Friday, 2 March 2018

CISO Chat – Alvaro Hoyos, Chief Information Security Officer at OneLogin

Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information-security related in a business. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives about the multitude of potential risks that threaten their business and being prepared for an eventual attack.

To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, including advice, guidance and the problems they face. We will leave the favourite food and hobby questions for another time.

The next instalment of CISO Chat is with OneLogin’s CISO, Alvaro Hoyos, who has highlighted a few threats to look out for in 2018:


As a CISO, what is your objective?

Simply put, my objective is to safeguard the confidentiality, integrity, and availability of data. However, how I go about achieving that objective is a much more complex answer.


What is the goal of information security within your organization?

The goal of information security within OneLogin echoes my own mission of safeguarding the confidentiality, integrity, and availability of OneLogin. To expand on that, this includes safeguarding OneLogin customer data from compromise, misuse, loss, or damage, and, just as importantly, in line with legal and regulatory requirements. By doing so, we aim to build and maintain customer trust.

What is more important for cybersecurity professionals to focus on, threats or vulnerabilities?

Vulnerability management, as a process, focuses on discovering and addressing existing vulnerabilities in addition to potential threats. Cybersecurity professionals simply can’t focus on one and ignore the other. Countless security incidents in the last few years have demonstrated that neither of these areas can be ignored.

What do you see being the biggest threats for 2018?

The biggest threats I see for 2018 are:

AI – AI is poised to be the biggest innovation for mankind; however, with ‘great power comes great responsibility’. Businesses of all sizes and sectors have the ability to greatly benefit from the use of AI to improve business processes and relieve employees of mundane, time-consuming admin tasks, freeing up time for high-ticket items that can free up margin or areas of untapped profit. However, in the wrong hands, AI can also be used as a tool by cybercriminals to target vulnerable businesses on a widespread scale.

GDPR – In a rush to ensure compliance ahead of the European General Data Protection Regulation, businesses need to be careful not to shift their attention away from cyber security practices in general.

APIs – Threat vectors and surfaces have skyrocketed in the past few years, mostly down to open application programming interfaces, also known as APIs. Web-based APIs are by their nature constantly accessed by a high volume of devices: desktops, mobile devices, tablets, smart TVs and more connected appliances than you can even imagine with the advent of the Internet of Things (IoT). With more interfaces come more points of entry for cybercriminals to manipulate and more data for them to get their hands on.

How do you believe we can improve the cyber skills gap? What advice would you give to anyone wanting to go into the cybersecurity industry?

The cyber-skills gap, in the short term, can only be addressed by providing training opportunities to existing personnel. Interest in cybersecurity is at an all-time high; not just for those entering or about to enter the workforce, but also for professionals across a wide variety of sectors. In the long term, the growth of cybersecurity programs in curriculums for children and young adults of all ages will help resolve the issue, but it will take some time for us to see a return on investment at a business level. The number one piece of advice I would give to those starting out in the industry is to focus on an area of security you truly feel passionate about. Cybersecurity is a demanding and ever-evolving field, and if you are only in it for a paycheck, you will quickly be burned out by its demanding nature.

Today, IoT and AI have become a real focus for organisations, with almost every device, toy and appliance created having this technology built in. Worryingly, security seems to be an afterthought. Why is this the case and how can this be changed?

Home appliance manufacturers are working at lightning-fast speed to get the latest product to market, and the reality is that cybersecurity is the last thing they think about in the rush against competitors. Eventually, consumers will be the ones who have to pay the ultimate price when a hacker finds an ‘open back door’ into the consumer home through an unsecured device. To tackle this issue head on, there needs to be a change of attitude across the manufacturing sector that makes cybersecurity part of the conversation from the very moment an idea for the latest connected product is conceived.

With GDPR less than five months away, how prepared is your organisation? What is your biggest worry or concern regarding the regulation?

We are actively working on the various angles of compliance we need to address. As a global company with global customers, we are both a data controller and a data processor, which means we need to make sure we are addressing all applicable angles. Unfortunately, like any new regulation, there are always grey areas which tend not to resolve until enforcement begins, meaning that once fines start being assessed, interpretations of the framework will start crystallising more than they have so far.


