Caute_cautim
Community Champion

Are C-suite Executives our greatest risk?

Hi All

 

According to a PWC report, the C-Suite Executives are the greatest risk?  What do you think?

 

Do you concur or do you have another perspective? 

 

https://securityboulevard.com/2022/08/pwc-survey-finds-c-level-execs-view-cybersecurity-as-biggest-r...

 

Regards

 

Caute_Cautim

49 Replies
mrsimon0007
Newcomer I

C-suite executives have wide access to sensitive data, make high-impact decisions, and are frequent targets for phishing or social engineering. That makes them a significant insider risk if they are careless, misinformed, or compromised.

vishybear
Newcomer I

I remember, as a desktop support guy... it was ALWAYS directors who'd leave laptops on the train.

denbesten
Community Champion

This is why one implements automated group policy mechanisms to encrypt hard drives, enforce screen locks, use MFA when possible, and to enable remote-wipe-and-report.

 

Also, buy them an AirTag to keep in their laptop bag.  Might cause their phone to beep while there is still time to go back for it.
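Added example (not from any poster in this thread): a PowerShell audit that checks one Windows endpoint for the controls denbesten lists, so the "automated group policy mechanisms" can be verified rather than assumed. It assumes a Windows 10/11 laptop with the BitLocker PowerShell module, an elevated session, that an MDM such as Intune is the remote-wipe-and-report channel (the `MdmUrl` check on `dsregcmd /status` output is an assumption about that enrollment type), and a 15-minute lock threshold; the registry path is the standard location written by the "Interactive logon: Machine inactivity limit" policy. MFA is enforced in the identity provider, not on the device, so it is not checked here.

```powershell
# Added example, not from the thread. Assumes Windows 10/11, elevated session,
# BitLocker module present, and MDM (assumed Intune) as the remote-wipe channel.

function Test-LaptopBaseline {
    $findings = @()

    # 1. Full-disk encryption: OS volume must be fully encrypted with protection on.
    #    (ProtectionStatus 'Off' with VolumeStatus 'FullyEncrypted' means the key is
    #    exposed, e.g. BitLocker suspended: still a finding.)
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.ProtectionStatus -ne 'On' -or $os.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "BitLocker on $($env:SystemDrive): ProtectionStatus=$($os.ProtectionStatus), VolumeStatus=$($os.VolumeStatus)"
    }

    # 2. Screen lock: 'Interactive logon: Machine inactivity limit' writes
    #    InactivityTimeoutSecs under this key; 0 or absent means not enforced.
    $sysPol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $limit  = [int]($sysPol.InactivityTimeoutSecs)
    $maxLockSeconds = 900   # assumed threshold: 15 minutes
    if ($limit -le 0 -or $limit -gt $maxLockSeconds) {
        $findings += "Machine inactivity limit not enforced or too long: $limit s (policy max $maxLockSeconds s)"
    }

    # 3. Remote wipe-and-report: only available if the device is MDM-enrolled.
    #    Assumption: enrollment shows up as an MdmUrl line in dsregcmd /status.
    $dsreg = (dsregcmd /status) -join "`n"
    if ($dsreg -notmatch 'MdmUrl\s*:\s*https?://') {
        $findings += 'No MDM enrollment URL found; remote wipe-and-report is not available for this device'
    }

    # Return findings as objects so the result can be collected centrally.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-LaptopBaseline | Format-List
```

Run it from the endpoint's own elevated session, or push it as a detection script from the MDM so the `Compliant` flag lands in the same console that would issue the wipe; a laptop that fails check 1 or 3 is the one a director cannot afford to leave on the train.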

ervinfrenzel
Newcomer III

Absolutely, that is combined with our technicians/technology specialists.  If I may explain.  According to the governing bodies (IEEE/ACM, INCOSE, ISO, etc.), cyber is the combination of the people, processes, and technology.  Combined, this becomes a socio-technical system (or STS).  Much of leadership came from a single technology or field; this skews the leader into believing their "flavor" is the single cybersecurity "flavor": this month it is "AI", it has been "secure software", "IT-based security", "IS-based security", etc.  I have been told multiple times I cannot fill a C-suite role as I can explain threats so other org leaders can understand what is going on.  This terrifies me.

 

When leadership neither reads nor understands the whole picture, they handicap their own organization (people), their processes, and hinder their technology.  Worse, their actions can be imposed onto business affiliates tied to them (think third-party risk): their actions not only expose themselves and their organizations, but anyone doing business with them.

 

Currently, I am working on job crafting research; oddly, multiple vendors (two of the big ones) are still saying Cyber is a sub-component of Information Technology, Computer Science, Computer Engineering, Software Engineering, Data Science, or even Information Systems.  Information Systems is probably the closest to being correct (as it should have an integrated STS).  If your certification body is antiquated and out of touch with reality, how can you be anything but?

 

I realize this isn't just about cybersecurity but all C-suite folks, if their decision-making processes are antiquated because those teaching them are antiquated (think tenured faculty who have not updated their "general knowledge" but only conducted the specialized "research" they want to deal with).  This is job crafting; it is how we broke up our departments to begin with: do what you are good at, let others deal with what you are not good at.  Those who are good at our weaknesses often hate what we are good at.

 

As a side note, several certification bodies went on to say they are only responsible for "digital" components, not responsible for end-users, end-user actions, or the processes of the organization.  Essentially, when we look at breaches, we recognize breaches occur in the people, processes, or technology: essentially finding the weakest of the STS countermeasure components.  Certifying bodies who deny the people or processes are saying it is someone else's job, but definitely not theirs.  I cannot respect any cybersecurity certifying body that says "it's someone else's problem".

 

We as professionals are responsible for our working organizations; we can vote on our profession (by membership), by researching, and by refusing to be part of organizations that refuse to update their philosophies or be responsible for their professionals.

vishybear
Newcomer I

There is a MASSIVE issue in the tech industry, across the whole board, that refuses to acknowledge that humans exist.

Everyone has processes, 'good practices', standards, etc., etc., yet are STILL surprised when a user will do something because it makes their job easier to do. Or directors that insist on letting their kids use Minecraft on their work laptops. I've even worked in a place where we provided IT support to a director's wife and kids.

Every department in organisations is understaffed now; outsourcing and offshoring make things even harder. Yet for some reason, saying to the directors or the C-suite, "YOU decided to stick this helpdesk offshore and YOU decided to make our IT support work out of the same office buildings and sound identical to the scammers that call our users every day. How come it's suddenly OUR problem?" is seen as something that isn't done. (Unless it's me.)

I think training needs to be directed toward the technical resource on how to understand humans as much as it’s needed for staff to understand how to recognise a phishing email.

There’s been too much STEM STEM STEM recently and not enough concentration on looking at the soft skills, psychology, basic human nature and how to talk to people.
nkeaton
Advocate II

@vishybear   We have been emphasizing STEAM for years because of that soft skills component.  You are correct that they need those very human interaction skills.  

jbuitron
Contributor I

It grates on my nerves, like fingernails on a chalkboard, every time I see the phrase "IT Security." The 'information technology' portion of 'security' is only a percentage of the entirety.

 

And, you mentioned how cyber professionals like CISOs are continually placed 'under' authorities like the CFO, the COO, the CEO, ad infinitum, ad nauseam.  I found a paper by Rebecca Herold that clearly states (and logically so) how the CISO should/must be independent and not have their authority hamstrung or shackled. (Now, I need to scan that work into my PC, or find a copy online.)

 

Keep thinking... it may be a dangerous occupation, yet it is now needed in cyber more than ever.

 

Dr. Jan, DCS

(aspiring CISO)

dcontesti
Community Champion

@jbuitron agree with you.

 

Most do not see the entire picture and many think it is an IT issue.  WRONG for so many reasons.

 

I have always found it amazing that Audit gets a seat with the Board but not Security.  I suppose that comes from external Auditors pounding on tables and pointing to deficiencies.

 

If you find Rebecca's paper, would love to read it.

 

Regards

 

d

 

jbuitron
Contributor I

Hi dcontesti,

Rebecca Herold's work on Organization and Roles is within this edition of the Information Security Handbook available online at: 

 

https://www.ic.unicamp.br/~rdahab/cursos/inf712/repositorio/ISMHandbook_toc.pdf

 

I have a copy of the .pdf attached. Please keep in mind that cybersecurity/Information Security papers regarding structure and operations do not 'get old' like Microsoft Windows '95 does. Great work is always great work!

 

This ISC2 site won't allow me to upload the .pdf with just the article in it. Nevertheless, it is in the handbook at the link.

 

This was the first paper that I found when I was starting the Norwich U., MSIA in 2008. It STILL RINGS TRUE.

 

best regards,

 

Dr. Jan F-B., DCS

CISSP, C-CISO

ervinfrenzel
Newcomer III

Ok, so let's recognize we are talking about two separate types of security. IT security is just that: security that deals with IT. I'm including a pic to assist.  The reason it is important to recognize is that ISACA and such state Cyber is a sub-component of IT Security, which is a sub-component of IT, which is an enabler for the business.  Effectively we are fighting the colleges of business on this one (which I am totally good for).  I realize we are not ISACA, but many of the leaders in business have subscribed to those philosophies and ones like them.  When I wrote my exegesis, I spelled these out.  Since then I have simply created a chart to help folks (mostly students) understand: there is a place within business for IT security, and IS security, and secure software development, but this fight has been going on for some time.  We have to recognize that IT absorbed IS, or most of its functions, in the early 2000s, and the terminology IT now means something different to business than it does to technologists.  In business it means all of the technologies used to regulate their organizational technology, effectively everything.  In technology it is the hardware and software used by technologists to keep the organization going.  It's a subtle difference, but one just the same.

 

[Image attached by ervinfrenzel: chart placing IT security, IS security, and secure software development within the business]

 

Remember, if we want to properly address the problem, we need to address it properly.  We need to recognize that all of us are not cyber practitioners.  Some are technology specialists (which are as important, if not more so at times), some are people specialists, some are process specialists.  Bottom line is cyber is not an individual sport, it is a team event; it takes everyone together to make it happen.  From the listing above, all of the components are necessary to create a defense.

 

At least if they are referring to it as "IT Security" and they understand it from the technologist point of view, we have hope to educate them about other securities and make an organizational change.

 

Ervin Frenzel, PhD

Cybersecurity Leadership

CEI, CCISO, CISSP-ISSAP, CISSP-ISSMP, ECSA