Information security risk management
A risk management program is a key component for enterprise security. This section offers insight on security risk management frameworks and strategies as well as best practices on conducting effective risk assessments, vulnerability assessments, penetration tests and more.
Top Stories
-
Tip
29 Mar 2024
5 tips for building a cybersecurity culture at your company
As a company's cyber-risks evolve, so must its culture. Here are five tips for creating a cybersecurity culture that protects the business and is meaningful for employees. Continue Reading
-
Tip
05 Mar 2024
What are the pros and cons of shadow IT?
The increase of generative AI, digital natives and remote work drives the rise of shadow IT. CIOs and IT leaders should evaluate the pros and cons to mitigate potential risks. Continue Reading
-
Feature
06 Feb 2024
20 free cybersecurity tools you should know about
Cybersecurity products can get pricy but there are many excellent open source tools to help secure your systems and data. Here's a list of some of the most popular with cyber pros. Continue Reading
-
Tip
29 Jan 2024
What is attack surface management and why is it necessary?
Attack surface management approaches security from the attacker's perspective. Learn how ASM can help better secure your organization's assets and resources. Continue Reading
-
Feature
29 Jan 2024
Top 10 types of information security threats for IT teams
Know thine enemy -- and the common security threats that can bring an unprepared organization to its knees. Learn what these threats are and how to prevent them. Continue Reading
-
Tip
29 Jan 2024
How to rank and prioritize security vulnerabilities in 3 steps
Vulnerability management programs gather massive amounts of data on security weaknesses. Security teams should learn how to rank vulnerabilities to quickly fix the biggest issues. Continue Reading
-
Feature
23 Jan 2024
Top incident response service providers, vendors and software
Get help deciding between using in-house incident response software or outsourcing to an incident response service provider, and review a list of leading vendor options. Continue Reading
-
Feature
22 Jan 2024
How to build an incident response plan, with examples, template
With cyberthreats and security incidents growing by the day, every organization needs a solid incident response plan. Learn how to create one for your company. Continue Reading
-
Tip
18 Jan 2024
How to perform a cybersecurity risk assessment in 5 steps
This five-step framework for performing a cybersecurity risk assessment will help your organization prevent and reduce costly security incidents and avoid compliance issues. Continue Reading
-
Tip
17 Jan 2024
CERT vs. CSIRT vs. SOC: What's the difference?
What's in a name? Parse the true differences between a CERT, a CSIRT, a CIRT and a SOC, before you decide what's best for your organization. Continue Reading
-
Feature
17 Jan 2024
How to create a CSIRT: 10 best practices
The time to organize and train a CSIRT is long before a security incident occurs. Certain steps should be followed to create an effective, cross-functional team. Continue Reading
-
Tip
12 Jan 2024
Incident response: How to implement a communication plan
Communication is critical to an effective incident response plan. Here are five best practices for communication planning and a free, editable template to get started. Continue Reading
-
Feature
09 Jan 2024
Top incident response tools: How to choose and use them
The OODA loop helps organizations throughout the incident response process, giving insight into the incident response tools needed to detect and respond to security events. Continue Reading
-
Feature
09 Jan 2024
Top 30 incident response interview questions
Job interviews are nerve-wracking, but preparation can minimize jitters and position you to land the role. Get started with these incident response interview questions and answers. Continue Reading
-
Feature
08 Jan 2024
How to become an incident responder: Requirements and more
Incident response is a growth area that provides career advancement options and a good salary. Here's an in-depth look at job requirements, salaries and available certifications. Continue Reading
-
Definition
01 Dec 2023
attack surface
An attack surface is the total number of all possible entry points for unauthorized access into any system. Continue Reading
-
Tip
17 Nov 2023
AI in risk management: Top benefits and challenges explained
AI and machine learning tools can aid in risk management programs. Here are the potential benefits, use cases and challenges your organization needs to know about. Continue Reading
-
Answer
19 Sep 2023
What is extortionware? How does it differ from ransomware?
Prevention is the only line of defense against an extortionware attack. Learn how extortionware works and why it can be more damaging than ransomware. Continue Reading
-
Tip
14 Aug 2023
Top 3 ransomware attack vectors and how to avoid them
Protecting your organization against these three common ransomware attack entryways could mean the difference between staying safe or falling victim to a devastating breach. Continue Reading
-
Definition
29 Dec 2022
credential theft
Credential theft is a type of cybercrime that involves stealing a victim's proof of identity. Continue Reading
-
Definition
22 Nov 2022
buffer underflow
A buffer underflow, also known as a buffer underrun or a buffer underwrite, is when the buffer -- the temporary holding space during data transfer -- is fed data at a lower rate than it is being read from. Continue Reading
-
Definition
18 Nov 2022
pen testing (penetration testing)
A penetration test, also called a pen test or ethical hacking, is a cybersecurity technique that organizations use to identify, test and highlight vulnerabilities in their security posture. Continue Reading
-
Definition
14 Oct 2022
Wi-Fi Pineapple
A Wi-Fi Pineapple is a wireless auditing platform from Hak5 that allows network security administrators to conduct penetration tests. Continue Reading
-
Feature
05 Sep 2022
What is the future of cybersecurity?
Cybersecurity is top of mind for businesses and their boards amid a relentless rise in cyber threats. What does the future of cybersecurity look like? Continue Reading
-
Tip
19 Aug 2022
Top 10 cybersecurity interview questions and answers
Interviewing for a job in cybersecurity? Memorizing security terms won't cut it. Here are the 10 interview questions you should be ready for -- and how to answer them. Continue Reading
-
Definition
29 Oct 2021
shoulder surfing
Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Continue Reading
-
Guest Post
28 Oct 2021
Applying security to operating models requires collaboration
Balancing business needs with security is more important than ever. Integrating operating models with reference architectures is a key step in the process. Continue Reading
-
Feature
25 Oct 2021
How to use Python for privilege escalation in Windows
Penetration testers can use Python to write scripts and services to discover security vulnerabilities. In this walkthrough, learn how to escalate privileges in Windows. Continue Reading
-
Feature
25 Oct 2021
Why hackers should learn Python for pen testing
The authors of 'Black Hat Python' explain the importance of learning Python for pen testing, how it helps create scripts to hack networks and endpoints, and more. Continue Reading
-
Guest Post
20 Oct 2021
5 questions to ask when creating a ransomware recovery plan
These 'five W's of ransomware' will help organizations ask the right questions when creating a ransomware-specific disaster recovery plan. Continue Reading
-
Tip
19 Oct 2021
5 ways to improve the CIO-CISO relationship
CIOs and CISOs need to work together for the benefit of the whole organization. To break the mold of hostility, C-suite leaders need to prioritize collaboration and mutual respect. Continue Reading
-
Tip
11 Oct 2021
5 open source offensive security tools for red teaming
To be an effective red teamer, you need the right tools in your arsenal. These are five of the open source offensive security tools worth learning. Continue Reading
-
Feature
30 Sep 2021
How to use Ghidra for malware analysis, reverse-engineering
The Ghidra malware analysis tool helps infosec beginners learn reverse-engineering quickly. Get help setting up a test environment and searching for malware indicators. Continue Reading
-
Feature
30 Sep 2021
Get started with the Ghidra reverse-engineering framework
Malware analysts use Ghidra to examine code to better understand how it works. Learn what to expect from the reverse-engineering framework, how to start using it and more. Continue Reading
-
Tip
21 Sep 2021
The benefits of an IT management response
Many organizations create management responses to traditional audit findings. But did you know organizations can do them after IT audits and assessments, too? Continue Reading
-
Tip
14 Sep 2021
SIEM vs. SOAR vs. XDR: Evaluate the differences
SIEM, SOAR and XDR share similar definitions, but each has distinct drawbacks. Learn what each offers and how they differ for help deciding which to deploy in your company. Continue Reading
-
News
31 Aug 2021
Governments continue to eye data privacy, forcing CIOs to adapt
With new data privacy regulations like China's personal data protection law coming down the pike, CIOs need to make privacy and security the central focus of their overall IT strategies. Continue Reading
-
Feature
30 Aug 2021
Malware analysis for beginners: Getting started
With the cybersecurity industry struggling to fill open positions, now is the time to start in the field. Infosec expert Dylan Barker shares what you should know to be a malware analyst. Continue Reading
-
Feature
30 Aug 2021
Top static malware analysis techniques for beginners
Malware will eventually get onto an endpoint, server or network. Using static analysis can help find known malware variants before they cause damage. Continue Reading
-
Guest Post
23 Aug 2021
Why zero-trust models should replace legacy VPNs
Many organizations use legacy VPNs to secure their networks, especially in the work-from-home era. Expert Pranav Kumar explains why zero-trust models are a safer option. Continue Reading
-
Feature
11 Aug 2021
The differences between open XDR vs. native XDR
With extended detection and response, security teams get improved threat analytics and response capabilities. Here's what they need to know to choose the right type of XDR. Continue Reading
-
Feature
30 Jul 2021
Recent surge in ransomware attacks threatens national security
Some recent ransomware attacks that have disrupted service include Colonial Pipeline, JBS Foods and Quanta. Continue Reading
-
Tip
27 Jul 2021
Use a decentralized identity framework to reduce enterprise risk
To reduce the risk of identity theft for customers, partners and employees, companies should look at integrating a decentralized identity framework into existing infrastructure. Continue Reading
-
Tip
29 Jun 2021
How to select an MDR service that's right for your company
A well-engineered managed detection and response system can provide a lot of benefits. But, before deploying an MDR service, determine exactly what you expect from a provider. Continue Reading
-
Feature
28 Jun 2021
What are cloud containers and how do they work?
Containers in cloud computing have evolved from a security buzzword. Deployment of cloud containers is now an essential element of IT infrastructure protection. Continue Reading
-
Definition
22 Jun 2021
security
Security for information technology (IT) refers to the methods, tools and personnel used to defend an organization's digital assets. Continue Reading
-
Definition
12 May 2021
hacker
A hacker is an individual who uses computer, networking or other skills to overcome a technical problem. Continue Reading
-
Definition
07 May 2021
kill switch
A kill switch in an IT context is a mechanism used to shut down or disable a device or program. Continue Reading
-
Guest Post
03 May 2021
Cybersecurity contingency planning needs a face-lift
Following the unexpected craziness of 2020, companies need to sit down and revamp their cybersecurity contingency plan to ensure their business continuity. Continue Reading
-
Guest Post
15 Apr 2021
5 cybersecurity testing areas CISOs need to address
With increasing board interest in cybersecurity risk, CISOs need to explain the preventive steps they are taking to have the right cybersecurity testing in place to minimize risk. Continue Reading
-
Definition
13 Apr 2021
physical security
Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. Continue Reading
-
News
08 Apr 2021
Unpatched applications threaten SAP security
Cyberattacks are a significant threat to unpatched, unprotected SAP applications, according to a new threat intelligence report from SAP and Onapsis. Continue Reading
-
Feature
30 Mar 2021
Create an incident response plan with this free template
Want to boost your organization's ability to fight cybersecurity threats? Uncover the essentials to creating an incident response plan and download our free, editable template. Continue Reading
-
Feature
17 Mar 2021
Top incident response tools to boost network protection
Incident response tools can help organizations identify, prevent and respond to malware exploits, ransomware and other targeted cybersecurity attacks. Continue Reading
-
Guest Post
11 Mar 2021
Strengthening supply chain security risk management
In the wake of several supply chain attacks, Pam Nigro discusses how companies can work to reduce risk by broadening how to manage third-party vendors' access to company data. Continue Reading
-
Tip
25 Feb 2021
How to manage third-party risk in the supply chain
From third-party risk assessments to multifactor authentication, follow these steps to ensure suppliers don't end up being your enterprise cybersecurity strategy's weakest link. Continue Reading
-
Tip
24 Feb 2021
How to prevent supply chain attacks: Tips for suppliers
Every company, large and small, must assume it is a target in the supply chain. Suppliers should follow these best practices to keep themselves and their customers protected. Continue Reading
-
Feature
22 Feb 2021
Why developers should consider automated threat modeling
Traditional threat modeling is hard. Can automated threat modeling make development and security teams' lives easier? Continue Reading
-
Feature
22 Feb 2021
Introducing development teams to threat modeling in SDLC
Enterprises can improve their security posture by educating development teams on threat modeling so they can work alongside security teams and everyone knows a common language. Continue Reading
-
Feature
18 Feb 2021
SolarWinds fallout has enterprise CISOs on edge
As investigators uncover more about the massive SolarWinds hack, enterprise CISOs' concerns about digital supply chain security grow. Continue Reading
-
Guest Post
11 Feb 2021
4 tips to help CISOs get more C-suite cybersecurity buy-in
CISOs can get more cybersecurity buy-in with cohesive storytelling, focusing on existential security threats, leading with CARE and connecting security plans to business objectives. Continue Reading
-
Feature
08 Feb 2021
5 cybersecurity lessons from the SolarWinds breach
Ransomware attack simulations, accessing enterprise logs and pen testing software code are among the best practices cybersecurity pros suggest following the SolarWinds breach. Continue Reading
-
Guest Post
31 Dec 2020
The enterprise case for implementing live-fire cyber skilling
Companies continue to grapple with the cybersecurity skills gap, but Adi Dar offers a way to ensure security teams are properly trained through the use of live exercises. Continue Reading
-
Feature
30 Dec 2020
Insider risk indicators thwart potential threats
By paying attention to risk indicators, enterprises can tell the difference between insider threat and insider risk to prevent falling victim at the hands of one of their own. Continue Reading
-
Feature
30 Dec 2020
Insider threat vs. insider risk: What's the difference?
