DRJ Fall 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Summer Journal

Volume 32, Issue 2

Full Contents Now Available!

What does “Digital Transformation” really mean for companies in 2019? Since the dawn of the computer age, organizations have been asking themselves how they can keep up with the times. From an innovation point of view, Digital Transformation at its core is taking analog processes and automating them with technology. When done correctly, the financial investment is well worth the up-front costs for years to come. Over the course of weeks, months, or even years an entire department or workflow can be revamped – think streamlining, process improvement, and efficiencies simply not possible otherwise.

Where does BC in the Cloud (BCIC) factor into this plan? It may be specific to your BC/DR program moving away from printed plans, word documents, and excel files. Or it may be one part of your company’s overall goals to use technology to work smarter, not harder.  The product itself is customizable, flexible enough to leverage any existing templates or documents, and prompt necessary updates during implementation. Now, instead of manually pulling metrics and shaping the narrative to your end users and leadership teams, the system itself contains the data you need including dashboards for an easy (and always up-to-date) bird’s eye view.

...

https://www.bcinthecloud.com/2019/06/digital-transformation/

On May 29, 2019, I performed a Google search for the words “Business Risk Management Approach” in news headlines. I got close to 5,000 results from just the previous 24 hours. I am sure I would get a similar number of results no matter when I searched.  The risk management approach to business decision making is a popular topic for business executives, and certainly something that looks like it will stick around.  How should the security industry get on board with the risk-based approach to managing our programs?  It starts with embracing the inevitable.  We WILL be expected to speak the business language in relation to our programs.  We WILL need to be able to provide measurable results of risk impact, tolerance, and the effectiveness of mitigation strategies.  And, we WILL need new skills and approaches to  do that.

Security is More Than a Tactical Response

Change is never easy and for many of us who have been in the security industry for a while, our comfort zone is in the “nuts and bolts” of our day-to-day tactics.  We know our details.  We understand PTZ, CPTED, IDS, BCM, WPV, EP and any number of other technical acronyms. We know how the organization can protect people and assets from harm.

But in the world of risk-based business management, it’s the security leader who can show the reasons behind all those tactics, and the impact those tactics will have on the overall risk profile and exposures to the organization who will succeed.  It’s that strategic security leader who will successfully shepherd the organization safely into the future as risks and tactics shift on a near daily basis. It is the ability to see the risk landscape holistically, and react with the appropriate mitigation at the appropriate time, that will give us and our security teams the edge in ensuring that we can be ready for the future of security risks.

This doesn’t mean that tactical skills are not important.  It’s critical that team members have the ability to carry out the entire spectrum of security mitigation activities. However, those tactical skills are simply not enough to ensure that the business understands the need for, and supports the implementation of, the security program.  And that is where new skills are needed for the entire team.

...

https://www.riskandresiliencehub.com/must-have-business-skills-for-a-security-risk-management-program/

Many corporate leaders are hesitant to move to the cloud because of security concerns. netlogx’s Clayton Calvert explains that while data breaches are continuing apace, cloud security is entirely possible and manageable.

Cloud adoption has continued to grow in the last decade, and recent reports by the analyst firm Gartner show it will continue to grow by almost 20 percent next year. Gartner’s Vice President of Research, Sid Nag, says that the firm doesn’t know of any vendor or service provider whose revenue hasn’t benefited from the adoption of cloud-first strategies in the organization. By 2022, the analyst firm estimates cloud service growth will triple.

The benefits for employee satisfaction as a result of using cloud services and online collaboration tools cannot be ignored. Study after study shows incredible ROI in productivity, engagement and efficiency from using tools that enable employees to work from nearly any device with an internet connection. However, many corporate leaders are hesitant to make the jump because of security concerns, especially leaders in the health care, finance and government sectors. While data breaches seem to be more commonplace than ever, the truth is that cloud security is entirely possible and manageable with a couple of important steps to increase corporate confidence when it comes to cloud adoption.

