CISO Corner: What Cyber Labor Shortage?; Trouble Meeting SEC Disclosure Deadlines – Source: www.darkreading.com

Welcome to CISO Corner, Dark Reading’s weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we’ll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We’re committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

In this issue of CISO Corner:

CISOs & Their Companies Struggle to Comply with SEC Disclosure Rules

By Rob Lemos, Contributing Writer, Dark Reading

Most companies still can’t determine whether a breach is material within the four days mandated by the SEC, skewing incident response.

Companies could face millions of dollars in fines if they fail to notify the SEC of a material breach. But, overall, 68% of cybersecurity teams do not believe that their company could comply with the four-day disclosure rule, according to a survey published on May 16 by cloud security firm VikingCloud.

The largest public companies already have disclosure committees to determine whether a variety of events — from severe weather to economic changes and geopolitical unrest — might have a material impact. But while larger companies have focused on the issue for over a year — even before the rule was finalized — smaller companies have had a more difficult road, says Matt Gorham, leader of the Cyber and Privacy Innovation Institute at consultancy PricewaterhouseCoopers. Companies need to focus on creating a documented process and saving contemporaneous evidence as they work through that process for each incident.

“There’s a great disparity from one company to the other … and between incidents,” he says. “Initially, you may have decided that [the breach] may not be material at that point in time, but you’re going to have to continue to assess the damage and see if it’s risen to the level of materiality.”

Read more: CISOs & Their Companies Struggle to Comply with SEC Disclosure Rules

Related: Anatomy of a Data Breach: What to Do If It Happens to You, a free Dark Reading virtual event scheduled for June 20. Verizon’s Alex Pinto will deliver a keynote, “Up Close: Real-World Data Breaches,” that details DBIR findings and more.

Podcast: Dark Reading Confidential: The CISO & the SEC

Hosted by Dark Reading’s Becky Bracken, Sr. Editor, and Kelly Jackson Higgins, Editor-in-Chief

Episode 1 of Dark Reading Confidential brings Frederick “Flee” Lee, CISO of Reddit; Beth Burgin Waller, a practicing cyber attorney who represents many CISOs; and Ben Lee, Chief Legal Officer of Reddit, to the table.

It’s a brand new podcast from the editors of Dark Reading, where we are going to focus on bringing you real-world stories straight from the cyber trenches. The first episode dives into the increasingly complicated relationship between the Securities and Exchange Commission (SEC) and the role of the chief information security officer (CISO) within publicly traded companies.

In the wake of Uber’s Joe Sullivan and the SolarWinds executives being found liable for breaches, CISOs now face a dual challenge of properly interpreting what the SEC means by its new rules for cyber incidents, as well as their own personal liability.

Read more: Dark Reading Confidential: The CISO and the SEC (transcript available)

Related: Ex-Uber CISO Advocates ‘Personal Incident Response Plan’ for Security Execs

Top 5 Most Dangerous Cyber Threats in 2024

By Ericka Chickowski, Contributing Writer, Dark Reading

SANS Institute experts weigh in on the top threat vectors faced by enterprises and the public at large.

Only five months into 2024, and the year has been a busy one for cybersecurity practitioners. But what’s ahead for the rest of year? According to the SANS Technology Institute, there are five top threats flagged by SANS experts that enterprises should be worried about.

1. Security Impact of Technical Debt: The security cracks left behind by technical debt may not sound like a pressing new threat, but according to Dr. Johannes Ullrich, dean of research for SANS Technology Institute, the enterprise software stack is at an inflection point for cascading problems.

2. Synthetic Identity in the AI Age: Fake videos and fake audio are being used to impersonate people, Ullrich said, and they will foil many of the biometric authentication methods that have gained steam over the last decade. “The game changer today is not the quality of these impersonations,” he said. “The game changer is cost. It has become cheap to do this.”

3. Sextortion: According to Heather Mahalik Barnhart, a SANS faculty fellow and senior director of community engagement at Cellebrite, criminals are increasingly extorting online denizens with sexual pictures or videos, threatening that they’ll release them if the victim doesn’t do what they ask. And in the era of highly convincing AI-generated images, those pictures or videos don’t even need to be real to do damage. It’s a problem that’s “running rampant,” she said.

4. GenAI Election Threats: Fake media manipulation and other generative AI-generated election threats will be ever present across all of the major platforms, warned Terrence Williams, a SANS instructor and security engineer for AWS. “You can thank 2024 for giving us the blessing of GenAI plus an election,” he said. “You know how well we handle those things, so we need to understand what we’re coming up against right now.”

5. Offensive AI as Threat Multiplier: According to Stephen Sims, a SANS fellow and longtime offensive security researcher, as GenAI grows more sophisticated, even the most nontechnical cyberattackers now have a more flexible arsenal of tools at their fingertips to quickly get malicious campaigns up and running.

“The speed at which we can now discover vulnerabilities and weaponize them is extremely fast, and it’s getting faster,” Sims said.