What’s your worst security nightmare? What would be your plan to prevent and mitigate it?

How often do you have to report to the boardroom level? In light of the major attacks in 2017, have they become more responsive and shown a better understanding for the work you and your team do?

Social media is everywhere. So how much of it is a security issue in the workplace? Have you had to run training exercise plans for employees within your organisation?


Social media is a security risk companies can no longer ignore, especially when companies have been founded just to deal with the risk social media poses. For us, social media, even more than a security risk, is a brand risk. As a security service provider, we cannot afford to have a social media account hijacked. There is the risk that it could be used for a social engineering attack, but we typically do not use these accounts for operational purposes, so the risk is lower.

What would be your no.1 piece of cyber security advice as we begin 2018?

Don’t plan on throwing more security tools and technology at the problem; plan on maximizing current tools and fine-tuning processes and controls.


Alvaro Hoyos leads OneLogin’s risk management, security, and compliance efforts. He also works with prospects, customers and vendors to help them understand OneLogin’s security, confidentiality, availability, and privacy posture and how it works alongside, or in support of, customers’ own risk management models. Alvaro has over 15 years in the IT sector and, prior to joining OneLogin, helped startups, SMBs, and Fortune 500 companies with their security and data privacy compliance efforts. His commentary and articles have been featured in several publications, including CIO, CSO, Network World, Infosecurity, eWeek, and Help Net Security. Alvaro is a member of the Forbes Technology Council and has a B.B.A. in M.I.S. and an M.S. in M.I.S. from Florida International University.

The post CISO Chat – Alvaro Hoyos, Chief Information Security Officer at OneLogin appeared first on IT SECURITY GURU.


Thursday, 1 March 2018

46 Percent of Organizations Fail to Change Security Strategy After a Cyber Attack

According to the CyberArk Global Advanced Threat Landscape Report 2018, nearly half (46 percent) of IT security professionals rarely change their security strategy substantially – even after experiencing a cyber attack. This level of cyber security inertia and failure to learn from past incidents puts sensitive data, infrastructure and assets at risk.

Security Starts with Protecting Privileged Accounts

An overwhelming number of IT security professionals believe securing an environment starts with protecting privileged accounts – 89 percent stated that IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured.

Respondents named the greatest cyber security threats they currently face, including:

  • Targeted phishing attacks (56 percent)
  • Insider threats (51 percent)
  • Ransomware or malware (48 percent)
  • Unsecured privileged accounts (42 percent)
  • Unsecured data stored in the cloud (41 percent)

IT security respondents also indicated that the proportion of users who have local administrative privileges on their endpoint devices increased from 62 percent in our 2016 survey to 87 percent in 2018—a 25 percent jump and perhaps indicative of employee demands for flexibility trumping security best practices.

The Inertia that Could Lead to Data Compromise

The survey findings suggest that security inertia has infiltrated many organizations, leaving them unable to repel or contain cyber threats, and the risks this creates are supported by other findings:

  • 46 percent say their organization can’t prevent attackers from breaking into internal networks each time it is attempted
  • 36 percent report that administrative credentials were stored in Word or Excel documents on company PCs
  • Half (50 percent) admit that their customers’ privacy or PII (personally identifiable information) could be at risk because their data is not secured beyond the legally-required basics

Inertia and a ‘Hands-Off’ Approach to Securing Credentials and Data in the Cloud Create Cyber Risk

The automated processes inherent in cloud and DevOps mean privileged accounts, credentials and secrets are being created at a prolific rate. If compromised, these can give attackers a crucial jumping-off point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit crypto mining activities. Organizations increasingly recognize this security risk, but still have a relaxed approach toward cloud security. The survey found that:

  • Nearly half (49 percent) of organizations have no privileged account security strategy for the cloud
  • More than two-thirds (68 percent) defer on cloud security to their vendor, relying on built-in security capabilities
  • 38 percent stated their cloud provider doesn’t deliver adequate protection

Changing the Security Culture

Overcoming cyber security inertia necessitates it becoming central to organizational strategy and behavior, not something that is dictated by competing commercial needs. According to the survey:

  • 86 percent of IT security professionals feel security should be a regular board-level discussion topic
  • 44 percent said they recognize or reward employees who help prevent an IT security breach, increasing to nearly three quarters (74 percent) in the U.S.
  • Just 8 percent of companies continuously perform Red Team exercises to uncover critical vulnerabilities and identify effective responses

“Attackers continue to evolve their tactics, but organizations are faced with cyber security inertia that is tipping the scales in favor of the attacker,” said Adam Bosnian, executive vice president, global business development, CyberArk. “There needs to be a greater urgency in building cyber security resilience to today’s attacks. This starts by understanding the expanding privileged account security attack surface and how it puts an organization at risk. Successfully battling inertia requires strong leadership, accountability, clearly defined and communicated security strategies, and the ability to adopt a ‘think like an attacker’ mindset.”

The post 46 Percent of Organizations Fail to Change Security Strategy After a Cyber Attack appeared first on IT SECURITY GURU.


UK’s Top PLCs at Risk of Breaching GDPR Guidelines with Three Months to D-Day

Digital threat leader RiskIQ has discovered that one third of web pages belonging to 30 companies within the Financial Times Index are collecting personal data without adequate security measures, potentially breaching GDPR guidelines.

RiskIQ’s research found 120,072 live websites belonging to the companies and 18,457 pages across those sites that collect personal data. 35 per cent of these pages were found to be collecting data insecurely. The research suggests that with an average of 615 login and data collection forms spread across an average of 4002 web sites per organisation, businesses are struggling to gain a complete view of their security and compliance postures ahead of the GDPR deadline.

With a chronic skills shortage and cyber threats at an all-time high, the findings highlight one of the key challenges businesses face in the protection of Personally Identifiable Information (PII) as required by GDPR. A recent survey by RiskIQ identified data breach as a top fear cyber security leaders face in 2018, yet 67 per cent don’t have sufficient staff to handle the daily barrage of cyber alerts they receive.

Fabian Libeau, VP EMEA at RiskIQ, explains: “Companies that haven’t already implemented encryption for all collection and transmission of personal information will have missed the boat in order to comply with the fast approaching regulation.”

“Now more than ever companies need to be aware of their digital footprint. With the ever expanding volume of PII it’s crucial companies ensure they are tracking all of their digital assets and consistently monitoring for potential breaches and gaps in their security.”

The post UK’s Top PLCs at Risk of Breaching GDPR Guidelines with Three Months to D-Day appeared first on IT SECURITY GURU.


Elizabeth Denham, Information Commissioner, tops the 2018 DataIQ 100

Now in its fifth consecutive year, the DataIQ 100 has been revealed once again to highlight the UK’s key industry leaders who drive business success from the intelligent use of data.

The Information Commissioner, Elizabeth Denham, secured this year’s number one position and celebrated the success of the organisations which recognise the need to champion best practice in data-driven business, at the launch of the 2018 power list on February 28th in Central London.

Denham comments: “DataIQ provides an important forum for data professionals to share best practice and learning – essential in such a fast paced and changing environment.

“Leaders and practitioners in this space – everyone in data and analytics – should learn from data, and augment their services through data intelligence, but also ensure that they don’t lose sight of their brand and the essence of their service.

“Data is a powerful tool; when used ethically and responsibly it can be used to empower and enrich all our lives. It is incumbent on all of us as data professionals to earn the trust and confidence of the public in how their personal data is used, so that everyone benefits in a data driven world.

“The General Data Protection Regulation (GDPR) is a game changer and a powerful incentive for businesses to embrace good data protection practice. I am encouraged by the many organisations that see the data opportunities the law presents, rather than the barriers it throws up.

“My role allows me to engage with progressive companies and public bodies looking to adopt privacy by design solutions. I am struck by entrepreneurial development of products which minimise the amount of personal data processed, and which maximise the control people have over their data.

“As the head of the agency charged with protecting UK citizens’ information rights, I am honoured to work with 500 staff dedicated to innovative regulation and excellent public service.”

