Ask the Experts

Ask the Experts

Information security program management

• How to protect workloads using a zero-trust security model

  Never trust, always verify. Learn how to implement a zero-trust security model to help manage risk and protect IT workloads at your organization.  Continue Reading

• Comparing policies, standards, procedures and technical controls

  Infosec pros may have -- incorrectly -- heard the terms standard and policy used interchangeably. Examine the differences among a policy, standard, procedure and technical control.  Continue Reading

• What are the most important pillars of a zero-trust framework?

  Learn how the ZTX model can help IT leaders identify, organize and implement the appropriate cybersecurity tools to satisfy seven pillars of a zero-trust framework.  Continue Reading

• What are the cybersecurity benefits of zero trust?

  The zero-trust model demands infosec leaders take a holistic approach to security. Learn about the benefits of zero trust and how it differs from traditional security approaches.  Continue Reading

• How can companies identify IT infrastructure vulnerabilities?

  New, sophisticated technology is available to help infosec pros find IT infrastructure vulnerabilities. Automated pen testing and outsourcing threat intelligence services can help.  Continue Reading

• The network security tools to combat modern threats

  Incorporating new network security tools and methods into your enterprise's infosec program may mean the difference between staying safe or falling victim to an attack.  Continue Reading

• What are the roles and responsibilities of a liaison officer?

  While liaison officer responsibilities vary depending on the company they work for, their strong organizational and communications skills make them critical to incident response.  Continue Reading

• Is a cybersecurity insurance policy a worthy investment?

  Variables such as third-party business partners create unique cyberthreats for organizations. Find out when a cybersecurity insurance policy is a wise investment to prevent risk.  Continue Reading

• How should I choose a cybersecurity insurance provider?

  To vet potential cybersecurity insurance providers, there are a few questions every customer should ask. Learn more about the questions to ask and how to get the answers you need.  Continue Reading

• What types of cybersecurity insurance coverage are available?

  Cybersecurity insurance coverage could prove invaluable to risk mitigation -- if it's chosen carefully. Find out which type of insurance plan is right for your organization.  Continue Reading

• Attackers turn the tables on incident response strategies

  Attackers expect incident response strategies and have a plan for when they encounter them. Find out how to take IR to the next level against attacker incident response counterstrategies.  Continue Reading

• Do I need to adopt a cybersecurity framework?

  A comprehensive cybersecurity framework can help businesses avoid costly attacks. But there are other advantages.  Continue Reading

• What's the best way to maintain top cybersecurity frameworks?

  Keeping top cybersecurity frameworks up to date means understanding how a business evolves and changes. What steps should you take to maintain your security strategy?  Continue Reading

• What are the core components of a cybersecurity framework?

  Cybersecurity frameworks differ from one company to another, but each plan has four fundamental stages. Find out what you need to know.  Continue Reading

• How can SIEM and SOAR software work together?

  Many security pros initially thought SOAR software could replace SIEM. Our security expert advocates learning how SIEM and SOAR can work together.  Continue Reading

• SOAR vs. SIEM: What's the difference?

  When it comes to the SOAR vs. SIEM debate, it's important to understand their fundamental differences to get the most benefit from your security data.  Continue Reading

• The future of SIEM: What needs to change for it to stay relevant?

  Compared to security orchestration, automation and response (SOAR) software, SIEM systems are dated. Expert Andrew Froehlich explains how SIEM needs to adapt to keep up.  Continue Reading

• What are the most important security awareness training topics?

  Organizations looking to heighten security awareness among employees need to cover a wide variety of security awareness training topics, but social engineering tops the list.  Continue Reading

• Why do enterprises need employee security awareness training?

  With human error as the leading cause of breaches and security incidents within the enterprise, organizations should offer employees mandatory security awareness training with regular refreshers.  Continue Reading

• Why did a Cisco patch for Webex have to be reissued?

  Cisco's Webex Meetings platform had to be re-patched after researchers found the first one was failing. Discover what went wrong with the first patch with Judith Myerson.  Continue Reading

• Should large enterprises add dark web monitoring to their security policies?