...

https://www.corporatecomplianceinsights.com/3-ways-to-increase-corporate-confidence-in-cloud-security/

(TNS) — Officials want to know why dozens of campers were left soaked and stranded after the electronic door locks on a $1 million tornado shelter failed to unlock during an actual tornado warning.

The reinforced concrete of the new dome-shaped shelter at Delaware State Park is designed to withstand hurricane-force winds and save lives, but only if you can get inside.

On Saturday night, Stacy Cummings and her three daughters from Huron County were in their camper when the first warning sounded around 10 p.m. They immediately drove about a quarter-mile to the shelter and were greeted with a downpour, wailing sirens and a full parking lot.

Her daughter, Annie, 20, fell face-down running to the door. It was locked.

About 20 people were huddled at the dark entrance wondering why it wasn't open. Annie cut her fingers after jumping to reach a metal latch.

...

https://www.govtech.com/em/preparedness/Why-Did-Ohio-County-Shelter-Stay-Locked-in-Tornado-Warning.html

Agency urges organizations with vulnerable systems to apply mitigations immediately.
 

Time may be running out for organizations that have still not applied the patches that Microsoft released last month for the "BlueKeep" Remote Desktop Protocol (RDP) vulnerability in multiple older Windows versions.

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that it had successfully tested a remote code execution exploit for BlueKeep against a Windows 2000 machine.

It is believed to be the first publicly known remotely executable exploit for BlueKeep — a security vulnerability that many, including Microsoft, have compared to the EternalBlue vulnerability that led to the WannaCry and NotPetya global outbreaks of 2017.

...

https://www.darkreading.com/vulnerabilities---threats/dhs-tests-remote-exploit-for-bluekeep-rdp-vulnerability/d/d-id/1334986

June weather in New York City can be fickle. As the I.I.I.’s own Brent Carris reported, this fickleness can lead to chaos for the city’s outdoor music festivals, like the recent fiasco at this year’s Gov Ball. Carris noted that event organizers will often have event cancellation insurance to protect themselves financially.

But this got me thinking: is there rain insurance?

...

http://www.iii.org/insuranceindustryblog/insurance-protection-rainy-day-2/

Tuesday, 18 June 2019 14:14

INSURANCE PROTECTION FOR A RAINY DAY

“There is no elevator to success. You have to take the stairs.”

 ~ Bit of wisdom on stairway outside a high-intensity gym

Life ain’t easy. Neither is a job. That’s why they call it work.

It’s true of every aspect of personal life and every profession. Hurdles exist all around us. What’s the best way to overcome them?

The best of us make it look easy — even though it really isn’t. The athlete who is at the peak of his game. The trial lawyer who always knows the right thing to say because he’s so good at reading the judge and jury. The businessman who knows just how hard to push in negotiations because he can tell when the other side will blink.

The most important trick is composure. When you have it, you exude confidence and competence. That gives you the upper hand.

...

https://www.gillottcommunications.com/no-elevators/

Tuesday, 18 June 2019 14:12

No Elevators

Exabeam has released its annual ‘State of the SOC’ report, identifying shifting roles and responsibilities as one of the most pressing challenges for security operations centre / center (SOC) managers. As an example of this shift, C-suite executives are doing more in incident response and threat hunting, while frontline employees are completing fewer operational tasks. Similar to last year, the report also found that SOC staffing remains an issue, as do processes like reporting and documentation, along with alert fatigue and false positives.

The survey sought the opinions of IT professionals in the US and UK, with management responsibilities in operations and security. Common roles targeted were CIO/CISO, SOC manager or frontline employee, such as threat researchers, security architects, engineers, analysts and risk officers.

Interestingly, only 5 percent of respondents reported seeing 100 percent of events in the security incident and event management (SIEM) system. In fact, keeping up with security alerts presented the largest pain point experienced by SOC personnel (39 percent). The top reason cited for this pain was the inability of legacy applications to log events. Without full visibility into events happening throughout the enterprise, SOC managers are more likely to miss security alerts, resulting in greater vulnerability to cyberattacks.

...

https://www.continuitycentral.com/index.php/news/technology/4111-c-level-executives-are-engaging-more-frequently-in-incident-response-and-threat-hunting