June 2023 Newsletter – New CISO Insights

Welcome to the June edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to bring you up to speed. In this issue:

  • Client Insight
  • Current Openings + Recent Hiring Projects Supported
  • Infosec The Biggest Risk
  • Cyber Pros Get Seat in the C-Suite
  • Accessibility: The Forgotten Aspect of Security
  • Star Trek’s Lessons For Cybersecurity
  • Money Launderers Gain From Security Measures
  • .ZIP Domains Raise Concerns
  • Best Of The Rest

Client Insight

Each month we ask our clients what’s on their minds and what it means for security professionals.

This month, Intercast was at Gartner’s Security and Risk Management Summit in National Harbor, Maryland. We had the opportunity to meet roughly 300 new cybersecurity executives from multiple industries, and the most common theme we heard from them was:

“I’m telling my board that new tools are not going to solve these problems.”

If it’s not tools, then what is it? Program builders and dedicated professionals who can communicate the importance of the security initiative to a wide-ranging audience of technical and non-technical clients.


Current Openings

1. Director, Security Transformation (Hybrid, Full-Time)
https://intercastglobal.com/job/director-security-transformation/

2. Cyber Client Relationships Manager (Hybrid, Contract)
https://intercastglobal.com/job/cyber-client-relationships-manager-city-of-toronto/

3. Director, Cybersecurity Architecture and GRC (Hybrid, Full-Time)
https://intercastglobal.com/job/director-security-architecture-and-grc/

Recent Hiring Projects Supported

1. IR Analyst – Financial Services

2. Data Scientist – Financial Services

3. GRC Consultant – Energy and Infrastructure


Infosec The Biggest Risk

Risk.net shared the results of a survey of “senior industry practitioners” who were asked to name their anticipated top five operational risks for the next year. It uncovered some significant changes from last year’s survey, with “information security” replacing “IT disruption” in the top spot.

While that may be a case of changing semantics, there’s no ambiguity about the biggest change: “regulatory compliance” has rocketed from 10th place to 2nd. It could mean trouble ahead: while strong regulations may be a positive overall, a one-size-fits-all approach could mean security is more of a box-ticking exercise than something that best addresses an organization’s specific risks.


Pros Get Seat In The C-Suite

The most welcome cybersecurity development of 2023 is businesses finally treating the sector with the importance it deserves. The latest reports come from Dark Reading, which covers businesses putting cybersecurity on the agenda at board meetings. In some cases, security chiefs even have a permanent place on the board.

It’s partly a regulatory issue with companies getting ahead of a proposed SEC rule that would mean businesses having to disclose what security knowledge (if any) their top team has. But it’s also a change of culture with executives finally concluding that security has to be built into every element of a business rather than being purely a standalone division.

It’s creating opportunities for CISOs, but also adding new elements to the role. The best CISOs are no longer simply strategists and managers. They must be great communicators who can brief board members. This means not only explaining the detail of threats without getting bogged down in jargon, but also putting individual threats into a wider context.


Accessibility: The Forgotten Aspect Of Security

The UK’s National Cyber Security Centre has raised the undersung topic of accessibility in cybersecurity. While most website designers now think carefully about making their content usable by people with a range of additional needs, the same isn’t always true of security tools and procedures.

The NCSC lists a host of accessibility issues you may not have considered, and it’s well worth a read. To take just one example, many security dashboards rely on a traffic-light-style system, with green indicating everything is fine and red indicating a potential threat. That’s not necessarily the best option for the estimated eight percent of men who have some form of red-green colorblindness.

Another example is with controls that aren’t fully accessible. That could turn a near miss into something more damaging, with users unable to respond to and mitigate a threat quickly enough to be effective.

Star Trek’s Lessons For Cybersecurity

The Conversation is where academics go to explain their work in an engaging manner and that’s certainly the case with a piece by Richard Forno of the University of Maryland. He explains why the spin-off series “Star Trek: Picard” provides useful lessons and explanations of key cybersecurity principles.

We’re wary about saying too much given that Forno gives a strong spoiler warning for those watching the show at their own pace. Suffice it to say the plot of the final season has strong parallels with the way many attackers patiently infiltrate systems before launching a major attack.

Forno also notes that even in the high-tech futuristic world where Picard operates, human weaknesses are still so often the biggest security vulnerability. On the flip side, he explains that the most effective cybersecurity pros understand human behavior and activity as much as they do computer systems and networking.


Money Launderers Gain From Security Measures

Information security and data privacy may have unintended consequences, according to financial crime experts. They tell Risk.net that the pressure to keep data secure may be hampering anti-money-laundering controls.

https://www.risk.net/risk-management/7956422/hurdles-to-cross-border-data-sharing-impede-aml-fight

The heart of the problem is that many data privacy frameworks and information security policies are set up so that national borders are a natural barrier. That’s unfortunate because money laundering operations increasingly involve cross-border transfers to try to obfuscate the movement of ill-gotten gains.

Carolin Gardner of the European Banking Authority cited two specific examples of the wider problem. One is that different European countries have differing interpretations of GDPR, which is meant to be a single Europe-wide data privacy regulation. Another is that US companies have security concerns about sharing information with foreign organizations.

There doesn’t seem to be an easy solution and it’s a reminder that no aspect of information security operates in isolation. In the end, business security chiefs may just need more explicit assurances that they can share data for the greater good without facing regulatory sanctions.


.ZIP Domains Raise Concerns

Google has just released eight new top-level domains that, for the first time, anyone can use when registering a website. New fathers and aristocrats will no doubt be racing to grab .dad and .esq addresses respectively, but it’s the .zip and .mov domains that are attracting the attention of security pros.

The domains could lend themselves to a simple-but-effective attack in which bogus messages appear to contain a link to a ZIP or MOV file, complete with filename and extension. A string like that would look perfectly innocent, but now that .zip and .mov are publicly available top-level domains, it can also be a valid hostname.

Some major platforms, most notably Twitter, will now automatically convert such filename-like strings into clickable URLs, so what the user thinks is a filename will actually take them to an unknown website. Given they’ll be expecting to download a file, there’s clear scope for a malicious payload. It’s prompted a bit of a debate in security circles, with the main argument being whether the potential for security risks outweighs the convenience and other benefits of making the domains available for legitimate users.
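As an added illustration (not code from the newsletter or from any platform it mentions), here is a small Python check a mail or chat filter could run: it flags bare, filename-looking tokens whose “extension” is also a public TLD, and defangs them so a linkifier will not turn them into clickable URLs. The TLD set and the sample message are constructed for the example.

```python
import re

# Constructed for this example: the two new TLDs the newsletter discusses.
# A production filter would load the current public-suffix list instead.
FILENAME_LIKE_TLDS = {"zip", "mov"}

# A bare dotted token (e.g. "report.zip") that is not part of a path,
# an e-mail address or an existing URL. Lookarounds stop us matching
# inside "/tmp/report.zip" or "user@host.zip".
TOKEN_RE = re.compile(
    r"(?<![\w/@.-])([A-Za-z0-9][\w-]*(?:\.[A-Za-z0-9][\w-]*)+)(?![\w/-])"
)


def find_ambiguous_tokens(text):
    """Return tokens that read as filenames but would be auto-linked as hostnames."""
    hits = []
    for match in TOKEN_RE.finditer(text):
        token = match.group(1)
        tld = token.rsplit(".", 1)[-1].lower()
        if tld in FILENAME_LIKE_TLDS:
            hits.append(token)
    return hits


def defang(text):
    """Rewrite flagged tokens as 'name[.]tld' so they no longer parse as hostnames."""

    def _replace(match):
        token = match.group(1)
        name, tld = token.rsplit(".", 1)
        if tld.lower() in FILENAME_LIKE_TLDS:
            return f"{name}[.]{tld}"
        return token

    return TOKEN_RE.sub(_replace, text)


# Constructed sample message: two risky tokens, one harmless attachment name.
SAMPLE = "Please review Q2-report.zip and the clip demo.mov by Friday; notes.txt attached."

if __name__ == "__main__":
    print(find_ambiguous_tokens(SAMPLE))  # → ['Q2-report.zip', 'demo.mov']
    print(defang(SAMPLE))
```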


Best Of The Rest

Here’s our round-up of some of the other stories you need to know about: