
Info Risk Today Podcast
Tips for Getting the Most From an MSSP
How can organizations get the most out of partnering with managed security services providers and avoid common pitfalls? Cybersecurity consultant Vito Sardanopoli, an experienced CISO, offers top tips.
Cracking Down on Criminals' Use of Encrypted Communications
An analysis of a crackdown on criminals' use of encrypted communications leads the latest edition of the ISMG Security Report. Also: a preview of ISMG's Healthcare Security and Legal & Compliance summits, including expert insights on vendor risk management.
State of the Authentication Landscape
As we approach 2019, is it realistic to think the end of our dependency on traditional user names and passwords is in sight? Shane Weeden, an authentication expert with IBM Security, discusses the future of authentication and why he's encouraged by the FIDO2 initiative.
Managing Third-Party Risk in the Age of Ransomware
As ransomware and other cyberattacks continue to proliferate, organizations must improve vendor risk management so they have a plan in place in case a business associate falls victim, says Mitch Parker, CISO of Indiana University Health System, who will speak at ISMG's Healthcare Security Summit in New York.
How IAM is Evolving in the Blockchain Era
Identity and access management is not about compliance anymore - it's really about security, says Gartner's Felix Gaehtgens. With cloud, virtualization, DevOps and other IT trends, IAM has evolved from being a one-off project to an ongoing initiative.
Bots and Botnets: Addressing the Evolving Security Challenges
Malicious bots and botnets are becoming increasingly common and sophisticated, and enterprises need to address them in their risk assessments and security frameworks, says Akamai's Aseem Ahmed.
The Escalating Problem of Protecting Connected Devices
The latest edition of the ISMG Security Report features Kevin McDonald of the Mayo Clinic discussing how to secure connected medical devices. Plus, updates on the indictments of Chinese agents for hacking and the unveiling of the Financial Services Sector Cybersecurity Profile.
Managing Cyber Risks: A New Tool for Banks
Banks have a new tool available for developing cyber risk management programs. In an interview, architects of the Financial Services Sector Cybersecurity Profile, Denyette DePierro and Josh Magri, describe how to use it. They'll offer more details at ISMG's Legal & Compliance Summit in New York on Nov. 15.
Medical Device Security Best Practices From Mayo Clinic
Kevin McDonald, director of clinical information security at Mayo Clinic, spells out several steps for helping to ensure the security of medical devices, stressing there's no "silver bullet" that can do the job. He'll be a speaker at ISMG's Healthcare Security Summit, to be held Nov. 13-14 in New York.
ID Management's Role in Cloud Security
A user identity management system can help improve visibility of data residing in the cloud and improve security, says Deepen Desai, a vice president at Zscaler, a cloud-based information security company.
Healthcare Security Summit Speaker on Vendor Risk Management
Organizations must carefully monitor whether their business associates are adequately addressing data security to help guard against breaches, says Mark Eggleston, CISO at Health Partners Plans, who will speak on vendor risk management at ISMG's Healthcare Security Summit, to be held Nov. 13-14 in New York.
How to Use FDA's Medical Device Cybersecurity 'Playbook'
A new "playbook" co-developed by the Food and Drug Administration and Mitre Corp. aims to assist healthcare delivery organizations in responding to cybersecurity incidents involving medical devices. Julie Connolly, who helped develop the guide, explains how to use it.
UK Facebook Fine: Just the Beginning?
This week's edition of the ISMG Security Report features an analysis of whether the U.K.'s fine of Facebook for the Cambridge Analytica scandal is just the beginning of regulatory enforcement action. Plus: A potential settlement of Yahoo breach lawsuit and tips on securing data in the cloud.
Securing 'East-West' Traffic in the Cloud
Protecting "East-West" cloud traffic - the traffic between apps and virtual machines - is a significant challenge, but microsegmentation can help address it, says Raghu Raghuram of VMware.
The Need for Real-Time Risk Management
As companies go through a digital transformation, they need to move toward real-time risk management - and artificial intelligence can play a critical role, says David Walter, vice president of RSA Archer.
UK Cyberattack Investigations: An Analysis
The latest edition of the ISMG Security Report features an analysis of the results of over 1,000 cyberattack investigations in the U.K. Also: an update on the proposed NIST privacy framework and a report on voter registration information for sale on the dark web.
