CISO DRG Publishing is pleased to announce the availability of Bring Your Own Cyber, the third and final book in the CISO Desk Reference Guide® Small Business Series. Published in paperback and eBook formats and written by Bill Bonney, co-author of the CISO Desk Reference Guide Volumes 1 & 2, this book addresses the security concerns of the smallest of businesses. In this book, Bill explains in plain language how to make micro businesses more secure and details steps that anyone can take. The privacy case studies come from real businesses, and in researching this book, Bill interviewed more than a dozen small business owners across six industries to ensure that all of the advice he provides is grounded in the real world.
Congratulations, Bill, we are thrilled to complete the CISO Desk Reference Guide® Small Business Series.
Gary Hayslip, Matt Stamper, and I would like to thank our colleagues who generously gave their time and expertise to help us create the CISO Desk Reference Guide, Volumes 1 and 2. Because of their patience and thoughtful feedback, both books in the two-volume set have been inducted into the Cybersecurity Canon Hall of Fame. We are very honored and wish to express our gratitude to Selim Aissi, Jerry Archer, Gabriele Benis, Kip Boyle, Dr. Winnie Callahan, Magda CHELLY, Ph.D, S-CISO, CISSP®, Stephen Cobb, Sam Curry, Kirsten Davies, Limor Elbaz, Jane Frankland, Todd Friedman, Peter Gregory, David Hahn, Rick Howard, Vickie Miller, Kenneth Slaght, and Mark Wales for their guidance, and to the nominating committee for the recognition.
CISO DRG Publishing is pleased to announce the availability of Creating a Small Business Cybersecurity Program, the second book in the CISO Desk Reference Guide® Small Business Series in paperback and eBook formats. This book was written by Alan Watkins to help a small business of 25 to 500 employees build a practical cybersecurity program. In addition to his career as an educator and consultant, Alan was part of the small international team that updated the 20 CIS Controls® from v.6.1 to v.7 and then v.7.1, as well as helping create the implementation groups, which are featured in the book.
Whether this is your first cybersecurity program or you are formalizing policies that grew organically over time, the risk-informed approach explained by Alan will help you integrate your program with your business needs and develop a practical program that will not only help you secure your company, but also provide clarity and direction in decision making for security priorities. The recommendations in the book are customizable to fit within your business culture.
Congratulations, Alan, we are proud to have Creating a Small Business Cybersecurity Program in our growing catalog.
We just adopted a rescue puppy. He is the sweetest, most beautiful Mountain Cur Hound with a gorgeous brindle coat, and we named him Henry. We fell in love at first sight. He whimpered a bit when we drove away from his foster mom, but he bonded to us within 24 hours. We had no idea whether he was housebroken (he was, but not without some early drama) and we had no idea how much training he had. Turns out, not much. So, we dutifully signed up for a back-to-back-to-back set of classes – 18 hours in all over four months – to go from “we don’t know” to a pooch that would pass the Canine Good Citizen test with flying colors. And then, we were told to shelter in place and all non-essential services in San Diego were postponed until further notice. Now what?
Most of our cybersecurity programs have modest to extensive investments in cybersecurity education for our workforce. We envision a well-trained workforce that never clicks on PhishBait and checks all the boxes for safeguarding sensitive information when working away from the office. But in the blink of an eye, we are now faced with work from home on steroids that includes many who have never had to safeguard sensitive data on their own, and we’re asking them to do it while their health and their family’s health is in jeopardy. Oh, and we cannot provide as much equipment or know-how as we would like, or that they need.
We have to act fast, and we need our new work-from-home workforce to learn a bunch of new tricks quickly. They need to protect sensitive corporate data and themselves while they navigate WiFi routers and videoconferencing tools with which they are not that familiar. And they may have to do it without as much support from HQ as they (or we) would like.
So how do we do that? Well, like Henry when we have him out for a walk, we’re not going to get their attention through all the Coronavirus distractions vying for mindshare using the same old approach of mandated training and “thou shalt nots.” With Henry, we have to take the distractions away. We get his attention by touching or eye contact, speaking softly, and making sure he knows we’re talking to him with love. For our workforce, we need to put their needs first. We need to make sure they feel safe and they feel confident that their family is safe. Then they can be more receptive to what we need them to do for us. We’re not going to get their attention when they are focused on figuring out the optimal time to go grocery shopping or are spending five hours a day shopping online for baby wipes.