Identifying, managing and mitigating insider threats is far different than protecting against insider risks. Read up on the difference and types of internal risks here. Continue Reading
-
News
23 Dec 2020
Security measures critical for COVID-19 vaccine distribution
The COVID-19 vaccine supply chain is already under attack, which comes as no surprise to experts. The biggest potential threats, however, are still to come. Continue Reading
-
Tip
20 Nov 2020
Pair cyber insurance, risk mitigation to manage cyber-risk
The role of cyber insurance may come after a breach, but it remains a useful element in an organization's vulnerability management strategy. Continue Reading
-
Tip
20 Nov 2020
Cyber insurance explained, from selection to post-purchase
Before you sign on the dotted line, make sure you understand what cyber insurance can and can't do -- and what type of policy will do the most for you. Continue Reading
-
Guest Post
28 Oct 2020
Addressing the expanding threat attack surface from COVID-19
CISOs need to ensure they and their security teams are aware of the new threats created by many businesses expanding their attack surface with many employees still working remotely. Continue Reading
-
Guest Post
27 Oct 2020
The need for independent cybersecurity solutions testing
Rohit Dhamankar suggests implementing standardized testing of cybersecurity providers, like MSSPs and MDRs, to help companies better understand the services they're getting from each. Continue Reading
-
Guest Post
21 Oct 2020
Changing the culture of information sharing for cybersecurity
Dan Young explains why it's time for the cybersecurity industry to come together regarding information sharing and how insurance providers, regulators and others could assist. Continue Reading
-
Guest Post
09 Oct 2020
For Cybersecurity Awareness Month, learn about emerging risks
Tami Hudson examines why leaders should use October to educate themselves and their companies around the latest attacks bad actors are implementing and where to prioritize investment. Continue Reading
-
Guest Post
28 Sep 2020
How to improve cybersecurity for the workforce of the future
Many organizations continue to have employees work from home, but they haven't always hardened their cybersecurity efforts alongside this move to better protect employees and data. Continue Reading
-
Guest Post
28 Sep 2020
Cybersecurity testing essentials for mergers and acquisitions
Before moving forward with an M&A, conduct some cybersecurity testing to ensure your company knows how the acquired company protects data, employees and customers. Continue Reading
-
Tip
24 Aug 2020
The 7 elements of an enterprise cybersecurity culture
An effective 'human firewall' can prevent or mitigate many of the threats enterprises face today. Adopt these seven elements of a culture of cybersecurity to defend against risks. Continue Reading
-
Quiz
03 Aug 2020
Test your cybersecurity knowledge with this quick ISM quiz
Read our August 2020 e-zine, and then take this short quiz to test your knowledge of cybersecurity awareness training and other issues -- from types of CISOs to talent recruitment. Continue Reading
-
Opinion
03 Aug 2020
The case for cybersecurity by design in application software
Security must be part of IT from the start and then continue through the entire product lifecycle -- design, build, release and maintenance. Consumers now demand it. Continue Reading
-
Feature
03 Aug 2020
10 tips for cybersecurity awareness programs in uncertain times
Explore the winning tactics and tools CISOs and other cybersecurity leaders are employing in their programs to raise employee security awareness -- and consider how they might work for you. Continue Reading
-
Infographic
03 Aug 2020
7 security awareness statistics to keep you up at night
As if protecting corporate systems and data wasn't hard enough, beware of another potential foe: those well-meaning but woefully uninformed staff members. Continue Reading
- E-Zine 03 Aug 2020
-
Opinion
03 Aug 2020
Importance of cybersecurity awareness never greater
Security awareness is more essential than ever, but in a world of increasingly sophisticated threats, making it a reality requires more than set-it-and-forget-it training. Continue Reading
-
Podcast
20 Jul 2020
ICIP IoT training: Get started with IoT risk management
Organizations must assess and prioritize risk management in their IoT investment to ensure their data and information assets are protected without overspending. Continue Reading
-
Tip
10 Jun 2020
How security teams can prevent island-hopping cyberattacks
Learn how to prevent island-hopping cyberattacks to keep hackers from gaining the confidence of a phishing victim who could then accidentally commit corporate financial fraud. Continue Reading