Completely Outsourced Security: A Bad Idea
Organizations can effectively rely on managed security services providers to take care of many tasks, but certain strategic security functions must be handled in-house, says Sid Deshpande, research director at Gartner.
FinServ Cybersecurity: Risk in an Era of Enterprise IoT and OT
IoT and OT risks are well publicized. But too often they are discussed in a consumer context. Tom Dolan of ForeScout Technologies wants to raise these topics in terms of enterprise risks - and how to mitigate them.
Update: NIST Preparing Privacy Framework
Building on the success of the NIST Cybersecurity Framework, the National Institute of Standards and Technology is in the early stages of developing a privacy framework. The effort will kick off with a workshop Tuesday in Austin, Texas, explains Naomi Lefkovitz, who is leading the project.
RSA President on the Case for a Risk-Based Security Model
CISOs and other security practitioners are embracing the idea of a business-driven security model that takes a risk-oriented approach, says Rohit Ghai, president of RSA. "Cybersecurity conversations are becoming business conversations rather than technology conversations."
Network vs. Endpoint Security: Striking the Right Balance
With so much focus on endpoint security, it's important not to overlook the importance of network-level security controls, says Lawrence Orans, research vice president at Gartner.
Safeguarding Critical Infrastructure From Cyberattacks
The biggest challenge for any critical infrastructure facing potential cyberattacks is devising ways to maintain business continuity, says cybersecurity specialist Prashant Pillai, who calls for building resilience into network design. He'll be a speaker at ISMG's Security Summit: London, to be held Oct. 23.
An Assessment of Google's Data Leak
An in-depth report on the exposure of personal details for 500,00 Google+ accounts leads the latest edition of the ISMG Security Report. Also featured: an update on mitigating the risk of business email compromises and tips for protecting critical infrastructure.
Defending Against Business Email Compromise Attacks
What can organizations do to thwart business email compromise attacks? In an interview, David Stubley, CEO of the consultancy 7 Elements, outlines several key steps. He'll be a featured speaker at Information Security Media Group's Security Summit: London, to be held Sept. 23.
Behavioral Biometrics: Key Challenges
As more companies move away from passwords toward behavioral biometrics, they face new challenges, says Rajiv Dholakia, vice president, products at Nok Nok Labs. "There are no standards as such in this area on how the information is collected, how it's stored and how it's processed," he says.
Preventing a 'Doomsday' Healthcare Cyber Event
The healthcare sector needs to continue upping its ante in cybersecurity to prevent potentially catastrophic "doomsday" events that could devastate regional healthcare systems, says Erik Decker, CISO of the University of Chicago Medicine. He's helping draft a guide to mitigating five key cyber threats.
Analysis: Opioid Legislation Stripped of Privacy Provision
Although the passage by Congress of the Support for Patients and Communities Act this week is an important step in the nation's battle against the opioid drug addiction crisis, it lacks a critical privacy provision, says Geisinger Health CIO John Kravitz, who analyzes the implications.
Analysis: Facebook Breach's Impact
The latest edition of the ISMG Security Report features an analysis of the latest developments in Facebook's massive data breach and expert analysis of the potential for nation-state interference in the U.S. midterm elections.
Election Security: Building Public Confidence
Suzanne Spaulding, former undersecretary for the Department of Homeland Security, says a key way to ensure public confidence in the security of U.S. elections is to rely on paper ballots for voting or as backups for electronic balloting.
Critical Elements of a Solid Cybersecurity Program
Healthcare organizations often fail to address five fundamental elements of a solid cybersecurity program, says security expert Mark Johnson of the consultancy LBMC Information Security, who formerly was CISO at Vanderbilt University and Medical Center.
Battling the Insider Threat: What Works?
Education plays a critical role in any program designed to combat insider threats, says Christopher Greany, head of group investigations at Barclays. He'll discuss how to start an insider threat program in a presentation at Information Security Media Group's Security Summit: London, to be held Oct. 23.
PCI SSC Works on Security for New Payment Options
As new payment options continue to emerge via mobile phones and internet of things devices, the PCI Security Standards Council is broadening its security efforts, starting with a new standard for contactless payments coming early next year, says Troy Leach, PCI SSC's chief technology officer.