  Security expert Nick Lewis says dark web monitoring can help enterprises gather threat intelligence, but enterprises need to understand how to validate the data they find.  Continue Reading

• What are DMARC records and can they improve email security?

  Last year, the U.S. federal government mandated that by October 2018, all agencies must have DMARC policies in place. Learn how complicated this requirement is with Judith Myerson.  Continue Reading

• SamSam ransomware: How can enterprises prevent an attack?

  SamSam ransomware infected the Colorado DOT after hitting hospitals, city councils and companies. Learn how this version differs from those we've seen in the past.  Continue Reading

• Self-sovereign identity: How will regulations affect it?

  Will laws like GDPR and PSD2 force enterprises to change their identity management strategies? Expert Bianca Lopes talks regulations, self-sovereign identity and blockchain.  Continue Reading

• When does the clock start for GDPR data breach notification?

  As new GDPR data breach notification rules go into effect, companies must be ready to move faster than before. Mimecast's Marc French explains what will change and how to cope.  Continue Reading

• What will GDPR data portability mean for enterprises?

  Enforcement of the EU's Global Data Protection Regulation is coming soon. Mimecast's Marc French discusses the big questions about GDPR data portability for enterprises.  Continue Reading

• How hard will the GDPR right to be forgotten be to get right?

  Under GDPR, the right to be forgotten is granted to all EU data subjects. Mimecast's Marc French explains why enterprises will need to be careful about how they manage the process.  Continue Reading

• GD library: How did it open the Junos OS to attacks?

  The GD library used in the Junos operating system has opened Junos up to attacks. Nick Lewis explains how it happened and what it means for companies using open source software.  Continue Reading

• How should BGP route hijacking be addressed?

  A new report from NIST shows how BGP route hijacking can threaten the internet. Expert Judith Myerson reviews the guidance for improving BGP security.  Continue Reading

• How do source code reviews of security products work?

  Tensions between the U.S. and Russia have led to source code reviews on security products, but the process isn't new. Expert Michael Cobb explains what to know about these reviews.  Continue Reading

• Monitoring employee communications: What do EU privacy laws say?

  The European Court of Human Rights recently placed strict regulations on monitoring employee communications. Matt Pascucci compares EU privacy laws to the U.S.'s standards.  Continue Reading

• What should you do when third-party compliance is failing?

  Third-party compliance is a necessary part of securing your organization's data. Expert Matthew Pascucci discusses what to do if you suspect a business partner isn't compliant.  Continue Reading

• What is NIST's guidance on lightweight cryptography?

  NIST released a report on lightweight cryptography. Expert Judith Myerson reviews what the report covers and what NIST recommends for standardization.  Continue Reading

• Should the Vulnerabilities Equities Process be codified into law?

  The Vulnerabilities Equities Process is a controversial subject. Expert Matthew Pascucci looks at the arguments for and against codifying it into law.  Continue Reading

• How does USB Killer v3 damage devices through their USB connections?

  USB Killer devices, with the ability to destroy systems via a USB input, are available and inexpensive. Expert Nick Lewis explains how they work and how to defend against this threat.  Continue Reading

• What should be included in a social media security policy?

  A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media policies.  Continue Reading

• Should a forced password reset be standard after a data breach?

  Yahoo reportedly rejected a forced password reset after numerous data breaches compromised user data. Expert Mike O. Villegas discusses whether this should be a standard practice.  Continue Reading

• Is it worth using outsourced security services instead of in-house?

  Outsourced security services are always an option for enterprises. Expert Mike O. Villegas outlines the pros and cons of using MSSPs instead of in-house security.  Continue Reading

• How can CISOs strengthen communications with cybersecurity staff?

  Effective CISO communications are key to fostering a healthy relationship with the cybersecurity staff. Expert Mike O. Villegas reviews some ways to build that relationship.  Continue Reading

• What effect does a federal CISO have on government cybersecurity?

  The brief tenure of a federal CISO in the U.S. government recently came to an end. Expert Mike O. Villegas discusses the effect this has on the U.S. cybersecurity posture.  Continue Reading

• How does a security portfolio help an enterprise security program?