We have to remember that stress is one of the key ingredients for successful scams. Scammers and con artists have relied on behavioral psychology for years because they know that if they talk fast, if they create fear, and if they strike when we’re distracted with new stimuli, they have more success. As documented in a study published by the CDC, when we are under stress, we think differently. Our focus narrows, and we alter the way we assess data, often rejecting data that does not fit known patterns. When this happens, we can miss key cues that would normally alert us to a problem. Trending PhishBait and malware are designed to exploit this. The FTC reports a jump in consumer complaints related to Coronavirus scams targeting people’s desire to be informed, and the FBI has detailed assaults on teleconferencing and videoconferencing — going hard after tools essential to the new work-from-home paradigm.
So, the first thing we need to do is put our employees’ needs first. Help them figure out how to be safe, and how to get their basic needs met. I recommend that CISOs sit down with their Human Resources counterparts and model out with them the basic needs: food (ordering and delivery is extremely challenged in some communities); basic supplies (not just toilet paper, but cleaning and sanitizing products, healthcare and personal care items, and even pet supplies are all in short supply or difficult to find and order); and perhaps other needs specific to your workforce.
If they remain on your payroll, it is not likely that money is the key issue (though some two-income families may be short an income); it’s the logistics. Consider turning your HR helpdesk into a community ombudsman. Can you help your employees with information and, when you have the personnel, can you offer shopping and delivery services? Can you use your third-party relationships to your employees’ benefit? Do you run a cafeteria? If so, can your cafeteria staff develop meals to go that your team can deliver? This might be especially helpful to workers with young children who aren’t currently in school.
The second thing we need to do is take away as many decision points as we can. Hopefully you’ve been able to issue company equipment or are in the process of doing so. As you know, properly configured and continually patched and updated equipment is essential, so configure those global policies before putting the equipment in employees’ hands. The fewer complicated instructions you need them to follow, the more secure you and your network will be. And please remember to configure conferencing applications with appropriate security settings. Incidents of zoombombing are on the rise, and bad actors are focused on this as an attack vector.
And finally, now that you have their attention, are helping them de-stress, and have taken as many difficult decisions out of their hands as possible, you can begin to push out to them regular updates designed to help them keep up on cyber safety. Avoid making your messaging too complex, and try to combine it with regular updates from your leadership to continue to manage those stress levels. Proactively talk about the company’s status and how you are helping your customers deal with the Coronavirus crisis. Don’t let fears of layoffs or destructive rumors take hold. Provide ample time for questions and answers. Be as transparent as you can be, and provide the best information you have.
It is heartening that the same services that make the modern corporate campus so inviting can also help provide the foundation for the work-from-home workforce to feel safe and confident. Just as on-campus services provided employees with options and backstops to ease the burden when projects demanded many hours over long stretches of time, so too they can now help employees keep themselves safe and help them safeguard the sensitive data they must protect for your company to continue to deliver for your customers.
And Henry? Well, while he waits for his 18 hours of treat-based training, he is currently getting six walks a day and more play time than he knows what to do with. Who’s a good dog?
The movement to make cities smarter, which is transforming municipal governments worldwide into disparate ecosystems of cutting-edge technologies, is also making cities unique targets for cybercriminals. To manage these threats requires security professionals who are comfortable managing risk across both legacy and smart technologies to create security programs that allow innovation safely amid the chaos.
Gary Hayslip, co-author of the CISO Desk Reference Guide and author of the just-released book for small business cyber professionals, “The Essential Guide to Cybersecurity for SMBs,” will be speaking at RSA, addressing this topic in a session titled “How Smart Cities Become Wise.” This session will be held on Thursday the 27th at 1:30 PM in PDAC-R07, which is in Moscone West 3009.
After his talk, Gary will be signing books at the RSA bookstore.
Welcome to the CISO DRG site. We’ve built this site to showcase the authors who contribute to the CISO Desk Reference Guide catalog, provide information about the books in our catalog so you can determine which books will best help you on your journey, highlight the compelling cybersecurity issues that we feel need discussion, and have an ongoing dialog among the cybersecurity community.
Over the next few months, we’ll be publishing several more books (look for the coming soon banner for the books in each of our series), as well as launching a regular blog and a newsletter to stay in touch with you. We’re working now on the plumbing to allow for moderated dialog. Our goal is to create a hub for cybersecurity professionals, whether it is to dialog with the authors or each other. And hopefully, we’ll have a little fun along the way.
With Warm Regards,
Gary, Matt & Bill