Mobile Threats: Myths and Realities
There is greater awareness of the proliferation of mobile threats, and yet many organizations still underestimate their own vulnerabilities. Brian Duckering of Symantec discusses the rise and maturity of mobile threat defense.
SOC Analytics: Building the Right Toolset
As attackers become more adept at evading "reactive" security controls and alert mechanisms, proactively analyzing the behaviors of people and systems is critical to detecting malicious activity, says Gartner's Kelly Kavanagh.
How Machine Learning Enhances Data Classification
Machine learning could be a breakthrough for data classification, addressing fundamental challenges and paving the way to create and enforce automated policies that can be scaled across the enterprise, says Titus CEO Jim Barkdoll.
Preventing Business Associate Health Data Breaches
Because business associates have been culprits in health data breaches impacting millions of individuals, healthcare entities need to be diligent in taking steps to reduce the persistent risks these vendors pose, says privacy and security expert Susan Lucci.
The Reaction to New White House Cybersecurity Strategy
Leading the latest edition of the ISMG Security Report: The reaction to the recently released White House cybersecurity strategy. Also featured: A discussion of GDPR's impact on class action lawsuits.
Reputational Risk and Third-Party Validation
Security ratings are increasingly popular as a means of selecting cybersecurity vendors. But Ryan Davis at CA Veracode also uses BitSight's ratings as a means of benchmarking his own organization for internal and external uses.
GDPR: Data Breach Class Action Lawsuits Come to Europe
Breached businesses in Europe: Brace for more class action lawsuits seeking material and non-material damages filed by victims following mandatory data breach notifications under GDPR, says attorney Jonathan Armstrong. He predicts more breach-related suits will succeed in Europe than in the United States.
Midterm Election Security: Why Patching Is a Critical Issue
Many of the computer devices to be used for electronic voting in November's midterm elections have unpatched older operating systems that make them vulnerable, says Darien Kindlund, a data scientist at the cybersecurity firm Insight Engines, which advises governments and others.
Advanced DDoS Detection and Defense
Not only are we now seeing the most powerful DDoS attacks ever recorded, but they also are leveraging the ever-growing army of IoT devices. Gary Sockrider of NETSCOUT Arbor offers advice for detection and defense.
When Will GDPR Show Its Teeth?
The latest edition of the ISMG Security Report takes a look at the EU's General Data Protection Regulation, including the outlook for enforcement and common misconceptions about its provisions.
Securing Software Automation, Orchestration
Seeking better operational efficiency and ROI, many enterprises have begun significant software automation and orchestration efforts without accounting for the inherent security risks they may bring, says Jeffery Kok of CyberArk.
A Fresh Look at Outsourcing
The biggest security budget in the business cannot save you from also suffering one of the biggest breaches. The key is: Do you have the right skills and technology deployed to defend your critical assets? Michael Malone and Ben Johnson of Datashield, an ADT company, make the case for outsourcing.
GDPR Compliance: Common Misconceptions
Attorney Elizabeth Harding clears up confusion about certain provisions of the EU's General Data Protection Regulation, including the issue of when organizations need to obtain a European consumer's consent to process their data.
Preparing for PIPEDA
A key amendment to Canada's Personal Information Protection and Electronic Documents Act goes into effect on Nov. 1. What are the baseline standards for compliance, and how does this change impact risk transfer and mitigation? Charlie Groves of CrowdStrike shares his views.
Health Information Exchange: The Missing Links
Making bigger advances in implementing nationwide health information exchange will require a multipronged effort, including getting patients more involved and using a variety of technical approaches, says Scott Stuewe, the new president and CEO of DirectTrust.
Equifax Breach: Key Lessons Learned
The latest edition of the ISMG Security Report features an analysis of a new Government Accountability Office report on the causes of last year's massive Equifax breach. Also: An update on the role of tokenization in protecting payments.
Operationalizing Security: A Targeted Approach to 'SecOps'
Effective "SecOps" involves revamping security processes that are inconsistent and ad hoc to make them targeted and consistent, says Rapid7 CEO Corey Thomas, who describes the roles of automation and orchestration.
Simplifying Vendor Security Risk Management
Why did CISOs at a half-dozen leading healthcare organizations launch a new council aimed at standardizing vendor security risk management? One of those CISOs, John Houston of UPMC, explains why the group was launched, how it will work and why managing cloud vendor risks is a top priority.