The Truth About Security Job Requirements

Vegas Cyber Attacks, Big Tech Fines, Cyber Risk & More

Good morning!

In today’s line up:

  • How We Can Increase Security Buy-In

  • 5 Ways To Better Understand Cyber Security Risk

  • Security Operations Center Architecture Map

  • Data Privacy Law Shows Its Teeth to Big Tech

  • The House Doesn’t Always Win – Vegas Cyber Attacks

  • PLUS, The Truth About Cyber Security Job Requirements

How We Can Increase Security Buy-In

One of the biggest challenges Cyber Security teams must overcome is getting ‘buy-in’ from the business. This means business stakeholders working with, or dare I say, embracing security requirements in their processes and development activities.

The standard approach I’ve seen across industries is trying to embed a security presence at all major decision-making stages. However, this often leads to security being perceived as a gate / barrier.

We should be aiming to empower the business to make decisions in alignment with a defined security and risk appetite.

We can achieve this by using the following approaches:

  1. Define security requirements and embed them in CI/CD pipelines as automated checks, limiting required security intervention

  2. Define and document a list of security requirements for vendor assessments

  3. Design re-usable security patterns that can be applied to any new solution

  4. Create a list of approved hardened images that can be deployed without further security sign-off

  5. Educate developers on threat modelling and cyber risk to minimise required intervention

If we design secure, re-usable approaches that the business is educated on, we can increase security adoption and improve our perception across the business.
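As an added example, not code from the newsletter, here is what points 1 and 4 above look like when they meet in a pipeline: a CI check that lets a build proceed without a manual security review only if every base image is one of the pre-approved hardened images, pinned by digest rather than by a mutable tag. The registry names, digests and sample Dockerfile are constructed placeholders; in practice the allowlist would be generated from your image build and signing pipeline.

```python
"""Added example: CI policy check for pre-approved, digest-pinned hardened base images.

Constructed illustration, not the newsletter's own code. Registry names, digests
and the sample Dockerfile below are hypothetical placeholders.
"""
import re
from dataclasses import dataclass

# Hypothetical allowlist: repository -> set of approved image digests.
# A real pipeline would emit this from its signed/attested image builds.
APPROVED_IMAGES = {
    "registry.example.com/hardened/python": {"sha256:" + "a" * 64},
    "registry.example.com/hardened/nginx": {"sha256:" + "b" * 64},
}

# Matches "FROM [--platform=...] <ref> [AS <alias>]"
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    ref: str
    reason: str


def parse_reference(ref):
    """Split an image reference into (repository, digest or None).

    Tags are deliberately discarded: only a digest identifies an immutable image,
    so "repo:1.2" without "@sha256:..." counts as unpinned.
    """
    if "@" in ref:
        repo, digest = ref.split("@", 1)
        # handle "repo:tag@sha256:..." without mistaking a registry port for a tag
        if ":" in repo.rsplit("/", 1)[-1]:
            repo = repo.rsplit(":", 1)[0]
        return repo, digest
    if ":" in ref.rsplit("/", 1)[-1]:
        return ref.rsplit(":", 1)[0], None
    return ref, None


def check_dockerfile(text):
    """Return a Finding for each FROM line that is not an approved, digest-pinned
    hardened image. An empty list means the build needs no manual sign-off."""
    findings = []
    stage_aliases = set()
    for line_no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        # multi-stage builds: "FROM <alias>" reuses a stage already checked above
        if ref in stage_aliases:
            continue
        if m.group("alias"):
            stage_aliases.add(m.group("alias"))
        repo, digest = parse_reference(ref)
        if digest is None:
            findings.append(Finding(line_no, ref, "image is not pinned by digest"))
        elif repo not in APPROVED_IMAGES:
            findings.append(Finding(line_no, ref, "repository is not on the approved hardened-image list"))
        elif digest not in APPROVED_IMAGES[repo]:
            findings.append(Finding(line_no, ref, "digest is not an approved build of this image"))
    return findings


# Constructed sample Dockerfile: one approved stage, one unpinned public image,
# one approved repository with an unapproved digest, and one stage reuse.
SAMPLE_DOCKERFILE = f"""
FROM registry.example.com/hardened/python@sha256:{'a' * 64} AS build
RUN pip install --no-cache-dir -r requirements.txt
FROM python:3.12-slim
COPY --from=build /app /app
FROM registry.example.com/hardened/nginx@sha256:{'c' * 64}
FROM build
"""

if __name__ == "__main__":
    results = check_dockerfile(SAMPLE_DOCKERFILE)
    for f in results:
        print(f"line {f.line_no}: {f.ref}: {f.reason}")
    # non-zero exit fails the pipeline stage and routes the change to security review
    raise SystemExit(1 if results else 0)
```

Run against the sample, the check flags line 4 (a public tag with no digest) and line 6 (an approved repository but a digest that was never signed off), and passes the two approved stages. Pinning by digest is what makes "deploy without further sign-off" safe: a tag such as `latest` can be re-pointed after approval, a digest cannot.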

5 Ways To Better Understand Cyber Security Risk

Until a cyber security risk materialises, it’s easy for people to ignore its true implications and view it as just another line on a risk register spreadsheet.

For many business leaders, ‘cyber risk’ is one of the things that keeps them up at night, but its implications can be hard to grasp.

Here are 5 ways to improve your understanding of cyber risk:

1/ Cyber Risk intersects and influences many other risk types

  • Cyber risk is distinct in that it intersects with various other risk types and alters their nature.

  • Unlike some risks with clear outcomes, cyber events can result in a wide range of consequences, from fraud and data loss to operational disruptions and reputation damage—many of which are already on an organisation's risk radar.

  • While it merits individual attention, cyber risk should also be seamlessly integrated into the broader risk management framework of an organisation.

2/ Technology is a strategic asset, not another cost to be managed

  • The legacy of tech debt highlights the importance of viewing technology as a strategic asset rather than a mere cost.

  • In my experience with organisations hit by ransomware attacks, a common thread is the neglect of IT infrastructure over many years, making it vulnerable to attackers due to outdated systems and poor maintenance.

  • This stems from a historical perspective that sees IT as a financial burden rather than a critical component of business operations. To address this, a shift in mindset is needed to value a robust technology infrastructure.

3/ One organisation's breach affects others

  • In our highly connected world, the cyber security of suppliers, partners, and even unrelated entities matters. For instance, breaches of cryptocurrency exchanges can reduce the value of your assets, even if you're not connected to them.

  • Both nation-states and criminals exploit this interconnectedness by targeting service providers and IT suppliers to access customers' data.

  • This means cyber security goes beyond an organisation's control, requiring a shift in mindset, similar to how banks adapted to online fraud risks in the early 2000s.

4/ Cyber events can be immediate and devastating

  • Rapid, devastating cyber events are now CEOs' top worry globally. Attacks like the 2017 NotPetya by a nation-state and rising ransomware incidents have made cybersecurity a paramount concern.

  • The reason is clear: these attacks can paralyse an entire organisation within minutes, disrupting global IT operations and halting business. Recovery, especially after ransomware, often requires rebuilding IT from the ground up, taking weeks or months due to lack of preparation.

  • Few other risks can bring an organisation to a standstill so swiftly and broadly.

5/ We must rethink strategy, governance and business models

  • Cyber risk extends beyond cybersecurity controls and touches upon the core aspects of an organisation's strategy, governance, and business model.

  • I've witnessed major global organisations grappling with the realisation that they can't maintain a federated business model in today's interconnected digital landscape. They've had to rethink supply chain strategies for resilience against cyber disruptions, reconsider operational territories in response to geopolitical cyber challenges, and make various other strategic adjustments.

  • Cyber risk isn't just another risk; it presents unique challenges.

Security Operations Center Architecture Map

Understanding a Security Operations Center and all of its capabilities can be quite the challenge. Thankfully, Prabh has created a simplified graphic to address that challenge.

Data Privacy Law Shows Its Teeth to Big Tech

  • TikTok faces a €345 million (about $368 million) fine for violating the European Union's General Data Protection Regulation (GDPR) in relation to its handling of children's data. More here.

  • Google has agreed to pay $93 million to settle a lawsuit filed by the U.S. state of California over allegations that the company's location-privacy practices misled consumers and violated consumer protection laws. More here.

The House Doesn’t Always Win – Vegas Cyber Attacks

This week’s big news is the extortion attacks on the Caesars and MGM Las Vegas casino chains, with one having already paid the ransom and the other still facing operational disruptions.

  • Caesars was first quietly breached earlier this month, with the attackers stealing its loyalty program database. This database contains driver's license numbers and Social Security numbers for customers, and to prevent the leak of the data, Caesars paid a ransom demand.

  • The threat actors demanded $30 million not to leak the data, but the casino negotiated it down to a $15 million payment.

  • MGM Resorts suffered massive disruptions in its casinos, such as ATMs and credit card machines not working, guests locked out of hotel rooms, and slot machines not working.

  • The attack was conducted by an affiliate of the BlackCat/ALPHV ransomware operation, known as Scattered Spider.

The Truth About Cyber Security Job Requirements

Many traditional job requirements aren’t actually “required.” It helps to review job specifications through the lens of mandatory requirements, and nice-to-haves.

For example, many cyber-security job posts require a Computer Science Degree, or something similar.

The truth is, they don’t really care about your degree. It’s a method to sift through piles of candidates and it’s one of many potential ways to signal value to an employer.

What ultimately matters is that you can signal the same, if not greater value than the requirement. When you do this, the requirement disappears.

For example, you may be applying for a SOC Analyst position that is requesting a degree relating to cyber security. They want to know you’re technically proficient and understand the field.

  • Candidate 1 has a degree in Computer Science and did a Cyber Security module.

  • Candidate 2 doesn’t have a degree, but has 1 year in IT Helpdesk and has practical experience with some open-source SOC tools that would bring great value to the team from day 1.

The choice is clear, right?

Wisdom

“I take hard things and explain them in the terms that regular people can understand… I’m a translator… I’m an explainer.”

Bruce Schneier

We need more explainers and translators in cybersecurity.

This space is vast and complex. It’s our responsibility to simplify and translate our world to other areas of the business so that it resonates with them.

Plus, it will make conversations easier at Christmas with elderly relatives, when they inevitably ask what you do for a living…