  A security portfolio shouldn't be used as an alternative to a reporting structure, but it can still be beneficial to enterprises. Expert Mike O. Villegas explains how.  Continue Reading

• What are the pros and cons of hiring a virtual CISO?

  A virtual CISO is a good option for smaller organizations that want stronger security leadership, but don't have the budget. Expert Mike O. Villegas discusses the pros and cons.  Continue Reading

• How can CISOs get past security vendor hype and make smart purchases?

  Security vendor hype is a problem CISOs often have to deal with. Expert Mike O. Villegas discusses some ways to cut through the hype and make smart purchasing decisions.  Continue Reading

• Who should be on an enterprise cybersecurity advisory board?

  What qualifications does a cybersecurity advisory board member need to best serve enterprises? Expert Mike O. Villegas outlines the most helpful backgrounds for board members.  Continue Reading

• What caused the ClixSense privacy breach that exposed user data?

  A privacy breach at ClixSense led to user account details being put up for sale. Expert Michael Cobb explains how companies should be held accountable for their security practices.  Continue Reading

• How serious are the flaws in St. Jude Medical's IoT medical devices?

  MedSec and Muddy Waters Capital revealed serious flaws in IoT medical devices manufactured by St. Jude Medical. Expert Nick Lewis explains the severity of these vulnerabilities.  Continue Reading

• How does USBee turn USB storage devices into covert channels?

  USB storage devices can be turned into covert channels with a software tool called USBee. Expert Nick Lewis explains how to protect your enterprise data from this attack.  Continue Reading

• What effect does FITARA have on U.S. government cybersecurity?

  FITARA became a law in 2014, but government cybersecurity continues to struggle. Expert Mike O. Villegas discusses the effects of the law.  Continue Reading

• What are the potential pros and cons of a Cyber National Guard?

  A congressman proposed adding a Cyber National Guard to the military to protect the U.S. from cyber adversaries. Expert Mike O. Villegas examines the potential drawbacks of this branch.  Continue Reading

• Are investigations crucial to data breach protection?

  SWIFT banking has a team dedicated to data breach investigations. Expert Mike O. Villegas discusses why this is necessary and whether other organizations should follow suit.  Continue Reading

• Can security employee tenure be improved by CISOs?

  Security employee tenure is shorter than in most industries. Expert Mike O. Villegas outlines five budget-friendly steps CISOs can take to help lengthen it.  Continue Reading

• Should CISOs share the responsibility for a cybersecurity incident?

  CISOs usually take the brunt of the blame when a cybersecurity incident occurs, but should they? Expert Mike O. Villegas details ways CISOs can share the responsibility.  Continue Reading

• What are the pros and cons of the different types of CISOs?

  There can often be two types of CISOs: the builder and the stabilizer. Expert Mike O. Villegas discusses the pros and cons of each type and the roles they play.  Continue Reading

• Are cybersecurity conferences valuable to CISOs?

  Cybersecurity conferences are highly attended events, but are they valuable to CISOs in particular? Expert Mike O. Villegas discusses how CISOs can get the most out of them.  Continue Reading

• How should CISOs handle security patching with IT administrators?

  What role does the CISO play when it comes to security patching? Expert Mike O. Villegas discusses the best way to share patch management responsibilities.  Continue Reading

• How can IoMT devices be protected from the Conficker worm?

  IoT medical devices are being targeted by the Conficker worm and other older malware in order to steal patient data. Expert Nick Lewis explains how to protect these IoMT devices.  Continue Reading

• How does the Safeguards Rule pertain to SEC cybersecurity regulations?

  The SEC claimed Morgan Stanley violated the Safeguards Rule, but what does that mean? Expert Mike Chapple discusses the federal regulation and what happened with Morgan Stanley.  Continue Reading

• How does the Federal Privacy Council affect government security?

  Established as part of an executive order by President Obama, the Federal Privacy Council plays a role in government cybersecurity. Expert Mike Chapple discusses what that means.  Continue Reading

• Is a cybersecurity expert necessary on a board of directors?

  Communicating cybersecurity issues to a board of directors can be challenging. Expert Mike O. Villegas discusses whether a cybersecurity expert on the board would ease the struggle.  Continue Reading

• How would a cyberattack information database affect companies?