The top ten professionals in the 2018 DataIQ 100 are:

  1. Elizabeth Denham, Information Commissioner
  2. Gillian Tomlinson, CDO, RSA
  3. Andrew Day, CDO, Sainsbury’s
  4. Jon Hussey, Managing Director, Data and Strategic Analytics, Barclays
  5. Michael Greene, Group Data and Analytics Director, Tesco
  6. Paul Lodge, CDO, Department for Work and Pensions
  7. Lauren Sager Weinstein, CDO, Transport for London
  8. Orlando Machado, Global Director of Customer Analytics and Data Science, Aviva
  9. Martin Squires, Global Lead, Customer Intelligence and Data, Walgreens Boots Alliance
  10. Katia Walsh, Chief Global Data and Analytics Officer, Vodafone

DataIQ compiles the list using a set of objective criteria including recognising those with the greatest regulatory powers, industry contribution and influence, data privacy best practice, and innovation in digital and mobile. Extra ‘points’ were awarded to those with a high public profile.

David Reed, Director of Strategy, DataIQ comments, “Choosing the candidates for the DataIQ 100 2018 edition was a unique opportunity to understand how far data and analytics practitioners have come since our first list five years ago.

With 475 nominations, it was the most diverse set of candidates that we have ever considered and the final line-up is our strongest yet. It also reveals that 2017 was a breakthrough year for individuals, even more than it was for the industry as a whole. This is because they are finally benefitting from the status, resources and rewards that have long been merited, but not always realised. We have 27 chief data officers represented among our Data Titans – the end-users whose investment into data and analytics is bringing about such profound changes to the economy, society and business.

Appointing a CDO is a sure sign of a fast-maturing practice and a necessary step to formalise all the individual processes that are required to be data-driven, from leadership to deep data diving, customer insight to business intelligence. Alongside them stands a spectrum of senior professionals whose diversity of titles speaks of the ongoing need for standardisation, not least to make clear the career paths industry. We need to maintain and build the flow of talent if this list, five years from now, is to continue to represent the brightest and best.

When asked why they chose data, the most common answer our candidates gave was, “data chose me.” We are glad it did and that they responded to its call because it means that, based on the incredible performance and depth of commitment they have shown, we have been able to choose them, too.”

Lindsay McEwan, Vice President and Managing Director, EMEA of Tealium, the headline partner of the 2018 DataIQ 100, added “In an age where data has become the driver of change, Tealium is proud to sponsor the DataIQ 100, recognising the leaders carrying the industry forward.

With the imminent implementation of the GDPR, businesses are being forced to focus on data governance. At Tealium, we strongly advocate data transparency and encourage businesses to adopt a similar mindset.

Through building consumer trust, gathering data from all entry points, and bridging data silos into a centralised hub, we can obtain a 360-degree customer view; companies will then be best-placed to provide engaging, personalised, and real-time experiences.”

You can view the full list and detailed profiles of the 2017 DataIQ 100 at

The post Elizabeth Denham, Information Commissioner, tops the 2018 DataIQ 100 appeared first on IT SECURITY GURU.


Are Your Employees Putting Your Organisation at Risk?

By Ronald Sens, EMEA Director for A10 Networks

We’ve just undertaken some new research which shows that UK employees are unwittingly putting their organisation at risk through their use of unapproved apps. The problems associated with ‘Shadow IT’, where employees download apps or use services without the consent of the IT department, have escalated in line with cloud adoption and the use of personal smart devices in the workplace.

Even though the use of unsanctioned apps can be a real security headache for IT – the apps can act as gateways to the network for cybercriminals looking to gain access to an organisation’s valuable data – there seems to be no stopping employees’ actions.

The research, the Application Intelligence Report, which was conducted across ten territories, shows the UK has the highest percentage of employees (41 percent) who use apps without permission from IT, or without knowing whether those apps have been approved for use at work.

Of those who use non-sanctioned apps, more than half (57 percent) use the excuse that “everybody does it” – more than any other European country questioned in the report.

Other respondents say their IT department doesn’t have the right to tell them what apps they can and can’t use, while some claim that their company’s IT department doesn’t give them access to the apps they need to do their jobs.

The research highlights a notable lack of understanding among UK employees as to the potential damage they are inflicting on their organisations’ security. In fact, many companies still don’t realise the risks that come with this growing reliance on disparate and app-dependent workforces.

