsibility is to provide protection in the cyber world to government institutions, even private companies, but most importantly to the public,” said Djoko during a press conference in Jakarta.
KICKSTARTERS V ol um e 2 | I s s ue 1 V ol um e 2 | I s s ue 1
KICKSTARTERS

78 79

With cybersecurity gaining more importance than ever, cybersecurity startups What sets Shape Security apart: The company claims to have

Shape
The company helps apps and thwarted more $1 billion in losses
have become a huge attraction for venture capitalists. The cybersecurity market websites change their source for its customers, including several
code constantly to prevent
has seen tremendous growth despite the slowdown in the global economy, with Fortune 500 and government

Security
automated attacks by deploying
companies. The company’s last
many companies inking record-breaking funding deals with venture capital firms. polymorphism.
series of funding was spent on
The influx of money has driven innovation and solutions to important security Market adoption: Its tool makes expanding in the Asia-Pacific

F
the website’s source code appear region. The company is also a
challenges. In this section, we look at some emerging companies making waves in ounded in 2011, Shape different every time it is viewed, participant in the Hewlett Packard
Security, a cybersecurity thus, preventing botnets and
the information security domain. startup based out of malware from running scripts. The
(HP) Pathfinder program; HP
California, is led by process happens all under the is reportedly offering Shape
CISO MAG staff Derek Smith, Sumit hood without the user noticing any Security’s products to its own
Agarwal, and Justin Call. changes. customers globally.

Versive

Founded by Chris Metcalfe and Stephen Purpura in 2012, the Seattle-based firm sells on-premises software, cloud services, and professional service solutions that help businesses in automation.

What sets Versive apart: Versive uses artificial intelligence to automatically and dynamically contextualize behaviors within the adversary campaign mission stages, which enables companies to separate campaigns that warrant investigation from network noise.

Market adoption: Versive focuses on adversary detection. The company recently announced it has raised an additional $12.7 million in funding, reaching a total funding of $54.7 million. The company has also earned recognition from prominent industry stakeholders, including CB Insights’ prestigious Artificial Intelligence 100 list (“AI 100”) and Best of Interop for Emerging Vendor in Security. Apart from these, John Johnson, a member of Versive’s CISO Advisory board, was a delegate at the Hacker Halted conference in Atlanta, GA. In addition, Bryan Hurd, Versive’s Senior Director of Security Strategy, spoke at the EC-Council’s Global CISO Forum, also in Atlanta.

Sqrrl

Sqrrl was founded in 2012 by a team of several network engineers who left their jobs at the National Security Agency to start their own firm. The team included Ely Kahn, the former Director of U.S. Cybersecurity Policy.

What sets Sqrrl apart: Sqrrl specializes in threat-hunting, which enables organizations to target, hunt, and disrupt advanced cyber-threats.

Market adoption: Originally headquartered in Washington D.C., Sqrrl moved to Cambridge after receiving $2 million in venture capital funds from Kendall Square’s Atlas Venture. Sqrrl relied on Apache Accumulo and used the open-source technology for cybersecurity. It is believed to be an industry-leading threat detection and response platform that unites several threat detection and prevention techniques in an integrated solution. Since its inception, Sqrrl has bagged several top innovator awards from numerous publications. In early January 2018, Sqrrl was acquired by Amazon Web Services.
Bugcrowd

Founded in 2012 in Australia by Casey Ellis, Bugcrowd is now based in San Francisco and specializes in application security, mobile application security, penetration testing, secure development, bug bounty programs, bug bounty, and bug hunting.

What sets Bugcrowd apart: Bugcrowd connects companies and their applications to a crowd of tens of thousands of security researchers to identify critical software vulnerabilities.

Market adoption: Bugcrowd is currently one of the world’s top bug bounty startups. To date, the company has enrolled 60,000 security researchers on its platform. The startup serves as a bridge between white-hat hackers and companies, where the hackers assist the latter in finding bugs and vulnerabilities. It has a revered clientele including MasterCard, Pinterest, and Fiat Chrysler of America. The firm is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, and Salesforce Ventures.

Confirm.io

Founded in 2015 by Bob Geiman, Ralph Rodriguez, and Walt Doyle, this Boston-based startup specializes in mobile ID verification, ID authentication technologies, online identity vetting, identity verification, and remote identity proofing.

What sets Confirm.io apart: Confirm.io offers an API that allows companies to verify whether a user’s government-issued identification card (like a driver’s license) is authentic.

Market adoption: Over the last three years, Confirm.io raised at least $4 million from several investors, including Cava Capital, Zelkova Ventures, Rho Ventures, and Meyer Keith. The company invested its seed funds on advanced forensics to gather details from an ID card, as well as mobile biometrics and facial recognition. The USP of Confirm.io is its API, which instantly confirms a person’s identity for any transaction that requires or benefits from proof of identity. In January 2018, Facebook acquired the company in order to potentially use Confirm.io’s technology to have people confirm their identities if they’re locked out of their devices for any reason.
Wherever you are. Wherever you go. Whatever the future brings. Check Point keeps you one step ahead.

WELCOME TO THE FUTURE OF CYBER SECURITY

Check Point vSEC protects assets in the cloud from the most sophisticated threats with dynamic scalability, intelligent provisioning and consistent control across physical and virtual networks, ensuring you can embrace the cloud with confidence.

CLOUD | MOBILE | THREAT PREVENTION

For more information visit: checkpoint.com/products-solutions/vsec-cloud-security

Learn More: checkpoint.com
Advanced Ethical Hacking Training | Over 40 Presentations | 2 Days of Networking | Panel Discussions & Breakouts