Read more: Top 5 Most Dangerous Cyber Threats in 2024

Related: Why Criminals Like AI for Synthetic Identity Fraud

3 Tips for Becoming the Champion of Your Organization’s AI Committee

Commentary by Matan Getz, CEO & Co-Founder, Aim Security

CISOs are now considered part of the organizational executive leadership and have both the responsibility and the opportunity to drive not just security but business success.

As organizations get a handle on how AI can benefit their specific offerings, and while they try to ascertain the risks inherent in AI adoption, many forward-thinking companies have already set up dedicated AI stakeholders within their organization to ensure they are well-prepared for this revolution.

Chief information security officers (CISOs) are the heart of this committee, and those ultimately responsible for implementing its recommendations. Therefore, understanding its priorities, tasks, and potential challenges is pivotal for CISOs who want to be business enablers instead of obstructors.

There are three fundamentals CISOs can use as a guide to being the pivotal asset in the AI committee and ensuring its success:

1. Begin with a comprehensive assessment: You can’t protect what you don’t know.

2. Implement a phased adoption approach: Implementing a phased adoption approach allows for security to escort adoption and assess real-time security implications of adoption. With gradual adoption, CISOs can embrace parallel security controls and measure their success.

3. Be the YES! guy — but with guardrails: To protect against threats, CISOs should set up content-based guardrails to define and then alert on prompts that are risky or malicious, or that violate compliance standards. New AI-focused security solutions may allow customers to also set up and define their own unique parameters of safe prompts.

Read more: 3 Tips for Becoming the Champion of Your Organization’s AI Committee

Related: US AI Experts Targeted in SugarGh0st RAT Campaign

Global: Singapore Cybersecurity Update Puts Cloud Providers on Notice

By Robert Lemos, Contributing Writer, Dark Reading

The nation amends its Cybersecurity Act, giving its primary cybersecurity agency more power to regulate critical infrastructure and third parties, and requiring cyber incidents be reported.

Lawmakers in Singapore updated the nation’s cybersecurity regulations on May 7, to take into account the impact of running critical infrastructure management systems on cloud infrastructure and the use of third-party providers by critical infrastructure operators, as well as a cyber threat landscape in Asia that is growing more dangerous.

Given that so many critical information infrastructure operators have outsourced some facets of their operations to third parties and cloud providers, new rules were needed to hold those service providers accountable, Janil Puthucheary, senior minister of state for the Singapore Ministry of Communications and Information, said in a speech before the country’s parliament.

“The 2018 Act was developed to regulate CII that were physical systems, but new technology and business models have emerged since,” he said. “Hence, we need to update the Act to allow us to better regulate CIIs so that they continue to be secure and resilient against cyber threats, whatever technology or business model they run on.”

Read more: Singapore Cybersecurity Update Puts Cloud Providers on Notice

Related: Singapore Sets High Bar in Cybersecurity Preparedness

There Is No Cyber Labor Shortage

Commentary by Rex Booth, CISO, SailPoint

There are plenty of valuable candidates on the market. Hiring managers are simply looking in the wrong places.

Hiring managers often are hesitant to hire candidates perceived as undercredentialed when they believe there must be a “perfect” candidate out there somewhere. But the truth is, a perfect candidate [a bachelor’s degree in cybersecurity, Security+ (CISSP preferred) training, and $30,000 worth of SANS courses] probably isn’t interested in a third-shift SOC position — which means hiring managers need to reevaluate where they look for new employees and which qualifications matter most.

By narrowing down candidate pools based on a small number of arbitrary qualifications, organizations and recruiters end up self-selecting candidates who are good at acquiring credentials and taking tests — neither of which necessarily correlate to long-term success in the cybersecurity field. Prioritizing this small pool of candidates also means overlooking the many, many candidates with analytical potential, technical promise, and professional dedication who may not have gotten the right degree or attended the right training course.

By tapping into these candidates, organizations will find that the “cyber labor shortage” that has received so much attention isn’t such a hard problem to solve, after all.

Read more: There Is No Cyber Labor Shortage

Related: Cybersecurity Is Becoming More Diverse … Except by Gender

Is CISA’s Secure by Design Pledge Toothless?

By Nate Nelson, Contributing Writer, Dark Reading

CISA’s agreement is voluntary and, frankly, basic. Signatories say that’s a good thing.

At 2024’s RSA Conference last week, brand names like Microsoft, Amazon Web Service (AWS), IBM, Fortinet, and more agreed to take steps toward meeting a set of seven objectives defined by the US’s premier cyber authority.

CISA’s Secure by Design pledge consists of areas of security improvement split into seven primary categories: multifactor authentication (MFA), default passwords, reducing entire classes of vulnerability, security patches, vulnerability disclosure policy, CVEs, and evidence of intrusions.

The pledge contains nothing revolutionary and has no teeth whatsoever (it’s voluntary and not legally binding). But for those involved, that’s all beside the point.

“While they may not have direct authority, I think that there is indirect authority by starting to define what the expectation is,” says Chris Henderson, senior director of threat operations at Huntress, one of the signees.

Read more: Is CISA’s Secure by Design Pledge Toothless?

Related: Patch Tuesday: Microsoft Windows DWM Zero-Day Poised for Mass Exploit