In the UK, 54 percent of respondents have experienced at least one data breach, 41 percent have experienced a DDoS (Distributed Denial of Service) attack, and 30 percent have fallen victim to ransomware attacks – both higher than the global averages.

As the high-profile data breaches have shown over the past 12 months, all it takes is one DDoS attack to damage an organisation’s brand, its reputation with customers, and its revenue stream.

There is also the issue of app security, and who is ultimately responsible for protecting the personal information and identity of employees who use approved business apps at work? The application developers, the IT department or the end users themselves?

Globally, only a fifth of IT decision-makers think employees take accountability for protecting their personal information and identity. When it comes to using personal apps at work, 44 percent of IT professionals assume employees take responsibility for securing their own personal information.

A third of respondents say the security team is most responsible for protecting employees’ identities, followed by the CIO or VP, and then the IT department.

Drilling down into individual countries’ attitudes, most German IT heads believe the CIO or VP (46 percent) is ultimately responsible for securing employee identity and personal information, while those from Brazil (32 percent) most often place responsibility on all IT practitioners, regardless of the team.

Brazilian, Indian, Chinese, and US IT chiefs believe that employees place a greater amount of responsibility on the vendor or developer of the applications.

So how does the UK compare to other countries? Interestingly, while most firms globally think IT leaders should be held accountable, the UK’s IT leaders point the finger at service providers (36 percent), more so than the company or app developer.

When it comes to app password security, UK IT chiefs have more faith in their employees than some of their counterparts around the world – 23 percent think employees “always” change their passwords, and 56 percent say they “sometimes” do so. China and Japan ranked lowest for how regularly employees change their passwords.

Across the board, more than half of IT decision-makers are agreed that mobile business app usage will increase in the next fiscal year. By 2020, most UK IT pros (84 percent) believe that mobile business apps will be used more than those on a laptop or a PC, almost in line with the global figure of 88 percent.

The good news is that 20 percent of UK IT departments say they are looking to grow their security budgets to combat the explosion of threats. The slightly less good news is that the UK ranks joint bottom with Japan for companies that expect to grow their security budget by 10 percent or more, at 14 percent, less than the global average of 27 percent.

Globally, security is the top discipline for which IT teams are hiring, followed by applications teams. More than a third (36 percent) of IT decision-makers believe the security team is the highest hiring priority – again with the UK unfortunately ranking lowest worldwide at only 20 percent.

Awareness and education must be a priority. Factoring in employee behaviour, IT professionals should focus on building enterprise-wide security awareness and education programmes and implement strong security and access policies to prevent bad behaviour, and in particular, rogue app usage.

The post Are Your Employees Putting Your Organisation at Risk? appeared first on IT SECURITY GURU.


Germany said its government computers secure after ‘isolated’ hack

Germany said on Wednesday hackers had breached its government computer network with an isolated attack that had been brought under control and which security officials were investigating. A spokesman for the German Interior Ministry said the affected government agencies had taken appropriate measures to investigate the incident and protect data. “The attack was isolated and brought under control within the federal administration,” which oversees government computer networks, he said in a statement, adding that the authorities were addressing the incident “with high priority and significant resources”. The spokesman said he could give no further details immediately due to security and analysis measures that were still under way.



The post Germany said its government computers secure after ‘isolated’ hack appeared first on IT SECURITY GURU.


Major data breach at Marine Forces Reserve impacts thousands

The personal information of thousands of Marines, sailors and civilians, including bank account numbers, was compromised in a major data spillage emanating from U.S. Marine Corps Forces Reserve. Roughly 21,426 people were impacted when an unencrypted email with an attachment containing personal confidential information was sent to the wrong email distribution list Monday morning. The compromised attachment included highly sensitive data such as truncated social security numbers, bank electronic funds transfer and bank routing numbers, truncated credit card information, mailing addresses, residential addresses and emergency contact information, Maj. Andrew Aranda, spokesman for Marine Forces Reserve, said in a command release.


ORIGINAL SOURCE: Marine Corps Times

The post Major data breach at Marine Forces Reserve impacts thousands appeared first on IT SECURITY GURU.