-
Tip
19 May 2020
Top 2 post-COVID-19 CISO priorities changing in 2020
CISO priorities for 2020 were upended when the COVID-19 pandemic hit. Learn two ways forward-thinking CISOs are planning to deal with the new normal. Continue Reading
-
Infographic
01 May 2020
The state of cybersecurity risk: Detection and mitigation
Hackers will always try to creep in, and many will succeed. That's why effective detection and mitigation are essential. How are enterprises faring? Continue Reading
-
Tip
07 Apr 2020
AI pen testing promises, delivers both speed and accuracy
AI is making many essential cybersecurity tasks more effective and efficient. AI-enabled penetration testing, or BAS, technologies are a case in point. Continue Reading
-
Tip
04 Mar 2020
Tips for cybersecurity pandemic planning in the workplace
Is your security team prepared for a workplace pandemic? This guidance will ensure your company's cybersecurity posture can be maintained despite a potentially severe health event. Continue Reading
-
Opinion
04 Mar 2020
RSA 2020 wrap-up: VMware Carbon Black integrations; MAM for BYOD; how to handle non-employees
RSA is always full of interesting things to learn about, so here are a few more vendors I sat down with. Continue Reading
-
Tip
26 Feb 2020
Stop business email compromise with three key approaches
Why is BEC such a popular attack? Because it works, unfortunately, tempting hackers with huge potential payouts. Learn how to keep them from lining their pockets with your assets. Continue Reading
- 03 Feb 2020
-
Feature
03 Feb 2020
Cisco CISO says today's enterprise must take chances
Cisco CISO Steve Martino talks about taking chances, threats, how the security leader's role is changing and what really works when it comes to keeping the company secure. Continue Reading
-
Feature
28 Jan 2020
'Computer Security Fundamentals:' Quantum security to certifications
New topics, from security engineering to quantum computing, are covered in 'Computer Security Fundamentals,' but the book's author suggests readers review some basic topics, too. Continue Reading
-
Tip
22 Jan 2020
How to write a quality penetration testing report
Writing a penetration testing report might not be the most fun part of the job, but it's a critical component. These tips will help you write a good one. Continue Reading
-
Tip
16 Jan 2020
Craft an effective application security testing process
For many reasons, only about half of all web apps get proper security evaluation and testing. Here's how to fix that stat and better protect your organization's systems and data. Continue Reading
-
Quiz
07 Jan 2020
CISM practice questions to prep for the exam
Risk management is at the core of being a security manager. Practice your risk management knowledge with these CISM practice questions. Continue Reading
-
Feature
07 Jan 2020
The who, what, why -- and challenges -- of CISM certification
Think you're ready for the CISM certification exam? Peter Gregory, author of CISM: Certified Information Security Manager Practice Exams, has some pointers for you. Continue Reading
-
Feature
20 Dec 2019
Business impact analysis checklist: 10 improvements to your BIA strategy
A business impact analysis is a critical part of disaster recovery planning. Avoid potential disruptions and smooth out the planning process with this BIA checklist. Continue Reading
-
Answer
26 Nov 2019
How do a business impact analysis and risk assessment differ?
When it comes to disaster recovery strategy, business impact analyses and risk assessments both play key roles. Make sure you include them in your DR planning. Continue Reading
-
Answer
21 Nov 2019
Do you have the right set of penetration tester skills?
Pen testing is more than just the fun of breaking into systems. Learn about the critical penetration tester skills potential candidates must master to become proficient in their career path. Continue Reading
-
Opinion
01 Nov 2019
When cyberthreats are nebulous, how can you plan?
Security planning is tough when you're short-staffed and hackers have smart tech too. You'll need solid skills and, most of all, a willingness to use your imagination. Continue Reading
-
Opinion
01 Nov 2019
CISOs, does your incident response plan cover all the bases?
Security incidents, let's face it, are essentially inevitable. How do you cover the key bases -- education, inventory, and visibility -- in planning for incident response? Continue Reading
-
Infographic
01 Nov 2019
Enterprises feel the pain of cybersecurity staff shortages
It's hard enough keeping up with today's threats on a good day. But when your IT organization is spread thin, especially in terms of cybersecurity staff, the challenges mount. Continue Reading