  A proposed cyberattack information database in the U.K. aims to improve cyberinsurance. Expert Mike Chapple explains what collecting data breach information means for U.S. companies.  Continue Reading

• Is settling a data breach lawsuit the best option for enterprises?

  In the unfortunate event of a data breach lawsuit, it's often better to settle before the case reaches court. Expert Mike O. Villegas explains why and how CISOs can help.  Continue Reading

• Are new cybersecurity products the best investment for enterprises?

  Having the latest cybersecurity products isn't always the best way to approach security. Expert Mike O. Villegas explains why and how to deal with pressure to buy new.  Continue Reading

• What does the GAO's SEC cybersecurity report mean for regulation?

  The GAO reported on SEC cybersecurity weaknesses, even though the SEC regulates cybersecurity. Expert Mike Chapple discusses the effects of this report.  Continue Reading

• Cybersecurity skills: What is the best way to find staff that has them?

  Finding and keeping employees with the right cybersecurity skills is a challenge all organizations face. Expert Mike O. Villegas explains the skills shortage.  Continue Reading

• What's the best way to organize the CISO reporting structure?

  The importance of the CISO reporting structure continues to grow as the importance of the CISO grows. Expert Mike O. Villegas discusses who the CISO should report to.  Continue Reading

• Security startups: What do CISOs need to know before being customers?

  Being a customer of security startups comes with some risk. Expert Mike O. Villegas discusses this risk and how CISOs can dodge the potential issues.  Continue Reading

• What's the best way to communicate about advanced persistent threats?

  Advanced persistent threats are a constant risk for enterprises, so the board needs to know about them. Expert Mike O. Villegas discusses how to effectively communicate about APTs.  Continue Reading

• How can a vendor risk assessment help enterprise security?

  Third-party vendors are necessary for organizations, but with them come more security risks. Expert Mike O. Villegas discusses how vendor risk assessments can help.  Continue Reading

• Are nonprofit organizations subject to FTC data security oversight?

  Are nonprofit organizations, like higher education institutions, subject to FTC data security regulations and oversight? Expert Mike Chapple explains.  Continue Reading

• Does mass scanning of the internet do more harm than good?

  Mass scanning of the internet can reveal how pervasive a vulnerability is. Expert Michael Cobb explains how these scans work and what the arguments for and against them are.  Continue Reading

• How can a security incident response plan be most effective?

  A security incident response plan is key to preparing for a data breach, but to be effective, the plan needs to be well tested. Expert Mike O. Villegas explains how to do that.  Continue Reading

• How do chief data officers affect the role of the CISO?

  Chief data officers are becoming more common in enterprises, but how does the presence of this c-level affect the CISO's role? Expert Mike O. Villegas discusses.  Continue Reading

• What security log management best practices should my team follow?

  Security log management includes deciding what log data to retain and the length of time it should be stored. Expert Michael Cobb explains some challenges and best practices.  Continue Reading

• How can an external CISO hire overcome new job challenges?

  An external CISO hire can often struggle with the new role and fitting in with the company's existing security program. Luckily, there are ways to overcome these challenges.  Continue Reading

• Are cybersecurity lawyers necessary for organizations?

  Cybersecurity lawyers can help handle a variety of enterprise security issues, but are they necessary? Expert Mike O. Villegas discusses the potential benefits.  Continue Reading

• How will the FTC lawsuit against Wyndham affect enterprises?

  A recent FTC lawsuit against Wyndham Hotels highlighted concerns for enterprises that have suffered a data breach. Expert Mike Chapple discusses the case and its takeaways.  Continue Reading

• Will the Neiman Marcus data breach lawsuit set a precedent?

  The Neiman Marcus data breach lawsuit was appealed and it could set a precedent for the victims of data breach lawsuits in the future. Expert Mike O. Villegas explains.  Continue Reading

• The merger and acquisition process: How can organizations stay secure?

  Organizations dealing with the complicated merger and acquisition process can't forget about security. Unfortunately, security presents a whole new set of obstacles.  Continue Reading

• Personal email servers: What are the security risks?

  Hillary Clinton has taken much criticism over the use of a personal email server. Expert Michael Cobb explains the risks of shadow IT email and what enterprises can do about them.  Continue Reading

• What are the differences between active boards and passive boards?

  Both active and passive boards of directors have different approaches to handling cybersecurity within their organizations. Here's how to tell which type you have.  Continue Reading

• Cybersecurity budget: What are the top priorities after a breach?

  After an incident, a cybersecurity budget usually starts to feel the pressure. Identifying the top security priorities for the organization can help alleviate the budgetary stress.  Continue Reading

• What are the latest SEC Risk Alert findings?

  The latest SEC Risk Alert from the OCIE has important updates for financial services firms. Expert Mike Chapple reviews the report.  Continue Reading

• How many security administrators does an enterprise need?

  There's no magic formula for figuring out how many security administrators an organization needs, but expert Mike O. Villegas reviews the decision-making process.  Continue Reading

• Can companies safely fire an information security manager?

  An information security manager has access to many privileged systems in an organization, so letting one go can be tricky. Expert Mike O. Villegas explains how to handle the process.  Continue Reading

• What's the best risk analysis method for enterprises?

  There are a number of different risk analysis methods for enterprises to choose from. Expert Michael Cobb highlights some of the best options available.  Continue Reading

• How should CISOs present a security assessment report?

  CISOs regularly have to present a security assessment report to the board of directors. Expert Mike O. Villegas has some tips to make it more engaging.  Continue Reading

• How can CISOs improve security communication with the board?

  Effective security communication to board members is an important way to get cybersecurity on their radar. Expert Mike O. Villegas explains how to make this happen.  Continue Reading

• What should security automation do for enterprises?

  Letting security automation handle certain tasks can make a security team more efficient. Here's which tasks should be automated and which should be left to the professionals.  Continue Reading

• How can security vendor hacks affect enterprises?

  Several security vendors and providers have been hacked over the last year. Expert Michael Cobb explains how enterprises should prepare for a vendor hack.  Continue Reading

• What effect would DMCA changes have on security researchers?

  There's been a lot of controversy around the DMCA, especially because of the Chrysler car hack. Here are the issues with it and how it affects security researchers.  Continue Reading

• What is the best way to trim a security portfolio?

  Trimming down a security portfolio and budget is a struggle for many security professionals. Here's how to trim security portfolios without affecting security.  Continue Reading

• Should enterprises use the Let's Encrypt open certificate authority?

  Let's Encrypt, a new open certificate authority, is coming soon. Expert Michael Cobb explores the merits of using free and open CAs and whether or not enterprises should explore them.  Continue Reading

• What data breach notification policy should enterprises follow?

  A data breach notification policy is important to have, but deciding how to alert customers can be tough. Expert Mike Chapple explains some best practices.  Continue Reading

• How should enterprises start the vendor management process?

  The security vendor management process can be tricky, especially at the beginning when deciding what to buy and from whom. Expert Mike O. Villegas has some advice.  Continue Reading

• What should CISOs include in security reports?

  Security reports are a good way for CISOs to communicate with the board of directors. Here are specific topics that should be included in the reporting.  Continue Reading

• Why did Anthem resist government vulnerability assessments?

  Vulnerability assessments are often a requirement for organizations that have suffered a data breach and the assessors' results can be invaluable to protect a business.  Continue Reading

• What should you look for in candidates for a CISO position?

  The CISO position can be tough to fill, especially when enterprises set high expectations for the candidates. Expert Mike O. Villegas discusses key CISO qualifications.  Continue Reading

• What does the Consumer Privacy Bill of Rights mean for enterprises?

  The Consumer Privacy Bill of Rights, if made a federal law, would create a uniform set of privacy requirements. Here's a look at the potential benefits.  Continue Reading

• How can companies avoid failing the annual FISMA audit?

  The annual FISMA audit is designed to ensure companies need to have consistent security standards. Here's how to prepare for the audits.  Continue Reading

• Is data center cleaning a compliance requirement?

  Data center cleaning may not be mandated, but it's still a good idea to do. Some best practices include using HEPA technology and specific cleaning products.  Continue Reading